ASIL vs MSIL: Why Has a Separate ISO 26262-12:2018 Standard Been Introduced for Two-Wheelers?
When the ISO 26262 standard was launched in 2011, it was meant for vehicles with four wheels or more (up to 3500 kg). Although not mentioned explicitly, the standard was not applicable to two-wheelers.
“Why were motorcycles excluded from the standard?” you may ask. Well, the specific answer to that question will be best known to the insiders at the ISO 26262 committee. However, what can easily be interpreted is that the safety criticality guidelines designed for a four-wheeler were not relevant for a two-wheeler.
For example, the onus of balancing a motorcycle (when it is stationary) is on the rider. There is no such dependence in a car. Furthermore, the controls in both types of vehicles are quite different.
Even some similar components in a car and a bike would pose different hazards and thus, a need for a separate set of guidelines was felt for motorcycles.
The new scope of ISO 26262 shifted from “road vehicles up to 3500 kg” to “road vehicles excluding mopeds”. This brought not only motorcycles under the ISO 26262 umbrella but also heavy vehicles like buses and trucks.
The scope of this blog will be restricted to the functional safety guidelines for motorcycles or two-wheelers in general.
Notable Differences in the New ISO 26262 Guidelines for Motorcycle Functional Safety
As already mentioned, the safety criticality in a motorcycle works differently. Therefore, there are some key differences in the ISO 26262 standards for two-wheelers.
Motorcycles have unique functional safety requirements. The emphasis is more on the rider’s behavior than the vehicle components. The changes in the latest version of ISO 26262 standard are visible right from the start, i.e., the concept phase. As the changes must come from within, safety culture in the organizations that are stakeholders in motorcycle development requires additional focus.
Let’s find out how ISO 26262 adapts itself to the unique safety needs of a motorcycle:
- The organization must define processes and work instructions for compliance with Part 12 in the QMS. It also has to ensure that the other standards are well integrated, for example the interactions between cybersecurity and functional safety.
- Measures for process improvement need to be put in place, to learn from executed safety projects.
- The organization must give the safety team sufficient authority for execution and compliance.
Reclassification of confirmation reviews:
- For motorcycles, Table 1 in Part 12 replaces the Part 2 table on confirmation reviews. This table omits the ASIL D column found in the earlier table, because the highest MSIL maps to ASIL C.
- Confirmation measures such as confirmation reviews and functional safety audits are to be performed as per the independence mentioned in the table.
- A functional safety assessment is to be done if certification is sought.
These guidelines shape processes like HARA, safety validation and more during the development of ISO 26262 compliant two-wheeler software and hardware. Let’s understand this in a little more detail.
Hazard Analysis and Risk Assessment (HARA)
There are a few modifications made to the process of HARA. Naturally so, because the safety in a two-wheeler ecosystem depends on multiple external factors such as helmets, protective gears, training, etc. Also, the rider has an enhanced responsibility to keep the two-wheeler safe while riding.
A hazard may also result from the motorcycle’s behavior and not necessarily from a failure.
For instance, a passenger car is inherently designed to navigate safely through snow/ice on the road. However, a motorcycle is not.
So, if the rider decides to try off-roading or drives in a hazardous situation (during a heavy snowfall), he/she is accepting a higher degree of risk.
Such a scenario is outside the scope of ISO 26262 Part-12. Moreover, the 3 important factors in Hazard Analysis and Risk Assessment (HARA) – controllability, severity and exposure are also affected to a great extent in such conditions.
Motorcycle specific hazard analysis and risk assessment:
- More emphasis is placed on rider behaviour than on the machine components for mitigating risks. Controllability of motorcycle-specific hazardous events places more emphasis on the rider.
- HARA leads to MSIL (Motorcycle Safety Integrity Level) determination.
- The worldwide established level of technology in the motorcycle industry suggests that ASIL classification is inappropriate for motorcycles. So, an alignment between MSIL and ASIL classification is established to match ISO 26262 to the worldwide capability of the motorcycle industry.
Identifying operating scenarios:
- Malfunctions are considered in operational modes when the vehicle is correctly used and when it is incorrectly used in a reasonably foreseeable way. For example: road race, Motocross or trial events are not considered normal motorcycle use conditions.
- HAZOP can be used to identify hazards and operational scenarios. Annex B lists a severity scale based on the AIS standard, along with exposure (duration/frequency) probability examples. For controllability, the assumption is that the driver is trained, experienced and in good condition.
- The scenarios should not be too many (which makes analysis vague and exposure rare) or too few (insufficient safety measures might get considered). The best way is to aggregate similar scenarios into a list that is ‘as relevant as possible’ to usage. E.g.: a normal motorcycle is not expected to travel on bad roads at high speed.
The output of HARA for a motorcycle is MSIL, the motorcycle counterpart of the ASIL. The method and the approach used to perform HARA for motorcycles are similar to those for passenger vehicles. However, the ASIL-MSIL alignment/mapping is the key difference.
For example, ASIL C for a passenger car is equivalent to MSIL D, which is the maximum value for MSIL.
Reasons for Mapping MSIL to ASIL:
- This mapping of MSIL to ASIL helps the motorcycle industry to develop the software/hardware components in accordance with the mapped ASIL grade.
- Before the safety goals are derived from the MSIL, it needs to be mapped to the corresponding ASIL value. This is because the product development phase (Part-4) is still relevant and so are its applicable requirements.
Similar to ASIL, MSIL is also derived based on three factors: Severity (S), Exposure (E) and Controllability (C). The table below will help you understand how these factors contribute to the process.
We have already discussed why it is important to map the MSIL value to ASIL. But for those interested in working on the Functional Safety of two-wheelers, ‘how’ assumes more importance.
The ISO 26262 Part-12 document provides Table-6 as the reference for mapping MSIL to ASIL. MSIL QM remains QM for ASIL; however, MSIL D is mapped to ASIL C.
As per the standard, the ASIL levels mapped from the MSIL represent the minimum requirement. It implies that if the HARA determines the MSIL to be B, the component will be developed according to the requirements mentioned for ASIL A.
However, to meet the requirements of any safety goal, the requirements mentioned in Part-12 will supersede the requirements in the other parts.
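The determination and mapping steps described above, as an added Python example (not code from the article or from the standard). It assumes the MSIL risk graph uses the same S/E/C sum rule as the ASIL table and a one-level MSIL-to-ASIL shift consistent with the rows the article states; the function names and sample HARA rows are constructed for illustration.

```python
LEVELS = ["QM", "A", "B", "C", "D"]  # ordered from lowest to highest

# Rows QM->QM, B->A and D->C are stated in the article; A->QM and C->B are
# assumed here from the one-level shift those rows imply.
MSIL_TO_ASIL = {"QM": "QM", "A": "QM", "B": "A", "C": "B", "D": "C"}


def determine_msil(s, e, c):
    """Classify one hazardous event from its S, E and C classes.

    Assumption: the MSIL risk graph has the same shape as the ASIL one
    (S0-S3, E0-E4, C0-C3; class sum 7/8/9/10 gives A/B/C/D, otherwise QM).
    """
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"class out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):  # a class of 0 means no safety requirement
        return "QM"
    return {7: "A", 8: "B", 9: "C", 10: "D"}.get(s + e + c, "QM")


def safety_goal_levels(hara_rows):
    """Return {goal: (msil, minimum_asil)} for rows of (goal, s, e, c).

    A goal covering several hazardous events takes the highest MSIL
    among them (assumption, mirroring the usual ASIL practice).
    """
    worst = {}
    for goal, s, e, c in hara_rows:
        msil = determine_msil(s, e, c)
        current = worst.get(goal, "QM")
        worst[goal] = max(current, msil, key=LEVELS.index)
    return {goal: (msil, MSIL_TO_ASIL[msil]) for goal, msil in worst.items()}


# Constructed sample HARA rows: (safety goal, S, E, C). Not from the standard.
SAMPLE_ROWS = [
    ("SG1 unintended acceleration", 3, 4, 3),
    ("SG1 unintended acceleration", 2, 3, 2),
    ("SG2 loss of brake light", 2, 4, 2),
    ("SG3 dashboard flicker", 1, 2, 2),
]

if __name__ == "__main__":
    for goal, (msil, asil) in safety_goal_levels(SAMPLE_ROWS).items():
        print(f"{goal}: MSIL {msil} -> develop to at least ASIL {asil}")
```

The mapped ASIL is the minimum development target, so a team can still choose to develop a component to a higher level.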
Confirmation measures are major requirements for certain work products in the functional safety lifecycle. These measures include confirmation reviews, assessments and audits.
The purpose of these reviews is to ensure that the activities such as HARA, FMEA, FMEDA, etc. are on the intended track.
Some of these reviews need to be done by a different person (I1) while a few confirmation measures are supposed to be performed by a person from a different department or organization (I3). The classification depends on the safety goals and the ASIL values.
*I0 to I3 denote the degree of independence
In Part-12 of the latest ISO 26262 standard, the confirmation measure has been re-classified for the motorcycle industry. I2 has been set as the highest level of independence as compared to I3 in the automotive functional safety. It implies that the confirmation measure will be performed by a person from a different team who does not report to the same direct superior.
The changes in the ISO 26262 standard are not confined to HARA and ASIL but also extend to the testing activities.
Major modifications have been made in Part-4 of the ISO 26262 standard (Product development at system level) with respect to motorcycles.
For instance, Table-7 covers correct implementation of the functional safety requirements at the vehicle level. For motorcycle functional safety, the test methods mentioned in this table always take precedence over the test methods defined in Part-4, Part-6 or Part-8 of the ISO 26262 standard.
Similarly, Table-8 gives the methods to ensure the correct functional performance, accuracy and timing of safety mechanisms at the vehicle level. These methods are recommended to fulfill the motorcycle-specific safety goals.
Modifications in the Vehicle Integration testing
- If concerns over rider safety exist, it is appropriate to select alternative test methods or move some of the vehicle integration test activities to other sub-phases.
- User tests and long-term tests with normal users as testers are not feasible for motorcycles.
- Tests under real-life conditions can be conducted using simulated conditions.
Modified scope of Safety Validation
Safety validation covers:
- the controllability (including intended use and foreseeable misuse)
- the effectiveness of the external measures
- the effectiveness of the elements of other technologies (For example, a mechanical component that prevents a malfunction can be validated on the final vehicle at a later stage)
- assumptions that influence the ASIL mapped from MSIL in the hazard analysis and risk assessment
- aspects that can be checked only in the final vehicle
How is the New ISO 26262 Version Going to Impact the Motorcycle Industry?
The answer is, ‘Exactly how it impacted the automotive industry’. The response to the ISO 26262 standard and functional safety in general has been very welcoming.
While bigger OEMs were already concerned about safety, the smaller players are now serious about it.
Now that the infotainment system, ABS, Battery Management System, etc. have made their way inside a two-wheeler, it is only natural that functional safety will assume far more importance.
Industry insiders report that a few two-wheeler OEMs were inculcating a safety culture even before the 2018 version of ISO 26262 was released.
They were mapping ASIL for motorcycles based on their expertise and domain knowledge.
However, with a formal ISO 26262 standard now out for motorcycles, a clearer path for ensuring motorcycle functional safety is available. Hopefully, the future holds safer motorcycles for us.