ISO 26262 introduction

Copyright exida LLC ® 2000-2012
Singapore +65 6222 5160
Shanghai +86 21 5171 7250
Hong Kong +852 2633 7727
Germany +49 89 4900 0547
USA +1 215 453 1720
Switzerland +41 22 364 14 34
Canada +1 403 475 1943
United Kingdom +44 2476 456 195
Netherlands +31 318 414 505
Australia / NZL +64 3 472 7707
Mexico +52 55 5611 9858
South Africa +27 31 267 1564
exida Contacts
ISO 26262 Introduction
Singapore, 17 October 2012
Koen Leekens

On the Agenda
ISO 26262 and the Challenges
exida Expertise

Safety is Only as Strong as its Weakest Link
exida

Electronics???
Once upon a time…

Many years later…
Anti-Blocking System
Electronic Stability Program Lane Departure Warning
Steering Lock
Reverse Sensors
Backup Camera
Adaptive Cruise Control
Tire Pressure Monitoring
Deflation Detection System
Traction Control System
Infrared Night Vision
Adaptive Headlights
Emergency Brake Assistance
Corner Brake Control
Pre-Crash System
Automatic Steering
AirbagAutomatic Gearbox ControlAutomated Parking SystemAutomatic Collision Notification
Traffic Sign Recognition

Some Fatality Numbers
Fatalities decreasing too Slow in Europe
Fatalities stable but too High in US

Many years later…
Anti-Blocking System
Electronic Stability Program Lane Departure Warning
Steering Lock
Reverse Sensors
Backup Camera
Adaptive Cruise Control
Tire Pressure Monitoring
Deflation Detection System
Traction Control System
Infrared Night Vision
Adaptive Headlights
Emergency Brake Assistance
Corner Brake Control
Pre-Crash System
Automatic Steering
AirbagAutomatic Gearbox ControlAutomated Parking SystemAutomatic Collision Notification
Traffic Sign Recognition
“Actively” function
to achieve
Safe State

What is…?
Functional Safety
ISO 26262: Absence of unreasonable risk due to hazards caused by
malfunctioning behavior of E/E systems
IEC 61508: Part of the overall safety related to the equipment
under control (EUC) that depends on the correct functioning of
the safety-related system

Why Functional Safety Standards?
BECAUSE…

Why Functional Safety?
BECAUSE…
ELECTRONICS CAN FAIL !!!
Are you Able to Provide the
EVIDENCE
that Risks have been Minimized?

Which Standard to Follow?
IEC 61508
Functional Safety for E/E/PES Safety Related Systems

ISO 26262 Adaptation of IEC 61508
IEC 61508
Why not ideal for
Automotive Industry ?

Basic Standard for Functional Safety
IEC 61508
Generic “High Level” Standard
Roots in Process Industry
Assumes One Company does Everything
Not Designed for the Distributed Development
Why not Ideal for
Automotive Industry ?

ISO 26262 Adaptation of IEC 61508
IEC 61508
IEC 61513
Nuclear
IEC 61511
Process Industry
ISO 26262
Road Vehicles
IEC 62061
Machinery
ISO 13849-1
Machine Safety
ISO 25119
Tractors…
ISO 26262 is “State of the Art” For Automotive
Developed with OEM

How E/E Systems Fail?
Random Failures: “Usually a permanent
or transient failure due to a system
component loss of functionality –
hardware related
Systematic Failures: “Usually due to a
design fault, wrong specification, not fit
for purpose , error in software program,
...

Technical Safety MeasuresProcess – Methods - Organization
ISO 26262 Principles
ISO 26262 Functional Safety Principles
Avoidance of Faults Control of Failures
Avoid Systematic Faults
Control of
Systematic Failures
Control of
Random Failures
In OperationBefore Delivery

Technical Safety MeasuresProcess – Methods - Organization
ISO 26262 Principles
ISO 26262 Functional Safety Principles
Avoidance of Faults Control of Failures
Avoid Systematic Faults
Control of
Systematic Failures
Control of
Random Failures
In OperationBefore Delivery
Implement
Correctly
Detect and
React

Driver
Controllability
(and Usability)
Other
Technologies
External
Measures
Back to appropriate
lifecycle phase
Planning of
Production
7.4
Planning of Operation,
Service and Decom.
7.5
Product Development
System
4
Hard-
ware
5
Soft-
ware
6
Release for SOP4.11
Concept of Functional
Safety
3.7
Production7.4
Operation, Service
and Decommissioning
7.5
conceptphaseproductdevelopmentafterSOP
Management of Functional Safety2.4 – 2.6
Supporting Processes8.4 – 8.15
Functional Safety
Concept
3.8
Hazard Analysis and
Risk Assessment
3.7
Initiation of Safety Life
Cycle
3.6
Item definition3.5
ISO 26262 follows a Safety LifeCycle
Risk Based
Approach

