MISRA Safety Analysis

Overview of MISRA SA

The MISRA Safety Analysis Guidelines provide an extension to the original MISRA Development Guidelines for Vehicle Based Software, in that they give extended detailed advice on the sections on Integrity and Safety Analysis, as well as presenting additional advice on other parts of safety management and the safety lifecycle.

The approach described in these Guidelines is being used increasingly to enable new programmable systems to be deployed on vehicles, and will become automotive best practice when the ISO 26262 standard is published.

The Guidelines begin by explaining why it is necessary to provide an approach for automotive systems that is different from those provided in the current standards, in particular IEC 61508. They describe how the safety lifecycle for automotive systems fits into the total development lifecycle of a vehicle, and give descriptions of the various plans and other documents that are needed in order to manage that safety lifecycle effectively.

The process of Preliminary Safety Analysis on a system concept or outline design is described in some detail.  Guidance is given on how to model the system and use this model to identify hazards.  A scheme for classifying hazards, the MISRA Risk Graph, is introduced which extends the original classification scheme described in MISRA Development Guidelines for Vehicle Based Software.  It is then shown how the resulting Risk Levels can be translated into safety integrity requirements.  A set of possible quantitative requirements is also presented.

The process of Detailed Safety Analysis on a design, by which the safety integrity requirements can be verified and validated, is then outlined.  The Guidelines propose the use of both deductive analysis, e.g. FMEA, and inductive analysis, e.g. FTA, as part of this procedure.

Future work

MISRA is developing guidance on requirements allocation processes (also known as "ASIL decomposition") in ISO/DIS 26262. Such schemes are included in some of the international standards whereby a SIL n requirement in an element of a system can be achieved through a combination of sub-elements with a reduced requirement, typically SIL (n-1). This guidance will provide a rigorous basis for applying such schemes in the context of automotive functional safety.