Functional safety is an increasingly important topic in automotive companies including OEMs, Tier 1 and Tier n. In this article, we describe a solution to common problems faced by an automotive company when safety information needs to be exchanged among the other organizations in the supply chain.
Functional safety activities do concern the whole lifecycle of the system (item) under development and involve a cooperative effort from all participating stakeholders. Thus, safety-related work products have to be exchanged between all the organizations involved in the supply chain. Details such as roles, responsibilities, and work products should be specified in a Development Interface Agreement (DIA), according to ISO 26262. However, it is not prescribed by ISO 26262 how such information should be exchanged (regarding content, formats, etc.).
In current practice, this typically leads to inefficient and manual document-centric processes with information duplication on both sides of the supply chain i.e. the consumer and the supplier. It may also happen, that important information is missing at the time when certain activities (such as the provisioning/configuration of safety mechanisms of basic software) are finally executed. All of this results in inconsistencies, limited traceability, and difficulties when demonstrating the overall safety case.
On the other side, the AUTOSAR Architecture together with the AUTOSAR methodology and supporting tools already work between organizations in the supply chain by providing standard exchange formats and a common methodology. Using these formats, relevant software system and ECU implementation information can easily be exchanged. In the following sections, we will explore how a standard such as AUTOSAR could solve the functional safety problem in an elegant way.
The OEM provides the general concepts for the systems (items) of the same platform. The functional safety concept work typically starts at the item level(s) of a vehicle platform, leading to safety goals and requirements for different items, systems and sub-systems of the platform.
The functional safety concepts of the OEM are then shared to Tier 1 for their specific items, system or sub-system.
The Tier 1 could already have developed a (sub-) system specific safety concept using the safety element out of the context method, before or in parallel with the OEM specific safety goals and requirements available to them. This approach allows that a safety implementation exists, based on an assumed system.
Once a Tier 1 receives the functional safety concept of the OEM, it needs to match the safety requirements which are already met using the existing safety concept, and potentially design or redesign the safety concept to meet the OEM’s requirements.
The sub-system would include many safety measures or mechanisms, which are required to meet the safety requirements and goals. These would result in particular safety mechanisms being implemented and validated at sub-system or system level by the Tier 1.
Tier 1 would transfer its implementation back to the OEM, along with the information related to the safety measures or mechanisms that have been implemented to fulfill the OEM’s safety requirements.
OEM would collect various implementations for integration of safety concepts into their system and perform validation of the system on a vehicle platform level. This process could be iterative in nature
A similar process would occur for lower Tiers, which contribute to the Tier 1 work. The difficulties in transferring safety related information, as described above, mainly exists in two phases when such information gets exchanged between organizations:
The information to be transferred contains relevant parts of the functional safety concept i.e. the safety goals and requirements, safety considerations in the architecture and allocation information of safety requirements to elements of the architecture.
In this phase, the information on the implemented safety mechanisms and measures and the mapping between the safety requirements and such mechanisms is an important information.
As initially described, the OEM will potentially communicate with multiple Tier 1 suppliers and the Tier 1 suppliers usually again have to contact multiple Tier n suppliers. The presence of a standardized exchange format for safety information will ease the communication between organizations and help in avoiding cost-intensive and error-prone rework or translation of safety related information.
The AUTOSAR Safety Extensions introduced in release 4.2.1 provide such a standardized exchange format. In addition to the introduction of the pure exchange format, the AUTOSAR methodology has been extended and now contains activities in which the safety related artifacts are produced.
The idea of the AUTOSAR Safety Extensions is to facilitate the AUTOSAR XML (.arxml) representation as the format in which safety information is represented and exchanged. In the current release as part of AUTOSAR 4.2.1, an approach is used which does not impact the existing AUTOSAR metamodel. The new standard defines how the information has to be provided using only existing generic concepts of the AUTOSAR metamodel by applying specific standardized tags and content.
Thus, in addition to the conventional AUTOSAR models that are exchanged among organizations in the supply chain, these safety extensions add new elements to the model and refer to existing elements. The fact that these safety extensions can be applied only as extensions means that they do not affect exiting AUTOSAR models.
According to the development process described above, the main concepts of the extension are Safety Requirements and Safety Measures together with their ASIL attributes.
In AUTOSAR R4.2.1 clearly distinguishable safety requirements can be defined in AUTOSAR metamodel, thus fulfilling the needs as specified by ISO 26262 parts 4 and 8 (section 4). Safety Requirements may have attributes and relations that are used to define them in accordance with ISO26262 specifications, such as decomposition and refinement. Additionally, by using AUTOSAR Trace the traceability and allocation of safety requirements and safety measures can be described according to ISO 26262 parts 4, 6 and 8 (section 6)
Safety Measures have a textual description, a unique ID and a type that declares whether it is a safety mechanism (i.e. part of the AUTOSAR implementation) or an external measure (e.g. a review). Furthermore, ASIL attributes according to ISO 26262 can be specified.
In AUTOSAR R4.2.1, safety integrity levels / ASIL can be assigned for each AUTOSAR element including safety requirements and safety measures.
The provisioning and processing of AUTOSAR models with safety extensions is subject to appropriate tool support. Tools supporting the safety process according to ISO 26262 could be used to provide the safety requirements and the required ASIL attributes. AUTOSAR tools such as configuration tools could read this information and add further information such as the traces to the safety mechanisms and measures that are part of the final configuration. As the safety extensions are standardized, arbitrary AUTOSAR compliant tools can be used here
The application of AUTOSAR Safety Extensions together with appropriate tool support provides several benefits. The need for information exchange in arbitrary formats (mostly with Word and Excel) is reduced and also the time required for the transformation of this information, if it flows across an organization border, is reduced. Hence, the workflow can be organized much more efficiently than today. Besides the advantages in the process, there is also an increase in the quality of the safety information, as the traceability is much better, e.g. for a safety case argumentation. In addition, this explicit traceability in the models offer possibilities for consistency checks
KPIT Technologies GmbH
Chief Technology Officer
KPIT Technologies GmbH