“Why don’t we just decompose this into lower ASILs, it would make our work easier?” is one of the phrases I come across most often while consulting on functional safety projects. It is almost always followed by a wry smile on my face and a counter query: “Are you sure about that?”
The ASIL decomposition concept defined in ISO 26262 offers a way to lower the ASIL of a system or function by splitting it across redundant hardware and/or software elements. However, there is a lot of gray area that is easy to overlook while finalizing a system’s architecture.
A lower ASIL may make implementation easier for designers, but it is not always the right approach. If we do a cost-benefit analysis of a system design with and without ASIL decomposition, we often find that the decomposed design is unnecessary and more expensive to implement.
Then there is Freedom from Interference. ISO 26262 requires evidence of sufficient independence between the decomposed functions and the elements they are allocated to. Only if that independence can be shown is the ASIL decomposition acceptable. Here’s an example:
- If the vehicle speed function must be realized at ASIL D, and the system has a wheel speed sensor (WSS) and a transmission output shaft speed sensor, then the function can be decomposed and allocated to each of the sensors at ASIL B(D). This works because we can show sufficient independence between the two sensors and because each sensor can satisfy the primary function (speed measurement) by itself.
Now consider object detection, a potential ASIL D function in modern automotive systems, and assume that it is realized using camera and radar technology. For example:
- If we try to decompose this function in the same way, allocating it to the camera and the radar at ASIL B(D) each, the decomposition would be incorrect and difficult to justify. One reason is that each technology has limitations in certain scenarios: the camera in foggy or night conditions, the radar in detecting objects farther away. We therefore cannot justify that either technology satisfies the complete primary function alone. For this reason, a software decomposition on modern complex microcontrollers is also very difficult to achieve.
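To make the redundancy argument from the two examples mechanical, here is an added Python model (not from the original post, and not the standard’s own method) that checks a proposed two-way decomposition against the ISO 26262-9 decomposition schemes, a simplified freedom-from-interference test (no shared failure path), and the requirement that each element fulfils the whole primary function alone. The scenario sets and resource names are constructed for illustration; the scheme table beyond D -> B(D)+B(D) is assumed from the standard rather than taken from the page.

```python
from dataclasses import dataclass
# ISO 26262-9 decomposition schemes (assumed from the standard; the page only states D -> B(D)+B(D)):
# target ASIL -> allowed pairs of decomposed ASILs, higher ASIL first.
DECOMPOSITION_SCHEMES = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

@dataclass(frozen=True)
class Element:
    name: str
    asil: str               # ASIL the element is developed to; the "(D)" suffix is implied
    covers: frozenset       # scenarios in which the element fulfils the primary function alone
    depends_on: frozenset   # resources whose failure takes the element down (simplified FFI model)

def check_decomposition(target_asil, elements, required_scenarios):
    """Return the reasons a two-way decomposition is NOT justified; [] means acceptable."""
    a, b = elements
    problems = []
    pair = tuple(sorted((a.asil, b.asil), key=ASIL_RANK.get, reverse=True))
    if pair not in DECOMPOSITION_SCHEMES[target_asil]:
        problems.append(f"{pair} is not a valid decomposition of ASIL {target_asil}")
    shared = a.depends_on & b.depends_on   # freedom from interference: no common failure path
    if shared:
        problems.append(f"no freedom from interference: shared {sorted(shared)}")
    for e in (a, b):   # full redundancy: each element must cover every required scenario alone
        missing = required_scenarios - e.covers
        if missing:
            problems.append(f"{e.name} cannot fulfil the function alone in {sorted(missing)}")
    return problems

# Constructed scenario sets and resource names for the two examples in the text.
SCENARIOS = frozenset({"clear_day", "fog", "night", "long_range"})
WSS = Element("wheel speed sensor", "B", SCENARIOS, frozenset({"wss_supply"}))
TOSS = Element("transmission output shaft sensor", "B", SCENARIOS, frozenset({"toss_supply"}))
CAMERA = Element("camera", "B", frozenset({"clear_day", "long_range"}), frozenset({"cam_supply"}))
RADAR = Element("radar", "B", frozenset({"clear_day", "fog", "night"}), frozenset({"radar_supply"}))

def vehicle_speed_example():
    return check_decomposition("D", (WSS, TOSS), SCENARIOS)  # -> []

def object_detection_example():
    return check_decomposition("D", (CAMERA, RADAR), SCENARIOS)  # -> two coverage problems

if __name__ == "__main__":
    print("vehicle speed:", vehicle_speed_example() or "decomposition justified")
    print("object detection:", object_detection_example())
```

The vehicle speed split passes all three checks, while the camera/radar split fails the coverage check for both elements, which is exactly the objection raised above.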
ASIL decomposition can be a real asset when applied correctly, but careful consideration is needed to ensure that full redundancy exists in the system. Each automotive system is different, so the applicability of ASIL decomposition should be judged on a case-by-case basis.