> 100 Work
Products
Work Products
Exida
Templates

ISO 26262 Structure

ISO 26262 Structure
Vocabulary

Vocabulary is important
English is not English
– English – American - KorEnglish – GerEnglish – Singlish…
English is not ISO/IEC
– Validation – Verification – Confirmation
– Fault – Failure – Error
Different Standard – Different Terminology
– Safety Requirement in ISO 26262 vs IEC 61511

ISO 26262 Structure
Functional Safety Management

Overall Requirements for the Organization
– Specific Organizational Rules
– Competence
– Quality
Requirements for Phases
– Roles and Responsibilities
– Functional Safety Plan
– Progression
– Safety Case
– Confirmation Measures
Management of Functional Safety
Plan – Coordinate - Track

4 Functional Safety Management .................................................................................8
4.2 Project Organization................................................................................................... 8
4.3 Roles and Role Descriptions ...................................................................................... 9
4.5 Team Competence....................................................................................................14
5 Safety Life Cycle......................................................................................................16
5.2 Scheduling of the safety lifecycle activities................................................................21
5.3 Concept Phase..........................................................................................................21
5.4 Product development on system level .......................................................................26
5.4.1 Initiation of System Product Development ......................................................26
5.4.2 Specification of Technical Safety Requirements .............................................28
5.4.3 System Design ...............................................................................................30
5.4.4 Item Integration and Testing ...........................................................................33
5.4.5 Safety Validation.............................................................................................34
5.4.6 Functional Safety Assessment........................................................................36
5.4.7 Release for Production ...................................................................................36
5.5 Product development HW level .................................................................................38
5.5.1 Initiation of HW product development .............................................................38
5.5.2 Specification of HW safety requirements ........................................................39
5.5.3 HW design......................................................................................................41
5.5.4 HW architectural metrics.................................................................................43
5.5.5 Evaluation of safety goal violation due to random HW faults...........................44
5.5.6 HW integration and testing..............................................................................45
5.6 Product development SW level .................................................................................46
5.6.1 Initiation of SW product development .............................................................46
5.6.2 Specification of SW safety requirements.........................................................49
5.6.3 SW Architecture design ..................................................................................51
5.6.4 SW Unit design and implementation...............................................................55
5.6.5 SW Unit testing...............................................................................................57
5.6.6 SW integration and testing..............................................................................58
5.6.7 Verification of SW safety requirements ...........................................................59
6 Production and Operation ........................................................................................61
7 Supporting Processes..............................................................................................66
7.1 Interfaces within distributed development..................................................................66
7.2 Specification and management of safety requirements .............................................69
7.3 Configuration management .......................................................................................70
7.4 Change management................................................................................................70
5.4.3 System Design ...............................................................................................30
5.4.4 Item Integration and Testing ...........................................................................33
5.4.5 Safety Validation.............................................................................................34
5.4.6 Functional Safety Assessment........................................................................36
5.4.7 Release for Production ...................................................................................36
5.5 Product development HW level .................................................................................38
5.5.1 Initiation of HW product development .............................................................38
5.5.2 Specification of HW safety requirements ........................................................39
5.5.3 HW design......................................................................................................41
5.5.4 HW architectural metrics.................................................................................43
5.5.5 Evaluation of safety goal violation due to random HW faults...........................44
5.5.6 HW integration and testing..............................................................................45
5.6 Product development SW level .................................................................................46
5.6.1 Initiation of SW product development .............................................................46
5.6.2 Specification of SW safety requirements.........................................................49
5.6.3 SW Architecture design ..................................................................................51
5.6.4 SW Unit design and implementation...............................................................55
5.6.5 SW Unit testing...............................................................................................57
5.6.6 SW integration and testing..............................................................................58
5.6.7 Verification of SW safety requirements ...........................................................59
6 Production and Operation ........................................................................................61
7 Supporting Processes..............................................................................................66
7.1 Interfaces within distributed development..................................................................66
7.2 Specification and management of safety requirements .............................................69
7.3 Configuration management .......................................................................................70
7.4 Change management................................................................................................70
7.5 Verification ................................................................................................................72
7.7 Qualification of SW tools ...........................................................................................75
7.11 Safety Case ..............................................................................................................79
8 Cross Reference between Project Documentation and ISO 26262 Work Products.81
11 Annex A: Status of the Team Competence..............................................................84
Functional Safety Plan
Exida
Template

