ASIL Rankings of Safety Goals


The ASIL plays a vital role in achieving ISO 26262 compliance, and it should be determined at the beginning of the development process. The planned system functions should be analyzed with respect to possible hazards, and the team should ask, “If a failure occurs, what will its effect be, and what will happen to the driver and any other road users?” The system’s dependability requirements can then be derived from the ASIL rating, which is determined from three factors:

1. Probability of exposure to harm due to system failure (how likely is it to occur)

2. Controllability of the incident by the driver, should the system fail (can the driver control the situation)

3. Severity of the failure, defined by the possible level of harm to the driver or others if not controlled

The standard contains information for ranking each of the factors: the Exposure factor has five classifications, Severity has four, and Controllability has four. The standard also contains a fourth table that indicates how the three classifications are combined to determine the ASIL rating for an electronic system, subsystem, or component within the road vehicle.

The definitions provided by the ISO 26262 standard are informative, but not very strict or tightly defined. They leave much discretion to the evaluator, designer, builder, and supplier of each component, element or item, and to the automaker as well. Because of the number of assumptions that must be made to determine an ASIL rating, the Society for Automotive Safety Engineers (SAE) has developed “J2980 – Considerations for ISO26262 ASIL Hazard Classification”. The purpose of this document is to provide guidelines for classifying the three factors used to derive an ASIL, and it should reduce the number of assumptions made regarding the severity, probability of exposure, and controllability factors. However, the new guidelines may not eliminate the need to make some assumptions when determining ASILs. For items with high ASILs, the ISO 26262 standard requires that strict measures be taken to minimize or eliminate the unacceptable risk. Under certain circumstances, the ASIL rating may be lowered through the technique of ASIL Decomposition.

ASIL Decomposition


The ISO 26262 standard contains a clause that sets out the rules and guidelines for the decomposition of safety-related elements. The ASIL is part of the safety goal and is inherited by each successive safety requirement. The functional and technical safety requirements are assigned to all the design elements, beginning with the preliminary design concepts all the way down to the software and hardware elements. Through decomposition during the development phase, the ASIL rating can be tailored to the next level of the system design. Concretely, an element that addresses a particular safety goal, assigned a specific ASIL rating, can be broken down into two independent elements, each with a possibly lower ASIL rating. The benefit is that the cost of developing to a lower ASIL is generally lower. The stipulation is that each of the decomposed elements must address the same safety goal and take on the same safe state. In addition, to demonstrate fulfillment of the original requirements, there must be traceability to and from the decomposed elements’ requirements. Another thing to remember is that decomposition of a software element requires thorough investigation of the independence of the software and hardware involved. However, the hardware metrics are not affected by the decomposition of the software.
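As an added example (not part of the original article), the following Python reproduces the two mechanics described above: the ISO 26262-3 table that maps the S/E/C classes to an ASIL, and the decomposition pairs permitted by ISO 26262-9, which in ordinal terms (QM=0 … D=4) always sum to the original level. The function names and the sample hazard classification are constructed for the example.

```python
# Added example: ASIL determination and ASIL decomposition per ISO 26262.
# ASIL_TABLE is the ISO 26262-3 determination table, indexed [S][E] with
# one entry per C1..C3; any S0, E0 or C0 classification yields QM.
from itertools import product

LEVELS = ["QM", "A", "B", "C", "D"]  # ordinal positions: QM=0 ... D=4

ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}


def determine_asil(s, e, c):
    """Map severity (S0-S3), exposure (E0-E4) and controllability (C0-C3)
    classes to the ASIL given by the ISO 26262-3 table."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError("S must be 0-3, E 0-4, C 0-3")
    if 0 in (s, e, c):
        return "QM"
    return ASIL_TABLE[s][e].split()[c - 1]


def decompositions(asil):
    """All (X, Y) pairs into which an ASIL may be decomposed under ISO 26262-9.
    The two parts must be independent elements addressing the same safety goal;
    each is written with the original ASIL in parentheses, e.g. ASIL B(D)."""
    target = LEVELS.index(asil)
    pairs = []
    for hi, lo in product(range(len(LEVELS)), repeat=2):
        if target > 0 and hi >= lo and hi + lo == target:
            pairs.append((f"{LEVELS[hi]}({asil})", f"{LEVELS[lo]}({asil})"))
    return pairs


def is_valid_decomposition(asil, part1, part2):
    """Check a proposed split such as ('D', 'B', 'B'); order of parts is irrelevant."""
    a, b = sorted((LEVELS.index(part1), LEVELS.index(part2)), reverse=True)
    return (f"{LEVELS[a]}({asil})", f"{LEVELS[b]}({asil})") in decompositions(asil)


if __name__ == "__main__":
    # Constructed hazard: S3 (life-threatening), E4 (high probability), C3 (difficult to control)
    asil = determine_asil(3, 4, 3)
    print(asil, decompositions(asil))  # D [('B(D)', 'B(D)'), ('C(D)', 'A(D)'), ('D(D)', 'QM(D)')]
```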


Validation Testing and Qualification


Within ISO 26262 section 4, the standard covers software, hardware and even testing tool qualification. The section contains several requirements and tables that specify analysis and testing requirements according to the ASIL rating. There is also a clause for qualifying components on the basis of a “Proven in Use Argument”. This clause applies to components or systems that have previously been in use in other applications without incident. Proven reliable systems that remain unchanged from previous vehicles are certifiable under the ISO 26262 standard. Therefore, by combining certifiable components from similar applications, and from applications used extensively throughout the industry before the standard, system complexity can be minimized and the certification requirements reduced.