Functional Safety


Functional safety matters in every industry where safety-critical operations require active monitoring. The active monitors either prevent or mitigate the failures that would otherwise violate the system's safety goals. As the number of electronic systems in vehicles grows, functional safety has become a practical requirement, backed by international standards such as ISO 26262 for road vehicles and ISO 25119 for tractors and agricultural machinery. Developing automotive systems to a functional safety standard puts the safety of driver, passengers and pedestrians first; it also reduces vehicle recalls.

ISO 26262 distinguishes faults, errors and failures. A fault (a hardware defect or a software bug) is an abnormal condition that can cause an error, i.e. an incorrect internal state or value; an error that reaches the element's output becomes a failure, the loss of the intended function. A failure, or a combination of failures, can create a hazard, and the risk to the system's safety depends on the severity of that hazard together with how likely it is and how controllable it is. The diagram below shows the relationship between fault, error, failure, hazard and risk.

Functional Failure

Failures in a system are of two types: a) systematic failures and b) random hardware failures. The diagram below shows the failure classification.

Systematic failures are deterministic: they originate in development errors (in the requirements, the design, the implementation or the process that produced them) and recur whenever the triggering conditions occur. The risk from systematic failures is prevented by developing hardware and software to the appropriate design standards and guidelines, and by performing safety analysis and verification. Random hardware failures occur at a statistically predictable rate during the lifetime of a hardware element; their risk is reduced by deploying suitable safety mechanisms (e.g. built-in tests, redundancy, monitoring) in the system (the item).

The main objective of functional safety is to reduce the risk of each unacceptable hazard to an acceptable level. To this end, functional safety standards provide methods and guidelines for every phase and activity of the system life cycle: inception, safety goal identification, requirements specification, hardware design, software design, safety analysis, verification, installation, service and maintenance.



ISO 26262


ISO 26262 is the international functional safety standard for safety-related electrical and/or electronic (E/E) systems in road vehicles (the 2011 first edition was limited to passenger cars; the 2018 second edition also covers trucks, buses, trailers and motorcycles). It defines an automotive safety lifecycle (management, development, production, operation, service and decommissioning) and provides the guidance needed to achieve functional safety in each of its phases.

ASIL

The automotive safety integrity level (ASIL) is the risk classification assigned to each safety goal. It does not define the failure rate of the system as such; it determines how rigorously the item must be developed and, for the hardware, which target values apply for the architectural metrics and for the probability of a safety goal violation due to random hardware failure (PMHF). ISO 26262 defines four ASILs: ASIL D (highest), ASIL C, ASIL B and ASIL A (lowest).

  •   The higher the ASIL, the tougher the safety objectives and the higher the hardware target metrics
  •   The higher the ASIL, the tougher the product safety requirements and the more robust the required safety mechanisms
  •   The higher the ASIL, the more rigorous and stringent the process
  •   The higher the ASIL, the lower the acceptable residual risk

ASIL    Acceptable probability of a safety goal violation due to random hardware failure (PMHF target)
D       < 10^-8 per hour of operation
C       < 10^-7 per hour of operation
B       < 10^-7 per hour of operation
A       no target value specified

The ASIL is derived from three attributes of each hazardous event: severity (the effect on driver, passengers and other road users), probability of exposure (how often the operating situation in which the hazard can occur arises) and controllability (whether the driver or other persons at risk can act to avoid harm). The combinations with the lowest risk are classified QM (quality management) rather than given an ASIL.

Systems, or safety goals, that fall in the QM category do not have to comply with any specific ISO 26262 requirements, because the associated risk is already acceptable; they need only follow the organisation's normal quality management process.


Item definition

The item definition captures the functional requirements, non-functional requirements, environmental requirements, operating scenarios, known failure modes and interface requirements of the item (the system, or combination of systems, to which ISO 26262 is applied).

The item definition is an important artefact, prepared by the OEM or Tier 1, because it holds the information needed to identify the hazardous events of the system in the hazard analysis and risk assessment and to derive an ASIL for each of them.


Safety Goal

A safety goal is a top-level safety requirement derived from the hazard analysis and risk assessment: for each hazardous event with an unacceptable risk, the safety goal states what the item must do (or must not do) so that the hazard is avoided or mitigated, and it inherits the ASIL of that event.

E.g. unintended acceleration shall be prevented; an unintended change of driving direction shall be prevented; unintended deactivation of the low beam shall be prevented. A safety goal is needed for every unacceptable risk, and each safety goal carries attributes that must be derived together with it: the safe state, the fault tolerance time interval (FTTI, the time within which the safe state must be reached after a fault occurs) and the warning and degradation concept that applies if the system cannot reach the safe state within that interval.

Functional Safety Concept

The functional safety concept (FSC) refines the safety goals into functional safety requirements, allocates them to the elements of the preliminary architecture and specifies the safety mechanisms that prevent the violation of each safety goal. The following kinds of safety mechanisms are commonly used in a functional safety concept:

  •   Feedback/Loop back
  •   Partitioning
  •   Redundancy
  •   Dissimilar Hardware or Software
  •   Interlocks

E.g. feeding back the actual output of the previous cycle lets the intended function check, in the current cycle, that the output stage did what it was commanded to do before it drives the next output.
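As an added illustration of these mechanisms (example code written for this page, not Accord's or any project's code), the C snippet below implements a torque-request path for the "unintended acceleration shall be prevented" safety goal mentioned above: two pedal sensors provide redundancy, the measured torque of the previous cycle is looped back and compared with what was commanded, and a fault that persists for the fault tolerance time interval latches an interlock that holds the safe state (zero torque) and raises a driver warning. The cycle time, the FTTI, the tolerances and all names are values assumed for the example.

```c
/* Added example (not from the page): a torque-request path protected by the
 * safety mechanisms listed above. Two pedal sensors (redundancy), the measured
 * torque from the previous cycle (feedback/loop back) and a latched safe state
 * (interlock). All names, tolerances and timings are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define CYCLE_MS   10   /* control loop period (assumed) */
#define FTTI_MS    100  /* fault tolerance time interval of the safety goal (assumed) */
#define PEDAL_TOL  5    /* allowed disagreement between the two pedal sensors, % */
#define DRIVE_TOL  5    /* allowed overshoot of measured over commanded torque, % */

typedef struct {
    int  commanded;     /* torque (%) driven in the previous cycle */
    int  fault_cycles;  /* consecutive cycles with a suspected fault */
    bool safe_state;    /* interlock latched: zero torque until a service reset */
    bool warning;       /* driver warning requested */
} torque_ctrl_t;

void torque_init(torque_ctrl_t *c)
{
    c->commanded = 0;
    c->fault_cycles = 0;
    c->safe_state = false;
    c->warning = false;
}

/* One control cycle. pedal_a/pedal_b: redundant pedal sensors (0..100 %).
 * readback: measured torque (%) the actuator produced for the previous
 * cycle's command (the actuator is assumed to follow within one cycle).
 * Returns the torque (%) to drive in this cycle. */
int torque_step(torque_ctrl_t *c, int pedal_a, int pedal_b, int readback)
{
    if (c->safe_state)
        return 0;                            /* interlock: stay in the safe state */

    bool fault = false;

    /* Redundancy: both pedal channels must agree; the lower value is used so
     * that a single drifting sensor cannot raise the request. */
    int request = pedal_a < pedal_b ? pedal_a : pedal_b;
    if (abs(pedal_a - pedal_b) > PEDAL_TOL)
        fault = true;

    /* Loop back: the actuator must not deliver more than was commanded last
     * cycle. Delivering less is an availability problem, not this safety goal. */
    if (readback > c->commanded + DRIVE_TOL)
        fault = true;

    if (fault) {
        c->fault_cycles++;
        request = 0;                         /* fail-safe value while a fault is suspected */
    } else {
        c->fault_cycles = 0;
    }

    /* The fault has persisted for the whole FTTI: latch the safe state and warn. */
    if (c->fault_cycles * CYCLE_MS >= FTTI_MS) {
        c->safe_state = true;
        c->warning = true;
        request = 0;
    }

    c->commanded = request;
    return request;
}

/* Feed the same (faulty) inputs until the interlock latches; returns the number
 * of cycles that took, or -1 if it did not latch within max_cycles. */
int torque_cycles_until_safe_state(torque_ctrl_t *c, int pedal_a, int pedal_b,
                                   int readback, int max_cycles)
{
    for (int i = 1; i <= max_cycles; i++) {
        torque_step(c, pedal_a, pedal_b, readback);
        if (c->safe_state)
            return i;
    }
    return -1;
}

int main(void)
{
    torque_ctrl_t c;
    torque_init(&c);
    printf("normal: drive %d%%\n", torque_step(&c, 40, 42, 0));
    printf("sensor mismatch: drive %d%%\n", torque_step(&c, 40, 70, 40));
    printf("recovered: drive %d%%\n", torque_step(&c, 40, 42, 0));
    int n = torque_cycles_until_safe_state(&c, 40, 42, 80, 50);
    printf("actuator stuck high: safe state after %d cycles, warning=%d\n", n, (int)c.warning);
    return 0;
}
```

While a fault is only suspected, the output is already forced to the fail-safe value, so the hazard is mitigated before the FTTI expires; the counter decides when the condition is treated as permanent and the interlock latches. Only over-delivery of torque is treated as a violation of this safety goal; under-delivery is an availability fault that a separate monitor would handle.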

Technical safety concept

The technical safety concept (TSC) is derived from the functional safety concept by refining the functional safety requirements into technical safety requirements and allocating them to the hardware and software elements of the system design. For example, a functional safety requirement that the requested torque shall not exceed the driver's demand can be allocated to a redundant pedal position sensor (hardware), to a plausibility check of the two sensor channels and a read-back of the commanded output (software), and to a defined reaction time and safe state for the output stage.


Fault injecting testing in ISO 26262

ISO 26262 highly recommends fault injection testing for safety-critical applications. In fault injection testing the tester deliberately injects faults into a component and verifies that the fault prevention, detection and mitigation mechanisms (the safety mechanisms) react as specified, within the fault tolerance time interval.

The following fault injection techniques can be used:

Code mutation: inject additional code statements, or modify the existing software component, to

  •   Corrupt the component interface (shared global data, messages, function parameters and return values)
  •   Corrupt the component's protocol state and timing variables
  •   Corrupt the scheduler's execution timing (e.g. interrupts, task overruns)
  •   Corrupt CPU state (e.g. scratch registers, stack pointer, link register) where possible
  •   Corrupt memory accesses (access to invalid RAM/flash locations)

Analyse how the injected error propagates to other components and what effect it has on safety. If a mutant is not detected by the existing test case(s), add test cases; if it is not detected by the safety mechanisms either, the safety concept has a gap that needs a new or improved mechanism.
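The harness below is an added example (not code from the page or from Accord) of the first three mutation classes applied to one signal that is protected end to end by a CRC, an alive counter and a receive timeout; the message layout, the period and timeout, the CRC polynomial and the sample values are assumptions made for the example. Four mutants are run: a bit flip in the payload after the CRC was computed (shared-data corruption), a replay of the previous message (protocol state), the sender stalling (scheduler timing), and a wrong value computed at the source before the CRC is applied. The last one escapes the end-to-end check, which is exactly the case described above: it calls for a plausibility check as an additional mechanism, and for a test case that exercises it.

```c
/* Added example (not from the page): an end-to-end protected signal (CRC,
 * alive counter, timeout) and a fault-injection harness that applies the
 * interface and timing mutations listed above and reports whether the
 * receiver detects each mutant. Names, sizes, timings and sample values are
 * hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MSG_PERIOD_MS   10    /* send period (assumed) */
#define MSG_TIMEOUT_MS  30    /* receiver timeout: three missed periods (assumed) */

typedef struct {
    uint8_t alive;            /* 4-bit alive counter, +1 per message */
    int16_t speed;            /* payload: wheel speed in 0.1 km/h */
    uint8_t crc;              /* CRC-8 over alive and speed */
} speed_msg_t;

/* CRC-8 with polynomial 0x1D (SAE J1850), initial value 0xFF. */
static uint8_t crc8(const uint8_t *d, size_t n)
{
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x1D : (crc << 1));
    }
    return crc;
}

static uint8_t msg_crc(const speed_msg_t *m)
{
    uint8_t buf[3] = { m->alive, (uint8_t)(m->speed >> 8), (uint8_t)m->speed };
    return crc8(buf, sizeof buf);
}

void speed_msg_build(speed_msg_t *m, uint8_t alive, int16_t speed)
{
    m->alive = alive & 0x0F;
    m->speed = speed;
    m->crc = msg_crc(m);
}

typedef enum { E2E_OK, E2E_CRC, E2E_ALIVE, E2E_TIMEOUT } e2e_status_t;

typedef struct { bool started; uint8_t last_alive; uint32_t last_rx_ms; } e2e_rx_t;

void e2e_rx_init(e2e_rx_t *rx) { rx->started = false; rx->last_alive = 0; rx->last_rx_ms = 0; }

/* Receiver-side check, called once per period; m is NULL when nothing arrived. */
e2e_status_t e2e_check(e2e_rx_t *rx, const speed_msg_t *m, uint32_t now_ms)
{
    if (m == NULL)
        return (rx->started && now_ms - rx->last_rx_ms > MSG_TIMEOUT_MS) ? E2E_TIMEOUT : E2E_OK;
    if (msg_crc(m) != m->crc)
        return E2E_CRC;                      /* corrupted on the bus or in shared RAM */
    if (rx->started && ((rx->last_alive + 1) & 0x0F) != m->alive)
        return E2E_ALIVE;                    /* stale (replayed) or skipped message */
    rx->started = true;
    rx->last_alive = m->alive;
    rx->last_rx_ms = now_ms;
    return E2E_OK;
}

typedef enum {
    MUT_NONE,         /* baseline, no mutation */
    MUT_FLIP_BIT,     /* corrupt the payload after the CRC was computed (shared-data corruption) */
    MUT_REPLAY,       /* deliver the previous message again (protocol state fault) */
    MUT_STALL,        /* sender task stops running (scheduling/timing fault) */
    MUT_WRONG_VALUE   /* wrong value computed at the source: CRC and alive stay valid */
} mutant_t;

/* Run `cycles` periods with the mutant active from cycle `at` on. Returns the
 * first non-OK verdict the receiver raises, or E2E_OK if the mutant escaped. */
e2e_status_t run_mutant(mutant_t mut, int at, int cycles)
{
    e2e_rx_t rx;
    e2e_rx_init(&rx);
    speed_msg_t prev = { 0, 0, 0 };
    uint8_t alive = 0;
    for (int i = 0; i < cycles; i++) {
        uint32_t now = (uint32_t)i * MSG_PERIOD_MS;
        bool active = (mut != MUT_NONE && i >= at);
        int16_t speed = (int16_t)(300 + i);          /* constructed sample data */
        if (active && mut == MUT_WRONG_VALUE)
            speed = 0;                               /* fault inside the sender */
        speed_msg_t m;
        speed_msg_build(&m, alive, speed);
        alive = (uint8_t)((alive + 1) & 0x0F);

        speed_msg_t tx = m;                          /* what actually reaches the receiver */
        const speed_msg_t *delivered = &tx;
        if (active) {
            switch (mut) {
            case MUT_FLIP_BIT: tx.speed = (int16_t)(tx.speed ^ 0x0100); break;
            case MUT_REPLAY:   tx = prev; break;
            case MUT_STALL:    delivered = NULL; break;
            default: break;
            }
        }
        e2e_status_t verdict = e2e_check(&rx, delivered, now);
        if (verdict != E2E_OK)
            return verdict;
        prev = m;
    }
    return E2E_OK;
}

int main(void)
{
    static const char *names[] = { "none", "flip bit", "replay", "stall", "wrong value" };
    static const char *verdicts[] = { "OK (escaped)", "CRC error", "alive counter error", "timeout" };
    for (int mut = MUT_NONE; mut <= MUT_WRONG_VALUE; mut++)
        printf("%-12s -> %s\n", names[mut], verdicts[run_mutant((mutant_t)mut, 5, 20)]);
    return 0;
}
```

The stall is only reported after the timeout has elapsed, so the test must run long enough for the receiver to notice; the alive counter makes a single replay or skip visible immediately. An escaped mutant such as the wrong-value case is the result to act on: it shows which failure the current mechanisms cannot see.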

Tool qualification in ISO 26262

Tool qualification is mandatory under ISO 26262 (Part 8) for software tools classified at tool confidence level TCL2 or TCL3; the ASIL of the item determines which qualification methods are recommended. The tool confidence level is derived from two attributes evaluated for each use case of the tool: the tool impact, i.e. whether a malfunction of the tool could introduce an error into the item or fail to detect one, and the tool error detection, i.e. how confident one can be that such a malfunction and its erroneous output would be prevented or detected.

Tool Impact (TI)

  •   TI1: There is no possibility that a malfunction of the tool can introduce errors into the safety-related item or fail to detect errors in it
  •   TI2: All other cases

Tool error Detection (TD)

  •   TD1: High degree of confidence that a tool malfunction and its erroneous output would be prevented or detected
  •   TD2: Medium degree of confidence that a tool malfunction and its erroneous output would be prevented or detected
  •   TD3: All other cases

Tool Confidence level (TCL)

  •   TI1 (any TD): TCL1, no qualification required
  •   TI2 and TD1: TCL1, no qualification required
  •   TI2 and TD2: TCL2, qualification required
  •   TI2 and TD3: TCL3, qualification required

Example 1: A compiler and linker used to generate the target executable have tool impact TI2, because a compiler defect could introduce incorrect code into the executable. Unless the generated code is systematically checked by another means (e.g. back-to-back testing on the target), the detection level is TD3, the tool is TCL3 and it must be qualified.

Example 2: A test tool used for verification also has tool impact TI2, because a defect in the tool could cause it to report a failing test as passed and so fail to detect an error in the software; the detection level depends on whether its results are independently cross-checked.

A tool qualification is valid for the tool version, configuration and use cases that were evaluated. If a tool has already been qualified for the highest ASIL under those conditions, it can be reused in a later project without repeating the qualification, but a tool evaluation report should still be produced for the new project to confirm that the use cases, operating environment and version match, and to identify any additional operational requirements for which the tool would have to be requalified.

Safety validation in ISO 26262

Safety validation provides evidence that the safety goals and the functional safety concept are correct, complete and achieved by the item as built, i.e. that the item is fit for purpose with respect to functional safety. Safety validation is done through testing at vehicle level (or in an equivalent environment), analysis (FMEA, FTA, ETA, simulation) and reviews.

Functional Safety analysis in ISO 26262


Failures are of two types, systematic failures and random hardware failures. Systematic failures are deterministic and come from problems in the design, so design failure mode and effects analysis (FMEA) helps eliminate design failures from the system. Random hardware failures are non-deterministic, so the hardware FMEDA (failure modes, effects and diagnostic analysis) quantifies them and shows where additional safety mechanisms are needed to detect or control them.

ISO 26262 recommends the following safety analyses:

  •   System design FMEA: Analyse and check that the system design meets the system safety requirements.
  •   Hardware FMEA: Evaluation of the hardware architectural metrics (SPFM, single-point fault metric, and LFM, latent fault metric), which measure how well the hardware is covered by its safety mechanisms.
  •   Hardware FMEDA: Evaluation of the probability of a safety goal violation due to random hardware failures (PMHF), using the failure rate and diagnostic coverage of each hardware element.
  •   Software design FMEA: Analyse and check the effectiveness of the software safety mechanisms.
  •   Software dependent failure analysis (DFA): Analyse and check freedom from interference and the dependencies (common cause and cascading failures) between software components.
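To show how the hardware metrics in the list above are actually computed (added example, not the page's or Accord's code), the C program below evaluates a small constructed FMEDA table: for each element it splits the failure rate into safe faults, faults that violate the safety goal directly and multiple-point faults, applies the diagnostic coverage of the safety mechanisms, derives SPFM, LFM and the single-point/residual contribution to PMHF, and compares them with the ISO 26262-5 targets for ASIL B, C and D. The element names, failure rates, failure-mode splits and coverages are invented for the example, and the PMHF figure deliberately omits the dual-point-fault terms of the full formula.

```c
/* Added example (not from the page): hardware architectural metrics (SPFM,
 * LFM) and the single-point/residual share of PMHF computed from a constructed
 * FMEDA table and compared with the ISO 26262-5 targets. Part names, failure
 * rates, failure-mode splits and diagnostic coverages are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    const char *name;
    double lambda;     /* failure rate in FIT (1 FIT = 1e-9 / h) */
    double f_safe;     /* share of faults with no effect on the safety goal */
    double f_direct;   /* share that violates the safety goal directly if not covered */
    double dc_direct;  /* diagnostic coverage of the safety mechanism for those faults */
    double dc_latent;  /* coverage (e.g. start-up self test) of the remaining
                          multiple-point faults, share 1 - f_safe - f_direct */
} fmeda_row_t;

typedef struct {
    double lambda_total;     /* FIT */
    double lambda_spf_rf;    /* single-point + residual faults, FIT */
    double lambda_mpf_l;     /* latent multiple-point faults, FIT */
    double spfm, lfm;        /* 0..1 */
    double pmhf_per_h;       /* single-point/residual contribution only */
} fmeda_result_t;

fmeda_result_t fmeda_evaluate(const fmeda_row_t *rows, int n)
{
    fmeda_result_t r = { 0, 0, 0, 0, 0, 0 };
    for (int i = 0; i < n; i++) {
        const fmeda_row_t *x = &rows[i];
        double lambda_mpf = x->lambda * (1.0 - x->f_safe - x->f_direct);
        r.lambda_total  += x->lambda;
        /* the uncovered part of a directly violating fault is a single-point
         * fault (no mechanism, dc = 0) or a residual fault (dc < 1) */
        r.lambda_spf_rf += x->lambda * x->f_direct * (1.0 - x->dc_direct);
        /* multiple-point faults that are neither detected nor perceived stay latent */
        r.lambda_mpf_l  += lambda_mpf * (1.0 - x->dc_latent);
    }
    /* metric definitions as in ISO 26262-5 */
    r.spfm = 1.0 - r.lambda_spf_rf / r.lambda_total;
    r.lfm  = 1.0 - r.lambda_mpf_l / (r.lambda_total - r.lambda_spf_rf);
    r.pmhf_per_h = r.lambda_spf_rf * 1e-9;       /* FIT -> failures per hour */
    return r;
}

typedef enum { ASIL_B, ASIL_C, ASIL_D } asil_t;

/* Target values from ISO 26262-5 (ASIL A has no target). */
bool fmeda_meets_targets(const fmeda_result_t *r, asil_t asil)
{
    static const double spfm_min[] = { 0.90, 0.97, 0.99 };
    static const double lfm_min[]  = { 0.60, 0.80, 0.90 };
    static const double pmhf_max[] = { 1e-7, 1e-7, 1e-8 };
    return r->spfm >= spfm_min[asil] && r->lfm >= lfm_min[asil]
        && r->pmhf_per_h < pmhf_max[asil];
}

/* Constructed sample: part of a torque-control ECU. */
const fmeda_row_t SAMPLE_ROWS[] = {
    /* name             FIT   safe  direct dc_direct dc_latent */
    { "MCU core",       100,  0.50, 0.40,  0.99,     0.90 },  /* lockstep core */
    { "pedal ADC",       20,  0.30, 0.60,  0.90,     0.60 },  /* redundant-channel plausibility */
    { "gate driver",     50,  0.40, 0.50,  0.90,     0.50 },  /* output read-back */
    { "supply monitor",  10,  0.20, 0.00,  0.00,     0.00 },  /* harmful only with a second fault */
};
const int SAMPLE_COUNT = sizeof SAMPLE_ROWS / sizeof SAMPLE_ROWS[0];

int main(void)
{
    fmeda_result_t r = fmeda_evaluate(SAMPLE_ROWS, SAMPLE_COUNT);
    printf("total %.1f FIT, SPF+RF %.2f FIT, latent MPF %.2f FIT\n",
           r.lambda_total, r.lambda_spf_rf, r.lambda_mpf_l);
    printf("SPFM %.2f%%  LFM %.2f%%  PMHF(SPF+RF) %.2e /h\n",
           100.0 * r.spfm, 100.0 * r.lfm, r.pmhf_per_h);
    printf("meets ASIL B: %d, C: %d, D: %d\n",
           (int)fmeda_meets_targets(&r, ASIL_B), (int)fmeda_meets_targets(&r, ASIL_C),
           (int)fmeda_meets_targets(&r, ASIL_D));
    return 0;
}
```

With the sample data the design meets the ASIL B and C targets but misses ASIL D on SPFM: the residual faults of the pedal ADC and the gate driver dominate the single-point/residual sum, so raising the diagnostic coverage of those two mechanisms is the lever to pull, and the table shows it before any hardware is built.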

Confirmation measures in ISO 26262


Confirmation measures are an important activity that ensures the project work products comply with the objectives of ISO 26262. ISO 26262 requires the following confirmation measures:

Confirmation review
  •   Objective: Evaluates the compliance of project work products with the requirements of ISO 26262, i.e. checks their correctness with respect to formality, contents, adequacy and completeness regarding those requirements.
  •   Work product: Confirmation review report
  •   Remarks: Only selected work products (as listed in ISO 26262) undergo confirmation review.
  •   Applies to: ASIL A, B, C, D

Functional safety audit
  •   Objective: Evaluates that the implementation process of the item is in accordance with the process specified in the safety plan.
  •   Work product: Functional safety audit report
  •   Applies to: ASIL C and D; recommended for ASIL B

Functional safety assessment
  •   Objective: Evaluates that the functional safety of the item has been achieved as specified in the item definition, checking the following:
  1. Work products' compliance with ISO 26262 (including work products not covered by the confirmation review)
  2. The functional safety process
  3. The effectiveness of the implemented safety measures
  4. Recommendations from the previous functional safety assessment
  •   Work product: Functional safety assessment report
  •   Remarks: Confirmation reviews and functional safety audits can be combined with the functional safety assessment.
  •   Applies to: ASIL C and D; recommended for ASIL B

Safety case in ISO 26262

The safety case is a work product of ISO 26262 that argues, with reference to the work products produced in the safety lifecycle, that the safety requirements of the item are complete and satisfied and so that the item is free from unreasonable risk. It is a living document maintained throughout the lifecycle: it is subject to confirmation review, and once the confirmation review has accepted the final safety case it is submitted as an input to the functional safety assessment.

Stake holders' responsibilities in achieving ISO 26262 functional safety compliance

All stakeholders in the system must perform their share of the activities needed to achieve ISO 26262 functional safety; the split below is a typical one and is fixed for a given project in the development interface agreement (DIA). ISO 26262 Part 2 activities (safety plan, safety culture, DIA, safety case, etc.) are the responsibility of all three stakeholders (OEM, Tier 1 and Tier 2). Part 3 activities (item definition, hazard analysis and risk assessment, ASIL derivation, safety goals, etc.) are the OEM's responsibility. Part 4 activities (system design, technical safety concept, system testing, etc.) are the Tier 1's responsibility. Part 5 and Part 6 activities (hardware and software safety requirements, hardware and software design, verification, etc.) are the Tier 2's responsibility. Part 9 activities (system design FMEA, hardware FMEDA, software design FMEA and software dependent failure analysis) are shared between Tier 1 and Tier 2.

Functional safety standards


Avionics domain functional safety standards

  •   ARP 4754A: This standard provides guidelines for the development of civil aircraft systems.
  •   ARP 4761: This standard provides guidelines and methods for the safety assessment of civil aircraft for certification.
  •   DO-254: This standard provides guidelines for the development of airborne electronic hardware.
  •   DO-178C: This standard provides guidelines for the production of software for airborne systems.

Automotive domain functional safety standards

  •   ISO 26262: This standard provides guidelines for the management, development, verification, production and service of electrical and/or electronic (E/E) systems within road vehicles.
  •   ISO 25119: This standard provides guidelines for the design and verification of electrical and/or electronic (E/E) systems in tractors and machinery for agriculture and forestry.

The below diagram explains the relation between the standards



Accord Services in Automotive Functional Safety


Accord has extensive experience with functional safety in both the avionics and automotive domains. Accord has designed and developed functional safety systems and passed functional safety audits, and this experience with safety audits has benefited our customers.

Accord provides the following services in Automotive functional safety

  •   Safety plans preparation
  •   Support in defining the item, the safety goals, and the hazard analysis and risk assessment
  •   Prepare Functional safety concept and Technical safety concept
  •   Item integration testing
  •   Hardware and Software development and verification
  •   Safety analysis
    •          System design FMEA
    •          Hardware FMEDA
    •          Software design FMEA
    •          Software dependent failure analysis (DFA)
  •   Unit testing, Software integration testing, Fault injection testing
  •   Structural coverage testing
  •   Tool qualification
  •   Component qualification
  •   Support in confirmation measures (confirmation review, functional safety audit and functional safety assessment)