Throughout the 1970s, automation progressively entered the automotive industry, resulting in computer-centric vehicle control systems. The ECU (Electronic Control Unit) networks in modern cars are complex and hierarchical to ensure comfortable, fast, and safe driving (Figure 1). As the number of ECUs increases and more computerized platforms come out, both the volume of code and the complexity of the hardware increase. Vehicles are becoming smarter and making more autonomous technical decisions. However, this also leads to more system failures. The stakes are high because these failures can occur in vehicles moving at high speed and weighing up to 3500 kg. This is where functional safety in automotive comes in.

Figure 1. Complex ECU Networks in Modern Vehicles: A Balance Between Automation and System Risks

In this article, we outline N-iX's methods and approaches to minimizing software failure risk in vehicles and highlight innovative ways to prevent accidents caused by system failures.

Why is functional safety so important in automotive?

Addressing system failures is a work-intensive process that ensures proper functional safety in automotive. With decades of experience in aviation, aerospace, and the military, engineers have accumulated significant expertise in risk calculation and failure analysis. Understanding the types of failures that could lead to system issues helps design and implement practices for writing safe code and creating secure software. We use ISO 26262 as a foundational guideline for our engineering teams because it combines risk classification systems, testing methods, safe code writing practices, hardware creation, and recommendations for managing development, testing, integration, and certification.

What is functional safety in automotive?

Functional safety standards in automotive rely mostly on ISO 26262. This standard provides developers and integrators with a series of advantages in the market, namely:

  • Safety framework: ISO 26262 ensures safety in vehicle electrical and electronic systems, reducing system failure accidents.
  • Systematic safety management: The standard offers a structured approach to developing, implementing, and assessing safe automotive systems.
  • Risk management: It aids in identifying, assessing, and minimizing risks, protecting drivers and pedestrians.
  • Legal compliance: Adherence is necessary for meeting regional legal and regulatory requirements, and preventing legal issues and fines.
  • Liability protection: Compliance demonstrates adherence to safety practices, providing liability protection.
  • Market confidence: Adoption of ISO 26262 builds consumer and stakeholder trust, showcasing a commitment to safety and quality.
  • Competitive edge: Compliance positions manufacturers as industry leaders, providing a competitive advantage.
  • Global recognition: ISO 26262 facilitates international market entry for manufacturers due to worldwide acceptance.
  • Continuous improvement: Implementation fosters ongoing enhancement of safety practices and processes.
  • Integration ease: The standard simplifies integration of various suppliers’ safety systems, promoting interoperability.

ISO 26262 in real life: examples of implementing automotive functional safety

Below are two illustrative examples; the companies are not necessarily real automotive companies, but the practices described pertain to the standard.

Example 1: Engineering and safety framework at auto company X

Engineering: While working on its driver-assistance systems, company X diligently adheres to ISO 26262, ensuring the software's safety. From concept to decommissioning, the team observes the standard's safety lifecycle meticulously.

Safety framework: company X conducts early risk assessments to identify and address potential hazards in line with ISO 26262. Safety goals are set, Automotive Safety Integrity Levels (ASILs) are assigned for each risk, and necessary safety measures are verified for effectiveness.

Example 2: EV maker Y's liability shield and legal adherence

Liability shield: EV Maker Y produces vehicles in strict compliance with ISO 26262. In the event of a lawsuit over a supposed software glitch causing an accident, their adherence to ISO 26262 plays a pivotal role in their defense, showcasing their commitment to established safety practices.

Legal adherence: EV Maker Y incorporates ISO 26262 to meet international legal standards for vehicle production. This not only assures the safety of their products but also facilitates easy market access, reinforcing their reputation for safety and legal compliance among consumers and regulators alike.

By ensuring automotive functional safety, ISO 26262 provides legal and liability safeguards for original equipment manufacturers (OEM), as well as Tier-1 and Tier-2 companies. ISO 26262 is an exceptionally flexible tool that extends beyond its described boundaries. It easily interacts with other standards, frameworks, guidelines, and descriptions of materials, technologies, and methods, further enhancing its value.

N-iX approach to automotive functional safety

Risk management

Right from the start of our development process, we place a strong emphasis on risk management, which is essential in identifying potential risks and strategizing their mitigation. An early-stage intensive analysis is crucial to preventing serious issues later in a product's lifecycle.

With deep experience handling systems across all safety levels (ASIL A to D), our engineering team identifies and addresses all conceivable risks throughout the development process. This team comprises highly qualified specialists certified per the ISO 26262 and ISO 21434 standards, ensuring a wealth of expertise and competency in risk management.

We employ innovative approaches for developing the reliable and fault-tolerant computer systems that risk management depends on. The systems are classified into three operational modes: normal, critical, and supercritical. Each mode undergoes a thorough analysis for potential failures, and a recovery strategy is determined for each. Systems operating in the supercritical mode, characterized by high ASIL levels, receive special attention and possess capabilities for self-analysis and restructuring during critical situations.

An integral aspect of our risk management approach is the strategic integration of the Automotive SPICE and SAFe 5.1 frameworks. The Automotive SPICE framework is pivotal for enhancing the software development process specifically for automotive systems. Within Automotive SPICE, the MAN.5 process plays a crucial role in the systematic identification, assessment, and mitigation of risks during the project lifecycle, providing a structured procedure for efficient risk management.

Moreover, we have synchronized our risk management process with the ISO 26262 standards. Particularly in the Concept Phase (Part 3) and Product Development at the System Level (Part 4), our team engages in comprehensive hazard analysis and risk assessment, essential for delineating safety goals and specifying arising safety requirements. This alignment not only aids in risk mitigation but also ensures compliance with legal and regulatory prerequisites, fortifying our commitment to safety and quality in product development.

We also incorporate the SAFe framework, which offers a guide for scaling agile and lean practices in large organizations. The ROAM (Resolved, Owned, Accepted, Mitigated) risk-handling process within SAFe, integrated into Program Increment (PI) Planning, is invaluable for the collaborative identification, assessment, and prioritization of risks. The Inspect and Adapt (I&A) Workshop held at the end of each PI is a significant event where the current state of the solution is demonstrated and assessed, facilitating continuous risk mitigation and management through agile practices and feedback loops.

Through our integrated risk management strategy, we combine the advanced engineering experience of our engineers with innovative development methods, early risk detection techniques, and international standards like Automotive SPICE, ISO 26262, and SAFe. Through this multifaceted approach, we effectively manage risks and ensure increased functional safety in automotive across all of our products and developments.

Software development and testing

Before diving into the individual phases, it is important to emphasize our adherence to the V-model of software development. The software development process can be divided into five phases:

  • analysis,
  • design,
  • development,
  • testing,
  • support and documentation, with an optional integration phase when necessary.

We also advocate for the concurrent execution of certain phases, such as development, automotive testing, and documentation, to increase efficiency and coherence. As shown in Figure 2 and outlined below, each phase includes specific activities that comply with critical safety standards.

Figure 2. Diagram of Concurrently Executed Development Phases

Analysis phase

Requirements analysis

  • Conducting a safety-centric requirements analysis aligned with ISO 26262.
  • Establishing safety requirements for the system and its components.

Risk classification and analysis

  • Determining the Automotive Safety Integrity Level (ASIL).
  • Implementing risk management strategies based on the standard’s guidelines.

Design phase

Architecture design:

  • Applying ISO 26262 safe design principles during architectural planning.
  • Developing detailed architectural specifications, considering operational modes (normal, critical, and supercritical). Special attention is given to the supercritical mode, which involves a set of unique requirements and architectural features (see Figure X for details).

Development phase

Coding and development:

Adhering to safety requirements during the coding process. The software is crafted to handle various operational modes efficiently: normal, critical, and supercritical. For the supercritical mode, the architecture is specifically designed to allow system reconfiguration and restoration to initial settings in case of failure, ensuring continuous operation and safety (refer to Figure X for the architectural overview).

Testing phase

Module and integration testing:

  • Conducting tests in compliance with ISO 26262, validating the software's reliability in all operational modes.
  • Employing simulation methodologies such as MIL, SIL, and HIL using tools such as Automated Driving Toolbox by MathWorks, IPG CarMaker, CARLA, Simulink Simscape, and GT-SUITE.

System testing and validation:

  • Validating compliance with system requirements and assuring safety.

Support and Documentation:

  • Developing and maintaining documentation in accordance with the ISO 26262 and ISO 29119 standards.

Functional safety in automotive: Innovative solutions

Preventative measures

In the process of developing functionally safe components for the automotive industry, we meticulously define the states of each component, taking into account safety needs and in accordance with ISO 26262 requirements. Two standard states are crucial: "normal" and "critical," each characterized by a specific set of requirements and a level of abstraction.

Additionally, our team has introduced a new, high-priority state: "supercritical." It is defined for components whose failure leads to catastrophic consequences. The supercritical state therefore requires a high level of attention and control, with specific requirements focusing on system self-analysis, redundancy, and, if necessary, automatic reconfiguration of components to restore their functionality.

Components in a supercritical state [1, 2] are classified as ASIL D and have additional mechanisms for diagnosing a failed component and maintaining safe operation. Importantly, these mechanisms are characterized by a higher class of fault tolerance compared to standard ASIL D components. Thus, the probability of faultless operation in the supercritical state is Rsc(t) = 0.9955, and the mean time between failures (MTBF) in the supercritical state is 11,000 hours. After analyzing the Safety Margin of ASIL D components that meet the additional requirements for operating in a supercritical state, we obtained the following Safety Margin coefficients:

Safety Margin coefficients in functional safety in automotive
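As an added example (not code from the article or from N-iX), the following script shows the reliability arithmetic a practitioner would use to relate the quoted Rsc(t) = 0.9955 to the quoted MTBF of 11,000 hours, and goes one step further to show how the redundancy required in the supercritical state raises reliability. The constant-failure-rate (exponential) model and the independence of redundant channels are assumptions of this example, not statements made in the article.

```python
import math

# Figures quoted in the article for the supercritical state.
R_SC = 0.9955            # probability of faultless operation, Rsc(t)
MTBF_SC_HOURS = 11_000   # mean time between failures, in hours


def failure_rate(mtbf_hours: float) -> float:
    """Constant failure rate lambda (per hour) under the assumed exponential model."""
    return 1.0 / mtbf_hours


def failure_rate_fit(mtbf_hours: float) -> float:
    """Failure rate in FIT (failures per 1e9 device-hours), the unit used for hardware metrics."""
    return failure_rate(mtbf_hours) * 1e9


def reliability(t_hours: float, mtbf_hours: float) -> float:
    """R(t) = exp(-t / MTBF): probability of no failure within a mission of t hours."""
    return math.exp(-t_hours / mtbf_hours)


def mission_time_for_reliability(r_target: float, mtbf_hours: float) -> float:
    """Invert R(t): the longest mission (hours) for which R(t) is still >= r_target."""
    if not 0.0 < r_target < 1.0:
        raise ValueError("reliability target must lie strictly between 0 and 1")
    return -mtbf_hours * math.log(r_target)


def series_reliability(reliabilities) -> float:
    """Non-redundant chain: the composition fails as soon as any element fails."""
    return math.prod(reliabilities)


def parallel_reliability(reliabilities) -> float:
    """Redundant (independent) channels: the composition fails only if every channel fails."""
    p_all_fail = math.prod(1.0 - r for r in reliabilities)
    return 1.0 - p_all_fail


if __name__ == "__main__":
    t = mission_time_for_reliability(R_SC, MTBF_SC_HOURS)
    print(f"failure rate: {failure_rate_fit(MTBF_SC_HOURS):.0f} FIT")
    print(f"Rsc = {R_SC} corresponds to a mission of about {t:.1f} h at MTBF {MTBF_SC_HOURS} h")
    print(f"two independent channels at Rsc each: R = {parallel_reliability([R_SC, R_SC]):.8f}")
```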

To develop components and compositions that meet the requirements of supercritical operating modes, we extensively use the MathWorks toolset along with classic code development tools and CI/CD tools. An illustrative representation of the process of building a supercritical system using the MathWorks toolset is shown in Figure 3.

Figure 3. Supercritical System Development Process Using the MathWorks Toolset


How can N-iX help you with automotive functional safety?

For stakeholders in the automotive industry, these methodologies and approaches provide a blueprint for developing ISO 26262-compliant software, and go above and beyond these standards to ensure absolute safety. We invite industry partners, manufacturers, and other stakeholders to engage with us, explore our practices, and consider implementing similar strategies within their development frameworks. By fostering a shared commitment to safety and quality, we can drive the industry forward, delivering products that offer groundbreaking functionalities and unparalleled safety and reliability.

Adopting a proactive and safety-centric approach to development is non-negotiable in a landscape where technology is ever-evolving. By doing so, we protect the end-users of automotive products and contribute positively to the industry’s reputation, setting a high bar for safety and reliability. Engage with our team to learn more about our commitment to safety, our innovative approaches to component development, and how we can collaboratively work towards creating robust, reliable, and, above all, safe automotive software.


Conclusion

In the automotive industry, safety is at the forefront of the development processes described in this article. We make sure that both functional and safety requirements are met and exceeded by defining and analyzing each component under ISO 26262 standards. Introducing the "supercritical" state highlights our proactive approach to addressing components whose failure could lead to severe consequences, underlining our dedication to preventing catastrophic events through careful planning, analysis, and innovative practices.

We don't just follow standards; we create and implement new safety mechanisms and processes to bolster the safety and reliability of automotive components. Integrating fault tolerance mechanisms into supercritical components shows our commitment to delivering cutting-edge technology and unwavering safety.


References

[1] Humennyi, Dmytro. Established Definitions of Super-Critical Operational Modes as Automotive System Requirements. X International Conference "Information Technology and Implementation" (IT&I-2023).

[2] Humennyi, Dmytro. Emphasis on Super-Critical Operational Modes in Robotic System. International Scientific Symposium "Intelligent Solutions-S": Computational Intelligence (Results, Problems and Perspectives).

Dmytro Humennyi
Ph.D. in robotics and automatic control systems, Automotive consultant at N-iX
