ISO 26262 introduction

Copyright exida LLC ® 2000-2012

Singapore +65 6222 5160 Shanghai +86 21 5171 7250Hong Kong +852 2633 7727Germany +49 89 4900 0547USA +1 215 453 1720Switzerland +41 22 364 14 34

Canada +1 403 475 1943United Kingdom +44 2476 456 195Netherlands +31 318 414 505Australia / NZL +64 3 472 7707Mexico +52 55 5611 9858South Africa +27 31 267 1564

exida Contacts

ISO 26262 IntroductionSingapore, 17 October 2012

Koen Leekens

mailto:[email protected]


On the Agenda

ISO 26262 and the Challengesexida Expertise


Safety is Only as Strong as its Weakest Link

exida


Electronics???

Once upon a time…


Many years later…

Anti-Blocking System

Electronic Stability Program Lane Departure Warning

Steering Lock

Reverse Sensors

Backup Camera

Adaptive Cruise Control

Tire Pressure Monitoring

Deflation Detection System

Traction Control System

Infrared Night Vision

Adaptive Headlights

Emergency Brake Assistance

Corner Brake Control

Pre-Crash System

Automatic Steering

AirbagAutomatic Gearbox ControlAutomated Parking SystemAutomatic Collision Notification

Traffic Sign Recognition


Some Fatality Numbers

Fatalities decreasing too Slow in EuropeFatalities stable but too High in US


Many years later…

Anti-Blocking System

Electronic Stability Program Lane Departure Warning

Steering Lock

Reverse Sensors

Backup Camera

Adaptive Cruise Control

Tire Pressure Monitoring

Deflation Detection System

Traction Control System

Infrared Night Vision

Adaptive Headlights

Emergency Brake Assistance

Corner Brake Control

Pre-Crash System

Automatic Steering

AirbagAutomatic Gearbox ControlAutomated Parking SystemAutomatic Collision Notification

Traffic Sign Recognition

“Actively” function to achieveSafe State


What is…?

Functional Safety

ISO 26262: Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems

IEC 61508: Part of the overall safety related to the equipment under control (EUC) that depends on the correct functioning of the safety-related system


Why Functional Safety Standards?

BECAUSE…


Why Functional Safety?

BECAUSE…

ELECTRONICS CAN FAIL !!!

Are you Able to Provide the EVIDENCE

that Risks have been Minimized?


Which Standard to Follow?

IEC 61508Functional Safety for E/E/PES Safety Related Systems


ISO 26262 Adaptation of IEC 61508


Why not ideal for Automotive Industry ?


Basic Standard for Functional Safety


Generic “High Level” StandardRoots in Process IndustryAssumes One Company does EverythingNot Designed for the Distributed Development

Why not Ideal for Automotive Industry ?


ISO 26262 Adaptation of IEC 61508


IEC 61513Nuclear

IEC 61511Process Industry

ISO 26262Road Vehicles

IEC 62061Machinery

ISO 13849-1 Machine Safety

ISO 25119Tractors…

ISO 26262 is “State of the Art” For Automotive Developed with OEM


How E/E Systems Fail?

Random Failures: “Usually a permanent or transient failure due to a system component loss of functionality –hardware related

Systematic Failures: “Usually due to a design fault, wrong specification, not fit for purpose , error in software program, ...


Technical Safety MeasuresProcess – Methods - Organization

ISO 26262 Principles

ISO 26262 Functional Safety Principles

Avoidance of Faults Control of Failures

Avoid Systematic Faults Control of Systematic Failures

Control of Random Failures

In OperationBefore Delivery


Technical Safety MeasuresProcess – Methods - Organization

ISO 26262 Principles

ISO 26262 Functional Safety Principles

Avoidance of Faults Control of Failures

Avoid Systematic Faults Control of Systematic Failures

Control of Random Failures

In OperationBefore Delivery

Implement Correctly

Detect and React


Driver Controllability(and Usability)

OtherTechnologies

ExternalMeasures

Back to appropriate lifecycle phase

Planning of Production7.4

Planning of Operation, Service and Decom.7.5

Product DevelopmentSystem

4

Hard- ware5 Soft-

ware6

Release for SOP4.11

Concept of Functional Safety3.7

Production7.4

Operation, Service and Decommissioning7.5

conc

ept p

hase

prod

uct

deve

lopm

ent

afte

r SO

PManagement of Functional Safety2.4 – 2.6

Supporting Processes8.4 – 8.15

Functional Safety Concept3.8

Hazard Analysis and Risk Assessment3.7

Initiation of Safety Life Cycle3.6

Item definition3.5

ISO 26262 follows a Safety LifeCycle

Risk Based Approach


> 100 Work Products

Work Products

Exida Templates


ISO 26262 Structure


ISO 26262 Structure

Vocabulary


Vocabulary is important

English is not English– English – American - KorEnglish – GerEnglish – Singlish…

English is not ISO/IEC – Validation – Verification – Confirmation– Fault – Failure – Error

