Posted: 11-Aug-2014 | Category: Automotive | Uploaded by: koenleekens
Copyright exida LLC ® 2000-2012

ISO 26262 Introduction
Singapore, 17 October 2012
Koen Leekens

exida Contacts
Singapore +65 6222 5160
Shanghai +86 21 5171 7250
Hong Kong +852 2633 7727
Germany +49 89 4900 0547
USA +1 215 453 1720
Switzerland +41 22 364 14 34
Canada +1 403 475 1943
United Kingdom +44 2476 456 195
Netherlands +31 318 414 505
Australia / NZL +64 3 472 7707
Mexico +52 55 5611 9858
South Africa +27 31 267 1564
On the Agenda
– ISO 26262 and the Challenges
– exida Expertise
Safety is Only as Strong as its Weakest Link

Once upon a time…
Electronics???
Many years later…
– Anti-Blocking System
– Electronic Stability Program
– Lane Departure Warning
– Steering Lock
– Reverse Sensors
– Backup Camera
– Adaptive Cruise Control
– Tire Pressure Monitoring
– Deflation Detection System
– Traction Control System
– Infrared Night Vision
– Adaptive Headlights
– Emergency Brake Assistance
– Corner Brake Control
– Pre-Crash System
– Automatic Steering
– Airbag
– Automatic Gearbox Control
– Automated Parking System
– Automatic Collision Notification
– Traffic Sign Recognition

Some Fatality Numbers
– Fatalities decreasing too slowly in Europe
– Fatalities stable but too high in the US
Many years later… (the same list of functions as above)
These functions have to “actively” function in order to achieve a Safe State.
What is Functional Safety?
ISO 26262: Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems.
IEC 61508: Part of the overall safety related to the equipment under control (EUC) that depends on the correct functioning of the safety-related system.
Why Functional Safety Standards?
BECAUSE… ELECTRONICS CAN FAIL !!!
Are you able to provide the EVIDENCE that risks have been minimized?
Which Standard to Follow?
IEC 61508: Functional Safety for E/E/PES Safety Related Systems – the basic standard for functional safety.
Why is it not ideal for the Automotive Industry?
– Generic “High Level” Standard
– Roots in the Process Industry
– Assumes One Company does Everything
– Not Designed for Distributed Development

ISO 26262 is an adaptation of IEC 61508. Sector standards derived from or related to IEC 61508:
– IEC 61513: Nuclear
– IEC 61511: Process Industry
– ISO 26262: Road Vehicles
– IEC 62061: Machinery
– ISO 13849-1: Machine Safety
– ISO 25119: Tractors…
ISO 26262 is “State of the Art” for Automotive – Developed with the OEMs
How Do E/E Systems Fail?
Random Failures: “Usually a permanent or transient failure due to a system component losing its functionality” – hardware related.
Systematic Failures: “Usually due to a design fault, wrong specification, not fit for purpose, error in software program, …”
ISO 26262 Functional Safety Principles
Avoidance of Faults (before delivery): avoid systematic faults through Process – Methods – Organization → Implement Correctly.
Control of Failures (in operation): control of systematic failures and control of random failures through Technical Safety Measures → Detect and React.
ISO 26262 follows a Safety Lifecycle – a Risk Based Approach
(Lifecycle figure, reconstructed as a list; the numbers are the ISO 26262 part and clause of each activity.)
Management of Functional Safety 2.4 – 2.6
Supporting Processes 8.4 – 8.15
Concept phase:
– Item definition 3.5
– Initiation of Safety Lifecycle 3.6
– Hazard Analysis and Risk Assessment 3.7
– Functional Safety Concept 3.8
Product development:
– System 4
– Hardware 5
– Software 6
– Planning of Production 7.4 and Planning of Operation, Service and Decommissioning 7.5
– Release for SOP 4.11
After SOP:
– Production 7.4
– Operation, Service and Decommissioning 7.5
– Back to the appropriate lifecycle phase
Outside the E/E system: Other Technologies, External Measures, Driver Controllability (and Usability)
> 100 Work Products (exida Templates)

ISO 26262 Structure

ISO 26262 Structure: Vocabulary
Vocabulary is important
– English is not English: English – American – KorEnglish – GerEnglish – Singlish…
– English is not ISO/IEC: Validation – Verification – Confirmation; Fault – Failure – Error
– Different Standard – Different Terminology: Safety Requirement in ISO 26262 vs IEC 61511

ISO 26262 Structure: Functional Safety Management

Management of Functional Safety – Plan – Coordinate – Track
– Overall Requirements for the Organization: Specific Organizational Rules, Competence, Quality
– Requirements for Phases: Roles and Responsibilities, Functional Safety Plan, Progression, Safety Case, Confirmation Measures
Functional Safety Plan (exida Template) – table of contents
4 Functional Safety Management
  4.2 Project Organization
  4.3 Roles and Role Descriptions
  4.5 Team Competence
5 Safety Life Cycle
  5.2 Scheduling of the safety lifecycle activities
  5.3 Concept Phase
  5.4 Product development on system level
    5.4.1 Initiation of System Product Development
    5.4.2 Specification of Technical Safety Requirements
    5.4.3 System Design
    5.4.4 Item Integration and Testing
    5.4.5 Safety Validation
    5.4.6 Functional Safety Assessment
    5.4.7 Release for Production
  5.5 Product development HW level
    5.5.1 Initiation of HW product development
    5.5.2 Specification of HW safety requirements
    5.5.3 HW design
    5.5.4 HW architectural metrics
    5.5.5 Evaluation of safety goal violation due to random HW faults
    5.5.6 HW integration and testing
  5.6 Product development SW level
    5.6.1 Initiation of SW product development
    5.6.2 Specification of SW safety requirements
    5.6.3 SW Architecture design
    5.6.4 SW Unit design and implementation
    5.6.5 SW Unit testing
    5.6.6 SW integration and testing
    5.6.7 Verification of SW safety requirements
6 Production and Operation
7 Supporting Processes
  7.1 Interfaces within distributed development
  7.2 Specification and management of safety requirements
  7.3 Configuration management
  7.4 Change management
  7.5 Verification
  7.7 Qualification of SW tools
  7.11 Safety Case
8 Cross Reference between Project Documentation and ISO 26262 Work Products
11 Annex A: Status of the Team Competence
Management of Functional Safety: Safety Case
“A clear, comprehensive and defensible argument that a system is acceptably safe to operate in a particular context.”
(Tim Kelly / Rob Weaver, University of York)

ISO 26262 Structure: Concept
Concept Phase
OEM Defines Item > ESCL (Steering Column Lock): prevent use by an unauthorized person by a mechanical lock
Initiation of Safety Lifecycle – Hazard Analysis and Risk Assessment – Functional Safety Concept
Concept Phase
OEM Defines Item > ESCL; Initiation of Safety Lifecycle > New; Hazard Analysis and Risk Assessment; Functional Safety Concept

exida Modification Process (the alternative to “New” at the initiation of the safety lifecycle; figure reconstructed as a flow)
– Problem Report or Functional Enhancement Request → Change Request
– Impact Analysis: Modification Proposal, Safety Criticality, Affected Modules; Problem Analysis
– Change Control Board: decide on the lifecycle re-entry point, or Stop
– Modifications under Version Control and Configuration Control; Update Regression Test Suite
– Module Test → Integration Test → System Test → Regression testing
– Update Safety Case & Probability Model
– New release → Productization: Modified product (hardware & software), User documentation incl. changed product safety properties, Associated development & test documentation, Release history
– Safety Alert / Recall
(Legend of the figure: documents and database entries are marked yellow when new and green when an existing one is updated.)
Concept Phase
OEM Defines Item > ESCL; Initiation of Safety Lifecycle > New; Hazard Analysis and Risk Assessment; Functional Safety Concept
What Can Go Wrong? > Steering locks when driving

SAFETY GOAL: avoid a dangerous situation
Safety Goal SG1 (HRA Reg ESCL_001): Unintended locking of ESCL while vehicle is moving shall be avoided
ASIL: ? (determined in the next step)   Safe State: Unlocked

How “Risky” is that? > Need ASIL D
Consequence – Likelihood (risk assessment); moderation always with the OEM
Concept Phase
OEM Defines Item > ESCL; Initiation of Safety Lifecycle > New; Hazard Analysis and Risk Assessment > ASIL D; Functional Safety Concept
Functionality to meet the SAFETY GOAL… SG1 (ASIL D): Unlock Steering Column when Vehicle is moving
(Functional safety concept figure, reconstructed:)
– Vehicle Speed Server (ASIL D) → vehicle speed signal (ASIL D) → Steering Column Lock (ASIL D)
– Lock Sequence (ASIL D) → Steering Column Lock (ASIL D)
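To make the functional safety concept concrete, here is an added illustration (not part of the exida presentation and not text from the standard) of the “detect and react” principle applied to SG1: a small ESCL lock controller treats the vehicle-speed signal as an ASIL D input, checks its plausibility, and falls back to the safe state Unlocked whenever the vehicle is moving or the speed signal cannot be trusted. The thresholds, the signal fields (age, CRC flag), the class names and the fault-latching behaviour are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class LockState(Enum):
    UNLOCKED = "unlocked"  # safe state for SG1 on the slide above
    LOCKED = "locked"


# Assumed thresholds for this example (not taken from the presentation or the standard).
STANDSTILL_KMH = 3.0          # at or above this speed the vehicle counts as "moving"
MAX_SIGNAL_AGE_CYCLES = 3     # a speed value older than this is treated as lost
MAX_PLAUSIBLE_KMH = 300.0     # anything above this is treated as a corrupted value


@dataclass
class SpeedSignal:
    """Vehicle speed as received from the vehicle speed server (assumed message layout)."""
    kmh: Optional[float]   # None = no value received at all
    age_cycles: int        # controller cycles since the value was last refreshed
    crc_ok: bool           # end-to-end protection check result


def speed_plausible(sig: SpeedSignal) -> bool:
    """Detect: reject missing, stale, corrupted or out-of-range speed values."""
    if sig.kmh is None or not sig.crc_ok:
        return False
    if sig.age_cycles > MAX_SIGNAL_AGE_CYCLES:
        return False
    return 0.0 <= sig.kmh <= MAX_PLAUSIBLE_KMH


class EsclController:
    """Lock/unlock logic for the steering column lock, arranged so that SG1 holds by construction."""

    def __init__(self) -> None:
        self.state = LockState.UNLOCKED   # power-up in the safe state
        self.fault_latched = False

    def step(self, speed: SpeedSignal, lock_request: bool, unlock_request: bool) -> LockState:
        # React: without a trustworthy speed we cannot show that the vehicle is standing,
        # so go to (and stay in) the safe state and latch the fault.
        if not speed_plausible(speed):
            self.fault_latched = True
            self.state = LockState.UNLOCKED
            return self.state

        moving = speed.kmh >= STANDSTILL_KMH
        if moving or unlock_request:
            # Functional safety concept: unlock the steering column when the vehicle is moving.
            self.state = LockState.UNLOCKED
        elif lock_request and not self.fault_latched:
            # Locking is the intended anti-theft function; it is only allowed at standstill with
            # a healthy speed signal, and a latched fault keeps it disabled until service.
            self.state = LockState.LOCKED
        return self.state


def run_trace(events: List[Tuple[SpeedSignal, bool, bool]]) -> List[LockState]:
    """Feed a sequence of (speed, lock_request, unlock_request) events through one controller."""
    ctrl = EsclController()
    return [ctrl.step(spd, lock, unlock) for spd, lock, unlock in events]


# Constructed sample trace: park and lock, drive off, stop and lock, then the speed message goes stale.
SAMPLE_TRACE = [
    (SpeedSignal(0.0, 0, True), True, False),    # standstill, lock requested -> LOCKED
    (SpeedSignal(20.0, 0, True), False, False),  # moving -> UNLOCKED (SG1)
    (SpeedSignal(0.0, 0, True), True, False),    # standstill again -> LOCKED
    (SpeedSignal(0.0, 5, True), True, False),    # stale speed -> safe state UNLOCKED, fault latched
    (SpeedSignal(0.0, 0, True), True, False),    # fresh signal, but fault latched -> stays UNLOCKED
]

if __name__ == "__main__":
    for (spd, lock, unlock), state in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"speed={spd.kmh} age={spd.age_cycles} lock_req={lock} -> {state.value}")
```

The point of the structure is that the safe state is the default: every path that cannot positively establish "standing still with a trusted speed" ends in Unlocked, which is exactly the safe state the HARA assigned to SG1.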
ISO 26262 Structure: System Level Development

Product Development System Level – INTEGRITY
Objectives: TSC and System Design – Requirements allocation – Specification of Safety Measures – Integration – Validation
Concept Phase: Functional Safety Concept
Product Development: Technical Safety Concept → System Design → HW Design / SW Design

ISO 26262 Structure: HSI (hardware-software interface)

ISO 26262 Structure: HW Level Development
Product Development Hardware Level

5.8 Hardware architectural metrics (+ recommended, ++ highly recommended for that ASIL):
                            ASIL B      ASIL C      ASIL D
Single point faults metric  ≥ 90 % +    ≥ 97 % ++   ≥ 99 % ++
Latent faults metric        ≥ 60 % +    ≥ 80 % +    ≥ 90 % ++

5.9 Random hardware failure target values (per hour of operation):
ASIL D: < 10^-8 h^-1
ASIL C: < 10^-7 h^-1
ASIL B: < 10^-7 h^-1
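The figures above are what an FMEDA is evaluated against. As an added worked example (not exida's SILCal or any code from the presentation), the following Python classifies the failure rate of a few constructed elements into single-point, residual, latent and detected multiple-point faults, computes the single point faults metric, the latent faults metric and a simplified PMHF from them, and checks which of the ASIL targets from the table are met. The element list, its failure rates in FIT, the diagnostic coverages and the latent fractions are made-up inputs; the PMHF here counts only single-point and residual faults and ignores the multiple-point contribution the standard also includes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

FIT = 1e-9  # 1 FIT = one failure per 10^9 hours of operation

# Target values exactly as listed on the slide (ISO 26262-5 clauses 8 and 9).
TARGETS: Dict[str, Dict[str, float]] = {
    "B": {"spfm": 0.90, "lfm": 0.60, "pmhf_per_h": 1e-7},
    "C": {"spfm": 0.97, "lfm": 0.80, "pmhf_per_h": 1e-7},
    "D": {"spfm": 0.99, "lfm": 0.90, "pmhf_per_h": 1e-8},
}


@dataclass
class FmedaRow:
    """One hardware element of the FMEDA (all values are constructed for this example)."""
    name: str
    lam_fit: float          # base failure rate of the element, in FIT
    safe_frac: float        # share of failures that cannot violate the safety goal
    dc: Optional[float]     # diagnostic coverage of its safety mechanism; None = no mechanism
    latent_frac: float      # share of covered faults that no secondary measure would reveal

    def split(self) -> Dict[str, float]:
        """Classify the element's failure rate into the ISO 26262-5 fault classes (in FIT)."""
        lam_safe = self.lam_fit * self.safe_frac
        lam_dangerous = self.lam_fit - lam_safe
        if self.dc is None:
            # No safety mechanism: every dangerous failure is a single-point fault.
            return {"safe": lam_safe, "spf": lam_dangerous, "rf": 0.0,
                    "mpf_latent": 0.0, "mpf_detected": 0.0}
        covered = lam_dangerous * self.dc
        return {
            "safe": lam_safe,
            "spf": 0.0,
            "rf": lam_dangerous - covered,                   # residual: escapes the mechanism
            "mpf_latent": covered * self.latent_frac,        # covered, but stays unnoticed
            "mpf_detected": covered * (1.0 - self.latent_frac),
        }


def architectural_metrics(rows: List[FmedaRow]) -> Dict[str, float]:
    """SPFM, LFM and a simplified PMHF (single-point and residual faults only) over all rows."""
    totals = {"safe": 0.0, "spf": 0.0, "rf": 0.0, "mpf_latent": 0.0, "mpf_detected": 0.0}
    lam_total = 0.0
    for row in rows:
        lam_total += row.lam_fit
        for cls, value in row.split().items():
            totals[cls] += value
    single_point_and_residual = totals["spf"] + totals["rf"]
    spfm = 1.0 - single_point_and_residual / lam_total
    # LFM is evaluated over the failure rate left after single-point and residual faults.
    lfm = 1.0 - totals["mpf_latent"] / (lam_total - single_point_and_residual)
    pmhf = single_point_and_residual * FIT
    return {"spfm": spfm, "lfm": lfm, "pmhf_per_h": pmhf}


def highest_asil_met(m: Dict[str, float]) -> Optional[str]:
    """Highest ASIL whose three targets from the slide are all satisfied, or None."""
    best = None
    for asil in ("B", "C", "D"):   # targets get stricter from B to D
        t = TARGETS[asil]
        if m["spfm"] >= t["spfm"] and m["lfm"] >= t["lfm"] and m["pmhf_per_h"] < t["pmhf_per_h"]:
            best = asil
    return best


# Constructed FMEDA rows for a steering-column-lock-like item (not real component data).
SAMPLE_ROWS = [
    FmedaRow("speed input filter (no mechanism)", 2.0, 0.5, None, 0.0),
    FmedaRow("lock motor H-bridge, current monitored", 20.0, 0.4, 0.99, 0.2),
    FmedaRow("microcontroller, lockstep cores", 100.0, 0.5, 0.99, 0.1),
    FmedaRow("supply monitor", 5.0, 0.2, 0.90, 0.5),
]

if __name__ == "__main__":
    result = architectural_metrics(SAMPLE_ROWS)
    print(f"SPFM = {result['spfm']:.2%}, LFM = {result['lfm']:.2%}, "
          f"PMHF = {result['pmhf_per_h']:.2e} /h -> highest ASIL met: {highest_asil_met(result)}")
```

With these constructed rows the PMHF and the latent faults metric already reach the ASIL D targets, but the single point faults metric lands between 97 % and 99 %, so the architecture would only be acceptable for ASIL C: the one unmonitored element with 1 FIT of single-point faults dominates. That is the kind of result that sends a design back to add a safety mechanism or to apply ASIL decomposition, as the safety analyses slides later in this deck describe.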
Dual Core versus 2 µC Solution
Dual core (AURIX): Optimized Vehicle + Safety Features; AURIX covers the Random HW Fault issues; Focus Mainly on Application.
(Figure, reconstructed: a dual-core device with two ALU/RAM/Reg cores, Flash and I/O behind a Voter, versus two separate microcontrollers µC1 and µC2, each with its own I/O.)
Two µC solution: 2x SW Development, Communication, Testing, PCB Space, Justification, Supply voltage, …
ISO 26262 Structure: SW Level Development

Product Development Software Level (V-model, reconstructed from the figure)
Design Phases, with Verification during Design at each step:
– E/E System-Design (scope of Part 4)
– Software Safety Requirements (scope of Part 6)
– Software Architecture and Design
– Software Implementation
Test Phases, each verifying the corresponding design phase:
– Software Unit Test
– Software Integration and Test
– Software Safety Validation / Software Validation (end of the scope of Part 6)
– E/E System Integration
– System Validation (scope of Part 4)
ISO 26262 Structure: Production and Operation

ISO 26262 Structure: Supporting Processes
Supporting Processes – the other parts reference “Supporting Processes”
– Interfaces within Distributed Developments (DIA)
– Specification and Management of Requirements
– Configuration Management
– Change Management
– Verification
– Documentation
– Confidence in the Use of SW Tools
– Qualification of HW/SW Components
– Proven in Use Arguments
ISO 26262 Structure: Safety Analyses
Safety Analyses
– Decomposition / ASIL Tailoring
– Criteria for Coexistence
– Dependent Failure Analysis
– Safety Analyses

Where are Safety Analyses in ISO?
H&R: Hazard & Risk
HAZAN: Hazard Analysis
SCA: System Criticality Analysis
SWCA: SW Criticality Analysis
FTA: Fault Tree Analysis
FMEA: Failure Mode and Effect Analysis
FMEDA: FMEA with Diagnostics

exida Tools for Automotive – Tool-Based Design Support
– SafetyCaseDB: Requirements and Safety Case Management and ISO 26262 knowledgebase
– SILCal: FMEDA / Component FMEA with integrated Failure Mode Database
– SILCap: Safety Criticality Analysis, System FMEA and S/W-HAZOP
ISO 26262 Structure: Guideline

ISO 26262: If you did it well…
You are Able to Show:
– Completeness: Everything accounted for; Requirements under Control; Everything tested – pass; Used the toolsets
– Traceability: Structured Process Model; Documents linked; Evidence for Everything; Understandable for an external auditor
– Consistency: This is visible for an external auditor even when project members have left
– Documentation: All activities planned; Execution documented in the Safety Case (SC); Inspected – Archived for a life-time (15 years?)
That is the Safety Case: “A clear, comprehensive and defensible argument that a system is acceptably safe to operate in a particular context.” (Tim Kelly / Rob Weaver, University of York)
On the Agenda: exida Expertise

Who we are
Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV SÜD
Today: LARGEST Functional Safety and Cyber Security consultancy and certification body worldwide
“Provide independent services and tools to help customers comply with any industry standards for Functional Safety, Cyber Security and Alarm Management”
Rainer Faller: Former Head of TÜV Product Services; Chairman German IEC 61508; Intervener ISO 26262 / IEC 61508; Co-Authored IEC 61508 parts; Author of several Safety Publications
Dr. William Goble: Former Director Moore Industries; Developed the FMEDA Technique (PhD); Author of several Safety Books; Author of several Reliability Books
What we do – EXIDA SCOPE
Functional Safety – Cyber Security – Alarm Management – Reliability
SERVICES: Tools, Training, Consultancy, Certification, Reference Materials
INDUSTRIES: Process Industry, Automotive, Machine Industry, Power Industry, Rail
CUSTOMERS: End Users, Equipment Manufacturers, Car Manufacturers, System Integrators

Automotive Customers (extract): Services – Tools – ICs (customer logo slide)
exida Development Support Services
– Setting up Functional Safety Management / Act as FSM Coordinator
– Safety System Development and Design support:
  – Requirements Management & Engineering (SafetyCaseDB + Doors® incl. Setup)
  – Safety Concept development and documentation (also pre-existing systems)
  – Tool based Safety Criticality Analysis (SILCap)
  – Hardware design support: Tool based FMEA and Quantitative FMEDA
  – Software design support: UML design, Tool based Software HAZOP/FMEA (SILCap)
– Tool based Safety Case development:
  – IEC/ISO knowledgebase
  – Document templates per development phase: FSM plan, SRS, Safety concept, Test plans
– Tool-based Safety Verification of Automotive Applications
exida Certifications
exida Certification S.A.:
– Clean separation from the exida Consulting business
– English language based assessment and certification system
– International alternative to TÜV
Open exida Certification Scheme:
– IEC 61508 and ISO 26262 compliant, using the exida Safety Case methodology (SafetyCaseDB) and audits
– Assessment Process and Requirements publicly available
exida is Part of your Team – One or more Roles
– Safety and Standards Advisor: Questions, advice; Interpretation of standards
– Moderator and Participant: FMEDA, Dependent Failure Analysis; Software analysis; Project Bottlenecks
– Participant (joint activities): Write development documents and procedures; Help with test specification, FIT, safety validation
– Be your “Lawyer” vs. the Assessment Body: Argue your safety case; Manage all activities with the assessor
– exida Certification S.A. – the Assessment Body
Automotive Projects (extract)
– Steering (Active Front Steering, Electronic Power Steering)
– Gearbox
– Driver assistance (e.g. ACC, ESP)
– Body control
– H2 Clean-Energy
– Battery monitoring
– Software platforms (AUTOSAR, communication, hardware drivers, self-tests)
– Safety IC Assessment support (µC, system chips)