ASIL (ISO 26262) Decomposition
ASIL (ISO 26262) Decomposition
ASIL (ISO 26262) Decomposition
Madhusudhanan Ravi
www.embeddeduncharted.com
2
Madhusudhanan Ravi www.embeddeduncharted.com
ASIL
3
Madhusudhanan Ravi www.embeddeduncharted.com
Automotive Safety Integrity Level
Risk Potential
QM A B C D
4
Madhusudhanan Ravi www.embeddeduncharted.com
ASIL Basics
• The ASIL is calculated for a function and not calculated for
a physical system component. HARA
Cost, Effort
• There are strict underlying concepts and rules that must
be respected.
6
Madhusudhanan Ravi www.embeddeduncharted.com
ASIL Decomposition
7
Madhusudhanan Ravi www.embeddeduncharted.com
ASIL Decomposition
8
Madhusudhanan Ravi www.embeddeduncharted.com
Valid Combinations – Simple Decomposition
ASIL C ASIL C
ASIL C
ASIL B(C) ASIL A(C) ASIL C(C) QM (C)
ASIL B ASIL B
ASIL B
ASIL A(B) ASIL A(B) ASIL B(B) QM (B)
ASIL A
ASIL A
ASIL A(A) QM (A)
9
Madhusudhanan Ravi www.embeddeduncharted.com
Valid Combinations – Multilevel Decomposition
ASIL Value ASIL Decomposition Combinations
• System Design
Inherited Safety Goal
• Hardware Design and Safe State
• Software Design
11
Madhusudhanan Ravi www.embeddeduncharted.com
Redundancy through Decomposition
Functional Redundancy
• ASIL Decomposition introduces functional redundancy. Safety
Goal
• Two independent architectural elements work toward the same
(redundant) safety goal.
Remember that (in general) there is actually very little redundancy in automotive systems. Costs !
12
Madhusudhanan Ravi www.embeddeduncharted.com
ASIL Decomposition Example -
Motor Control Function
13
Madhusudhanan Ravi www.embeddeduncharted.com
Function Description
Description :
• Consider a function F which, upon input from a combination of sensors S1, S2, ... Sn issues an activation
command to actuator M (“Motor”)
• Sensors S1, S2 till Sn measure different values. They are independent and non-redundant.
S1 MCU
U
S2 PWM cmd signal
ASIL D V
: M
W
: driver
: Brushless
Sn 3-phase DC Motor
14
Madhusudhanan Ravi www.embeddeduncharted.com
ASIL Allocation
• Assumption : In this scenario we assume that each of these sensors, if faulty, could by itself cause the safety
goal to be violated.
• Therefore according to the ASIL theory in the standard, each sensors shall inherit the same ASIL level D, allocated
to the function F
ASIL D
ASIL D
MCU ASIL D
ASIL D S1
U
PWM cmd signal
V
ASIL D S2 M
ASIL D W
driver
ASIL D Sn Motor
15
Madhusudhanan Ravi www.embeddeduncharted.com
Initial Analysis
• Using the specific knowledge of the technology, analysis must be performed to reason which elements of the
architecture are capable of violating safety goals.
• In this example, we know from the theory of motor control, that the three phases need signals that are
precisely defined in time,
• Therefore some of the components (e.g. the driver and its associated command channel), in case of
failure couldn’t possibly produce the precise signals necessary to erroneously activate “M”.
• And therefore they are incapable by themselves of violating the safety goal.
U
PWM cmd signal
V
M
W
driver
16
Madhusudhanan Ravi www.embeddeduncharted.com
Lowering ASIL
• As a result of this analysis, we are justified in lowering the ASIL of the driver, motor, and command channel to QM.
Note : This depends entirely on the technology; if the motor were based on continuous technology, it would not have been possible
to lower the ASIL to QM
ASIL D
QM
MCU QM
ASIL D S1
U
PWM cmd signal
V
ASIL D S2 M
QM W
driver
ASIL D Sn Motor
17
Madhusudhanan Ravi www.embeddeduncharted.com
◉ Lessons Learnt:
Sometimes through examining the technology and its potential for
safety goal violation, we can influence ASIL allocation. A project might
even change its technologies after such analyses.
18
Madhusudhanan Ravi www.embeddeduncharted.com
Exploiting the HARA results – System Design
• As we begin to perform system design, we shall look to improve the Safety architecture by considering the
results of HARA.
• Currently the architecture considers only “erroneous sensor inputs”, regardless of the operational scenario.
• Typically the HARA shall distinguish the operational scenarios related to the risks (such as speed of the
vehicle).
• Assuming that the HARA yielded the result that the “undesired activation of M” is dangerous only at a speed
greater than threshold, this information could be exploited to introduce a safety mechanism in our
architecture.
Risk analysis information
(ex: operational scenario) Another example : consider undesired
HARA deployment of an airbag – its effect depends
on the velocity of the vehicle.
New
Architecture Typical Operational Scenarios :
Initial • Driver-side door open
Architecture Safety • Temperature of the engine greater than
Mechanism a threshold.
19
Madhusudhanan Ravi www.embeddeduncharted.com
Introducing a Safety Mechanism
We now introduce a Safety mechanism : “The function M must not be activated when vehicle speed is greater than a
specified threshold”.
– This is effectively introducing a kind of “AND” gate to lower the probability of M being erroneously activated.
– The undesired activation of M can only occur now if F fails and V>threshold.