Different Standard – Different Terminology– Safety Requirement in ISO 26262 vs IEC 61511


ISO 26262 StructureFunctional Safety Management


Overall Requirements for the Organization– Specific Organizational Rules– Competence – Quality

Requirements for Phases– Roles and Responsibilities– Functional Safety Plan– Progression– Safety Case– Confirmation Measures

Management of Functional Safety

Plan – Coordinate - Track


4 Functional Safety Management ................................................................................. 8 4.2 Project Organization ................................................................................................... 8 4.3 Roles and Role Descriptions ...................................................................................... 9 4.5 Team Competence ....................................................................................................14

5 Safety Life Cycle ...................................................................................................... 16 5.2 Scheduling of the safety lifecycle activities ................................................................21 5.3 Concept Phase..........................................................................................................21 5.4 Product development on system level .......................................................................26

5.4.1 Initiation of System Product Development ......................................................26 5.4.2 Specification of Technical Safety Requirements .............................................28 5.4.3 System Design ...............................................................................................30 5.4.4 Item Integration and Testing ...........................................................................33 5.4.5 Safety Validation .............................................................................................34 5.4.6 Functional Safety Assessment ........................................................................36 5.4.7 Release for Production ...................................................................................36

5.5 Product development HW level .................................................................................38 5.5.1 Initiation of HW product development .............................................................38 5.5.2 Specification of HW safety requirements ........................................................39 5.5.3 HW design ......................................................................................................41 5.5.4 HW architectural metrics .................................................................................43 5.5.5 Evaluation of safety goal violation due to random HW faults ...........................44 5.5.6 HW integration and testing..............................................................................45

5.6 Product development SW level .................................................................................46 5.6.1 Initiation of SW product development .............................................................46 5.6.2 Specification of SW safety requirements .........................................................49 5.6.3 SW Architecture design ..................................................................................51 5.6.4 SW Unit design and implementation ...............................................................55 5.6.5 SW Unit testing ...............................................................................................57 5.6.6 SW integration and testing ..............................................................................58 5.6.7 Verification of SW safety requirements ...........................................................59

6 Production and Operation ........................................................................................ 61

7 Supporting Processes .............................................................................................. 66 7.1 Interfaces within distributed development ..................................................................66 7.2 Specification and management of safety requirements .............................................69 7.3 Configuration management .......................................................................................70 7.4 Change management ................................................................................................70 7.5 Verification ................................................................................................................72 7.7 Qualification of SW tools ...........................................................................................75 7.11 Safety Case ..............................................................................................................79

8 Cross Reference between Project Documentation and ISO 26262 Work Products . 81

11 Annex A: Status of the Team Competence .............................................................. 84

4 Functional Safety Management ................................................................................. 8 4.2 Project Organization ................................................................................................... 8 4.3 Roles and Role Descriptions ...................................................................................... 9 4.5 Team Competence ....................................................................................................14

5 Safety Life Cycle ...................................................................................................... 16 5.2 Scheduling of the safety lifecycle activities ................................................................21 5.3 Concept Phase..........................................................................................................21 5.4 Product development on system level .......................................................................26

5.4.1 Initiation of System Product Development ......................................................26 5.4.2 Specification of Technical Safety Requirements .............................................28 5.4.3 System Design ...............................................................................................30 5.4.4 Item Integration and Testing ...........................................................................33 5.4.5 Safety Validation .............................................................................................34 5.4.6 Functional Safety Assessment ........................................................................36 5.4.7 Release for Production ...................................................................................36

5.5 Product development HW level .................................................................................38 5.5.1 Initiation of HW product development .............................................................38 5.5.2 Specification of HW safety requirements ........................................................39 5.5.3 HW design ......................................................................................................41 5.5.4 HW architectural metrics .................................................................................43 5.5.5 Evaluation of safety goal violation due to random HW faults ...........................44 5.5.6 HW integration and testing..............................................................................45

5.6 Product development SW level .................................................................................46 5.6.1 Initiation of SW product development .............................................................46 5.6.2 Specification of SW safety requirements .........................................................49 5.6.3 SW Architecture design ..................................................................................51 5.6.4 SW Unit design and implementation ...............................................................55 5.6.5 SW Unit testing ...............................................................................................57 5.6.6 SW integration and testing ..............................................................................58 5.6.7 Verification of SW safety requirements ...........................................................59

6 Production and Operation ........................................................................................ 61

7 Supporting Processes .............................................................................................. 66 7.1 Interfaces within distributed development ..................................................................66 7.2 Specification and management of safety requirements .............................................69 7.3 Configuration management .......................................................................................70 7.4 Change management ................................................................................................70 7.5 Verification ................................................................................................................72 7.7 Qualification of SW tools ...........................................................................................75 7.11 Safety Case ..............................................................................................................79

8 Cross Reference between Project Documentation and ISO 26262 Work Products . 81

11 Annex A: Status of the Team Competence .............................................................. 84

Functional Safety Plan

Exida Template


Management of Functional Safety

Safety Case

A clear,comprehensive and defensible argument

that a system is acceptably safe to operatein a particular context.

