In earlier posts, we provided a general intro to the ISO 26262 standard as well as a deep dive into the Fault Metrics. Today, we will continue with Part 5 of the standard and explore the Automotive Safety Integrity Level (ASIL).
Automotive Safety Integrity Level (ASIL)
Clause 9 finally introduces us to the Automotive Safety Integrity Level (ASIL) and how to evaluate it. Similar to the IEC 61508 Safety Integrity Level (SIL), the goal of the ASIL calculation is demonstrate that the probability of random failures is sufficiently low to meet the safety goal.
The ISO standard specifically states that the evaluation is limited to random hardware failures, neglecting systematic failures. As regular readers of my other blog already know, I strongly disagree, and believe that systematic failures should be both qualitatively and quantitatively considered wherever possible, but I digress…
Two options are given in Part 5 for calculating ASIL:
- Probabilistic Metric for random Hardware Failures (PMHF)
- Individual evaluation of faults (i.e. cut set analysis)
We will briefly discuss each approach below.
Probabilistic Metric for random Hardware Failures (PMHF)
This approach is similar to the IEC 61508 approach for a high demand or continuous SIF, where a target probability of failure per hour (PFH) is specified for each SIL level. The ASIL targets are shown below:
Note that for ASIL:
- No quantitative target or calculations are required for ASIL A
- The PFH targets for ASIL B and C are the same (other requirements differ)
- The PFH values for ASIL do not exactly match up with the targets for SIL. The ASIL targets are higher, i.e. ASIL B/C is equivalent to the PFH for SIL3. ASIL D is the equivalent of SIL4. (Although ASIL A does not have a quantitative target, presumably it is equivalent to SIL2 if the risk matrix is linear.)
Since most of us don’t do IEC 61508 continuous mode SIL calculations every day, the continuous mode SIL table from IEC 61508 is shown below for reference:
The ISO 26262 probabilistic metric evaluation must be done quantitatively, although the standard does not specify the method. Quantitative fault tree analysis (FTA) is suggested as one method. It does have specific requirements that the analysis must cover, including the concept of “exposure duration” which is roughly equivalent to the MTTR considered in SIL calculations.
For higher ASIL C and D targets, the standard requires that a single-point fault in a hardware part shall only be considered acceptable if “dedicated measures” are taken, where dedicated measures are steps to ensure the failure rate is low, such as over-design, separation, sampling, etc. This concept is somewhat similar to the proven-in-use concepts of IEC 61508.
Individual evaluation of faults (i.e. cut set analysis)
The second option for evaluating ASIL is based on evaluating faults one at a time. A simple flowchart is provided in the standard to describe the iterative design process. The advantage of this approach appears to be that a complex model (e.g. FTA) of the entire system is not required for the analysis. I suspect (but have not confirmed) that the downside is that this approach is much more conservative.
This method introduces the concept of failure rate class for individual hardware parts. The failure rate class ranking for a hardware part failure rate is determined as follows:
- Class 1 = <10-10 /hr
- Class 2 = <10-9 /hr
- Class 3 = <10-8 /hr
- etc. (where Class i = Class i-1 x 10)
In this method, each ASIL level has one or more failure rate classes that are allowed to be used, as shown below. There is one table each for (i) single point faults (i.e. no diagnostics), (ii) residual faults, and (iii) dual point faults, as shown below:
This method of component “classes” is conceptually similar to the “parts counts” methods used in the past, most notably in MIL-HDBK-217. That itself is enough to make me skeptical of this approach since the military eventually shelved MIL-HDBK-217 for being wildly inaccurate.
I also wonder if the failure class targets in ISO 26262 are so conservative that this approach is infeasible. A Class 1 part as required for ASIL D must have a failure rate of less that 1E-10 /hr. Stated differently, the MTTF for that part must be more than 1,141,000 years. I want to know where to buy these awesome Class 1 devices for my safety functions! I suspect that this is a subtle way of encouraging hardware fault tolerance without strictly requiring it.
Key takeaways from this article should include:
- The Automotive Safety Integrity Level (ASIL) is similar in concept to high demand SIL, but the levels are different.
- The standard gives two options for calculating ASIL, one based on an overall model of the function (similar to SIL calculations), and one based on consideration of individual faults.
- The PMHF method is similar to traditional IEC 61508 methods, but requires a quantitative model (e.g. FTA). The individual evaluation of faults may be simpler, but the class rules may give very conservative results.
I hope you found this brief overview of ASIL to be informative. Thanks for reading!