If the questions posted on the LinkedIn ISO 26262 Functional Safety group are any indication, many people need to understand ISO 26262 Road vehicles – Functional safety and the Automotive Safety Integrity Levels (ASILs) the standard defines. Yet only a handful of experts seem to understand how ASILs are determined and what they imply for the design, construction, and validation of safety-related electronic systems in vehicles.
ASILs Aren't SILs
ISO 26262 is an extension of IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems. IEC 61508 defines Safety Integrity Levels (SILs); ISO 26262 defines ASILs. It would seem that ASILs are just like SILs, and that anyone familiar with building a safety case for a system requiring IEC 61508 SIL certification should be able to carry those methods over to an ISO 26262 project.
Experience building an IEC 61508 safety case and gathering evidence for it will certainly be invaluable to anyone building the safety case for an ISO 26262 system. But unlike IEC 61508, ISO 26262 is “not a reliability standard.”1 It does not set precise figures for acceptable probabilities of failure. ASILs therefore cannot be determined in the same way as IEC 61508 SILs.
When defining SILs, IEC 61508 considers the target failure measures for systems acting in low demand, high demand, or continuous mode. For example, a software component certified to continuous mode SIL 3 is required to have a probability of dangerous failure below 1 in 10 million per hour of operation. IEC 61508 SILs can thus be considered one-dimensional, in the sense that they involve only the probability of failure in the stated operating mode.
ASILs, however, are three-dimensional, involving three variables: severity, probability of exposure, and controllability. ISO 26262-3, Section 7 “Hazard analysis and risk assessment,” provides tables that divide each of these variables into classes. Probability of exposure has five classes, ranging up to “high probability” (E0–E4). Severity has four classes, from “no injuries” to “life-threatening injuries (survival uncertain), fatal injuries” (S0–S3). Controllability, meaning controllability by the driver rather than by the vehicle’s electronic systems, has four classes, from “controllable in general” to “difficult to control or uncontrollable” (C0–C3).
The fourth table in this section of the standard shows how these variables must be combined to determine the required ASIL for an electronic system, subsystem, or component in the vehicle. For example, a component that must be relied upon in a situation that has a medium probability of occurring (E3) and is considered normally controllable (C2) but can result in life-threatening injuries (S3) requires an ASIL of B.
This method of determining an ASIL is quite different from the strict reliability (improbability of failure) targets that IEC 61508 prescribes. Although ISO 26262 provides details and examples in Annex B of Part 3, determining an ASIL involves many factors, and even with the information in Annex B it requires us to make many assumptions.
For instance, the severity classes presented in this annex use the Association for the Advancement of Automotive Medicine’s Abbreviated Injury Scale (AIS), but the standard states “other categorizations such as Maximum AIS (MAIS) and Injury Severity Score (ISS) can be used.”2 Similarly, Annex B defines C2 controllability as “90% or more of drivers or other traffic participants are usually able to avoid harm,”3 and an E3 probability of exposure is defined as “1% to 10% of average operating time” (Fig. 1).4
These definitions are informative, not prescriptive, and leave a great deal of discretion to whoever is building each component system and ultimately to the automaker and suppliers. For example, the phrase defining C2 controllability doesn’t state 90% of which drivers, and it includes the word “usually.”
We must decide which statistical sample we will use to establish that 90% of drivers can usually avoid harm, and whether “usually” means more than 50% of occurrences, more than 90% of occurrences, or something else. Probability of exposure similarly depends on context and interpretation. The probability of exposure to black ice on a bridge is different in Florida than in Manitoba.
Further, the standard states that for the controllability and exposure classes, the difference in probability from one “class to the next is an order of magnitude.”5 It does not explicitly specify whether this order of magnitude is binary (×2) or decimal (×10). From the examples in Annex B we can infer that it is decimal. For example, E1 is “<1% of average operating time” and E2 is “1% to 10% of average operating time.”6
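To make the lookup in the fourth table, and the assumption problem described in the last few paragraphs, concrete, here is an added Python example; it is not code from the article and not part of ISO 26262. It encodes the S/E/C-to-ASIL mapping of ISO 26262-3:2011 Table 4 (the table the article refers to) and then enumerates every ASIL reachable when the exposure and controllability classes are left open by the kind of assumptions discussed above. The candidate class sets used in the main block (severity fixed at S3, exposure E2 or E3, controllability C2 or C3) are constructed for illustration.

```python
"""Added example: ASIL determination from ISO 26262-3 Table 4 and the
spread of results produced by unresolved classification assumptions."""

from itertools import product

# Class identifiers from ISO 26262-3 Section 7.
SEVERITY = ("S0", "S1", "S2", "S3")
EXPOSURE = ("E0", "E1", "E2", "E3", "E4")
CONTROLLABILITY = ("C0", "C1", "C2", "C3")

# ISO 26262-3:2011 Table 4. Each row string lists the result for C1 C2 C3.
# A class of 0 in any dimension (S0, E0, C0) yields QM: no ASIL is required.
TABLE_4 = {
    "S1": {"E1": "QM QM QM", "E2": "QM QM QM", "E3": "QM QM A", "E4": "QM A B"},
    "S2": {"E1": "QM QM QM", "E2": "QM QM A", "E3": "QM A B", "E4": "A B C"},
    "S3": {"E1": "QM QM A", "E2": "QM A B", "E3": "A B C", "E4": "B C D"},
}

# Ranking used to order results from least to most demanding.
ASIL_ORDER = ("QM", "A", "B", "C", "D")


def asil(s, e, c):
    """Return 'QM' or 'A'..'D' for severity s, exposure e, controllability c."""
    if s not in SEVERITY or e not in EXPOSURE or c not in CONTROLLABILITY:
        raise ValueError(f"unknown class combination: {s} {e} {c}")
    if "0" in (s[1], e[1], c[1]):
        return "QM"
    row = TABLE_4[s][e].split()
    return row[int(c[1]) - 1]


def asil_range(s_options, e_options, c_options):
    """ASILs reachable under every combination of candidate classes.

    Returns (lowest, highest, all_sorted). The spread shows how much the
    classification depends on the assumptions behind each class; the
    conservative choice is the highest value.
    """
    found = {asil(s, e, c) for s, e, c in product(s_options, e_options, c_options)}
    ranked = sorted(found, key=ASIL_ORDER.index)
    return ranked[0], ranked[-1], ranked


if __name__ == "__main__":
    # The article's worked case: S3, E3, C2 -> ASIL B.
    print("S3/E3/C2 ->", asil("S3", "E3", "C2"))
    # Constructed assumption space: exposure and controllability undecided.
    low, high, every = asil_range(["S3"], ["E2", "E3"], ["C2", "C3"])
    print("S3, E2-E3, C2-C3 ->", every, "conservative choice:", high)
```

Leaving two classes open by one step each already spans three ASILs, which is why guidance such as SAE J2980 matters: narrowing the defensible interpretations of “usually” and of the exposure thresholds is what pins the lookup down to a single row of Table 4.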
ISO 26262: A Goal-Based Standard
Given the number of assumptions we must make to determine an ASIL, it is not surprising that the Society for Automotive Safety Engineers (SAE) is drafting J2980 – Considerations for ISO26262 ASIL Hazard Classification to provide more explicit guidance for classifying the three dimensions of an ASIL. These guidelines should reduce the breadth of possibilities when we make assumptions about severity, probability of exposure, and controllability, but they will not eliminate the need for such assumptions when we determine ASILs.
But if we step back and look at ISO 26262 as a whole, we note that the standard is about preventing harm:
Safety goals are top-level safety requirements … They lead to the functional safety requirements needed to avoid an unreasonable risk for each hazardous event. Safety goals are not expressed in terms of technological solutions, but in terms of functional objectives.7
Hazards can arise from so many factors that, in practice, they cannot all be named and described, or even counted. Building an ISO 26262 system that does not cause unacceptable harm therefore depends on a broad range of techniques. ASILs are just one part of that strategy, used to help us determine the dependability a component requires based on the risk and severity of the consequences associated with its failure.
IEC 61508 is a prescriptive standard for high-value, low-volume systems such as nuclear power plants and oil drilling platforms. ISO 26262, by contrast, is a goal-based standard for relatively low-value but high-volume implementations. Like other goal-based standards, it was developed for a specific environment (medical devices, trains, automobiles, etc.) rather than for one type of system (as IEC 61508 was for electronic equipment), and the way it expresses safety requirements resembles that of other goal-based standards.
For example, in a manner analogous to ISO 26262, the IEC 62304 standard for medical devices identifies three classes of medical devices—A (no possible injury or damage to health), B (possibility of non-serious injury or harm), and C (possibility of serious injury or harm, or death)—and focuses on such things as the design, development and validation processes, and tools and techniques used to build the safety case. Both standards also discuss the use of systems or subsystems not developed for the safety-related system in which they will be used.
ASILs are more complex than the IEC 62304 medical device classes. But like these classes, they do not set dependability requirements. ASILs provide guidance to help us establish dependability requirements, based on the probability and acceptability of harm. In many cases we will need to set the numerical values for dependability ourselves, based on the information in ISO 26262 and methods such as ALARP (as low as reasonably practical), GAMAB (globalement au moins aussi bon: “globally at least as good”), or MEM (minimum endogenous mortality).8
Given this situation, the most effective way to answer a question such as “What is the ASIL of a driverless car?” may be to develop the standard further to include the possibility that a non-human driver is exercising the controllability. As the standard now reads, the absence of a human driver means that controllability is always close to zero, because ISO 26262 defines it as “the ability to avoid a specified harm or damage through the timely reactions of the persons involved, possibly with support from external measures.”9
Therefore, we will have to classify every safety-related component as an ASIL D. For the present, this will also be the answer for a more conventional car with a human driver if we ask the same sort of question: for example, “What is the ASIL of assisted cruise control?” Until we understand all three dimensions of the ASIL, we cannot know the answer.
We must, therefore, begin by determining our systems’ dependability requirements based on all three ASIL dimensions: the probability of exposure to harm should the system fail, the controllability of the situation upon exposure, and the severity of the resulting harm should the situation not be controlled.
Once we understand these dimensions, assigning an ASIL is a simple matter of looking it up in Table 4 of Part 3 of the standard. We can then build our ISO 26262 safety case to demonstrate that our component meets our dependability claims, using all the relevant methods and evidence available to us: process and quality management, formal design, code analysis, testing, field data for component parts, and so on.
Finally, when we build the Safety Case, we must demonstrate not just that our system meets the dependability claims we make about it, but also that this dependability is acceptable for our selected ASIL and that our selected ASIL is appropriate for the system we have built.
References
1. William Taylor III et al., “System Safety and ISO 26262 Compliance for Automotive Lithium-Ion Batteries,” 2012 IEEE Symposium on Product Compliance Engineering, Portland, Nov. 5-7, 2012, www.psessymposium.org/sites/psessymposium.org/files/1569633449.pdf.
2. ISO 26262-3:2011, B.2.1.
3. Table B.4.
4. Table B.2.
5. 7.4.3.4 and 7.4.3.7.
6. Table B.2.
7. 7.4.4.3.
8. Chris Hobbs and Patrick Lee, “Define and State Your Safety Requirements Before Design and Test,” Electronic Design, Jan. 9, 2012, electronicdesign.com/embedded/define-and-state-your-safety-requirements-design-and-test.
9. ISO 26262-1:2011, 1.19; strictly, the absence of a driver does not reduce controllability to zero, because the standard allows passengers and persons outside the vehicle to be included in the determination of controllability.
10. Alma Juarez Dominguez, University of Waterloo, “Detection of Feature Interactions in Automotive Active Safety Features,” https://cs.uwaterloo.ca/~aljuarez/Docs/Thesis_Juarez_Alma.pdf.