ASIL D(D)
ASIL D(D)
QM
MCU QM
S1
U
PWM cmd signal
V
S2 M
QM W
driver
Sn Motor
V
SHW Application SW
SSW – SW introduced for the safety mechanism
SHW – HW introduced for the safety mechanism
Speed Sensor
20
Madhusudhanan Ravi www.embeddeduncharted.com
◉ Lessons Learnt :
By careful examination of the Hazard and Risk Analysis and sufficiently
detailed analysis of operational scenarios, we can discover possibilities for
the introduction of safety mechanisms in the architecture.
21
Madhusudhanan Ravi www.embeddeduncharted.com
Safety Mechanism ASIL?
By introducing the safety mechanism we have changed the ASIL D(D)
architecture now, ASIL D(D)
MCU
- Introduced a new speed sensor “v”. S1
- Introduced new software.
S2
22
Madhusudhanan Ravi www.embeddeduncharted.com
SW ASIL Decomposition?
Observation: Analyzing the new architecture we can observe, Decision:
• ASIL D for the complete system software to be too high and • Apply ASIL Decomposition at the software level.
• Introducing HW redundancy is not cost optimal.
V
SHW
ASIL D(D) ASIL D(D) Any software function potentially leading to the violation of
the safety goal (operating system, safety mechanism, etc.)
23
Madhusudhanan Ravi www.embeddeduncharted.com
Independence
Is this Decomposition acceptable ?
24
Madhusudhanan Ravi www.embeddeduncharted.com
Lessons Learnt :
Software level ASIL decomposition involves a careful analysis of both
software and hardware independence. Hardware metrics are not affected
by ASIL decomposition at the software level.
25
Madhusudhanan Ravi www.embeddeduncharted.com
HW Level Decomposition
• The analysis of software level decomposition reveals that there are too many issues, and hence we shall
perform a HW-level decomposition.
Application software,
firmware, operating system
QM
QM QM
MCU
QM
S1
U
PWM cmd signal
V
S2 M
QM W
driver
Sn Motor
Independence
V
SHW The Safety Element disables the
ASIL D(D) Safety Element driver if V > threshold
Functions related
ASIL D(D) to the safety goal
26
Madhusudhanan Ravi www.embeddeduncharted.com
The Safety Element - HW
What exactly is the Safety Element in terms of hardware?
• This doesn’t have to be a full microprocessor
• It might be a programmable gate array, essentially just a state machine, programmed only one time, with no
operating system
• They cost only one-tenth of a full micro, and are very reliable, with their own clock and power supply, easy to
manage
27
Madhusudhanan Ravi www.embeddeduncharted.com
Lessons Learnt :
Hardware level ASIL decomposition involves deep knowledge of
the characteristics of the available hardware, so that
independence, functionality, and costs are all correctly balanced
28
Madhusudhanan Ravi www.embeddeduncharted.com
ASIL Decomposition – Architecture evolution
Initial Architecture
29
Madhusudhanan Ravi www.embeddeduncharted.com
Alternate Decompositions
30
Madhusudhanan Ravi www.embeddeduncharted.com
Alternate Decomposition
The HW level decomposition presented here can be favorable when
There are many non-critical functions that can be confined to the main MCU, and
A limited number of safety critical functions sharing the same safe state (driver deactivation).
What other possibilities exist for decomposing the original ASIL (D) over the two elements?
• There are two more decomposition possible :
1. ASIL B (assigned to μP) + ASIL B (assigned to safety element)
2. ASIL C (assigned to μP) + ASIL A (assigned to safety element)
31
Madhusudhanan Ravi www.embeddeduncharted.com
Alternative 1: ASIL B(D) + ASIL B(D)
The first alternative decomposition represents having two essentially equivalent processors with
redundant functionality.
• This is a prohibitively expensive solution already from the hardware side (a processor is much more
costly than e.g. a simple sensor)
• Furthermore, the software would have to be developed with “diversity” techniques that are also
known to be prohibitively expensive
High Cost !
ASIL D
32
Madhusudhanan Ravi www.embeddeduncharted.com
Alternative 2 : ASIL C(D) + ASIL A(D)
This alternative represents an asymmetric layout once again
• Main MCU : The software assigned to the main microprocessor ASIL D
implements the overall functions of the Controller.
• Safety Element : The safety element is simple, inexpensive, and reliable. ASIL C(D) ASIL A(D)
33
Madhusudhanan Ravi www.embeddeduncharted.com
Alternative 2 : ASIL C(D) + ASIL A(D)
- The Safety element may be too simple to be able to handle more complex safety functions.
- In some cases the safety element could be a legacy element from previous designs and it has a prescribed use.
34
Madhusudhanan Ravi www.embeddeduncharted.com
Lessons Learnt :
The “obvious” decomposition may not always be possible due to
project-specific constraints such as legacy components. Case-by-
case analysis is essential.
35
Madhusudhanan Ravi www.embeddeduncharted.com
Ten ASIL Misconceptions
36
Madhusudhanan Ravi www.embeddeduncharted.com
ASIL Misconceptions
10. The ASIL deals with hardware development only
- ASIL has an impact on hardware, software, and supporting processes
37
Madhusudhanan Ravi www.embeddeduncharted.com
ASIL Misconceptions
5. ASIL decomposition is required by the 26262 standard
- In reality, it is not a required step. It can be seen as an opportunity to allocate homogeneously functions with
different safety criticality during the SW partitioning onto the HW elements.
4. Software level ASIL decomposition is simpler and cheaper than hardware level decomposition
- In reality, software level decomposition is often more difficult and more expensive than hardware level decomposition,
due to heavy requirements for diversity and independence.
38
Madhusudhanan Ravi www.embeddeduncharted.com
www.embeddeduncharted.com