The importance of managing risks in safety-critical industries such as the medical field, the automotive sector, and other transport and mission-critical industries (railway, aviation, nuclear, etc) cannot be emphasized enough. The lives of human users may depend on such devices, so their safety and reliability is vital.
Safety is a top concern for automotive manufacturers and developers of embedded software used in road vehicles. A few tragic accidents resulting from an issue that could have been prevented in the design stage could not only gravely affect the reputation of these companies, it could also have direct financial consequences: lawsuits and product recalls are common in the automotive industry, and could result in huge losses.
Safety standards and regulations
In addition to the obvious reasons of potentially protecting human lives as well as the business interests of automotive companies, there's another reason to implement adequate risk management & Quality Assurance processes. The automotive sector is a highly regulated industry, with various standards stipulating the relevant safety and reliability requirements. Failing to prove compliance with these could mean that the company (or their non-compliant models) can't even enter the market.
Thus, international standards such as IEC 61508 or ISO 26262 are fundamental in automotive development. IEC 61508 is a general umbrella standard focusing on the functional safety requirements of electrical/electronic/programmable electronic (E/E/PE) safety-related systems. Our IEC 61508 compliance guide provides ample information on the standard, as well as how codeBeamer can help you comply with its regulations. In this blog post, we're going to focus on the risk-related requirements of ISO 26262, the standard governing the functional safety requirements of road vehicles, which is an adaptation of IEC 61508 to automotive development.
For more information on automotive risk managemetn, watch our webinar recording from June 2015 below:
Risk Management & Compliance with ISO 26262
The standard, titled "Road vehicles – Functional safety", is the first comprehensive regulation that governs the requirements of safety-related systems in road vehicles (of up to 3,500 kg), whether they are electrical, electronic or software elements. It addresses the risks caused by the possible malfunctioning of electrical / electronic safety systems. Consequently, risk management is a huge part of ISO 26262.
Automotive Safety Integrity Levels
Specifically, the standard employs a risk-based approach to help its users determine the risk classes of safety-related systems – using Automotive Safetey Integrity Levels, or ASILs, it provides a method to determine each item's safety requirements. These ASIL classes help determine the acceptable residual risk for each subsystem, as well as an acceptable general risk (safety) level.
ASILs are determined at the first stage of the development process, and are made up of three components:
1) the probability (likelihood) of the hazardous event
2) controllability, that is, how the hazard is detected and controlled
3) severity of the consequences, should the hazard occur.
Components are assigned an appropriate ASIL level (A, B, C, or D, with ASIL D being the highest safety integrity level), which will serve as a safety goal during development. These goals help you set out the requirements to mitigate / reduce risks to an acceptable level; ISO 26262 also defines the testing requirements for each ASIL level, thus governing the entire process of development.
Using Intland's Automotive ISO 26262 Template that leverages the advanced capabilities of our ALM tool, codeBeamer ALM enables you to develop automotive systems up to ASIL D.
Failure Mode and Effects Analysis
Failure Mode and Effects Analysis (FMEA) is one of the methods widely used in safety-critical systems development, and can also play an important role in achieving ISO 26262 compliance. While on its own, it's definitely not sufficient to develop safe and reliable systems and to prove their reliability, it is nevertheless a hugely helpful tool that can be used to guide the process of development.
FMEA lets you identify potential failure modes (risks), and determine their probability, detectability (controllability), and severity values. Based on these, it helps you prioritize your failure modes. What's more, after determining the mitigation actions to take, codeBeamer's dedicated FMEA template lets you derive these actions as requirements, ensuring complete traceability all the way to testing. As a consequence, FMEA can be used as guiding line of all risk mitigation actions, helping you achieve the desired ASIL levels.
To learn more about FMEA with codeBeamer, watch our webinar recording titled Risk Management, Hazard Analysis and FMEA.
Software Tool Classification Analysis & Tool Confidence Levels
ISO 26262 also aims to ensure that all software applications tools used in developing safety-related systems are suitable, and thus these need to be assessed and classified.
A Tool Confidence Level (TCL) is determined based on:
- the software tool's malfunction can either cause, or fail to identify problems in the safety-related system being developed (tool impact, TI1 and TI2)
- the detectability of the software tool's malfunctioning, or the measures taken to avoid these malfunctions (tool error detection: TD1, TD2 and TD3)
The TCL is calculated as a function of TI and TD, and helps determine what tools need subsequent qualification. Those with the lowest TCLs cannot cause serious harm, and as a consequence won't need qualification.
After qualification (through the "Proven in Use" argument, an analysis of the tool's development process, the validation of the tool, or its development according to a safety standard), a Software Tool Qualification Report will need to be compiled. Thus, risks regarding both the safety system being developed, and the processes & tools used in the development can be identified, analyzed, mitigated. This helps ensure the overall safety and reliability of the end product.
As all the above suggests, compliance with ISO 26262 is a broad and highly complex task. In addition, it also involves a lot of documentation, further increasing the complexity of the task at hand. In the above article, we have identified its main points relevant to risk management, and how they help develop safe and reliable products. Achieving compliance with these requirements isn't easy, but using the appropriate tools such as an integrated, end-to-end Application Lifecycle Management platform, the costs and effort needed to comply can be greatly reduced.