Management of Functional Safety
Safety Case
A clear,
comprehensive and defensible argument
that a system is acceptably safe to operate
in a particular context.
(Tim Kelly / Rob Weawer University of York)

ISO 26262 Structure
Concept

Concept Phase
OEM Defines Item > ESCL
Initiation of Safety Lifecycle
Hazard Analyses and Risk Assessment
Functional Safety Concept
Prevent use by
unauthorized person
by mechanical lock

Concept Phase
Initiation of Safety Lifecycle > New
Integration Test
Configuration Control
Regression testing
Modifications
Version Control
Problem Analysis
Change Control
BoardChange Control
Board
Change Request
Decide on lifecycle
re-entry point
New
release
Productization
Modified product - hardware & software
User documentation incl.
changed product safety properties
Associated development & test doc.
Release history
Safety Alert
Recall
Documents
yellow: new
green: update existing
Legend
Safety Case
Database entries
yellow: new
green: update existing
Problem Report
Functional
Enhancement
Request
Update Regression
Test Suite
Modification Proposal
Safety Criticality
Affected Modules
Stop
System Test
Module Test
Update Safety Case
& Probability Model
Impact Analysis
Exida
Modification
Process

Concept Phase
Initiation of safety Lifecycle > New
What Can Go Wrong?
> Steering locks when driving

Concept Phase
SG No. HRA Reg Safety Goal ASIL Safe State
SG1 ESCL_001
Unintended locking of ESCL while
vehicle is moving shall be avoided
?
Unlocked
ESCL
SAFETY GOAL
Avoid a Dangerous
Situation

Concept Phase
How “Risky” is that?
> Need ASILD

Consequence – Likelihood
Moderation Always
with OEM

Concept Phase
Functionality to
meet
SAFETY GOAL…
Hazard Analyses and Risk Assessment > ASILD

Concept Phase
ASIL D
Vehicle Speed
Server
ASIL D
SG1
ASIL D
Steering Column
Lock
Vehicle speed
ASIL D
Lock Sequence
ASIL D
Unlock Steering Column when Vehicle is moving
Hazard Analyses and Risk Assessment > ASILD

ISO 26262 Structure
System Level Development

Objectives TSC and System-Design
– Requirements allocation
– Specification of Safety Measures
– Integration
– Validation
Functional Safety
Concept
Technical Safety
Concept
System Design
HW Design SW Design
Concept Phase
Product Development
Product Development System Level
INTEGRITY

Product Development System Level

ISO 26262 Structure
HSI

ISO 26262 Structure
HW Level Development

Product Development Hardware Level
ASIL B ASIL C ASIL D
Single point
faults metric
≥ 90 %
+
≥ 97 %
++
≥ 99 %
++
Latent faults
metric
≥ 60 %
+
≥ 80 %
+
≥ 90 %
++
5.8 Architectural
ASIL Random hardware failure target values
D < 10-8 h-1
C < 10-7 h-1
B < 10-7 h-1
5.9 Random

Dual Core versus 2 µC Solution
Optimized Vehicle + Safety Features
AURIX covers Random HW Fault issues
Focus Mainly on
Application
ALU
RAM
Reg
ALU
RAM
Reg
I/O
Flash
Voter
I/O
I/O I/O
I/O
I/O
µC1
µC2
2x SW Development,
Communication, Testing,
PCB Space, Justification,
Supply voltage,

ISO 26262 Structure
SW Level Development

Product Development Software Level
System Validation
Software Validation
Test
Verification
during Design
Test
E/E System-Design
Software Safety
Requirements
E/E System Integration
Software Architecture
and Design
Software
Implementation
Software Unit Test
Software Integration
and Test
Software Safety
Validation
TestPhases
DesignPhasesVerification
during Design
Verification
during Design
ScopeofPart6
ScopeofPart6
ScopeofPart4
ScopeofPart4

ISO 26262 Structure
Production
Operation

ISO 26262 Structure
Supporting Processes

Interfaces within Distributed Developments (DIA)
Specification and Management of Requirements
Configuration Management
Change Management
Verification
Documentation
Confidence of Use in SW Tools
Qualification of HW/SW Components
Proven in Use Arguments
Supporting Processes
Other Parts
reference
“Supporting Processes”

ISO 26262 Structure
Safety Analyses

Safety Analyses
Decomposition ASIL Tailoring
Criteria for Coexistence
Dependent Failure Analysis
Safety Analyses

H&R FMEA
SWCA
FMEA
FMEDA
HAZAN
FTA
SCA
H&R: Hazard & Risk
SCA: System Criticality
FTA: Fault Tree
FMEA: Failure Mode Effect
FMEDA: FMEA with Diagnostics
SWCA: SW-Criticality
HAZAN: Hazard Analysis
Where are Safety Analyses in ISO?

