ISO 26262 – Functional safety

Standard related to the safety of electrical and electronic systems within a car

Description

ISO 26262 is a standard related to the safety of electrical and electronic systems within a car and addresses possible hazards caused by malfunctioning behavior of safety-related systems, including interaction of these systems. ISO 26262 is a derivative of IEC 61508.

ISO 26262 consists of the following parts, under the general title “Road vehicles – Functional safety”:

– Part 1: Vocabulary
– Part 2: Management of functional safety
– Part 3: Concept phase
– Part 4: Product development at the system level
– Part 5: Product development at the hardware level
– Part 6: Product development at the software level
– Part 7: Production and operation
– Part 8: Supporting processes
– Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses
– Part 10: Guideline on ISO 26262

New functionalities such as driver assistance, propulsion, in vehicle dynamics control and active and passive safety systems increasingly touch the domain of system safety engineering. With the trend of increasing technological complexity, software content and mechatronic implementation, there are increasing risks from systematic failures and random hardware failures. ISO 26262 includes guidance to avoid these risks by providing appropriate requirements and processes.

System safety is achieved through a number of safety measures, which are implemented in a variety of technologies (e.g. mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic) and applied at the various levels of the development process. Although ISO 26262 is concerned with functional safety of E/E systems, it provides a framework within which safety-related systems based on other technologies can be considered. ISO 26262:

  • a) provides an automotive safety lifecycle (management, development, production, operation, service, decommissioning) and supports tailoring the necessary activities during these lifecycle phases;
  • b) provides an automotive-specific risk-based approach to determine integrity levels [Automotive Safety Integrity Levels (ASIL)];
  • c) uses ASILs to specify applicable requirements of ISO 26262 so as to avoid unreasonable residual risk;
  • d) provides requirements for validation and confirmation measures to ensure a sufficient and acceptable level of safety being achieved;
  • e) provides requirements for relations with suppliers.

Functional safety is influenced by the development process (including such activities as requirements specification, design, implementation, integration, verification, validation and configuration), the production and service processes and by the management processes.

Safety issues are intertwined with common function-oriented and quality-oriented development activities and work products. ISO 26262 addresses the safety-related aspects of development activities and work products.

The following is a list of terms found in ISO 26262:

ASIL: Automotive Safety Integrity Level – One of four levels to specify the item’s (1.69) or element’s (1.32) necessary requirements of ISO 26262 and safety measures (1.110) to apply for avoiding an unreasonable residual risk (1.97), with D representing the most stringent and A the least stringent level. ISO 26262-9 describes ASIL-oriented analyses in detail. (ISO 26262-1 1.6/ISO 26262-9)

ASIL Decomposition: Automotive Safety Integrity Level Decomposition – Also called “ASIL tailoring.” Apportioning of safety requirements redundantly to sufficiently independent elements (1.32), with the objective of reducing the ASIL (1.6) of the redundant safety requirements that are allocated to the corresponding elements. (A how-to example chart is in ISO 26262-9 5.4.10/ISO 26262-1 1.7/ISO 26262-9 5)

AUTOSAR: AUTomotive Open System Architecture – Not in ISO 26262, this is an open and standardized automotive software architecture, jointly developed by automobile manufacturers, suppliers and tool developers. (http://www.autosar.org; http://en.wikipedia.org/wiki/AUTOSAR)

CCF: Common Cause Failures – Failure (1.39) of two or more elements (1.32) of an item (1.69) resulting from a single specific event or root cause.
Common cause failures are dependent failures (DF) (1.22) that are not cascading failures (CF) (1.13). (ISO 26262-1 1.14)

CF: Cascading Failure – Failure (1.39) of an element (1.32) of an item (1.69) causing another element or elements of the same item to fail.
Cascading failures are dependent failures (DF) (1.22) that are not common cause failures (CCF) (1.14). (ISO 26262-1 1.13)

CMF: Common Mode Failure – A type of common cause failure (CCF) where multiple items fail in the same mode. Analyze it using fault tree analysis (FTA). (ISO 26262-10 B.3.2)

DC: Diagnostic Coverage – Proportion of the hardware element (1.32) failure rate (1.41) that is detected or controlled by the implemented safety mechanisms (1.111). (ISO 26262-1 1.25/ISO 26262-5 D)

DCLS: Dual Core Lockstep

DF: Dependent Failure – Failures (1.39) whose probability of simultaneous or successive occurrence cannot be expressed as the simple product of the unconditional probabilities of each of them. Dependent failures include common cause failures (CCF) (1.14) and cascading failures (CF) (1.13).
(ISO 26262-9 7 explains dependent failure analysis (DFA); ISO 26262-1 1.22/ISO 26262-9 7)

DFA: Dependent Failure Analysis – Aims to identify the single events or single causes that could bypass or invalidate a required independence or freedom from interference between given elements and violate a safety requirement or a safety goal. (ISO 26262-9 7)

DIA: Development Interface Agreement – Agreement between customer and supplier in which the responsibilities for activities, evidence or work products to be exchanged by each party are specified. An example DIA is at ISO 26262-5 B. (ISO 26262 1.24/ISO 26262-8 5)

DTI: Diagnostic Test Interval – Amount of time between the executions of online diagnostic tests by a safety mechanism. Use ISO 26262-5 Table D.1 for analysis. (ISO 26262-1 1.26/ISO 26262-5 D)

E/E/PE: Electrical/Electronic/Programmable Electronic – 3.2.6 of IEC 61508-4 defines this as based on electrical and/or electronic and/or programmable electronic technology (see the examples given there). (IEC 61508-4 3.2.6)

EMI: Electromagnetic Interference – Disturbance that affects an electrical circuit due to either electromagnetic induction or electromagnetic radiation emitted from an external source. [Wikipedia] (ISO 26262-2/http://en.wikipedia.org/wiki/Electromagnetic_interference)

EOS: Electrical Overstress – Electrical overstress failures can be classified as thermally-induced, electromigration-related and electric field-related failures. EOS can result in a latch-up short circuit. [Wikipedia] An example of a failure rate resulting from EOS is in ISO 26262-10 A.3.4.2.4. Calculation methods are in IEC TR 62380, “Reliability data handbook – Universal model for reliability prediction of electronics components, PCBs and equipment.” (ISO 26262-10 A.3.4.2.4/IEC TR 62380/http://en.wikipedia.org/wiki/Failure_modes_of_electronics)

ESD: Electrostatic Discharge – A subclass of electrical overstress (EOS). A sudden flow of electricity between two objects caused by contact, an electrical short, or dielectric breakdown. [Wikipedia] See ISO 26262-5 E for an example of SPFM and LFM calculation with ESD. (ISO 26262-2)

FIT: Failure In Time – The number of failures that can be expected in one billion (1×10^9) device-hours of operation. [Wikipedia] Mean time between failures (MTBF, in hours) = 1,000,000,000 / FIT. (ISO 26262-2)

FMEA: Failure Mode And Effects Analysis – As opposed to fault tree analysis (FTA), failure mode and effects analysis (FMEA) is an inductive (bottom-up) approach focusing on the individual parts of the system, how they can fail and the impact of these failures on the system. Analysis starts at faults, which can lead to errors and then failures. Can be qualitative or quantitative. (ISO 26262-10 B)

FMEDA: Failure Mode Effects and Diagnostic Analysis – A procedure for the detailed determination of error causes and their impact on the system; it can be used very efficiently in the early stages of system development for the early identification of weaknesses. (http://www.tuv-nord.com/en/methods/fmeda-81629.htm)

FTA: Fault Tree Analysis – As opposed to failure mode and effects analysis (FMEA), fault tree analysis (FTA) is a deductive (top-down, see Figure B.2) approach starting with the undesired system behaviour and determining the possible causes of this behaviour. Can be qualitative or quantitative. (ISO 26262-10 B)

FTTI: Fault Tolerant Time Interval – The time between the occurrence of a fault and the point by which the system must have transitioned to a safe state, before the fault can lead to a hazardous event. Maximum FTTI = DTI + Fault Reaction Time + Safe State. (ISO 26262 1.44)

HSI: Hardware-Software Interface – Use ISO 26262-4 B for a detailed explanation. (ISO 26262-2; ISO 26262-4 B)

LFM: Latent Fault Metric – Latent faults are multiple-point faults (1.77) whose presence is neither detected by a safety mechanism (1.111) nor perceived by the driver within the multiple-point fault detection interval (1.78). The latent fault metric (LFM) is a hardware architectural metric that reveals whether or not the coverage by the safety mechanisms, to prevent risk from latent faults in the hardware architecture, is sufficient. The single point fault metric (SPFM) is the other hardware architectural metric.
ASIL B (≧60%), C (≧80%) and D (≧90%) coverage requirements are in ISO 26262-5 8.4.6 Table 5.
Equations and context are at ISO 26262-5 C.3.
An example calculation is at ISO 26262-5 E.
(ISO 26262-1 1.71; ISO 26262-4 6.4.3; ISO 26262-5 8; ISO 26262-5 C; ISO 26262-5 E)

MBU: Multiple Bit Upset – When two or more error bits occur in the same word. Cannot be corrected by a simple single-bit-correcting ECC. (JESD89A)
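The MBU entry above states that a single-bit ECC cannot correct two upset bits in one word. The following added example (constructed for this page; it is not code from JESD89A, ISO 26262 or the page's author) implements a SECDED Hamming(8,4) code, the simplest memory ECC that corrects any single-bit upset (SEU) and detects, but cannot correct, a double-bit upset (MBU). The function names `secded_encode`, `secded_decode` and `flip` are this example's own.

```python
"""SECDED Hamming(8,4): single-error correction, double-error detection.
Constructed example showing why a one-bit ECC flags an MBU as uncorrectable."""


def hamming74_encode(data):
    """data: 4 bits [d1, d2, d3, d4]. Returns 7 codeword bits.
    Bit positions are numbered 1..7; parity bits sit at 1, 2 and 4 and each
    one covers the positions whose binary index has that bit set."""
    cw = [0] * 8                       # index 0 is unused so that index == position
    cw[3], cw[5], cw[6], cw[7] = data  # data occupies the non-power-of-two positions
    cw[1] = cw[3] ^ cw[5] ^ cw[7]      # covers positions 1,3,5,7
    cw[2] = cw[3] ^ cw[6] ^ cw[7]      # covers positions 2,3,6,7
    cw[4] = cw[5] ^ cw[6] ^ cw[7]      # covers positions 4,5,6,7
    return cw[1:]


def secded_encode(data):
    """Append an overall parity bit so double errors become detectable."""
    cw = hamming74_encode(data)
    overall = 0
    for b in cw:
        overall ^= b
    return cw + [overall]              # 8 bits: 7 Hamming bits + overall parity


def secded_decode(word):
    """word: 8 bits as stored. Returns (data, status) where status is
    'ok', 'corrected' or 'uncorrectable' (data is None when uncorrectable)."""
    cw = [0] + list(word[:7])
    syndrome = 0                       # XOR of the positions of all set bits
    for pos in range(1, 8):            # equals the position of a single flipped bit
        if cw[pos]:
            syndrome ^= pos
    parity = 0                         # 0 means the overall even parity still holds
    for b in word:
        parity ^= b

    corrected = list(word)
    if syndrome == 0 and parity == 0:
        status = "ok"                  # no error
    elif parity == 1:
        status = "corrected"           # exactly one bit flipped (SEU)
        if syndrome:
            corrected[syndrome - 1] ^= 1   # flip the data/parity bit back
        else:
            corrected[7] ^= 1              # the overall parity bit itself was hit
    else:
        # syndrome != 0 but parity even: two bits flipped (MBU). The syndrome
        # points at some position, but correcting it would corrupt a third bit,
        # so the only safe answer is "uncorrectable".
        return None, "uncorrectable"

    c = [0] + corrected[:7]
    return [c[3], c[5], c[6], c[7]], status


def flip(word, *indices):
    """Return a copy of word with the given 0-based bit indices inverted
    (simulates an upset hitting those bits)."""
    w = list(word)
    for i in indices:
        w[i] ^= 1
    return w


if __name__ == "__main__":
    stored = secded_encode([1, 0, 1, 1])
    print("stored word      :", stored)
    print("clean read       :", secded_decode(stored))
    print("SEU at index 2   :", secded_decode(flip(stored, 2)))
    print("MBU at 2 and 5   :", secded_decode(flip(stored, 2, 5)))
```

Every single flip, including one on the parity bit itself, is corrected; any pair of flips is reported as uncorrectable and the read must be escalated to the safety mechanism handling the error (for example a reset into a safe state) rather than silently used.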

MPFDI: Multiple Point Fault Detection Interval – The time span to detect a multiple-point fault (1.77) before it can contribute to a multiple-point failure (1.76). (ISO 26262-1 1.78; ISO 26262-4 6.4.4)

PMHF: Probabilistic Metric for (Random) Hardware Failures – The sum of the single point, residual and multipoint fault metrics, expressed in FITs. Calculation methods are described in ISO 26262-5 F. (ISO 26262-5 9.2; ISO 26262-5 F)

SEL: Single Event Latch-up – A type of single event effect (SEE) caused by a single event upset (SEU) that causes a transient fault. This transient fault is “hard” and can only be corrected by cycling the power. Causes include cosmic rays and electrostatic discharge (ESD). [Wikipedia] (http://en.wikipedia.org/wiki/Latchup)

SEooC: Safety Element out of Context – A safety-related element which is not developed for a specific item. This means it is not developed in the context of a particular vehicle. (ISO 26262-10 9)

SEE: Single Event Effect – A “soft error” caused by a single, energetic particle, and can take on many forms. Causes “transient faults” like single event upsets (SEU), single event transients (SET) and single event latch-ups (SEL). Use ISO 26262-5 Table D.1 for analysis. (ISO 26262-5 D)

SET: Single Event Transient – A “glitch” that happens when the charge collected from an ionization event discharges in the form of a spurious signal traveling through the circuit. This is de facto the effect of an electrostatic discharge (ESD). It is a “soft error” transient fault and is a type of single event effect (SEE). If a SET propagates through digital circuitry and results in an incorrect value being latched in a sequential logic unit, it is then considered a single event upset (SEU). [Wikipedia] (http://en.wikipedia.org/wiki/Single_event_upset)

SEU: Single Event Upset – Single event upsets (SEUs) are soft errors and are non-destructive. An SEU is a “bit flip,” or change of state, caused by cosmic rays. It is a type of single event effect (SEE).

SPFM: Single Point Fault Metric – Single point faults are faults (1.42) in an element (1.32) that are not covered by a safety mechanism (1.111) and that lead directly to the violation of a safety goal (1.108). The single point fault metric (SPFM) is a hardware architectural metric that reveals whether or not the coverage by the safety mechanisms, to prevent risk from single point faults in the hardware architecture, is sufficient. The latent fault metric (LFM) is the other hardware architectural metric.
ASIL B (≧90%), C (≧97%) and D (≧99%) coverage requirements are in ISO 26262-5 8.4.5 Table 4.
Equations and context are at ISO 26262-5 C.2.
An example calculation is at ISO 26262-5 E.
(ISO 26262-1 1.122; ISO 26262-5 8; ISO 26262-5 C; ISO 26262-5 E)
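The LFM, SPFM and PMHF entries describe the hardware architectural metrics and their ASIL targets but not how the numbers come out of an FMEDA table. The example below is added here to show that; it is constructed for this page and is not the worked example in ISO 26262-5 Annex E, nor code from the page's author. The element names, failure rates and diagnostic coverage values are made up, the per-element classification uses the simplifying assumption that every non-safe fault of an element without a safety mechanism is a single-point fault, and PMHF is computed in the simplified form this page states (the sum of single-point, residual and latent multiple-point failure rates); the full method in Annex F is more involved. The class and function names are this example's own.

```python
"""SPFM, LFM and a simplified PMHF computed from a constructed FMEDA-style table.
Failure rates are in FIT (failures per 1e9 device-hours), as ISO 26262-5 uses."""
from dataclasses import dataclass


@dataclass
class HwElement:
    name: str
    fit: float            # total failure rate λ of the element, in FIT
    safe_fraction: float  # share of λ with no potential to violate the safety goal (λ_S)
    mechanism: bool       # is a safety mechanism (lockstep, ECC, monitor, ...) implemented?
    dc_rf: float          # diagnostic coverage w.r.t. residual faults, 0..1
    dc_lf: float          # diagnostic coverage w.r.t. latent faults, 0..1


@dataclass
class FaultSplit:
    spf: float            # single-point faults: no mechanism, violate the goal directly
    rf: float             # residual faults: mechanism present but does not cover them
    mpf_latent: float     # multiple-point faults neither detected nor perceived
    mpf_detected: float   # multiple-point faults the mechanisms do detect
    safe: float           # safe faults


def split_failure_rate(e: HwElement) -> FaultSplit:
    """Classify one element's λ in the manner of ISO 26262-5 Annex C (simplified,
    see lead-in): unprotected dangerous faults are single-point; protected ones
    are residual to the extent the mechanism misses them, otherwise multiple-point."""
    safe = e.fit * e.safe_fraction
    dangerous = e.fit - safe
    if not e.mechanism:
        return FaultSplit(spf=dangerous, rf=0.0, mpf_latent=0.0, mpf_detected=0.0, safe=safe)
    rf = dangerous * (1.0 - e.dc_rf)   # the mechanism misses this share outright
    mpf = dangerous - rf               # covered faults need a second fault to do harm
    return FaultSplit(spf=0.0, rf=rf,
                      mpf_latent=mpf * (1.0 - e.dc_lf),
                      mpf_detected=mpf * e.dc_lf, safe=safe)


def spfm(elements) -> float:
    """SPFM = 1 - Σ(λ_SPF + λ_RF) / Σλ  (ISO 26262-5 C.2 form)."""
    splits = [split_failure_rate(e) for e in elements]
    return 1.0 - sum(s.spf + s.rf for s in splits) / sum(e.fit for e in elements)


def lfm(elements) -> float:
    """LFM = 1 - Σλ_MPF,latent / Σ(λ - λ_SPF - λ_RF)  (ISO 26262-5 C.3 form)."""
    splits = [split_failure_rate(e) for e in elements]
    denom = sum(e.fit - s.spf - s.rf for e, s in zip(elements, splits))
    return 1.0 - sum(s.mpf_latent for s in splits) / denom


def pmhf_fit(elements) -> float:
    """Simplified PMHF as this page states it: single-point + residual + latent
    multiple-point failure rates, in FIT. Annex F refines this further."""
    return sum(s.spf + s.rf + s.mpf_latent for s in map(split_failure_rate, elements))


# Targets quoted on this page from ISO 26262-5 Tables 4 and 5.
SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}
LFM_TARGET = {"B": 0.60, "C": 0.80, "D": 0.90}


def highest_asil_met(spfm_value: float, lfm_value: float):
    """Highest ASIL whose SPFM and LFM targets are both met, or None."""
    met = None
    for asil in ("B", "C", "D"):
        if spfm_value >= SPFM_TARGET[asil] and lfm_value >= LFM_TARGET[asil]:
            met = asil
    return met


# Constructed FMEDA rows; the values are illustrative, not component data.
EXAMPLE = [
    HwElement("CPU core (lockstep)", fit=100.0, safe_fraction=0.5, mechanism=True,  dc_rf=0.99, dc_lf=0.90),
    HwElement("SRAM (ECC)",          fit=200.0, safe_fraction=0.0, mechanism=True,  dc_rf=0.90, dc_lf=0.60),
    HwElement("Voltage monitor",     fit=10.0,  safe_fraction=0.0, mechanism=False, dc_rf=0.0,  dc_lf=0.0),
    HwElement("Debug UART",          fit=40.0,  safe_fraction=1.0, mechanism=False, dc_rf=0.0,  dc_lf=0.0),
]

if __name__ == "__main__":
    s, l = spfm(EXAMPLE), lfm(EXAMPLE)
    print(f"SPFM = {s:.1%}, LFM = {l:.1%}, simplified PMHF = {pmhf_fit(EXAMPLE):.2f} FIT")
    print("highest ASIL whose metric targets are met:", highest_asil_met(s, l))
```

With these numbers the architecture reaches about 91.3% SPFM and 75.9% LFM, so it meets the ASIL B targets but not ASIL C; the table makes it obvious that the unprotected voltage monitor (10 FIT of single-point faults) and the SRAM's weak latent-fault coverage are what hold the metrics down, which is exactly the kind of weakness an early FMEDA is meant to expose.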

TCL: Tool Confidence Level – Use ISO 26262-8 11.4.5.5 Table 3 to calculate based on tool impact (TI) and tool error detection (TD). Values are TCL1, TCL2 and TCL3. (ISO 26262-8 11.4.5.5)

TD: Tool Error Detection – The confidence in measures that prevent the software tool from malfunctioning and producing corresponding erroneous output, or in measures that detect that the software tool has malfunctioned and has produced corresponding erroneous output. Values are TD1, TD2 and TD3. (ISO 26262-8 11.4.5.2)

TI: Tool Impact – The possibility that a malfunction of a particular software tool can introduce or fail to detect errors in a safety-related item or element being developed. Values are TD1, TD2 and TD3. (ISO 26262-8 11.4.5.2)

– Terms and references courtesy of Arteris.

Multimedia

– Improving Functional Safety In Chips
– Using Static Analysis For Functional Safety
– 3 Safety Standards For Auto Electronics