entr
entr

What is Functional Safety (ISO26262)?

Before starting to talk about functional safety, it is essential to clarify some basic concepts. At this point comes the words safety and security in mind. I have observed in Turkey that these words are used in different contexts. However, I do not agree with this differentiation. For me safety and security have a common meaning: the state of being safe and a secure environment. They include and encompass each other. In short, we can call it both functional security and functional safety in Turkish without any loss in the meaning.

However, in order to understand “functional safety,” we need to focus on the differences between security and safety. Safety means to be inherently safe, while security means to be made secure from external dangers.

What is the Difference Between Security and Safety?

Imagine this: you have had an accident with your car. What would you do in such a situation? You would take safety/security precautions to bring yourself and the other vehicles into safety. You would wear a reflective safety vest, you would set up a warning sign at a 50 meters distance from your car and you would inform the police. So far what you have done is called “Security.” It means to take the necessary measures to maket he environment secure for yourself and the other vehicles (i.e. other drivers may not see you and crash your car). Safety implies making the system itself safe against the environmental risks caused by an inherent error.

 Security means the measures that are taken against an external danger, while safety are the measures against the risks caused by an inherent error within the system.

Electrical and Electronic Devices, Systems and Security

As consumers we expect a newly bought device, such as a cell phone or a TV, to function perfectly, not to break down and not to pose any risk sor dangers to us or our environment. This expectation is so natural that we are schocked when we encounter a break down or a risk. Let’s take the notorious exploding cellphone, Samsung’s Galaxy Note 7 Galacan example. The phone unexpectedly overheated and burnt. Eventually Samsung had to remove 2.5 million phones from the market and lost 5.3 billion dollars in stock value. This model was even banned from all airline flight because of the possible risks. Samsung disclosed that the problem occured because there wasn’t sufficient room around the heat-protective layer of the battery. One incident sufficed to discredit the biggest cellphone producer in the World and changed the entire company culture.

Turkish Airlines banned Samsung Galaxy Note 7 in 2016.
 In 2016 Turkish Airlines banned Samsung Galaxy Note 7 phones from all flights due to security risks. (Dear Passengers, Samsung galaxy Note 7 devices can no longer be transported on person, in carry-on baggage, in checked bags or as air Cargo on all Turkish airline flights due to the security threats they pose.)

Almanya ve Avrupa’da tüm ürünler, çalışma ekipmanları ve görüntülenmesi gereken sistemler Product Safety Act’a göre üretilmek zorundadır. Buna EU tarafından hazırlanan European Directive 2001/95/EC temel teşkil eder. Her üye ülke kendi diline çevirmiştir. Bu normlara göre son tüketici için üretilmiş her ürün güvenli olmak zorundadır. Bu demektir ki her ürün öyle bir geliştirilmeli ve üretilmeli ki kullanıcıların sağlığını ve güvenliğini tehlikeye atmamalıdır.


Functional Safety (ISO26262)

Functional Safety (ISO26262) is the adaptation of  IEC 61508, which is defined for all programmable electrical and electronic devices, for the automative industry. In its simplest form ISO26262 defines the necessary safety measures when developing critical mechanisms at the system. It enables a safety lifecycle while developing electrical and electronical systems installed in road vehicles.

The goal is to avoid unreasonable risks if possible, and if it is not possible at least to minimize them.

Actually it is all about demand… When we compare the first cars in the history with the ones that are produced now, the mechanism of the old automobiles would be closer to bicycles than cars.  If  Gottlieb Daimler and Wilhelm Maybach were  teleported to our age and could see the systems that are defined as ‘standard’ today, they would be shocked. The great complexity brings great risks with it. Safety  was once regarded as a research topic for mechanical engineering, but today it is considered as the main theme for the electrical and electronical systems that involve software.

Electronic Control Units of the vehicle
Our vehicles that have almost 150 ECUs take thousands of adaptive decisions in milliseconds without us knowing.
Benz Patent-Motorwagen
The first automobile in history: Benz Patent-Motorwagen

How to Ensure Safety?

As I have mentioned above, a safe product is directly related to the safety of the user and the people around the user. However, a product can never be 100% safe. The risk it poses can only be reduced to an reasonable level. ISO26262 uses a risk-based approach to determine potential risks. OEMs use this method during Hazard Analysis and Risk Assessment.

There are three event classifications in this process.

1. Severity (Severity of Injuries): What is the extent of harm that may be caused to the driver or other people?

S0: No injuries

S1: Light ot moderate injuries

S2: Severe to life-threatening injuries (survival probable)

S3: Life-threatening (survival uncertain) to fatal injuries

Sample Case: Failure to negotiate bends and run-off road collision

2. Exposure: The likelihood of the conditions under which a particular failure would result in a safety hazard.

E0 – Incredibly unlikely

E1 – Very low probability: Can happen for most drivers once or a couple of times a year.

E2 – Low probability: Can happen for most drivers a few times a year -> less than 1% of average drive time

Sample Case: Driving backwards

E3 – Medium Probability: Can happen at least once or a couple of times a month for an average driver -> Between 1% and 10 % of average drive time

E4 – High probability: Can happen almost every time an average driver uses his car -> more than 10 % of average drive time

Sample Case: Driver brakes

3. Controllability: How far can that harm avoided by the driver or the other passangers when a hazardous situations occurs?

C0 – The harm is controllable in general through the intervention of the driver or the passengers: 100% effective actions can be taken in each situation.

C1 – Simply controllable by the driver: 99% of the drivers or the passengers can act to prevent the potential harm or injuries.

Sample Case: Air conditioner blowing cool air instead of warm air.

C2 – Normally Controllable: 90% of the drivers or the passengers can act to prevent potential harm or injuries.

C3 – Difficult to control or uncontrollable: 90% or less than 90% of the drivers and passengers can take actions to prevent the potential harm or injuries.

Sample Case: Steering wheel is locked

ASIL (Automotive Safety Integrity Level) is determined by these three factors.

ASIL Determination
ASIL is determined by three factors — severity, exposure, and controllability.

As you can see in this table, we make the ASIL determination to be able to measure the extent of the safety risk for every probable dangerous scenario by assessing how severe is the danger, how probable it is and how far it can be controlled. That forms HARA assesment. We decide on safety goals based on the HARA results and each safety goal has a ASIL values derived from HARA. Our goal is to eliminate the unreasonable risks if possible. If not, we try to minimize them. How to we achieve that? We comeup with safety goals. Which precautions should be taken to reach those goals? Which system components are responsible for thses? Which sofware components are responsible? The final step is to write the functional safety needs.

QM: It means that the risk associated with a hazardous event is not unreasonable or there is no safety risk at all. Therefore, standard quality management is sufficient fort he function and the signals.    

ASIL A, is the lowest risk classification.

ASIL D is the highest risk classification. In each ASIL classification from ASIL A to D the number of methods that you need to apply and the number of tests you need to perform will increase and therefore it will take more time.

You can read my article on HARA explained through the front mirror here.

M.Eng.Can Acar

Autonom – Engineering Manager

Functional Safety Engineer (TÜV Rheinland)

# 21401 / 21


References

Functional Safety Essentials ISO26262 — at a glance, Dr. Roland Sadler, Dirk Dürholz, Kugler Maag CIE

Functional Safety for Road Vehicles: New Challenges and Solutions for E-mobility and Automated Driving, Hans-Leo Ross, Springer