The Cost of ASIL Compliance

The cost and complexity of compliance may increase by as much as an order of magnitude with each step from ASIL A to ASIL D. While ASIL A may have only limited effects on the development process, it is assumed that safety goals with an ASIL D rating have significant cost and timing effects for a program.

For example, to plan, execute, verify, and document compliance, the following effort multipliers could be considered:

Functional System : 1
ASIL A : 1.5x – 3x
ASIL B : 2x – 4x
ASIL C : 5x – 8x
ASIL D : 10x+

These multipliers depend heavily on current process maturity, system design, and system requirements. Specific requirements and obligatory work items for software, hardware, and tools are provided within the safety standard.

How Can ASIL Decomposition Save Time and Money?

ISO 26262:9 describes ASIL-oriented and safety-oriented analyses. One of these is ASIL Decomposition, whereby ASILs and their requirements are decomposed over redundant and sufficiently independent elements within your design. As higher ASILs typically incur higher costs, decomposition can help to meet safety requirements with reduced cost and effort.

Decomposing the different ASIL levels typically follows a predefined pattern, often occurring over multiple ASIL levels since the ISO standard allows for multilevel decomposition. The figure below shows an example of the decomposition of an ASIL D using three different approaches.

Decomposition of the different ASIL ratings throughout the system can occur over different elements, working down through the system, subsystems, software, and hardware. ASIL decomposition is typically performed manually and must result in redundant safety requirements allocated to design elements of sufficient technical independence. Here at New Eagle, we have certified staff and experience with ASIL tailoring, such as ASIL Decomposition, which may be applied within your project to save cost and time.
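The predefined pattern and multilevel decomposition described above can be checked mechanically. The sketch below is an added example, not New Eagle code: the scheme table is taken from ISO 26262-9 rather than from this page, and the function names and sample proposals are illustrative assumptions.

```python
from itertools import product

ORDER = ["D", "C", "B", "A", "QM"]  # highest to lowest integrity

# Two-way decomposition schemes, stated from ISO 26262-9 (not from this
# page, which only says ASIL D has three; its figure is not reproduced).
SCHEMES = {
    "D": [("C", "A"), ("B", "B"), ("D", "QM")],
    "C": [("B", "A"), ("C", "QM")],
    "B": [("A", "A"), ("B", "QM")],
    "A": [("A", "QM")],
    "QM": [],
}


def label(level, goal):
    """Decomposed requirements keep the safety goal's ASIL in parentheses."""
    return f"QM({goal})" if level == "QM" else f"ASIL {level}({goal})"


def allocations(level, max_depth):
    """Every set of element ratings reachable from `level` in at most
    `max_depth` nested decomposition steps (multilevel decomposition)."""
    found = {(level,)}
    if max_depth > 0:
        for left, right in SCHEMES[level]:
            for l, r in product(allocations(left, max_depth - 1),
                                allocations(right, max_depth - 1)):
                found.add(tuple(sorted(l + r, key=ORDER.index)))
    return found


def is_valid_allocation(goal, element_levels, max_depth=2):
    """Check only the ASIL arithmetic of a proposed allocation. Sufficient
    independence of the elements must still be argued separately."""
    proposed = tuple(sorted(element_levels, key=ORDER.index))
    return proposed in allocations(goal, max_depth)


if __name__ == "__main__":
    for alloc in sorted(a for a in allocations("D", 1) if len(a) > 1):
        print(" + ".join(label(lvl, "D") for lvl in alloc))
    # Constructed proposals for an ASIL D safety goal.
    for proposal in (["B", "A", "A"], ["C", "QM"], ["A", "A"]):
        print(proposal, is_valid_allocation("D", proposal))
```

A passing check covers only the rating pattern. The independence of the elements receiving the decomposed requirements is a separate argument that this code does not make.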

Path to Production

Based on your ASIL allocations after decomposition, you need to select an ECU to be utilized in your design that will best meet the requirements defined by the ISO 26262 standard. For each ASIL, you will likely have a list of required diagnostic coverage mechanisms. In a typical safety design, for example, processors integrate a self-checking safety monitor. Additionally, intended hardware typically includes pre-established safety features, such as error correcting code (ECC) and a programmable watchdog timer, to help detect system failures and runtime faults. A modern central processing unit (CPU) will utilize a multicore architecture with a hardware lock-step safety mechanism, which can significantly reduce complexity while improving reliability and availability. These modern architectures include built-in self-test and optimization to prevent common cause failures.

Using an off-the-shelf component in a safety design requires that the component be capable of executing the necessary functions, compatible with your system design, and well documented. Typically, the component would be documented as a Safety Element out of Context (SEooC). It’s important to understand which subcomponents in the ECU can be defined as safety-critical dependencies for an application, as these elements may be used in your safety design. Diagnostic coverage mechanisms must be in place and able to detect dangerous failures within these components in order for them to be used in a safety function. These assumptions should be documented by the ECU vendor within a Safety Manual and must be taken into account, because they constrain the applicability of an off-the-shelf part for any given design.

Here at New Eagle, we have several Raptor™ hardware design options available for production projects that require ISO 26262. These safety-capable ECUs target ASIL B – ASIL D and include a range of I/O and communication interfaces.

· GCM196 / ECM196 – This ASIL B capable hardware design is built on the standard automotive e-gas monitoring concept commonly used for powertrain control. Depending on the results of ASIL Decomposition, this is an excellent option for multiple safety goals with various ASIL ratings. This control module has three CAN buses, one LIN bus, and a large variety of I/O.

· C48 – This powerful general-purpose control module is perfect for applications that require advanced performance, timing systems, and functional safety capabilities. The CPU is a high-performance multi-core architecture that can support the highest level of functional safety (ASIL-D).

· GCM121 – This ASIL C capable, general-purpose control module is perfect for applications that require advanced performance, timing systems, and functional safety capabilities. It has a broad communication capacity with its four CAN buses, two LIN buses, and one Ethernet bus.

· C112 – This powerful general-purpose control module is perfect for applications that require advanced performance and heavy communication requirements due to its four CAN buses, two LIN buses, and Ethernet capabilities. The CPU is a high-performance multi-core architecture that can support the highest level of functional safety (ASIL-D).

These examples illustrate a range of design options, which can be matched with your system requirements to create a solution compatible with your needs. All ISO 26262 production projects require safety planning and implementation assistance from our Functional Safety Certified staff. Please contact our sales team to discuss our available options.