With the publication of ISO 26262 [1] and the concept of Functional Safety, being able to identify the required safety integrity level for software components and to define the corresponding development steps has become increasingly important. A number of Tier 1 automotive suppliers, including Robert Bosch LLC, have been developing software for safety-relevant systems and have experience with a number of methods and tools for software analysis. This paper focuses on the pros and cons of the Criticality Analysis method.
Criticality Analysis (CA) is a method that rates the outputs, sub-components and inputs of a function based on the ASIL rating of that function. Faller [2] proposed the use of CA in conjunction with the IEC 61508 safety standard, and this author proposes that CA can also be used in conjunction with ISO 26262. CA takes a function with any ASIL rating and breaks down its signal chain to develop safety requirements at each stage (see [2, 3]). The original use of the method was ASIL allocation, but the method is best used to show which parts of an ASIL X function are critical to that ASIL rating and which parts have less impact on the Safety Goals. CA can point out which software elements and signals are candidates for ASIL decomposition; the decomposition of ASIL ratings must still follow the scheme described in ISO 26262-9. The CA method can show where development and testing effort should be concentrated and which areas are less critical. One of the main advantages of the method is the efficiency gained by tailoring development effort to the parts of the software that are safety-relevant.
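As an added illustration, not code from the paper: a small Python model of the CA idea that each element in a signal chain inherits the highest ASIL of the functions it feeds, plus a check of a proposed decomposition against the ISO 26262-9 scheme. The signal chain, element names and ASIL values are constructed, and the inheritance rule is a simplification of CA, not the paper's own procedure.

```python
# ASILs ordered from lowest to highest integrity.
ASIL_ORDER = ["QM", "A", "B", "C", "D"]

# Allowed decomposition pairs per ISO 26262-9 (e.g. D -> C(D) + A(D)).
DECOMPOSITIONS = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}


def required_asils(graph, function_asils):
    """Walk each function's signal chain upstream and give every element
    the highest ASIL of any function it contributes to.
    graph: element -> list of upstream elements it depends on.
    function_asils: top-level function -> ASIL of its safety goal."""
    required = {}

    def visit(node, asil):
        cur = required.get(node)
        if cur is not None and ASIL_ORDER.index(cur) >= ASIL_ORDER.index(asil):
            return  # already rated at least this high; also stops on cycles
        required[node] = asil
        for upstream in graph.get(node, []):
            visit(upstream, asil)

    for function, asil in function_asils.items():
        visit(function, asil)
    return required


def is_valid_decomposition(initial, part_a, part_b):
    """True if splitting `initial` into the two parts follows ISO 26262-9."""
    pair = tuple(sorted((part_a, part_b), key=ASIL_ORDER.index, reverse=True))
    return pair in DECOMPOSITIONS.get(initial, set())


# Constructed example chain (hypothetical names, not from the paper).
SIGNAL_CHAIN = {
    "torque_limit": ["pedal_plausibility", "motor_current"],
    "pedal_plausibility": ["pedal_sensor_1", "pedal_sensor_2"],
    "cruise_control": ["vehicle_speed", "motor_current"],
    "dashboard_display": ["vehicle_speed"],
}
FUNCTION_ASILS = {"torque_limit": "D", "cruise_control": "B", "dashboard_display": "QM"}

if __name__ == "__main__":
    for element, asil in sorted(required_asils(SIGNAL_CHAIN, FUNCTION_ASILS).items()):
        print(f"{element:20s} {asil}")
    print("D -> B + B allowed:", is_valid_decomposition("D", "B", "B"))
```

Elements that only feed the QM display stay at QM, while the shared motor current signal inherits ASIL D from the torque limiter, which is the kind of result CA uses to focus development effort.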
The paper focuses on the advantages the method brings to safety-oriented software design, the efficiency improvement over designing all subsystems according to ASIL D, and practical examples.