Background

There is an ever-widening range of automotive electrical and/or electronic (E/E/PE) systems such as adaptive driver assistance systems, anti-lock braking systems, steering and airbags. Their increasing levels of integration and connectivity provide almost as many challenges as their proliferation, with non-critical systems such as entertainment systems sharing the same communications infrastructure as steering, braking and control systems. The net result is a necessity for exacting functional safety development processes, from requirements specification, design, implementation, integration, verification and validation, through to configuration.

ISO 26262 “Road vehicles – Functional safety” was updated in 2018, having first been published in 2011 in response to this explosion in automotive E/E/PE system complexity and the associated risks to public safety. Like the rail, medical device and process industries before it, the automotive sector based its functional safety standard on the (largely) industry-agnostic functional safety standard IEC 61508 which, in turn, drew heavily from the guiding principles of aerospace standards such as DO-178B/C. The net result is that proven tools are available to help with the implementation of ISO 26262 which are longer established than the standard itself.

Automotive Safety Integrity Levels (ASILs)

Like DO-178B/C and IEC 61508 before it, ISO 26262 specifies a number of hazard classification levels, in this case known as ASILs (Automotive Safety Integrity Levels). ASILs range from A to D, where ASIL D represents the most hazardous and hence the most demanding level.

ASILs are assigned as properties of each individual safety function at the item level, where an item is defined as a “system or combination of systems, to which ISO 26262 is applied, that implements a function or part of a function at the vehicle level”.
The assigned ASIL for a safety function in a safety-related system is dictated by the properties of associated hazardous events (figure 1).
ISO 26262 supports the decomposition of Functional Safety Requirements (FSRs) in a process often known as “ASIL decomposition”, which can help to reduce cost and effort. ASIL decomposition is typically performed manually and must result in redundant safety requirements allocated to design elements of sufficient technical independence.
Figure 1: Decomposition of the different ASIL ratings throughout the item can occur over different systems, elements and components
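The two mechanisms described above, ASIL assignment from the properties of a hazardous event and the subsequent decomposition of a requirement into redundant lower-ASIL requirements, can be made concrete in a small checker. The following is an added example, not code from the original article or from any tool vendor: the S/E/C lookup is the ASIL determination table of ISO 26262-3 and the permitted decomposition pairs are those of ISO 26262-9, while the hazard records, element names and the simple "different element" independence check are constructed illustrations (the standard's dependent failure analysis is a manual engineering activity, not a string comparison).

```python
"""ASIL determination and ASIL decomposition checks (added example).

The S/E/C table below is ISO 26262-3's ASIL determination table and the
permitted decomposition pairs are those of ISO 26262-9. Hazard records and
element identifiers are constructed sample data.
"""

ASIL_ORDER = ["QM", "A", "B", "C", "D"]

# Severity S1..S3 and Exposure E1..E4 select a row; the three entries in the
# row are the ASILs for Controllability C1, C2, C3. (S0, E0 or C0 means the
# event needs no ASIL, i.e. QM.)
_SEC_TABLE = {
    (1, 1): "QM QM QM", (1, 2): "QM QM QM", (1, 3): "QM QM A",  (1, 4): "QM A B",
    (2, 1): "QM QM QM", (2, 2): "QM QM A",  (2, 3): "QM A B",   (2, 4): "A B C",
    (3, 1): "QM QM A",  (3, 2): "QM A B",   (3, 3): "A B C",    (3, 4): "B C D",
}


def determine_asil(severity, exposure, controllability):
    """Return 'QM' or 'A'..'D' for a hazardous event classified as S/E/C."""
    if severity == 0 or exposure == 0 or controllability == 0:
        return "QM"
    if not (1 <= severity <= 3 and 1 <= exposure <= 4 and 1 <= controllability <= 3):
        raise ValueError("S must be 0..3, E 0..4 and C 0..3")
    return _SEC_TABLE[(severity, exposure)].split()[controllability - 1]


# Permitted decompositions of one requirement into two redundant ones.
# Each decomposed requirement keeps the original ASIL in brackets, e.g. B(D).
_DECOMPOSITIONS = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}


def check_decomposition(original, part1, part2):
    """Validate a proposed decomposition of `original` into two requirements.

    part1 and part2 are (asil, element_id) tuples. Returns (ok, reason).
    The two requirements must be allocated to different design elements;
    this stands in for the independence argument the standard requires.
    """
    a1, e1 = part1
    a2, e2 = part2
    # Order the pair highest ASIL first so it matches the table entries.
    pair = tuple(sorted((a1, a2), key=ASIL_ORDER.index, reverse=True))
    if pair not in _DECOMPOSITIONS.get(original, set()):
        return False, f"{original} may not be decomposed into {a1}({original}) + {a2}({original})"
    if e1 == e2:
        return False, f"both requirements allocated to element '{e1}'; independence required"
    return True, f"{original} -> {a1}({original}) on {e1} + {a2}({original}) on {e2}"


def classify_hazards(records):
    """Assign an ASIL to each (name, S, E, C) hazard record (constructed input)."""
    return [(name, determine_asil(s, e, c)) for name, s, e, c in records]


if __name__ == "__main__":
    # Constructed sample hazards, not from any real HARA.
    sample = [
        ("unintended full braking at speed", 3, 4, 3),
        ("loss of infotainment display", 1, 4, 1),
        ("airbag fails to deploy", 3, 2, 3),
    ]
    for name, asil in classify_hazards(sample):
        print(f"{name}: ASIL {asil}")
    for case in [("D", ("B", "brake_ecu"), ("B", "monitor_ecu")),
                 ("D", ("C", "brake_ecu"), ("A", "brake_ecu")),
                 ("C", ("C", "ecu_1"), ("C", "ecu_2"))]:
        ok, reason = check_decomposition(*case)
        print("OK " if ok else "REJECT", reason)
```

Run as a script it prints the ASIL of each constructed hazard and accepts or rejects the three sample decompositions; the second is rejected because both halves land on the same element, the third because ASIL C may not be split into C + C.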
Changes to ISO 26262 second edition

The latest revision to the ISO 26262 standard reflects industry feedback and updates based on advances in technology since the standard was originally published. Restructured to provide more detailed objectives and extensions to the overall vocabulary, notable software-related additions to the standard include:

• object oriented confirmation measures
• management of safety anomalies
• references to cyber-security
• additional guidance on dependent failure analysis
• guidance on fault tolerance, safety-related special characteristics, and software tools
• guidance for model-based development and software safety analysis

In addition, two completely new parts were added to the standard: ISO 26262-11, which relates to semiconductors, and ISO 26262-12, which relates to motorcycles. ISO 26262 second edition therefore consists of 12 parts, with three focused on product development: system level (Part 4), hardware level (Part 5), and software level (Part 6). Part 6 provides detailed industry-specific guidelines for the production of all software for automotive systems and equipment, whether it is safety critical or not.

This second edition identifies channels of communication between functional safety and cybersecurity at both the functional safety management level and the product development system level. Such an approach provides a useful interface to the recommendations outlined in the current SAE J3061 “Cybersecurity Guidebook for Cyber-Physical Vehicle Systems” and the proposed ISO/SAE 21434 “Road vehicles – Cybersecurity engineering”. ISO 26262-2:2018 Annex E “Guidance on potential interaction of functional safety with cybersecurity” further discusses “the possible interactions between the activities of functional safety and cybersecurity”.