What is functional safety

In the automotive industry, ISO 26262 (adopted in China as GB/T 34590) defines functional safety as:
absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E (electrical and electronic) systems.
Put informally: even when an E/E system in the vehicle malfunctions, the failure stays controllable, either because a safety mechanism detects the fault and brings the function to a safe state, or because the driver can still control the vehicle. The standard addresses hazards caused by malfunctions (random hardware faults and systematic design or software faults), not hazards of a function that works exactly as specified.

What is ISO 26262

ISO 26262 is the adaptation of IEC 61508, the basic functional safety standard for electrical, electronic and programmable electronic (E/E/PE) safety-related systems, to the automotive sector. It applies to safety-related E/E systems installed in series-production road vehicles (the 2011 edition covered passenger cars up to 3,500 kg; the 2018 edition extended the scope to other road vehicles) and is the international reference standard for the functional safety of automotive E/E products.

The International Electrotechnical Commission (IEC) published the first parts of IEC 61508 in 1998 and completed the series in 2000, which established functional safety as a discipline in its own right. After IEC 61508, individual industries issued sector standards derived from it: EN 50126/50128/50129 for railways, IEC 61511 for the process industry, IEC 62061 for machinery and IEC 61513 for nuclear power plants, among others.

ASIL (Automotive Safety Integrity Level)

IEC 61508 defines four safety integrity levels (SIL 1 to SIL 4), SIL 4 being the most demanding. ISO 26262 analogously defines four Automotive Safety Integrity Levels, ASIL A (lowest) to ASIL D (highest); requirements that need no ASIL are classified QM (quality management) and handled by the normal quality process. In addition, as shown in the figure, ISO 26262-5 sets target values for ASIL B to ASIL D for three hardware architectural metrics: the single-point fault metric (SPFM), the latent-fault metric (LFM) and the probabilistic metric for random hardware failures (PMHF, in the industry usually quoted in FIT, failures in time, i.e. failures per 10^9 operating hours):

ASIL   SPFM     LFM      PMHF
B      >= 90%   >= 60%   < 10^-7 / h (100 FIT)
C      >= 97%   >= 80%   < 10^-7 / h (100 FIT)
D      >= 99%   >= 90%   < 10^-8 / h (10 FIT)

No quantitative targets are set for ASIL A. The fraction of a hardware element's failure rate that a safety mechanism detects or controls is called its diagnostic coverage (DC); ISO 26262-5 works with the typical classes 60% (low), 90% (medium) and 99% (high).

ASIL rating

After receiving the requirements, the automotive developer first performs the ASIL rating, assigning an ASIL to each safety goal and deriving the target values (such as the hardware metric targets above) from it.
The risk of a hazardous event is assessed from three factors: Exposure (E, the probability of being in the operational situation in which the hazard can occur), Controllability (C, the ability of the driver or other persons to avoid harm) and Severity (S, of the potential harm). This is often written informally as Risk = E * C * S, but ISO 26262 does not multiply the factors: each one is classified (S1-S3, E1-E4, C1-C3; S0, E0 or C0 means no ASIL is assigned) and the ASIL is read from the table in ISO 26262-3:

             C1   C2   C3
S1   E1      QM   QM   QM
     E2      QM   QM   QM
     E3      QM   QM   A
     E4      QM   A    B
S2   E1      QM   QM   QM
     E2      QM   QM   A
     E3      QM   A    B
     E4      A    B    C
S3   E1      QM   QM   A
     E2      QM   A    B
     E3      A    B    C
     E4      B    C    D

QM means the requirement carries no ASIL. Each step up in any one factor raises the ASIL by one level, so ASIL D is reached only for a life-threatening (S3), frequently occurring (E4) and practically uncontrollable (C3) hazard.

FMEDA

FMEA, FTA and FMEDA are the three main analysis techniques used under ISO 26262 and play a central role in product development. Compared with the first two, FMEDA (Failure Modes, Effects and Diagnostic Analysis) is the core technique for quantitative analysis and has received increasing attention from practitioners.
FMEDA computes the three hardware architectural metrics (SPFM, LFM and PMHF) for a hardware architecture to verify that it meets the targets of the assigned ASIL. If it does not, the design is improved through iterations of design optimisation, analysis and recalculation until a design that meets the targets is reached.
FMEDA keeps the bottom-up methodology of FMEA and adds the quantitative data that FMEA lacks: the failure rate of each hardware element, the distribution of that failure rate over the element's failure modes, and the diagnostic coverage of the safety mechanisms for each failure mode.

FMEDA process

(1) From the hardware architecture, list every hardware element. Look up the base failure rate and its distribution over failure modes in a component failure rate handbook (Siemens SN 29500, IEC TR 62380, etc.) and convert the reference failure rate to the conditions of the product's mission profile (temperature, electrical stress, operating hours), which gives the failure rate used in the calculation.

(2) Following the fault classification flow of ISO 26262-5 (Annex B), decide for each failure mode of each hardware element whether it is safety-related, whether it can violate a safety goal on its own, and whether a safety mechanism covers it, until every failure mode is classified as a safe fault, a single-point fault (no mechanism), a residual fault (the share not covered by the mechanism) or a multiple-point fault (detected, perceived or latent).

(3) Take the diagnostic coverage of each safety mechanism implemented in the design from the safety mechanism catalogue in Annex D of ISO 26262-5. If no matching entry exists, estimate the coverage on the basis of earlier project experience and document the rationale.

(4) Compute the hardware architectural metrics SPFM, LFM and PMHF from their formulas (ISO 26262-5 Annex C) and compare them with the targets of the assigned ASIL:

SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
LFM  = 1 - sum(lambda_MPF,latent) / sum(lambda - lambda_SPF - lambda_RF)

where the sums run over the safety-related hardware elements; PMHF is dominated by sum(lambda_SPF + lambda_RF) plus a smaller dual-point-fault term that depends on the latent-fault detection interval and the vehicle lifetime.

(5) If the design misses the targets of the assigned ASIL, use the FMEDA results to find the weak points (the failure modes contributing most to lambda_SPF, lambda_RF or lambda_MPF,latent), add or improve safety mechanisms there and repeat the analysis until the metrics meet the targets.
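The five steps above, carried through for a small constructed architecture, as an added example that is not code from the original page or from any FMEDA tool. It assumes a simple part/failure-mode data layout, failure rates in FIT (1 FIT = 10^-9 failures per hour), and approximates PMHF by the single-point and residual fault contributions only, neglecting the dual-point-fault term. The sample parts, failure rates, mode distributions and coverage values are constructed for illustration; the ASIL targets are those of ISO 26262-5:2011. The second run shows step (5): adding a 95% coverage mechanism to the only unmonitored failure mode moves the design from ASIL B to ASIL C.

```python
"""FMEDA hardware architectural metrics (SPFM, LFM, PMHF) for a small design.

Added example, not code from the original page. Assumptions: the part and
failure-mode layout below; failure rates in FIT (1e-9 failures/hour); PMHF
approximated by the single-point plus residual fault rate (dual-point term
neglected). All sample parts and numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

FIT = 1e-9  # failures per hour

# Targets of ISO 26262-5:2011, Tables 4 to 6 (no quantitative targets for ASIL A).
TARGETS = {
    "B": {"SPFM": 0.90, "LFM": 0.60, "PMHF": 1e-7},
    "C": {"SPFM": 0.97, "LFM": 0.80, "PMHF": 1e-7},
    "D": {"SPFM": 0.99, "LFM": 0.90, "PMHF": 1e-8},
}


@dataclass
class FailureMode:
    name: str
    share: float   # fraction of the part's failure rate; a part's shares sum to 1.0
    kind: str      # "safe": cannot violate the safety goal (SG)
                   # "direct": violates the SG alone unless a mechanism covers it
                   # "dual": violates the SG only together with a second fault
                   #         (typical for the safety mechanism's own hardware)
    dc: float = 0.0         # diagnostic coverage of the mechanism covering a "direct" mode
    latent_dc: float = 0.0  # coverage of the mechanism that reveals a fault which cannot
                            # violate the SG alone; the uncovered remainder stays latent


@dataclass
class Part:
    ref: str
    fit: float            # failure rate already converted to the mission profile
    safety_related: bool
    modes: List[FailureMode]


def classify(parts: List[Part]) -> Dict[str, float]:
    """Split each safety-related part's failure rate into the ISO 26262-5 fault classes."""
    lam = {"total": 0.0, "spf": 0.0, "rf": 0.0, "mpf_latent": 0.0, "mpf_detected": 0.0, "safe": 0.0}
    for part in parts:
        if not part.safety_related:
            continue                      # excluded from the architectural metrics
        base = part.fit * FIT
        lam["total"] += base
        for fm in part.modes:
            rate = base * fm.share
            if fm.kind == "safe":
                lam["safe"] += rate
            elif fm.kind == "direct" and fm.dc == 0.0:
                lam["spf"] += rate        # no safety mechanism: single-point fault
            elif fm.kind == "direct":
                lam["rf"] += rate * (1.0 - fm.dc)     # uncovered share: residual fault
                covered = rate * fm.dc                # covered share needs a second fault
                lam["mpf_detected"] += covered * fm.latent_dc
                lam["mpf_latent"] += covered * (1.0 - fm.latent_dc)
            elif fm.kind == "dual":
                lam["mpf_detected"] += rate * fm.latent_dc
                lam["mpf_latent"] += rate * (1.0 - fm.latent_dc)
            else:
                raise ValueError(f"unknown failure mode kind {fm.kind!r}")
    return lam


def metrics(parts: List[Part]) -> Dict[str, float]:
    """SPFM and LFM per ISO 26262-5 Annex C; PMHF as the simplified SPF + RF sum."""
    lam = classify(parts)
    spf_rf = lam["spf"] + lam["rf"]
    return {"SPFM": 1.0 - spf_rf / lam["total"],
            "LFM": 1.0 - lam["mpf_latent"] / (lam["total"] - spf_rf),
            "PMHF": spf_rf}


def achieved_asil(m: Dict[str, float]):
    """Highest ASIL whose three targets are all met; None if even ASIL B is missed."""
    best = None
    for asil, t in TARGETS.items():
        if m["SPFM"] >= t["SPFM"] and m["LFM"] >= t["LFM"] and m["PMHF"] < t["PMHF"]:
            best = asil
    return best


def sample_design(mosfet_dc: float) -> List[Part]:
    """Constructed architecture: MCU with watchdog and voltage monitor driving a power
    MOSFET. mosfet_dc is the coverage of an optional current-sense check on the MOSFET
    short-circuit mode (0.0 = no mechanism, i.e. the first FMEDA iteration)."""
    return [
        Part("U1 MCU", 200, True, [
            FailureMode("stuck output", 0.5, "direct", dc=0.99, latent_dc=1.0),
            FailureMode("wrong timing", 0.3, "direct", dc=0.90, latent_dc=1.0),
            FailureMode("internal, no SG effect", 0.2, "safe")]),
        Part("U2 watchdog", 20, True, [
            FailureMode("fails to trigger", 0.6, "dual", latent_dc=0.9),  # start-up test
            FailureMode("spurious reset", 0.4, "safe")]),
        Part("U3 voltage monitor", 15, True, [
            FailureMode("no fault signal", 0.7, "dual", latent_dc=0.6),
            FailureMode("false fault signal", 0.3, "safe")]),
        Part("Q1 MOSFET", 30, True, [
            FailureMode("short", 0.4, "direct", dc=mosfet_dc, latent_dc=1.0),
            FailureMode("open", 0.6, "safe")]),
        Part("D5 status LED", 5, False, []),   # not safety-related
    ]


if __name__ == "__main__":
    for dc in (0.0, 0.95):   # iteration 1: unmonitored MOSFET; iteration 2: 95 % DC
        m = metrics(sample_design(dc))
        print(f"MOSFET DC {dc:.2f}: SPFM {m['SPFM']:.4f}  LFM {m['LFM']:.4f}  "
              f"PMHF {m['PMHF'] / FIT:.1f} FIT  -> ASIL {achieved_asil(m)}")
```

In the first iteration the 12 FIT single-point fault of the unmonitored MOSFET short dominates: SPFM is 92.8% and PMHF 19 FIT, enough for ASIL B but not C. Adding a 95% coverage mechanism leaves a 0.6 FIT residual fault, raises SPFM to 97.1% and lowers PMHF to 7.6 FIT, so ASIL C is met; ASIL D would still fail on SPFM, which tells the designer where the next iteration has to act.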
