ISO 26262 is an automotive industry-specific standard for safety-related electrical systems in passenger vehicles up to 3.5 tonnes. It addresses possible hazards caused by malfunctioning behaviour within and between electrical and electronic (EE) safety-related systems and should:
- Provide an automotive functional safety lifecycle (management, development, production, operation, service, decommissioning) and support the tailoring of the necessary activities during these lifecycle phases
- Cover functional safety aspects of the entire development process (including such activities as requirements specification, design, implementation, integration, verification, validation, and configuration)
- Provide an automotive-specific risk-based approach for determining risk classes – automotive safety integrity levels (ASILs)
- Use ASILs for specifying the item’s necessary safety requirements for achieving an acceptable residual risk
- Provide requirements for validation and confirmation measures to ensure a sufficient and acceptable level of safety is achieved, supported by documented evidence
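The risk-based classification named in the list above rates each hazardous event for Severity, Exposure and Controllability and maps the combination to QM or ASIL A to D. The following added example (not code from the article or from Lotus) implements that ISO 26262-3 classification over a few constructed electric-motor hazard scenarios and derives the ASIL of the safety goal covering each hazard; the scenario ratings are assumptions chosen for illustration.

```python
"""ISO 26262-3 style hazard classification (added example, not Lotus code).
Each hazardous event is rated S0-S3 (severity), E0-E4 (exposure) and
C0-C3 (controllability); the combination yields QM or ASIL A-D."""
from dataclasses import dataclass

# ISO 26262-3 Table 4 is regular enough to express as a sum of the
# S/E/C indices: 7 -> A, 8 -> B, 9 -> C, 10 -> D, anything lower -> QM.
_ASIL_BY_SUM = {7: "A", 8: "B", 9: "C", 10: "D"}
_RANK = {"QM": 0, "ASIL A": 1, "ASIL B": 2, "ASIL C": 3, "ASIL D": 4}


@dataclass(frozen=True)
class HazardousEvent:
    hazard: str           # malfunction at vehicle level
    situation: str        # operational situation in which it occurs
    severity: int         # S0..S3
    exposure: int         # E0..E4
    controllability: int  # C0..C3


def classify(s: int, e: int, c: int) -> str:
    """Return 'QM' or 'ASIL A'..'ASIL D' for one S/E/C combination."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"invalid rating S{s} E{e} C{c}")
    if 0 in (s, e, c):          # S0, E0 or C0: no safety requirement
        return "QM"
    level = _ASIL_BY_SUM.get(s + e + c)
    return f"ASIL {level}" if level else "QM"


def safety_goal_asils(events) -> dict:
    """The safety goal for a hazard inherits the highest ASIL of the
    hazardous events it covers (ISO 26262-3)."""
    goals: dict = {}
    for ev in events:
        asil = classify(ev.severity, ev.exposure, ev.controllability)
        current = goals.get(ev.hazard, "QM")
        goals[ev.hazard] = max(current, asil, key=_RANK.__getitem__)
    return goals


# Constructed scenarios (ratings are assumptions, not a real HARA).
SAMPLE_EVENTS = [
    HazardousEvent("unintended motor torque", "motorway at speed", 3, 4, 3),
    HazardousEvent("unintended motor torque", "parking at walking pace", 1, 3, 2),
    HazardousEvent("loss of motor torque", "motorway overtaking", 2, 3, 2),
    HazardousEvent("loss of motor torque", "urban driving", 1, 4, 1),
]

if __name__ == "__main__":
    for hazard, asil in safety_goal_asils(SAMPLE_EVENTS).items():
        print(f"{hazard}: {asil}")
```

An out-of-range rating raises an error rather than silently rating the hazard QM, so a mistyped HARA entry cannot lower the classification.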
ISO 26262 has been written to represent state-of-the-art best practice for EE systems and therefore qualifies as a non-optional requirement. These directives do not provide guidance on implementation, nor do they provide interpretations of the law.
Legal critiques of products will be conducted in court using hindsight and evidence to determine whether or not the manufacturer was negligent, and whether or not the designer produced a reasonably safe design. Lawyers will argue how the evidence available shows how the manufacturer of the product applied (or didn’t apply) good safety engineering practices.
A concern is that if a potential failure of a system occurs and litigation results as a consequence, there are no examples as to how the legal process will consider evidence supported by the use of the standard.
The standard, although not a legal requirement, will be used to ascertain whether all appropriate mitigation was identified, analysed, adopted and functioned in accordance with documented evidence based upon ISO 26262 methodologies, which concludes that the system is compliant with the currently accepted state-of-the-art methods and principles.
Legally, it could be difficult to establish whether ‘state-of-the-art’ refers to what was currently in use within the manufacturer’s establishment or what was currently available globally.
Another consideration is whether ‘current’ in that statement means when the vehicle was designed, when it was launched or when the problem was discovered.
The current state of the art is a constantly moving target, especially within EE, so much so that what was state-of-the-art at the concept stage of a project may be regarded as obsolete by launch.
There will be many anomalies that come to light during the following months, but we must be aware that ISO 26262 is still in its infancy and as such is evolving. As practical users, we must identify areas of the standard that provoke concerns and possible implications for OEMs, suppliers and end-users.
When we at Lotus were first confronted with the ISO 26262 functional safety standard, it was met with a little trepidation before realising that it mainly put a more formal process around what we considered as ‘normal engineering business’.
ISO 26262 is a fundamental requirement of the automotive industry doctrine and ensures that current and future EE Systems within EV, hybrid and conventional vehicles are fully transparent regarding functional safety.
Similar logical processes, required to achieve acceptable functional safety standards within our range of controllers and EE systems, have been in use for a number of years throughout Lotus. These processes are part of the Lotus customer-driven engineering design tools referred to under failure mode avoidance (FMA).
At the working level, the greatest challenge we face when adhering to ISO 26262 requirements is training engineering teams to embrace the benefits of applying the methodology.
The introduction of ISO 26262 has required Lotus to reassess its approach to EE development and, in doing so, has highlighted aspects of in-house knowledge that enabled the development of Lotus’ own robust methodology for determining ASIL ratings. This is extremely time-efficient when establishing the classification of HEV systems.
Lotus has used the ISO 26262 methodology across all aspects of electronic and electrical systems currently in vehicles and powertrain variations: conventional mechanical drive systems with manual and automatic shifting, series and parallel hybrids, as well as pure EVs. The process is fully adaptable and logical, which concentrates the minds of engineering teams on the achievement and verification of the safety goals.
One of the biggest impacts is on product development, especially testing. Using the defined methodology has highlighted areas of concern which might previously have been overlooked. To this end, far more robust validation and verification methods have been introduced, based upon proving that an acceptable functionally safe state will be achieved across all identified hazard scenarios.
An example is the detailed design and control strategy developed to provide robust, rapid identification and mitigation of theoretical electric motor faults.
This included MiL simulation and HiL virtual testing using IPG CarMaker, and component failure mode testing on LabCar and Lotus EV test chambers, prior to inducing control-level simulations of the potential electric motor failures on the development vehicle being driven at speed under specific manoeuvres on the test track.
Software compliance is an essential requirement within vehicle control systems, although many OEMs design and implement software which is unique to them. This practice is becoming less common as more and more companies adopt AUTOSAR-compliant operating systems.
The main fear of OEMs and the supply base is that, as ISO 26262 is new, it will require a completely different approach and understanding on their part, entailing increased workload. Yes, there will be a certain amount of training and extra detailed work at the start of projects, but this should lead to a far more compact, robust, realistic, time- and cost-saving validation plan.
Training courses in the use of ISO 26262 and FMA are a requirement for all Lotus teams and first- and second-tier suppliers. Lotus also offers courses to any OEM or supplier who wishes to understand ISO 26262 and how best to implement it, supported with practical examples of its usage and results.
Lotus has the benefit of considerable expertise spanning the full range of design, development, manufacturing and production disciplines. This provides a unique viewpoint from which to recognise, first hand, the many facets required to fully implement safety and functional safety at a component, system and vehicle level from concept and design, through product development to product implementation and on to full production.
ISO 26262 is here to stay and therefore all OEMs and their supply bases need to quickly develop structured usage methods based upon actual projects. It would be advantageous if all the learning generated by the adoption and application could be pooled.
Unfortunately, as this standard pertains to safety, it is expected that most manufacturers will not openly divulge their experiences for mutual benefit and the greater good, so in general each company will develop its own interpretations and approaches to meeting the standard in relative isolation.
Lotus is well placed and available to train, advise and support the implementation and understanding of the standard.
Writer: Richard Mayes, Exec. Manager EE functional safety, Lotus Engineering