Wednesday, October 16, 2013

Understanding ISO 26262 ASILs

ISO 26262 is an extension of IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems. IEC 61508 defines Safety Integrity Levels (SILs). ISO 26262 defines ASILs. It might seem that ASILs are like SILs and that anyone familiar with building a safety case for a system requiring certification to an IEC 61508 SIL should be able to transfer those methods to an ISO 26262 project.
Experience building an IEC 61508 safety case and gathering evidence for it will certainly be invaluable to anyone building the safety case for an ISO 26262 system. But unlike IEC 61508, ISO 26262 is “not a reliability standard. It doesn’t set precise numbers for acceptable probabilities of failure.” ASILs are not determined in the same manner as IEC 61508 SILs.
When defining SILs, IEC 61508 considers the target failure measures for systems acting in low demand, high demand, or continuous mode. For example, a software component certified to continuous mode SIL 3 is required to have a probability of dangerous failure below 1 in 10 million per hour of operation. IEC 61508 SILs can thus be considered one-dimensional, in the sense that they involve only the probability of failure in the stated operating mode.
ASILs, though, are three-dimensional, involving three variables: severity, probability of exposure, and controllability. ISO 26262-3, section 7 “Hazard analysis and risk assessment” provides tables that break these three variables down into classes. Probability of exposure has five classes, from “Incredible” to “High probability” (E0-E4). Severity has four classes, from “No injuries” to “Life-threatening injuries (survival uncertain), fatal injuries” (S0-S3). Controllability, which means controllability by the driver, not by the vehicle electronic systems, has four classes, from “Controllable in general” to “Difficult to control or uncontrollable.”
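As an added example (not from this post), the three-variable ASIL determination in Python. The lookup table is ISO 26262-3 Table 4, which the post does not reproduce; the closed-form rank-sum equivalent is an observation checked against that table, and the hazardous events are constructed for a hypothetical steering function.

```python
# Added example (not from the post). ASIL_TABLE is ISO 26262-3 Table 4, keyed by
# (S, E), one entry per controllability class C1-C3. Class 0 on any axis -> "QM".
from itertools import product

ASIL_TABLE = {
    # (S, E): [C1, C2, C3]
    (1, 1): ["QM", "QM", "QM"], (1, 2): ["QM", "QM", "QM"],
    (1, 3): ["QM", "QM", "A"],  (1, 4): ["QM", "A", "B"],
    (2, 1): ["QM", "QM", "QM"], (2, 2): ["QM", "QM", "A"],
    (2, 3): ["QM", "A", "B"],   (2, 4): ["A", "B", "C"],
    (3, 1): ["QM", "QM", "A"],  (3, 2): ["QM", "A", "B"],
    (3, 3): ["A", "B", "C"],    (3, 4): ["B", "C", "D"],
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]

def _check(s, e, c):
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"class out of range (S0-S3, E0-E4, C0-C3): S{s} E{e} C{c}")

def asil(s, e, c):
    """ASIL of one hazardous event by table lookup: 'QM', 'A', 'B', 'C' or 'D'."""
    _check(s, e, c)
    if 0 in (s, e, c):  # S0, E0 or C0: no ASIL is assigned, treated as QM
        return "QM"
    return ASIL_TABLE[(s, e)][c - 1]

def asil_rank_sum(s, e, c):
    """Closed form: Table 4 equals the rank sum S+E+C-7 (negative -> QM, 0..3 -> A..D)."""
    _check(s, e, c)
    if 0 in (s, e, c):
        return "QM"
    rank = s + e + c - 7
    return "QM" if rank < 0 else "ABCD"[rank]

def table_matches_rank_sum():
    """True if the closed form reproduces every cell of the table (zeros included)."""
    return all(asil(s, e, c) == asil_rank_sum(s, e, c)
               for s, e, c in product(range(4), range(5), range(4)))

def safety_goal_asil(hazards):
    """Highest ASIL over (name, S, E, C) events: the ASIL the covering safety goal inherits."""
    return max((asil(s, e, c) for _, s, e, c in hazards), key=ASIL_ORDER.index)

# Constructed hazardous events for a hypothetical steering function.
HAZARDS = [
    ("unintended steering at highway speed", 3, 4, 3),
    ("loss of steering assist in a car park", 1, 3, 2),
    ("steering wheel vibration while parked", 0, 4, 1),
]
```

Calling `safety_goal_asil(HAZARDS)` yields ASIL D, driven entirely by the first event; the other two fall to QM, which is the point of rating severity, exposure and controllability separately rather than a single failure rate.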

