ISO26262 Reflection and Deviations (Open Question List)

Hello there! While studying and trying to follow the ISO26262 guidelines, I felt overwhelmed by the many very general guidelines in ISO26262. How many people agree with me? (^_^)

In this article, I only want to present some of my reflections on and deviations from ISO26262 in the Functional Safety Concept, by raising a list of open questions for discussion purposes.

1. Level of Detail of the preliminary architecture

  • At what level of detail should the preliminary architecture be described?
  • Should we use a simple preliminary architecture (Figure 1), a detailed preliminary architecture (Figure 2), or a more detailed architecture (Figure 3) in order to develop and allocate the functional safety requirements? Which is best?
  • When selecting a preliminary architecture, should we allocate FSRs to an entire subsystem or to specific elements inside the subsystem?


Figure 1: A simple preliminary architecture of Traction Inverter
Figure 2: A detailed architecture of Traction Inverter
Figure 3: A more detailed preliminary architecture of Traction Inverter

2. Safety Analysis

When specifying the functional safety requirements, ISO-26262 states that one can use safety analysis techniques such as FMEA, FTA or HAZOP in order to develop a complete set of functional safety requirements. But what if we have no experience with the above-mentioned analyses, or only know one of them (for example FTA), and at the same time feel confident that we could produce a complete set of FSRs without them? How then can we derive FSRs from safety goals?

3. Fault Tolerant Time Interval (FTTI) determination

Another remark concerns the fault tolerant time interval for each functional safety requirement and safety goal. ISO26262, Part 4, 6.4.2.3 states: "In-vehicle testing and experimentation can be used to determine the fault tolerant time interval." As Part 3 of ISO-26262 gives no guidance on how to determine the fault tolerant time interval, we assume the same means can be used in Part 3. However, as we lack the means to perform these tests, how should the FTTI stated for each FSR in this work product be estimated?

4. Emergency Operation

The ISO-26262 standard, [6, Part3, 8.4.2.4], states that "If a safe state cannot be reached by a transition within an acceptable time interval, an emergency operation shall be specified." Some open questions came to my mind as follows:

  • How should this be interpreted though?
  • Does it mean that an emergency operation shall be specified for those requirements which do not have a safe state?
  • Or specified for those requirements that do have a safe state, but where it is not possible to reach it within an acceptable time interval?
  • Or maybe even specified for all requirements just in case?
  • Even if these questions were answered, what is an emergency operation?

We have not found an answer to the last question in the ISO-26262 standard, nor anywhere else. Due to all these unanswered questions, should we choose not to specify any emergency operations, since it would be based on guesses?

5. ASIL Decomposition

When performing ASIL decomposition, ISO-26262 states that the elements used for decomposition need to be independently implemented. But to what extent?

For example, if you implement two redundant elements on two different ECUs, do these ECUs have to be bought from two different manufacturers? And if they are, what if these ECU manufacturers buy their components from the same supplier? And so on.


The reason I am asking this question is that in the future, when and if ISO-26262 becomes required by law, vehicle manufacturers will want to put redundant elements on the same ECU for different reasons such as cost and area consumption. This ECU would obviously need separate CPUs, memories etc. But will it also need separate power supplies? Do the CPUs need to be of different brands and types? Questions like these need to be clearly answered in ISO-26262.

PS: Hopefully, after reading this article, those of you who are FUSA experts can give me some of your own ideas or share your experience to clarify the many vague guidelines in ISO26262.

Thank you, and see you in my next articles (^_^)


Sambasiva Rao B

Lead Engineer - Functional Safety at Ford Motor Company

5 months

"Yes"

Bishnu Ban

functional safety expert at TUEV automotive Austria

5 months

Hi Duong! You need process-oriented project work. What does it mean? ISO 26262-2011/2018 is very easy to understand (like a bible). About 107-117 work products (WP) should be created for the ISO 26262 compliant development of the ECU. A WP is only completed in accordance with the standard if it has been created and reviewed by independent qualified experts and the review report shows that the WP is correct and complete. The evidence of all completed work packages is compiled in the safety case. The safety case is the first document that an assessor likes to check. It is very difficult to create these work products without many years of experience. To make the WPs manageable, some WPs can be combined into a single WP, e.g. allocation/mapping of 117 WPs to e.g. 21-25. (continued...)

Bishnu Ban

functional safety expert at TUEV automotive Austria

5 months

Continued. Next steps:
  • Specification of the company's functional safety work products (naming of the mentioned 21-25 work products)
  • Create functional safety gates/milestones with the project manager
  • Creation of a compliance matrix: mapping scheme of 117 work products to e.g. 21-25 work products
  • Creation of a template for each allocated WP, i.e. all disciplines can create the WPs without considering details in ISO 26262
  • Creation of a checklist for the technical and confirmatory review
  • Review of the WPs
  • Creation of the safety case
  • Support with assessment and audit
This is referred to as process-oriented project work.

Andreas Nagl

Optimise Functional Safety in SW and System development organisation

5 months

It is important to understand that ISO 26262 and other standards define the state of technology at a point of time in the past. This is why it never gives concise approaches and checklists. For every product you sell, you have to provide an argumentation why you dare to sell it, why it's state of technology, to avoid product liability. This is then the safety case. Read the preamble of each ISO volume. If you see it like this, create concepts, analysis approaches and get some experts to agree with them. This is what a supplier has to do with each OEM individually. I could give you some advice on this, but I would need more details to give you a competent answer...
