ASIL Determination Exercise
ISO 26262
The Exercise
• The six hazards to be classified are the following:
1. Unwanted deployment of airbag
2. Airbag function unavailable, without any information to the driver about this unavailability
3. Unwanted full braking (around 10 m/s²), not limited in time
4. Unwanted full braking (around 10 m/s²), 1 second duration
5. “Collision avoidance by braking” function unavailable, without any information to the driver about this unavailability
6. Total loss of service brake function, i.e. not possible for the driver to brake using the brake pedal.
ASIL Factors
ASIL Allocation
          C1   C2   C3
S1   E1   QM   QM   QM
S1   E2   QM   QM   QM
S1   E3   QM   QM   A
S1   E4   QM   A    B
S2   E1   QM   QM   QM
S2   E2   QM   QM   A
S2   E3   QM   A    B
S2   E4   A    B    C
S3   E1   QM   QM   A
S3   E2   QM   A    B
S3   E3   A    B    C
S3   E4   B    C    D
Results and Discussion
Version 1
Hazard: 1. Unwanted deployment of airbag
S - Severity: S3. Driver distraction and possible incapacitation, meaning the worst case is an accident leading to life-threatening injuries.
E - Exposure: E4. The driver is exposed to this potential hazard during the majority of all driving situations, as the airbag is continually ready for action (recall E is the probability of exposure to a driving situation where an accident can potentially happen).
C - Controllability: C3. The driver may be distracted and/or disorientated by the airbag firing and may react instinctively, e.g. jerk the steering wheel. In this scenario, even such a small deviation may require skilled and rapid intervention to correct. Estimate 50% of drivers could have an initial panic reaction. Furthermore, high likelihood of driver being disorientated or even rendered unconscious. Although C2 may have seemed more appropriate initially given how drivers would react (if conscious), the potential for incapacity leads to a classification of C3.
ASIL: D
Version 2
Hazard: 1. Unwanted deployment of airbag
S - Severity: S3. The driver may be so distracted that a life-threatening accident occurs.
E - Exposure: E4. Situations where life-threatening accidents may occur represent over 10% of the driving time.
C - Controllability: C2. 1%-10% of drivers are assumed to be incapable of avoiding a life-threatening accident.
ASIL: C. No need to investigate S2 and S1 effects as ASIL will not be above C anyway.
Version 1
Hazard: 2. Airbag function permanently unavailable, without any information to the driver about this unavailability
S - Severity: S3. We consider the situations where the airbag should have deployed, which by definition are scenarios leading to an S3 outcome.
E - Exposure: E1. Accidents are very rare events, occurring less than once per year per vehicle.
C - Controllability: C3. No driver action is possible to control the outcome of this hazard.
ASIL: A
Version 2
Hazard: 2. Airbag function permanently unavailable, without any information to the driver about this unavailability
S - Severity: S3. The lack of airbag function could lead to life-threatening effects.
E - Exposure: E1. Collisions are very rare events, occurring less than once per year per vehicle.
C - Controllability: C3. Once the collision occurs, the driver cannot control the situation.
ASIL: A. No need to investigate S1-S2 effects as ASIL is limited to A by the E1 parameter.
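The two bounding remarks in the Version 2 answers ("ASIL will not be above C anyway", "limited to A by the E1 parameter") can be checked mechanically against the ASIL Allocation table. The Python below is an added example, not part of the original exercise: the function names are illustrative, and the sum shortcut is a property of this table that the slides do not state.

```python
from itertools import product

ORDER = ["QM", "A", "B", "C", "D"]          # lowest to highest integrity level
S, E, C = ["S1", "S2", "S3"], ["E1", "E2", "E3", "E4"], ["C1", "C2", "C3"]
# ASIL Allocation table from the slide: one row per (S, E); columns C1, C2, C3.
_ROWS = """
S1 E1 QM QM QM
S1 E2 QM QM QM
S1 E3 QM QM A
S1 E4 QM A  B
S2 E1 QM QM QM
S2 E2 QM QM A
S2 E3 QM A  B
S2 E4 A  B  C
S3 E1 QM QM A
S3 E2 QM A  B
S3 E3 A  B  C
S3 E4 B  C  D
"""
TABLE = {}
for line in _ROWS.strip().splitlines():
    s, e, *cells = line.split()
    TABLE.update({(s, e, c): level for c, level in zip(C, cells)})

def asil(s, e, c):
    """Table lookup, e.g. asil("S3", "E4", "C2"); rejects classes not in the table."""
    if (s, e, c) not in TABLE:
        raise ValueError(f"not an S1-S3 / E1-E4 / C1-C3 combination: {s} {e} {c}")
    return TABLE[(s, e, c)]

def asil_by_sum(s, e, c):
    """Shortcut: class numbers summing to 7, 8, 9, 10 give A, B, C, D; below 7 is QM."""
    total = int(s[1]) + int(e[1]) + int(c[1])
    return ORDER[max(total - 6, 0)]

def max_asil(s=None, e=None, c=None):
    """Highest ASIL still reachable when only some of the classes are fixed."""
    combos = product([s] if s else S, [e] if e else E, [c] if c else C)
    return max((asil(*k) for k in combos), key=ORDER.index)

def sum_rule_holds():
    """True if the shortcut agrees with every one of the 36 table cells."""
    return all(asil(*k) == asil_by_sum(*k) for k in TABLE)

if __name__ == "__main__":
    # Classes stated in the worked answers for hazards 1 and 2.
    for k in [("S3", "E4", "C3"), ("S3", "E4", "C2"), ("S3", "E1", "C3")]:
        print(k, "->", asil(*k))
    print(max_asil(e="E1"), max_asil(e="E4", c="C2"), sum_rule_holds())
```

`max_asil(e="E1")` reproduces the "limited to A" remark, and `max_asil(e="E4", c="C2")` shows that with E4 and C2 fixed no severity class can yield more than C.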
Version 1
Hazard: 3. Unwanted full braking (around 10 m/s²), not limited in time
S - Severity: S3. Driving at high speed on a motorway with heavy traffic.
E - Exposure: E4. Very common driving scenario.
C - Controllability: C3. The expected task of the driver of this vehicle is to maintain steering control of the vehicle as it slows (presumably to a halt). Other traffic participants will be expected to recognize and react to the sudden braking and stopping of this vehicle.
ASIL: D