Understanding How ISO 26262 ASIL is Determined for Automotive Applications

According to motor vehicle safety data from the Bureau of Transportation Statistics (BTS), more than 6 million motor vehicle crashes are reported every year on average.

According to U.S. Department of Transportation data, automakers in the United States issued a record number of safety recalls in 2016, covering 53.2 million vehicles. This rise in safety recalls came alongside a rise in road traffic fatalities in the U.S.

According to the National Highway Traffic Safety Administration (NHTSA), a recall is issued when "a manufacturer or NHTSA determines that a vehicle, equipment, car seat, or tire creates an unreasonable safety risk or fails to meet minimum safety standards".

These statistics lead to one conclusion: despite technical advances across the breadth and depth of the industry, malfunctioning vehicles remain a major cause of road accidents.

Safety is therefore a fundamental requirement of automotive application development. For a vehicle in particular, functional safety is crucial at every stage of the life cycle, from production through decommissioning.

Through the Lens of the ISO 26262 Paradigm: What are Functional Safety and ASIL?

ISO 26262 standard defines functional safety as the “absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems”.

For ISO 26262 compliance, a functional safety consultant identifies and assesses hazards (safety risks).

These hazards are then classified according to the Automotive Safety Integrity Level (ASIL) scheme.

Such a clear classification of hazards helps to:

· establish safety requirements that mitigate the risks to acceptable levels

· manage and track these safety requirements

· demonstrate that standardized safety procedures have been followed in the delivered product.

The Automotive Safety Integrity Level (ASIL), specified by ISO 26262, is a risk classification scheme used to define the safety requirements. An ASIL is assigned by performing a risk analysis of each potential hazard, evaluating three risk parameters: Severity, Exposure and Controllability.

Safety Life-cycle is a Journey, Safety Goals and ASIL are the Milestones!

The safety life cycle of any automotive item begins with the definition of the item and of its safety criticality at the vehicle level.

This is done by conducting a Hazard Analysis and Risk Assessment (HARA) on the item under consideration. An item is the system, or combination of systems, that implements a function at vehicle level; HARA is performed at this level, before the item is broken down into hardware and software components. HARA is the exercise that determines the Automotive Safety Integrity Level (ASIL).

During HARA, the potential hazardous events are evaluated: each combination of a malfunction of the item and an operational situation (driving on a motorway, parking, charging, and so on) whose occurrence could compromise vehicle safety.

For example, unintended airbag deployment or loss of braking are potential hazards that should be assessed and managed in advance.

From HARA, a safety goal is formulated for each hazardous event, and the hazardous event is rated either QM or one of the ASIL levels defined by ISO 26262. A safety goal that covers several hazardous events inherits the highest ASIL among them.



[Figure: Automobile safety issue types]

Safety goals are the top-level safety requirements derived from HARA: each states what the item must do, or must not do, to prevent or mitigate a hazardous event, and it is usually formulated without reference to a specific technical solution.

For example, for a car door the safety goal depends on which state of the door is safe in a given situation. In case of fire inside the vehicle or of flooding, the safety goal is that the door can be opened as quickly as possible so that the occupants can escape.

Conversely, while the vehicle is moving fast, the safety goal is that the door remains closed, since unintended opening of the door of a moving car would create a greater risk.

How to Determine the ASIL Value for an Automotive Application, as per the ISO 26262 Standard

ISO 26262 standard defines four values of ASIL: ASIL A, ASIL B, ASIL C, ASIL D.

ASIL D calls for the most stringent safety measures and ASIL A for the least. A further level, QM (Quality Management), is assigned to hazardous events for which no ISO 26262 safety requirements apply; the organisation's normal quality management process is considered sufficient.

The following figure shows the steps involved in the determination of ASIL for an anti-lock braking system (ABS).

[Figure: ASIL determination steps for an anti-lock braking system (ABS)]
For each failure of a defined function at the vehicle level, the Hazard Analysis and Risk Assessment (HARA) identifies how severe the resulting harm to people can be. ISO 26262 rates harm to persons (occupants and other road users); damage to property is not one of the ASIL parameters.

Once this classification is completed, it identifies the development processes and the level of risk reduction needed to reach a tolerable risk. The ASIL of a safety goal is inherited by the hardware and software safety requirements derived from it, so that both hardware and software development are carried out with the rigour the safety goal demands.

These safety levels are determined based on 3 important parameters:

Exposure (E): the probability that the vehicle is in the operational situation in which the hazardous event can occur. ISO 26262 defines the classes E0 (incredible), E1 (very low probability), E2 (low probability), E3 (medium probability) and E4 (high probability). Only E1 to E4 appear in the allocation table, since E0 always results in QM.

Controllability (C): the extent to which the driver, or other persons involved, can act to avoid harm if a safety goal is violated due to a failure or malfunction of the item being evaluated. The classes are C0 (controllable in general, always QM), C1 (simply controllable), C2 (normally controllable) and C3 (difficult to control or uncontrollable); in terms of safety criticality C1 < C2 < C3.

Severity (S): the seriousness of the injuries to persons (occupants and other road users) that result from a violation of the safety goal. The classes are S0 (no injuries, always QM), S1 (light and moderate injuries), S2 (severe and life-threatening injuries, survival probable) and S3 (life-threatening injuries with uncertain survival, or fatal injuries).

The ISO 26262 ASIL Allocation table

The ASIL levels A, B, C and D are assigned based on the allocation table defined by the ISO 26262 standard (ISO 26262-3, Table 4), which maps every combination of S, E and C to QM or to one ASIL.



[Figure: ISO 26262 ASIL allocation table. Original caption: Evaluation safety goals of automotive components]

Let us look at how the ASIL of a hazardous event follows from its S, E and C ratings.

A few observations from the ASIL allocation table:

  1. The combination S3, E4 and C3 (the extremes of the three parameters) describes a highly hazardous situation. The hazardous event is therefore rated ASIL D: a malfunction can lead to fatal injuries, is likely to occur in a frequent driving situation and cannot be controlled, so the most stringent safety measures are required.
  2. Conversely, the combination S1, E1 and C1 (the lowest levels of the three parameters in terms of safety criticality) results in QM. The hazardous event is not considered hazardous enough to require ISO 26262 safety measures; the normal quality management process suffices.
  3. Intermediate combinations land in between: S2, E4 and C3 gives ASIL C, while S2, E3 and C2 gives ASIL A. Note that the table is monotonic: raising any one of the three parameters never lowers the ASIL.

The ASIL thus expresses how hazardous a malfunction of the item is in the situations in which it can occur, and allocating it tells the developer how much rigour is needed to bring that risk to a tolerable level.

Under ISO 26262, an ASIL is attached to a safety goal, that is, to a hazardous event, and not to the component as such. The same component can therefore carry different ASILs for different operational situations. The charging of a vehicle battery illustrates this.

What is rated is the hazardous event, not the battery itself, as the table below shows. The same malfunction, charging of the battery pack beyond its allowable energy storage, is rated differently depending on vehicle speed: overcharging at a speed below 10 km/h is not as serious as overcharging at high speed, where overheating and a consequent fire carry a much higher risk:

Vehicle condition            Cause of malfunction                                        Possible hazard                            ASIL
Running speed < 10 km/h      Charging of battery pack beyond allowable energy storage    Overcharging may lead to a thermal event   A
Running speed 10 - 50 km/h   Charging of battery pack beyond allowable energy storage    Overcharging may lead to a thermal event   B
Running speed > 50 km/h      Charging of battery pack beyond allowable energy storage    Overcharging may lead to a thermal event   C
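As an added example (not code from the original article, nor from ISO 26262 itself), the following Python puts the S/E/C allocation described in the parameter definitions and the observations above into a small, checkable function and applies it to the battery-overcharge table. The lookup table reproduces ISO 26262-3 Table 4. The S/E/C ratings given to the three battery situations are constructed assumptions chosen so that they land on the A/B/C of the table above; they are not ratings from any real HARA.

```python
"""ASIL determination from Severity, Exposure and Controllability.

Added example for this article, not code from the original page or from the
ISO 26262 standard.  ASIL_TABLE reproduces ISO 26262-3 Table 4.  The
hazardous events at the bottom (battery overcharge) carry S/E/C ratings that
are constructed assumptions chosen to reproduce the article's A/B/C column.
"""
from dataclasses import dataclass
from enum import IntEnum


class ASIL(IntEnum):
    QM = 0
    A = 1
    B = 2
    C = 3
    D = 4


# ISO 26262-3 Table 4, written row by row as "C1 C2 C3" for each (S, E).
_ROWS = {
    (1, 1): "QM QM QM", (1, 2): "QM QM QM", (1, 3): "QM QM A", (1, 4): "QM A B",
    (2, 1): "QM QM QM", (2, 2): "QM QM A",  (2, 3): "QM A B",  (2, 4): "A B C",
    (3, 1): "QM QM A",  (3, 2): "QM A B",   (3, 3): "A B C",   (3, 4): "B C D",
}
# ASIL_TABLE[(S, E, C)] -> ASIL, for S in 1..3, E in 1..4, C in 1..3.
ASIL_TABLE = {
    (s, e, c + 1): ASIL[name]
    for (s, e), row in _ROWS.items()
    for c, name in enumerate(row.split())
}


def determine_asil(severity: int, exposure: int, controllability: int) -> ASIL:
    """Return the ASIL of one hazardous event from its S/E/C rating.

    S0 (no injuries), E0 (incredible situation) and C0 (controllable in
    general) are defined by the standard but do not appear in the table:
    any one of them makes the event QM.
    """
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError(f"S/E/C out of range: S{severity} E{exposure} C{controllability}")
    if 0 in (severity, exposure, controllability):
        return ASIL.QM
    return ASIL_TABLE[(severity, exposure, controllability)]


@dataclass(frozen=True)
class HazardousEvent:
    """One row of a HARA: a malfunction in a given operational situation."""
    situation: str
    hazard: str
    severity: int
    exposure: int
    controllability: int

    @property
    def asil(self) -> ASIL:
        return determine_asil(self.severity, self.exposure, self.controllability)


def safety_goal_asil(events) -> ASIL:
    """A safety goal covering several hazardous events inherits the highest ASIL."""
    return max((ev.asil for ev in events), default=ASIL.QM)


def table_is_monotonic() -> bool:
    """Sanity check: raising any single parameter never lowers the ASIL.

    A hand-transcribed table that fails this check has a typo in it.
    """
    for (s, e, c), level in ASIL_TABLE.items():
        for neighbour in ((s + 1, e, c), (s, e + 1, c), (s, e, c + 1)):
            if neighbour in ASIL_TABLE and ASIL_TABLE[neighbour] < level:
                return False
    return True


def table_matches_sum_rule() -> bool:
    """Sanity check: for S, E, C >= 1 the table equals max(0, S + E + C - 6).

    This closed form is a property of the published table and is handy for
    cross-checking a transcription; the standard itself defines the table.
    """
    return all(level == max(0, s + e + c - 6) for (s, e, c), level in ASIL_TABLE.items())


# Constructed HARA rows for the article's battery example.  The S/E/C values
# are assumptions chosen to land on the A/B/C of the article's table, not
# ratings from a real analysis.
OVERCHARGE = "Charging of battery pack beyond allowable energy storage"
BATTERY_EVENTS = [
    HazardousEvent("Running speed < 10 km/h", OVERCHARGE, severity=2, exposure=3, controllability=2),
    HazardousEvent("Running speed 10 - 50 km/h", OVERCHARGE, severity=2, exposure=4, controllability=2),
    HazardousEvent("Running speed > 50 km/h", OVERCHARGE, severity=3, exposure=4, controllability=2),
]

if __name__ == "__main__":
    assert table_is_monotonic() and table_matches_sum_rule()
    for ev in BATTERY_EVENTS:
        print(f"{ev.situation:28} S{ev.severity} E{ev.exposure} C{ev.controllability} -> {ev.asil.name}")
    # One safety goal, "prevent overcharging of the battery pack", covers all
    # three rows and therefore has to be developed to the highest of them.
    print("Safety goal ASIL:", safety_goal_asil(BATTERY_EVENTS).name)
```

The two sanity checks are the part worth keeping in a real tool: the monotonicity check catches a mistyped cell in a hand-copied table, and the closed form max(0, S + E + C - 6) holds for every cell of the published table, so any transcription that disagrees with it is wrong. The S0/E0/C0 handling sits outside the table on purpose, since the standard defines those classes but the allocation table does not list them.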

ASIL determination is therefore a critical step in the development of reliable, functionally safe automotive applications. Now that vehicle designs have become increasingly complex, with large numbers of ECUs, sensors and actuators, ensuring functional safety at every stage of product development and deployment has become even more important.

This is why modern automotive manufacturers are particular about meeting the highest automotive safety standards in accordance with ISO 26262 and its ASIL levels.