
ISO 26262 Risk Management for Automotive

Introduction:

Long gone are the days when safety practices in the automotive industry were a mere afterthought. Today, all major car manufacturers rely on standardized practices that help them design safer cars more efficiently. One such set of practices is ISO 26262, first published in 2011 by the International Organization for Standardization (ISO) as the automotive adaptation of the generic functional safety standard IEC 61508, to address the functional safety of electrical and/or electronic (E/E) systems in production road vehicles.

What Is ISO 26262?

Unlike other standards in the car industry, ISO 26262 focuses on functional safety: the absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E systems. In practice this means showing that each safety-related component does what it was designed to do, when it is supposed to do it, and that foreseeable faults are detected or tolerated before they can cause harm.

By complying with this standard, car manufacturers can avoid or at least minimize systematic failures, control the risk from random hardware failures, minimize the risk of harm to people, ensure compliance with relevant international regulations, avoid costly product recalls and reputational damage, and generally maintain their competitive advantage.

Other standards have a different focus. MISRA (Motor Industry Software Reliability Association) publishes coding guidelines (MISRA C, MISRA C++) that restrict language features so that embedded automotive software is more reliable and easier to analyse; it is a safety and quality standard rather than a security one, although many of its rules also eliminate classic memory-safety defects. SAE J3061 from the Society of Automotive Engineers (SAE) is a cybersecurity guidebook that provides an engineering process to design and build cybersecurity into vehicle systems in a comprehensive and systematic way; it has largely been superseded by ISO/SAE 21434 (2021), which is meant to be applied alongside ISO 26262 rather than instead of it. AEC-Q100 from the Automotive Electronics Council deals with stress-test qualification of integrated circuits for automotive applications.

Overview of ISO 26262

ISO 26262:2011 consists of ten parts, of which Parts 1 to 9 are normative and Part 10 is an informative guideline; several parts are further divided into clauses. (The second edition, ISO 26262:2018, reworked these and added Part 11, guidelines on application to semiconductors, and Part 12, adaptation for motorcycles, but the structure below is still the one most material refers to.) The ten parts are:

  1. Vocabulary – This part specifies key terms such as “fault”, “error” and “failure” and highlights the differences between them: a fault is an abnormal condition that can cause an element or item to fail, an error is the discrepancy between a computed or observed value and the correct one, and a failure is the termination of an element’s ability to perform a function as required.
  2. Management of Functional Safety – This part deals with overall safety management, project-dependent safety management, and safety management regarding production, operation, service, and decommissioning.
  3. Concept Phase – This part includes item definition, hazard analysis and risk assessment (HARA), and the functional safety concept.
  4. Product Development at the System Level – This part explains the general topics for product development at the system level, along with the technical safety concept, system and item integration, testing, and safety validation.
  5. Product Development at the Hardware Level – This part deals with general topics for product development at the hardware level, specification of hardware safety requirements, evaluation of the hardware architectural metrics, evaluation of safety goal violations due to random hardware failures, and hardware integration and verification.
  6. Product Development at the Software Level – This part covers general topics for product development at the software level, specification of software safety requirements, software architectural design, software unit design and implementation, software unit verification, software integration and verification, and verification of the embedded software against its safety requirements.
  7. Production, Operation, Service, and Decommissioning – This part describes planning for production, operation, service, and decommissioning.
  8. Supporting Processes – This lengthy part includes interfaces within distributed developments, specification and management of safety requirements, configuration management, change management, verification, documentation management, confidence in the use of software tools, qualification of software components, evaluation of hardware elements, the proven-in-use argument, interfacing an application that is out of scope of ISO 26262, and integration of safety-related systems not developed according to ISO 26262.
  9. Automotive Safety Integrity Level (ASIL)-Oriented and Safety-Oriented Analysis – This important part deals with requirements decomposition with respect to ASIL tailoring, criteria for the coexistence of elements, analysis of dependent failures, and safety analysis. ASIL is a key component of ISO 26262 compliance because it classifies the risk of a hazardous event to the driver and other road users from a combination of the severity, exposure, and controllability of the vehicle operating scenario. Depending on that combination, safety goals and the safety requirements derived from them are assigned an ASIL of A, B, C, or D, with D being used for the most safety-critical requirements; Part 9 also defines how an ASIL may be decomposed across redundant, independent requirements.
  10. Guideline on ISO 26262 – Finally, the last part serves as a concise guideline on ISO 26262, listing its scope, normative references, and key concepts.

Together, the different parts of ISO 26262 provide a system of steps with the purpose of helping car manufacturers regulate product development on a system, hardware, and software level and manage functional safety. The steps cover the entire development process, including requirements specification, design, implementation, integration, verification, validation, and configuration.

Advantages of Implementing ISO 26262:

There are many benefits of implementing ISO 26262, including:

  • Improved Product Development Processes: ISO 26262 provides a framework for designing and developing safe products. By following the requirements of the standard, automakers can improve their product development processes and ensure that their vehicles are safe.
  • Reduced Liability: Automakers that comply with ISO 26262 can reduce their liability in the event of an accident. The standard provides a clear set of requirements that must be met in order to design and develop safe products. By following these requirements, automakers can demonstrate that they have taken all reasonable steps to ensure the safety of their products.
  • Improved Customer Satisfaction: Customers are increasingly concerned about the safety of vehicles. By complying with ISO 26262, automakers can show customers that they are committed to safety and that their products meet the highest standards. This can lead to improved customer satisfaction and loyalty.
  • Increased Market Share: Automakers that comply with ISO 26262 can differentiate themselves from their competitors and gain a competitive advantage. The standard provides a way for automakers to show that they are serious about safety and that their products meet the highest standards. This can lead to increased sales and market share.

Disadvantages of Implementing ISO 26262:

There are some disadvantages of implementing ISO 26262, including:

  • Increased Costs: The cost of compliance with ISO 26262 can be significant. Automakers will need to invest in training, tools, and processes to meet the requirements of the standard. In addition, the costs of liability insurance may increase for automakers that comply with ISO 26262.
  • Bureaucracy: Some critics argue that ISO 26262 is too bureaucratic and that it imposes unnecessary costs on automakers. They argue that the standard should be voluntary so that only those companies that want to comply with it do so.
  • Time-Consuming: Implementing ISO 26262 can be time-consuming and disruptive to product development timelines. Automakers will need to make changes to their product development processes and train their employees on the requirements of the standard. This can lead to delays in product development and launch.

Despite these disadvantages, many automakers are choosing to comply with ISO 26262 as a way to improve their product development processes and ensure the safety of their vehicles. The benefits of compliance outweigh the costs, and the standard is becoming increasingly popular among automakers around the world.

Functional Safety For the Software Developers:

Part 6 is the most important for software developers. It describes the steps developers take to ensure the safety of each software component across the software safety lifecycle: specifying software safety requirements, architectural design, unit design and implementation, unit verification, integration and verification, and verification of the embedded software. For each activity it provides tables of methods (for example, coding guidelines, control-flow and data-flow analysis, static analysis, structural coverage such as statement, branch and MC/DC coverage, and back-to-back testing against a model) and rates each method for every ASIL as highly recommended (++), recommended (+), or no recommendation (o). A method marked ++ for the target ASIL must either be applied or its omission justified in the safety case.

Tool Qualification for ISO 26262:

The tools used in the development process must also be qualified, because a defective compiler, code generator, or test tool could introduce an error into the product or mask one. Part 8 (clause 11, “Confidence in the use of software tools”) defines how. Each tool is first classified by its Tool Impact (TI1: the tool cannot introduce an error into a safety-related item or fail to detect one; TI2: it can) and its Tool error Detection (TD1 to TD3: high, medium or low confidence that such an error would be prevented or detected by other measures in the process). Together these give the Tool Confidence Level: TI1, or TI2 with TD1, yields TCL1, which needs no qualification; TI2 with TD2 yields TCL2 and TI2 with TD3 yields TCL3, both of which require qualification by methods selected according to the ASIL, such as increased confidence from use, evaluation of the tool development process, validation of the tool, or development of the tool in accordance with a safety standard. The work products of this clause are:

  • Software tool criteria evaluation report (the classification analysis)
  • Software tool qualification plan
  • Software tool documentation
  • Software tool qualification report

What is the Automotive Safety Integrity Level?

The Automotive Safety Integrity Level, abbreviated as ASIL, is one of the most important components of the ISO 26262 standard. It is a risk classification assigned to each hazardous event identified during hazard analysis and risk assessment, and inherited by the safety goal and the safety requirements derived from it. The ASIL expresses how much risk reduction the E/E system must provide, not how complex the system is; it drives the rigour of the development methods required and the targets for the random hardware failure metrics.

ASIL has four levels, A, B, C, and D, where A represents the lowest level of risk and D the highest. Apart from these four, there is also a fifth classification, Quality Management (QM), which means that the hazard does not require safety measures under ISO 26262 and the organisation’s normal quality management process is sufficient; no ISO 26262 safety requirements are derived from a QM-rated hazard.

How to determine ASIL?

ASIL is determined on the basis of three factors:

  • Severity (S)
  • Exposure (E)
  • Controllability (C)

Severity measures the seriousness of the injuries that people (vehicle occupants and other road users) could suffer if the hazardous event occurs; property damage is not part of the classification. There are four classes of severity:

  • S3 – Life-threatening injuries (survival uncertain) and fatal injuries
  • S2 – Severe and life-threatening injuries (survival probable)
  • S1 – Light and moderate injuries
  • S0 – No injuries

Exposure measures the probability that the vehicle is in the operational situation (road type, speed, weather, manoeuvre) in which the malfunction would lead to the hazardous event. There are five classes of exposure:

  • E4 – High probability
  • E3 – Medium probability
  • E2 – Low probability
  • E1 – Very low probability
  • E0 – Incredible

Controllability measures the probability that the driver or other people involved can act in time to avoid harm once the hazardous event occurs. There are four classes of controllability:

  • C3 – Difficult to control or uncontrollable (fewer than 90% of drivers can usually avoid harm)
  • C2 – Normally controllable (90% or more of drivers can usually avoid harm)
  • C1 – Simply controllable (99% or more of drivers can usually avoid harm)
  • C0 – Controllable in general

Once the classes of severity, exposure, and controllability are determined, the ASIL of the hazardous event is read from the S/E/C table in Part 3 (Table 4 of ISO 26262-3:2011). Any event rated S0, E0 or C0 is QM; the remaining combinations range from QM up to ASIL D, which is reached only for S3, E4, C3. The safety goal written for the event carries that ASIL, and so do the functional and technical safety requirements derived from it unless ASIL decomposition per Part 9 is applied (for example, ASIL D into ASIL C(D) plus ASIL A(D), or ASIL B(D) plus ASIL B(D), over two sufficiently independent requirements).
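The following Python script is added here as a worked example; it is not taken from the standard, from Visure Requirements, or from any other tool. It encodes the S/E/C table of ISO 26262-3 and the ASIL decomposition pairs of ISO 26262-9, then runs a consistency check over a constructed set of safety goals and requirements of the kind a requirements tool would trace. The item (an electronic throttle), the hazard descriptions, the SG-/SR- identifiers, and the `decomposed_with` field are assumptions made for illustration.

```python
"""ASIL determination (ISO 26262-3 S/E/C table) plus a traceability check
using the ASIL decomposition rules of ISO 26262-9.
Added illustration: the item, identifiers and field names are assumed."""
from dataclasses import dataclass
from typing import List, Optional

ASIL_ORDER = ["QM", "A", "B", "C", "D"]

# ISO 26262-3:2011 Table 4. Rows keyed by (S, E); columns are C1, C2, C3.
# Any classification containing S0, E0 or C0 is QM and never reaches this table.
ASIL_TABLE = {
    (1, 1): ("QM", "QM", "QM"), (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),  (1, 4): ("QM", "A", "B"),
    (2, 1): ("QM", "QM", "QM"), (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A", "B"),   (2, 4): ("A", "B", "C"),
    (3, 1): ("QM", "QM", "A"),  (3, 2): ("QM", "A", "B"),
    (3, 3): ("A", "B", "C"),    (3, 4): ("B", "C", "D"),
}

# ISO 26262-9 clause 5: permitted decompositions of an ASIL into two redundant,
# sufficiently independent requirements (stored as unordered pairs, higher first).
DECOMPOSITIONS = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}


def determine_asil(s: int, e: int, c: int) -> str:
    """Return "QM" or "A".."D" for a severity/exposure/controllability triple."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"classification out of range: S{s}/E{e}/C{c}")
    if s == 0 or e == 0 or c == 0:
        return "QM"
    return ASIL_TABLE[(s, e)][c - 1]


def is_valid_decomposition(parent: str, child_a: str, child_b: str) -> bool:
    """True if child_a + child_b is a permitted decomposition of parent."""
    pair = tuple(sorted((child_a, child_b), key=ASIL_ORDER.index, reverse=True))
    return pair in DECOMPOSITIONS.get(parent, set())


@dataclass
class SafetyGoal:
    goal_id: str
    hazard: str
    s: int
    e: int
    c: int

    @property
    def asil(self) -> str:
        return determine_asil(self.s, self.e, self.c)


@dataclass
class SafetyRequirement:
    req_id: str
    goal_id: str
    asil: str
    decomposed_with: Optional[str] = None  # partner requirement if decomposed (assumed field)


def check_traceability(goals: List[SafetyGoal], reqs: List[SafetyRequirement]) -> List[str]:
    """Return findings; an empty list means goals and requirements are consistent."""
    findings = []
    goal_by_id = {g.goal_id: g for g in goals}
    req_by_id = {r.req_id: r for r in reqs}
    covered = set()
    for r in reqs:
        g = goal_by_id.get(r.goal_id)
        if g is None:
            findings.append(f"{r.req_id}: traces to unknown safety goal {r.goal_id}")
            continue
        covered.add(g.goal_id)
        if r.decomposed_with is None:
            # Without decomposition a requirement inherits the goal's ASIL unchanged.
            if r.asil != g.asil:
                findings.append(f"{r.req_id}: ASIL {r.asil} but goal {g.goal_id} is ASIL {g.asil}")
            continue
        p = req_by_id.get(r.decomposed_with)
        if p is None or p.decomposed_with != r.req_id or p.goal_id != r.goal_id:
            findings.append(f"{r.req_id}: decomposition partner {r.decomposed_with} missing or not reciprocal")
        elif not is_valid_decomposition(g.asil, r.asil, p.asil):
            findings.append(f"{r.req_id}+{p.req_id}: {r.asil}+{p.asil} is not a permitted decomposition of ASIL {g.asil}")
    for g in goals:
        if g.goal_id not in covered:
            findings.append(f"{g.goal_id}: ASIL {g.asil} safety goal has no safety requirement")
    return findings


# Constructed sample data for an assumed electronic throttle item.
GOALS = [
    SafetyGoal("SG-1", "Unintended acceleration at highway speed", 3, 4, 3),  # ASIL D
    SafetyGoal("SG-2", "Loss of throttle response while parked", 1, 2, 1),    # QM
    SafetyGoal("SG-3", "Unintended acceleration while parking", 2, 3, 2),     # ASIL A
]
REQS = [
    SafetyRequirement("SR-1", "SG-1", "C", decomposed_with="SR-2"),  # ASIL C(D)
    SafetyRequirement("SR-2", "SG-1", "A", decomposed_with="SR-1"),  # ASIL A(D)
    SafetyRequirement("SR-3", "SG-2", "QM"),
    SafetyRequirement("SR-4", "SG-3", "B"),  # deliberately wrong: the goal is ASIL A
]

if __name__ == "__main__":
    for g in GOALS:
        print(g.goal_id, f"S{g.s}/E{g.e}/C{g.c}", "->", g.asil)
    for finding in check_traceability(GOALS, REQS):
        print("FINDING:", finding)
```

Running the script prints the ASIL of each constructed goal and one finding for SR-4, whose ASIL does not match its safety goal. The check is deliberately strict about reciprocity: a decomposed requirement whose partner does not point back, or traces to a different goal, is reported even if the ASIL pair itself is permitted, because the independence argument required by Part 9 has to be made for the pair as a whole.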

How to Support ISO 26262?

There are many important benefits associated with adherence to ISO 26262. Those who comply with this standard identify E/E safety hazards in the concept phase rather than discovering them late in development or production, when they cost significantly more to fix.

However, adherence to ISO 26262 also requires extensive documentation and testing, both of which can be extremely time-consuming without the right tool to support them. To successfully overcome the numerous compliance challenges associated with ISO 26262, development teams should use a capable requirements management tool to make ISO 26262 compliance easier, less error-prone, and more cost-effective.


Visure Requirements and ISO 26262

Visure Requirements can support ISO 26262 with its comprehensive and agile artifact management for the development and verification of electrical and/or electronic systems in production vehicles. In one cohesive environment, it provides end-to-end traceability between all the items, hazards, safety goals, risks, safety requirements, verification results, changes, and project artifacts, helping users comply with the standard and create the deliverables required for the target ASIL.

By providing a centralized and open repository for all artifacts, Visure Requirements delivers end-to-end traceability between them for full impact analysis, hazard analysis, and risk management. It promotes collaboration by allowing several users to work with the very same set of requirements at the same time while keeping traces and reports of every change with a complete versioning system. It also provides a versatile Integration Platform to integrate with third-party tools and extend the capabilities of Visure Requirements while keeping everything centralized.


Conclusion

ISO 26262 is the global standard for functional safety management of automotive E/E systems. The benefits of ISO 26262 are impossible to ignore, but the same can be said about its requirements, which can be very time-consuming to fulfil without the right requirements management tool. Visure Requirements is designed to provide integral support for the complete requirements process, making it fully capable of supporting ISO 26262 for the development of electrical and/or electronic systems in production vehicles. Request a free 30-day trial of our platform today to see how we can help you achieve compliance with ISO 26262.