(Tim Kelly / Rob Weawer University of York)


ISO 26262 Structure

Concept


Concept Phase

OEM Defines Item > ESCL Initiation of Safety LifecycleHazard Analyses and Risk Assessment Functional Safety Concept

Prevent use by unauthorized person by mechanical lock


Concept Phase

OEM Defines Item > ESCL Initiation of Safety Lifecycle > New Hazard Analyses and Risk Assessment Functional Safety Concept

Integration TestConfiguration Control

Regression testing

ModificationsVersion Control

Problem Analysis

Change ControlBoardChange Control

Board

Change Request

Decide on lifecyclere-entry point

Newrelease

Productization

Modified product - hardware & softwareUser documentation incl.changed product safety propertiesAssociated development & test doc.Release history

Safety AlertRecall

Documentsyellow: newgreen: update existing

Legend

Safety Case

Database entriesyellow: newgreen: update existing

Problem Report FunctionalEnhancement

Request

Update RegressionTest Suite

Modification ProposalSafety CriticalityAffected Modules

Stop

System Test

Module Test

Update Safety Case& Probability Model

Impact Analysis

Exida Modification

Process


Concept Phase

OEM Defines Item > ESCL Initiation of safety Lifecycle > New Hazard Analyses and Risk Assessment Functional Safety Concept

What Can Go Wrong?> Steering locks when driving


Concept Phase


SG No. HRA Reg Safety Goal ASIL Safe State

SG1 ESCL_001 Unintended locking of ESCL while vehicle is moving shall be avoided ? Unlocked

ESCL

SAFETY GOAL Avoid a Dangerous

Situation


Concept Phase


How “Risky” is that?> Need ASILD


Consequence – Likelihood

Moderation Always with OEM


Concept Phase

Functionality to meet

SAFETY GOAL…

OEM Defines Item > ESCL Initiation of safety Lifecycle > New Hazard Analyses and Risk Assessment > ASILD Functional Safety Concept


Concept Phase

ASIL DVehicle Speed

Server

ASIL DSG1

ASIL DSteering Column

Lock

Vehicle speedASIL D

Lock SequenceASIL D

Unlock Steering Column when Vehicle is moving

OEM Defines Item > ESCL Initiation of safety Lifecycle > New Hazard Analyses and Risk Assessment > ASILD Functional Safety Concept


ISO 26262 Structure

System Level Development


Objectives TSC and System-Design– Requirements allocation – Specification of Safety Measures– Integration– Validation

Functional Safety Concept

Technical Safety Concept

System Design

HW Design SW Design

Concept Phase

Product Development

Product Development System Level

INTEGRITY


Product Development System Level


ISO 26262 Structure

HSI


ISO 26262 Structure

HW Level Development


Product Development Hardware Level

ASIL B ASIL C ASIL D

Single point faults metric

≥ 90 %+

≥ 97 %++

≥ 99 %++

Latent faults metric

≥ 60 %+

≥ 80 %+

≥ 90 %++

5.8 Architectural

ASIL Random hardware failure target values

D < 10-8 h-1

C < 10-7 h-1

B < 10-7 h-1

5.9 Random


Dual Core versus 2 µC Solution

Optimized Vehicle + Safety FeaturesAURIX covers Random HW Fault issues

Focus Mainly on Application

ALURAMReg

ALURAMReg

I/O

Flash

Voter

I/O

I/O I/O

I/O

I/OµC1

µC2

2x SW Development,Communication, Testing, PCB Space, Justification,

Supply voltage,


ISO 26262 Structure

SW Level Development


Product Development Software Level

System Validation

Software Validation

Test

Verification during Design

Test

E/E System-Design

Software Safety Requirements

E/E System Integration

Software Architecture and Design

Software Implementation Software Unit Test

Software Integration and Test

Software Safety Validation

Test

Pha

ses

Design Phases



Scop

eof

Par

t 6

Scopeof Part 6

Scopeof Part 4

Scop

eof

Par

t 4


ISO 26262 Structure

Production Operation


ISO 26262 Structure

Supporting Processes


Interfaces within Distributed Developments (DIA)Specification and Management of RequirementsConfiguration ManagementChange ManagementVerificationDocumentationConfidence of Use in SW ToolsQualification of HW/SW ComponentsProven in Use Arguments

Supporting Processes

Other Partsreference

“Supporting Processes”


ISO 26262 Structure

Safety Analyses


Safety Analyses

Decomposition ASIL TailoringCriteria for CoexistenceDependent Failure AnalysisSafety Analyses


H&R FMEA

SWCA

FMEA

FMEDAHAZAN

FTA

SCA

H&R: Hazard & RiskSCA: System CriticalityFTA: Fault TreeFMEA: Failure Mode Effect FMEDA: FMEA with DiagnosticsSWCA: SW-CriticalityHAZAN: Hazard Analysis

Where are Safety Analyses in ISO?


