07. ASIL Decomposition

L4 13 ASIL Decomposition

System Diagram after ASIL Decomposition

Here is the system diagram after decomposing the safety lane block:

ASIL Decomposition Results


ASIL Decomposition

Splitting an element into a QM element and an ASIL C element actually provides a degree of redundancy. Suppose that after some user testing we decide to limit the vibration torque to +/- 3 N-m, because anything beyond +/- 3 N-m was too difficult for drivers to control.

We might then build in a margin and have the "normal lane assistance functionality" software block request a torque of at most +/- 2.8 N-m.

The "safety lane assistance functionality" block's only job is to make sure the torque never goes beyond +/- 3 N-m.

So the "normal" block is programmed to make requests only within +/- 2.8 N-m, and the "safety" block adds an independent check that the request never exceeds +/- 3 N-m. If a torque request does go beyond +/- 3 N-m, the safety block assumes something has gone wrong in the system and brings the torque to a safe value. The safety block might not know why the malfunction occurred or where it originated, but it does know that something has gone wrong.

Why would the "normal" block ever request a torque beyond +/- 2.8 N-m? Two likely sources are a software bug and a failure of an ECU hardware component. An electrical short circuit could cause the malfunction as well.

The benefit of the ASIL decomposition is that the "normal" block, which holds all the functionality for receiving and interpreting camera subsystem signals, only needs to follow quality management processes; without the decomposition, all of that functionality would have to go through the extra rigor of ASIL C development and testing. In ISO 26262 notation the decomposed elements are written with the original ASIL in parentheses, here ASIL C(C) for the safety block and QM(C) for the normal block. The decomposition is only valid if the two elements are sufficiently independent: a single fault (shared memory, a common power rail, the same buggy library) must not be able to take out both, and ISO 26262-9 requires a dependent failure analysis to show this.
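To make the split concrete, here is an added example (not code from the lesson) of the two blocks as two separate C functions: a QM "normal" block that clamps its own request to +/- 2.8 N-m, and an ASIL C "safety" block that only knows the +/- 3 N-m boundary. The 2 N-m-per-metre gain, the choice of 0 N-m as the safe state, the function names and the sample lateral offsets are assumptions made for this example. A copy of the normal block with its clamp removed stands in for "a software bug upstream"; the safety block catches it without knowing what went wrong.

```c
#include <math.h>    /* NAN, for the corrupted-signal demo in main() */
#include <stdio.h>

#define REQUEST_LIMIT_NM 2.8  /* margin the QM "normal" block designs to */
#define SAFETY_LIMIT_NM  3.0  /* bound the ASIL C "safety" block enforces */

typedef enum {
    TORQUE_OK = 0,              /* request passed through unchanged */
    TORQUE_FAULT_OUT_OF_RANGE,  /* |request| > 3 N-m: upstream malfunction */
    TORQUE_FAULT_NOT_A_NUMBER   /* request is NaN: corrupted signal */
} torque_status_t;

/* QM "normal" block. Turns the camera subsystem's lateral-offset estimate
 * into a vibration torque request (hypothetical gain: 2 N-m per metre) and
 * clamps it to the +/- 2.8 N-m design margin. */
double normal_lane_assist_request(double lateral_offset_m)
{
    double request = 2.0 * lateral_offset_m;
    if (request > REQUEST_LIMIT_NM)  request = REQUEST_LIMIT_NM;
    if (request < -REQUEST_LIMIT_NM) request = -REQUEST_LIMIT_NM;
    return request;
}

/* The same block with a software bug injected: the clamp is missing.
 * This stands in for "something went wrong upstream". */
double normal_lane_assist_request_buggy(double lateral_offset_m)
{
    return 2.0 * lateral_offset_m;
}

/* ASIL C "safety" block. It does not know why a request is out of range
 * (software bug, ECU hardware fault, short circuit); it only knows that
 * anything beyond +/- 3 N-m means something has gone wrong, and then forces
 * the commanded torque to 0 N-m, assumed here to be the safe state. */
torque_status_t safety_lane_assist_check(double requested_nm, double *commanded_nm)
{
    /* NaN compares false against everything, so a plain "> limit" test
     * would wave a corrupted value straight through. Reject it explicitly. */
    if (requested_nm != requested_nm) {
        *commanded_nm = 0.0;
        return TORQUE_FAULT_NOT_A_NUMBER;
    }
    if (requested_nm > SAFETY_LIMIT_NM || requested_nm < -SAFETY_LIMIT_NM) {
        *commanded_nm = 0.0;
        return TORQUE_FAULT_OUT_OF_RANGE;
    }
    *commanded_nm = requested_nm;
    return TORQUE_OK;
}

/* One control cycle: the QM block computes a request, the ASIL C block vets
 * it. Returns the torque that actually reaches the steering actuator. */
double lane_assist_cycle(double lateral_offset_m, int inject_bug, torque_status_t *status)
{
    double request = inject_bug ? normal_lane_assist_request_buggy(lateral_offset_m)
                                : normal_lane_assist_request(lateral_offset_m);
    double commanded;
    *status = safety_lane_assist_check(request, &commanded);
    return commanded;
}

int main(void)
{
    torque_status_t st;
    double t;
    double offsets[] = { 0.5, 2.5 };   /* constructed sample inputs, metres */
    for (int bug = 0; bug <= 1; bug++) {
        for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
            t = lane_assist_cycle(offsets[i], bug, &st);
            printf("offset=%.1f m bug=%d -> commanded=%.1f N-m status=%d\n",
                   offsets[i], bug, t, (int)st);
        }
    }
    st = safety_lane_assist_check(NAN, &t);
    printf("NaN request -> status=%d commanded=%.1f N-m\n", (int)st, t);
    return 0;
}
```

With the clamp present, a 2.5 m offset yields 2.8 N-m and passes. With the bug injected the same offset produces 5 N-m, which the safety block reduces to 0 N-m and flags. The NaN case is the kind of edge a plausibility check is easy to get wrong: `fabs(x) > limit` is false for NaN, so the explicit self-inequality test is what keeps a corrupted signal from slipping past the ASIL C block.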

Possible ASIL Decompositions


Lane Keeping Assistance Example: ASIL Inheritance and ASIL Decomposition

Where do we put the software block for the lane keeping assistance function? And what is its ASIL?

Let's go back to the safety goal and functional safety requirements for the lane keeping function:

From the Hazard Analysis and Risk Assessment, the safety goal was: "the lane keeping assistance function shall be time limited and the additional steering torque shall end after a given time interval so that the driver cannot misuse the system for autonomous driving". We rated this ASIL B.

We then derived the functional safety requirement: "the lane keeping item shall ensure that the lane keeping assistance torque is applied for only Max_Duration".

The functional safety requirement inherits the ASIL from the safety goal, so this functional safety requirement is ASIL B as well.

What do we do now? We already decided that the lane departure warning made the lane assistance software block ASIL C. But we also have an ASIL B functional safety requirement allocated to the same software block. When requirements with different ASILs are allocated to the same element, the highest ASIL prevails, so the simplest answer is that the whole lane assistance software block is ASIL C.

The rule in ISO 26262 is that sub-elements inherit the highest ASIL of the element unless you can show that the lower-ASIL sub-element cannot interfere with, and cannot cause a failure in, the higher-ASIL sub-element. These are the criteria for coexistence. If you can show that the lane keeping assistance software cannot affect the lane departure warning, then you can separate the functionality into two blocks, one ASIL C and one ASIL B.

Criteria for Co-existence

If a failure in the lane keeping assistance software element has no impact on the lane departure warning software element, then the lane keeping assistance software block can be ASIL B; otherwise, the lane keeping assistance software block needs ASIL C.

A failure in which one element fails and then causes another element to fail is called a cascading failure.

You can avoid cascading failures by carefully designing the data and control flow of the software (no shared state, no unchecked inputs from the lower-ASIL element, no common execution path that the lower-ASIL element can block) or the input/output signals and control lines for hardware. ISO 26262 calls this property freedom from interference.

For the purposes of the lesson, we will assume that a failure in the lane keeping assistance function will not impact the lane departure warning function.
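The functional safety requirement above, "the lane keeping assistance torque is applied for only Max_Duration", is the ASIL B counterpart of the +/- 3 N-m check: a magnitude limit there, a duration limit here. The following added example (not code from the lesson) shows the duration monitor written so that it meets the coexistence argument just made: all of its state lives in its own struct, it reads nothing owned by the lane departure warning path, and a lane keeping block that gets stuck requesting torque stays blocked rather than being re-enabled. The 500 ms Max_Duration, the 20 ms task period, the names and the sample request values are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DURATION_MS 500u   /* assumed Max_Duration for this example */

/* All of the monitor's state lives here; there are no globals and it reads
 * no data owned by the lane departure warning path. Invariant kept by
 * lka_duration_monitor_step(): active_ms <= MAX_DURATION_MS. */
typedef struct {
    uint32_t active_ms;   /* torque applied so far in the current episode */
    bool     expired;     /* latched once Max_Duration has been used up */
} lka_duration_monitor_t;

void lka_duration_monitor_init(lka_duration_monitor_t *m)
{
    m->active_ms = 0;
    m->expired = false;
}

/* Called once per control task with the torque the lane keeping logic
 * requests and the task period. Returns the torque that may actually be
 * commanded. A cycle is only allowed if applying torque for one more period
 * keeps the episode within Max_Duration; after that the torque is forced to
 * 0 N-m and stays there until the request itself returns to zero, which ends
 * the episode and re-arms the monitor. A request that never returns to zero
 * (a stuck lane keeping block) therefore stays blocked for good. */
double lka_duration_monitor_step(lka_duration_monitor_t *m,
                                 double requested_nm, uint32_t dt_ms)
{
    if (requested_nm == 0.0) {
        lka_duration_monitor_init(m);  /* episode over: re-arm */
        return 0.0;
    }
    /* Subtracting from the remaining budget instead of adding to active_ms
     * cannot overflow, whatever dt_ms the caller passes. */
    if (m->expired || dt_ms > MAX_DURATION_MS - m->active_ms) {
        m->expired = true;             /* latch; nothing in this path re-enables */
        return 0.0;
    }
    m->active_ms += dt_ms;
    return requested_nm;
}

/* Drives the monitor for a number of task cycles with a constant request and
 * returns how many cycles torque actually reached the actuator. */
unsigned lka_count_applied_cycles(unsigned cycles, double requested_nm, uint32_t dt_ms)
{
    lka_duration_monitor_t m;
    unsigned applied = 0;
    lka_duration_monitor_init(&m);
    for (unsigned i = 0; i < cycles; i++) {
        if (lka_duration_monitor_step(&m, requested_nm, dt_ms) != 0.0) {
            applied++;
        }
    }
    return applied;
}

int main(void)
{
    /* Constructed scenario: 20 ms task, lane keeping keeps asking for 1 N-m. */
    unsigned applied = lka_count_applied_cycles(40, 1.0, 20);
    printf("torque applied for %u of 40 cycles (%u ms of Max_Duration = %u ms)\n",
           applied, applied * 20u, MAX_DURATION_MS);
    return 0;
}
```

With a 20 ms task the monitor passes exactly 25 cycles (500 ms) and then holds the torque at zero; with a coarse 300 ms period it passes only one cycle, because a second one would overrun Max_Duration. The coexistence point is in what the monitor does not do: it has no pointer to, and no variable shared with, the vibration-torque check, so a lane keeping block that misbehaves can exhaust this timer but cannot change what the ASIL C path commands.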

System Diagram after Adding Extra Safety Elements

Here is the system diagram after adding safety elements for the lane departure warning and lane keeping assistance:

Criteria for Co-existence


Quiz: ASIL Decomposition


What is the main purpose of ASIL decomposition?

SOLUTION: To reduce the ASIL on non-safety critical software.