The number of electronic/electrical systems on the car continues to increase. Some high-end luxury cars have more than 70 ECUs (Electronic Control Unit), including airbag systems, brake systems, chassis control systems, engine control systems, and lines. Control systems, etc. are all safety related systems. When the system fails, the system must go into a safe state or switch to the degraded mode to avoid system failure and cause casualties. Failure may be caused by errors in the normative human error, environmental impact, and so on. In order to achieve the functional safety design of the electronic/electrical system on the vehicle, the road vehicle functional safety standard ISO 26262 was officially released in 2011, providing a guide for the development of automotive safety-related systems based on electronic/electrical/in any industry. Functional safety standard for programmable electronic systems IEC 61508.

Talking about the Structure and Decomposition of Automobile ISO 26262 Safety Standard

In the ISO 26262 standard for functional safety design of the system, an important step in the early stage is to conduct a hazard analysis and risk assessment of the system, identify the hazard of the system and the risk level of the hazard - ASIL level (AutomoTIve Safety IntegraTIon Level, car safety) Integrity level) is evaluated. ASIL has four levels, A, B, C, and D, where A is the lowest level and D is the highest level. Then, at least one security goal is determined for each hazard, the security goal is the highest level of security requirements of the system, the security requirements are derived at the system level, and the security requirements are assigned to hardware and software. The ASIL level determines the requirements for system security. The higher the ASIL level, the higher the security requirements for the system. The higher the cost of achieving security, the higher the diagnostic coverage of the hardware, and the stricter the development process. The development cost is increased, the development cycle is extended, and the technical requirements are strict. ISO 26262 proposes a method for reducing the ASIL level under the premise of meeting the safety objectives - ASIL decomposition, which can solve the difficulties in the above development.

This paper first introduces the ASIL classification method in the hazard analysis and risk assessment phase of the ISO 26262 standard, and then introduces the principles of ASIL decomposition, with examples.

2. Hazard analysis and risk assessment

When performing functional safety design according to ISO 26262 standard, firstly identify the function of the system and analyze all possible functional faults (MalfuncTIon). The available analysis methods are HAZOP, FMEA, brainstorming, etc. If faults that are not identified at this stage are found at various stages of system development, return to this stage and update. Functional failures can cause casualties in specific driving situations, such as low beam systems. One of the malfunctions is that the lights are unexpectedly extinguished. If you drive on a mountain road in a dark night, the driver cannot see the road conditions. Will fall into the cliff, causing the car to be destroyed; if this malfunction occurs during the day, it will not have any impact. Therefore, after performing functional fault analysis, a scenario analysis is performed to identify driving scenarios related to the fault, such as highway overtaking, garage parking, and the like. Analyze driving scenarios suggested from road types: national roads, urban roads, country roads, etc.; road conditions: such as slippery roads, snow and ice roads, dry roads; vehicle status: such as steering, overtaking, braking, acceleration, etc.; environmental conditions: : Wind and snow, night, tunnel lights; traffic conditions: congestion, smooth, traffic lights, etc.; personnel: not as good as passengers, passers-by and so on. The combination of functional failure and driving scenarios is called a hazardous event. After the hazard event is determined, the risk level of the hazard event is assessed based on three factors—Severity, Exposure, and Controllability. - ASIL level. The severity refers to the degree of damage to the driver, occupant, or pedestrian, etc.; the exposure rate refers to the probability that the person is exposed to the system failure can cause harm; the controllability refers to the driver or other involved Insurers are able to avoid the possibility of accidents or injuries. The classification of these three factors is given in Table 1.

The ASIL rating is determined based on these three impact factors. Table 2 shows the ASIL determination method, where D represents the highest level, A represents the lowest level, and QM represents the quality management (Quality Management), indicating that the system is developed according to the quality management system or The function is sufficient, regardless of any safety-related design. Once the hazard ASIL level has been determined, at least one safety objective is identified for each hazard as a basis for functional and technical safety needs.

Talking about the Structure and Decomposition of Automobile ISO 26262 Safety Standard

Table 2 ASIL rating

The following is an example of how to conduct a hazard analysis and risk assessment using the EPB (Electrical Park Brake) system as an example.

Compared with the traditional parking brake, the EPB has a dynamic start assist function, an emergency brake function and an automatic parking function in addition to the parking function. Here we take the parking function as an example. When parking, the driver issues a braking request by button or other means. The EPB system applies braking force on the rear wheel of the car to prevent the car from unintended sliding. The hazards of this system are: unintended brake failure, unintended brake start. The same hazard is different in different scenarios, so we have to analyze different driving scenarios. In order to simplify the problem, here we only conduct a risk assessment of the functional failure of "unexpected brake failure". Table 3 gives the EPB risk assessment form, in which we consider the driving scenario where the car is parked on a slope and the driver is not in the car. If the driver is in the car, the driver can control the car to slide by braking, and the controllability increases, then the ASIL rating evaluated will be lower than the ASIL D in the table, but for the same safety target, if the ASIL rating is evaluated In the case of difference, choose the one with the highest ASIL rating.

Talking about the Structure and Decomposition of Automobile ISO 26262 Safety Standard

Through the above analysis, the safety goal of the EPB system is: to prevent the brake failure, the ASIL level is D.

Fibos large range column load cell sensor 

Press Load Cell

Rated load

Structure is tight

load cell light 

Fibos provides load cell and measure & control solution. Fibos goes into load cell and measure & control solution field since 2009.
Measure world well, know the world better" is Fibos` pursue.

Fibos owns mature design, manufacturer and test team. Engineers work in top load cell solution providing company such as HBM and Tecsis. Mature engineer team makes Fibos confident to provide client excellent products.

Fibos equipment list: Curing box, Overloader, weight machine, High and low temperature test box. Fibos purchase new equipment every year. Complete equipment chain is the guarantee of Fibos load cell quality.

Fibos main business range: Customized Load Cell, mini Force Measure Load Cell, high precision force measure load cell, high accuracy Weighing Load Cell , S Type Load Cell , Shear Beam Load Cell , Multi Axis load cell, tension load cell, Transmitters, instrument and measure&control solution.

Just name your requirement, the rest things belongs to Fibos.

Large Range Column Load Cell

large range column load cell ,large range column sensor

Fibos Measurement Technology (Changzhou) Co., Ltd. ,