SafetyCaseDB Requirements and Safety Case Management and ISO 26262 knowledgebaseSILCal FMEDA Component FMEA with integrated Failure Mode DatabaseSILCap Safety Criticality Analysis, System FMEA and S/W-HAZOP

exida Tools for Automotive

Tool-Based Design Support


ISO 26262 Structure

Guideline


ISO 26262: If you did it well…

You are Able to Show:– Completeness:

Everything accounted for Requirements under Control Everything tested – pass Used the toolsets

– Traceability: Structured Process Model Documents linked Evidence for Everything Understandable for external

– Consistency This is visible for external

auditor even when projectmembers have left

– Documentation: All activities planned Execution documented in SC Inspected - Archived For a life-time (15year?)


ISO 26262: If you did it well…

You are Able to Show:– Completeness:

Everything accounted for Requirements under Control Everything tested – pass Used the toolsets

– Traceability: Structured Process Model Documents linked Evidence for Everything Understandable for external

– Consistency This is visible for external

auditor even when projectmembers have left

– Documentation: All activities planned Execution documented in SC Inspected - Archived For a life-time (15year?)

A clear,comprehensive and defensible argument

that a system is acceptably safe to operatein a particular context.

(Tim Kelly / Rob Weawer University of York)


On the Agenda

ISO 26262 and the Challengesexida Expertise


Who we are

Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV SÜDToday: LARGEST Functional Safety and Cyber Security consultancy and certification body worldwide

“Provide independent services and tools to help customers comply to any industry standards for Functional Safety, Cyber

Security and Alarm Management”

Rainer FallerFormer Head of TÜV Product ServicesChairman German IEC 61508Intervener ISO 26262 / IEC 61508Co-Authored IEC 61508 partsAuthor of several Safety Publications

Dr. William GobleFormer Director Moore IndustriesDeveloped FMEDA Technique (PhD) Author of several Safety BooksAuthor of several Reliability Books


What we do

EXIDA SCOPE

Functional Safety

Cyber Security

Alarm Management

SERVICES Tools

Training

Consultancy

Certification

Reference Materials

INDUSTRIESProcess Industry

Automotive

Machine Industry

Power Industry

Rail

End Users

Equipment Manufacturer

Car Manufacturer

System Integrators

CUSTOMERS

Reliability


Services

Automotive Customers (extract)

Tools IC‘s


exida Development Support Services

Setting up Functional Safety Management / Act as FSM Coordinator

Safety System Development and Design support– Requirements Management & Engineering (SafetyCaseDB + Doors® incl. Setup)– Safety Concept development and documentation (also pre-existing systems)– Tool based Safety Criticality Analysis (SILCap)– Hardware design support Tool based FMEA and Quantitative FMEDA– Software design support UML design Tool based Software HAZOP/FMEA

(SILCap)

Tool based Safety Case development– IEC/ISO knowledgebase– Document templates per development phase:

FSM plan, SRS, Safety concept, Test plans

Tool-based Safety Verification of Automotive Applications


exida Certification S.A. – Clean separation from the exida Consulting business– English language based assessment and certification system– International alternative to TÜV

Open exida Certification Scheme– IEC 61508 and ISO 26262 compliant using exida Safety Case

methodology (SafetyCaseDB) and audits– Assessment Process and Requirements Publicly available

exida Certifications


Safety and Standards Advisor– Questions, advice– Interpretation of standards

Moderator and Participant– FMEDA, Dependent Failure Analysis– Software analysis– Project Bottlenecks

Participant (joint activities)– Write development documents and procedures– Help with test specification, FIT, safety validation

Be your “Lawyer” vs. the Assessment Body– Argue your safety case– Manage all activities with the assessor

exida Certification S.A. – the Assessment Body

One or more Roles

exida is Part of your Team


Steering (Active Front Steering, Electronic Power Steering)

Gearbox

Driver assistance (e.g. ACC, ESP)

Body control

H2 Clean-Energy

Battery monitoring

Software platforms (AUTOSAR, communication, hardware drivers, self-tests)

Safety IC Assessment support (µC, system chips)

Automotive Projects (extract)

ISO 26262 introduction

Automotive

sw product

hw product

safety lifecycle

risk assessment

sw safety

random hw

hw safety

systematic