What Is Automotive Functional Safety?
Automotive functional safety is the implementation of protective measures to eliminate or mitigate hazards caused by the failure or unintended behavior of a vehicle-level system.
The ISO 26262 standard provides automotive manufacturers and their suppliers with best practices to help ensure that functional safety is achieved at every step of product design.
Evaluating risk
The first step of an automotive functional safety program is identifying and evaluating potential hazards through a Hazard Analysis and Risk Assessment (HARA). Typically, it is OEMs’ responsibility to conduct HARAs on vehicle-level features to identify potential hazards and hazard scenarios and to determine the risk reduction level required for each potential hazard identified. HARAs take into account the frequency and duration of exposure to a potential hazardous situation during a particular driving scenario, the amount of control needed to correct for the malfunctioning behavior to mitigate the potential hazard, and the severity of the potential consequences should the malfunctioning behavior occur.
HARAs are conducted on features at the vehicle level, not at the component or element level. For each potential hazard, a number of potential driving scenarios are considered. For example, in a forward collision mitigation system, the potential hazard of undesired braking would be assessed with respect to different driving scenarios, such as operating speed and driving conditions. When an OEM provides a supplier with a HARA, the supplier recommends amendments if it identifies additional hazards or potential worst-case scenarios.
Assigning a risk reduction level
During the HARA, the OEM assigns each identified potential hazard an Automotive Safety Integrity Level (ASIL) rating. The ASIL rating indicates the amount of risk reduction needed to increase confidence that the feature will operate in a safe manner. If a potential hazard is not safety-related, the HARA will yield a QM rating, indicating that it is considered a quality management issue only and is covered under the supplier’s quality management process. The lowest rating is ASIL-A (i.e., the least amount of risk reduction is required) and the highest is ASIL-D (i.e., the highest amount of risk reduction is required).
For example, if a vehicle’s speed indicator fails when the vehicle is started in the morning and shows no information at all (i.e., it is set to zero all the time), the scenario could be classified as QM, because the driver could easily perceive the failure and choose to have the car towed to a mechanic or drive more cautiously. In other words, the controllability of the scenario is very high and the severity is low. In contrast, a scenario where the driver’s brakes fail at high speed could be classified as ASIL-D if the vehicle becomes uncontrollable, resulting in a high chance of someone getting badly hurt.
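The classification step described above can be made concrete. The following Python example is added here and is not code from the original article or from Aptiv: it encodes the ASIL determination table of ISO 26262-3 (severity S0-S3, exposure E0-E4, controllability C0-C3), looks up the ASIL for one driving scenario, and takes the worst case over a hazard's scenarios, which is how a hazard's safety goal gets its rating. The speedometer and brake-failure scenarios at the bottom mirror the article's two illustrations; their S/E/C classes are constructed assumptions for the example, not published ratings.

```python
"""ASIL determination from a HARA's severity, exposure and controllability classes.

Added example, not code from the original article or from Aptiv. The class
ranges (S0-S3, E0-E4, C0-C3) and the S/E/C -> ASIL mapping follow the ASIL
determination table of ISO 26262-3; the hazard scenarios at the bottom are
constructed to mirror the article's speedometer and brake-failure illustrations
and their S/E/C classes are illustrative assumptions, not published ratings.
"""
from dataclasses import dataclass
from typing import Iterable

# ISO 26262-3 ASIL determination table, indexed as ASIL_TABLE[S][E][C - 1].
# Class 0 in any dimension (S0 no injuries, E0 incredible, C0 controllable in
# general) is handled in determine_asil() and always yields QM.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"),  3: ("QM", "A", "B"),  4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"),  2: ("QM", "A", "B"),   3: ("A", "B", "C"),   4: ("B", "C", "D")},
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]  # ascending risk-reduction requirement


@dataclass(frozen=True)
class HazardScenario:
    """One row of a HARA: a vehicle-level hazard assessed in one driving situation."""
    hazard: str
    situation: str
    severity: int         # S0..S3
    exposure: int         # E0..E4
    controllability: int  # C0..C3


def determine_asil(s: int, e: int, c: int) -> str:
    """Look up the ASIL for one (S, E, C) classification."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"invalid classification S{s} E{e} C{c}")
    if s == 0 or e == 0 or c == 0:
        return "QM"
    return ASIL_TABLE[s][e][c - 1]


def hazard_asil(scenarios: Iterable[HazardScenario]) -> str:
    """The ASIL assigned to a hazard is the highest ASIL over all of its
    driving scenarios; the safety goal for that hazard inherits the rating."""
    ratings = [determine_asil(sc.severity, sc.exposure, sc.controllability)
               for sc in scenarios]
    if not ratings:
        raise ValueError("a hazard needs at least one scenario")
    return max(ratings, key=ASIL_ORDER.index)


# Constructed scenarios; the classes are illustrative assumptions.
SPEEDOMETER_SCENARIOS = [
    HazardScenario("speed indicator stuck at zero", "any driving, noticed at start-up",
                   severity=1, exposure=4, controllability=1),
]
BRAKE_SCENARIOS = [
    HazardScenario("loss of braking", "low-speed parking manoeuvre",
                   severity=1, exposure=3, controllability=2),
    HazardScenario("loss of braking", "highway speed, following traffic",
                   severity=3, exposure=4, controllability=3),
]

if __name__ == "__main__":
    for name, scs in (("speedometer", SPEEDOMETER_SCENARIOS), ("brakes", BRAKE_SCENARIOS)):
        for sc in scs:
            rating = determine_asil(sc.severity, sc.exposure, sc.controllability)
            print(f"{name:11} S{sc.severity} E{sc.exposure} C{sc.controllability} -> {rating}")
        print(f"{name:11} hazard ASIL: {hazard_asil(scs)}")
```

Note that the same hazard (loss of braking) rates QM in the parking-lot scenario and ASIL-D on the highway; the safety goal is written against the worst case, which is why a supplier reviewing an OEM's HARA looks for missing scenarios rather than only for wrong S/E/C values.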
To address these scenarios appropriately, ISO 26262 uses the ASIL rating to determine the rigor of the development steps the supplier must take and defines requirements for safety goals, including the following:
Failures in time (FIT): The FIT rate is the acceptable rate of failures for a vehicle within a given time period. The vehicle must meet the FIT rate dictated by the ASIL rating, but the OEM has the flexibility to choose the FIT rate for the underlying components within the system.
Safety concept: The safety concept (or safety strategy) determines how a failure is detected and how it should be controlled. Systems with higher ASIL ratings require a more stringent failure detection and response capability.
Safety requirements: The safety requirements dictate the appropriate response to any given failure. For example, if a sensor detects an internal safety-relevant issue, such as memory corruption, a fail-silent system might terminate communication via the controller area network within a defined amount of time in order to indicate its fault state to other systems. This is a typical safety mechanism described by safety requirements — but a fail-silent system is not always appropriate. For autonomous driving features, for example, the vehicle might employ a fail-operational system, which requires that a redundant system take over for the time necessary to bring the vehicle to a minimal risk state (e.g., safely stopped on the shoulder).
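The fail-silent mechanism in the safety-requirements item has a receiving side: a consumer that must notice, within a defined time, that the sensor has stopped talking. The following Python simulation is an added example, not code from the article or from Aptiv. It assumes a sensor that sends a status frame on CAN ID 0x123 every 10 ms carrying a 4-bit alive counter (a common CAN end-to-end protection pattern, used here as an assumption rather than any particular OEM's protocol), a safety requirement that silence be detected within three periods (30 ms), and a sensor that goes silent after detecting internal memory corruption. The monitor also treats an alive-counter skip as a fault, since a stuck or replayed message is as dangerous as a missing one.

```python
"""Receiver-side monitor for a fail-silent sensor on the CAN bus.

Added example, not code from the original article or from Aptiv. Assumptions:
the sensor sends CAN ID 0x123 every 10 ms with a 4-bit alive counter in the
low nibble of byte 0, the safety requirement is to detect absence within
three periods, and the sensor stops transmitting once it detects an internal
fault. All traces below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SENSOR_ID = 0x123
PERIOD_MS = 10
TIMEOUT_MS = 3 * PERIOD_MS  # assumed requirement: detect silence within 30 ms


@dataclass(frozen=True)
class CanFrame:
    t_ms: int      # reception timestamp in the consumer's time base
    can_id: int
    data: bytes


@dataclass
class SensorMonitor:
    """Tracks one periodic CAN message and latches a fault on timeout or
    alive-counter discontinuity. States: INIT -> OK -> FAULT (latched)."""
    expected_id: int
    last_rx_ms: Optional[int] = None
    last_alive: Optional[int] = None
    state: str = "INIT"
    events: List[Tuple[int, str]] = field(default_factory=list)

    def on_frame(self, frame: CanFrame) -> None:
        if frame.can_id != self.expected_id or self.state == "FAULT":
            return
        alive = frame.data[0] & 0x0F
        if self.last_alive is not None and alive != (self.last_alive + 1) % 16:
            self._fault(frame.t_ms, f"alive counter jump {self.last_alive}->{alive}")
            return
        self.last_alive = alive
        self.last_rx_ms = frame.t_ms
        if self.state == "INIT":
            self.state = "OK"

    def on_tick(self, now_ms: int) -> None:
        """Called from the consumer's periodic task; enforces the timeout."""
        if self.state == "OK" and now_ms - self.last_rx_ms > TIMEOUT_MS:
            self._fault(now_ms, f"no frame for {now_ms - self.last_rx_ms} ms")

    def _fault(self, t_ms: int, reason: str) -> None:
        # Latched: the consumer switches to its degraded mode and stays there
        # until a defined recovery (e.g. power cycle), not on the next good frame.
        self.state = "FAULT"
        self.events.append((t_ms, reason))


def status_frame(t_ms: int, alive: int) -> CanFrame:
    """Build a constructed sensor status frame with the alive counter in byte 0."""
    return CanFrame(t_ms, SENSOR_ID, bytes([alive & 0x0F, 0x00]))


def run_trace(frames: List[CanFrame], end_ms: int) -> Tuple[str, Optional[Tuple[int, str]]]:
    """Replay a frame trace against a monitor ticked every 1 ms.
    Returns the final state and the first fault event (time, reason), if any."""
    mon = SensorMonitor(expected_id=SENSOR_ID)
    by_time: Dict[int, List[CanFrame]] = {}
    for f in frames:
        by_time.setdefault(f.t_ms, []).append(f)
    for t in range(0, end_ms + 1):
        for f in by_time.get(t, []):
            mon.on_frame(f)
        mon.on_tick(t)
    return mon.state, (mon.events[0] if mon.events else None)


# Constructed traces.
HEALTHY_TRACE = [status_frame(t, (t // PERIOD_MS) % 16) for t in range(0, 101, PERIOD_MS)]
# Sensor detects memory corruption after its frame at 40 ms and goes silent.
SILENT_TRACE = [status_frame(t, (t // PERIOD_MS) % 16) for t in range(0, 41, PERIOD_MS)]
# Sensor keeps sending but the alive counter skips from 1 to 3 (e.g. a dropped
# or replayed frame), which the monitor must also refuse to trust.
SKIP_TRACE = [status_frame(0, 0), status_frame(10, 1), status_frame(20, 3)]

if __name__ == "__main__":
    for name, trace, end in (("healthy", HEALTHY_TRACE, 100),
                             ("fail-silent", SILENT_TRACE, 100),
                             ("alive skip", SKIP_TRACE, 50)):
        print(name, run_trace(trace, end))
```

In the fail-silent trace the last good frame arrives at 40 ms and the monitor latches the fault at 71 ms, the first tick at which the gap exceeds 30 ms; that 31 ms figure is the number that would be compared against the fault-tolerant time interval in the safety requirement. Whether the consumer then stops, degrades, or hands over to a redundant path is exactly the fail-silent versus fail-operational decision the article describes.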
For systematic failures, following a rigorous development process helps increase confidence the feature will operate in a safe manner.
Continuous testing, integration and deployment
Automotive functional safety utilizes the V-model throughout development. The V-model mandates that for every step of development, there must be a corresponding step in testing. Suppliers routinely assess their development processes to ensure that the required steps have been followed for both hardware and software development.
[Figure: The V-Model in Automotive Applications]
OEMs, suppliers or independent companies perform functional safety audits and assessments on all relevant work products in order to help ensure that functional safety has been achieved. The ASIL rating dictates the level of independence required for the audits and assessments.
Automotive functional safety extends beyond the point of sale. Advancements in over-the-air (OTA) updates open the door to continuous improvements. OEMs can reduce remediation costs by deploying software updates over Wi-Fi and cellular networks instead of performing those updates at a dealership. However, the OTA function brings additional safety-related and cybersecurity risks that must be taken into account.
Functional safety requires a holistic management process to ensure proper oversight and complete system integration. Aptiv’s expertise with both the brain and nervous system of the vehicle helps us support the functional safety goals of our customers.