Requirements of ISO 26262
The issue of safety has always been one of the most important topics for the automotive
industry. The announcement made by Toyota last year of the recall of their defective vehicles
only serves to highlight how costly defects can be, not only for the company's balance sheet but
also in terms of eroded consumer confidence. New technologies introduced to enhance
vehicle control and driver assistance have now become standard equipment rather than
optional extras. In addition, a recent regulation approved by the European Parliament, which lays out the
requirements for the type approval of motor vehicles with regard to their safety, calls for the
introduction of these new safety features as a prerequisite. As such, an internationally
recognized standard for safety-critical systems becomes all the more necessary as a yardstick for measuring
how safe a system is.
Unlike in other industries, detailed discussions about functional safety in the automotive industry
only began a few years ago. One reason was the prevailing view that the risks posed by
mechanical failures remain within the control of the driver: a driver merely had to stop the
vehicle to bring it to a safe state. We now know that this is not always possible when the
drive-by-wire throttle system fails, as illustrated by the gas pedal failures in Toyota cars in 2010.
Although functional safety standards such as IEC 61508 already existed, that standard is
not dedicated to the automotive industry. Applying a non-dedicated functional safety standard
across different firms does not harmonize functional safety objectives, because different
interpretations of the standard ensue.
SILs & ASILs
ISO 26262 was developed to overcome this problem and to provide a harmonized standard
for the automotive industry. It specifies the requirements, processes and methods to
lessen the effects of systematic failures and random hardware failures. ISO 26262 is
based on IEC 61508, a generic yardstick for the functional safety of
electrical/electronic (E/E) systems created in 2002 by CENELEC. ISO 26262 borrows the
IEC 61508 concept of "Safety Integrity Level" (SIL) and redefines it as "Automotive Safety
Integrity Level" (ASIL).
The structure of the ISO 26262 comes in 10 parts as listed below:
• ISO 26262: Part one: Vocabulary
• ISO 26262: Part two: Management of functional safety
• ISO 26262: Part three: Concept phase
• ISO 26262: Part four: Product development: system level
• ISO 26262: Part five: Product development: hardware level
• ISO 26262: Part six: Product development: software level
• ISO 26262: Part seven: Production and operation
• ISO 26262: Part eight: Supporting processes
• ISO 26262: Part nine: ASIL-oriented and safety-oriented analyses
• ISO 26262: Part ten: Guideline on ISO 26262
-----------------------------------------------------------------------------------------------------------------------------------
IQPC GmbH | Friedrichstr. 94 | D-10117 Berlin, Germany
t: +49 (0) 30 2091 3330 | f: +49 (0) 30 2091 3263 | e: eq@iqpc.de | w: www.iqpc.de
Visit IQPC for a portfolio of topic-related events, congresses, seminars and conferences: www.iqpc.de
Overview of ISO 26262 structure
ISO 26262 is formulated specifically for safety-related systems comprising one or more
electrical/electronic systems that are installed in series production cars with a maximum gross
weight of 3500 kg.
Because the standard is designed for series production cars, Part 7 includes something
not found in IEC 61508: requirements for the production and operation processes. The
production aspect is seen within the framework of the automotive safety lifecycle, which
comprises the management, development, production, operation, service and
decommissioning stages.
Approach of ISO 26262
As mentioned earlier, ISO 26262 takes a different approach to evaluating functional
safety in that it adopts ASILs instead of the SILs of IEC 61508. SILs have three levels, while
ASILs have four levels, from the lowest (A) to the highest (D).
The ASIL is obtained by conducting a hazard and risk analysis. From the start of development,
all intended functions are evaluated against the possible hazards. The main question asked
is: "What would result if a malfunction occurred in each of the different operational
situations?"
The risk assessment is based on a combination of factors: the probability of
exposure, the controllability of the situation by the driver, and the severity
of injury to the persons involved in the hazard.
Implementing the ASIL
Once all these factors have been taken into consideration, an ASIL results, and a corresponding
safety requirement is generated to avoid the risk. There are five
stages in the implementation of an ASIL. They are:
1. Defining the safety goals
These are the safety requirements of the function, assigned to each hazard that the risk
assessment identified, and they describe the safety goals to be reached.
2. Safe state implementation
This is the stage where the function is put into operation in such a way that the risk is
reduced to an acceptable level, so that the safety goals are not violated.
3. Risk mitigation
Mitigation of risks resulting from random hardware failures to an acceptable level through the
application of specific measures.
4. Systematic failure prevention
Prevention of systematic failures through the definition of a set of requirements.
5. ASIL decomposition
This process allows the ASIL associated with a function to be distributed across the
various elements that contribute to performing the function and address the same
safety goals.
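As an added illustration (not part of the original paper), the following Python code works through the two steps described above: it classifies constructed hazards by severity, exposure and controllability, reads the ASIL from the determination table of ISO 26262-3, and checks a proposed ASIL decomposition against the pairings ISO 26262-9 permits. The hazard list and its S/E/C values are constructed for the example.

```python
# ASIL determination table of ISO 26262-3, indexed by severity S1..S3 and
# probability of exposure E1..E4; the three entries per row are C1, C2, C3.
ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}
RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

def determine_asil(s: int, e: int, c: int) -> str:
    """Return the ASIL (or QM, quality management only) for one hazard."""
    if s not in ASIL_TABLE or e not in ASIL_TABLE[s] or c not in (1, 2, 3):
        raise ValueError(f"classification out of range: S{s} E{e} C{c}")
    return ASIL_TABLE[s][e].split()[c - 1]

def safety_goal_asil(hazard_asils) -> str:
    """A safety goal that covers several hazards inherits the highest ASIL."""
    return max(hazard_asils, key=RANK.__getitem__)

def decomposition_is_valid(original: str, part_a: str, part_b: str) -> bool:
    """ISO 26262-9 decomposition pairings (D -> C+A, B+B, D+QM; C -> B+A, C+QM;
    B -> A+A, B+QM; A -> A+QM) all satisfy rank(a) + rank(b) == rank(original).
    The parts keep the original ASIL in brackets, e.g. C(D) + A(D), and the
    split only holds if the two elements are independent, which a separate
    dependent-failure analysis must establish."""
    return RANK[part_a] + RANK[part_b] == RANK[original]

# Constructed hazard list for an electronic throttle; the S/E/C values are
# illustrative and not taken from any real hazard analysis.
HAZARDS = [
    ("unintended acceleration at highway speed", 3, 4, 3),
    ("loss of throttle response while parking", 1, 3, 1),
    ("reduced engine power while overtaking", 2, 3, 2),
]

def classify_hazards(hazards=HAZARDS) -> dict:
    """Map each hazard description to its ASIL."""
    return {name: determine_asil(s, e, c) for name, s, e, c in hazards}

if __name__ == "__main__":
    asils = classify_hazards()
    for name, asil in asils.items():
        print(f"{asil:>2}  {name}")
    goal = safety_goal_asil(asils.values())
    print("safety goal ASIL:", goal)
    print("C(D) + A(D) valid:", decomposition_is_valid(goal, "C", "A"))
```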
The Development Models
The development model included in Parts three to six of ISO 26262
covers the development process from:
• Part three – Concept phase
• Part four – Product development (system phase)
• Part five – Product development (hardware phase)
• Part six – Product development (software phase)
For the product development (system) phase, ISO 26262 uses a V model. Likewise, the
hardware development phase and the software development phase also use a V model.
Below is the list of recommended phases for the product development (software) stage:
• Initiation of software development
• Software safety requirements specification
• Software architectural design
• Software unit implementation
• Software unit test
• Software integration and test
• Software safety acceptance test
There is a standard framework of objectives, inputs, recommendations, requirements and work
products, the work products generally becoming the inputs for the next phase. It is these recommendations and
requirements that form the foundation of the standard.
For example, under Part 6, the requirements for methods of informally verifying the software
architectural design are listed in the table below:
Requirements Traceability
Before the software development stage, ISO 26262 requires that the planning of the
activities, methods and measures used in the different sub-phases of software development
always refer to the ASIL of the system under development. One vital aspect to consider
upfront is "requirements traceability": the ability to track the life of a
particular requirement in both directions, forward and backward.
The objective is to follow a requirement through to its implementation and its testing phase. This
helps in seeing whether a requirement has been fulfilled and tested. Requirements
traceability also helps ensure the completeness of the requirements, through the
identification of requirements that are not integrated into the model and by identifying parts of
the model that cannot be linked to any particular requirement. Being able to identify these
unlinked parts of the model helps prevent the modelling and implementation of
behaviours that were not intended. In addition, it assists in managing changes to
requirements.
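The following Python code is an added example, not part of the original paper, of the traceability checks just described: forward and backward tracing between requirements, model elements and tests, plus the completeness checks that flag unimplemented or untested requirements, model parts with no requirement behind them, and links left dangling after a requirement change. The requirement identifiers, texts and links are constructed for the example.

```python
# Constructed traceability data for a throttle controller; identifiers, texts
# and links are illustrative and not taken from any real project.
REQUIREMENTS = {
    "SSR-01": {"asil": "D", "text": "limit throttle demand to the plausible range"},
    "SSR-02": {"asil": "C", "text": "detect pedal sensor disagreement within 20 ms"},
    "SSR-03": {"asil": "B", "text": "store pedal fault codes in non-volatile memory"},
}
# Model elements (software units) -> the requirements each one implements.
UNITS = {
    "ThrottleLimiter": {"SSR-01"},
    "PedalPlausibility": {"SSR-02"},
    "DebugTelemetry": set(),  # implements no requirement: unintended behaviour?
}
# Test cases -> the requirements each one verifies.
TESTS = {
    "TC-101": {"SSR-01"},
    "TC-102": {"SSR-01", "SSR-02"},
    "TC-103": {"SSR-99"},  # points at a requirement no longer in the baseline
}
RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

def forward_trace(req_id, units=UNITS, tests=TESTS):
    """Forward direction: requirement -> implementing units and verifying tests."""
    return {
        "units": sorted(u for u, reqs in units.items() if req_id in reqs),
        "tests": sorted(t for t, reqs in tests.items() if req_id in reqs),
    }

def backward_trace(unit, units=UNITS):
    """Backward direction: model element -> the requirements that justify it."""
    return sorted(units.get(unit, set()))

def traceability_gaps(requirements=REQUIREMENTS, units=UNITS, tests=TESTS):
    """Completeness checks: requirements with no implementation or no test,
    model parts linked to no requirement, and links to unknown requirements."""
    implemented = set().union(*units.values())
    verified = set().union(*tests.values())
    return {
        "not_implemented": sorted(set(requirements) - implemented),
        "not_tested": sorted(set(requirements) - verified),
        "orphan_units": sorted(u for u, reqs in units.items() if not reqs),
        "dangling_links": sorted((implemented | verified) - set(requirements)),
    }

def gaps_by_asil(requirements=REQUIREMENTS, units=UNITS, tests=TESTS):
    """Requirements with gaps, highest ASIL first, so review follows the risk."""
    gaps = traceability_gaps(requirements, units, tests)
    affected = set(gaps["not_implemented"]) | set(gaps["not_tested"])
    return sorted(affected, key=lambda r: RANK[requirements[r]["asil"]], reverse=True)
```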
Conclusion
Most of the ISO 26262 requirements dealing with the development and
supporting processes are already incorporated into existing internal quality standards. That is not to
say that the automotive industry faces no challenges in adopting ISO 26262.
Requirements have to be applied efficiently, with consideration for the internal context and its
limitations. Most of the difficulties in implementing the ISO 26262 requirements occur during the
later development phases. This is mainly due to the integration of areas into a
setting that has yet to develop to the same standard. Because ISO 26262 is a
process standard, full integration into current E/E processes will take some time. One should
bear in mind that ISO 26262 is only a standard guideline. It is equally important to
understand that good engineering sense is required to improve the processes used in
relation to the existing E/E processes. Using ISO 26262 with the right attitude
will only benefit the automotive industry in terms of functional safety in the long run.
Want to learn more about E/E commercial vehicles, about current technologies
and developments?
Visit our Download Center for more articles, whitepapers and interviews:
http://bit.ly/eecommercials-articles
About IQPC:
IQPC provides tailored conferences, large events, seminars and internal training programmes for
managers around the world. Topics include current information on industry trends, technical
developments and regulatory rules and guidelines. IQPC's conferences are market leading events, highly
regarded for their opportunity to exchange knowledge and ideas for professionals from various industries.
IQPC has offices in major cities across six continents including: Berlin, Dubai, London, New York, Sao
Paulo, Singapore, Johannesburg, Sydney and Toronto. IQPC leverages a global research base of best
practices to produce an unrivaled portfolio of problem-solving conferences. Each year IQPC offers
approximately 2,000 worldwide conferences, seminars, and related learning programs.