Agonising Over Automotive Safety Integrity Levels: Controllability And The In-Wheel Motor
Abstract
In the automotive domain the standard ISO 26262 places significant emphasis on the assignment of Automotive Safety Integrity Levels (ASILs). In particular much of Part 3 of the standard is dedicated to the process that determines the three factors that contribute to the final assigned ASIL value: exposure, severity and controllability.
In this paper we examine some of the issues that the authors have encountered during the development of an in-wheel electric motor and will argue that the perceived emphasis on ASIL ratings, in the context of developing a safe system, is misplaced and potentially counterproductive.
Introduction
As indicated above, a significant proportion of ISO 26262 Part 3 is devoted to assigning Automotive Safety Integrity Levels (ASILs). The means by which these values are assigned is expanded further in Part 3 Annex B. However, rather than providing a process or methodology for determining these properties, the reader is presented with a simplified set of example tables. For instance, section B.2, which develops the concept of the Maximum Abbreviated Injury Scale (MAIS) in some detail, leaves the process by which the severity rating should, or perhaps could, be derived at “Accident statistics can be used to determine the distribution of injuries that can be expected to occur in different types of accidents”. The information provided on exposure is somewhat more helpful, but does not address issues such as how different factors could or should be combined. Similar observations apply to the examples provided for controllability ratings in section B.4, where a table of example driving situations is given together with assumptions about the corresponding control actions that would avoid harm. Somewhat less clear is how to build the evidence that forms the rationale for the controllability rating chosen.

In section 1 we review the “item” with which we are concerned and the hazards associated with it, and briefly review the lessons that can be learned from history. Section 2 summarises the factors that feed into the ASIL determination, and section 3 discusses these in more detail, noting some weaknesses in the way these factors are defined and observing that controllability is the critical factor. Section 4 examines controllability in the context of the driver, and in particular what can, and more importantly what cannot, be expected of the driver. These driver expectations are then discussed in the context of the development of the functional safety concept for the in-wheel motor application. In section 6 we conclude that, if the safety goals (the high-level safety requirements) are incorrect, then getting the ASIL wrong is irrelevant.