Automotive ISO 26262 Design and Verification Challenges
Abstract
ISO 26262, derived from the IEC 61508 standard, is critical in ensuring the functional safety of automotive electronic and electrical (E/E) systems. It governs the development process, focusing on minimizing failures that could jeopardize human lives. The standard classifies systems into Automotive Safety Integrity Levels (ASIL) from A (low) to D (high), depending on the severity, exposure, and controllability of potential hazards. The primary goal of ISO 26262 is to mitigate risks through early-stage product development, comprehensive risk analysis, and validation of safety goals. This paper discusses the design and verification challenges associated with ISO 26262 in the context of embedded systems for automotive applications. We will explore five key parts of ISO 26262 relevant to an embedded system project, using a practical automotive example to illustrate these challenges.
Introduction
From a safety standpoint in the automotive industry, ISO developed the ISO 26262 standard, which is systematically segmented and has evolved with newer versions. As per ISO 26262:2018, the standard is divided into 12 parts. This paper focuses on key design segments and their corresponding verification challenges, illustrated with practical examples. The specific parts we will examine are:
- Concept Phase: This involves project definition, risk assessment, and establishing functional safety requirements.
- System-Level Development: This covers product development at the system level, including integration testing.
- Product Development at the Hardware Level: This pertains to the design, development, and implementation of hardware components.
- Product Development at the Software Level: This focuses on the design, development, and implementation of software components.
- Production, Operation, and Decommissioning: This segment addresses planning for production, operational procedures, and eventual decommissioning of the product.
Every development process, whether at the system level, hardware level, or software level, follows the V-model structure, as shown in Figure 1.
While an organization may adopt its own development model, it typically aligns or maps with the V-shaped architectural process defined by ISO 26262.
Modern automotive systems have evolved beyond purely electronic, electrical, or mechanical components. Today’s vehicles integrate all these disciplines, a convergence known as mechatronics.
A. Example: Airbag Protection Project in Automotive
Concept:
The Airbag Protection System is designed to enhance passenger safety during automobile collisions. Its primary function is to cushion passengers by deploying during a crash, reducing the force of impact with interior components such as the steering wheel or windows. This system minimizes injuries by distributing the force across a larger area, thereby reducing the likelihood of severe harm. The airbag system is fully automatic, integrating both electronic and mechanical components.
Verification Challenges:
- Critical Situation Focus: It is crucial to verify the system’s performance under extreme conditions, not just under normal scenarios like braking or minor impacts.
- Mechanical System Dependence: The system’s reliance on mechanical components introduces additional verification complexity.
- Timing Precision: The timing of airbag deployment is critical and must be precisely coordinated with the moment of collision.
- Risk Analysis: While the concept may appear straightforward, implementing it with zero failures requires meticulous risk analysis.
- Additional Challenges: Other verification challenges include complex system integration, requirement ambiguities, designing for reliability, and thorough validation.
System-Level Development:
The Airbag Protection System consists of sensors, a controller, a trigger device, and the airbag itself, as illustrated in Figure 2. While the system may appear functionally sound, the development of the Technical Safety Concept (TSC) from the Functional Safety Concept is a critical step. This involves assigning technical safety requirements to both hardware and software components of the airbag system. System and item integration and testing require the combination and verification of outputs from various disciplines across multiple integration levels, ultimately leading to the complete system. Safety validation must ensure that safety goals have been met, and that the development results are ready for release, production, and installation in vehicles.
Verification Challenges:
- Failure Analysis Complexity: Analyzing failures in all hardware and software components is complex. Establishing functional safety involves defining specific parameters and acceptable ranges, but real-time reliability is uncertain due to unpredictable real-world conditions.
- Fail-Safe Design Difficulties: Designing a fail-safe system that still protects passengers in case of a system failure is extremely challenging. A failure at a critical moment could result in injuries, with no alternative protection available.
- Detection and Integration Complexity: Deciding on the correct detection output across multiple integration levels is complicated. Ensuring consistent detection mechanisms and setting acceptable error margins and thresholds for each integration level is essential but difficult.
- Overlooked Hazards: During the setting of safety goals, there is a risk of overlooking potential hazards and their severity. The complexity of hardware design and software function identification increases due to the numerous possible scenarios and permutations.
- Risk Prioritization and Human Error: Identifying risks based on priority and tolerable levels is susceptible to human error. Achieving response time or failure rate requirements in all circumstances is particularly challenging, as human error during testing is common.
- Evolving Testing Techniques: Many techniques for addressing testing and safety challenges are still evolving, and their accuracy and effectiveness are subjects of ongoing research.
Product Development at the Hardware Level:
As illustrated in Figure 1, the development process follows the V-model. The airbag system integrates force sensors to measure impact forces, with a controller processing this data to determine if the impact exceeds the predefined threshold for airbag deployment. If the threshold is met or exceeded, the controller sends a trigger signal to the airbag device, which must deploy the airbag within milliseconds.
The system employs a sensor-based and processor-based approach to generate the trigger signal and initiate the inflation of the airbag through a gas release mechanism.
Circuit Design:
- Sensor Circuit:
- Force Sensor → Op-Amp (Amplification) → RC Filter → ADC Input (Microcontroller)
- Microcontroller:
- ADC Conversion → Data Processing → Trigger Signal Generation
- Trigger Mechanism:
- Microcontroller Output → Driver Circuit (Transistor/Relay) → Airbag Deployment System
Adhering to this design framework ensures a reliable and efficient integration of sensors, microcontrollers, and trigger mechanisms for the airbag system.
Using an ASIC (Application-Specific Integrated Circuit) instead of a microcontroller offers benefits such as higher performance, lower power consumption, and optimized functionality tailored to airbag systems. The ASIC will handle sensor data acquisition, processing, and trigger signal generation. It will interface with force sensors to receive analog data, condition the signals, and process them using predefined algorithms. If the processed data exceeds the impact threshold, the ASIC will generate a trigger signal to activate the airbag deployment mechanism. HDL code will be used to implement the sensor interface, data processing algorithms, and trigger mechanism. The design will be verified through simulation and real-world testing to ensure compliance with safety and performance requirements.
Verification Challenges:
- Sensor Accuracy: Ensuring that sensors consistently function correctly and send accurate signals to the controller is a significant challenge. Factors such as a noisy environment, lack of precision, incorrect calibration, or cost-effective yet unreliable equipment can lead to sensor failures.
- Microcontroller and ASIC Reliability: Both microcontrollers and ASICs are susceptible to issues related to incorrect programming or HDL coding, which can result in incorrect triggering or system failures.
- Rigorous Testing: In the hardware development process, especially for safety-critical automotive systems, rigorous testing is essential to ensure that the hardware functions correctly under all possible conditions. Testing methods include debugging, emulation, and simulation, conducted by individual developers and specialized testing teams at various integration levels.
- Verification Coverage: Despite rigorous procedures, not all verification code paths or possible corner cases may be covered. Human error, limitations in testing tools, and the complexity of modern systems can lead to certain scenarios being overlooked.
- ASIL Determination: Determining the Automotive Safety Integrity Level (ASIL) for hardware is challenging due to the complexity of the process and the critical nature of safety in automotive systems.
Product Development at the Software Level:
In automotive development, the ISO 26262 standard provides a structured approach to ensuring functional safety, often implemented using the V-Model development process. This model offers a clear framework for both development and verification/validation activities.
Before starting the coding process, it is crucial to thoroughly understand both the inputs and outputs of the system. This foundational understanding is essential for ensuring that the software functions correctly and safely, especially in complex and safety-critical systems like those in vehicles.
For an Airbag Protection system, coding can be done in various programming languages, such as Embedded C, C++, or Java. However, C written to the MISRA C guidelines is often preferred in the automotive industry, because those guidelines promote safe, reliable, and maintainable code, which is critical for safety-critical systems like airbag controllers.
During testing, the software is rigorously tested with the hardware under various scenarios to ensure reliability and safety. This includes both positive and negative testing. Another crucial aspect of testing involves fault injection, where faults are deliberately introduced into the code to observe their impact on system performance. This rigorous approach helps ensure that the Airbag Protection system can withstand faults and continue to protect passengers effectively.
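The threshold-based trigger chain from the hardware section (ADC input, data processing, trigger signal) and the fault-injection testing described above, as an added example in C that is not part of the original paper: one controller decision step over two redundant force-sensor channels, with plausibility and cross-channel checks so that a faulted sensor is latched as a fault rather than a deployment, plus a replay harness that injects a stuck-at sensor fault. All ADC limits, thresholds, sample sequences and function names are constructed assumptions for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
/* All numeric limits below are assumptions for illustration, not values from the paper. */
#define ADC_OPEN_MIN     50U     /* below this a sensor is open or shorted to ground */
#define ADC_SHORT_MAX    4045U   /* above this a sensor is shorted to supply (12-bit ADC) */
#define IMPACT_THRESHOLD 3000U   /* deployment threshold in ADC counts */
#define CONFIRM_SAMPLES  3U      /* consecutive over-threshold samples needed to deploy */
#define MAX_SENSOR_DELTA 400U    /* redundant channels must agree within this many counts */

typedef enum { CMD_HOLD = 0, CMD_DEPLOY = 1, CMD_FAULT = 2 } airbag_cmd_t;
typedef struct { uint32_t confirm_count; } airbag_state_t;

/* One control cycle: ADC readings from two redundant force sensors in, command to the
 * driver circuit out. Implausible or disagreeing inputs are a fault, and a faulted
 * cycle never contributes to a deployment (fail-safe toward "hold"). */
airbag_cmd_t airbag_step(airbag_state_t *st, uint16_t adc_a, uint16_t adc_b)
{
    bool plausible = (adc_a >= ADC_OPEN_MIN) && (adc_a <= ADC_SHORT_MAX) &&
                     (adc_b >= ADC_OPEN_MIN) && (adc_b <= ADC_SHORT_MAX);
    uint16_t diff = (adc_a > adc_b) ? (adc_a - adc_b) : (adc_b - adc_a);
    if (!plausible || (diff > MAX_SENSOR_DELTA)) {
        st->confirm_count = 0U;
        return CMD_FAULT;
    }
    if ((adc_a >= IMPACT_THRESHOLD) && (adc_b >= IMPACT_THRESHOLD)) {
        st->confirm_count++;             /* debounce: a single noise spike cannot deploy */
    } else {
        st->confirm_count = 0U;
    }
    return (st->confirm_count >= CONFIRM_SAMPLES) ? CMD_DEPLOY : CMD_HOLD;
}

/* Fault-injection harness: replays a sample sequence and, when inject_stuck_b is set,
 * overrides channel B with stuck_val every cycle (stuck-at fault). First DEPLOY/FAULT latches. */
airbag_cmd_t run_sequence(const uint16_t *a, const uint16_t *b, uint32_t n,
                          bool inject_stuck_b, uint16_t stuck_val)
{
    airbag_state_t st = {0U};
    airbag_cmd_t cmd = CMD_HOLD;
    for (uint32_t i = 0U; (i < n) && (cmd == CMD_HOLD); i++) {
        cmd = airbag_step(&st, a[i], inject_stuck_b ? stuck_val : b[i]);
    }
    return cmd;
}

/* Constructed sample sequences in ADC counts (not measured crash data). */
const uint16_t crash_a[5] = {1000U, 3500U, 3600U, 3700U, 3800U};
const uint16_t crash_b[5] = {1050U, 3400U, 3500U, 3650U, 3700U};
const uint16_t spike_a[4] = {900U, 3900U, 1100U, 1000U};
const uint16_t spike_b[4] = {950U, 3850U, 1150U, 1020U};
```

Replaying crash_a/crash_b unmodified reaches CMD_DEPLOY on the third confirming sample, while the same sequence with channel B stuck at ground, at supply, or at an implausible mid-range value is latched as CMD_FAULT before any deployment decision.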
Verification Challenges:
- Complexity of Real-World Scenarios: Ensuring software reliability across all possible scenarios, especially in safety-critical systems, is a significant challenge. The unpredictability of real-world conditions complicates this task.
- Testing Limitations: Comprehensive testing can be limited by the constraints of test environments and the inherent unpredictability of software bugs and faults.
- Fail-Safe Design: Designing systems with fail-safe mechanisms to handle unexpected scenarios or faults is challenging but necessary to ensure continued safety.
- ASIL Determination: Determining the Automotive Safety Integrity Level (ASIL) for software is complex due to the critical role software plays in vehicle safety.
Production, Operation, and Decommissioning:
Production Phase:
In the production phase of automotive systems like the airbag protection system, several critical steps ensure that the system meets safety and quality standards. This phase involves manufacturing processes, quality control, and adherence to regulatory requirements.
Operation Phase:
The operation phase focuses on maintaining the system’s functionality and safety throughout its service life. This includes regular maintenance, fault handling, and ensuring ongoing compliance with safety standards.
Decommissioning Phase:
The decommissioning phase involves the safe removal and disposal of the system when it reaches the end of its life or is no longer needed. This phase ensures that all processes comply with regulatory and environmental guidelines.
Verification Challenges:
- Quality Checks: Ensuring the safety and reliability of systems like airbag protection systems involves inherent limitations and challenges, such as maintaining consistent quality checks.
- Operational Limitations: Adopting and maintaining operations can be challenging due to factors like human error, fatigue, and system complexity.
- Cost vs. Effectiveness: Balancing effective maintenance with cost efficiency is crucial for ensuring system reliability without incurring excessive expenses.
- Production Changes: Making sudden changes to a system at the production level is challenging due to factors such as manufacturing processes, quality control, and regulatory compliance.
- Manual Services and Monitoring: Manual services and monitoring can be prone to errors due to human factors and system complexity.
- Decommissioning Risks: Properly managing decommissioning is essential to avoid environmental risks, safety hazards, and operational inefficiencies.
Conclusion
ISO 26262 places significant emphasis on documentation throughout the safety lifecycle of automotive systems. Proper documentation is essential for ensuring compliance with the standard and for managing the complexities involved in developing safe and reliable systems.
ISO 26262 is a robust standard that addresses safety-related issues in automotive systems by providing a structured approach to functional safety. However, it cannot guarantee complete safety due to the inherent complexity of real-world scenarios, potential gaps in coverage, integration challenges, and the rapid evolution of technology. To address these limitations and enhance overall safety, continuous improvement, adaptation, and rigorous testing are necessary.
The design and verification challenges outlined in ISO 26262 are vast and complex, reflecting the critical importance of safety in automotive systems. Research and development (R&D) play a crucial role in advancing automotive safety. They contribute to addressing new technologies, improving safety standards, enhancing testing methods, and managing emerging risks. Ongoing R&D efforts are vital to ensuring that safety standards like ISO 26262 evolve to meet the challenges of modern automotive systems and drive continuous improvements in vehicle safety.