A Safety Argumentation for Fail-Operational Automotive Systems in Compliance with ISO 26262

For highly automated driving, fail-operational driving systems are indispensable to prevent hazardous situations in case of an E/E failure. That requires redundant system design and enhanced safety analysis for ensuring fault tolerance and further operation. Existing work addresses attributes of fail-operational systems relevant for safety, however the sufficiency of safety analysis has not been investigated. We therefore aim to identify relevant safety aspects for fail-operational systems in ISO 26262 which require analysis to ensure compliance. Further we deduce a fault model for a fail-operational driving system containing the relevant failure modes. By consolidating the fault-model and ISO 26262 into a safety argumentation using the goal structure notation we provide a safety argumentation for a fail-operational driving system sufficient according to ISO 26262. Whereas conventional fail-silent systems can be analysed on the sub-system level, fail-operational systems requires overarching analysis on the system level. We therefore determine objectives of this analysis, structure those according to the necessary level and determine the relations given by mutual contributions. With our work, we provide a framework for safety argumentation of a fail-operational driving system in compliance with ISO 26262 regarding safety analysis.