ASIL
Given a malfunction of a defined function at the vehicle level (e.g., an anti-lock braking system), a hazard analysis and risk assessment follows to determine the risk of harm or injury to people and of damage to property. Each hazardous event is rated by the severity of the harm (classes S0 to S3), the probability of exposure to the operational situation (E0 to E4), and the controllability of the event by the driver or other people at risk (C0 to C3); the combination of the three determines the automotive safety integrity level (ASIL), i.e., the degree of risk reduction needed to reach a tolerable risk. Figure 2 shows an example of the steps that lead to the ASIL determination based on the malfunction and its potential impact. ASIL A is the least stringent level and ASIL D the most stringent; a hazardous event whose rating calls for no ASIL is classified as QM (quality management), meaning the organization's normal quality processes are considered sufficient.
Figure 2: ABS example of ASIL determination based on hazard and risk analysis at the concept phase
For hardware components, the ASIL determines the target values for the hardware failure metrics (the single-point fault metric, the latent fault metric, and the probabilistic metric for random hardware failures), as shown in Table 1. To address systematic failures, the ASIL also sets the required rigour of the development process (e.g., traceability, process quality, documentation).
Functional Safety Lifecycle and Development Phases
All the phases of the functional safety lifecycle are defined and documented in the ISO 26262 standard. Figure 3a illustrates the sequence of the concept and development phases, while Figures 3b and 3c list the corresponding functional safety activities with examples. The concept phase is owned by the car manufacturer and defines the system that implements a function at the vehicle level (called the item in ISO 26262 terminology, e.g., the automatic emergency braking (AEB) system). The ASIL is determined at this level and assigned to the safety goals, from which the functional safety requirements are derived. When the system-level product development phase begins, technical safety requirements are derived from each functional safety requirement and allocated to the hardware and software components of the safety-related function.
Essentially, the safety goals start at the vehicle level and are mapped and refined along the development chain, each derived requirement inheriting the ASIL of its safety goal, until the hardware failure metric targets are defined and allocated to the various hardware subsystems.
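The chain described above, from the S/E/C rating of a hazardous event to the ASIL and on to the hardware failure-metric targets the ASIL imposes, as an added worked example in Python; this is not code from the page or from ISO 26262. The S/E/C table is the ASIL determination table of ISO 26262-3 (Table 4); the SPFM/LFM/PMHF targets are the ISO 26262-5 values as recalled here and should be checked against Table 1 of the page and the standard before being relied on. The per-element fault model (a safe fraction, a diagnostic coverage, and a share of covered faults that are also revealed), the sample hardware elements, and the S3/E4/C3 rating are constructed assumptions for illustration, and the PMHF is approximated by the single-point and residual failure rate alone.

```python
"""From hazard classification to hardware metrics along the ISO 26262 chain.

Added illustration, not code from the page.  ASIL_TABLE is ISO 26262-3
Table 4.  HW_TARGETS are the ISO 26262-5 values as recalled by the author
of this example; verify them against the standard.  The per-element fault
model and SAMPLE_ELEMENTS are constructed and deliberately simplified.
"""
from dataclasses import dataclass

# ISO 26262-3 Table 4, indexed by severity S1..S3, then exposure E1..E4;
# the three entries per row are controllability C1, C2, C3.
ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}


def determine_asil(s: int, e: int, c: int) -> str:
    """Return 'QM' or 'A'..'D' for a hazardous event rated S, E, C.
    Class 0 in any parameter (no injuries / incredible exposure /
    controllable in general) means no ASIL is assigned, i.e. QM."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError("S must be 0..3, E 0..4, C 0..3")
    if 0 in (s, e, c):
        return "QM"
    return ASIL_TABLE[s][e].split()[c - 1]


# Hardware metric targets per ASIL (ISO 26262-5; verify against the standard).
# SPFM and LFM are minimum fractions; PMHF is a maximum rate in failures/hour.
# ASIL A and QM carry no mandatory target for these metrics.
HW_TARGETS = {
    "B": {"spfm": 0.90, "lfm": 0.60, "pmhf": 1e-7},
    "C": {"spfm": 0.97, "lfm": 0.80, "pmhf": 1e-7},
    "D": {"spfm": 0.99, "lfm": 0.90, "pmhf": 1e-8},
}


@dataclass
class HwElement:
    """Simplified (constructed) fault model of one safety-related element."""
    name: str
    fit: float            # total failure rate in FIT (1 FIT = 1e-9 failures/hour)
    safe_fraction: float  # share of faults that cannot violate the safety goal
    dc: float             # diagnostic coverage of the safety mechanism over the unsafe share
    latent_dc: float      # share of covered faults that are also revealed (not latent)


def hw_metrics(elements):
    """SPFM, LFM and a first-order PMHF for a set of elements, using the
    ISO 26262-5 definitions:
      SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
      LFM  = 1 - sum(lambda_MPF,latent) / sum(lambda - lambda_SPF - lambda_RF)
    """
    total = sum(e.fit for e in elements)
    spf_rf = 0.0   # faults that violate the safety goal on their own
    latent = 0.0   # faults masked by a mechanism but never revealed
    for e in elements:
        unsafe = e.fit * (1.0 - e.safe_fraction)
        spf_rf += unsafe * (1.0 - e.dc)
        latent += unsafe * e.dc * (1.0 - e.latent_dc)
    spfm = 1.0 - spf_rf / total
    lfm = 1.0 - latent / (total - spf_rf)
    pmhf = spf_rf * 1e-9   # FIT -> failures/hour; dual-point terms omitted
    return spfm, lfm, pmhf


def check_hw_metrics(asil, elements):
    """Return {metric: passed} against the targets the given ASIL requires."""
    spfm, lfm, pmhf = hw_metrics(elements)
    targets = HW_TARGETS.get(asil)
    if targets is None:          # ASIL A or QM: nothing mandatory to meet
        return {"spfm": True, "lfm": True, "pmhf": True}
    return {"spfm": spfm >= targets["spfm"],
            "lfm": lfm >= targets["lfm"],
            "pmhf": pmhf < targets["pmhf"]}


# Constructed sample: a hypothetical brake-control hardware path.
SAMPLE_ELEMENTS = [
    HwElement("MCU core", fit=100.0, safe_fraction=0.5, dc=0.99, latent_dc=0.9),
    HwElement("wheel-speed sensor interface", fit=40.0, safe_fraction=0.25, dc=0.9, latent_dc=0.5),
    HwElement("supply monitor", fit=20.0, safe_fraction=0.0, dc=0.6, latent_dc=0.0),
]

if __name__ == "__main__":
    # Hypothetical rating for loss of braking assistance: S3, E4, C3 -> ASIL D.
    asil = determine_asil(3, 4, 3)
    spfm, lfm, pmhf = hw_metrics(SAMPLE_ELEMENTS)
    print(f"ASIL {asil}: SPFM={spfm:.4f} LFM={lfm:.4f} PMHF={pmhf:.2e}/h")
    for level in ("B", "D"):
        print(level, check_hw_metrics(level, SAMPLE_ELEMENTS))
```

Two things the run makes visible that the prose only states: the same constructed hardware path clears every ASIL B target (SPFM 0.93, LFM 0.79, PMHF 1.15e-8/h) and fails all three ASIL D targets, which is what "the ASIL determines the target values" means for a hardware designer; and the determination table is additive, so that S + E + C of 7, 8, 9 and 10 give ASIL A, B, C and D and anything lower gives QM, a handy cross-check when reviewing a hazard analysis.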