Professional Documents
Culture Documents
3. Automotive
malfunctioning
system
3.1. Source of categories (hazard is present)
The starting point of an hazard analysis and Risk
assessment (H&R) according to ISO 26262 is the Successful attempt Operational situation present
lighting in darkness or other conditions of reduced Ability to avoid a specified harm through
timely reaction of the person(s) at risk
visibility). Estimation of the extent of
Figure 3.1 gives an example of the relationships harm to the person(s) at risk
between a system failure, the corresponding hazard, Figure 3.2: Overview of ASIL classification method
hazardous event and accident.
3.2. Initial allocation ‘E’ defines the likelihood of exposure of the vehicle
Each of the identified hazardous events is assigned to an operational situation which may lead to a
an ASIL based on the ASIL classification method hazardous event in presence of the failure of the
discussed hereafter. Per ISO 26262, ASIL stands for system. Depending on cases, the exposure rating is
Automotive Safety Integrity Level and is based on based on frequency of occurrence of the situation or
determining three parameters associated with the on its duration (e.g. proportion of operating time in
hazardous events: the exposure ‘E’, the darkness or other conditions of reduced visibility
controllability ‘C’ and the severity ‘S’. compared to the total operating time of a vehicle).
There are four ASILs defined, with ASIL D ‘C’ characterizes the ability of the person(s) at risk to
representing the most demanding regarding a react timely in order to avoid any harm when the
necessary risk reduction and ASIL A the less hazardous event occurs (e.g. ability of the driver to
demanding. The events with no safety relevance are slowdown his/her vehicle safely and switch on the
assigned ‘QM’, i.e. Quality Management. hazard warning signal).
‘S’ is the estimation of the harm to person(s) at risk • When a requirement with no safety relevance and
that may result from the occurrence of a hazardous a safety requirement are both implemented by the
event when not controlled timely (e.g. harm resulting same architectural component, the complete
from a front collision). component has to be developed in compliance
‘S’ represents the severity of the risk associated with with the ASIL of the safety requirement, unless it
a vehicle-level hazard. ‘E’ in combination with ‘C’ can be shown that sufficient freedom from
and with the residual failure rate of the system failure interference exists from the sub-component with
that potentially lead to the hazardous event under no safety relevance to the safety-related sub-
consideration corresponds to the probability of component.
occurrence of this risk. Here, ‘freedom from interference’ means the
‘E’, ‘C’ and ‘S’ are rated using discrete scales. The absence of cascading failures from the lowest
ASIL assigned to the hazardous event is deduced ASIL(s) (or no-ASIL) sub-component(s) to the
from the combination of those three evaluated highest ASIL sub-component(s).
parameters by using a risk graph. 3.4. Dependability architecture and safety level
When more than one hazardous event is associated
to the same system failure then the event with the The ASIL inherited by a safety requirement can be
highest ASIL is held. downgraded provided the following design rule is
applied:
Additionally to the ASIL, a safety goal is determined
for each hazardous event. The safety goal An initial safety requirement is decomposed to
represents a top-level safety requirement that is redundant requirements implemented by
assigned to the system as a whole. Safety goals sufficiently independent architectural components,
always inherit the ASIL of their corresponding where each decomposed requirement complies
hazardous event (e.g. the system shall only switch with the initial safety requirement by itself.
off the head lighting on driver’s request). Here, ‘independence’ means the absence of
When a safety goal is associated with more than one common cause failures and the absence of
hazardous event, it inherits the highest ASIL. cascading failures between the architectural
components that could lead to the violation of the
Depending on cases, more than one safety goals initial safety requirement.
with different ASILs may be assigned to a system.
Reduction of ASIL does not apply to safety goals, i.e.
3.3. Allocation to components the top-level safety requirements.
The H&R, which results usually in a set of safety It may be applied to any lower safety requirements at
goals with their ASIL, is executed early in the system system level, electronic hardware-level or software-
development, typically during the concept phase. level.
The refinement of those safety goals in lower-level However, sufficient independence between the
safety requirements and their allocation to the architectural elements has to be checked at the
architectural components of the system is performed system level.
throughout the system design, the electronic Reduction of ASIL may be applied more than once.
hardware design and the software design. Table 3.1 gives the authorized ASIL reductions: the
Generally speaking, the ASILs of the safety goals first column indicates the ASIL of the initial safety
are propagated throughout the system development. requirements and the second column the possible
The following basic rules apply by default: combinations of ASILs for the decomposed
• Each safety requirement inherits the ASIL of the redundant requirements. The letters between
parent safety requirement it is derived from, brackets designate the ASIL of the safety goal from
starting from the ASIL of the safety goal, which the reduction of ASIL applies.
• Any architectural component that implements a
safety requirement has to be developed in ASIL C(D) + ASIL A (D)
compliance with the ASIL of this safety ASIL D ASIL B(D) + ASIL B(D)
requirement. ASIL D(D) + QM(D)
• When safety requirements with different ASILs are ASIL C
ASIL B(C) + ASIL A(C)
implemented by the same architectural ASIL C(C) + QM(C)
component, the complete component has to be ASIL A(B) + ASIL A(B)
ASIL B
developed in compliance to the highest ASIL, ASIL B(B) + QM(B)
unless it can be shown that sufficient freedom from ASIL A ASIL A(A) + QM(A)
interference exists from the sub-components with
the lower ASIL(s) to the sub-components with the
highest ASIL. Table3.1: Authorized ASIL reduction schemes
4. Nuclear PCC Frequency (order of
magnitude/year)
This part is a summary of citations from reference
PCC1:Operational Permanent or frequent
documents, especially IEC 61226 and IEC 61838.
Transient
We focus on the AIEA-IEC safety referential, -2
representative of the European practices. Some PCC2:Anticipated 10 to 1
operational occurrences
simplifications have been done given the limited size -4 -2
of the paper. PCC3:infrequent 10 to 10
accidents
4.1. Source of categories PCC4: limiting accidents Less than 10
-4
THR
THR
THR