At the end of 2018, the long-awaited update to the ISO 26262 standard was finalized and published. This new version expands the scope of the original 2011 publication to incorporate additional safety measures and industry segments beyond the original passenger-vehicle applications. With this expansion, many of our customers are coming to us with the same questions: Does this updated standard apply to my project, and how do I incorporate it into my development process?
Does ISO 26262 Apply to Your Project?
Although the ISO 26262 standard can seem complex and overwhelming, we can guide you in the right direction and help you answer the important questions. With our team of Automotive Functional Safety Engineers (AFSEs), we will show you a path to production that incorporates the safety standards required in today’s various industries. We will assist your company in clarifying whether the updated ISO 26262 standard applies to your project, conduct a risk assessment of your product and development cycle, provide you with ISO 26262-capable hardware, and teach you how to incorporate the development processes necessary to achieve the safety standard.
What is ISO 26262?
ISO 26262 is an international standard for road vehicles that provides a framework for functional safety throughout the development of electrical and electronic (E/E) systems. While some requirements are product specific, others address safety throughout the development lifecycle. The standard describes how companies should integrate functional safety into their development process, providing requirements and recommendations on how to achieve appropriate functional safety measures. To put it simply, it is a common standard for measuring and verifying the safety of a system before it is put into service.
ISO 26262 uses a system of steps that gives companies a way to manage functional safety and govern product development at the system, hardware, and software level, from concept development through decommissioning. The steps include applying an automotive risk-based approach to determine the risk classes of a system, called Automotive Safety Integrity Levels (ASILs). They also include practices that validate and confirm that a vehicle reaches an acceptable level of safety.
What Revisions Were Made to ISO 26262 In 2018?
The 2018 revision to the ISO 26262 standard, titled “Road Vehicles – Functional Safety,” includes industry feedback and updates based on advances in technology since the standard was originally published. The standard was reconstructed to provide more detailed objectives and extensions to the overall vocabulary. Additions to the ISO standard include:
· Objective-oriented confirmation measures
· Management of safety anomalies
· References to cyber-security
· Updated target values for hardware architecture metrics
· Evaluation of hardware elements
· Additional guidance on dependent failure analysis
· Guidance on fault tolerance, safety-related special characteristics, and software tools
· Guidance for model-based development and software safety analysis
In addition, two completely new parts were added to the standard: ISO 26262-11 for semiconductors and ISO 26262-12 for motorcycles.
The addition that concerns our customers most is the revision that extends the scope of the standard beyond light-duty, passenger-car applications to include trucks, buses, trailers, semitrailers, and motorcycles.
How and When Does ISO 26262 Apply to Your Project?
First, let’s address when your system is not required to comply with the newly released ISO 26262 standard. Unique E/E systems in special vehicles are exempt from the standard, including:
· Mopeds
· Prototypes
· Systems designed for drivers with disabilities
· Systems and components released for production prior to the publication date
· Systems and components still under development at the publication date
The standard is intended to be applied to safety-related E/E systems in production road vehicles, that is, any vehicle in use by the general public. As stated above, this now includes trucks, buses, trailers, semitrailers, and motorcycles. In addition, if you are making alterations to an existing system that was released for production prior to the publication date, those alterations fall within the scope of the updated standard.
What Does an ASIL Requirement Mean and How is it Determined?
In order to understand what ASIL requirements are, we must first look at Hazard Analysis and Risk Assessment (HARA). A HARA is used to identify and classify hazardous events caused by malfunctioning behavior within the system. Each hazard is assessed based on the effect the hazardous event could have on the overall E/E system and on the probability of the hazard actually manifesting. The assessment also takes into account the severity of the bodily injuries the driver or other passengers could sustain, the relative amount of time the vehicle is exposed to the hazard, and the probability that a typical driver could prevent the injury from occurring. Once all the hazards are assessed, the HARA process defines safety goals to prevent or reduce each hazard and assigns each safety goal an Automotive Safety Integrity Level (ASIL).
ASILs are an automotive-specific, risk-based approach that determines the risk class and integrity level of each safety goal. They also govern which of the standard’s requirements apply to each safety goal. The ASIL is a function of three variables: exposure, severity, and controllability.
Exposure – how often does the operational situation occur?
Severity – how severe is the potential harm?
Controllability – are the occupants, or operator, able to take control to mitigate any potential injuries?
Since the ISO 26262 standard was originally published in 2011, industry experience and practice in this area have been formalized in “SAE J2980 – Considerations for ISO 26262 ASIL Hazard Classification.” This document provides guidelines as to what each level means in a typical scenario. For example, controllability class C2, ‘Normally controllable,’ applies if 90% or more of all drivers are usually able to take control and avoid the specified harm. The guidelines can act as a rule of thumb in cases that require a judgement call.
Once these three items are established for each safety goal, the ASIL can be determined using the chart below.
While a “quality managed” (QM) rating signifies that the safety goal does not carry enough risk to require specific measures under the standard, those that do are given a rating of ASIL A through ASIL D, with D being the most demanding.
The safety goals, with their ASILs, are further refined into Functional Safety Requirements (FSRs), which inherit the same ASIL designations. Later in the development process, the requirements are allocated to units (e.g. ECUs) for implementation.
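As an added example (not code from the original page or from its authors), the following Python script implements the S/E/C-to-ASIL lookup described above. The lookup table is transcribed from the ASIL determination table in ISO 26262-3 (S1–S3, E1–E4, C1–C3). The hazardous events, safety goals and their classifications at the bottom are constructed sample data, not a real HARA, and the handling of class 0 (S0/E0/C0, which the table does not cover) as “QM” is a modelling choice of this example.

```python
"""ASIL determination from Severity, Exposure and Controllability.

Added example reproducing the ASIL determination table of ISO 26262-3.
The sample HARA rows at the bottom are constructed for illustration.
"""
from dataclasses import dataclass

# ISO 26262-3 ASIL determination table.
# Outer key: severity class S1..S3; inner key: exposure class E1..E4;
# tuple position 0..2: controllability class C1..C3.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}

# Ordering used to compare ASILs ("D" is the most demanding).
ASIL_ORDER = ["QM", "A", "B", "C", "D"]


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Return the ASIL ("QM" or "A".."D") for one S/E/C classification.

    Class 0 (S0 no injuries, E0 incredible, C0 controllable in general) lies
    outside the standard's table: no ASIL-rated safety goal results. This
    example represents that outcome as "QM" (a modelling choice, not wording
    from the standard). Out-of-range classes are rejected.
    """
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError(f"invalid classification S{severity}/E{exposure}/C{controllability}")
    if 0 in (severity, exposure, controllability):
        return "QM"
    return ASIL_TABLE[severity][exposure][controllability - 1]


def asil_by_sum_rule(severity: int, exposure: int, controllability: int) -> str:
    """Closed form of the same table: index = S + E + C - 6, clamped at QM.

    Useful as a cross-check that a hand-typed table has no transcription error.
    """
    index = max(0, severity + exposure + controllability - 6)
    return ASIL_ORDER[index]


def table_matches_sum_rule() -> bool:
    """True if the table and the closed form agree on all 36 combinations."""
    return all(
        determine_asil(s, e, c) == asil_by_sum_rule(s, e, c)
        for s in (1, 2, 3)
        for e in (1, 2, 3, 4)
        for c in (1, 2, 3)
    )


@dataclass(frozen=True)
class HazardousEvent:
    """One HARA row: a hazard in an operational situation, classified S/E/C."""
    hazard: str
    situation: str
    severity: int
    exposure: int
    controllability: int
    safety_goal: str


def safety_goal_asils(events) -> dict:
    """Assign each safety goal the highest ASIL of the events mapped to it.

    The same safety goal often covers several hazardous events (the same
    malfunction in different driving situations); the goal inherits the
    most demanding ASIL among them.
    """
    goals: dict = {}
    for ev in events:
        asil = determine_asil(ev.severity, ev.exposure, ev.controllability)
        current = goals.get(ev.safety_goal, "QM")
        if ASIL_ORDER.index(asil) > ASIL_ORDER.index(current):
            goals[ev.safety_goal] = asil
        else:
            goals.setdefault(ev.safety_goal, current)
    return goals


# Constructed sample HARA rows (illustrative classifications only).
SAMPLE_EVENTS = [
    HazardousEvent("Unintended full braking", "highway, high speed", 3, 4, 3,
                   "Prevent unintended braking"),
    HazardousEvent("Unintended full braking", "parking manoeuvre, low speed", 1, 3, 2,
                   "Prevent unintended braking"),
    HazardousEvent("Loss of low-beam headlights", "night driving, rural road", 3, 3, 2,
                   "Prevent loss of low-beam headlights"),
]

if __name__ == "__main__":
    for goal, asil in safety_goal_asils(SAMPLE_EVENTS).items():
        print(f"{goal}: ASIL {asil}")
```

Running the script prints one line per safety goal; the “Prevent unintended braking” goal ends up at ASIL D because its highway event (S3/E4/C3) dominates the low-speed parking event (S1/E3/C2, which on its own is QM).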