Background
Hazard Analysis
Risk reduction
61508 Safety Lifecycle
• 61508 introduces an explicit safety lifecycle
– Basic structure reappears in modified form in 26262
• Important principles include:
– Hazard and risk analysis with safety requirements produced
– Three types of risk reduction (only 1 in scope)
– Phases for operation and disposal
Lifecycle 61508
• The 61508 safety lifecycle does not align well with the typical product development processes followed by automotive manufacturers and their suppliers
– This is due to its heritage in industrial process control
• 61508 is aimed at low-volume systems
– Generally the system is built and tested, then installed on the plant, and then safety validation is performed
– There is independent safety assessment throughout the lifecycle
Automotive Lifecycles
• The automotive industry is a mass-market, high-volume industry
• Safety validation is performed before (series) production – not after, as in 61508
– Makes sense, because of the high volume
• Since there is no concept of “series production” in 61508, it is not covered at all in that standard
– whereas 26262 does address requirements for production
[Figure: lifecycle comparison. Industry processes, 61508 based: Design / Production / Validation. Automotive industries, 26262 based: Design / Mass Production / Validation]
Comparison
61508 constraints
• Safety functions are a central concept in 61508
– It is important to understand the concept, partly in order to understand why they are not used in 26262
• Safety functions are what needs to be done in order to achieve the required level of safety
• Some safety functions are “on demand” or “low demand”
– Usually found in protection systems that are separate from the EUC control system
• Some safety functions are “high demand” or “continuous”
– Usually found within the EUC control system
• In general, safety functions are not found within the EUC itself
– The EUC itself contains just the “normal” functionality
[Figure: Normal Functions vs. Safety Functions]
Automotive Safety?
Is ABS a safety function?
• Consider an Anti-Lock Brake System (ABS)
• 61508 has stated that ABS is an example of an on-demand protection system
– But in reality the functioning of ABS on a modern vehicle is closely bound to the operation of the powertrain itself
• It implements not only ABS but also a variety of stability control functions
– Therefore it performs both “safety” and “normal” functions
Source: http://protoncar.files.wordpress.com/2010/11/abspump.jpg
61508 Requirements about Safety
• Hazard analysis produces safety function requirements
– The functions the system must perform to achieve safe operation
• Risk assessment produces safety integrity requirements
– The likelihood of a safety function being performed satisfactorily
The 61508 Safety Ranking
• 61508 introduced a concept of Safety Integrity Levels (SILs) that are associated with Safety Integrity Requirements
– A modified version reappears in 26262 as Automotive Safety Integrity Levels
• Safety Integrity Levels do not apply to systems in 61508
– They apply to safety functions!
• But we have seen that in the automotive industry it is difficult to separate safety functions from “normal” functions
– In fact, practitioners in the automotive industry tend implicitly to allocate SILs to systems rather than functions for that reason
Picture Source: http://www.drucksensor-knowhow.de/wp-content/uploads/2010/04/WIKA-SIL-Logo_20091-e1271422726980.jpg
Probabilistics
Problems with Probabilistics
• Because of the probabilistic approach to SILs in 61508, a myth has arisen: “Only quantitative risk assessment (e.g. demonstration of a failure rate) can be applied”
– In fact, the standard recognizes and allows both quantitative and qualitative risk assessment
• However, because SILs are stated in probabilistic terms, in practice there is a tendency to use these probabilities as risk reduction requirements / targets
• The Automotive SIL in 26262 has no such probabilistic implications
61508 metrics
• 61508 specifies required techniques and measures to be applied at the different safety integrity levels
– 26262 inherits this idea
• These techniques and measures are specific and prescriptive
– Many of them are only applicable to the process control sector
– Conversely, many techniques in commonplace use in the automotive sector are not mentioned
26262 metrics
• In contrast to 61508, the 26262 standard recommends methods and measures based on automotive practices
– Example: model based development with code generation
• Where possible, these methods and measures have been stated as a goal rather than a specific, prescriptive practice
61508 and Supply chain
• 61508 has an implicit assumption that the system will be designed and implemented by one organization
– It does not address the supply chain structure commonly found in the automotive industry
– Automotive systems are generally produced by one or more suppliers of the customer: OEM, Tier-1, etc.
• 26262 includes specific requirements for managing development across multiple organizations
– Example: Development Interface Agreement (DIA)
HMI (Human Interface)
• Due to its origins in industrial process control, 61508 actually has a narrower focus than 26262!
• 26262 must deal with a wider range of issues, because human beings (the drivers, passengers, pedestrians) are an integral part of the overall automotive system and environment
– E.g. “Controllability” concept
Normative status
• IEC 61508 has the following parts:
– Part 1: General requirements
– Part 2: Requirements for E/E/PE safety-related systems
– Part 3: Software requirements
– Part 4: Definitions and abbreviations
– Part 5: Examples of methods for the determination of safety integrity levels
– Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
– Part 7: Overview of techniques and measures
• Contrary to popular myth, only the first four parts are normative!
– The other three parts are only informative
– In particular, Part 5 on hazard classification is only informative
• In 26262, the requirements on hazard classification are normative
– That is important for the concrete application of the standard
Classifications
• The lack of normative requirements on hazard classification in 61508 can lead to problematic situations
• Use of the two different standards 61508 and 26262 often leads to different SIL classifications!
• Indeed there is no perfect mapping between the 61508 SIL and the 26262 ASIL
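The slides make three related points that a worked calculation shows more concretely: 61508 distinguishes low-demand from high-demand/continuous safety functions, its SILs are stated as probabilistic targets (PFDavg or PFH bands), and the 26262 ASIL is derived qualitatively from severity, exposure and controllability, so a SIL and an ASIL are not on the same axis and cannot be mapped one-to-one. The following Python is an added example written for this page, not material from the slides or their author. The SIL bands are the ones in IEC 61508-1 Tables 2 and 3, the PFDavg expression is the simplified single-channel (1oo1) approximation from IEC 61508-6, and the ASIL table is ISO 26262-3 Table 4 as recalled by the editor; the failure rate and proof-test interval used as input are constructed sample values, not figures from any real system.

```python
"""Contrast 61508 probabilistic SIL targets with the qualitative 26262 ASIL.

Added example for this page; not the slides' own material.
Assumptions (stated in the lead-in): SIL bands from IEC 61508-1 Tables 2/3,
PFDavg ~ lambda_DU * T1 / 2 (1oo1 approximation, IEC 61508-6),
ASIL table from ISO 26262-3 Table 4 as recalled by the editor.
"""

# Low-demand mode (e.g. a separate protection system): the target is the
# average probability of failure on demand, PFDavg.  (SIL, lower, upper)
SIL_LOW_DEMAND = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# High-demand / continuous mode (e.g. inside the EUC control loop): the
# target is the probability of dangerous failure per hour, PFH.
SIL_HIGH_DEMAND = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours):
    """Simplified PFDavg of a single channel with dangerous undetected
    failure rate lambda_DU and proof-test interval T1 (IEC 61508-6)."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def sil_from_target(value, mode):
    """Return the SIL (1..4) whose band contains the achieved value.

    mode is "low" (value is PFDavg) or "high" (value is PFH per hour).
    A value at or above the SIL 1 upper bound returns 0: the function does not
    reach SIL 1.  61508 defines no level above SIL 4, so a value below the
    SIL 4 floor is reported as SIL 4.
    """
    bands = SIL_LOW_DEMAND if mode == "low" else SIL_HIGH_DEMAND
    if value >= bands[-1][2]:
        return 0
    for sil, lower, upper in bands:
        if lower <= value < upper:
            return sil
    return 4


# ISO 26262-3 Table 4 (editor's recollection): rows by severity S1..S3 and
# exposure E1..E4; each entry lists the ASIL for controllability C1, C2, C3.
ASIL_TABLE = {
    "S1": {"E1": "QM QM QM", "E2": "QM QM QM", "E3": "QM QM A", "E4": "QM A B"},
    "S2": {"E1": "QM QM QM", "E2": "QM QM A", "E3": "QM A B", "E4": "A B C"},
    "S3": {"E1": "QM QM A", "E2": "QM A B", "E3": "A B C", "E4": "B C D"},
}


def asil(severity, exposure, controllability):
    """Qualitative ASIL from S, E and C classes; no failure rate involved.
    S0, E0 or C0 means no safety requirement (QM)."""
    if severity == "S0" or exposure == "E0" or controllability == "C0":
        return "QM"
    row = ASIL_TABLE[severity][exposure].split()
    return row[int(controllability[1]) - 1]


def worked_comparison():
    """One hazard assessed both ways.  The two results share no common scale."""
    # Constructed sample inputs: lambda_DU = 2e-7 / h, yearly proof test.
    pfd = pfd_avg_1oo1(2e-7, 8760)            # 8.76e-4
    sil_low = sil_from_target(pfd, "low")     # SIL 3 band: 1e-4 <= pfd < 1e-3
    # Same failure rate judged as a continuous function: 2e-7 / h is PFH.
    sil_high = sil_from_target(2e-7, "high")  # SIL 2 band: 1e-7 <= PFH < 1e-6
    # 26262 view of a comparable hazard: severe, frequent, hard to control.
    asil_level = asil("S3", "E4", "C3")       # ASIL D
    return {"pfd_avg": pfd, "sil_low_demand": sil_low,
            "sil_high_demand": sil_high, "asil": asil_level}


if __name__ == "__main__":
    for key, value in worked_comparison().items():
        print(f"{key}: {value}")
```

The same dangerous failure rate lands in different SIL bands depending only on whether the function is treated as low-demand (PFDavg over a proof-test interval) or continuous (PFH), which is the practical consequence of the "on demand" versus "continuous" distinction; the ASIL, by contrast, is fixed by the S/E/C judgement and never consults a rate, which is why a table converting SIL to ASIL or back cannot be exact.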
Conclusion
26262 Features
• Introduces a concrete safety lifecycle
• Introduces the concept of Safety Integrity Levels
• Permits both quantitative and qualitative risk assessment
• Independent safety assessment follows the entire lifecycle
• Generic with respect to any discipline
• Introduces measures and techniques for risk reduction
61508 Issues
• Safety lifecycle does not align well with typical automotive lifecycle
• No concept of supply chain
• No treatment of human factors concepts such as controllability
• Techniques and measures are not specific to automotive domain
• Techniques and measures in automotive domain are missing
• Safety functions are rarely separable from normal functions in automotive systems
Contact
• Fred Kaminski
• Leopoldstrasse 12
• 16548 Glienicke
• Phone: +49 33056 92031
• Fax: +49 33056 92032
• Cell: +49 171 7808084 (preferred)
• www.collossus.eu