
Impact analysis – Its significance as per ISO 26262

The safety lifecycle of a product begins with the item definition, followed by impact
analysis. Performing an impact analysis is therefore a very critical input to the
entire safety lifecycle of the product. The impact analysis needs to be done immediately
after the item definition so that the subsequent development activities can be foreseen.

Impact analysis determines whether a change will have an impact on the safety
goals and whether the existing safety documents can be reused or need
modification.

For those of you who are new to functional safety, let me introduce a few terms:

ITEM is a system or combination of systems that implements a function at the vehicle
level, to which ISO 26262 is applied.

ELEMENT is the term used for a sensor, actuator, controller, hardware or software
that contributes to the overall system function.

COMPONENTS are the hardware parts or software units that are used to perform
logical or technical functions for the elements.

SEooC – a safety-related element which is not developed in the context of any specific
item (e.g. a generic microcontroller with assumed safety requirements, to be
integrated into different systems).

Impact analysis at the item level shall be performed by the vehicle manufacturer (VM)
to determine whether the item is a new development, a modification of an existing
item, or an existing item placed in a new environment.

New Item Development

When the vehicle manufacturer develops a new item, a design review and a concept
review must be done. If the new system function is partly a carryover from an
existing system function, then an impact analysis needs to be done for the
new system function with respect to the existing function. To be more precise: if your
product uses a new technology or a new-generation function at the vehicle level,
then an impact analysis must be done.

Modification of an existing Item

When certain requirements are modified, when calibration data is altered, or when
there are software corrections or a design modification that results in a
change to the operating modes of the item, then an impact analysis must be done.

Existing Item in a new environment

When a proven item is installed in a new vehicle environment, meaning an item
that has completed the full ISO 26262 lifecycle in a particular vehicle environment is
now placed in another vehicle variant with a different mission profile, placed in a
different location within the vehicle, or used in different operational
situations, then an impact analysis must be done.

The development of the impact analysis document should be discussed with the VM
during the Development Interface Agreement (DIA).

So far this impact analysis was created at the item level by the VM. However, an impact
analysis also needs to be done at the element level by the suppliers, and for those
HW parts or SW units which are integrated as SEooC developments.

Impact analysis at the element level

In case an existing element is reused, an impact analysis at the element level
shall be performed:

1. To identify the modifications to the operational context of the element.
2. To evaluate whether the reused element, with or without modifications, can
comply with the safety requirements allocated to it by the item.
3. To identify the safety activities to be performed, based on an evaluation of the
implications of the modifications, including implications for the validity of
previously made assumptions.
4. To evaluate whether the existing safety-related documentation for the
reused element is sufficient to support the integration of the element into the
item.

An existing element can be reused:

1. based on an evaluation of hardware elements (ISO 26262-8:2018, Clause 13)

2. based on a qualification of software components (ISO 26262-8:2018, Clause 12)

3. based on a proven-in-use argument (ISO 26262-8:2018, Clause 14)

4. as a Safety Element out of Context (ISO 26262-10).

Impact analysis during SEooC integration

When an SEooC is integrated into the product, its assumed safety requirements are
matched against the functional safety requirements (FSR) to ensure that the integration
into the product will not violate any safety goal.

During this process an impact analysis is conducted as described in ISO 26262, and in
case of any mismatched assumption the following actions are taken:

1. If the difference is minor and acceptable without any impact on the safety goal,
then no action is taken.
2. If the difference is deemed to impact the safety goal, a change is necessary
to either the item definition or the functional safety concept.
3. If the difference is deemed to impact the safety goal, the safety metrics need to
be recalculated (lower ASIL targets).
4. If the difference is deemed to impact many safety goals, this
SEooC might not be suitable for our development.

Impact analysis during SW SEooC integration

When a software component is integrated with other software components, the
validity of all assumptions made on this SEooC is checked. This includes checking that the
assumed software safety requirements with their ASIL capability, and all the
assumptions made on the purpose, boundaries, target environment, functionalities
and properties of the software component, are consistent with the functional safety
requirements of the item.

During this process an impact analysis is conducted as described in ISO 26262, and in
case of any mismatched assumption the following actions are taken:

1. The discrepancies are acceptable with respect to the achievement of the safety
requirements applicable at the software architectural design level; then no
further action is taken.
2. The discrepancies impact the achievement of the safety requirements
applicable at the software architectural design level, and a change may be
necessary to these requirements in accordance with ISO 26262-8:2018,
Clause 8.
3. The discrepancies impact the achievement of the safety requirements
applicable at the software architectural design level, and a change is required
to the SEooC component (possibly including a change of component).

The example below is one of the templates which can be used for impact analysis at the
item and element level.

The example below is one of the templates which can be used for impact analysis of
SEooC elements.

After the impact analysis has been performed at the system, element and SEooC level, it
helps us to understand which safety work products can be reused, modified
or tailored away to meet the customer requirements.

The following entries are allowed for the planned activity:

• “Reuse” the existing work product from the <source project> without any
changes,
• “Modify” the existing work product from the <source project> with some
modifications or adaptation,
• “New” work products generated as a result of the performed safety activities,
and
• “Tailor Away” unneeded work products if there is a justification (e.g. the
lifecycle phase is not applicable).

The ratings for the impact should be given as below:

• Low impact
• Medium impact
• High impact

Low impact may be used to indicate that no impact on this safety work product is
expected, but a confirmation activity is required. The results of this need to be
covered in the safety case.

Medium impact may be used to indicate that minor modifications are required to
the existing work product to meet the customer requirements. A new baseline of
the work product needs to be created.

High impact may be used when a new safety document needs to be
created to meet the safety requirements. An entirely new document needs to be written to
meet the customer requirements.
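As an added illustration (not part of the original article or of any ISO 26262 template), the following Python snippet encodes the planned-activity entries and impact ratings above as consistency checks over a constructed impact-analysis table. The pairing of each rating with an expected activity (Low with Reuse, Medium with Modify, High with New) is my reading of the definitions, not text from the standard.

```python
from dataclasses import dataclass

# Allowed entries from the article's template.
ACTIVITIES = ("Reuse", "Modify", "New", "Tailor Away")
RATINGS = ("Low", "Medium", "High")


@dataclass
class Row:
    work_product: str           # e.g. "HARA" or "Functional safety concept"
    source_project: str         # project the work product is carried over from
    impact: str                 # Low / Medium / High
    activity: str               # Reuse / Modify / New / Tailor Away
    justification: str = ""     # mandatory for "Tailor Away"
    new_baseline: bool = False  # Medium impact: a new baseline must be created
    confirmed: bool = False     # Low impact: confirmation activity covered in the safety case


def check_row(r: Row) -> list:
    """Return the findings for one template row; an empty list means the row is consistent."""
    f = []
    if r.impact not in RATINGS:
        f.append(f"unknown impact rating '{r.impact}'")
    if r.activity not in ACTIVITIES:
        f.append(f"unknown planned activity '{r.activity}'")
    if r.activity == "Tailor Away":            # tailoring needs a justification, whatever the rating
        if not r.justification.strip():
            f.append("Tailor Away needs a justification (e.g. lifecycle phase not applicable)")
        return f
    if r.impact == "Low" and r.activity != "Reuse":
        f.append("Low impact means no change expected; activity should be Reuse")
    if r.impact == "Low" and not r.confirmed:
        f.append("Low impact still needs the confirmation activity recorded in the safety case")
    if r.impact == "Medium" and r.activity != "Modify":
        f.append("Medium impact means minor modifications; activity should be Modify")
    if r.impact == "Medium" and not r.new_baseline:
        f.append("Medium impact requires a new baseline of the work product")
    if r.impact == "High" and r.activity != "New":
        f.append("High impact means an entirely new document; activity should be New")
    return f


def check_table(rows) -> dict:
    """Map each work product that has findings to its list of findings."""
    return {r.work_product: f for r in rows if (f := check_row(r))}


# Constructed sample table (hypothetical source project "ProjA"), not from any real project.
SAMPLE = [
    Row("Item definition", "ProjA", "Medium", "Modify", new_baseline=True),
    Row("HARA", "ProjA", "Low", "Reuse", confirmed=True),
    Row("Functional safety concept", "ProjA", "High", "Modify"),  # wrong activity for High
    Row("Production plan", "ProjA", "Low", "Tailor Away"),          # missing justification
]

if __name__ == "__main__":
    for wp, findings in check_table(SAMPLE).items():
        print(wp, "->", "; ".join(findings))
```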

Impact analysis benefits

Impact analysis identifies the necessary safety lifecycle activities and safety work
products needed to create a safety case for the current project based on the source project.

The impact analysis document helps to understand the following at a very early stage
of the project:

1) The potential impact of the change on the safety lifecycle of the product.
2) The safety work products that are affected by the change, identified and described.
3) The schedule and responsibilities of the parties involved because of the
potential change.
4) The requirements and verifications that need to be adhered to or modified because
of the change.
5) The safety work products that can be tailored away or reused.
6) The budget required to implement the impacted modifications.

Hence the standard considers impact analysis an important safety document and
recommends performing an I3 confirmation review.

Real world challenges for impact analysis

An actual product lifecycle takes around two to three years, from the initial
concept phase to the final production phase. During these phases of product
development the customer requirements change; hence the impact
analysis done at the very beginning of the project will not necessarily remain the
same or valid over the course of product development.

The standard does say that design modifications during the development
phase are implemented through a change management process. But most
change management process documents do not analyze the safety documents in
the detail that the impact analysis does.

To resolve this issue, it is better to perform an impact analysis at the start of
each development phase of the project. The safety case would then have three impact
analyses (Concept, Design, Production) to show that the safety activities were managed
during each phase of the product lifecycle, and these three documents would each have an I3
confirmation review, which also makes your safety process more robust.

Reference

ISO 26262 Documents
