Underwriters Laboratories expects ISO 26262 to be published as an international standard in the fourth quarter of 2011. ISO 26262 is an adaptation of the well-known parent functional safety standard IEC 61508; its publication will be a significant event for the automotive industry.
Why has ISO 26262 been developed when IEC 61508 already exists? According to Thomas Maier, principal engineer, functional safety at UL, there are a number of motivating factors. “I think the main motivation of automobile manufacturers and suppliers in getting behind this standard is that they believed that 61508 is oriented too much to the process industries,” he says.
IEC 61508 is mostly applicable to systems that are developed once and that are not mass-produced, which is not the case for onboard automotive systems. For example, system controllers and anti-lock braking systems (ABS) are produced in hundreds of thousands or even millions of units. On the other hand, systems developed under 61508 for the process industry are often built only once, or perhaps three or four times, depending on the number of plants involved.
Another reason Maier cites is that ISO 26262 explicitly states requirements for the production process. It sets requirements that need to be verified in production that do not exist in IEC 61508. “ISO 26262 has a well-defined hazard identification and risk assessment method that is normative,” says Maier. This is possible because the standard is focused on onboard automotive systems. “In 61508, the hazard identification and risk assessment methods are informative, not normative,” he continues. “It doesn’t prescribe precisely what you have to do to identify the safety integrity levels.”
Where IEC 61508 refers to Safety Integrity Levels (SIL), ISO 26262 uses Automotive Safety Integrity Levels (ASIL) that employ an alphabetical hierarchy, rather than the numerical ones in SILs. Safety-critical functions are usually distributed throughout an automobile by electronic control units (ECUs). As ISO 26262 becomes more prominent after publication, manufacturers of ECUs supplying automakers will be well served to secure the UL Functional Safety Recognized Mark.
Another aspect of IEC 61508 that has facilitated the move to 26262 is the dated nature of its techniques and development methods. The automotive world leads in the development of electronics and software. The new standard 26262 encourages practices such as hardware emulation and simulation, model-driven software development, and code generation. IEC 61508 did nothing of the sort.
“ISO 26262 is considered state-of-the-art in automotive,” says Maier. “IEC 61508 is state-of-the-art only if you do safety related control systems—no matter where—if no other regulation exists. If an accident happens, if the manufacturer is brought to court, then it needs to demonstrate that state-of-the-art safety procedures were followed. Even though 26262 is not published yet, it has strong support from all the automotive industry. Once it is published, it will establish both legal and market precedence.”
No matter what power source drives a vehicle, whether an electric motor or a traditional combustion engine, ISO 26262 will apply to all onboard systems. “Electric vehicles will have additional or different safety concerns, and there will be a difference in the nature of the electronic and programmable systems” such as the charging system and the battery management system, says Maier. Another area of interest is how safety features are integrated into the power train of an electric vehicle. “Electric vehicles will have new safety requirements and new functional safety challenges, but 26262 can be applied to new challenges and existing ones,” he continues.
In fact, there is no way to apply the standard differently based on power source; it is about functional safety for all onboard automotive systems. In the electric vehicle, the systems and functions that are safety related will be covered by 26262. ISO 26262 applies to what it defines as “systems.” Systems can be part of items, and an item can be any aspect, system, or function in a car. Typical examples of an item are a battery management system or an ABS.
The first step is to define the item—the product or the feature to be considered, or that you want to add to the car, or that you want to produce as a supplier. “You must do a hazard identification and risk analysis for that item and consider it within the context of the entire car,” says Maier. “You must consider it within the context of the different operations of a car, such as the driver's reactions—‘controllability.’ But in the end, the ASIL will need to be applied to the system. In 61508 terms, this is the safety related control system. ISO 26262 can also be applied to elements that are component parts of the system. So the ASIL can be applied to a single microcontroller, for example, that implements certain safety related functionality or detection functionality. This is very similar to the compliant item concept of IEC 61508.”
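The hazard identification and risk analysis Maier describes ends with an ASIL for each hazardous event, derived from three classifications: severity of the potential harm, probability of exposure to the operational situation, and the driver's controllability. The following worked example is added here and is not code from the UL article; it reproduces the ASIL determination table of ISO 26262-3 as the author of this example knows it, and the battery-management-system hazards it evaluates are constructed for illustration, not taken from any real analysis.

```python
"""ASIL determination worked example (added illustration, not from the article).

ISO 26262-3 classifies each hazardous event by three factors:
  S (severity)        S0..S3
  E (exposure)        E0..E4
  C (controllability) C0..C3
and maps the combination to QM (quality management only, no ASIL) or ASIL A..D.
"""

# ASIL determination table as given in ISO 26262-3 (reproduced from memory of
# the standard, assumption of this example).
# Outer key: severity S1..S3; inner key: exposure E1..E4;
# the three entries are for controllability C1, C2, C3 in that order.
_ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}

# Order used to compare levels; D is the most demanding.
_ASIL_ORDER = ["QM", "A", "B", "C", "D"]


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Return 'QM' or 'A'..'D' for one hazardous event classified as S/E/C."""
    limits = (("S", severity, 3), ("E", exposure, 4), ("C", controllability, 3))
    for name, value, upper in limits:
        if not 0 <= value <= upper:
            raise ValueError(f"{name}{value} is outside the allowed range 0..{upper}")
    # S0 (no injuries), E0 (incredible exposure) or C0 (controllable in
    # general) means no ASIL is assigned; only quality management applies.
    if 0 in (severity, exposure, controllability):
        return "QM"
    return _ASIL_TABLE[severity][exposure].split()[controllability - 1]


def item_asil(hazards):
    """Evaluate a list of (name, S, E, C) tuples for one item.

    Returns (highest ASIL across the hazards, dict of per-hazard ASILs).
    Each safety goal carries the ASIL of its hazardous event; where several
    hazards are combined into one goal, the highest ASIL is assigned.
    """
    per_hazard = {name: determine_asil(s, e, c) for name, s, e, c in hazards}
    highest = max(per_hazard.values(), key=_ASIL_ORDER.index)
    return highest, per_hazard


# Constructed sample hazards for a hypothetical battery management system item.
SAMPLE_HAZARDS = [
    ("unintended loss of traction power at highway speed", 3, 4, 3),
    ("cell over-temperature not detected during charging", 3, 3, 2),
    ("spurious low-charge warning while driving", 1, 4, 1),
]

if __name__ == "__main__":
    highest, per_hazard = item_asil(SAMPLE_HAZARDS)
    for name, level in per_hazard.items():
        print(f"{level:>2}  {name}")
    print(f"highest ASIL for the item: {highest}")
```

The `QM` result for the spurious-warning hazard shows why the method matters to suppliers: a function with low severity and high controllability needs no ASIL-specific measures, while the traction-loss hazard at S3/E4/C3 drives the whole item, and therefore the ECU implementing it, to ASIL D.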
The chart below tries to map entities of the system hierarchy in ISO 26262 to those of IEC 61508.
Enabling New Technology
According to Anura Fernando, research engineer, predictive modeling and risk analysis at UL, ISO 26262 is likely to smooth the introduction of new automotive technology. “When we look at different automotive technologies such as wireless, fuel cells, and electric vehicles, this new standard can actually help enable their acceptance in the marketplace because the risk based approach it takes makes it much easier to address the unique risks associated with those technologies,” he says.
According to Kevin Connelly, business development manager at UL, that factor helps gain acceptance. “There are genuine safety concerns with new technologies,” says Connelly. “Consider fuel cells. People may have concerns about the safety of a fuel cell and a fuel cell system. The risk based approach of the 26262 standard should help allay those fears and give people a greater level of confidence that a state-of-the-art evaluation has been done, and that the technology is safe.”
In recent years, safety has taken center stage in the industry due to a number of rather dramatic recalls. “Mechatronics”—the industry's term for the combination of mechanical, electronic, and software elements—has experienced a plethora of failures and recalls. Adherence to functional safety standards is one logical means of addressing these problems.
Regardless of the automotive component or system involved, UL can provide the appropriate functional safety evaluation to ensure compliance with ISO 26262 and whatever functional safety certificate, certification, or mark the manufacturer seeks.
“We have been a trusted partner for those suppliers serving the automotive market for years,” notes Connelly. “As electronics become an even more important part of automotive design and production, we expect to be even more involved with the industry.”