The Functional Safety Mirror

July 12, 2020, Issue no.22, ISO 26262-4:2018, Development on System Level

This series is dedicated to absolute functional safety beginners, system engineers, software engineers, or anyone who wants to learn about the automotive functional safety standard ISO 26262 from zero. Disclaimer: this series expresses only the author's view of ISO 26262 and not the view of any company, institution or organization.

Introduction

In the last article, we covered how to integrate the system elements to build a safe item. After item integration, you have to come out with two work products: the integration and test strategy and the integration test report. Today, we will validate our system development at the vehicle level. That is, we will integrate our item (Electric Power Steering, AEB, BMS, etc.) into the vehicle. Before final acceptance and item shipping, you have to pass the validation test according to predefined pass criteria.

Safety Validation

What are the objectives of safety validation?

  • to provide evidence that the safety goals are achieved by integrating the item into the vehicle. Our safety goal is achieved when we integrate the item into the vehicle; in this stage, the Tier 1 supplier validates the item on its lab cars before delivering it to the OEM, where it is validated on the target vehicle.
  • to provide evidence that the FSC and TSC succeed in fulfilling functional safety for the item

Safety validation provides assurance that the safety goals have been achieved, based on examination and test. The following graph depicts the safety validation model:

[Figure: the safety validation model, steps 1 to 5 below]

1- Input to the validation process

2- The specs of the validation test

3- The execution of the safety validation given the specs in the context of the target vehicle

4- The evaluation, by a panel of experts, that the item is safe and the safety goals are achieved

5- The safety validation report, generated as evidence for the functional safety of the item

1- Input to the validation process

The following info shall be available:

  • HARA, FSC
  • TSC, Item Definition, and Safety Analyses

Imagine that you are on the OEM side and have the HARA. In the HARA, you defined the failure modes of the vehicle model and all hazard scenarios. You have to regenerate these scenarios to make sure that the safety goals are covered.

2- The specs of the validation test

  • The safety goal shall be validated on the model of the vehicle
  • Safety goals shall be validated giving consideration to variance in operation that impacts the technical characteristics, which have been considered in the HARA

The safety validation specification shall be defined, including:

a) the configuration of the item subjected to safety validation, including its calibration data in accordance with ISO 26262-6:2018, Annex C;

[Figure C.1: configuration data and calibration data per vehicle variant]

In Fig. C.1, configuration data and calibration data are specific to each vehicle variant.

b) the specification of safety validation procedures, test cases, driving manoeuvres, and acceptance criteria; and

c) the equipment and the required environmental conditions.

3- The execution of the safety validation given the specs in the context of the target vehicle

  • If testing is used for safety validation, then the same requirements as provided for verification testing (see ISO 26262-8:2018, 9.4.2 and 9.4.3) may be applied.
  • The achievement of functional safety for the item when being integrated into the vehicle shall be validated by evaluating the following aspects:

a) the controllability. How?

Controllability is the ability of the driver to avoid the harm from a hazardous event, so a higher controllability lowers the risk of the item. Therefore, you have to apply all factors affecting controllability in the validation test. That is, you check whether the generated hazard scenario is mitigated by the driver's controllability and the safe state is reached.

b) the effectiveness of the external measures. How?

Suppose you have a HARA for low-voltage management, which (according to the item design) supplies the cooling for the rear inverter. If the low-voltage management is down, the cooling function is not provided, and hence there is a severity associated with the inverter's high temperature.

On the other hand, you have an inverter cooler in your system, the BMS provides a second cooling path for the inverter, or the inverter material is not flammable, so these external measures increased the controllability value of low-voltage management (the ASIL is reduced). Since the ASIL of low-voltage management is affected by external measures, you have to test the effectiveness of the BMS and the non-flammable material to make sure that they are valid and working.

c) the effectiveness of the elements of other technologies. How?

If you have a mechanical safety measure that mitigates the failure of the E/E system, you have to validate it to see the final effect on the item under test. So, include the mechanical measure in your test.

  • The safety validation at the vehicle level, based on the safety goals, the functional safety requirements and the intended use, shall be executed as planned using:

a) the safety validation procedures and test cases for each safety goal, including detailed pass/fail criteria;

b) the scope of application. This may include issues such as configuration, environmental conditions, driving situations, operational use cases, etc.

  • An appropriate set of the following methods shall be applied:

a) repeatable tests with specified test procedures, test cases, and pass/fail criteria;

EXAMPLE 1 Positive tests of functions and safety requirements, black box testing, simulation, tests under boundary conditions, fault injection, durability tests, stress tests, simulation of external influences, highly accelerated life testing (HALT); see the figure below:

Fig: HALT Chamber: temperature +/-, vibration +/-, reliability testing

b) analyses;

EXAMPLE 2 FMEA, FTA, ETA, simulation ("selected test cases to be executed").

c) long-term tests, such as vehicle driving schedules and captured test fleets;

d) operational use cases under real-life conditions, panel or blind tests, or expert panels; and

e) reviews.

4- The evaluation, by a panel of experts, that the item is safe and the safety goals are achieved

The results of the safety validation shall be evaluated to provide evidence that the implemented safety goals achieve functional safety for the item.

The evaluation shall be based on the pass/fail criteria and on engineering judgement applied to the output of the validation test execution.
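To make steps 2 to 4 concrete, here is an added example (not code from the article or from ISO 26262) of a traceability check a validation team might run before the expert panel meets: every HARA hazard scenario of a safety goal must be covered by a test case carrying a detailed pass criterion, every test case needs an execution result, and a safety goal is only "validated" when all of that holds and every case passed. The data model, the EPS safety goals, the scenario ids and the torque figure are constructed assumptions for the example.

```python
"""Safety-validation traceability: HARA safety goals -> validation test cases
-> execution results. Added example with a constructed data model; the sample
goals, scenarios and criteria below are invented, not from any project."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SafetyGoal:
    goal_id: str
    asil: str
    hazard_scenarios: tuple   # scenario ids regenerated from the HARA


@dataclass(frozen=True)
class TestCase:
    case_id: str
    goal_id: str
    scenario: str
    method: str               # repeatable test, driving manoeuvre, analysis, ...
    pass_criterion: str       # detailed pass/fail criterion (mandatory)


@dataclass(frozen=True)
class Result:
    case_id: str
    passed: bool
    observed: str


def check_specification(goals: List[SafetyGoal], spec: List[TestCase]) -> Dict[str, List[str]]:
    """Gaps in the validation specification: per goal, the HARA scenarios
    without a test case; plus key 'no_criterion' for cases lacking a criterion."""
    gaps: Dict[str, List[str]] = {}
    covered = {(tc.goal_id, tc.scenario) for tc in spec}
    for g in goals:
        missing = [s for s in g.hazard_scenarios if (g.goal_id, s) not in covered]
        if missing:
            gaps[g.goal_id] = missing
    no_criterion = [tc.case_id for tc in spec if not tc.pass_criterion.strip()]
    if no_criterion:
        gaps["no_criterion"] = no_criterion
    return gaps


def evaluate(goals: List[SafetyGoal], spec: List[TestCase],
             results: List[Result]) -> Dict[str, str]:
    """Verdict per safety goal:
    'failed'     - at least one test case for the goal failed;
    'incomplete' - a scenario, a pass criterion or an execution result is missing;
    'validated'  - fully covered and every case passed."""
    by_case = {r.case_id: r for r in results}
    gaps = check_specification(goals, spec)
    verdict: Dict[str, str] = {}
    for g in goals:
        cases = [tc for tc in spec if tc.goal_id == g.goal_id]
        outcomes = [by_case.get(tc.case_id) for tc in cases]
        if any(o is not None and not o.passed for o in outcomes):
            verdict[g.goal_id] = "failed"
        elif (g.goal_id in gaps or any(o is None for o in outcomes)
              or any(tc.case_id in gaps.get("no_criterion", []) for tc in cases)):
            verdict[g.goal_id] = "incomplete"
        else:
            verdict[g.goal_id] = "validated"
    return verdict


def report(goals, spec, results) -> List[str]:
    """Human-readable lines for the safety validation report (step 5)."""
    verdict = evaluate(goals, spec, results)
    gaps = check_specification(goals, spec)
    by_case = {r.case_id: r for r in results}
    lines = []
    for g in goals:
        line = f"{g.goal_id} ({g.asil}): {verdict[g.goal_id]}"
        failed = [f"{tc.case_id}: {by_case[tc.case_id].observed}" for tc in spec
                  if tc.goal_id == g.goal_id and tc.case_id in by_case
                  and not by_case[tc.case_id].passed]
        if failed:
            line += " [" + "; ".join(failed) + "]"
        if g.goal_id in gaps:
            line += " [no test case for: " + ", ".join(gaps[g.goal_id]) + "]"
        lines.append(line)
    return lines


# Constructed sample data for an Electric Power Steering item.
HARA = [
    SafetyGoal("SG-01", "ASIL D", ("HS-01", "HS-02")),   # unintended self-steering
    SafetyGoal("SG-02", "ASIL B", ("HS-03", "HS-04")),   # loss of steering assist
]
SPEC = [
    TestCase("TC-01", "SG-01", "HS-01", "fault injection on lab car",
             "torque deviation at the wheel below 3 Nm; safe state within 100 ms"),
    TestCase("TC-02", "SG-01", "HS-02", "driving manoeuvre, parking",
             "driver keeps the intended path; safe state reached"),
    TestCase("TC-03", "SG-02", "HS-03", "driving manoeuvre, city traffic",
             "assist is ramped down gradually; vehicle stays controllable"),
]
RESULTS = [
    Result("TC-01", True, "safe state reached after 42 ms"),
    Result("TC-02", False, "torque overshoot while parking; driver left the path"),
]

if __name__ == "__main__":
    print("\n".join(report(HARA, SPEC, RESULTS)))
```

With the constructed data, SG-01 comes out "failed" because TC-02 did not meet its criterion, and SG-02 is "incomplete" both because HS-04 has no test case and because TC-03 has not been executed; only the pass/fail verdicts are automated here, and the engineering judgement the text asks for is applied by the panel on top of this report.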

5- The safety validation report, generated as evidence for the functional safety of the item

  • Safety validation specification, including a description of the safety validation environment
  • Safety validation report, resulting from the requirements in the validation execution section

Conclusion

The validation test process provides evidence that the item under test meets the functional safety specification according to ISO 26262. That is, at this stage you have the integrated item: SW, HW & ME.


Congratulations! We have finished ISO 26262-4.
Next, we will start a new chapter: Software, ISO 26262-6.
Stay tuned!


Feel free to send me your opinion/findings, we learn from each other.

References

  • ISO 26262:2018
  • Google Images
  • Wikipedia

Joachim Osbeck

System Lead - Vehicle Engineering, R&D

4 years

Glad to see that you have captured how we safety-validate steering systems before we provide them to the end customer - great article, thanks!

Thorsten Langenhan

GF bei Langenhan Engineering Services GmbH

4 years

"Mr. Tier 1: We finished the item and SOP is next month." Abdelrahman Hassan, your article seems to suggest that FuSa is something that could be done shortly before SOP. Well, if you like to simply triple costs and fail deadlines...

Vijayalaxmi Naik

Functional Safety Lead Engineer

4 years

Abdelrahman Hassan, your ISO 26262 posts are always helpful. Thank you for sharing.
