Automotive Functional Safety


Functional safety matters for safety-critical applications in any industry where safety-critical operations must be actively monitored. The active monitors either prevent or mitigate the failures that would cause a violation of the system's safety goals. As the number of electronic systems in vehicles grows, active functional safety has become a reality through international functional safety standards such as ISO 26262 for cars and ISO 25119 for tractors. Automotive systems developed to a functional safety standard give high importance to the safety of the driver and pedestrians; the safety standards increase safety and reduce vehicle recalls.

An error in hardware or software results in a fault. A fault, or a group of faults, in a system results in a failure, which may trigger a hazard. Depending on the hazard's severity, there is a risk to system safety. The diagram below explains the relationship between error, fault, failure, hazard and risk.

[Diagram: relationship between error, fault, failure, hazard and risk]

Failures in a system are of two types: a) systematic failures and b) random hardware failures. The diagram below explains the classification of failures.

[Diagram: classification of failures]

Systematic failures are development errors and are deterministic; the risk due to systematic failures can be prevented by developing hardware and software to the correct design standards (guidelines) and by performing safety analysis and system verification. The risk due to random hardware failures can be reduced by deploying the correct active safety mechanisms (e.g. built-in tests) in the system (item).

The main objective of functional safety is to reduce the risk probability of unacceptable hazards to an acceptable level. For this, functional safety standards provide methods and guidelines for all phases and activities of the system life cycle (inception, safety goal identification, requirements specification, hardware design, software design, safety analysis, verification, installation, service and maintenance).



ISO 26262

ISO 26262 is an international functional safety standard for developing safety-critical electrical and/or electronic (E/E) systems installed in passenger cars. ISO 26262 provides automotive safety lifecycle guidelines (management, development, production, operation, service, decommissioning) that help in achieving functional safety.


ASIL

The Automotive Safety Integrity Level (ASIL) defines the acceptable failure rate of a system. ISO 26262 defines four ASILs: ASIL D (highest), ASIL C, ASIL B and ASIL A (lowest).

  • The higher the ASIL, the tougher the safety objectives and the higher the hardware target metrics
  • The higher the ASIL, the tougher the product safety requirements and the more robust the safety mechanisms
  • The higher the ASIL, the higher the rigour and the more stringent the process
  • The higher the ASIL, the lower the acceptable residual risk

ASIL   Acceptable probability of failure per operational hour
D      10^-8
C      10^-7
B      10^-7
A      NA

The ASIL is derived from the severity of the system's hazards (i.e. the effect on driver, passengers and pedestrians), the probability of exposure (i.e. occurrence) and the controllability (the possibility of control by the driver or other persons at risk).

Systems that fall into the QM (quality management) category do not have to comply with any specific objectives of ISO 26262, because the risks associated with the system are acceptable from a safety standpoint. QM systems just need to follow a quality management process.


Item definition

The item definition holds the functional requirements, non-functional requirements, environmental requirements, operating scenarios, failure modes and interfacing requirements of the item.

The item definition is an important artifact, prepared by the OEM/Tier 1, that holds the information needed to identify the hazardous events of the system and to derive the ASIL for them.


Safety Goal

A safety goal is defined for an unacceptable risk arising from a possible hazardous event.

E.g. unintended acceleration, unintended direction, unintended deactivation of the low beam. A safety goal needs to be derived for every unacceptable risk, and along with it the safety goal attributes (safe state, fault tolerance time interval, and a warning in case the system cannot enter the safe state within the expected interval) need to be derived.


Functional Safety Concept

The functional safety concept (FSC) deploys safety mechanisms that prevent the violation of a safety goal. The following safety mechanisms are used in a functional safety concept:

  • Feedback/Loop back
  • Partitioning
  • Redundancy
  • Dissimilar Hardware or Software
  • Interlocks

E.g. feedback from the previous output cycle helps the intended function to control the output drive in the current cycle.


Technical safety concept

The technical safety concept (TSC) is derived from the functional safety concept by allocating technical safety requirements to hardware and software elements, e.g.:

[Diagram: example technical safety concept]


Fault injecting testing in ISO 26262

ISO 26262 highly recommends fault injection testing for safety-critical applications. As part of fault injection testing, the tester injects faults into a component and tests whether the fault prevention, detection and mitigation mechanisms are implemented correctly.

The following fault injection techniques can be used:

Code mutation: inject additional code statements or modify an existing software component in order to:

  • Corrupt component interface (shared global data, messages and function parameters and return values)
  • Corrupt component protocol state and timing variables
  • Corrupt scheduler execution timing (e.g. Interrupts, Task over run)
  • Corrupt CPU states (e.g. Scratch registers, Stack pointers, link pointer) if possible
  • Corrupt memory access (Invalid RAM/Flash locations access)

Analyse the error propagation to other components and its effect on safety. Additional test cases can be added if a mutant is not handled by the existing test case(s).
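As an added illustration (not code from the original page or from ALTEN Global Technologies) of the fault injection approach described above and of the feedback/interlock mechanisms listed under the functional safety concept: a constructed, hypothetical torque command message protected by a range check, an alive counter and a checksum, together with a harness that mutates each interface field in turn and confirms the receiving mechanism detects the mutant and holds the safe state. All names and values are constructed for this example.

```c
#include <stdint.h>

/* Constructed example (hypothetical names): a torque command message passed
 * between two software components, protected by a range check, an alive counter
 * (feedback from the previous cycle) and an 8-bit checksum. */
typedef struct {
    uint16_t torque_request;  /* 0..1000 permille of maximum torque */
    uint8_t  alive_counter;   /* must advance by exactly 1 per cycle */
    uint8_t  checksum;        /* XOR of the bytes above */
} cmd_msg_t;

typedef enum { CMD_OK, CMD_FAULT_CHECKSUM, CMD_FAULT_RANGE, CMD_FAULT_COUNTER } cmd_status_t;

static uint8_t cmd_checksum(const cmd_msg_t *m) {
    return (uint8_t)((m->torque_request & 0xFF) ^ (m->torque_request >> 8) ^ m->alive_counter);
}

/* Receiving-side safety mechanism: a failed integrity, plausibility or sequence
 * check forces the safe state (zero torque). prev_counter is the counter of the
 * last accepted message, i.e. feedback from the previous cycle. */
cmd_status_t cmd_validate(const cmd_msg_t *m, uint8_t prev_counter, uint16_t *torque_out) {
    *torque_out = 0;                                   /* safe state unless every check passes */
    if (cmd_checksum(m) != m->checksum)                return CMD_FAULT_CHECKSUM;
    if (m->torque_request > 1000)                      return CMD_FAULT_RANGE;
    if (m->alive_counter != (uint8_t)(prev_counter + 1)) return CMD_FAULT_COUNTER;
    *torque_out = m->torque_request;
    return CMD_OK;
}

/* Fault injection harness: mutate each interface field of the shared message in
 * turn and count the mutants the mechanism detects while holding the safe state.
 * Returns -1 if the unmodified baseline message is wrongly rejected. */
int fault_injection_run(void) {
    cmd_msg_t good = { .torque_request = 350, .alive_counter = 7, .checksum = 0 };
    good.checksum = cmd_checksum(&good);
    uint16_t torque;
    int detected = 0;
    if (cmd_validate(&good, 6, &torque) != CMD_OK || torque != 350) return -1;
    cmd_msg_t m = good;                                /* mutant 1: bit flip in the payload */
    m.torque_request ^= 0x0400;
    if (cmd_validate(&m, 6, &torque) == CMD_FAULT_CHECKSUM && torque == 0) detected++;
    m = good;                                          /* mutant 2: consistent checksum, implausible value */
    m.torque_request = 1500;
    m.checksum = cmd_checksum(&m);
    if (cmd_validate(&m, 6, &torque) == CMD_FAULT_RANGE && torque == 0) detected++;

    m = good;                                          /* mutant 3: stale message replayed, counter not advanced */
    if (cmd_validate(&m, 7, &torque) == CMD_FAULT_COUNTER && torque == 0) detected++;
    return detected;                                   /* 3 when every mutant is caught */
}
```

A mutant that the mechanism accepts with a non-zero torque would be the signal to add a test case or strengthen the mechanism, which is the error propagation analysis the text describes.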


Tool qualification in ISO 26262

Tool qualification in ISO 26262 is mandatory for higher-ASIL systems if a tool falls into Tool Confidence Level 2 or 3. The Tool Confidence Level is derived from the Tool Impact (the tool's potential impact on the detection of malfunctions in the software) and the Tool error Detection level.

Tool Impact (TI):

  • TI1: If the tool can inject errors into an item, or fail to detect them

Tool error Detection (TD):

  • TD1: High degree of confidence that tool can prevent or detect the error
  • TD2: Medium degree of confidence that tool can prevent or detect the error
  • TD3: All other cases

Tool Confidence Level:

[Diagram: determination of the tool confidence level]

Example 1: The compiler and linker used to generate the target executable must be qualified, because the compiler might add unintended additional code to the target executable.

Example 2: A tool used in testing must be qualified, because the tool might fail to detect an error in the software.

Once a tool has been qualified to the highest ASIL by an authority, it can be used in any future project without additional qualification. However, it is good practice to produce a tool evaluation report for the project and to find out whether any additional tool operational requirements need to be re-qualified on the tool.


Safety validation in ISO 26262

Safety validation checks that the safety goals and the functional safety concept are correct, complete and fit for the functional safety of the item under development. Safety validation can be done through testing (similar to vehicle-level testing), analysis (FMEA, FTA, ETA, simulation) and reviews.


Key features of ALTEN Global Technologies developed telematic gateway ECU:

  • Fully automotive grade components used in the design
  • Power supply: 12/24V, protection for load dump, reverse supply
  • I/O: Digital inputs and outputs with protection, Analog inputs, Frequency inputs
  • Interfaces: UART, RS-485, Ethernet, CAN, LIN
  • Sensors: GNSS, LTE CAT4 Modem, Bluetooth, Wi-Fi, Accelerometer, Gyroscope
  • Processing: Vehicle interface processor, Application processor
  • Memory: EEPROM, eMMC, DDR2
  • Emergency: SOS and breakdown switch interface

  • SIM: eSIM, Plastic SIM
  • Antenna: GNSS, LTE with diversity, BLE, Bluetooth, Wi-Fi
  • Internal Backup Battery: 4-hour backup
  • Connector: Main 48-pin
  • Firmware: Bare metal and open source Linux
  • Security: Secure Boot, Secure key storage, Secure communication, Secure Digitally signed certificates
  • Tamper Detection
  • Secure over the air upgrade (COTA, FOTA and DFOTAA)

Key features of ALTEN Global Technologies Vehicle tracking ECU:

  • Fully automotive grade components used in the design
  • Supports NiMH chemistry for internal battery backup
  • Provision for both internal and external antenna for GPS/IRNSS/GSM
  • GSM modem supports upgradeability from 2G to 4G in the same footprint
  • Interfaces: CAN, UART
  • Sensors: GNSS, Accelerometer, Gyroscope

  • I/O: Digital inputs and outputs with protection, Analog inputs
  • Tamper Detection
  • Secure over the air upgrade (COTA, FOTA and DFOTAA)
  • Firmware developed on bare metal
  • Message protocol complies to the AIS-140 specification*
  • *AIS-140 is a government of India regulation that specifies the requirements for vehicle tracking units installed in public transport vehicles in India

Key features of ALTEN Global Technologies Fleet management system (Mobile and Web application):

  • Fleet Administration
  • Vehicle Grouping
  • User Account Management (Multiple Roles)
  • Driver Management
  • Alerts (Harsh Braking Alert, Harsh Cornering Alert, Harsh speed Alert, Safety Alerts, Security Alerts, Tamper Alerts, Geofence Alerts, Towing Alerts, Crash Alerts, Excessive Idling Alerts, Warranty Alerts, Driver Alerts, Maintenance Alerts)
  • Fleet Level Reports

  • Charts and Visual Reports
  • Predictive Maintenance (Reminders)
  • Routes and Trip Management
  • Report Automation
  • SMS and Email
  • FCM Push Notifications

Functional Safety analysis in ISO 26262

Failures are of two types: systematic failures and random hardware failures. Systematic failures are deterministic and come from problems in the design, so design failure mode and effects analysis helps to eliminate design failures in the system, whereas random hardware failures are non-deterministic, so hardware FMEDA analysis helps to add additional safety mechanisms that improve the controllability of the failure.

ISO 26262 recommends the following safety analyses:

  • System design FMEA: Analyse and check that the system design meets the system safety requirements.
  • Hardware FMEA: Evaluation of the hardware architectural metrics (SPFM - single point fault metric, LFM - latent fault metric).
  • Hardware FMEDA: Evaluation of the probability of a safety goal violation due to random hardware failures (PMHF).
  • Software design FMEA: Analyse and check the effectiveness of the safety mechanisms.
  • Software dependent failure analysis: Analyse and check freedom from interference and the interdependencies between the software components.

Confirmation measures in ISO 26262

Confirmation measures are an important activity that ensures the project work products comply with the ISO 26262 objectives. The following confirmation measures are required by ISO 26262:

Confirmation review
  Objective: Evaluates the compliance of project work products with ISO 26262 requirements, i.e. checks correctness with respect to formality, contents, adequacy and completeness regarding the requirements of ISO 26262.
  Work product: Confirmation review report
  Remarks: Selected work products (as per ISO 26262) undergo confirmation review.
  Applicable ASIL: A, B, C, D

Functional safety audit
  Objective: Evaluates that the item implementation process is in accordance with the process specified in the safety plan.
  Work product: Functional safety audit report
  Applicable ASIL: (B), C, D

Functional safety assessment
  Objective: Evaluates that the functional safety of the item is achieved as specified in the item definition; checks the following:
    1. Compliance of work products with ISO 26262 (including the work products not covered in the confirmation review)
    2. Functional safety process
    3. Effectiveness of the implemented safety measures
    4. Recommendations from the previous functional safety assessment
  Work product: Functional safety assessment report
  Remarks: Confirmation reviews and functional safety audits can be combined with the functional safety assessment report.
  Applicable ASIL: (B), C, D

Safety case in ISO 26262

The safety case is a work product in ISO 26262; it contains the list of work products produced in the safety lifecycle. The safety case is a living document that needs to be produced for the confirmation review; once the confirmation review has accepted the final safety case, it needs to be submitted for the functional safety assessment.


Stakeholders' responsibilities in achieving ISO 26262 functional safety compliance

All stakeholders of the system must perform their activities in order to achieve ISO 26262 functional safety. ISO 26262 Part 2 activities (safety plan, safety culture, DIA, safety case, etc.) are the responsibility of all three stakeholders (OEM, Tier 1 and Tier 2). ISO 26262 Part 3 activities (item definition, safety goals, ASIL derivation, hazard analysis and risk assessment, etc.) are the OEM's responsibility. ISO 26262 Part 4 activities (system design, technical safety concept, system testing, etc.) are the Tier 1's responsibility. ISO 26262 Part 5 and Part 6 activities (hardware and software safety requirements, HW and SW design, verification, etc.) are the Tier 2's responsibility. ISO 26262 Part 9 activities (system design FMEA, hardware FMEDA, software design FMEA and software dependent failure analysis) are the responsibility of Tier 1 and Tier 2.

Automotive functional safety standards


Avionics domain functional safety standards:

  • ARP 4754A : This standard provides guidelines for development of civil aircraft systems.
  • ARP 4761 : This standard provides guidelines and methods for safety assessment for certification of civil aircraft
  • DO 254 : This standard provides guidelines for development of airborne electronic hardware.
  • DO 178C: This standard provides guidelines for production of software for airborne systems.


Automotive domain functional safety standards:

  • ISO 26262: This standard provides guidelines for the management, development, verification, production and service of electrical and/or electronic (E/E) systems within road vehicles.
  • ISO 25119: This standard provides guidelines for the design and verification of electrical and/or electronic (E/E) systems in tractors for agriculture and forestry.


The below diagram explains the relation between the standards:

[Diagram: relationship between the standards]

ALTEN Global Technologies Services in Automotive Functional Safety

ALTEN Global Technologies has vast experience with functional safety in both the avionics and automotive domains. ALTEN Global Technologies has designed and developed functional safety systems and passed functional safety audits; our rich experience with safety audits has served our customers very well.




ALTEN Global Technologies provides the following services in Automotive functional safety:

  • Safety plans preparation
  • Support in defining an item, safety goals, hazard analysis and risk assessment
  • Prepare Functional safety concept and Technical safety concept
  • Item integration testing
  • Hardware and Software development and verification
  • Safety analysis
    • System design FMEA
    • Hardware FMEDA
    • Software design FMEA
    • Software dependent failure analysis (DFA)
  • Unit testing, Software integration testing, Fault injection testing
  • Structural coverage testing
  • Tool qualification
  • Component qualification
  • Support in confirmation measures (review, audit and measurement)