Publication

The Importance of Active Choices in Hazard Analysis and Risk Assessment.

According to the functional safety standard for road vehicles, ISO 26262, the list of safety goals shall be shown to be complete. Especially when considering highly automated driving, this may lead to the formulation of very general hazardous events. On the one hand this may make it easier to show completeness, but on the other hand it may cause too strong ASIL attributes to be allocated to too much of the implementation, implying unnecessarily high cost. This position paper claims that carefully chosen explicit failure models in the hazard definitions will generally enable more cost-efficient and still safe E/E systems for road vehicles. This is especially important for highly automated driving and autonomous vehicles, where many safety goals may have an impact on a large part of the entire E/E architecture.

Keywords: ISO 26262, hazard analysis and risk assessment, safety goals, failure models, highly automated driving.

I. INTRODUCTION

When performing a hazard analysis and risk assessment (HA&RA) in the domain of road vehicles according to ISO 26262 [1], it is a challenge to make the list of Safety Goals (SG) complete and correct while still not forcing the implemented functionality to become too expensive. This is a variant of the classical problem in design verification: if the analysis is not very detailed, you need instead to be conservative. The more detail you put into your analysis, the smaller the margins that are needed. In an analogous way, the HA&RA can be based on few and general hazards and situations, or on a larger number of more detailed ones. In the former case the benefit is a shorter HA&RA, easier to perform and easier to show complete. The cost for this is a design that might be much more expensive because of the higher ASIL values and/or the broader implications of the safety goals. In the latter case the cost might be lower, but this requires a more elaborate HA&RA.

This position paper argues that safety goal formulation is an active choice and that in many cases it is worth the effort to be more explicit and elaborate in the HA&RA. The paper is organized as follows. Section II argues how to verify the completeness of a HA&RA. Section III presents why the HA&RA is an activity that can be performed in many valid ways, and why it is therefore important to make an active choice about how it is done. Section IV argues how to elaborate the HA&RA, in particular by identifying several hazards constituted by different tolerance margins. Section V then explains why this is especially important for autonomous vehicles, where the cost implications may be significantly higher.

Author(s)
Rolf Johansson
Research area
Systems for accident prevention and AD
Publication type
Conference paper
Published in
CARS 2015 - Critical Automotive applications: Robustness & Safety, Sep 2015, Paris, France
Year of publication
2015