SafetyCaseDB
Requirements and Safety Case Management and ISO 26262
knowledgebase
SILCal FMEDA
Component FMEA with integrated Failure Mode Database
SILCap
Safety Criticality Analysis, System FMEA and S/W-HAZOP
exida Tools for Automotive
Tool-Based Design
Support

ISO 26262 Structure
Guideline

ISO 26262: If you did it well…
You are Able to Show:
– Completeness:
 Everything accounted for
 Requirements under Control
 Everything tested – pass
 Used the toolsets
– Traceability:
 Structured Process Model
 Documents linked
 Evidence for Everything
 Understandable for external
– Consistency
 This is visible for external
auditor even when project
members have left
– Documentation:
 All activities planned
 Execution documented in SC
 Inspected - Archived
 For a life-time (15year?)

ISO 26262: If you did it well…
You are Able to Show:
– Completeness:
 Everything accounted for
 Requirements under Control
 Everything tested – pass
 Used the toolsets
– Traceability:
 Structured Process Model
 Documents linked
 Evidence for Everything
 Understandable for external
– Consistency
 This is visible for external
auditor even when project
members have left
– Documentation:
 All activities planned
 Execution documented in SC
 Inspected - Archived
 For a life-time (15year?)
A clear,
comprehensive and defensible argument
that a system is acceptably safe to operate
in a particular context.
(Tim Kelly / Rob Weawer University of York)

Who we are
Founded in 1999 by experts from Manufacturers, End Users,
Engineering Companies and TÜV SÜD
Today: LARGEST Functional Safety and Cyber Security
consultancy and certification body worldwide
“Provide independent services and tools to help customers
comply to any industry standards for Functional Safety, Cyber
Security and Alarm Management”
Rainer Faller
Former Head of TÜV Product Services
Chairman German IEC 61508
Intervener ISO 26262 / IEC 61508
Co-Authored IEC 61508 parts
Author of several Safety Publications
Dr. William Goble
Former Director Moore Industries
Developed FMEDA Technique (PhD)
Author of several Safety Books
Author of several Reliability Books

What we do
EXIDA SCOPE
Functional
Safety
Cyber
Security
Alarm
Management
SERVICES
Tools
Training
Consultancy
Certification
Reference
Materials
INDUSTRIES
Process
Industry
Automotive
Machine
Industry
Power
Industry
Rail
End Users
Equipment
Manufacturer
Car
Manufacturer
System
Integrators
CUSTOMERS
Reliability

Services
Automotive Customers (extract)
Tools IC‘s

exida Development Support Services
Setting up Functional Safety Management / Act as FSM Coordinator
Safety System Development and Design support
– Requirements Management & Engineering (SafetyCaseDB + Doors® incl. Setup)
– Safety Concept development and documentation (also pre-existing systems)
– Tool based Safety Criticality Analysis (SILCap)
– Hardware design support  Tool based FMEA and Quantitative FMEDA
– Software design support  UML design  Tool based Software HAZOP/FMEA
(SILCap)
Tool based Safety Case development
– IEC/ISO knowledgebase
– Document templates per development phase:
FSM plan, SRS, Safety concept, Test plans
Tool-based Safety Verification of Automotive Applications

exida Certification S.A.
– Clean separation from the exida Consulting business
– English language based assessment and certification system
– International alternative to TÜV
Open exida Certification Scheme
– IEC 61508 and ISO 26262 compliant using exida Safety Case
methodology (SafetyCaseDB) and audits
– Assessment Process and Requirements Publicly available
exida Certifications

Safety and Standards Advisor
– Questions, advice
– Interpretation of standards
Moderator and Participant
– FMEDA, Dependent Failure Analysis
– Software analysis
– Project Bottlenecks
Participant (joint activities)
– Write development documents and procedures
– Help with test specification, FIT, safety validation
Be your “Lawyer” vs. the Assessment Body
– Argue your safety case
– Manage all activities with the assessor
exida Certification S.A. – the Assessment Body
One or more Roles
exida is Part of your Team

Steering (Active Front Steering, Electronic Power Steering)
Gearbox
Driver assistance (e.g. ACC, ESP)
Body control
H2 Clean-Energy
Battery monitoring
Software platforms (AUTOSAR, communication, hardware drivers, self-tests)
Safety IC Assessment support (µC, system chips)
Automotive Projects (extract)

ISO 26262 introduction

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (11)

Ähnlich wie ISO 26262 introduction

Ähnlich wie ISO 26262 introduction (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

ISO 26262 introduction

Hinweis der Redaktion