In the rapidly evolving world of automotive technology, working to strengthen the safety of electrical and electronic systems is paramount. ISO 26262:2018, the international standard for implementing functional safety in road vehicles, helps support this effort. It provides a comprehensive framework for addressing the hazards caused by malfunctioning behavior of complex electrical and electronic systems.
At the core of this standard is functional safety analysis (or safety analysis), a comprehensive process designed to uncover faults and failures in automotive systems before implementation.
In the traditional V model for system development, the analysis methods fall on the left-hand side of the V. If agile methodology is employed, safety analysis is also an iterative process. The analysis is performed on design or architecture at the Concept, System, Hardware or Software level to derive or verify safety requirements in the respective phases.
Objectives of automotive safety analysis
The objective of safety analysis is to help minimize risk due to the violation of safety requirements by systematic and random hardware failures.
- Safety analyses focus on verifying the existing safety requirements for completeness, correctness and compliance with ISO 26262.
- During a safety analysis, safety-related faults are identified, and safety mechanisms are defined to detect, mitigate and/or control the faults that may occur at the abstraction level at which the analysis is performed. Safety analysis may be done at the concept, system, hardware or software level.
- The safety mechanisms are then converted to additional safety requirements for prevention, detection, safe state transition and driver alerts.
- Requirements related to driver alerts help improve the controllability of the situation and reduce severity.
The Functional Safety Analysis process
A critical aspect of safety analysis is the systematic and thorough examination of the design/architecture to identify potential faults. This involves methodically analyzing the design to determine possible failure modes and implementing appropriate countermeasures to manage them effectively. The goal is to ensure that the design meets safety requirements and is robust enough to handle any identified faults through prevention, detection and mitigation strategies. The safety analysis techniques required by ISO 26262:2018 are inductive and deductive analysis.
Functional Safety Analysis methods according to ISO 26262
Inductive analysis is a bottom-up approach while deductive analysis is a top-down approach. Both are complementary methodologies required to achieve safety.
The ISO 26262 standard provides specific guidelines about these analyses according to the assigned ASIL. Inductive safety analysis must be performed for all ASIL levels A through D, whereas deductive analysis is only required for ASIL C and D systems. In an ideal analysis, the inductive and deductive analyses yield the same results. These systematic approaches provide a clear and logical pathway for identifying root causes and developing mitigation strategies, which facilitates proactive identification and management of risks and reduces the likelihood of system failures. The analysis may be qualitative or quantitative; the standard requires quantitative analysis only at the hardware level. Analysis methods include:
Deductive analysis
Deductive analysis is a method used to identify potential causes of system failures. It starts with a known undesirable event, often a vehicle-level hazard (the top-level event), and works backwards to determine the root causes or contributing factors, termed faults, that could lead to that event. By tracing all possible faults that could lead to a vehicle-level hazard, deductive analysis helps ensure no potential fault is overlooked.
Fault Tree Analysis
Fault Tree Analysis (FTA) in ISO 26262 is one of the common deductive methods used to determine the root causes of system failures. FTA uses logical gates like AND and OR to map out the pathways that lead to the top-level event, providing a visual representation of how different failures at base level combine to cause a system failure. FTA is crucial in the context of ISO 26262, as it supports the identification and management of potential hazards in automotive systems, ensuring that appropriate safety measures are implemented to prevent or mitigate failures.
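An added illustration, not from the original page, of how the AND and OR gates of an FTA combine basic events into a top-level event. The hazard, basic events and probabilities below are constructed; basic events are assumed independent and to appear only once in the tree. Cut sets of size one are exactly the single-point faults the analysis is meant to expose.

```python
from itertools import product

# Constructed fault tree for the vehicle-level hazard "unintended braking".
# A basic event is a string; a gate is ("AND" | "OR", child, child, ...).
UNINTENDED_BRAKING = ("OR",
    ("AND", "sensor_stuck", "plausibility_check_fails"),
    ("AND", "ecu_sw_bug", "watchdog_fails"),
    "actuator_short")

# Constructed per-demand probabilities of the basic events (not real data).
BASIC_EVENT_PROB = {
    "sensor_stuck": 1e-4, "plausibility_check_fails": 1e-2,
    "ecu_sw_bug": 1e-5, "watchdog_fails": 1e-3, "actuator_short": 1e-5,
}

def event_probability(node, probs=BASIC_EVENT_PROB):
    """Probability of the event at `node`, assuming independent basic events
    that appear only once in the tree (otherwise OR gates over-estimate)."""
    if isinstance(node, str):
        return probs[node]
    gate, *children = node
    ps = [event_probability(c, probs) for c in children]
    if gate == "AND":                        # all inputs must fail
        p = 1.0
        for x in ps:
            p *= x
        return p
    if gate == "OR":                         # any one input failing suffices
        q = 1.0
        for x in ps:
            q *= 1 - x
        return 1 - q
    raise ValueError(f"unknown gate {gate}")

def minimal_cut_sets(node):
    """Minimal combinations of basic events that bring about the event at `node`."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        cuts = {s for sets in child_sets for s in sets}
    elif gate == "AND":
        cuts = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate}")
    return [s for s in cuts if not any(o < s for o in cuts)]  # drop non-minimal sets

def single_point_faults(node):
    """Basic events that alone cause the top event: the cut sets of size one."""
    return sorted(next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1)
```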
Inductive analysis
Inductive analysis is an effective technique to identify the vehicle level impact of a potential failure. It often starts with a potential identified fault at the component/subsystem level and works towards determining the vehicle level impact of the fault.
Failure Mode and Effects Analysis
Failure Mode and Effects Analysis (FMEA) in ISO 26262 is a structured inductive approach used to identify and evaluate potential failure modes within automotive electronic systems and their effects on system performance and safety. The process involves systematically examining each component/subsystem to determine how it might fail, the potential effects and causes of each failure, and the appropriate safety mechanism that covers its effects at the vehicle level. By identifying high-risk failure modes, FMEA helps engineers develop and implement mitigation strategies to enhance the overall reliability and safety of the system.
Failure Mode Effects and Diagnostic Analysis
Failure Mode Effects and Diagnostic Analysis (FMEDA) is an inductive analysis which is quantitative in nature and performed at the hardware level. This method is used to determine random hardware failure metrics. The hardware detailed design is analyzed to compute hardware architectural metrics, such as the Single Point Fault Metric and the Latent Fault Metric, to verify whether it meets the targets for the respective ASIL. Another metric that is calculated is the Probabilistic Metric for Random Hardware Failures. FMEDA requires deep expertise in hardware analysis and is a tedious process which must be executed precisely.
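An added worked example, not part of the original page, that computes the Single Point Fault Metric and Latent Fault Metric from a small set of FMEDA rows using the ISO 26262-5 definitions (SPFM = 1 - Σ(λ_SPF + λ_RF)/Σλ, LFM = 1 - Σλ_MPF,latent/Σ(λ - λ_SPF - λ_RF)) and checks them against the ASIL B/C/D targets. The hardware elements, failure rates and coverage values are constructed, and the rule that splits each element's failure rate is a deliberate simplification of a real FMEDA.

```python
from dataclasses import dataclass

@dataclass
class HwElement:
    """One row of a constructed FMEDA for a safety-related hardware element."""
    name: str
    fit: float          # failure rate λ in FIT (failures per 1e9 hours)
    safe_frac: float    # share of faults that can never violate the safety goal (safe faults)
    can_violate: bool   # a single fault could violate the safety goal if no mechanism covered it
    dc_rf: float        # diagnostic coverage against residual faults (0.0 = no safety mechanism)
    dc_lf: float        # diagnostic coverage against latent faults

def split_failure_rate(e):
    """Return (λ_SPF, λ_RF, λ_MPF_latent) for one element, in FIT (simplified rule)."""
    lam = e.fit * (1 - e.safe_frac)            # portion that is not a safe fault
    if e.can_violate and e.dc_rf == 0:
        spf, rf = lam, 0.0                      # no safety mechanism: single-point fault
    elif e.can_violate:
        spf, rf = 0.0, lam * (1 - e.dc_rf)      # uncovered remainder is a residual fault
    else:
        spf, rf = 0.0, 0.0                      # e.g. a safety mechanism: only multiple-point faults
    mpf = lam - spf - rf
    return spf, rf, mpf * (1 - e.dc_lf)         # undetected multiple-point faults stay latent

def spfm(elements):
    total = sum(e.fit for e in elements)
    spf_rf = sum(s + r for s, r, _ in map(split_failure_rate, elements))
    return 1 - spf_rf / total

def lfm(elements):
    parts = [split_failure_rate(e) for e in elements]
    total = sum(e.fit for e in elements)
    spf_rf = sum(s + r for s, r, _ in parts)
    latent = sum(l for _, _, l in parts)
    return 1 - latent / (total - spf_rf)

# ISO 26262-5 targets (SPFM, LFM) per ASIL; ASIL A sets no numeric targets.
TARGETS = {"B": (0.90, 0.60), "C": (0.97, 0.80), "D": (0.99, 0.90)}

def meets_targets(elements, asil):
    s, l = TARGETS[asil]
    return spfm(elements) >= s and lfm(elements) >= l

# Constructed FMEDA rows for illustration only; the figures are not from any real part.
EXAMPLE = [
    HwElement("MCU core (ECC + watchdog)", 100, 0.5, True, 0.90, 0.90),
    HwElement("External watchdog", 10, 0.0, False, 0.0, 0.50),
    HwElement("Pedal position sensor", 50, 0.2, True, 0.99, 0.90),
    HwElement("Pull-up resistor, unmonitored", 2, 0.0, True, 0.0, 0.0),
]

if __name__ == "__main__":
    print(f"SPFM = {spfm(EXAMPLE):.2%}, LFM = {lfm(EXAMPLE):.2%}")
    for asil in "BCD":
        print(asil, "met" if meets_targets(EXAMPLE, asil) else "not met")
```

With these rows the unmonitored resistor alone contributes 2 FIT of single-point faults, which is what keeps the SPFM below the ASIL C target.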
Dependent Failure Analysis
As systems become more complex, the interdependencies between system elements increase significantly and can lead to dependent failures. Dependent Failure Analysis (DFA) is the method recommended in ISO 26262 to identify and evaluate failures that affect freedom from interference and independence at various levels within a system. The two categories of dependent failures are cascading failures and common cause failures.
One key aspect of DFA is the identification of cascading failures, where the failure of one component triggers failures in other components, leading to a chain reaction of failures. Another important consideration is the identification of common cause failures, where multiple components fail due to a single underlying cause, such as a shared environmental factor or a design flaw. While eliminating dependent failures is often challenging, DFA aims to recommend appropriate strategies to mitigate their impact. These strategies include introducing redundancy and diversity in critical architectural elements as well as in the development lifecycle.
Functional safety expertise and hands-on experience
When working with UL Solutions, you gain access to experts in functional safety who bring hands-on experience in the design and development of automotive system hardware and software. Partnering with us for your safety analysis is an efficient way to gain the expertise you need to complete the necessary complex analyses.
Benefits
- Efficient and thorough safety analysis by industry experts
- Increased confidence in the safety of your products
- Reduced risk of confirmation bias in analysis
- Recommendations based on vast industry experience