What is the ISO 26262 Functional Safety Standard?
What is ISO 26262? The functional safety standard ISO 26262 (International Organization for Standardization 26262), titled “Road vehicles — functional safety,” is used in the automotive sector, and ASIL is a key component in determining safety criteria for software development (software safety analysis). Adherence to this standard is essential for the development of automotive application products in the automotive industry; OEMs, their suppliers, and automotive component (automotive application) developers must all comply. For software development teams, we provide an overview of ISO 26262, ASIL (Automotive Safety Integrity Level), and ISO 26262 functional safety compliance guidelines (functional safety requirements).
Table of contents:
- ISO 26262 Functional Safety Standard
- Why Is ISO 26262 Important?
- The 10 Parts of ISO 26262
- Functional Safety For Software Developers
- ISO 26262 Tool Qualification
- What Is ASIL?
- How to Determine ASIL?
- ISO 26262 Compliance Guide
- Difference between IEC 61508 and ISO 26262
- Is ISO 26262 a legal requirement?
- What is automotive functional safety?
- Related questions
ISO 26262 Functional Safety Standard
ISO 26262, developed from IEC 61508, is a risk-based safety standard. It applies to production cars’ electric and/or electronic systems. Driver aid, propulsion, and vehicle dynamics control systems are all included. The functional safety standard encompasses all areas of functional safety throughout the development process, including:
- Requirements specification
Why Is ISO 26262 Important?
The standard’s purpose is to assure the safety of automotive equipment and systems during their entire safety life cycle. Every phase has its own set of requirements. This ensures that the vehicle is safe from the moment it is designed until the time it is retired. You can avoid or control systematic failures if you follow this standard. You’ll also be able to detect and control random hardware failures.
The 10 Parts of ISO 26262 are:
| Part | Scope |
|---|---|
| Part 2 | Management of functional safety |
| Part 3 | Concept phase |
| Part 4 | Product development at the system level |
| Part 5 | Product development at the hardware level |
| Part 6 | Product development at the software level |
| Part 7 | Production and operation |
| Part 8 | Supporting processes |
| Part 9 | ASIL-oriented and safety-oriented analysis |
| Part 10 | Guideline on the safety standard |
A section devoted to the safety of the intended function — SOTIF — was to be included in the second version of the safety standard. SOTIF, on the other hand, has since been published as an ISO/PAS 21448 standard.
Functional Safety For Software Developers
The most crucial portion for software engineers is Part 6. It outlines the actions that developers must follow to verify that each critical component is safe. Furthermore, Part 6 contains various tables that define the procedures that must be examined in order to meet the standard’s requirements.
ISO 26262 Tool Qualification
Any tool used in the creation of automobiles must be qualified. Part 8 gives instructions on how to qualify tools.
It calls for the following:
- Software tool qualification plan.
- Software tool documentation.
- Software tool classification analysis.
- Software tool qualification report.
Some tools are easier to qualify than others. Helix QAC, for example, is a static code analyzer for C and C++ that comes with certificates of conformity to make the qualification process easier.
What Is ASIL?
The Automotive Safety Integrity Level (ASIL) is a crucial component of ISO 26262 that is used to assess the risk of a system component. The larger the system’s complexity, the greater the chance of systematic and random hardware failures. A–D represents the four levels of Automotive Safety Integrity. ASIL A is the lowest level of risk, and ASIL D is the highest; the compliance requirements become more stringent as you progress from A to D. There is also a fifth option — QM — when defining Automotive Safety Integrity Levels (quality management). This is used to indicate that the component has no safety requirements. (However, in order to improve product quality management, it’s usually a good idea to comply.)
How to Determine ASIL?
ASIL is determined by three factors: severity, exposure, and controllability.
Severity measures the extent of harm that a system failure could cause. Both persons and property are considered.
There are four severity levels:
- S0: No injuries.
- S1: Light to moderate injuries.
- S2: Severe to life-threatening (survival probable) injuries.
- S3: Life-threatening (survival uncertain) to fatal injuries.
The possibility of a given failure resulting in a safety issue is referred to as exposure.
Each condition’s probability is ranked on a five-point scale:
- E0: Incredibly unlikely.
- E1: Very low probability (injury may only occur in rare operating conditions).
- E2: Low probability.
- E3: Medium probability.
- E4: High probability (injury may occur under most operating conditions).
When a dangerous state occurs, controllability is a measure of the likelihood of avoiding harm. This circumstance could be caused by the driver’s behavior or by external factors.
A hazardous situation’s controllability is graded on a four-point scale:
| Class | Controllability |
|---|---|
| C0 | Controllable in general |
| C2 | Normally controllable (the majority of drivers could act to prevent injury) |
| C3 | Difficult to control or uncontrollable |
You may calculate the Automotive Safety Integrity Level once you’ve determined the severity, probability, and controllability.
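The ASIL determination step described above, as an added example that is not part of the original article: it implements the S/E/C-to-ASIL table from ISO 26262-3 (any S0, E0 or C0 class gives QM; otherwise the class numbers S+E+C map 7→A, 8→B, 9→C, 10→D, and anything lower is QM) and applies it to a few constructed hazardous events. The `HazardousEvent` type and the sample events are assumptions for illustration, not values from any real hazard analysis.

```python
# Added example: ASIL determination from severity (S), exposure (E) and
# controllability (C) classes, equivalent to the table in ISO 26262-3.
from dataclasses import dataclass

ASIL_BY_SCORE = {7: "A", 8: "B", 9: "C", 10: "D"}


@dataclass(frozen=True)
class HazardousEvent:  # hypothetical helper type for this example
    name: str
    severity: int         # S0..S3
    exposure: int         # E0..E4
    controllability: int  # C0..C3


def determine_asil(s: int, e: int, c: int) -> str:
    """Return 'QM', 'A', 'B', 'C' or 'D' for the given S/E/C classes."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"class out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        # No injury, incredibly unlikely, or controllable in general: no ASIL.
        return "QM"
    return ASIL_BY_SCORE.get(s + e + c, "QM")


def classify(events):
    """Map each hazardous event name to its determined ASIL."""
    return {ev.name: determine_asil(ev.severity, ev.exposure, ev.controllability)
            for ev in events}


def asil_table():
    """Render the full S1..S3 x E1..E4 table, one row per (S, E) with C1..C3."""
    return [(f"S{s}", f"E{e}", [determine_asil(s, e, c) for c in range(1, 4)])
            for s in range(1, 4) for e in range(1, 5)]


# Constructed sample events (illustrative classifications only).
SAMPLE_EVENTS = [
    HazardousEvent("Unintended full braking on motorway", 3, 4, 3),
    HazardousEvent("Loss of low beam on a lit urban road", 2, 3, 3),
    HazardousEvent("Infotainment reboot while parked", 0, 4, 1),
]

if __name__ == "__main__":
    for name, asil in classify(SAMPLE_EVENTS).items():
        print(f"{asil:>2}  {name}")
```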
ISO 26262 Compliance Guide
Whether you’re building traditional automotive components (such as integrated circuits) or virtual ones (e.g., automotive hypervisors), adhering to the safety standard is critical. It’s also vital to maintain compliance throughout the safety life cycle of your automotive embedded software development. Compliance, however, can be tough for development teams: systems and codebases are becoming increasingly complex, which makes software harder to test and validate. Using software development tools will make it easier.
Complying with regulations — and showing that you did so — is a time-consuming procedure. The requirements must be documented and linked to other artifacts, such as tests, problems, and source code. Using a solution like Helix ALM, you can make your verification process easier by establishing requirements traceability. It also aids risk management during the development phase.
In addition, if you’re working on automotive semiconductors, a tool like Methodics IPLM can help you establish verification traceability for your designs. Methodics IPLM can also assist you with ISO 26262 functional safety certification management.
Storing your code in Helix Core, version control from Perforce, ensures that all of your digital assets have a secure revision history. Fine-grained access controls, highly visible audit logs, strong password security, and secure replication are all included. Consequently, you can have confidence in your code.
Apply a Coding Standard
Ensuring that code is safe, secure, and reliable can be challenging: specific coding and design criteria must be followed. Using a coding standard such as MISRA® or AUTOSAR makes it easier to check your code against the safety standard’s recommendations, especially when the checks are automated with a static analyzer such as Helix QAC.
Difference between IEC 61508 and ISO 26262
Did you know that the ISO 26262 standard evolved from the IEC 61508 standard? Even now, their vocabularies, techniques, and applications are similar. So, how do you decide which standard to include in your industry’s functional safety guidelines? The twelve-part ISO 26262 standard applies only to on-road vehicles, such as passenger cars, lorries, buses, and motorcycles, and it covers electrical/electronic components from design through manufacture. IEC 61508, on the other hand, is a seven-part industrial standard covering machinery, oil wells, chemical facilities, nuclear sites, forklifts, and robots. Its parts are:
- Part 1: Overall normative requirements at system level
- Part 2: System and hardware development
- Part 3: Software development
- Part 4: Definitions
- Parts 5, 6, 7: Informative guidelines
The necessity of safety assessments such as Fault Tree Analysis (FTA), Failure Modes and Effects Analysis (FMEA), and quantified analysis is addressed in both standards. The hardware metrics in the two standards, however, are radically different, despite the fact that they both use a similar technique called FMEDA (Failure Modes, Effects and Diagnostic Analysis).
Another significant distinction is in the risk assessment. ISO 26262 incorporates a very precise Hazard Analysis and Risk Assessment (HARA) procedure. However, IEC 61508 allows for more freedom in their Hazard and Risk Analysis, allowing for the use of a variety of approaches to assess dangers, including those found in the ISO 12100 standard.
IEC 61508 refers to its stringency levels as Safety Integrity Levels (SIL), whilst ISO 26262 refers to them as Automotive Safety Integrity Levels (ASIL). To better clarify these guidelines, parallels, and distinctions, UL now provides UL Certified Functional Safety Professional (UL-CFSP) automotive and IEC 61508 training with the option of certification.
Is ISO 26262 a legal requirement?
The legal implications of ISO 26262 are not limited to the use of a product that has been created in accordance with the standard’s processes. The standard’s user must meet legal requirements as early as the safety concept phase, and through the development and production phases.
What is automotive functional safety?
ISO 26262 is a functional safety standard for automotive equipment that applies throughout the safety life cycle of all electronic and electrical safety related systems in automobiles. Its goal is to mitigate the potential dangers posed by electronic and electrical systems that are failing (malfunctions).
What is ASPICE in automotive?
German automakers created the Automotive Software Performance Improvement and Capability Determination (ASPICE) automotive standard. It gives you some broad ideas for improving your software development processes and evaluating vendors.
What is a latent fault?
A latent fault is a flaw that is not readily apparent. A flaw that is present but cannot be detected using standard methods. Latent faults are usually only discovered as a result of an accident or a thorough proof test.
What is a SIL rating?
A safety integrity level (SIL) is a relative level of risk reduction given by a safety function, or a target level of risk reduction specified by a safety function. Simply said, SIL is a measurement of the needed performance for a safety instrumented function (SIF).
Why is functional safety important?
Functional safety is the part of the overall safety of a system or piece of equipment that depends on automatic protection. This automatic protection system must respond correctly to its inputs, and it should fail in predictable ways.
What is ASIL decomposition?
ASIL decomposition is a mechanism, detailed in the ISO 26262 standard, for assigning ASILs to redundant requirements. The purpose of building systems from the bottom up is to achieve a desired system-level ASIL from component pieces that already have some ASIL associated with them.
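The decomposition rule described above, as an added example that is not from the original article: it encodes the decomposition schemes permitted by ISO 26262-9 (for example ASIL D into C(D)+A(D), B(D)+B(D) or D(D)+QM(D)), shows that they are equivalent to an arithmetic rule on the levels, and only grants decomposition credit when the two redundant elements are flagged as sufficiently independent. The `decompose` function and the `independent` flag are assumptions for illustration; in practice that independence must be demonstrated by a dependent-failure analysis.

```python
# Added example: validating a proposed ASIL decomposition (ISO 26262-9).
# "C(D)" denotes a decomposed requirement at ASIL C whose original ASIL was D;
# the bracketed level is kept because some activities still follow it.
LEVEL = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

# Decomposition schemes listed in ISO 26262-9 (target ASIL -> permitted pairs).
SCHEMES = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}


def is_valid_decomposition(target: str, part1: str, part2: str) -> bool:
    """Arithmetic form of the schemes: the two parts' levels sum to the target
    level and neither exceeds it. QM itself cannot be decomposed."""
    t, p, q = LEVEL[target], LEVEL[part1], LEVEL[part2]
    return t > 0 and p + q == t and max(p, q) <= t


def schemes_match_rule() -> bool:
    """Self-check: the arithmetic rule reproduces exactly the tabulated schemes."""
    names = list(LEVEL)
    for target, allowed in SCHEMES.items():
        derived = {tuple(sorted((p, q), key=lambda a: -LEVEL[a]))
                   for p in names for q in names
                   if is_valid_decomposition(target, p, q)}
        if derived != allowed:
            return False
    return True


def decompose(target: str, part1: str, part2: str, independent: bool):
    """ASILs to allocate to two redundant elements implementing one requirement.
    Without sufficient independence (no common-cause failure between the two),
    no decomposition credit is taken and both elements keep the original ASIL."""
    if not independent:
        return (target, target)
    if not is_valid_decomposition(target, part1, part2):
        raise ValueError(f"{part1}+{part2} is not a permitted split of ASIL {target}")
    return (f"{part1}({target})", f"{part2}({target})")


if __name__ == "__main__":
    # Constructed example: an ASIL D requirement split across a main
    # controller (C) and an independent monitor (A).
    print(decompose("D", "C", "A", independent=True))
    print(decompose("D", "C", "A", independent=False))
```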
What is a functional safety engineer?
Job description: Responsible for system-level functional safety development and related tests during the development of safety systems, in order to efficiently meet the requirements of associated standards such as ISO 26262.
What is the single point fault metric?
The single point fault metric (SPFM) is a hardware architectural metric that determines whether or not the safety mechanisms’ coverage is sufficient to prevent risk (safety risks) from single point errors in the hardware design. The other hardware architectural metric is the latent fault metric (LFM).
What is functional safety management?
Functional Safety Management refers to all activities (functional safety activities) that must take place during a product’s or process’s Functional Safety Life cycle phases in order to achieve the requisite degree of Functional Safety. The Functional Safety Life cycle is essential to IEC 61511 and the prevention of systematic failures.
What is QM in ASIL?
The maximum level of automobile hazard is ASIL D, whereas the lowest level is ASIL A. There is also a level known as QM (Quality Management), which reflects hazards that do not impose any safety standards.
What is system safety analysis?
System Safety Assessment (SSA) is a methodical and thorough examination of the architecture, design, and installation of systems to ensure that all applicable safety criteria are met. Throughout the aircraft development process, SSA is a continual and iterative process.
How do you become a functional safety engineer?
To become a TÜV Rheinland Functional Safety Engineer (Automotive), you must complete the following steps:
- Take the exam and pass it.
- Have at least three years of experience in the field of functional safety and be able to demonstrate technical qualifications (e.g., as an engineer, computer scientist, physicist, etc.).
What is a functional safety assessment?
The job normally comprises an audit of existing processes and procedures to guarantee compliance with IEC 61511 criteria, as well as verification of each stage of the lifecycle and validation (safety validation) of the entire set of safety requirements.
What is a fault tolerant time interval?
For each safety goal, the Fault Tolerant Time Interval should be defined. The FTTI is simply the amount of time a fault can exist in a system before it causes a possible hazard. As a result, the FTTI is a total goal time that the system must achieve in order to transition to a safe state.
Relevant Information on ISO 26262
- One of the safety goals of ISO 26262 is to provide safety validation and confirmation standards to guarantee that an adequate and acceptable level of safety is met (safety requirements).
- ISO 26262 aims to improve the tool confidence level (qualification of software tools for the intended and actual use).
- ISO 26262 provides an automotive safety life cycle (safety management, development, manufacture, operation, service, and decommissioning) and assists in adapting the required tasks during different phases of the safety life cycle.
- OEMs can use ISO 26262 to vet their supply chain and guarantee that E/E safety hazards (safety-related E/E systems) don’t arise later in the manufacturing process, when problems are far more expensive to rectify.
- The standard includes an automotive-specific method for determining risk classes or Automotive Safety Integrity Levels (ASIL).
- Hazardous Event: The outcome of a vehicle-level hazard and operational situation that, if not addressed by appropriate and timely driver action, could result in an accident and/or harm.
- The Automotive Safety Integrity Level (ASIL) aids in the identification of ISO requirements and safety measures to be used in the design and function of an item or element in order to minimize unjustifiable risk (safety risks).
- ISO 26262 does not cover the particular E/E safety-related systems found in special purpose vehicles, such as those developed for drivers with disabilities.
- Unless directly caused by faulty behavior of safety-related E/E systems, ISO 26262 does not cover risks such as electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, energy release, and similar hazards.
- ISO 26262 standard ensures that adequate levels of safety are being met (safety requirements) and maintained throughout the vehicle lifecycle.
- Even if separate functional performance standards exist for E/E safety-related systems (e.g. active and passive safety systems, brake systems, Adaptive Cruise Control), ISO 26262 does not address their nominal performance.
- Because ISO 26262 assumes that someone is driving the vehicle, it does not directly pertain to fully autonomous vehicles.
- The ISO 26262 standard defines methodologies for using ASILs to specify needed safety requirements to achieve an acceptable level of residual risk.