A Study of Automatic Allocation of Automotive Safety Requirements in Two Modes: Components and Failure Modes

Abstract

ISO 26262 describes a safety engineering approach in which the safety of a system is considered from the early stages of design through a process of elicitation and allocation of system safety requirements. These are expressed as automotive safety integrity levels (ASILs) at system level and are then progressively allocated to subsystems and components of the system architecture. In recent work, we have demonstrated that this process can be automated using a novel combination of model-based safety analysis and optimization metaheuristics. The approach has been implemented in the HiP-HOPS tool, and it leads to optimal economic decisions on component ASILs. In this paper, first, we discuss this earlier work and demonstrate automatic ASIL decomposition on an automotive example. Secondly, we describe an experiment where we applied two different modes of ASIL decomposition. In HiP-HOPS, it is possible to decompose ASILs either to the safety requirements of components or individual failure modes of components. Protection against independent failure modes could, in theory, be achieved at different ASILs and this will lead to reduced design costs. Although ISO26262 does not explicitly support this option, we have studied the implications of this more refined decomposition on system costs but also on the performance of the decomposition process itself, and we report on the results. Finally, motivated by our study on ASIL decomposition, we discuss the general need for increased automation of safety analysis in complex systems, especially autonomous systems where an infinity of possible operational states and configurations makes manual analysis infeasible.