ISO 26262 is unusual among safety standards in that it defines a way in which an element can be developed independently from the top-level system in which it shall be integrated. This is necessary in the automotive industry with multiple tiers of suppliers delivering electrical and/or electronic (E/E) systems to both vehicle manufacturers and others within the supply chain. In particular the definition of a Safety Element out of Context allows a supplier to produce an element and sell to the general market for different applications, while still following the development process and producing the evidence required to allow the element to be used in a safety-relevant application.
This series of blogs will look at how a Safety Element out of Context is defined in the ISO 26262 standard, and will then look at the benefits this can bring to an E/E system developer. We will then look into some of the challenges often encountered when applying this part of the standard, including common pitfalls and tips for avoiding them.
Safety Element out of Context (SEooC) is defined in ISO/DIS 26262-10.2:2017, “Guideline on ISO 26262″. Assumptions, and the documentation and verification of these assumptions, are crucial to the development of an SEooC. SEooC development takes place without knowledge of the design or requirements from the top-level system, so from the beginning of the development process assumptions are made about the item the SEooC shall operate in, and the application it shall be used within.
The SEooC will be designed to be capable of complying with assumed requirements of a certain ASIL. These may be assumed requirements from the top-level system, or may originate from outside this system. It will not be possible to perform a complete hazard analysis and risk assessment without knowledge of the item level hazards, but it is useful to think about the possible hazards that may be applicable, and document these, along with the predicted ASIL rating of the assumed requirements the SEooC shall have to comply with. Current industry practice and information from potential customers can be used as sources for identifying hazards, and then estimating the appropriate ASIL for the assumed requirements. As with all development of an SEooC, it is very important to document these sources as part of the safety case.
In our next post we will be looking at how the development process defined in ISO 26262 is adapted for SEooC development, with a closer look at some of the key activities.
By Alison Young, Functional Safety Consultant