PREPARING THE FUTURE FOR FUNCTIONAL SAFETY OF AUTOMOTIVE E/E-SYSTEMS

In contrast to other industries like aviation, rail or process industry, the topic of functional safety has only started to be discussed in detail a few years ago within the automotive industry...

Nevertheless, the development of new safety systems within [the] automotive industry like active safety systems, driver assistance systems and currently the electrification of the powertrain leads to new functionality which is mainly based on E/E-Systems. Failures in these systems may also have an impact on vehicle safety, as the competence of these systems is growing.

Schwartz, J and Buechl, J
US NHTSA


Verification of Compliance with the ISO 26262 Functional Safety Standard

The underlying intent of verification is to ensure that components, subsystems and entire vehicles conform to their specification, and the overriding concern at the specification level should be safety. The automotive industry, however, was slow to standardize an approach to safety compared with the aerospace, industrial-controls and medical-device industries. After a considerable gestation period, ISO 26262 Road Vehicles - Functional Safety was published in 2011 under the auspices of the International Organization for Standardization (ISO).

This standard was derived from an earlier, industry-independent standard published by the International Electrotechnical Commission (IEC): IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES).

ISO 26262 adds rigour to the analysis of hazards caused by the malfunctioning of electrical and electronic safety-related systems, including their software. Each hazard is classified by the severity of its likely outcome, the probability of exposure to the operating situation in which it arises, and its controllability by the driver. The resulting Automotive Safety Integrity Level (ASIL A to D, D being the most stringent) determines the measures that must be put in place to mitigate that risk. The standard, notably, does not address the nominal performance required of active safety systems; its concern is their malfunctioning behaviour. One approach to applying functional safety is to add a monitoring capability to those systems requiring risk mitigation. Monitors check the outputs of components, subsystems and systems to determine whether they are valid, that is, consistent with the inputs and the expected states of the system being monitored.

This necessarily raises the bar for verification. Not only must the monitored unit (which is critical enough to need a monitor checking its function) be tested exhaustively; the monitor itself must be tested exhaustively too, as must the interaction between the unit and its monitor. The verification of a unit and its paired monitor should be performed before physical implementation. Exhaustive verification typically exposes fundamental problems in control-system design, and modelling the unit and its monitor allows extensive, low-cost, iterative empirical investigation and verification, with any resulting redesign, before anything is built. A model-based design process is therefore what makes it economically feasible to assure the overall safety of a vehicle.
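The unit-plus-monitor arrangement described in the two paragraphs above, and the exhaustive model-level check of both, can be made concrete with a small simulation. The following is an added illustration written for this page; it is not ESSE Workbench code and not part of the original article. The controller, the monitor's plausibility rules, the signal ranges and the three fault models are all assumptions chosen for the example. It sweeps the whole discretised input space once with the nominal unit (the monitor must never trip, i.e. no false positives) and once per injected fault (the monitor must trip at least once, i.e. the fault is detectable), which is exactly the pair of properties the interaction between a unit and its monitor has to satisfy.

```python
"""Model-level verification of a control unit and its paired safety monitor.

Added example (not ESSE's code): a toy torque-request controller, an
independent plausibility monitor, and an exhaustive sweep of a discretised
input space covering both the nominal design and fault-injected variants.
Ranges, thresholds and fault models are assumptions made for illustration.
"""
from itertools import product

# Assumed operating envelope, discretised so that the sweep is exhaustive.
PEDAL_STEPS = range(0, 101, 5)      # accelerator pedal position, percent
SPEED_STEPS = range(0, 201, 10)     # vehicle speed, km/h
BRAKE_STATES = (False, True)        # brake pedal pressed?
MAX_TORQUE_NM = 300                 # assumed motor limit


def torque_request(pedal_pct, speed_kmh, brake):
    """Unit under verification: maps driver inputs to a torque request.

    Nominal behaviour: brake overrides the accelerator; torque tapers
    linearly to zero between 150 and 200 km/h.
    """
    if brake:
        return 0
    base = MAX_TORQUE_NM * pedal_pct / 100
    if speed_kmh > 150:
        base *= (200 - speed_kmh) / 50
    return int(base)


def monitor(pedal_pct, speed_kmh, brake, torque_nm):
    """Paired monitor: derives an envelope from the same inputs and returns
    the list of violated properties (empty means the output is plausible).

    It deliberately does not call torque_request(); a monitor that shares
    the unit's logic would share its faults.
    """
    findings = []
    if torque_nm < 0 or torque_nm > MAX_TORQUE_NM:
        findings.append("range")
    if brake and torque_nm > 0:
        findings.append("brake_override")
    if pedal_pct == 0 and torque_nm > 0:
        findings.append("torque_without_demand")
    # Upper bound proportional to demand, with a 10 % tolerance plus 1 Nm
    # so that integer rounding in the unit never causes a false positive.
    if torque_nm > MAX_TORQUE_NM * pedal_pct / 100 * 1.1 + 1:
        findings.append("exceeds_demand")
    return findings


# Constructed fault models of the unit, injected at model level.
FAULT_MODELS = {
    "stuck_at_max": lambda p, s, b: MAX_TORQUE_NM,
    "ignores_brake": lambda p, s, b: torque_request(p, s, False),
    "bit_flip_bit7": lambda p, s, b: torque_request(p, s, b) ^ 0x80,
}


def sweep(unit):
    """Run unit + monitor over the whole discretised input space.

    Returns (cases, trips); trips lists (inputs, output, findings) for
    every input vector on which the monitor flagged the output.
    """
    trips = []
    cases = 0
    for p, s, b in product(PEDAL_STEPS, SPEED_STEPS, BRAKE_STATES):
        cases += 1
        t = unit(p, s, b)
        f = monitor(p, s, b, t)
        if f:
            trips.append(((p, s, b), t, f))
    return cases, trips


def verify():
    """Property 1: the nominal unit never trips the monitor (no false positives).
    Property 2: every fault model trips it on at least one input (detectable).

    Returns a dict keyed by 'nominal' and each fault name.
    """
    results = {}
    cases, trips = sweep(torque_request)
    results["nominal"] = {"cases": cases, "trips": len(trips), "detected": bool(trips)}
    for name, faulty in FAULT_MODELS.items():
        cases, trips = sweep(faulty)
        results[name] = {"cases": cases, "trips": len(trips), "detected": bool(trips)}
    return results


if __name__ == "__main__":
    for name, r in verify().items():
        print(f"{name:14s} cases={r['cases']:4d} trips={r['trips']:4d} detected={r['detected']}")
```

Two design points are worth noting. The monitor must be independent of the unit it watches: if it recomputed the same formula, a fault in that formula would be invisible to it, which is why it is built from separate properties (range, brake override, no torque without demand, proportionality to demand). And the tolerance in the proportionality check is there for the first property, absence of false positives; a monitor that trips on valid behaviour is a safety problem in its own right, and the exhaustive nominal sweep is how that is demonstrated at the model level before anything is built.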

Optimization can lead to design simplicity and simple systems require less verification

Although optimization is not itself part of the verification process, modelling and simulation allow the design space of the unit and its paired monitor to be explored so that the best of the candidate configurations is chosen for physical implementation. If design simplicity is one of the objective functions of that optimization, and it can be measured quantitatively, optimization can reduce complexity considerably. Simple systems are inherently easier to make safe, and simple systems require less verification.

ESSE Model-based design, development and verification reduces the number of physical mule vehicles – reduces costs and recalls, improves vehicle quality and reliability

The ESSE Systems Workbench provides the modelling, optimization and simulation capability needed to build and verify single units (software + ECU + plant), single units with paired monitors, subsystems combining monitored and unmonitored units, and full vehicle models composed of such subsystems. Finally, it enables thorough verification and validation of entire vehicles incorporating monitored and unmonitored subsystems. Such models may be regarded as high-fidelity virtual mule vehicles that are exhaustively tested before any physical engineering is committed to. It is expected that between 20% and 50% of physical mule vehicles could be replaced by virtual mule vehicles for each new or updated vehicle make and model. The expected saving is approximately US$250,000-US$300,000 per physical mule vehicle not built, i.e. US$5m-US$15m for a typical run of 100 mule cars.
