Automotive systems that affect safety must comply with the automotive functional safety standard, ISO 26262. Electronic and electrical systems that are interlinked so that the input from one sensor serves several functions in the vehicle (which also lowers system cost) carry additional safety considerations. To ensure proper and verified capability, the hardware (HW), software (SW), or system elements must meet Safety Element out of Context (SEooC) criteria and be developed according to ISO 26262-6.
ISO 26262 defines an Automotive Safety Integrity Level (ASIL) of A, B, C, or D, with D being the most critical. Each level demands a maximum failure rate and a minimum percentage of "safe" failures with respect to all failures the system can exhibit in operation. The appropriate ASIL is determined through a hazard analysis and risk assessment (HARA) performed at the vehicle level. As key system components, sensors contribute to, and must meet, the overall ASIL rating.
HARA is specified in the Concept Phase (Part 3) of the ISO 26262-3:2018 standard document. This analysis helps assign the right ASIL value to an automotive system and derive the safety goals. ISO 26262 identifies the verification methods (specific techniques and processes that must be used) to ensure that a vehicle’s safety-related functions meet the necessary safety requirements, including SEooC aspects.
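To make the "maximum failure rate and minimum percentage of safe failures" idea concrete, here is an added example (not from the original article) that computes the ISO 26262-5 hardware architectural metrics, single-point fault metric (SPFM), latent fault metric (LFM) and a simplified PMHF, from a constructed FMEDA table for one accelerometer channel. The failure rates, coverages and the `SENSOR_FMEDA` rows are made up, and the per-ASIL targets in `TARGETS` are the editor's reading of the ISO 26262-5 tables, so they should be checked against the standard before use.

```python
# Constructed example, not from the original article: simplified FMEDA-style
# computation of ISO 26262-5 hardware metrics for a sensor element.
# Failure rates and coverages are made up; TARGETS are the editor's reading of
# ISO 26262-5 and must be verified. Dual-point PMHF contributions are ignored.
from dataclasses import dataclass

FIT = 1e-9  # one FIT is one failure per 1e9 device-hours


@dataclass(frozen=True)
class FailureMode:
    name: str
    fit: float        # base failure rate of this mode, in FIT
    safe: bool        # True if the mode can never violate the safety goal
    dc: float         # diagnostic coverage of the safety mechanism (0..1)
    latent_dc: float  # share of detected faults also revealed before they stay latent


# Hypothetical FMEDA rows for one accelerometer channel (constructed values).
SENSOR_FMEDA = [
    FailureMode("sensing element stuck", 40.0, False, 0.99, 0.90),
    FailureMode("ADC offset drift", 25.0, False, 0.95, 0.80),
    FailureMode("SPI frame bit flip", 20.0, False, 0.999, 0.95),
    FailureMode("internal regulator fault", 10.0, False, 0.90, 0.50),
    FailureMode("unused test register", 5.0, True, 0.0, 0.0),
]

# Assumed minimum SPFM, minimum LFM and maximum PMHF (per hour) for each ASIL.
TARGETS = {"B": (0.90, 0.60, 1e-7), "C": (0.97, 0.80, 1e-7), "D": (0.99, 0.90, 1e-8)}


def compute_metrics(fmeda):
    """Return SPFM, LFM and a simplified PMHF for a list of FailureMode rows."""
    total = sum(fm.fit for fm in fmeda)
    dangerous = [fm for fm in fmeda if not fm.safe]
    # Residual faults: dangerous failures the safety mechanism does not catch.
    residual = sum(fm.fit * (1.0 - fm.dc) for fm in dangerous)
    # Latent faults: detected (multiple-point) faults that stay hidden.
    latent = sum(fm.fit * fm.dc * (1.0 - fm.latent_dc) for fm in dangerous)
    spfm = 1.0 - residual / total
    lfm = 1.0 - latent / (total - residual)
    return {"spfm": spfm, "lfm": lfm, "pmhf": residual * FIT}


def highest_asil(fmeda):
    """Highest ASIL (B, C or D) whose assumed targets the element meets, or None."""
    m = compute_metrics(fmeda)
    met = [asil for asil, (s_min, l_min, p_max) in TARGETS.items()
           if m["spfm"] >= s_min and m["lfm"] >= l_min and m["pmhf"] < p_max]
    return max(met) if met else None
```

With these constructed rows the channel reaches SPFM of about 97.3% and LFM of about 85.4%, so it clears the assumed ASIL C targets but not the ASIL D ones, which is the kind of "SEooC up to ASIL C" boundary a sensor datasheet states.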
Unlike traditional automotive safety development, which typically uses a top-down approach, SEooC development uses a bottom-up methodology. After determining which HW, SW, or system element must be developed to an ASIL, assumptions about the ASIL level and the context/environment in which the safety element will be used are formulated and documented. These assumptions define the scope, or boundary, of the element.
With a verified SEooC sensor (or other SW, HW, or system aspect), system integrators can use the same SEooC element in several programs instead of developing separate safety elements for every program, thereby reducing development costs and effort.
Sensing considerations
Different automotive safety-related systems require different ASIL grades. For example, sensors in airbag, anti-lock brake, and power steering systems require an ASIL-D grade. To meet the ASIL requirements, different internal safety mechanisms are designed into those sensors.
Autonomous driving requires ASIL-qualified sensors, too. SEooC sensors can carry different ASIL ratings. For example, a high-accuracy, 6-axis inertial measurement unit (IMU) combining a 3-axis digital accelerometer and a 3-axis digital gyroscope has been designed for SEooC applications and has an ASIL-B rating. In this case, its safety boundaries, its behavior, and the other aspects essential to its proper application as an SEooC component are documented for system integrators that have previously produced a vehicle-level HARA.
Sensors that measure linear acceleration and angular rate have multiple system applications in vehicles. These measurements are used in in-dash car navigation, accurate positioning, V2X (vehicle-to-everything), radar, lidar, camera stabilization systems, and more. As noted previously, the required measurements and ASIL grade can vary greatly. For example, pressure sensors are offered with SEooC ratings for system integration up to ASIL C.
Sensor suppliers provide guidelines and recommendations for the proper use of SEooC sensors to help system designers. Identified assumptions are also essential for sensor suppliers and system designers to be on the same page. Goal Structuring Notation (GSN) is an approach to defining and documenting the assumed SEooC requirements used during the validation and verification phases in a graphical manner.
SEooC sensors
With the right design approach, commercial off-the-shelf (COTS) sensors with an SEooC rating can be used in safety systems, provided they have been properly validated and integrated into the safety development process.