A Viewpoint by Wessam Moussa, Amaris Consulting Alumni.
The combination of electronic devices and safety in cars
The last 20 years have seen an exponential growth of Electronic Control Units (ECUs) and software controls in automobiles. Today, it is estimated that a modern vehicle contains around 150 ECUs responsible for different functionalities. These functionalities include comfort features, active safety, and even autonomy.
The industry’s shift from mechanical components to electrical controls adds more complexity to software in particular. For example, electrification efforts require electric motor controls and battery management software to monitor complex functions.
Although not all functionalities are created to improve passengers’ safety, electronics and software must be developed safely, which means that components are built to prevent any malfunction that can cause any harm to passengers and the environment.
Even an element as simple as the power windows, designed for passengers’ comfort, presents risks related to the malfunction of the control system. For example, consider closing the windows when a passenger’s arm is in the way. Closing the window can lead to physical injury if the power window sensors fail. Therefore, for the system to be functionally safe, there must be a way to detect the sensor malfunction and prevent force from being applied when it can be harmful.
What is Functional Safety?
Functional safety attempts to eliminate unreasonable risks and mitigate the remaining threat to prevent physical injury as much as possible. Hazard Based Safety Engineering (HBSE) uses Safety Integrity Levels (SILs) to measure the associated risk and highlight the necessary risk management procedures. The SIL is defined as a function of the expected severity (number and scale of injuries), exposure (probability of this situation occurring) and controllability (how the driver can avoid this risk).
The role of ISO 26262 in Functional Safety
The International Organization for Standardization introduced ISO 26262 in 2011 as a reference for risk management and mitigation of electronic control systems in vehicles. The standard was developed from the general IEC 61508 and adapted to the specific recommendations of the automotive sector. Both standards are based on HBSE technology.
The goal of the standard is to define measures to ensure safety throughout system development, testing, production and decommissioning. Thus, it is both a process model and a project-specific guideline for action.
ISO 26262 is a growing trend in the automotive industry; almost all Original Equipment Manufacturers (OEMs) apply the standard’s principles and certify their features and products to some extent. In addition, Tier 1 and Tier 2 automotive parts suppliers are also following the upward trend to keep up with the OEMs. Also, software tools commonly used for embedded software development are being certified.
Implementing ISO 26262
ISO 26262 best practices at the process level follow a similar structure to ASPICE (Automotive Software Performance Improvement and Capability determination). The difference is that the goal of ISO 26262 is not process evaluation. However, since OEMs and suppliers have widely used ASPICE at the organization level, adopting ISO 26262 for project development from a process perspective has been simplified.
The project-specific part of ISO 26262 cannot be applied without first determining the Automotive SIL (ASIL) of the different system functionalities.
A single system can have multiple functionalities or safety objectives with different SILs; this adds complexity at the software design level. These functionalities need to be adequately separated both spatially and temporally.
The higher the SIL of a system, the less tolerant it is of hardware failures, which means that random electronic losses must be quantified. Although the standard provides a metric to measure the suitability of the hardware design to the SIL, the choice of appropriate elements and the overall design of integrated components need to be considered.
Some notions need to be applied to the hardware design to allow redundancies, source diversity, and electronic safety mechanisms. This is a challenging obstacle for legacy systems or procedures built before the ISO 26262 safety planning, as the need to redesign hardware may become noticeable once failure rates are calculated.
ISO 26262 in the era of autonomous vehicles
ISO 26262 provides a reference for developing traditional electronic systems and is a comprehensive guide for hardware and software systems. However, as the race towards autonomous vehicles continues, standard software has been replaced by more “intelligent” systems.
Currently, machine learning is rapidly making its way into the field of safety-critical applications within the scope of the ISO 26262 standard. Examples include computer vision systems or trajectory planning for autonomous driving (AD). The advantage of machine-learned models is their applicability, through data, to inherently complex problems that are poorly understood.
Unfortunately, this advantage is often accompanied by a black-box character and high complexity of the final model in use, which makes conventional security assurance methods insufficient or inapplicable.
Consequently, the use of deep learning algorithms requires the adaptation of the ISO 26262 standard process. Currently, there is ongoing research to adapt ISO 26262 to the needs of the autonomy market.
ISO 21448 – A new standard
The ISO 21448 or SOTIF (Safety of The Intended Functionality) standard was developed in 2019 to address the concerns mentioned above. The standard guides the functional design, verification, and validation measures required to achieve SOTIF and complements the safety mechanisms covered by the ISO 26262 series.
SOTIF will be applied to anticipated functionalities where adequate situational recognition is fundamental to safety and where that situational awareness is derived from complex sensors and processing algorithms; especially emergency intervention systems (e.g. emergency braking systems) and Advanced Driver Assistance Systems (ADAS) with levels 1 and 2 in the OICA/SAE J3016 automation scales.
This edition of the document can be considered for higher levels of automation, although additional measures may be necessary. Some of the actions described in this standard apply to innovative functions of such systems if situational awareness derived from complex sensors and processing algorithms is part of the innovation.
While ISO 26262 is currently the leading standard for automotive electronic system safety and an excellent benchmark for industry best practices, it simply cannot keep pace with the evolution of machine learning or artificial intelligence and needs to be combined with other standards such as SOTIF and cybersecurity methodologies to ensure safety without compromising driving comfort.