Why ISO 26262 is useful: Using ISO 26262 ensures that high safety standards are built into automotive components from the outset. The standard helps you set up a safety management system based on internationally recognized best practices and the current approach to risk handling, which gives you an edge over your competitors. Compliance with ISO 26262 is likely to become a way for carmakers to check the quality of parts and of potential suppliers of E/E components.
The ISO 26262 standard is made up of several parts that spell out the rules and requirements for making sure that E/E systems in cars work safely. The standard ISO 26262 is considered a best practice framework for achieving functional safety in road vehicles.
- Hardware and software like electric and electronic devices
- Parts or systems that could have a big effect on people’s lives if they break down
- It doesn’t cover equipment that is only made of machinery.
- It covers the whole life cycle of automotive products.
- It covers motor vehicles up to 3500 kg.
Safety has always been an important part of the auto industry, but recently it has become even more important. Currently the biggest compound annual growth rate (CAGR) in automotive electronics revenue can be attributed to safety applications. Increasingly car manufacturers are making safety a key selling point with which to differentiate themselves from their competition. However, because cars are now made with more and more electronics, we need to move away from the long-standing best practices approach and toward clear, universal guidelines. As a result, industry protagonists have joined forces to develop a standard with far-reaching implications.
The word “safety” is subject to various different interpretations. However, when applied to modern automobile design it can generally be categorized using the following structure:
1. Passive safety assumes that an accident is going to happen; the goal of passive safety mechanisms is to make its consequences less severe. The passive safety elements found within a vehicle include seatbelts, crumple zones, etc.
2. Active safety: systems that deal with active safety try, based on what they know about the vehicle’s current state, to avoid accidents altogether and to lessen their effects if they do happen. Seatbelt pre-tensioning, airbag deployment, predictive emergency braking, anti-lock braking systems and traction control are all examples of this.
3. Functional safety is about making sure that all electrical and electronic systems work properly. This includes all active safety systems as well as power supplies, sensors, communication networks, actuators, and more. Functional safety is dealt with by the ISO 26262 standard (published in November 2011).
It is important to note right away that functional safety does not mean that there is no chance of a malfunction occurring. Instead, it means that there is no unacceptable risk due to hazards caused by electrical and electronic systems malfunctioning.
ISO/DIS 26262 adapts the IEC 61508 standard to the needs of E/E systems used in vehicles. ISO 26262 covers the functional safety aspects of the entire development process, including activities such as requirements specification, design, implementation, integration, verification, validation and configuration. The standard also provides guidance on automotive safety lifecycle activities by specifying requirements for each of them.
ISO 26262 is the automotive industry’s gold standard for functional safety. As vehicles become increasingly complex and automated, having expertise in this critical standard is a highly sought-after skillset.
If you have an ISO 26262 related interview coming up, preparation is key. Knowing how to effectively communicate your capabilities regarding ISO 26262 will boost your chances of landing the job. In this comprehensive guide, we’ll explore the 20 most common ISO 26262 interview questions, providing sample responses to help you master your answers.
Overview of ISO 26262
Before diving into the interview questions, let’s quickly recap what ISO 26262 entails:
- ISO 26262 is an international standard that provides a framework for achieving functional safety in electrical and electronic systems within road vehicles.
- It aims to minimize risk by defining processes, methods, and measures to ensure safety throughout the product lifecycle.
- The standard was published in 2011 by the International Organization for Standardization and applies to passenger cars and other light on-road vehicles.
- It addresses possible hazards resulting from malfunctions in electrical and electronic systems, providing requirements to ensure these systems function safely.
- Adhering to ISO 26262 is crucial for automotive companies to gain certification and meet legal safety requirements in markets worldwide.
Now let’s look at some sample questions and model responses.
1. How would you integrate ISO 26262’s safety lifecycle into our existing product development process?
When preparing for ISO 26262 related interviews, expect questions on integrating the standard’s safety lifecycle. Your response should demonstrate a systematic approach and strong understanding of the key integration steps.
Example response:
To effectively integrate ISO 26262’s safety lifecycle into our existing product development process, I would first perform a thorough gap analysis to identify how our current practices align with the standard’s requirements. This would allow us to pinpoint specific areas that need to be addressed, such as hazard analysis and risk assessment, functional safety concept, and technical safety concept.
With these insights, we can then prioritize the implementation of changes that will have the most significant impact on safety. The next step would be to establish a robust safety management system, ensuring that functional safety considerations are embedded at every stage of the product development cycle. This includes training our team to understand the importance of safety requirements and how they translate into design, implementation, and verification activities.
By embedding safety activities such as Failure Mode and Effects Analysis (FMEA) and Fault Tree Analysis (FTA) early in the development process, we can design safety measures that are integral to the product architecture.
Lastly, it’s imperative to maintain a cycle of continuous improvement through regular safety reviews, validation, and verification activities, ensuring that our products not only comply with ISO 26262 at launch but also throughout their lifecycle. This approach not only minimizes risk but also fosters a culture of safety that aligns with the evolving landscape of functional safety standards.
2. What are the key differences between ASIL A and ASIL D in the context of ISO 26262, and how do they impact system design?
The ASIL classifications in ISO 26262 denote Automotive Safety Integrity Levels, indicating the level of rigor required to mitigate safety risks. Interviewers often ask candidates to explain the differences between ASIL A and ASIL D.
Example response:
ASIL A and ASIL D represent different levels on the ISO 26262 Automotive Safety Integrity Level spectrum, with ASIL A being the lowest and ASIL D the highest. The key difference between these levels lies in the rigor and stringency of the safety requirements that need to be met.
For ASIL A, the potential risks are less severe, and thus, the safety measures implemented can be less stringent, focusing on basic fault tolerance and ensuring that the system is safe under normal operating conditions.
In contrast, ASIL D pertains to systems where malfunctions could lead to critical situations with a high likelihood of severe or fatal injuries. The impact on system design between these levels is substantial. For ASIL D systems, designers must incorporate highly reliable components and sophisticated redundancy mechanisms, such as dual microprocessors with cross-checking, to minimize the risk of failure. This often results in increased design complexity, longer development times, and higher costs due to the need for more advanced safety features and rigorous testing and validation processes.
The verification for ASIL D systems is more exhaustive, requiring extensive fault injection testing and analysis to ensure that the system can handle a wide range of failures without endangering the vehicle occupants. In essence, the ASIL classification drives the depth and breadth of safety engineering activities throughout the development lifecycle.
3. Describe a scenario where applying ISO 26262 could conflict with other industry standards, and how you would resolve it.
When standards conflict, resolving the tension between safety and other requirements is key. Your response should demonstrate how you would analyze trade-offs and prioritize ISO 26262’s emphasis on safety.
Example response:
In the development of an advanced driver-assistance system (ADAS), we encountered a situation where ISO 26262’s stringent safety requirements appeared to conflict with the performance criteria set by another industry standard focused on wireless communication protocols.
The communication standard demanded a high data throughput to ensure real-time performance, which could potentially compromise the safety measures required by ISO 26262 due to the increased complexity and potential for faults in the communication system.
To resolve this, we conducted a thorough risk assessment to understand the impact of aligning with both standards. We engaged with stakeholders from both safety and communication teams to establish a common ground. By prioritizing the safety goals of ISO 26262, we identified critical areas where performance could be slightly reduced without significantly affecting the user experience.
We then implemented a robust fault-tolerant communication mechanism that satisfied the high reliability and availability requirements of ISO 26262, while still meeting the essential performance criteria of the communication standard. This solution involved using redundant communication channels and advanced error-checking protocols that allowed for real-time performance without compromising safety.
Through this approach, we ensured that the system adhered to the highest safety standards without neglecting the functional requirements dictated by industry-specific communication protocols.
4. In what ways does ISO 26262 address cybersecurity concerns within automotive systems?
With vehicles becoming increasingly connected, cybersecurity is a growing concern related to functional safety. Be ready to discuss ISO 26262’s applicability to mitigating cyber risks.
Example response:
ISO 26262 primarily focuses on the functional safety of automotive systems to address hazards stemming from system malfunctions. However, it indirectly addresses cybersecurity concerns by establishing a rigorous risk assessment and management process that can be adapted to include cybersecurity threats.
The standard’s emphasis on identifying hazards, assessing risks, and implementing safety measures provides a strong foundation for integrating cybersecurity considerations, especially when evaluating the potential for cyberattacks to induce safety-critical failures.
Recognizing the interplay between safety and security is crucial, as a cyberattack could compromise safety functions and lead to hazardous events. For a comprehensive approach, ISO 26262 should be used in conjunction with cybersecurity-specific frameworks, such as SAE J3061 or the upcoming ISO/SAE 21434.
This ensures that while ISO 26262 guides the development of safety-critical systems, the cybersecurity framework addresses the protection of these systems from malicious breaches, creating a robust defense-in-depth strategy that encompasses both safety and security.
5. Outline your approach to conducting hazard analysis and risk assessment as per ISO 26262 requirements.
Hazard analysis and risk assessment form the backbone of the ISO 26262 safety lifecycle. Interviewers want to see that you grasp the key steps and can apply them methodically.
Example response:
In accordance with ISO 26262, my approach to hazard analysis and risk assessment begins with a comprehensive understanding of the item’s intended functionality and its operational context. This foundational step ensures that potential hazards are identified in light of the vehicle’s entire lifecycle, including various operational situations and environmental conditions.
Once hazards are identified, I systematically evaluate the risk posed by each hazard, considering the severity, exposure, and controllability factors to determine the Automotive Safety Integrity Level (ASIL) for each scenario.
The next phase involves formulating safety goals aimed at mitigating identified risks to acceptable levels. These goals are specific, measurable, and aligned with the ASIL requirements. In proposing risk mitigation measures, I prioritize strategies that integrate seamlessly with the system design and adhere to the safety lifecycle.
My experience includes successfully implementing such measures, which has not only ensured compliance with ISO 26262 but also enhanced the overall safety of automotive systems. For instance, I’ve previously led the integration of fail-safe mechanisms that directly addressed potential hazards, thereby reducing the risk to both the vehicle occupants and the surrounding environment.
6. Detail a situation where you had to tailor functional safety concepts from ISO 26262 to a low-volume production project.
For low-volume production, fully applying ISO 26262 may be impractical. Your response should demonstrate adaptability in scaling the standard while upholding safety.
Example response:
In a recent project, we were tasked with developing an electric powertrain system for a low-volume luxury sports car, where the economies of scale that usually make full ISO 26262 compliance affordable were not available.
To address this, we conducted a thorough hazard analysis and risk assessment to identify safety goals critical to the project.
What ISO 26262 Does Not Cover
- E/E systems unique to special-purpose vehicles, such as vehicles designed for drivers with disabilities.
- Electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, energy release and similar hazards, unless they are directly caused by malfunctioning E/E safety-related systems.
- Nominal performance of E/E systems
Example for Functional Safety:
Part 6 of the standard specifically addresses product development at the software level. Requirements for the following development activities are specified:
- Initialization of product development
- Specification of software safety requirements
- Software architectural design
- Unit design and implementation
- Unit testing
- Software integration and testing
- Verification of software safety requirements.
What is functional safety in accordance with ISO 26262?
ISO 26262 focuses on the functional safety of electrical and electronic (E/E) systems in vehicles. Functional safety in accordance with ISO 26262 affects all systems containing electrical, electronic or electromechanical components, i.e. systems from the fields of actuator and sensor technology as well as control electronics. IEC 61508 covers industrial systems in general, and there are also standards specific to railroad technology, aircraft technology and other fields. ISO 26262 is the sector-specific extension of IEC 61508 for the automotive industry.
Functional safety means that people are not exposed to unreasonable risk from possible malfunctions in electrical and electronic systems. Functional safety is therefore considered a system property. Active and passive safety differ in that active safety focuses on preventing accidents before they happen, through electronic systems such as ACC, ABS, ESP and others, whereas passive safety means reducing the effects of an accident once it has happened (e.g. safety belts, but also electronic systems such as airbags, belt tensioners, etc.). Electronic systems for active and passive safety must also be functionally safe, since faults in these systems could likewise harm people. Functional safety mainly addresses the risks arising from random hardware faults as well as systematic faults in system design, hardware or software development and production, from commissioning of the system to taking it out of service for repair.
To this end, ISO 26262 is made up of 10 sections with a total of about 750 clauses and 450 pages. These sections cover a wide range of topics, such as system design, hardware, software and the development processes that go along with them. The safety lifecycle plays an important role in this regard: it governs the identification, design, monitoring and assessment of the individual elements of an industry-standard V-model in their causal order. The term “functional safety” should not be confused with, let alone equated with, properties such as a product’s dependability, availability or security. Reliability describes the probability of a system performing its assigned function within a particular period of time. According to Wikipedia, availability is the percentage of a system’s service life during which it can be used to do its job.
Since ISO 26262 is not a certification standard, it contains no rules about certification or its scope. As far as the standard is concerned, there is no need to certify systems, components or processes against it, and the standard has nothing to do with vehicle registration either. Experience with implementing ISO 26262 has nevertheless shown that many users of the standard should obtain both certification and an external assessment. The content of these checks is currently being finalized by the competent certifying bodies.
When it comes to the law, ISO 26262 doesn’t directly change anything. The provisions of product liability and liability for material defects continue to apply. There are references to the relevant legal publications for other legal issues, such as the shifting of the burden of proof. When judging the “state of the art,” professional standards are usually taken into account. This means that ISO 26262 is indirectly important for the law.
To account for the way the automotive industry’s supply chain works, ISO 26262 sets out rules for who is responsible for safety-related tasks when multiple sites work on the same project. This is what the Development Interface Agreement (DIA) is for: it is the clear, detailed agreement between the companies at their interfaces. Additionally, as we will see in the next section, it is not enough for a customer simply to ask its supplier to work in an “ISO 26262-compliant manner” or to name a specific safety classification. A clear agreement at the technical level about matters such as safety goals, the classification of safety goals, the safety measures to be used and so on is also essential to ensure the development of a safe product across supply boundaries.
How is functional safety in accordance with ISO 26262 achieved?
The safety lifecycle starts with a definition of the system to be considered at vehicle level (the “item”). For the purposes of illustration, let us take the example of an airbag system. The next step is a hazard analysis and risk assessment of the system under consideration. One potential hazard in an airbag system would be the airbag inflating unintentionally. A corresponding safety goal must now be determined for each hazard; in this example, one safety goal would be to prevent the airbag from inflating unintentionally. Typically, a large number of safety goals are identified at this point. Each safety goal is then assigned either to QM or to one of four safety classes, which the standard calls Automotive Safety Integrity Levels (ASIL). The four levels are called ASIL A through ASIL D. The rating “QM” indicates that a standard quality management system, e.g. one according to ISO/TS 16949 or following established standards like Automotive SPICE, is enough to meet the safety goal and that no extra requirements from ISO 26262 are needed. In terms of ISO 26262, “ASIL A” is the lowest safety rating and “ASIL D” the highest. An allocation table in the standard helps to determine the ASIL for each safety goal. Three parameters are evaluated in each case. These are:
- Exposure, i.e. how often the vehicle is in a situation in which the people involved (e.g. driver, passengers or other road users) may be put at risk;
- Controllability, i.e. the degree to which the people involved can handle a breach of the safety goal;
- Severity, which measures how bad the consequences could be if the safety goal is breached.
The unintentional inflation of the airbag is typically classified as “ASIL D.”
Safety goals must be implemented in accordance with their ASIL classification. In other words, suitable procedures and techniques must be used to avoid systematic faults, and additional requirements must be placed on the product to control technical faults. This is done initially by defining a functional safety concept. An example would be a redundancy concept with a control channel and a separate monitoring channel: the airbag would only inflate if both channels agreed with each other.
The technical aspects are then fleshed out in a technical safety concept. For this example, a safety architecture could be designed with a sufficient number of independent sensors, each channel being able to switch the trigger circuit by itself, so as to realize the functional safety concept. The architecture could also include safety measures implemented outside the E/E system (e.g. mechanical preventive measures). The implementation of such measures does not, however, fall within the scope of ISO 26262; the corresponding standards must be taken into account in this regard.
The hardware safety requirements and software safety requirements are now determined based on the technical safety concept. The following goals are very important: making sure that redundant systems are independent enough (called “dependent failure avoidance”) and that certain metrics are met when evaluating hardware (called “single point fault metric” and “latent fault metric”). After integrating the system, it must be safety validated, functionally tested, and then released for production. The specific requirements of ISO 26262 are based on the ASIL classification of the safety goals.
The standard also covers everything from production and operation of the system to taking it out of service in the field. The airbag is a good example of a product that must never inflate by accident, even at the end of its lifecycle.
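The control-channel/monitoring-channel concept from the airbag example, as an added illustration in C (not code from the page or from any real airbag ECU): two independent sensors and channels, a plausibility cross-check as self-monitoring, the two channel switches in series so that the airbag fires only if both agree, and a safe state on any detected fault. The g thresholds, tolerance and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed scale: sensor readings are deceleration magnitudes in g. */
#define CRASH_THRESHOLD_G   40   /* deploy above this deceleration */
#define PLAUSIBILITY_TOL_G  10   /* max disagreement between the two sensors */
#define SENSOR_MAX_G        200  /* readings beyond this are physically impossible */

typedef enum { ACT_INHIBIT = 0, ACT_FIRE = 1, ACT_SAFE_STATE = 2 } action_t;

typedef struct {
    bool enable;   /* channel closes its own switch in the trigger circuit */
    bool fault;    /* channel's self-monitoring detected a fault */
} channel_out_t;

/* Range check shared by both channels: a reading outside the physical
 * range means the sensor or its signal path has failed. */
static bool sensor_valid(int accel_g)
{
    return accel_g >= 0 && accel_g <= SENSOR_MAX_G;
}

/* Control channel: decides deployment from its own sensor only. */
channel_out_t control_channel(int ctrl_accel_g)
{
    channel_out_t out = { false, false };
    if (!sensor_valid(ctrl_accel_g)) { out.fault = true; return out; }
    out.enable = ctrl_accel_g >= CRASH_THRESHOLD_G;
    return out;
}

/* Monitoring channel: separate sensor, same threshold, plus a plausibility
 * cross-check against the control channel's sensor. Disagreement beyond
 * the tolerance reveals a fault in one of the two paths. */
channel_out_t monitoring_channel(int mon_accel_g, int ctrl_accel_g)
{
    channel_out_t out = { false, false };
    if (!sensor_valid(mon_accel_g)) { out.fault = true; return out; }
    if (sensor_valid(ctrl_accel_g) &&
        abs(mon_accel_g - ctrl_accel_g) > PLAUSIBILITY_TOL_G) {
        out.fault = true;
        return out;
    }
    out.enable = mon_accel_g >= CRASH_THRESHOLD_G;
    return out;
}

/* Trigger circuit: the two channel switches are in series, so the airbag
 * fires only if both channels agree. Any detected fault forces the safe
 * state for the safety goal "prevent unintended inflation": the trigger
 * is inhibited and the fault is reported (warning lamp / diagnostics). */
action_t arbitrate(channel_out_t ctrl, channel_out_t mon)
{
    if (ctrl.fault || mon.fault) return ACT_SAFE_STATE;
    return (ctrl.enable && mon.enable) ? ACT_FIRE : ACT_INHIBIT;
}

/* One control cycle with both sensor readings. */
action_t airbag_cycle(int ctrl_accel_g, int mon_accel_g)
{
    channel_out_t ctrl = control_channel(ctrl_accel_g);
    channel_out_t mon  = monitoring_channel(mon_accel_g, ctrl_accel_g);
    return arbitrate(ctrl, mon);
}

int main(void)
{
    static const char *const names[] = { "INHIBIT", "FIRE", "SAFE_STATE" };
    const int cases[][2] = { {2, 3}, {80, 78}, {120, 2}, {500, 500}, {45, 38} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("ctrl=%3d g  mon=%3d g -> %s\n", cases[i][0], cases[i][1],
               names[airbag_cycle(cases[i][0], cases[i][1])]);
    return 0;
}
```

Note that the safe state chosen here favours the "no unintended inflation" goal over availability: a single detected fault disables deployment, which is exactly the safety-versus-availability distinction the text warns against blurring.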
Need for internal expertise
- Functional safety is a complex topic
- Functional safety standards are difficult to master
Further challenges
- ISO 26262 can lead to multiple interpretations
- Many companies/consultants were (and still are) very much IEC 61508 focused
- But automotive has different constraints to consider
- People often mix up the ideas of safety, availability and dependability: “It always has to work, so it has to comply with ISO 26262!”
- Many people still read the wording of ISO 26262 with IEC 61508 “eyes”, which leads to a lot of confusion.
Example: In IEC 61508, the item is a part of the final control system. In ISO 26262, the item is the final system at vehicle level.
- Based on the functional safety concept, the technical safety concepts are derived.
- The technical safety requirements are mapped to system elements, which are hardware or software based.
- If a system component fails:
  - it is necessary to describe the ways in which the failure will be detected (self-monitoring), and
  - there must be a reaction that allows the system to reach a safe state.
- Integration of hardware and software follows the development of hardware and software; system integration and vehicle integration come after that.
- Experimental testing (time and cost intensive)
- Reconfiguration of HW and SW
- Timing behavior (analytics)
- Independence and interference
Please refer to the following documents for AUTOSAR safety information:
ISO 26262 functional safety question
FAQ
What is the principle of ISO 26262?
What is safety goal in ISO 26262?
What is the ISO 26262 lifecycle?
What is the parent standard of ISO 26262?
What is ISO 26262 functional safety?
ISO 26262, titled ‘Road vehicles — functional safety’, is a functional safety standard used in the automotive industry. It is crucial for automotive product development and includes the concept of Automotive Safety Integrity Levels (ASILs) to determine safety requirements for software development. Complying with ISO 26262 is critical.
What is ISO 26262?
ISO 26262 is a risk-based safety standard derived from IEC 61508 that applies to electric and/or electronic systems in production vehicles. It covers electric and/or electronic systems, including driver assistance, propulsion, and vehicle dynamics control systems. ISO 26262 is a functional safety standard that covers all of the functional safety aspects of the entire development process.
How do I prepare for a job interview about ISO 26262?
When preparing for a job interview that may involve questions about ISO 26262, it’s important to demonstrate a comprehensive understanding of how the safety lifecycle is integrated into product development. This ensures that from concept to decommissioning, all stages comply with safety regulations.
How can ISO 26262 help you get a job?
Boost your chances of landing the job by learning how to effectively communicate your ISO 26262 capabilities. ISO 26262 stands as a paramount standard within the automotive industry, setting forth rigorous guidelines to ensure the functional safety of electrical and electronic systems in road vehicles.