Once the criticality of a level 1 output (an item's output) has been evaluated, every element or function involved in producing that output is assigned the same ASIL as that output.
The criticality of an item and of its sub-elements is therefore estimated only once, at the top level; it is not necessary to estimate the criticality of each sub-element separately. This saves a great deal of time and guarantees consistent assessments, compared with traditional approaches such as FMECA or FMEDA in which the risk assessment stage is carried out on each sub-element of the item.
To make this "viral" propagation of the ASIL (inheritance of the upper-level output's ASIL) usable in industry, the criticality of a sub-element may be reduced when its function is redundant or monitored. This ASIL decomposition follows a well-defined method specified in the ISO 26262 standard (Part 9), which only permits certain combinations of ASILs and requires the redundant elements to be sufficiently independent of each other.
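As an added illustration (not code from the original page or from the ISO 26262 standard itself), the following Python model applies the two rules above: it propagates each level 1 output's ASIL to every contributing element, then checks a proposed decomposition against the combinations allowed by ISO 26262-9 (ASIL D into C+A, B+B or D+QM; C into B+A or C+QM; B into A+A or B+QM; A into A+QM). The element names, the dependency graph and the rule that an element feeding several outputs takes the highest ASIL are constructed assumptions for the example; the independence of the redundant parts still has to be demonstrated separately.

```python
"""ASIL inheritance from item outputs plus an ISO 26262-9 decomposition check.
Added example with a constructed item; not taken from the original page."""

from collections import deque

# ASIL ordering used to compare levels: QM < A < B < C < D
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

# Decompositions allowed by ISO 26262-9 (clause on ASIL decomposition).
# Each pair is the ASILs of two independent, redundant elements; the higher
# ASIL is listed first. The standard writes these as e.g. "ASIL B(D)".
ALLOWED_DECOMPOSITIONS = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}

# Constructed item: output "actuator_cmd" (ASIL D) is computed by a controller
# from a pedal sensor and a supply monitor; output "dashboard_msg" (ASIL A)
# reuses the same pedal sensor reading.
DEPENDS_ON = {
    "actuator_cmd": ["controller"],
    "controller": ["pedal_sensor", "supply_monitor"],
    "dashboard_msg": ["pedal_sensor"],
}
OUTPUT_ASILS = {"actuator_cmd": "D", "dashboard_msg": "A"}


def inherit_asil(depends_on, output_asils):
    """Assign every element reachable from a level 1 output the ASIL of that output.

    depends_on maps an element to the elements whose results it consumes.
    Assumption: an element contributing to several outputs takes the highest
    ASIL (no coexistence argument has been made for it)."""
    assigned = {}
    for output, asil in output_asils.items():
        queue, seen = deque([output]), set()
        while queue:
            elem = queue.popleft()
            if elem in seen:
                continue
            seen.add(elem)
            if elem not in assigned or ASIL_RANK[asil] > ASIL_RANK[assigned[elem]]:
                assigned[elem] = asil
            queue.extend(depends_on.get(elem, ()))
    return assigned


def decomposition_is_valid(original, asil_1, asil_2):
    """True if `original` may be split into two independent redundant elements
    of asil_1 and asil_2 (order of the two does not matter)."""
    if original == "QM":
        return False  # nothing to decompose
    pair = tuple(sorted((asil_1, asil_2), key=lambda a: -ASIL_RANK[a]))
    return pair in ALLOWED_DECOMPOSITIONS[original]


def decompose_element(assigned, element, parts):
    """Replace `element` by two redundant parts ((name, asil), (name, asil)).

    Raises ValueError when the split is not one the standard allows, so an
    invalid reduction of criticality cannot silently enter the assignment."""
    (name_1, asil_1), (name_2, asil_2) = parts
    original = assigned[element]
    if not decomposition_is_valid(original, asil_1, asil_2):
        raise ValueError(f"ASIL {original} cannot be decomposed into {asil_1}+{asil_2}")
    result = dict(assigned)
    del result[element]
    result[name_1] = asil_1  # record in the safety case as e.g. "B(D)"
    result[name_2] = asil_2
    return result


if __name__ == "__main__":
    asils = inherit_asil(DEPENDS_ON, OUTPUT_ASILS)
    print(asils)
    print(decompose_element(asils, "pedal_sensor",
                            (("pedal_sensor_1", "B"), ("pedal_sensor_2", "B"))))
```

Running the example shows the "viral" effect: the pedal sensor inherits ASIL D although it also feeds an ASIL A output, and only an allowed split (here B+B) lowers the requirement on each redundant sensor.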
In addition to the system risk-level evaluation process, the ISO 26262 standard introduces other methods to ensure the functional safety of a project. The main methods cited by the standard are the intensive use of FMEA and FTA during the different phases of the project design.
FMEA is an inductive (bottom-up) approach that tries to derive all probable consequences of a specific element failure on the complete system. It is a cause-to-effects approach.
FTA is a deductive (top-down) approach: it graphically shows the combinations of basic events, linked through logic gates, that lead to a predefined undesired top event. It is an effect-to-causes approach.
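To make the two directions concrete, here is an added example (not from the original page) of a small fault-tree evaluator in Python. The tree, its gates and the event names are constructed for illustration. The FTA direction computes the minimal cut sets of a top event, i.e. the combinations of basic events that realise it; the FMEA direction starts from one failure mode and reports every top event it can contribute to, with the size of the smallest cut set it belongs to (size 1 means a single point of failure).

```python
"""Minimal cut sets (FTA, effect-to-causes) and failure-mode lookup (FMEA,
cause-to-effects) on a constructed fault tree. Added example."""

from itertools import product

# A node is either a basic event (a string) or a gate ("AND" | "OR", [children]).
# Constructed trees for two undesired top events of a brake controller.
TREES = {
    "unintended_braking": ("OR", [
        ("AND", ["sensor_stuck_high", "plausibility_check_off"]),
        "controller_sw_fault",
    ]),
    "loss_of_braking": ("OR", [
        ("AND", ["primary_supply_loss", "backup_supply_loss"]),
        "controller_sw_fault",
    ]),
}


def minimize(sets):
    """Keep only minimal cut sets: drop any set that is a superset of another."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node):
    """Return the minimal cut sets (frozensets of basic events) that realise `node`."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        # any child's cut set is enough
        combined = set().union(*child_sets)
    elif gate == "AND":
        # one cut set from every child must occur together
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(combined)


def top_events_for_failure(trees, event):
    """FMEA view: for a single failure mode `event`, map each top event it can
    contribute to onto the size of the smallest cut set containing it."""
    result = {}
    for top, tree in trees.items():
        hits = [s for s in cut_sets(tree) if event in s]
        if hits:
            result[top] = min(len(s) for s in hits)
    return result


if __name__ == "__main__":
    for top, tree in TREES.items():
        print(top, [sorted(s) for s in cut_sets(tree)])
    print("controller_sw_fault ->", top_events_for_failure(TREES, "controller_sw_fault"))
    print("sensor_stuck_high ->", top_events_for_failure(TREES, "sensor_stuck_high"))
```

The same data structure serves both analyses: walking the tree down from the top event enumerates the causes, while scanning the cut sets for one event shows which effects that single element failure can have, which is exactly the information one wants to carry from one abstraction level to the next.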
ISO 26262 enhances these tools by combining them with its abstraction-level approach: at a high level it is easy to identify which elements may have a dangerous impact, so problems can be found quickly. The drawback is that, at a high level, it may be difficult to identify all the probable causes of failure. That is why it is important to perform the FMEA and FTA analyses at every abstraction level defined in the standard. Furthermore, ISO 26262 requires that any change in potentially dangerous failure modes be reported to the higher level, and that the FMEA and FTA analyses at the higher levels be updated accordingly.