Determining Functional Safety Levels for Automotive Applications

Even the most basic car sold over the past three or four decades has contained a significant amount of technology to make it safer, more “intelligent” and more enjoyable to drive, and this adoption of technology will only increase as the industry moves towards autonomous vehicles.

The widespread use of electrical and electronic systems comes with potential risks, and specific standards exist, most notably ISO 26262, to greatly reduce these risks by laying down requirements for the overall functional safety of these various and interrelated components and systems.

Six million crashes and over 53 million vehicles recalled

According to vehicle safety data published in the US by the Bureau of Transportation Statistics (BTS) of the Department of Transportation, an average of just over six million vehicle crashes are reported every year.

The same organisation records that, in 2016, US car manufacturers were forced to issue a safety recall of 53.2 million cars.

According to the US National Highway Traffic Safety Administration (NHTSA), a safety recall is issued when the NHTSA or the car maker identifies that the vehicle no longer meets a satisfactory safety level or can potentially be a safety risk.

Causes can include not only failure of the vehicle’s electrical and electronic systems but also, for example, tyre issues or the vehicle’s structural integrity. Although these figures are based on the United States, they are almost certainly reflected proportionally in other parts of the world.

As a result of these numbers, safety is today the most important part of automotive design and manufacture.

Functional Safety

In the car industry, functional safety, as defined by ISO 26262, is the absence of unreasonable risk due to “hazards” caused by badly functioning electrical/electronic systems.

Importantly, the ISO 26262 series details a risk-based approach for determining levels of risk which are known as Automotive Safety Integrity Levels or ASILs.

These are calculated by performing a risk analysis of potential hazards based on the levels of severity, probability of exposure and driver controllability. This risk classification helps to establish varying safety requirements to mitigate the risks in components and systems to acceptable levels, manage and record these safety requirements and ensure that all procedures have been followed to the letter in the final product.

ISO 26262 ASILs and safety at the component level

Within the ISO 26262 standard, an automotive component lifecycle starts with defining the system where it will be used and how crucial it is to the safety of the vehicle.

The Automotive Safety Integrity Level (ASIL) is determined by hazard analysis and risk assessment (HARA) for the corresponding automotive component, whether hardware, software or both.

As a result, ASIL determination forms the initial phase of the automotive system development. This means all potential hazard and danger scenarios are evaluated for a specific automotive component, the result of which can be critical for vehicle safety.

So, the potential for safety issues like an unexpected airbag inflation or brake failure should be assessed and managed in advance.

This step is followed by identifying the level of safety required for an automotive component to function normally without posing any threat to the vehicle; these levels are then classified according to the ASILs defined in the ISO 26262 standard.

One example could concern a car door. Here, the safety goal should consider the importance of it being opened or closed when faced with certain conditions. Should fire occur inside the vehicle or should it be submerged, the safety goal would be to get the door opened rapidly so that the occupants can escape. On the other hand, when the vehicle is moving, the safety goal will be for the door to remain closed as the accidental opening leads to greater risks.

Determining the ASIL for an Automotive Application

There are four ASILs identified by ISO 26262: ASIL A, ASIL B, ASIL C and ASIL D where ASIL D is the highest degree of automotive hazard and ASIL A the lowest. There is another level called QM (for Quality Management level) that represents hazards that do not dictate any safety requirements.
Figure 2 outlines the steps involved in the determination of ASIL for an Anti-lock Braking System (ABS).

For failures of a defined function at the vehicle level, a hazard analysis and risk assessment (HARA) helps to identify the level of risk of harm to people and property. Once completed, the classification helps to identify the processes and the level of risk reduction needed to achieve a tolerable risk. The safety goal definition (and its ASIL) is used for both hardware and software processes within automotive design to ensure the highest levels of functional safety.

These safety levels are determined by three key parameters.

Exposure (E) measures the probability of the vehicle being in a situation that can cause harm to people and property. One of the exposure levels E1: very low probability, E2: low probability, E3: medium probability, E4: high probability is assigned to the situation in which the automotive component being evaluated may fail.

Controllability (C) determines the extent to which the driver is able to control the vehicle should a safety goal be breached by the failure or malfunctioning of the automotive component being evaluated. C1 means the situation is simply controllable, while C3 means it is difficult to control.

Severity (S) defines the level of the consequences for the life of passengers and other road users, and for property, due to the infringement of the safety goal. S1 covers light and moderate injuries; S2 severe and life-threatening injuries; and S3 life-threatening incidents.

ISO 26262 ASIL Allocation Table

The ISO 26262 ASIL levels ASIL A, B, C and D are assigned based on an allocation table defined by the ISO 26262 standard.

The table shows how ASIL values are determined for various components from the E, C and S parameters. From it, you can see:

A combination of the extremes of the three parameters (S3, E4 and C3) describes a very dangerous situation, so the component being evaluated is classified as ASIL D. This means it is prone to serious life-threatening events in case of a malfunction and demands the most stringent safety measures.

A combination of the lowest, least safety-critical values of the three parameters (S1, E1 and C1) calls for the QM level, which means the component is not hazardous and does not need to be managed under ISO 26262.

A combination of intermediate levels (S2, E4 and C3, or S2, E3 and C2) gives ASIL C or ASIL A respectively.

So a component’s ASIL reflects the intensity of the hazard: ASIL allocation identifies the level of threat that a malfunction of the component will cause in particular situations.

Within the scope of ISO 26262 ASIL and functional safety, the safety goal matters more than how the automotive component itself functions. To understand this, look at the table below, which illustrates vehicle battery charging.

Battery pack overcharging at speeds below 10 km/h is not as serious as overcharging at very high speeds, where the potential for overheating and fire can be high.

Vehicle condition            | Cause of malfunction                                     | Possible hazard                        | ASIL
Running speed < 10 km/h      | Charging of battery pack beyond allowable energy storage | Overcharging may lead to thermal event | A
Running speed 10 – 50 km/h   | Charging of battery pack beyond allowable energy storage | Overcharging may lead to thermal event | B
Running speed > 50 km/h      | Charging of battery pack beyond allowable energy storage | Overcharging may lead to thermal event | C
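As an added example, not code from the original article, the following Python encodes the S/E/C allocation table of ISO 26262-3 described above and applies it to a constructed set of hazardous events for the battery overcharging case. The S, E and C values assigned to the three speed bands are illustrative assumptions chosen to reproduce the A/B/C outcomes in the table; they are not classifications taken from the article or the standard.

```python
from dataclasses import dataclass

# ISO 26262-3 Table 4 (added illustration, not the article's code). Keys are
# severity S1..S3, then exposure E1..E4; each cell lists ASIL for C1, C2, C3.
ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]  # least to most stringent

def asil(s: int, e: int, c: int) -> str:
    """Return 'QM' or 'A'..'D' for severity s, exposure e, controllability c."""
    if s not in (1, 2, 3) or e not in (1, 2, 3, 4) or c not in (1, 2, 3):
        raise ValueError(f"classification S{s} E{e} C{c} is outside the table")
    return ASIL_TABLE[s][e].split()[c - 1]

def table_matches_sum_rule() -> bool:
    """Cross-check: in Table 4 the ASIL index equals S + E + C - 6 (QM if < 1)."""
    for s in (1, 2, 3):
        for e in (1, 2, 3, 4):
            for c in (1, 2, 3):
                idx = max(s + e + c - 6, 0)
                if asil(s, e, c) != ASIL_ORDER[idx]:
                    return False
    return True

@dataclass(frozen=True)
class HazardousEvent:
    situation: str  # operational situation, e.g. a speed band
    hazard: str     # consequence of the malfunction
    s: int
    e: int
    c: int

    @property
    def level(self) -> str:
        return asil(self.s, self.e, self.c)

def safety_goal_asil(events) -> str:
    """A safety goal covering several hazardous events inherits the highest ASIL."""
    return max((ev.level for ev in events), key=ASIL_ORDER.index)

# Constructed sample HARA rows for the battery overcharging hazard; the S/E/C
# values are illustrative assumptions that reproduce the article's A/B/C.
BATTERY_OVERCHARGE = [
    HazardousEvent("speed < 10 km/h", "overcharge -> thermal event", s=2, e=3, c=2),
    HazardousEvent("speed 10-50 km/h", "overcharge -> thermal event", s=2, e=4, c=2),
    HazardousEvent("speed > 50 km/h", "overcharge -> thermal event", s=3, e=4, c=2),
]
```

Calling `safety_goal_asil(BATTERY_OVERCHARGE)` shows why the safety goal for the overcharging hazard is driven by its worst operational situation (ASIL C here), not by the average one.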

Because of this, determining ASILs is a hugely critical process in the development of highly reliable and functionally safe automotive applications. Today’s car designs have become increasingly complex, with a large number of ECUs, sensors and actuators, and the need to ensure functional safety at every stage of product development and commissioning has become even more important.

This is why today’s car manufacturers are very stringent about meeting the highest automotive safety standards in accordance with the ISO 26262 standard and its ASIL levels.