Basics of functional safety

We were able to examine the connection between the terms danger, damage, risk and safety in more detail using the definitions in the last issue. In this article, we want to establish the connection to ISO 26262, break down the term risk according to the standard and understand the results of a risk analysis.


In ISO 26262, the term risk is broken down as follows:

It depends on the extent of the potential damage, the severity "S".

It depends on the duration or frequency of exposure to the hazard, the probability of occurrence "E".

The higher the severity and the more probable the exposure to the hazard, the higher the risk.

It is also taken into account that a hazardous situation can be averted by a timely reaction of those involved, the so-called controllability "C".

Combining the assessments of the three characteristics severity, probability of occurrence and controllability yields the determined risk, expressed as the ASIL classification (Automotive Safety Integrity Level).

It does not matter whether the possible personal injury affects the driver, passengers, pedestrians or other road users. The greater the potential damage, the more frequently situations that could cause such damage occur and, at the same time, the less capable the driver is of controlling such situations, the greater the risk and thus the ASIL.

In ISO 26262, the characteristics S, E and C are combined in tables to form a risk.

Their possible values and the corresponding meanings are as follows:

S0 – no injuries

S1 – light and minor injuries

S2 – serious and life-threatening injuries, but with a chance of survival

S3 – life-threatening and fatal injuries with almost no chance of survival

E0 – unimaginable, never occurs

E1 – very unlikely, less than once a year for the vast majority of drivers

E2 – unlikely, a few times a year for the vast majority of drivers

E3 – medium probability, monthly to frequently for the average driver

E4 – high probability, situations occurring on average on almost every trip

C0 – controllable in general

C1 – simply controllable

C2 – normally controllable

C3 – difficult to control or uncontrollable

To determine the ASIL, which is divided into the levels "QM" (quality management measures), ASIL-A, ASIL-B, ASIL-C and ASIL-D, the individual values are added together:

R = S + E + C

10 points result in ASIL-D

9 points result in ASIL-C

8 points result in ASIL-B

7 points result in ASIL-A

≤ 6 points result in QM

If S0 or C0 is part of the assessment, the result is automatically QM: if there is no probability of injury, or if the hazardous situation is controllable in general, there is no relevance for functional safety.
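To make the scheme above concrete, here is an added example (not code from the article) that implements the R = S + E + C rule together with the S0/C0 exception and applies it to a few HARA rows; the hazard descriptions and their S/E/C values are constructed sample data, not a real assessment.

```python
# Added example: ASIL determination from S/E/C as described above.
# The hazard rows below are constructed sample data, not a real HARA.
from dataclasses import dataclass

# Defined value ranges: S0-S3, E0-E4, C0-C3.
RANGES = {"S": range(0, 4), "E": range(0, 5), "C": range(0, 4)}

# R = S + E + C -> ASIL, as stated in the article; 6 points or fewer is QM.
ASIL_BY_POINTS = {10: "ASIL-D", 9: "ASIL-C", 8: "ASIL-B", 7: "ASIL-A"}


def determine_asil(s: int, e: int, c: int) -> str:
    """Return the ASIL (or 'QM') for one severity/exposure/controllability triple."""
    for name, value in (("S", s), ("E", e), ("C", c)):
        if value not in RANGES[name]:
            raise ValueError(f"{name}{value} is outside the defined range")
    # S0 (no injuries) or C0 (controllable in general) means no relevance for
    # functional safety. This check must come before the sum: the plain sum
    # would otherwise rate S0/E4/C3 (0 + 4 + 3 = 7) as ASIL-A.
    if s == 0 or c == 0:
        return "QM"
    return ASIL_BY_POINTS.get(s + e + c, "QM")


@dataclass(frozen=True)
class Hazard:
    """One HARA row: the hazardous event and its S/E/C assessment."""
    event: str
    s: int
    e: int
    c: int


# Constructed sample rows with illustrative values (not a real assessment).
SAMPLE_HARA = [
    Hazard("Unintended full braking on the motorway", s=3, e=4, c=3),
    Hazard("Loss of steering assist at low speed", s=2, e=4, c=2),
    Hazard("Interior lighting fails while parked", s=1, e=3, c=0),
    Hazard("Wiper stops in light rain", s=1, e=3, c=2),
]


def rate_hara(rows) -> dict:
    """Map each hazardous event to its ASIL, as the HARA result table would."""
    return {row.event: determine_asil(row.s, row.e, row.c) for row in rows}


if __name__ == "__main__":
    for event, asil in rate_hara(SAMPLE_HARA).items():
        print(f"{asil:6}  {event}")
```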


ISO 26262 only considers hazards that are caused by or arise from the malfunction of E/E/PE systems (including their interactions). Hazards such as electric shock, fire, smoke, heat, radiation, toxicity, flammability, chemical reactions, corrosion, release of energy, etc. are not considered unless they arise as a result of such a malfunction.

ISO 26262 uses the ASIL classification as a basis and, depending on the level, specifies ASIL-dependent requirements for the item under consideration, as well as processes and risk reduction measures to be considered or recommended for the development of the respective system. For a QM result, the measures of a normal quality management system, i.e. the standards that already apply, are sufficient.


The item is the definition and description of the system under consideration and its system boundaries, including dependencies and interactions with the environment and with other items. It is recorded at the start of development in the item definition.


To arrive at an ASIL, and thus to be able to make the individual assessments of severity, probability of occurrence and controllability, the standard recommends a HARA (Hazard Analysis and Risk Assessment). Its aim is to identify and categorize the hazards that malfunctions of the item could cause. A HARA also formulates safety goals to avoid or reduce hazardous events so that intolerable risks are excluded.

How long a HARA takes depends on the complexity of the item under consideration, any specific requirements that may exist and the available resources.

Melster Consulting - your partner in the implementation of functional safety

The overall expertise of our team at Melster Consulting dates back to before the publication of ISO 26262. We would be happy to support you with our expertise in the development process of your product!