
Practical experiences in applying the “concept phase” of ISO 26262

Dr David Ward
General Manager, Functional Safety

November 2012

Smarter Thinking. © MIRA Ltd 2012


Agenda

• ISO 26262 “concept phase” case study
  - Item definition
  - Hazard analysis and risk assessment
  - Functional safety concept
• Summary of some key lessons learned

ISO 26262 “concept phase” case study

• MIRA conducted the “concept phase” (ISO 26262 Part 3) in order to develop a
  functional safety concept for vehicle supervisory control (VSC) on a novel
  range-extended electric vehicle (REEV) architecture
• Activities included
  - Item definition
  - Initiation of safety lifecycle
  - Hazard analysis and risk assessment (H&R)
  - Definition of the functional safety concept (FSC) including warning and
    degradation concept

ISO 26262 lifecycle

(Figure: the ISO 26262 safety lifecycle; the boxes shown are reconstructed here as a list.)

2.5 – 2.7 Management of functional safety

Concept phase
- 3.5 Item definition
- 3.6 Initiation of safety lifecycle
- 3.7 Hazard analysis and risk assessment
- 3.8 Functional safety concept

Product development
- 4 Product development: system level
- 5 Product development: hardware level
- 6 Product development: software level
- Allocation to other technologies
- Controllability
- External measures
- 7.5 Production planning
- 7.6 Operation planning
- 4.9 Safety validation
- 4.10 Functional safety assessment
- 4.11 Release for production

After SOP
- 7.5 Production
- 7.6 Operation, service, decommissioning
- In case of a modification, back to the appropriate lifecycle phase

Scope of concept phase activities

(Figure: block diagram of the vehicle architecture. Blocks shown: fuel and fuel tank, APU, E-Drive system, battery, DC-DC converter, VDC, HEVAC, HMI with user information and user input, and the VSC, which is the item in scope.)

Item definition for the VSC

• Objectives
  - Define and describe the VSC, including its interactions and dependencies
    with the environment and other items
  - Ensure an adequate understanding of the VSC is gained, so that
    subsequent activities in the safety lifecycle can be performed
• The specifics of the VSC item definition for this project
  - A functional architecture was defined for the VSC
  - Primary VSC functions were defined
  - External interfaces to other systems were defined (including interfaces
    with brake/accelerator pedals, PRND, ACC, DSC, TCM, BMS, etc.)
  - Preliminary internal functionality and dependencies were defined
• In order to analyse how an item can lead to hazardous behaviour, it is first
  necessary to understand how it works

VSC primary functions

• Primary VSC functions defined
  1. Vehicle motion control
  2. Vehicle energy management
  3. Thermal management
• Function cascades were developed for each of the primary functions above
  - For example, part of Vehicle Energy Management is to manage energy
    apportionment efficiently within the constraints of the systems
    o Achieved by the secondary functions of determining the instantaneous optimal
      ratio between APU and BMS for a given driver demand; generating a set-point
      for the APU; and managing the traction loads
    o These secondary functions were developed further into tertiary (3rd level)
      functions where applicable
• The item definition is often assumed to be trivial, but it is in fact one of the
  most important activities

Example function cascade

| Primary                   | Secondary                                   | Tertiary                 |
|---------------------------|---------------------------------------------|--------------------------|
| Vehicle energy management | Determine optimal ratio between APU and BMS | Acquire driver demand; … |
|                           | Determine APU setpoint                      |                          |
|                           | Manage traction loads                       |                          |

Elements in scope of item (incomplete)

| Element                   | Sub-elements      | Technology                               | Function                    |
|---------------------------|-------------------|------------------------------------------|-----------------------------|
| Vehicle system controller |                   | Electronic (programmable)                | Manage propulsion torque    |
|                           | Accelerator pedal | Electrical (potentiometer)               | Acquire requested torque    |
|                           | Shifter (PRND)    | Electronic (Hall effect)                 | Acquire requested direction |
| E-drive system            | Motor controller  | Electronic (programmable)                | Manage electrical machine   |
|                           | Motor             | Electrical (motor) but not yet specified | Produce torque              |
|                           | Encoder           | Electronic (Hall effect)                 | Detect motor position       |

Initiation of safety lifecycle

• As this was a novel architecture developed from a “clean sheet” approach, it
  was intended to apply ISO 26262 in full
  - No pre-existing development and therefore no impact analysis required

Hazard analysis and risk assessment

Safety requirements cascade (figure; the ISO 26262 clauses shown, in order):
- 3-7 Hazard identification
- 3-7 Hazard classification
- 3-7 Specification of safety goals
- 3-8 Specification of functional safety requirements
- 4-6 Specification of technical safety requirements
- 5-6 Specification of hardware safety requirements and 6-6 Specification of software safety requirements

Annotations beside the hazard analysis steps:
- Hazards relating to unintended vehicle acceleration and deceleration (i.e.
  undemanded torque at the road wheels)
- Hazards relating to unintended traction battery charging (including plug-in
  charging)
- Automotive Safety Integrity Level (ASIL) identified for each hazardous event (a
  hazard in an operational situation)

Hazard identification

• Vehicle level functions were identified from specifications provided
• Functional failure guidewords were used for identifying potential hazards and to add
  consistency to the process
• Effects of functional failure were analysed to determine if hazardous to people

(Figure: hazard identification flow)
Identify vehicle functions (from the features and functions list)
  → Functional failures (guidewords: no function; partial/over/degraded; intermittent; unintended)
  → Hazards (hazard defined at the vehicle level)
e.g. provide motion control → e.g. unintended application of motion control → e.g. undemanded vehicle acceleration

Hazard list (incomplete)

• Undemanded vehicle acceleration
• Loss of vehicle acceleration
• Reversed vehicle acceleration
• Increased vehicle stopping distance
• Undemanded vehicle deceleration
• Vehicle instability
• Degraded vehicle directional control
• Exposure to hazardous voltages
• Exposure to hazardous substances
• …

Risk assessment

• Each identified hazard was considered during different (relevant) operating
  situations and the risk associated with these hazardous events (hazardous
  event = hazard + operational situation) assessed
  - The same hazard occurring during different operational situations may
    carry different levels of risk. For example:
    o Loss of vehicle acceleration during a high speed overtaking manoeuvre may
      carry a higher level of risk than
    o Loss of vehicle acceleration whilst parking
    However
    o An undemanded vehicle acceleration during a high speed overtaking
      manoeuvre may carry a lower level of risk than
    o An undemanded vehicle acceleration during a parking manoeuvre (potential to
      crush pedestrians)
  - Note, these are examples only!

Hazardous event example

• Undemanded vehicle acceleration at a junction
• Candidates for harm could also be other road users e.g. pedestrians or
  cyclists

ASIL determination

• Each applicable hazardous event is therefore assessed for
  - Severity (an estimate of the extent of harm to one or more individuals)
  - Exposure (the probability or length of time of being in an operational
    situation that can be hazardous)
  - Controllability (ability to avoid harm through the timely reactions of the
    persons involved)
• A combination of Severity, Exposure and Controllability gives the Automotive
  Safety Integrity Level (ASIL)
• The ASIL represents the necessary risk reduction requirements to avoid
  unreasonable risk. ASIL D carries a higher degree of rigour than ASIL A
• Example: Undemanded acceleration at a junction
  - Severity = S3, Exposure = E4, Controllability = C2 ⇒ ASIL C
  - Note, rationale for all selected risk parameters was captured
• ASILs shown are examples and not a definitive statement for any hazard

Risk assessment: ISO 26262 risk graph

| Severity | Exposure | C1     | C2     | C3     |
|----------|----------|--------|--------|--------|
| S1       | E1       | QM     | QM     | QM     |
| S1       | E2       | QM     | QM     | QM     |
| S1       | E3       | QM     | QM     | ASIL A |
| S1       | E4       | QM     | ASIL A | ASIL B |
| S2       | E1       | QM     | QM     | QM     |
| S2       | E2       | QM     | QM     | ASIL A |
| S2       | E3       | QM     | ASIL A | ASIL B |
| S2       | E4       | ASIL A | ASIL B | ASIL C |
| S3       | E1       | QM     | QM     | ASIL A |
| S3       | E2       | QM     | ASIL A | ASIL B |
| S3       | E3       | ASIL A | ASIL B | ASIL C |
| S3       | E4       | ASIL B | ASIL C | ASIL D |

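Added example (my code, not the MIRA material): the risk graph above encoded as the additive rule ASIL level = S + E + C − 6 (QM at 6 or below), checked against every cell of the table, plus the ISO 26262-3 rule that a safety goal takes the highest ASIL of the hazardous events it covers. The HazardousEvent record and the second, high-speed overtaking event with its S/E/C values are constructed for illustration and are not from the slides.

```python
"""ISO 26262 risk graph as code: added example, not the MIRA slides' material.
ASIL level = S + E + C - 6 (QM at 6 or below), checked against the slide's table;
a safety goal takes the highest ASIL of the hazardous events it covers."""
from dataclasses import dataclass

ASIL_NAMES = ["QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D"]

# The slide's risk graph: (S, E) -> ASIL for C1, C2, C3, used as the reference.
RISK_GRAPH = {
    (1, 1): ("QM", "QM", "QM"),             (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "ASIL A"),         (1, 4): ("QM", "ASIL A", "ASIL B"),
    (2, 1): ("QM", "QM", "QM"),             (2, 2): ("QM", "QM", "ASIL A"),
    (2, 3): ("QM", "ASIL A", "ASIL B"),     (2, 4): ("ASIL A", "ASIL B", "ASIL C"),
    (3, 1): ("QM", "QM", "ASIL A"),         (3, 2): ("QM", "ASIL A", "ASIL B"),
    (3, 3): ("ASIL A", "ASIL B", "ASIL C"), (3, 4): ("ASIL B", "ASIL C", "ASIL D"),
}

def asil(s: int, e: int, c: int) -> str:
    """ASIL for one hazardous event from its severity, exposure and controllability."""
    if not (1 <= s <= 3 and 1 <= e <= 4 and 1 <= c <= 3):
        raise ValueError(f"risk parameters out of range: S{s} E{e} C{c}")
    return ASIL_NAMES[max(0, s + e + c - 6)]

def rule_matches_risk_graph() -> bool:
    """True if the additive rule reproduces every cell of the table on the slide."""
    return all(asil(s, e, c) == row[c - 1]
               for (s, e), row in RISK_GRAPH.items() for c in (1, 2, 3))

@dataclass(frozen=True)
class HazardousEvent:        # hazardous event = hazard + operational situation
    hazard: str
    situation: str
    s: int
    e: int
    c: int
    rationale: str           # the slide notes that rationale for each parameter was captured

def safety_goal_asil(events) -> str:
    """Highest ASIL among the hazardous events the safety goal covers."""
    return ASIL_NAMES[max(ASIL_NAMES.index(asil(ev.s, ev.e, ev.c)) for ev in events)]

# The slide's worked event plus one constructed event for the same hazard; the
# S/E/C values of the second are illustrative only and not taken from the slides.
UNDEMANDED_ACCELERATION = [
    HazardousEvent("Undemanded vehicle acceleration", "at a junction", 3, 4, 2,
                   "slide example: S3, E4, C2"),
    HazardousEvent("Undemanded vehicle acceleration", "high-speed overtaking", 3, 2, 1,
                   "constructed: vehicle already accelerating under driver demand"),
]
```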
Hazard analysis and risk assessment: safety goals

(Figure: the safety requirements cascade again, 3-7 hazard identification, 3-7 hazard classification, 3-7 specification of safety goals, 3-8 functional, 4-6 technical, 5-6 hardware and 6-6 software safety requirements, annotated at the safety goals step.)

Vehicle level safety goals were then developed for the identified hazards.
Example: Vehicle occupants and other road users shall not be exposed to
unreasonable risk due to undemanded vehicle acceleration (ASIL C)

Functional safety concept

(Figure: the safety requirements cascade again, annotated at the functional safety requirements step.)

VSC functional safety requirements were then developed.
Example: The VSC shall not send a command to the E-drive which causes the
vehicle to accelerate without a driver demand above the creep threshold
(ASIL C)

A warning and degradation concept was then developed to mitigate fault conditions.
Example: For all detected faults relating to the determination of torque demand, the
vehicle level reaction shall be to remove the propulsion torque within [TBD] ms,
accompanied with a warning [TBD] to the driver

⇒ These are both expressed as functional safety requirements

Warning and degradation concept

| Hazard | Immediate system response | Fault warning: warning light | Fault warning: message | Fault logging | Fault recovery: after re-start | Fault recovery: continued recovery strategy |
|---|---|---|---|---|---|---|
| Undemanded vehicle acceleration | Remove torque | Continuous red | | DTC + snapshot data | After re-start of vehicle if power-up checks passed | If fault occurs 3 times torque latches off, light stays on and flashes with message – authorized reset |
| Excessive vehicle acceleration | Invoke limp home, reduced torque immediately for duration of drive | Continuous red | Limp home mode warning | DTC + snapshot data | After re-start of vehicle if power-up checks passed | If fault occurs 3 times torque latches off, light stays on and flashes with message – authorized reset |
| Insufficient vehicle acceleration | No intervention to system function (do not remove torque or attempt to increase) | Continuous yellow | | DTC + snapshot data | After re-start of vehicle if power-up checks passed remove yellow light. If fault detected yellow light on and warning message, limp-home reduced torque until authorized re-set. | Continued operation allowed in limp-home mode. |

Need to understand what magnitudes and durations are tolerable

• Hybrid system responses to hazardous behaviour defined
• Driver warnings, fault logging and recovery requirements defined
• Not always desirable to simply “switch off” and put “red light” on

Fault tolerant time interval

• Specification of the functional safety concept includes
  - Fail-safe or fault-tolerant behaviour
  - Allowable time to detect and react to a fault
  - Warning strategy to communicate presence of faults to the driver
• A key feature of the detection and fail-safe strategies is to place the vehicle in
  an appropriate safe state within a tolerable timescale

(Figure: timeline of a fault. Normal operation → fault → undetected fault → fault detection → transition to safe state → safe state. The diagnostic test interval runs from the fault to its detection and the fault reaction time from detection to the safe state; the fault tolerant time interval, marked with a “?”, runs from the fault to the point where the hazard becomes possible.)

Tolerable hazard magnitude and duration

• It was necessary to determine the magnitude and durations of tolerable
  hazardous behaviour
  - For example, for how long can a full undemanded application of drive
    torque be tolerated before a safety goal is violated?
• Example: undemanded vehicle acceleration at a junction

Tolerable hazard magnitude and duration

• Some initial assumptions were made
  1. 300 mm (0.3 m) of unrequested vehicle movement would be tolerable (comparable
     to stalling the engine of a traditional vehicle)
  2. The vehicle has the potential to accelerate at 6 m s⁻² (~0 to 100 kph in 6 seconds)
  3. The driveline is engaged, the handbrake is not applied and the driver has their foot
     on the brake (overcoming the creep function)
  4. The friction brakes have the ability to overcome any level of drive torque at the
     wheels
  5. The driver reaction time to notice undemanded acceleration and react by pressing
     the brake pedal harder is 0.5 seconds (based on literature review and expert opinion)
• Some simple calculations determined that a potentially full undemanded
  application of drive torque must be detected and placed in a safe state
  (removal of drive torque) within 140 ms to ensure that the driver can bring the
  vehicle to a halt within 300 mm from a stationary position

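Added example (my code, not MIRA's calculation): the five assumptions above turned into a kinematic model and solved for the latest torque-removal time that keeps movement within 0.3 m, then split into the diagnostic test interval and fault reaction time of the earlier timeline figure. The slides state 140 ms but do not show the calculation behind it; the model chosen here (accelerate until torque removal, coast until the driver reacts at 0.5 s, then an immediate stop because the brakes overcome any drive torque) gives about 113 ms, so the Scenario class, the model and the diagnostic_test_interval split are all assumptions of this example.

```python
"""Fault tolerant time budget for undemanded acceleration from standstill.
Added example, not the MIRA slides' calculation: the slides give 140 ms but not the
model behind it, so this kinematic model (chosen here) yields a different figure."""
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Scenario:
    tolerable_m: float = 0.3            # assumption 1: tolerable unrequested movement
    accel_mps2: float = 6.0             # assumption 2: full undemanded drive torque
    reaction_s: float = 0.5             # assumption 5: driver notices and brakes harder
    brake_decel_mps2: float = math.inf  # assumption 4: brakes dominate, i.e. instant stop;
                                        # a finite value adds a braking-distance term

def distance_travelled(t_safe: float, sc: Scenario) -> float:
    """Metres moved when drive torque is removed t_safe seconds after the fault:
    accelerate until torque removal (or driver braking, whichever is first), coast
    until the driver reacts, then brake at brake_decel_mps2 (no distance if infinite)."""
    t_acc = min(t_safe, sc.reaction_s)
    v = sc.accel_mps2 * t_acc
    s = 0.5 * sc.accel_mps2 * t_acc ** 2
    s += v * max(0.0, sc.reaction_s - t_safe)
    if math.isfinite(sc.brake_decel_mps2):
        s += v ** 2 / (2 * sc.brake_decel_mps2)
    return s

def max_time_to_safe_state(sc: Scenario, tol: float = 1e-6) -> float:
    """Largest torque-removal time keeping movement within tolerable_m (bisection)."""
    lo, hi = 0.0, sc.reaction_s         # distance grows monotonically on [0, reaction_s]
    if distance_travelled(hi, sc) <= sc.tolerable_m:
        return hi                       # driver braking alone is sufficient
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if distance_travelled(mid, sc) <= sc.tolerable_m:
            lo = mid
        else:
            hi = mid
    return lo

def diagnostic_test_interval(ftti_s: float, fault_reaction_s: float) -> float:
    """Time left for fault detection once the fault reaction time is taken from the FTTI."""
    if fault_reaction_s >= ftti_s:
        raise ValueError("fault reaction time consumes the whole interval")
    return ftti_s - fault_reaction_s
```

With a finite brake deceleration of 6 m s⁻² the same model gives exactly 100 ms, which shows how sensitive the budget is to the braking assumption.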
Summary of lessons learned

• The item definition is a key activity in ensuring correct and complete execution
  of the concept phase activities – it is not just identifying the system under
  study
• A systematic and rigorous approach to hazard identification is needed
  - In this example we have used functional failure analysis; other methods
    can be used
  - Note: ISO 26262 does not specify a particular hazard identification method
• The fault tolerant time interval is important in specifying the functional safety
  concept
  - In this example some simple calculations were used for initial
    specification; these would need to be confirmed as development
    progresses

Contact details

Dr David Ward
MA (Cantab), PhD, CEng, CPhys, MInstP, MIEEE
General Manager, Functional Safety

MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, UK

Direct T: +44 (0)24 7635 5430
T: +44 (0)24 7635 5000
F: +44 (0)24 7635 8000
E: david.ward@mira.co.uk
www.mira.co.uk