5. Copyright exida LLC ® 2000-2012
Many years later…
Anti-Blocking System
Electronic Stability Program
Lane Departure Warning
Steering Lock
Reverse Sensors
Backup Camera
Adaptive Cruise Control
Tire Pressure Monitoring
Deflation Detection System
Traction Control System
Infrared Night Vision
Adaptive Headlights
Emergency Brake Assistance
Corner Brake Control
Pre-Crash System
Automatic Steering
Airbag
Automatic Gearbox Control
Automated Parking System
Automatic Collision Notification
Traffic Sign Recognition
6.
Some Fatality Numbers
Fatalities decreasing too slowly in Europe
Fatalities stable but too high in US
7.
“Actively” function to achieve Safe State
8.
What is…
Functional Safety
ISO 26262: Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems
IEC 61508: Part of the overall safety related to the equipment under control (EUC) that depends on the correct functioning of the safety-related system
10.
Why Functional Safety?
BECAUSE…
ELECTRONICS CAN FAIL !!!
Are you Able to Provide the EVIDENCE that Risks have been Minimized?
11.
Which Standard to Follow?
IEC 61508
Functional Safety for E/E/PES Safety Related Systems
12.
ISO 26262 Adaptation of IEC 61508
IEC 61508
Functional Safety for E/E/PES Safety Related Systems
Why not ideal for
Automotive Industry ?
13.
Basic Standard for Functional Safety
IEC 61508
Functional Safety for E/E/PES Safety Related Systems
Generic “High Level” Standard
Roots in Process Industry
Assumes One Company does Everything
Not Designed for Distributed Development
Why not Ideal for Automotive Industry?
14.
ISO 26262 Adaptation of IEC 61508
IEC 61508: Functional Safety for E/E/PES Safety Related Systems
IEC 61513 – Nuclear
IEC 61511 – Process Industry
ISO 26262 – Road Vehicles
IEC 62061 – Machinery
ISO 13849-1 – Machine Safety
ISO 25119 – Tractors…
ISO 26262 is “State of the Art” for Automotive
Developed with OEMs
15.
How do E/E Systems Fail?
Random Failures: “Usually a permanent or transient failure due to a system component loss of functionality” – hardware related
Systematic Failures: “Usually due to a design fault, wrong specification, not fit for purpose, error in software program, ...”
17.
ISO 26262 Functional Safety Principles
Avoidance of Faults (before delivery) – Process, Methods, Organization:
Avoid Systematic Faults → Implement Correctly
Control of Failures (in operation) – Technical Safety Measures:
Control of Systematic Failures and Control of Random Failures → Detect and React
18.
ISO 26262 follows a Safety Lifecycle – Risk Based Approach
Figure: safety lifecycle overview. Management of Functional Safety (2.4 – 2.6) and Supporting Processes (8.4 – 8.15) span all phases.
Concept phase: Item definition (3.5); Initiation of Safety Lifecycle (3.6); Hazard Analysis and Risk Assessment (3.7); Functional Safety Concept (3.8)
Product development: System (Part 4); Hardware (Part 5); Software (Part 6); Planning of Production (7.4); Planning of Operation, Service and Decommissioning (7.5); Release for SOP (4.11)
After SOP: Production (7.4); Operation, Service and Decommissioning (7.5)
Also considered: Other Technologies; External Measures; Driver Controllability (and Usability)
Back to appropriate lifecycle phase
19.
Work Products
> 100 Work Products
exida Templates
22.
Vocabulary is important
English is not English
– English – American – KorEnglish – GerEnglish – Singlish…
English is not ISO/IEC
– Validation – Verification – Confirmation
– Fault – Failure – Error
Different Standard – Different Terminology
– Safety Requirement in ISO 26262 vs IEC 61511
24.
Management of Functional Safety
Plan – Coordinate – Track
Overall Requirements for the Organization
– Specific Organizational Rules
– Competence
– Quality
Requirements for Phases
– Roles and Responsibilities
– Functional Safety Plan
– Progression
– Safety Case
– Confirmation Measures
25.
4 Functional Safety Management
4.2 Project Organization
4.3 Roles and Role Descriptions
4.5 Team Competence
5 Safety Life Cycle
5.2 Scheduling of the safety lifecycle activities
5.3 Concept Phase
5.4 Product development on system level
5.4.1 Initiation of System Product Development
5.4.2 Specification of Technical Safety Requirements
5.4.3 System Design
5.4.4 Item Integration and Testing
5.4.5 Safety Validation
5.4.6 Functional Safety Assessment
5.4.7 Release for Production
5.5 Product development HW level
5.5.1 Initiation of HW product development
5.5.2 Specification of HW safety requirements
5.5.3 HW design
5.5.4 HW architectural metrics
5.5.5 Evaluation of safety goal violation due to random HW faults
5.5.6 HW integration and testing
5.6 Product development SW level
5.6.1 Initiation of SW product development
5.6.2 Specification of SW safety requirements
5.6.3 SW Architecture design
5.6.4 SW Unit design and implementation
5.6.5 SW Unit testing
5.6.6 SW integration and testing
5.6.7 Verification of SW safety requirements
6 Production and Operation
7 Supporting Processes
7.1 Interfaces within distributed development
7.2 Specification and management of safety requirements
7.3 Configuration management
7.4 Change management
7.5 Verification
7.7 Qualification of SW tools
7.11 Safety Case
8 Cross Reference between Project Documentation and ISO 26262 Work Products
11 Annex A: Status of the Team Competence
Functional Safety Plan – exida Template
26.
Management of Functional Safety
Safety Case
“A clear, comprehensive and defensible argument that a system is acceptably safe to operate in a particular context.”
(Tim Kelly / Rob Weaver, University of York)
28.
Concept Phase
OEM Defines Item > ESCL (Electronic Steering Column Lock)
Initiation of Safety Lifecycle
Hazard Analysis and Risk Assessment
Functional Safety Concept
Prevent use by unauthorized person by mechanical lock
29.
Concept Phase
OEM Defines Item > ESCL
Initiation of Safety Lifecycle > New
Hazard Analysis and Risk Assessment
Functional Safety Concept
Figure: exida Modification Process (flowchart). Problem Report or Functional Enhancement Request → Change Request → Impact Analysis (Safety Criticality, Affected Modules) → Modification Proposal → Change Control Board: decide on lifecycle re-entry point, or Stop → Modifications (Version Control, Configuration Control, Problem Analysis) → Module Test, Integration Test, System Test, Regression Testing (Update Regression Test Suite) → Update Safety Case & Probability Model → New Release / Productization: modified product (hardware & software), user documentation incl. changed product safety properties, associated development & test documentation, release history → Safety Alert / Recall. Legend: yellow = new, green = update existing (documents, Safety Case and database entries).
30.
Concept Phase
OEM Defines Item > ESCL
Initiation of Safety Lifecycle > New
Hazard Analysis and Risk Assessment
Functional Safety Concept
What Can Go Wrong?
> Steering locks when driving
31.
Concept Phase
OEM Defines Item > ESCL
Initiation of Safety Lifecycle > New
Hazard Analysis and Risk Assessment
Functional Safety Concept
SAFETY GOAL: Avoid a Dangerous Situation
SG No. | HRA Reg | Safety Goal | ASIL | Safe State
SG1 | ESCL_001 | Unintended locking of ESCL while vehicle is moving shall be avoided | ? | Unlocked ESCL
32.
Concept Phase
OEM Defines Item > ESCL
Initiation of Safety Lifecycle > New
Hazard Analysis and Risk Assessment
Functional Safety Concept
How “Risky” is that?
> Need ASIL D
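Safety goal SG1 above (no unintended locking of the ESCL while the vehicle is moving, safe state: unlocked) and the “detect and react” principle from the ISO 26262 principles slide, as an added C example that is not from the presentation or from exida: a hypothetical ESCL control cycle that permits locking only when two independent speed sources agree on standstill, and that falls back to the unlocked safe state whenever its program-sequence monitor sees a skipped checkpoint. The sensor inputs, thresholds, checkpoint names and the fault-injection flag are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical ESCL (electronic steering column lock) control cycle, written as an
 * illustration of SG1. Safe state: unlocked. All names and thresholds are assumed. */

typedef enum { ESCL_UNLOCKED = 0, ESCL_LOCKED = 1 } escl_cmd_t;

typedef struct {
    uint16_t speed_a_kmh;    /* primary vehicle speed source (constructed input) */
    uint16_t speed_b_kmh;    /* independent second source, e.g. wheel speed (constructed) */
    bool     speed_a_valid;  /* result of the source's own checks (timeout, CRC, range) */
    bool     speed_b_valid;
    bool     ignition_off;
    bool     lock_request;   /* e.g. key removed (constructed input) */
} escl_inputs_t;

#define STANDSTILL_KMH   3u  /* assumed: at or below this the vehicle is not "moving" */
#define MAX_DISAGREE_KMH 5u  /* assumed: tolerated difference between the two sources */

/* Program sequence monitoring: every cycle must pass the checkpoints in this order.
 * A skipped, repeated or reordered checkpoint is a detected control-flow failure. */
typedef enum { CP_INPUTS = 1, CP_PLAUSIBILITY, CP_DECISION, CP_END } checkpoint_t;
typedef struct { checkpoint_t expected; bool violated; } flow_monitor_t;

static void fm_reset(flow_monitor_t *m) { m->expected = CP_INPUTS; m->violated = false; }

static void fm_checkpoint(flow_monitor_t *m, checkpoint_t cp) {
    if (cp != m->expected) m->violated = true;
    else m->expected = (checkpoint_t)(cp + 1);
}

static bool fm_sequence_ok(const flow_monitor_t *m) {
    return !m->violated && m->expected == CP_END;
}

/* Standstill must be proven by two valid, agreeing sources; anything else counts as
 * "moving", so a single failed or implausible sensor can never permit locking. */
static bool standstill_proven(const escl_inputs_t *in) {
    if (!in->speed_a_valid || !in->speed_b_valid) return false;
    uint16_t hi = in->speed_a_kmh > in->speed_b_kmh ? in->speed_a_kmh : in->speed_b_kmh;
    uint16_t lo = in->speed_a_kmh > in->speed_b_kmh ? in->speed_b_kmh : in->speed_a_kmh;
    if ((unsigned)(hi - lo) > MAX_DISAGREE_KMH) return false;  /* implausible pair */
    return hi <= STANDSTILL_KMH;
}

/* One control cycle. `inject_skipped_step` is a constructed fault-injection hook that
 * models a control-flow error (the plausibility step never runs) so the monitor's
 * reaction can be exercised; a real ECU would have no such flag. */
escl_cmd_t escl_cycle(const escl_inputs_t *in, bool inject_skipped_step) {
    flow_monitor_t fm;
    bool stopped = false;

    fm_reset(&fm);
    fm_checkpoint(&fm, CP_INPUTS);
    if (!inject_skipped_step) {
        fm_checkpoint(&fm, CP_PLAUSIBILITY);
        stopped = standstill_proven(in);
    }
    fm_checkpoint(&fm, CP_DECISION);
    bool want_lock = in->lock_request && in->ignition_off && stopped;

    /* Detect and react: a sequence violation forces the safe state regardless of inputs. */
    if (!fm_sequence_ok(&fm)) return ESCL_UNLOCKED;
    return want_lock ? ESCL_LOCKED : ESCL_UNLOCKED;
}
```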
44.
Product Development Software Level
Figure: V-model. Design phases (verification during design): E/E System Design → Software Safety Requirements → Software Architecture and Design → Software Implementation
Test phases: Software Unit Test → Software Integration and Test → Software Safety Validation → E/E System Integration → System Validation
Scope of Part 6: the software levels; Scope of Part 4: the E/E system levels
47.
Supporting Processes
Other Parts reference “Supporting Processes”
Interfaces within Distributed Developments (DIA)
Specification and Management of Requirements
Configuration Management
Change Management
Verification
Documentation
Confidence of Use in SW Tools
Qualification of HW/SW Components
Proven in Use Arguments
50.
Where are Safety Analyses in ISO?
H&R: Hazard & Risk
SCA: System Criticality
FTA: Fault Tree
FMEA: Failure Mode Effect
FMEDA: FMEA with Diagnostics
SWCA: SW-Criticality
HAZAN: Hazard Analysis
51.
exida Tools for Automotive – Tool-Based Design Support
SafetyCaseDB: Requirements and Safety Case Management and ISO 26262 knowledgebase
SILCal FMEDA: Component FMEA with integrated Failure Mode Database
SILCap: Safety Criticality Analysis, System FMEA and S/W-HAZOP
53.
ISO 26262: If you did it well…
You are Able to Show:
– Completeness:
  ▪ Everything accounted for
  ▪ Requirements under Control
  ▪ Everything tested – pass
  ▪ Used the toolsets
– Traceability:
  ▪ Structured Process Model
  ▪ Documents linked
  ▪ Evidence for Everything
  ▪ Understandable for external
– Consistency:
  ▪ This is visible for an external auditor even when project members have left
– Documentation:
  ▪ All activities planned
  ▪ Execution documented in SC
  ▪ Inspected – Archived
  ▪ For a life-time (15 years?)
55.
On the Agenda
ISO 26262 and the Challenges
exida Expertise
56.
Who we are
Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV SÜD
Today: LARGEST Functional Safety and Cyber Security consultancy and certification body worldwide
“Provide independent services and tools to help customers comply with any industry standards for Functional Safety, Cyber Security and Alarm Management”
Rainer Faller
Former Head of TÜV Product Services
Chairman German IEC 61508
Intervener ISO 26262 / IEC 61508
Co-Authored IEC 61508 parts
Author of several Safety Publications
Dr. William Goble
Former Director Moore Industries
Developed FMEDA Technique (PhD)
Author of several Safety Books
Author of several Reliability Books
57.
What we do
EXIDA SCOPE: Functional Safety; Cyber Security; Alarm Management; Reliability
SERVICES: Tools; Training; Consultancy; Certification; Reference Materials
INDUSTRIES: Process Industry; Automotive; Machine Industry; Power Industry; Rail
CUSTOMERS: End Users; Equipment Manufacturer; Car Manufacturer; System Integrators
59.
exida Development Support Services
Setting up Functional Safety Management / Act as FSM Coordinator
Safety System Development and Design support
– Requirements Management & Engineering (SafetyCaseDB + Doors® incl. Setup)
– Safety Concept development and documentation (also pre-existing systems)
– Tool based Safety Criticality Analysis (SILCap)
– Hardware design support → Tool based FMEA and Quantitative FMEDA
– Software design support → UML design → Tool based Software HAZOP/FMEA (SILCap)
Tool based Safety Case development
– IEC/ISO knowledgebase
– Document templates per development phase: FSM plan, SRS, Safety concept, Test plans
Tool-based Safety Verification of Automotive Applications
60.
exida Certifications
exida Certification S.A.
– Clean separation from the exida Consulting business
– English language based assessment and certification system
– International alternative to TÜV
Open exida Certification Scheme
– IEC 61508 and ISO 26262 compliant using exida Safety Case methodology (SafetyCaseDB) and audits
– Assessment Process and Requirements Publicly available
61.
exida is Part of your Team – One or more Roles
Safety and Standards Advisor
– Questions, advice
– Interpretation of standards
Moderator and Participant
– FMEDA, Dependent Failure Analysis
– Software analysis
– Project Bottlenecks
Participant (joint activities)
– Write development documents and procedures
– Help with test specification, FIT, safety validation
Be your “Lawyer” vs. the Assessment Body
– Argue your safety case
– Manage all activities with the assessor
exida Certification S.A. – the Assessment Body
62.
Automotive Projects (extract)
Steering (Active Front Steering, Electronic Power Steering)
Gearbox
Driver assistance (e.g. ACC, ESP)
Body control
H2 Clean-Energy
Battery monitoring
Software platforms (AUTOSAR, communication, hardware drivers, self-tests)
Safety IC Assessment support (µC, system chips)
Editor's notes (speaker notes)
Who is Koen? > Disclaimer: Process Industry
What is my objective for today: overview and background of ISO 26262 > main challenges. Show that exida can help overcome challenges and can help to implement the ISO 26262 requirements efficiently > help fill the gap with processes > use templates > fill contents up to 10%... We try to leverage knowledge of OEM – TIER-1 – Tier-n > help to get up to speed fast and prevent going in the wrong direction. E.g. very often we find that our customers have the process documents but the details are missing… or vice versa, the details are there but the overview and traceability is missing. Processes, and Technical and Management, have to be done.
For the past 15 years, I have been using this slide. Meaning is obvious… Special challenge for automotive… there are many many many links in the chain. ISO 26262 will guide to overcome this challenge… Let's go back in history…
Safety is controlled with mechanical/hydraulic steering and pedals. Very robust. Steering, brakes, mirrors, lights… I remember installing the seatbelts in my father's car…
In recent years, not only have the various in-vehicle functions grown in number and complexity; they are also more often being distributed throughout the vehicle. On the one hand, this trend was enabled by significant growth in computing power of the processors used, and on the other by the larger bandwidth available in networking. Manfred Broy of the Institut für Informatik, Technische Universität München provides some illustrative figures [4]: a premium car currently contains “more than ten million lines” of code, covering “[m]ore than 2000” functions; software and electronics together account for “[u]p to 40% of the production costs of a car”. In addition, the number of cars is increasing – time to market getting shorter… It has become a challenge to produce quantities of electronics with the right quality (safety). Need to make sure that new functions do not introduce new hazards…
The Drivers are the weak elements. Electronics reduce the risk from Driver inefficiency but might introduce product liability. No CEO wants to be called to the US to discuss safety issues. The functional safety is delivered with the car yet FS is hidden… Burden of Proof: Evidence required to show that electronics are safe to be used. Ensure that the risk is as low as reasonably practical. Ensure that no new hazards are introduced. Public awareness. Governmental focus on lowering road fatalities → Driver assistance. Electronics transfer Risk from Driver to Product → Product Liability. Environmental Requirements introduce new hazards → eSteering, eDrive. Comfort Functions might require Safety → ESP, ACC, Powertrain. New technologies to reduce production/maintenance cost (reduce hydraulics).
Explain what is risk…
Specification error
Avoidance = Manage Safety over a lifecycle… Item description up to decommissioning. Write correct SW – Test etc… Use competent people. Plan – Execute – Verify – Document. Control = if bug escapes during development… show that it is most likely detected in runtime. ASIL is the measure of the required risk reduction or the measure of the fault avoidance and failure control we have implemented. (ASIL C/ASIL D > Diverse software design: Systematic failures must be covered by detection… e.g. program sequence monitoring)
Avoidance = Manage Safety over a lifecycle… Item description up to decommissioning. Write correct SW – Test etc… Use competent people. Plan – co-ordinate – Document. Control = if bug escapes during development… show that it is most likely detected in runtime. ASIL is the measure of the required risk reduction or the measure of the fault avoidance and failure control we have implemented. (ASIL C/ASIL D > Diverse software design: Systematic failures must be covered by detection… e.g. program sequence monitoring)
Lifecycle model: Starts with the idea of the OEM… Ends with decommissioning the car. What happens if one step is not performed? e.g. hazard and risk analysis > do not notice need for Safety. e.g. airbag requires trained personnel > connect to laptop and have all airbags deployed. Special command to deploy all airbags since 20 years…. great.
Fault: Abnormal condition that can cause an element or an item to fail – “Adjudged cause”
Error: Discrepancy between a computed, observed or measured value or condition and the true, specified, or theoretically correct value or condition – “Corrupted state”
Failure: Termination of the ability of an element or an item to perform a function as required – “Termination of correct service at output interface”