What is Functional Safety
Functional safety is about making sure that a system failure does not create a dangerous hazard
All of us who work in electronics and software know how a small floating point error can lead to a catastrophic failure. Alright, maybe we're being a little melodramatic here, but that's the hard truth, and you know it. In the automotive industry (not only there, but we cover automotive topics, so that's the part that matters to us), a failure can have an impact on the safety of people. The main objective of functional safety is to ensure that the functionality of an ECU is performed as intended and that the system is fault-tolerant, so that even if (or when) a fault occurs, the system handles it in a safe manner.
The functional safety standard ISO26262, named "Road Vehicles - Functional Safety", applies the safety concept to all Electrical and Electronic systems (E/E, and no, this is not related to E2E) deployed in road vehicles in series production, with the exception of mopeds. Without complying with the norm, E/E systems are not allowed to hit the road. It includes a risk classification scheme divided into multiple levels, which you may have heard of, named ASIL (Automotive Safety Integrity Levels), with the goal of minimizing the hazardous situations that can arise from a malfunction in an E/E system.
What is ASIL and Why it Matters
ASIL (Automotive Safety Integrity Levels) is the system ISO26262 uses to classify the hazard risk levels for our road vehicles. There are four ASIL levels, and their classification is based on the likelihood of harm and the tolerance to it, from ASIL A to ASIL D, where A is the most forgiving and D represents the highest risk of hazard in case of a failure. Every component that makes up a vehicle is required to meet a certain ASIL level. For example, your brakes, airbags and steering would lead to a life-endangering problem if they were to fail. Can you imagine if your brakes just stopped working, or worked way too well, on a highway? I'm afraid you don't want to know. That's why these components are ASIL D. On the other end of the spectrum, what about your lights? They're important, yes, but not as big a deal as the ones above, so we can be looser on the requirements. Depending on the light, we would be looking at ASIL B or ASIL A. It's actually not too common to find ASIL D components. Not everything is that life-threatening. There is also ASIL QM (Quality Management), which states that the risks associated with a failure are not dangerous and do not require safety measures.
ASIL is calculated according to three different factors (S, E, C): Severity (what are the consequences?), Exposure (how likely is it that this failure situation will occur?) and Controllability (how difficult will this failure be to control, from the driver's perspective?). As the severity can go up to 3, exposure up to 4 and controllability up to 3, you multiply all of them and get ASIL D.
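As an added example (not code from the original article or from Autosar), the following encodes the S/E/C classes into the ASIL lookup table that ISO 26262-3 defines for this classification, so the maximum classes S3, E4, C3 yield ASIL D as stated above while lower classes yield lower levels or QM; the `meets_requirement` helper and the sample hazards are assumptions for illustration.

```python
# Added example, not part of the original article or of any Autosar code:
# ASIL determination from the Severity (S), Exposure (E) and Controllability (C)
# classes, encoding the risk-graph lookup table of ISO 26262-3.
# Class 0 (S0, E0, C0) means "no relevant effect" and yields no ASIL (QM).

ASIL_ORDER = ["QM", "A", "B", "C", "D"]  # from least to most demanding

# ASIL_TABLE[S][E] is a tuple indexed by C-1 -> (C1, C2, C3)
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Return "QM", "A", "B", "C" or "D" for the given S/E/C classes."""
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("S must be 0..3, E must be 0..4, C must be 0..3")
    if 0 in (severity, exposure, controllability):
        return "QM"  # no injuries, incredible exposure, or controllable in general
    return ASIL_TABLE[severity][exposure][controllability - 1]


def meets_requirement(achieved: str, required: str) -> bool:
    """True if a component developed to `achieved` covers a hazard rated `required`."""
    return ASIL_ORDER.index(achieved) >= ASIL_ORDER.index(required)


def classify_hazards(hazards):
    """Map {hazard name: (S, E, C)} to {hazard name: ASIL}."""
    return {name: determine_asil(*sec) for name, sec in hazards.items()}


if __name__ == "__main__":
    # Constructed sample hazards (illustrative S/E/C classes, not from a real analysis)
    sample = {
        "unintended full braking on highway": (3, 4, 3),
        "loss of low-beam headlight at night": (2, 3, 2),
        "interior dome light stays on": (1, 4, 1),
    }
    for name, level in classify_hazards(sample).items():
        print(f"{name}: ASIL {level}")
```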
Functional safety levels, according to ISO26262
Autosar Functional Safety Measures
As expected, Autosar does not leave you alone when it comes to dealing with functional safety, although its support is not very extensive in this area either. They say it themselves: Autosar is not a complete solution when it comes to safety. So, by itself, using Autosar does not make you compliant with the ISO26262 norm. With that said, what does Autosar give you to help with the development of a compliant ECU? A few things, actually. To name a few:
- Partitioning - Autosar allows you to map your Software Components to different partitions, depending on their requirements, such as the memory that they're allowed to (or need to) access. So you can restrict some components from specific memory ranges, such as the hardware registers or the Flash, as you deem necessary (maybe some background theory would be useful here; you can check our articles related to Application Software development, such as Types of Interfaces and Ports and Types of Software Components).
- Timing and Execution Flow - Monitoring the program flow over time by resorting to OS mechanisms and the Watchdog Manager BSW module.
- Data Exchange - Detection of faults in communication using E2E (End to End) protection.
- Hardware Diagnostics - Mechanisms to verify that your microcontroller provides you functionality you can trust, by making use of the Core Test and RAM Test components.
I hope this article helped in your learning process, specifically in what functional safety is all about, how the ISO26262 norm helps ensure the ECUs we deliver to the road are trustworthy, what ASIL is and why you should care, and where Autosar comes into play in all of this. Tune in, so that we can explore the Autosar concepts for functional safety further and learn about other norms that play a role in the automotive industry, such as MISRA. See you soon!
Author: Micael Coutinho