
In recent years, safety design has come to be emphasized in the development of embedded systems. Alongside this way of thinking, efforts are under way to establish international standards so that safety is assured in a consistent way across countries.

In this article we give a comprehensive explanation of "functional safety", one of the key concepts for assuring such safety, and close with the safety of the real-time OS, one of the most important components of an embedded system, so that you can see where it fits in.

What is functional safety? How its definition differs from intrinsic safety

To understand functional safety, we must also understand intrinsic safety, since the two are defined in contrast to each other.

What is functional safety?

Functional safety refers to the relative reduction or elimination of risks to humans and the environment through safety measures added around the hazard.

The most obvious concrete example for understanding what functional safety is is the set of gates, signals, and warning devices installed at railroad crossings where the track intersects the roadway.

Railroad crossing

The risk at a railroad crossing is the contact between a person or car and the train. In order to reduce the risk of contact, alarms and signals are used to make people aware of approaching trains, and barriers are used to urge people to stop.

In this case, someone could ignore all of these and enter the track, so complete safety is not guaranteed. However, the risk of accidentally entering the track is reduced.

Such measures that reduce risk by means of crossing gates and alarms are called "functional safety."

What is intrinsic safety?

Next, intrinsic safety refers to the direct elimination of risks to humans and the environment through safety measures.

As with functional safety, a specific example of intrinsic safety against the risk of train collisions is to put the track on an elevated line and run the roadway under it, so that the track and the roadway cross at different levels instead of intersecting.

railway and road junction

In this case, safety is ensured by removing the environment in which trains and cars could collide in the first place.

Reliability and safety

Whether functional safety or intrinsic safety, safety measures are very important in system development. In constructing a safe design for an embedded system, it is necessary to understand the concepts of reliability and safety in order to judge how safe the safety measures actually are.

Here we discuss reliability and safety.

What is Reliability

Reliability is defined in JIS X 0014 as "the ability of a functional unit to perform its requested function for a given period of time under given conditions."

If we extract only the important part, it is "the ability to execute the requested function for the given period". At first glance this definition does not seem to raise any issue with safety, but on closer inspection nothing in it states safety explicitly.

In other words, even if the requested function itself has risks, it can be said that it is reliable if it can be executed for a given period.

If we use a train as an analogy, even if an automated train is running at a speed where there is a risk of derailment, there is no problem with reliability as long as it operates according to the required functions.

However, this is far from safe. That is why it is necessary to consider safety, which will be explained next.

What is safety

Safety is defined in JIS X 0134 as "the degree of expectation that a system, under specified conditions, will not transition to a state that endangers human life, health, property, or its environment."

To extract the important part, safety means "not transitioning to a state that exposes people or property to danger". However, the "ability to perform functions" that appears in the definition of reliability is not mentioned in the definition of safety.

For example, safety is ensured even for a train that has been removed from the tracks and cannot run because it has no wheels.

So even if it is safe, such a product has almost no value.

In other words, when considering safety design for all products including embedded systems, it is important that both reliability and safety are satisfied at the same time.

International standards "IEC61508" and "ISO26262" related to functional safety of embedded systems

The most famous standard for functional safety is the international standard IEC61508.

In this article, however, in addition to IEC61508 we will also explain the international standard "IEC60601", which concerns functional safety in the medical field (the specialty of "BlackBerry QNX", which our company handles), and "ISO26262", the functional safety standard for electrical and electronic systems in products such as automobiles.

International standard "IEC61508"

IEC61508, "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems", is an international standard established by the IEC (International Electrotechnical Commission) to ensure the functional safety of electronic systems. In Japan, JIS C0508 corresponds to IEC61508, and almost all embedded systems base their safety design on the functional safety defined in IEC61508.

Functional safety in embedded systems such as electrical and electronic devices is achieved through the following three processes.

Three specific points of "functional safety"

Quote: Ministry of Health, Labor and Welfare

In these review steps, the important things are what is required and what safety integrity level (SIL) is to be set.

The details of this safety integrity level (SIL) are described later.

IEC60601, the international standard for medical electrical and electronic systems

IEC60601 is an international technical standard formulated by the IEC (International Electrotechnical Commission) to ensure the safety of medical electrical equipment.

A similar safety standard is IEC60950, an international standard for IT equipment, but compared to ordinary IT equipment, medical equipment is closely related to human life and health, so it has extremely strict requirements.

The basic examination steps are often similar to IEC61508. As a measure of safety performance, we use the same safety integrity level (SIL) as in IEC61508.

ISO26262, the international standard for automotive electrical and electronic systems

ISO26262 is an international standard established by ISO (International Organization for Standardization) for functional safety related to automotive electrical and electronic systems. Because the environment of an automobile differs in many respects (traffic rules, driving culture, weather effects, etc.) from that of ordinary electrical and electronic devices, ISO26262 was formulated as a functional safety standard for automotive use, based on IEC61508.

There is a movement to standardize the application of ISO26262 for automobile electronic products and microcomputers, and many automobile manufacturers and suppliers ensure safety by meeting the requirements of this ISO26262.

The difference between ISO26262 and IEC61508 is that SIL is not used as a safety integrity level. Instead, ASIL (Automotive Safety Integrity Level) is used, which defines the functional safety of vehicles on public roads. More on ASIL later.

Risk classification system "SIL" and "ASIL"

So far, SIL and ASIL have appeared in explanations as indices for measuring safety levels. In this section, we will explain SIL and ASIL in detail.

What is SIL

SIL (Safety Integrity Level) is a safety level defined by IEC61508, and is used for safety evaluation of many electrical and electronic systems, including medical equipment with strict safety standards.

Different indices are used for SIL depending on how often the safety function is called upon. In high-demand (or continuous) mode, the "average frequency of dangerous failures" is used, and in low-demand mode, the "average probability of dangerous failure on demand" is used.

Safety Integrity Level (SIL)   High-demand mode: average frequency of dangerous failures (per hour)   Low-demand mode: average probability of dangerous failure on demand
SIL4                           10^-9 to <10^-8                                                         10^-5 to <10^-4
SIL3                           10^-8 to <10^-7                                                         10^-4 to <10^-3
SIL2                           10^-7 to <10^-6                                                         10^-3 to <10^-2
SIL1                           10^-6 to <10^-5                                                         10^-2 to <10^-1

The required SIL is assigned from SIL1 to SIL4 by quantitatively determining it using a probabilistic method. SIL4 is the highest safety requirement, and the requirement level decreases as you go down from 3 to 1.

In developing the safety of various electrical and electronic systems, it is important to select a product (such as a real-time OS) that satisfies this SIL.
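The table above is what a quantitative SIL assessment is checked against. As an added example (not code from the article or from BlackBerry QNX), the following Python script takes the dangerous undetected failure rate of a single-channel (1oo1) safety function, computes the failure measure that applies to its demand mode, and reports the highest SIL target it meets. The demand-mode threshold (low-demand mode means at most one demand per year) and the simplified 1oo1 relations PFH ≈ λ_DU and PFDavg ≈ λ_DU × T1 / 2 are taken from IEC 61508 (parts 4 and 6) and are stated here as assumptions; the failure rates and proof-test intervals are constructed.

```python
"""Added example: classify a 1oo1 safety function against the SIL table.

Assumptions (from IEC 61508, not from the article): low-demand mode means at
most one demand per year; for a single channel the high-demand measure is
PFH ~= lambda_DU and the low-demand measure is PFDavg ~= lambda_DU * T1 / 2,
where T1 is the proof-test interval. Repair time and diagnostics are ignored.
"""
from __future__ import annotations

HOURS_PER_YEAR = 8760.0

# SIL bands as in the article's table: (upper bound exclusive, SIL), strictest
# first. A measure below a band's upper bound meets that SIL's target.
PFH_BANDS = [(1e-8, 4), (1e-7, 3), (1e-6, 2), (1e-5, 1)]   # per hour
PFD_BANDS = [(1e-4, 4), (1e-3, 3), (1e-2, 2), (1e-1, 1)]   # per demand


def demand_mode(demands_per_year: float) -> str:
    """Low-demand mode if the safety function is called on at most once a year
    (IEC 61508-4 threshold, assumption); otherwise high-demand/continuous mode."""
    return "low demand" if demands_per_year <= 1.0 else "high demand"


def pfh_1oo1(lambda_du_per_hour: float) -> float:
    """High-demand measure for a single channel: every dangerous undetected
    failure is a dangerous failure of the function, so PFH ~= lambda_DU."""
    return lambda_du_per_hour


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Low-demand measure for a single channel: a dangerous undetected fault
    stays hidden until the next proof test, so on average the function is
    unavailable for half the interval: PFDavg ~= lambda_DU * T1 / 2."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def achievable_sil(measure: float, bands: list[tuple[float, int]]) -> int | None:
    """Highest SIL whose target failure measure the given value satisfies.
    Returns None when the value is worse than the SIL1 bound."""
    for upper_bound, sil in bands:          # strictest band first
        if measure < upper_bound:
            return sil
    return None


def assess(name: str, demands_per_year: float, lambda_du_per_hour: float,
           proof_test_interval_years: float = 1.0) -> dict:
    """Pick the measure that matches the demand mode and classify it."""
    mode = demand_mode(demands_per_year)
    if mode == "low demand":
        measure = pfd_avg_1oo1(lambda_du_per_hour,
                               proof_test_interval_years * HOURS_PER_YEAR)
        bands, label = PFD_BANDS, "PFDavg"
    else:
        measure = pfh_1oo1(lambda_du_per_hour)
        bands, label = PFH_BANDS, "PFH per hour"
    return {"name": name, "mode": mode, "measure": label,
            "value": measure, "sil": achievable_sil(measure, bands)}


if __name__ == "__main__":
    # Constructed inputs: lambda_DU in dangerous undetected failures per hour.
    results = [
        assess("emergency shutdown, proof-tested yearly", 0.2, 1e-7, 1.0),
        assess("emergency shutdown, proof-tested every 10 years", 0.2, 1e-7, 10.0),
        assess("continuous speed supervision", 1000.0, 5e-8),
    ]
    for r in results:
        sil = f"SIL{r['sil']}" if r["sil"] else "below SIL1"
        print(f"{r['name']:<50} {r['mode']:<12} {r['measure']} = {r['value']:.2e} -> {sil}")
```

The two shutdown lines differ only in the proof-test interval, yet they come out as SIL3 and SIL2: in low-demand mode the test interval is part of the failure measure, which is why the table needs a separate column per demand mode.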

What is ASIL

ASIL (Automotive Safety Integrity Level) is a safety level defined by ISO26262, and is currently used to guarantee the performance of almost all automotive electrical and electronic systems. This ASIL evaluates the safety level in four stages of A, B, C, and D.

In addition, ISO26262 determines an ASIL suited to each individual hazard that could occur, based on hazard analysis and risk assessment. The main steps leading up to that determination can be understood from the "Determination of functional safety concept" described in ISO26262.

Determination of functional safety concept


Quote: https://www.jqa.jp/service_list/fs/file/techdata_26262.pdf
Source: ISO 26262-3 Table 1, Table 2, Table 3

ASIL is assigned from three perspectives: Severity (S), Exposure (E), and Controllability (C), and safety goals are determined. Specifically, they are assigned based on the table below.

ISO 26262 (automotive functional safety) table

Quote: https://www.jqa.jp/service_list/fs/file/techdata_26262.pdf
Source: ISO 26262-3 Table 4

D is the highest safety level, and the required safety level decreases from C down to A. QM (Quality Management) means that no ASIL requirements apply, but the item should still be handled under ordinary quality management.

It is important to select a product (such as a real-time OS) that satisfies this ASIL in the development of safety for automotive electrical and electronic systems.
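The ASIL determination described above, written out as an added Python example (not code from the article, JQA or BlackBerry QNX). The S/E/C table is ISO 26262-3 Table 4, which the article refers to, transcribed here from the standard; the classes S0, E0 and C0 (no injuries, incredible exposure, controllable in general) yield QM, and a safety goal combined from several hazardous events takes the highest ASIL among them, both also per ISO 26262-3 and stated here as assumptions. The hazardous events in the script are constructed.

```python
"""Added example: ASIL determination from Severity, Exposure, Controllability.

ASIL_TABLE is ISO 26262-3 Table 4 transcribed from the standard (assumption:
not taken from the article). Index it as ASIL_TABLE[S][E][C - 1].
"""
from __future__ import annotations

ASIL_ORDER = ["QM", "A", "B", "C", "D"]   # lowest to highest requirement

ASIL_TABLE = {
    #        C1    C2    C3
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"),  3: ("QM", "A", "B"),  4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"),  2: ("QM", "A", "B"),   3: ("A", "B", "C"),   4: ("B", "C", "D")},
}


def determine_asil(s: int, e: int, c: int) -> str:
    """ASIL for one hazardous event. S0 (no injuries), E0 (incredible) and
    C0 (controllable in general) carry no ASIL requirement, i.e. QM."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"
    return ASIL_TABLE[s][e][c - 1]


def additive_rule(s: int, e: int, c: int) -> str:
    """Compact restatement of the table: one ASIL step per unit of S+E+C above 6."""
    return ASIL_ORDER[max(0, s + e + c - 6)]


def table_matches_additive_rule() -> bool:
    """Consistency check on the transcription: the table must be monotone in
    S, E and C, which the additive rule makes explicit."""
    return all(ASIL_TABLE[s][e][c - 1] == additive_rule(s, e, c)
               for s in (1, 2, 3) for e in (1, 2, 3, 4) for c in (1, 2, 3))


def safety_goal_asil(hazardous_events) -> str:
    """A safety goal covering several hazardous events carries the highest
    ASIL among them (ISO 26262-3, assumption)."""
    return max((determine_asil(s, e, c) for s, e, c in hazardous_events),
               key=ASIL_ORDER.index)


if __name__ == "__main__":
    # Constructed hazard analysis for an electric power-steering item (illustrative).
    events = {
        "self-steering at highway speed": (3, 4, 3),
        "loss of assist while parking": (1, 3, 2),
        "loss of assist in city traffic": (2, 4, 2),
    }
    for name, (s, e, c) in events.items():
        print(f"{name:<35} S{s} E{e} C{c} -> {determine_asil(s, e, c)}")
    print("safety goal ASIL:", safety_goal_asil(events.values()))
    print("table consistent with S+E+C rule:", table_matches_additive_rule())
```

The parking-lot event comes out as QM even though it is a real loss of function: low severity and moderate exposure mean no ASIL requirement, only quality management, exactly the case the QM class in the table describes.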

Importance of functional safety in real-time OS

So far, we have discussed functional safety and safety standards, but the real-time OS, which plays a central role in the control of embedded systems, is one of the most important products requiring safety and reliability.

If a real-time OS with low safety and reliability is used, system malfunctions are more likely to occur, and there are risks such as low security strength against malware and cyberattacks.

In the unlikely event that a problem like the above occurs, there is a possibility that it will develop into an irreversible situation for medical equipment that is related to human life and health, and for automobile equipment that poses a serious hazard.

A real-time OS, which plays a central role in control, must thoroughly eliminate the above risks. For that reason, you must choose a real-time OS that is SIL or ASIL certified and has high reliability and security.

Introduction of "BlackBerry QNX" handled by our company and strengths

Finally, I would like to briefly explain the real-time OS "BlackBerry QNX", for which we are a domestic distributor, and its strengths.

For automotive applications, it has been adopted by more than 45 automotive brands as a highly reliable real-time OS, and is currently installed in more than 215 million vehicles. Since we have acquired ASIL D certification, we can greatly reduce the work required for customers to obtain certification.

Automotive solutions


In addition, we have obtained IEC 61508 SIL3 certification for our embedded solutions, and because of their high reliability, they are often used in medical equipment with high safety requirements.

Embedded solution


It can be introduced at a low total cost while maintaining the high reliability described above.

This brief introduction ends here. If you want to know more about "BlackBerry QNX", please refer to our website at the link below. We also have an introductory video in our webinar, so please watch it.

Inquiry

If you have any questions or concerns regarding the content of this article, please feel free to contact us using the form below.