ASIL-D Certified: The Next Step for Connected Vehicle Software ASIL-D Certified: The Next Step for Connected Vehicle Software
Safety

/

February 11, 2022

ASIL-D Certified: The Next Step for Connected Vehicle Software

This is an external post, click the button below to view.
View Post

If we had to return to the Apple store every time our iPhone needed an update, there is a good chance that we wouldn’t have smartphones. If we did, there is an even greater chance that most people would be walking around with un-updated and malfunctioning devices. 

For a cellphone, that’s not such a big deal. But what if it was a car? What if most of the drivers on the road were driving un-updated and malfunctioning vehicles? Traffic collision numbers would skyrocket. Breakdowns would be a weekly, if not daily, occurrence, and roads would no longer be safe for drivers, passengers, and innocent bystanders. 

Fortunately, international functional safety standards have prevented manufacturers from getting ahead of themselves. Still, cars already require more code to function than a space shuttle, about 10 to 20 times as much. As automotive technology continues to advance, this code will require regular updates, adjustments, and repairs. Weekly trips to the dealer are not the answer. 

What if OEMs were able to combine an embedded software update and data management solution with ASIL-D, the highest automotive functional safety certification available? Well, that could just be the answer to everyone’s problems. Let’s dive deeper into exactly what ASIL means and how ASIL-D-certified connected vehicle software is paving the way for a more connected future. 

ISO 26262

In 2011 the International Organization for Standardization mandated international functional safety standard 26262. ISO 26262 defines functional safety as “the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical or electronic systems.” It outlines technical safety requirements (TSRs) that must be met throughout the vehicle’s lifecycle–development, production, operation, decommissioning, etc–to mitigate the risk of a safety fault or hazard. ISO 26262 includes specifications for functional safety management, implementation, design, validation and verification, and customer-supplier relations. 

ASIL-D Explained

During ISO 26262 certification, the assessor takes each electrical component through an automotive hazard analysis and risk assessment (HARA) to determine the potential impact on user safety. Once the hazard potential is realized, each component is assigned an Automotive Safety Integrity Level (ASIL). 

The level delineation depends on three things: the probability of a fault, severity potential, and vehicle controllability in the event of a malfunction. 


ASIL Assessment Scale


Let’s use an example to better understand the chart above. Say we have a component with a rating combination of high severity (S3), medium exposure (E3), simple controllability (C1). It would be designated as an A-level component (ie. rear lights). As risk increases so does the rating, with high-risk ECUs, or those with a high severity (S3), high exposure (E4), difficult controllability (C3) combination (ie. anti-lock brakes & power steering), falling under the ASIL-D umbrella. Any electrical component integrated into the vehicle must meet the ASIL standards associated with its risk level. For example, if a manufacturer produces a new type of anti-lock brake ECU but it only meets B-level standards, when it needs to meet D level. This product would not be permissible for consumer use. 

Any Safety Element out of Context (SEooC), such as an over-the-air software solution like Sibros’ Deep Connected Platform (DCP), must also undergo ISO 26262 certification if it is to be used in a vehicle’s ecosystem. A SEooC doesn’t function unless it is integrated. However, similar to the anti-lock brake example, to ensure user safety the software ASIL should be equal or greater than that of the ECU that hosts the software.  

Sibros ASIL-D Compliant

In accordance with ISO 26262, Sibros brought in UL to perform a functional safety assessment. Both firmware products met all the necessary functional safety requirements and were certified with an ASIL-D. In other words, Sibros software can be safely integrated into any ECU, in any vehicle, at any time. Both solutions work in conjunction to perform safe, seamless, and effective over-the-air (OTA) updates with ease. 

The Sibros OTA Deep Updater comprises one part of the Deep Connected Platform (DCP). It is an end-to-end solution that manages update packages and deployments, analyzes fleet data, and performs full vehicle firmware and software updates. This includes establishing a cloud connection, verifying firmware package images and metadata, and performing precondition checks–including owner permission and vehicle health–prior to update rollout. 

Meanwhile, the Sibros Bootloaders verifies the application image and initiates its execution. It enables updates by downloading new images into the ECU via a connected network, and provides firmware image authentication and secure UDS communications for vehicle-wide ECU configuration and updating. 

Automaker Responsibility & How Sibros Helps

Sibros is one of the first and only automotive OTA update and data management platforms on the market with an ISO 26262 ASIL-D certification. “As vehicle complexity continues to grow, more OEMs are relying on software updates to manage safety-critical ECUs. Hence it is becoming even more important to have an over-the-air update system that meets the highest functional safety standards”, stated Jody Nelson, managing director of functional safety in UL’s Energy and Industrial Automation group. “We congratulate Sibros for helping advance the role of functional safety in the automotive industry by achieving the ISO 26262 ASIL-D certification for its connected vehicle over-the-air products”, added Nelson.

This certification means OEM customers can remotely deliver vehicle and fleet-wide software and firmware updates with the same level of safety and confidence as when they would with a trained dealer technician in a dealership service bay. The difference with Sibros is the safety checks responsibilities that would fall on the shoulders of the technician are performed automatically by our hardware-agnostic solution, and all while the vehicle is parked safely at home. 

Sibros Deep Updater and Bootloaders take care of the following:


All of this information is logged to provide full traceability on every ECU in every vehicle. When manufacturers send an update to a vehicle grouping based on a specific dynamic or static parameter, Sibros Deep Updater looks at each unit’s existing data and only updates the components not running the most recent software version. The OEM can view update progress and unexpected failures from their own customizable portal. This data is collected into a log file or Deployment Log, where OEMs are able to see exactly where, when, and in which components the update failed. 

Although Sibros ensures image validity during and after the cloud to vehicle transfer, it has no authority on the update image itself. Thus, the integrity and validity of the image are the responsibility of the manufacturer. However, part of Sibros’ DCP solution includes helping OEMs learn to create and verify valid images for update rollouts.

UNECE WP.29

ASIL-D certification has greater implications than simply meeting the standards set forth by ISO 26262. It also indicates Sibros’ compliance with UNECE WP.29 functional safety requirements listed in section 7.2.2.1 for software management systems. The requirement states that if an update has the potential to affect the functional safety of a vehicle, the OEM must demonstrate the ability to safely execute the update via specific technical measures. These include precondition checks, such as ensuring the vehicle is in and remains in a safe state during the update, and restricting driver access to any functional features that could impact vehicle safety until update completion. It also specifies the need for mechanisms to restore functionality in the event of a failure. Sibros Deep Updater meets all of these specifications in addition to adhering to all recommendations from ISO 26262 standards. 

The Sibros Standard

Functional safety will always play an integral role in the automotive industry, but it doesn’t have to stall the advance of innovation and ingenuity. With Sibros Deep Connected Platform, manufacturers can rest assured knowing that the fleet is receiving OTA updates with the highest quality, functional safety, and cybersecurity standards in mind. Contact us to learn more about how we can help streamline your update processes to keep your vehicles safe, secure, and on the road. 

Amber Parle
Amber is a Content Specialist at Sibros with over nine years of writing and blog content experience. She is a University of California at Davis graduate and an avid world traveler.