From being a fancy addition to cars, software now determines the value of the car. Whether the car has a 360-degree camera or advanced ADAS features makes or breaks a deal.
Such rapid innovation in automotive software has been possible partly because of the standardization brought about by ASPICE, and the safety threats that such software poses are mitigated by following the ISO 26262 standard.
As a matter of fact, both standards are indispensable for the automotive industry, and most of the time both have to be followed simultaneously.
ASPICE provides an ideal framework to implement the ISO 26262 standard as it covers the entire system development. The ISO 26262 lifecycle can be matched with the V-model followed by Automotive SPICE.
We have talked about two different concepts here; one that takes care of the overall software quality and the other that deals with the safety aspect. How are they related? Do ASPICE and ISO 26262 complement each other? Can they co-exist? Let’s try to find some answers! But first, we must understand ASPICE and ISO 26262 in their individual capacity.
Role of ASPICE and ISO 26262 in Improving Quality and Safety of Automotive Applications
The role of ISO 26262 and ASPICE in the automotive industry is multifaceted and synergistic. ISO 26262 ensures that automotive E/E systems are safe and capable of performing to the required safety levels, while ASPICE enhances the overall process capability and quality of software development.
Together, they form a robust framework for developing automotive software that is not only functionally safe but also of high quality, ensuring reliability and trust in automotive applications. This integrated approach is essential for automotive manufacturers and suppliers striving to meet the growing demands for safety and quality in an industry marked by rapid technological advancements.
Understanding the role and interaction of these standards is crucial for automotive manufacturers and suppliers.
ISO 26262: The Automotive Functional Safety Standard
ISO 26262 is an international standard for functional safety in electrical and electronic (E/E) systems within road vehicles. Originating from the generic functional safety standard IEC 61508, ISO 26262 is tailored specifically for the automotive context.
Safety Lifecycle Management: It covers the entire lifecycle of automotive E/E systems, from conceptual design to production and operation. It emphasizes identifying and mitigating risks associated with potential malfunctions of E/E systems that could lead to hazardous situations.
Hazard Analysis and Risk Assessment: ISO 26262 involves systematic hazard analysis and risk assessment to determine Automotive Safety Integrity Levels (ASILs), which dictate the stringency of safety measures to be applied.
Safety-Oriented Design: The standard prescribes safety-oriented design principles and methods, including requirements specification, design, implementation, verification, validation, and configuration management.
ASPICE: Enhancing Software Process Capability
ASPICE is a framework for assessing and improving software development processes in the automotive industry. It is based on the ISO/IEC 15504 standard (SPICE) and tailored for automotive software development.
Process Capability Levels: ASPICE provides a process capability framework that assesses processes on a scale from Level 0 (Incomplete) to Level 5 (Optimizing). Achieving higher capability levels indicates more mature, consistent, and effective software development processes.
Quality Improvement: By following ASPICE, organizations can systematically improve their software development processes, leading to higher quality software products. It focuses on areas like requirements management, design, implementation, testing, and maintenance.
Supplier Assessment: ASPICE is often used by automotive manufacturers to assess and select suppliers, ensuring that the suppliers’ software development capabilities meet certain standards.
Interplay and Integration of ISO 26262 and ASPICE
The integration of ISO 26262 and ASPICE is crucial in the automotive industry for several reasons:
- Complementary Objectives: While ISO 26262 focuses on functional safety, ASPICE aims at process quality and capability. Together, they ensure that automotive software is not only safe but also developed using high-quality processes.
- Mutual Reinforcement: Compliance with ISO 26262 can be facilitated by ASPICE’s process improvement framework. A higher process capability level in ASPICE can lead to more effective implementation of safety requirements as outlined in ISO 26262.
- Unified Approach to Safety and Quality: Integrating ISO 26262 and ASPICE allows organizations to adopt a holistic approach, where safety considerations are embedded into every stage of the software development lifecycle, enhanced by ASPICE’s focus on process quality.
As is clear from the image above, the ISO 26262 lifecycle can be matched with the V-model followed by Automotive SPICE.
The additional items that ISO 26262 brings to the table are mostly related to the concept phase. They include:
- Item Definition: A list of the system, sub-systems, functional dependencies and similar attributes. The information contained in the item definition document serves as an input to the HARA process.
- Failure Mode Effect Analysis (FMEA): FMEA is an inductive analysis method to find the causes and effects of a failure. It also contributes to the identification of functional and non-functional requirements, which might not have been identified during HARA.
- Failure Modes, Effects, and Diagnostic Analysis (FMEDA): FMEDA is an ideal method for deriving hardware architectural metrics such as PMHF (Probabilistic Metric for Hardware Failures), SPFM (Single-Point Fault Metric) and LFM (Latent Fault Metric).
- Fault Tree Analysis (FTA): FTA is a deductive failure analysis method in which the root cause of a fault is depicted using Boolean logic.
- Hazard Analysis and Risk Assessment (HARA): The purpose of HARA is to identify the malfunctions that could lead to E/E system hazards and to assess the risk associated with them.
Between ISO 26262 and ASPICE, there are approximately 250 work products and 60 processes to take care of, which is a substantial amount of work.
The ISO 26262 safety lifecycle is followed simultaneously with ASPICE. At every stage of the V-cycle, certain analyses recommended by the ISO 26262 standard are performed alongside ASPICE processes. For instance, a hazard analysis is performed as an extension of risk management (ASPICE). Further analyses such as FMEA and FMEDA are introduced to derive safety goals, failure-in-time (FIT) rates and hardware metrics such as SPFM, LFM and PMHF.
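As an added worked example (not code from the original article), the SPFM and LFM calculations that an FMEDA feeds, written in Python over a constructed FMEDA table. The element names and FIT figures are made up for illustration; the per-ASIL target values are the ones given in ISO 26262-5.

```python
from dataclasses import dataclass

# ISO 26262-5 target values for the hardware architectural metrics (ASIL A has no target)
SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}
LFM_TARGET = {"B": 0.60, "C": 0.80, "D": 0.90}


@dataclass
class FmedaRow:
    """One hardware element of an FMEDA table; rates in FIT (failures per 1e9 hours)."""
    element: str
    fit: float             # total failure rate of the element
    spf_rf: float          # single-point + residual share (violates a safety goal, not covered)
    latent: float          # latent multi-point share (neither detected nor perceived)
    safety_related: bool = True


# Constructed sample table for a hypothetical pedal-position ECU (values are illustrative only).
SAMPLE_FMEDA = [
    FmedaRow("MCU core (lockstep + watchdog)", 20.0, 0.4, 3.0),
    FmedaRow("Program flash (ECC)", 10.0, 0.5, 1.2),
    FmedaRow("Pedal ADC input", 6.0, 0.8, 0.9),
    FmedaRow("Supply monitor", 4.0, 0.3, 0.6),
    FmedaRow("Status LED", 3.0, 0.0, 0.0, safety_related=False),  # excluded from the metrics
]


def spfm(rows):
    """Single-Point Fault Metric: 1 - sum(SPF + RF) / sum(safety-related failure rates)."""
    sr = [r for r in rows if r.safety_related]
    return 1.0 - sum(r.spf_rf for r in sr) / sum(r.fit for r in sr)


def lfm(rows):
    """Latent Fault Metric: 1 - sum(latent MPF) / sum(safety-related rates minus SPF + RF)."""
    sr = [r for r in rows if r.safety_related]
    return 1.0 - sum(r.latent for r in sr) / sum(r.fit - r.spf_rf for r in sr)


def highest_asil_met(rows):
    """Highest ASIL whose SPFM and LFM targets are both met, or 'none' below ASIL B."""
    s, l = spfm(rows), lfm(rows)
    met = "none"
    for asil in ("B", "C", "D"):  # ascending, so the last hit is the highest level met
        if s >= SPFM_TARGET[asil] and l >= LFM_TARGET[asil]:
            met = asil
    return met


if __name__ == "__main__":
    print(f"SPFM={spfm(SAMPLE_FMEDA):.1%} LFM={lfm(SAMPLE_FMEDA):.1%} ASIL met={highest_asil_met(SAMPLE_FMEDA)}")
```

With the sample table the SPFM of 95% clears ASIL B but not ASIL C, which is the kind of result that drives adding or improving a safety mechanism for the weakest element.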
Moreover, the System Requirement specification would also include safety requirements. The Verification and Validation processes would also follow the methodologies as mentioned in the ISO 26262 standard. The diagram makes the overlapping of ISO 26262 and ASPICE clearer:
What Does ASPICE 3.1 Change in Terms of Integration with ISO 26262?
The newer version of ASPICE adds enhanced support for ISO 26262 implementation. By implementing ASPICE, a major part of ISO 26262 implementation can also be fulfilled.
Requirement elicitation in ASPICE corresponds to item definition in the ISO 26262 standard. In the latest version of ASPICE, requirement elicitation offers strong support for performing item definition, which means that a large part of these two activities can be merged, reducing effort and time.
Similarly, certain ASPICE processes offer medium-level support to their corresponding ISO 26262 activity. One example is software unit verification, where some of the guidelines overlap while others do not. Most ASPICE processes fall into the medium-support category, such as system architectural design and integration test.
However, a couple of ISO 26262 activities are still quite distant from any ASPICE process. They include the functional safety concept and technical safety requirement specifications.
Looking at the overall picture, it is quite clear that the automotive industry as a whole is pushing the integration of ASPICE and ISO 26262. Still, there are certain inherent challenges when it comes to integrating the two. Let’s look at them.
Challenges in ASPICE and ISO 26262 Integration and How to Overcome Them
Integrating ISO 26262 and ASPICE can be challenging due to several factors, including differences in scope, terminology, and evaluation criteria.
ISO 26262 is a standard that mandates various testing methodologies, software architectural design and implementation guidelines, etc., to ensure that functional safety concerns are addressed at the system level, whereas ASPICE is more focused on improving the quality of automotive software not only at the system level but also at the project and organizational level.
These fundamental differences lead to challenges in scenarios where both ASPICE and the ISO 26262 standard have to be implemented. Let’s explore these challenges.
Scope and Focus
ISO 26262 primarily focuses on functional safety aspects, addressing hazards and risks associated with electrical and electronic systems in vehicles. On the other hand, ASPICE focuses on improving software development processes. Integrating these two standards requires aligning their different scopes and ensuring a comprehensive approach.
Challenge: The automotive manufacturer needs to determine how to combine safety-related activities from ISO 26262 (e.g., hazard analysis, safety requirements management) with the software development activities defined in ASPICE (e.g., requirements engineering, testing). They must establish a clear mapping and coordination between safety-critical aspects and software development processes.
Terminology and Concepts
ISO 26262 and ASPICE use different terminology and concepts, leading to potential confusion and misalignment among project stakeholders. Harmonizing these differences is crucial for effective integration.
Challenge: The automotive manufacturer faces the challenge of establishing a common language and understanding among team members. For instance, aligning the terminology of safety goals, safety requirements, and functional safety concepts from ISO 26262 with the software development terminology of requirements, design, and testing from ASPICE.
Evaluation Criteria and Assessments
ISO 26262 and ASPICE have different evaluation criteria and assessment methods. ISO 26262 includes safety integrity levels (ASILs) and the concept of a safety case, while ASPICE uses process capability levels and process assessments. Integrating these evaluation approaches requires careful consideration.
Challenge: The automotive manufacturer needs to determine how to harmonize the assessment methods and criteria to ensure a unified evaluation of both functional safety and process capability. They must establish a consistent evaluation framework that satisfies the requirements of both ISO 26262 and ASPICE.
Training of Cross-Functional Teams and Knowledge Integration
ISO 26262 and ASPICE are highly technical standards with complex concepts and requirements. Training team members from different disciplines, such as software development, system engineering, functional safety, and quality management, may require varying levels of technical understanding.
Challenge: Integrating the knowledge gained from ISO 26262 and ASPICE training programs can be challenging. Team members may struggle to understand how the requirements and processes of these standards align and complement each other. Facilitating discussions, workshops, or practical exercises that allow team members to apply their knowledge in an integrated manner can help overcome this challenge.
These challenges must be taken up by the functional safety manager and the ASPICE consultant working on the project. Working together, they can mitigate the challenges involved in integrating ASPICE and ISO 26262. Here are a few pointers on how they can approach them:
Gap analysis and alignment: The ASPICE consultant can conduct a thorough gap analysis to identify the areas of misalignment or differences between ASPICE and ISO 26262. They can collaborate with the functional safety manager to create an integration plan that maps the processes and activities of ASPICE to the corresponding functional safety activities in ISO 26262.
Training and knowledge sharing: The functional safety manager, being well-versed in ISO 26262, can provide specialized training to the team members involved in the integration effort. The ASPICE consultant can complement this by providing training on ASPICE and its process improvement methodologies.
Documentation and evidence management: Both the functional safety manager and the ASPICE consultant must collaborate to establish a unified documentation framework. They can define the necessary templates, artifacts, and traceability requirements that align with the expectations of both ASPICE and ISO 26262.
Process harmonization: The commonalities and overlaps between the two standards should be identified, and activities streamlined to avoid duplication and optimize resource utilization.
The Road Ahead
ASPICE covers the broad aspects of software development, and ISO 26262 extends it with the safety aspect. The two standards differ in many regards, such as cost and time implications and assessments. However, they have quite a few similarities, including process areas such as configuration and change management and a commitment to achieving bi-directional traceability between work products.
Several tools and templates are also available that make the integration of ASPICE and ISO 26262 easier for the development and compliance teams. Functional Safety consultancy organizations leverage these tools and templates to help the OEMs and suppliers in achieving the required compliance.
By integrating ASPICE and ISO 26262, automotive projects can benefit from enhanced process maturity, improved software quality, effective risk management, and compliance with safety standards. These integrations enable organizations to develop safer and more reliable automotive systems by aligning their software development processes with functional safety requirements.