© HORIBA MIRA Ltd. 2017
Dr David Ward
Senior Technical Manager
Functional Safety
January 2017
ISO 26262
Update on development of
the standard
Agenda
Why update ISO 26262?
What is the process for updating the standard?
Current status of Edition 2 draft and key changes
Wider standardization activities
Conclusion and outlook
A frequently asked question …
ISO 26262 was officially published on 15 November 2011
Almost immediately on 16 November 2011 …
What’s going to be in Edition 2 of the standard?
Why update ISO 26262?
Specific requirements to adapt ISO 26262 to
- Extend scope to other types of vehicles (motorcycles, trucks, buses)
o Motorcycles ISO/PAS 19695 and new Part 12 in Edition 2
- Give additional guidance on semiconductor devices
o ISO/PAS 19451 and new Part 11 in Edition 2
- Address ADAS-related hazards caused by “normal operation” of the sensors
o Currently will be developed as a separate PAS (ISO/PAS 21448)
Other challenges include
- Addressing highly distributed architectures
- Moves towards highly automated vehicles
- Cybersecurity
ISO timescales
- Require at least 3 years from first publication before revision starts
- Likely timescale for full Edition 2 is ~ 2018 based on a 36 month project
- Specific needs will be addressed earlier in a PAS (Publicly Available Specification)
Timescales are approximate and may be subject to change!
Timescales for the revision (simplified, figure)
Preparation → CD ballot → Comments processing → DIS ballot → Comments processing → FDIS ballot → Publication
Timeline marks: January 2016, September 2016, September 2017, Q1/2018
We are here! The DIS comments are being processed …
Key changes being considered for Edition 2
Disclaimer: The DIS, although publicly available, is still a draft and many of the concepts are still subject to discussion and change!
Key changes to be covered today include
- Structure of the standard
- Extensions to other types of vehicles
- Vocabulary – definition of FTTI
- Safety management – process aspects, confirmation measures, link to cybersecurity
- Concept phase – item definition, low probability situations, examples
- Product development at the hardware level
- Product development at the software level
- Supporting processes
- Semiconductors
The structure of ISO 26262 Edition 2 (figure)
Part 1 Vocabulary
Part 2 Management of functional safety (safety management aspects merged from Parts 3 to 6; safety assessment moved to Part 2)
Part 3 Concept phase
Part 4 Product development: system level
Part 5 Product development: hardware level
Part 6 Product development: software level
Part 7 Production, operation, service and decommissioning
Part 8 Supporting processes (new processes for T&B)
Part 9 ASIL-oriented and safety-oriented analyses
Part 10 Guideline on ISO 26262 (informative)
Part 11 Guideline on application of ISO 26262 to semiconductors (informative)
Part 12 Adaptation of ISO 26262 for motorcycles
Summary of additions and modifications to ISO 26262 Edition 2 – as at DIS version
Scope update to include motorcycles and trucks and buses (T&B)
- New Part 12 for motorcycles (merge in of ISO/PAS 19695)
- T&B requirements integrated into existing parts
New Part 11 – guideline for semiconductors (merge in of ISO/PAS 19451)
All other Parts have been modified
Functional Safety Assessment now focused on achieving the “Objective” clauses
- “Objectives” clauses have been improved throughout
Functional safety management from Parts 3 – 6 merged into Part 2
- Reference to “refined” work products generally removed
Summary of additions and modifications to ISO 26262 Edition 2 – as at DIS version
Cybersecurity remains out of scope
- High level informative guidance for the safety practitioner in Part 2
- New joint SAE/ISO WG11 will develop a new cybersecurity standard
Safety of the Intended Functionality (SOTIF), e.g. automated features, not explicitly included
- Though an NWIP (new work item proposal) has been initiated to continue this activity, which will be part of WG8 (ISO/PAS 21448)
Definition of ++ and + in tables of methods updated
- For consecutive entries, all listed highly recommended and recommended methods in accordance with the ASIL apply. It is allowed to substitute a highly recommended or recommended method by other one(s) not listed in the table, but a rationale shall be given that these comply with the corresponding requirement. A recommended method may be omitted, but a rationale why this method is omitted shall be given
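The ++ / + rule above is easy to misread, so here it is encoded as a check over a table of methods. This is an added example, not text or code from the standard or the presentation; the table EXAMPLE_TABLE, the method names M1 to M4 and the project choices are constructed for illustration, and only consecutive entries (methods that apply together, not alternatives) are handled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed table of methods (not from ISO 26262): method -> recommendation
# per ASIL in the standard's notation ("++" highly recommended, "+"
# recommended, "o" no recommendation). All entries are consecutive.
EXAMPLE_TABLE: Dict[str, Dict[str, str]] = {
    "M1 static analysis":       {"A": "+",  "B": "+",  "C": "++", "D": "++"},
    "M2 control flow analysis": {"A": "+",  "B": "+",  "C": "++", "D": "++"},
    "M3 formal verification":   {"A": "o",  "B": "o",  "C": "+",  "D": "+"},
    "M4 code review":           {"A": "++", "B": "++", "C": "++", "D": "++"},
}


@dataclass
class Choice:
    """How a project treats one listed method at its ASIL."""
    applied: bool = False
    substitute: Optional[str] = None   # a method that is not listed in the table
    rationale: Optional[str] = None    # required for a substitution or an omission


def check_methods(table: Dict[str, Dict[str, str]], asil: str,
                  choices: Dict[str, Choice]) -> List[str]:
    """Return findings (empty list = compliant) for consecutive table entries.

    Rules encoded, as paraphrased on the slide:
      1. every '++' and '+' method for the ASIL applies;
      2. such a method may be replaced by one(s) not in the table, if a
         rationale is given that the replacement meets the requirement;
      3. a '+' method may be omitted with a rationale; a '++' method may not
         simply be omitted.
    """
    findings: List[str] = []
    for method, recs in table.items():
        rec = recs.get(asil, "o")
        if rec not in ("+", "++"):
            continue                      # no recommendation at this ASIL
        choice = choices.get(method, Choice())
        if choice.applied:
            continue                      # rule 1 satisfied
        if choice.substitute is not None:
            if not choice.rationale:      # rule 2 needs a rationale
                findings.append(f"{method} ({rec} at ASIL {asil}): substituted by "
                                f"'{choice.substitute}' without rationale")
            continue
        if rec == "+":
            if not choice.rationale:      # rule 3: omission must be argued
                findings.append(f"{method} (+ at ASIL {asil}): omitted without rationale")
            continue
        findings.append(f"{method} (++ at ASIL {asil}): highly recommended method "
                        "omitted; apply it or substitute it with a rationale")
    return findings


def example_findings() -> Dict[str, List[str]]:
    """Run the checker over two constructed sets of project choices at ASIL C."""
    compliant = {
        "M1 static analysis": Choice(applied=True),
        "M2 control flow analysis": Choice(substitute="abstract interpretation",
                                           rationale="covers the same control-flow defects"),
        "M3 formal verification": Choice(rationale="no formalisable properties in this unit"),
        "M4 code review": Choice(applied=True),
    }
    sloppy = {
        "M1 static analysis": Choice(applied=True),
        "M2 control flow analysis": Choice(substitute="abstract interpretation"),
        "M4 code review": Choice(),
    }
    return {
        "ASIL C compliant": check_methods(EXAMPLE_TABLE, "C", compliant),
        "ASIL C sloppy": check_methods(EXAMPLE_TABLE, "C", sloppy),
    }


if __name__ == "__main__":
    for label, findings in example_findings().items():
        print(label, "->", findings or "no findings")
```

The "sloppy" set shows the three ways a project fails the rule: a substitution with no rationale (M2), a recommended method silently dropped (M3, absent from the choices) and a highly recommended method dropped (M4); the "compliant" set passes because every omission or substitution carries a rationale.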
What types of vehicles are in the future scope of ISO 26262?
Now proposed to replace “series production” with “production road vehicles”
Production road vehicles = a passenger car, T&B or motorcycle whose intended use is for public highways and is not a prototype

Class of vehicle    In scope?     Status
L1/L2               Excluded
L3/L4/L5            In scope      PAS; Part 12
L6/L7               Not defined
M1                  In scope      Edition 1
M2/M3               In scope      Integration into Edition 2
N1/N2/N3            In scope      Integration into Edition 2
O1/O2/O3            In scope      Integration into Edition 2
Other categories    Not defined
Trucks and buses
Unlike motorcycles, truck and bus requirements are integrated into the main Parts of the standard, e.g.
- Some specific requirements for hazard analysis and risk assessment
o Management of variants in performing the analysis
o Integration of truck and bus examples in the tables of Annex B
- New supporting processes for
o Development of a base vehicle for an application out of scope of ISO 26262
o Integration of safety elements developed out of scope of ISO 26262
Fault tolerant time interval (three figures)
Figure, no safety mechanism implemented: timeline of normal operation, fault, hazardous event develops, hazardous event. The fault tolerant time interval runs from the fault to the hazardous event.
Figure, safety mechanism implemented: timeline of normal operation, fault (initially undetected), fault detection, transition to safe state, safe state. Diagnostic test time intervals fall within the fault detection time interval; the fault reaction time interval runs from fault detection to the safe state. The fault tolerant time interval without the safety mechanism is shown for comparison.
Figure, safety mechanism implemented with emergency operation: timeline of normal operation, fault (initially undetected), fault detection, transition to emergency operation, emergency operation, safe state. The fault reaction time interval runs from fault detection to emergency operation; the emergency operation time interval then runs until the safe state is reached.
FTTI – fundamentally the same as Edition 1
Modified definition
- Minimum time span from occurrence of a fault in an item to occurrence of
a hazardous event could occur [typo!], if a safety mechanism is not
activated
FTTI considered/defined without safety mechanisms of the item
- “Fault handling time interval” introduced to define time limits at element level
FTTI stated as an attribute of Safety Goal at item level
- See Notes in Part 1 Clause 3.58 and Part 3 Clause 6.4.4.2
Fault detection time interval (FDTI) and Fault reaction time interval (FRTI)
Fault detection time interval (FDTI)
- Time-span from the occurrence of a fault to the detection of a fault
- Determined independently of diagnostics test interval
Fault reaction time interval (FRTI)
- Time-span from the detection of a fault to reaching the safe state or to reaching emergency operation
Figure: timeline of normal operation, fault (initially undetected), fault detection, transition to safe state, safe state. Diagnostic test time intervals fall within the fault detection time interval (FDTI); the fault reaction time interval (FRTI) runs from fault detection to the safe state; the fault handling time interval is FDTI+FRTI.
Partitioning of FTTI in requirements hierarchy
FTTI at item level
FDTI and FRTI specified as part of safety concept (FSC and/or TSC)
FDTI and FRTI partitioned and allocated to system, hardware or software elements
- Verified against the parent
Requirements hierarchy (figure):
FTTI (SG) partitioned into FDTI (FSC) + FRTI (FSC)
FDTI (FSC) partitioned into FDTI (TSC SW) + FDTI (TSC HW)
FRTI (FSC) partitioned into FRTI (TSC SW) + FRTI (TSC HW)
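The “verified against the parent” step above is mechanical enough to automate. The following is an added example, not code from the presentation or the standard: it walks a budget tree shaped like the figure (FTTI at the safety goal, FDTI/FRTI in the FSC, SW/HW allocations in the TSC) and reports any allocation that does not fit its parent. The millisecond values are constructed, and the worst-case detection model for a periodic diagnostic (one full test interval plus the test’s own latency) is an assumption used to size a diagnostic test interval against an allocated FDTI, not a rule taken from the standard.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Budget:
    """One timing budget in the hierarchy (milliseconds)."""
    name: str
    limit_ms: float
    children: List["Budget"] = field(default_factory=list)


def verify_budgets(node: Budget) -> List[str]:
    """Walk the tree and report every node whose children's budgets, summed,
    exceed the node's own limit (each allocation verified against its parent).
    At the root this is the check FDTI (FSC) + FRTI (FSC) <= FTTI (SG)."""
    violations: List[str] = []
    if node.children:
        allocated = sum(c.limit_ms for c in node.children)
        if allocated > node.limit_ms:
            violations.append(f"{node.name}: children allocate {allocated:g} ms, "
                              f"limit is {node.limit_ms:g} ms")
        for child in node.children:
            violations.extend(verify_budgets(child))
    return violations


def worst_case_detection_ms(test_interval_ms: float, test_latency_ms: float) -> float:
    """Assumed worst case for a periodic diagnostic: the fault occurs just after
    a test has run, so it waits one full test interval plus the test's own
    latency before detection. The FDTI is a requirement set independently of
    this interval; this function is used to choose an interval that meets it."""
    return test_interval_ms + test_latency_ms


def max_test_interval_ms(fdti_ms: float, test_latency_ms: float) -> float:
    """Largest periodic test interval whose worst-case detection (assumption
    above) still fits inside the allocated FDTI."""
    return fdti_ms - test_latency_ms


def example_tree(sw_fdti_ms: float = 70.0) -> Budget:
    # Constructed values: 200 ms FTTI at the safety goal, split 120/80 ms in the
    # FSC, each further split between SW and HW elements in the TSC. The SW
    # FDTI is a parameter so the violating case can be produced too.
    return Budget("FTTI (SG)", 200.0, [
        Budget("FDTI (FSC)", 120.0, [
            Budget("FDTI (TSC SW)", sw_fdti_ms),
            Budget("FDTI (TSC HW)", 50.0),
        ]),
        Budget("FRTI (FSC)", 80.0, [
            Budget("FRTI (TSC SW)", 30.0),
            Budget("FRTI (TSC HW)", 50.0),
        ]),
    ])


if __name__ == "__main__":
    print(verify_budgets(example_tree()) or "all budgets fit their parents")
    print(verify_budgets(example_tree(sw_fdti_ms=90.0)))
    # A 10 ms diagnostic inside the 70 ms SW FDTI may run at most every 60 ms
    print(max_test_interval_ms(70.0, 10.0))
```

Raising the SW FDTI from 70 ms to 90 ms makes the TSC allocations (140 ms) exceed the 120 ms FSC budget, which the walk reports at the FDTI (FSC) node; the root check still passes because the FSC split of 120 + 80 fits the 200 ms FTTI.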
Functional safety management
Many “planning” activities being moved into Part 2 so that most process-related requirements are in that Part
Key new requirement to create and maintain effective communication channels between functional safety and other disciplines that are related to functional safety
- Cybersecurity is the key activity but other disciplines can also be related
New Annex showing example interfaces between functional safety and
cybersecurity
- Does not mention specific cybersecurity work products
- Some examples included in Part 4; comments on DIS to put similar content into Part 6
Revisions to confirmation reviews – now much more focussed on “assessment” style than simply a tick-box exercise
Safety case now explicitly required to be an argument
Confirmation measures – independence requirements (blank cells shown as -)
Confirmation measure                                QM   ASIL A   ASIL B   ASIL C   ASIL D
Impact analysis                                     I3   I3       I3       I3       I3
Hazard analysis                                     I3   I3       I3       I3       I3
Safety plan                                         -    I1       I1       I2       I3
Functional safety concept                           -    I1       I1       I2       I3
Technical safety concept                            -    I1       I1       I2       I3
Item integration and verification specification     -    I0       I1       I2       I2
Safety validation specification                     -    I0       I1       I2       I2
Safety analyses (FMEA, FTA, etc.)                   -    I1       I1       I2       I3
Completeness of safety case                         -    I1       I1       I2       I3
Functional safety audit                             -    I0       I0       I2       I3
Functional safety assessment                        -    I0       I1       I2       I3
Source: ISO/DIS 26262:2018 Part 2 Table 1
Requirements for T&B in Parts 2 and 8
Interfaces and integration to other standards/domains
Integration of an ISO 26262 developed item into a vehicle out of scope (Part 8 Clause 15)
- Safety goals of item/vehicle are not violated in another domain
- e.g. brake “item” developed to ISO 26262 used in agricultural equipment
Item integration with other systems/subsystems that are not developed to ISO 26262 (Part 8 Clause 16)
- e.g. subsystem supplier develops to ISO 13849
Application according to ISO 26262
Concept phase
Still some debate over meaning of “item” definition vs “function” definition
Previous proposal to include a new class E0* for a combination of rare events (e.g. an EV crashes into a lake and the HV system is exposed)
- E0* not included in DIS; instead, possibility to reduce { S3, C3, E1 } from ASIL A to QM if an additional argument is provided
Annex B tables shortened to emphasize they are examples
Product development at the hardware level
Evaluation of safety goal violations due to random hardware failures
- Probabilistic metric (PMHF / Method 1)
o Possibility to increase target values by up to one order of magnitude for items composed of multiple systems
- Previous proposal for a new “residual risk assessment method” was withdrawn
Example architectures for fault tolerant implementations
Example of PMHF budget assignment for item consisting of two systems (Annex G)
Provides an example procedure for budgeting PMHF across two systems which both contribute to the same safety goal
Considers an example item architecture with two systems
Provides an example PMHF target allocation
ISO 26262 Part 6 reference phase model (V-model figure)
Design side, top to bottom: 4-7 System design; 6-5 Initiation of product development at the software level; 6-6 Specification of software safety requirements; 6-7 Software architectural design; 6-8 Software unit design and implementation
Verification side, bottom to top: 6-9 Software unit verification; 6-10 Software integration and verification; 6-11 Testing of the embedded software; 4-8 Item integration and testing
Design phase verification is shown between successive design steps; test phase verification (software analysis and testing, software testing, item testing) links each verification step to the design step opposite it on the V
Part 6 Annexes (expanded Annex B, new Annex E)
Annex B (informative) rewritten and expanded to cover wider aspects of model-based development approaches (not only code generation)
New Annex E (informative) “Application of safety analyses and analyses of dependent failures at the software architectural level” (Figure E.1 describes the restructure of clause 6.4.1)
Supporting processes – Part 8
Clause 11 – confidence in the use of software tools
- New proposals were introduced in the CD, including a further TI level to apply to verification tools
- Agreement wasn’t reached, so the DIS reverts to the Edition 1 scheme
- This may however be revisited in a future Edition …
Clause 13 – qualification of hardware components
- New approach to defining “complexity”
- This is likely to be further developed during the DIS/FDIS phase
Confidence in the use of software tools (Clause 11)
Simplified overview of tool confidence activities
Evaluation of hardware elements (Clause 13)
Clause 13 heading changed
- From “Qualification of hardware components” to “Evaluation of hardware elements”
The objective has been expanded to include COTS hardware components/parts or custom hardware components/parts that are not developed to ISO 26262 (or do not achieve compliance with ISO 26262)
New approach to defining “complexity” in terms of Class of element
- Class I – the element has no or a few states and can be tested; all safety-related failure modes can be evaluated without detailed knowledge of the element; it has no internal safety mechanisms
- Class II – the element has a manageable state space and can be analysed; its systematic faults are documented; it has no internal safety mechanisms
- Class III – the element has a state space that is impossible to analyse; sources of systematic faults are only understood with detailed knowledge of development/production; the element has internal safety mechanisms
Semiconductors
Common topics
• Intellectual property
• Base failure rate estimation
• Semiconductor dependent failures analysis
• Fault injection
• Production and operation
• Interfaces within distributed developments
• Confirmation measures and functional safety audit
• Clarification of hardware integration and testing
Specific semiconductor technologies and use cases
• Digital components and memories
• Analogue/mixed signal components
• Programmable logic devices
• Multi-core components
• Sensors and transducers
Motorcycles
Part 12 contains requirements for
- Functional safety management (concept phase and product development)
o Maximum I2 independence
o Reference to cybersecurity removed; several national comments on the DIS object to this
- Hazard analysis and risk assessment
o Use of MSILs
o Example tables
Chapters from the PAS on vehicle integration and testing and on safety validation have been re-included in Part 12 as at DIS version
UK has argued for deeper integration but this has been rejected by the motorcycle lobby
What are the challenges we perceive?
Differing approaches to interpreting and applying the standard still exist globally
Discussions on cybersecurity highlight the narrow focus of ISO 26262 compared to system safety and wider issues of system dependability
Some issues associated with autonomous vehicles have been acknowledged, but it is unlikely the standard will fully address autonomy in the timescales being discussed for their deployment
- Availability requirements and SOTIF are a start however …
Vision for 2025 (personal opinion!)
- Edition 3 of ISO 26262?
- Majority of cars on the road will have at least one SAE Level 1 (or above)
application
- Level 3+ systems will become more prevalent along with new entrants /
new modes
Conclusions
ISO 26262 is already well established as the “state of the art” in development of automotive safety-related systems
Still some variance in actual practice
Edition 2 is under preparation, addressing some of the issues in application of Edition 1 and future trends
Further work remains to be done, particularly addressing wider issues, for example
- System assurance
- Highly automated vehicles
Contact details
HORIBA MIRA Ltd
Watling Street,
Nuneaton, Warwickshire,
CV10 0TU, UK
T: (024) 7635 5000
F: (024) 7635 8000
www.horiba-mira.com
Dr David Ward MA (Cantab), PhD, CEng, CPhys, MInstP, MIEEE, MSAE
Senior Technical Manager, Functional Safety
Direct T: (024) 7635 5430