As discussions around active safety systems and automated driving become more widespread, the functional safety requirements for these systems emerge as a central topic. For many inside and outside of our industry, functional safety requirements and how we apply them can be a bit confusing. In this article, we look at a key component of these requirements, ASIL-D, and touch on what Aptiv is doing to meet functional safety challenges for our customers.
ASIL-D is an automotive risk classification that is part of a larger ISO standard – ISO 26262 – which looks at the functional safety requirements for all of the different electrical and electronics systems in a vehicle. ASIL-D represents the highest level of risk management, so components or systems that are developed for ASIL-D are made to the most stringent safety requirements.
ISO 26262, originally established in 2011 and updated in 2018, proposes process and design integrity recommendations covering the full product life cycle for road vehicles. ISO 26262 tailors the recommendations based on several levels of risk classification, known as Automotive Safety Integrity Level (ASIL). There are four levels, ranging from ASIL-A (low risk reduction needed) to ASIL-D (high risk reduction needed). There is also a classification called Quality Management (QM), which indicates that there is no need to implement additional risk reduction measures above and beyond the industry acceptable quality system.
Three factors determine the ASIL requirement for a particular system. The first is Severity – that is, if a system were to fail, how bad could the safety consequences potentially be for the driver, passengers or nearby pedestrians and vehicles? The second is probability of Exposure – the likelihood of an operational situation that can be hazardous if it coincides with the failure mode under analysis. And the third is Controllability – if the system were to fail, how able are the persons involved in the operational situation (driver, passengers or persons in the vicinity of the vehicle) to avoid harm through timely reactions?
The ASIL-D designation is reserved for High Exposure operational situations (i.e. more than 10% typical operational time) where a malfunction can lead to High Severity harm (i.e. death or major bodily harm) with very Low Controllability (i.e. less than 90% of average drivers or other traffic participants are able to avoid harm).
Consider a couple of examples.
Say the vehicle speed indicator on the dashboard display fails. It’s possible the indicator could show no information at all (i.e. it’s set to zero all the time) or it could display the wrong speed. In the first case, the Controllability is very high, since a driver could easily perceive the failure and then drive more cautiously. That scenario could be classified QM. In the second case, the failure is less obvious to the driver (e.g. it indicates 55 mph when it should indicate 65 mph), but the Controllability is still relatively strong, so this scenario could be classified ASIL-A or ASIL-B.
By contrast, say the driver’s brakes fail during a high-speed operational situation in crowded streets. This would have a serious effect on the driver’s ability to control the vehicle, and there is a chance the driver or others could get badly hurt as a result. This risk would be classified as ASIL-D.
A similar failure during a low-speed scenario in less crowded streets may be classified at a lower ASIL, because the driver can let the vehicle coast to reduce speed and eventually stop the car. Any system that controls steering or braking would likely have to support a range of scenarios, many of which would be classified as ASIL-D, since those functions are so critical to the operation and control of the vehicle.
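The three factors described above (Severity, Exposure, Controllability) and the worked scenarios (speed indicator, brake failure) can be carried through end to end in code. The following is an added example written for this article, not Aptiv's code. The article only states the ASIL-D corner of the classification (E4: more than 10% of operating time; S3: death or major bodily harm; C3: fewer than 90% of drivers can avoid harm); the remaining class boundaries and the full S/E/C to ASIL table are taken from ISO 26262-3 (Annex B and the ASIL determination table) as recalled here, so verify them against the current edition. The numeric inputs assigned to the article's scenarios are constructed for illustration, not figures from a real hazard analysis.

```python
"""Worked ASIL determination for the hazard factors in the article (added example)."""
from dataclasses import dataclass

QM, A, B, C, D = "QM", "ASIL-A", "ASIL-B", "ASIL-C", "ASIL-D"


def severity_class(outcome: str) -> int:
    """S0..S3 from the worst credible injury outcome (ISO 26262-3, as recalled)."""
    return {
        "none": 0,              # S0: no injuries
        "light": 1,             # S1: light and moderate injuries
        "severe": 2,            # S2: severe, possibly life-threatening, survival probable
        "life_threatening": 3,  # S3: survival uncertain, or fatal injuries
    }[outcome]


def exposure_class(operating_time_fraction: float) -> int:
    """E2..E4 from the share of operating time in which the situation occurs.

    E4 (> 10 %) is the boundary the article gives; E3 is 1-10 %, E2 below 1 %.
    E1 (very low probability) and E0 (incredible) are judged qualitatively in the
    standard rather than by a duration figure, so they are not derived here.
    """
    if not 0.0 <= operating_time_fraction <= 1.0:
        raise ValueError("exposure must be a fraction of operating time")
    if operating_time_fraction > 0.10:
        return 4
    if operating_time_fraction >= 0.01:
        return 3
    return 2


def controllability_class(drivers_avoiding_harm: float) -> int:
    """C1..C3 from the share of average drivers able to avoid the harm.

    C3 (< 90 %) is the boundary the article gives; C2 is >= 90 %, C1 >= 99 %.
    """
    if not 0.0 <= drivers_avoiding_harm <= 1.0:
        raise ValueError("controllability must be a fraction of drivers")
    if drivers_avoiding_harm >= 0.99:
        return 1
    if drivers_avoiding_harm >= 0.90:
        return 2
    return 3


# ASIL determination table, indexed [S][E][C-1] for S1-S3, E1-E4, C1-C3.
# Any factor at class 0 (S0, E0, C0) means no ASIL is assigned (QM).
_ASIL_TABLE = {
    1: {1: (QM, QM, QM), 2: (QM, QM, QM), 3: (QM, QM, A), 4: (QM, A, B)},
    2: {1: (QM, QM, QM), 2: (QM, QM, A), 3: (QM, A, B), 4: (A, B, C)},
    3: {1: (QM, QM, A), 2: (QM, A, B), 3: (A, B, C), 4: (B, C, D)},
}


def determine_asil(s: int, e: int, c: int) -> str:
    """Look the three classes up in the table, rejecting out-of-range classes."""
    if s not in range(4) or e not in range(5) or c not in range(4):
        raise ValueError(f"invalid classes S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return QM
    return _ASIL_TABLE[s][e][c - 1]


def asil_by_sum(s: int, e: int, c: int) -> str:
    """Equivalent shortcut: the table is additive in the class numbers.
    S+E+C of 10 gives D, 9 gives C, 8 gives B, 7 gives A, 6 or less is QM."""
    if 0 in (s, e, c):
        return QM
    return {10: D, 9: C, 8: B, 7: A}.get(s + e + c, QM)


@dataclass(frozen=True)
class Hazard:
    name: str
    outcome: str                     # worst credible injury, see severity_class
    operating_time_fraction: float   # exposure input
    drivers_avoiding_harm: float     # controllability input

    def asil(self) -> str:
        return determine_asil(
            severity_class(self.outcome),
            exposure_class(self.operating_time_fraction),
            controllability_class(self.drivers_avoiding_harm),
        )


# The article's scenarios with constructed (illustrative) S/E/C inputs.
ARTICLE_HAZARDS = {
    # Indicator stuck at zero: the dashboard is always in use (E4), the failure is
    # obvious, nearly every driver notices and slows down (C1).
    "speedometer_zero": Hazard("speed indicator reads zero", "light", 1.0, 0.995),
    # Indicator reads 55 mph instead of 65 mph: less obvious to the driver (C2).
    "speedometer_wrong": Hazard("speed indicator reads 55 not 65", "light", 1.0, 0.95),
    # Brake loss at high speed in crowded streets: fatal outcome, hard to control.
    "brakes_high_speed": Hazard("brake failure, high speed, crowded", "life_threatening", 0.20, 0.50),
    # Brake loss at low speed in quiet streets: most drivers can coast to a stop.
    "brakes_low_speed": Hazard("brake failure, low speed, quiet", "severe", 0.05, 0.95),
}


def classify_article_hazards() -> dict:
    """Map each scenario key to its ASIL level."""
    return {key: hazard.asil() for key, hazard in ARTICLE_HAZARDS.items()}


if __name__ == "__main__":
    for key, level in classify_article_hazards().items():
        print(f"{ARTICLE_HAZARDS[key].name}: {level}")
```

With these inputs the stuck-at-zero indicator comes out QM, the wrong-speed indicator ASIL-A (it would become ASIL-B if the severity were judged S2 instead of S1, which is why the article gives a range), the high-speed brake failure ASIL-D, and the low-speed brake failure ASIL-A. Note that the additive shortcut in `asil_by_sum` reproduces every cell of the table, which is a useful sanity check when transcribing the table by hand.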
Active safety systems will interface with the vehicle’s steering and braking systems, and certainly automated driving systems do as well. As these systems become more prevalent, the need for systems that can meet ASIL-D requirements increases.
Aptiv’s Smart Vehicle Architecture™ takes this into account for highly automated vehicles by building resilience into their architecture from the ground up and ensuring that vehicles can recover from a system failure. Our team developed a fail-operational design that incorporates resilience at three layers: compute, network and power. If a compute node fails, redundant compute resources can bring the vehicle to a safe stop. The network uses an innovative dual-ring topology for full redundancy in the data network. And a dual-ring topology for power, coupled with smart fusing, ensures that our zone controllers can deliver affordable, fail-operational performance.