Introduction To Functional Safety KDG Seminar 20130424 Handout

Introduction to functional safety
Marc Van Vlimmeren Flanders DRIVE April 24th, 2013
Agenda
Introduction to Flanders DRIVE Introduction to functional safety Overview of functional safety standards and regulations ISO 26262 for safety-related automotive E/E development

Scope Parts of t e standard Safety lifecycle !ore safety engineering processes "#-model$
System and environment description %a&ard analysis and ris' assessment (unctional safety concept %ardware )evelopment Software )evelopment
*uestions
2012 Flanders DRIVE all rights reserved
(landers+ ),I#E
,esearc institute for t e ve icle and mo-ility industry developing and presenting tec nological solutions in t e following ,.) domains/
Open innovation approac driven -y t e industry %ig -tec Infrastructure for ve icle0 system and component testing 1ide international networ' of 234 partners
Page 5
6ocated in an inspiring environment
Page 7
8road partners ip wit in t e ve icle and mo-ility industry
Page 9
Safety related ,.) pro:ects
Page 6
Agenda
Introduction to (landers; ),I#E Introduction to functional safety Overview of functional safety standards and regulations ISO 26262 for safety-related automotive E/E development

*uestions
<otivation for safety standards

Upcoming desire for safety standards during industrialization
1771: first motorized car accident due to brake failure with first steam car (France)
1800-1839: 69 boiler explosions, 160 fatalities (Great-Brittain) 1884: Blast Furnace Friedrichshtte, 12 fatalities (Silesia)
<ore modern e=amples

Medical Therac 25 Software kills several patients by radiation overdoses (USA, 1985) Railways Accident due to missing automatic braking / ignored safety recommendations. 31 fatalities, inquiries, restructuring (UK, 2000) Aviation Unintentional deployment of jet ejector seat. 1 fatality (J) Automotive Ghost car. Car starts burning, driver removed ignition key and left Then, the car starts and drives away (without key/driver) and crashes into another car. (March 2009)
,ecalls at ig level
2000: Accidents due to detachment of Bridgestone tyre tread Worldwide 700 injured and 203 dead Recall more than 14 million tyres Costs 1.3 billion USD In addition: actions for damages Toyota recently had to recall nine million cars back to the garage because of problems with the accelerator and brake. And more often, this kind of problems have a root cause in mechatronic and software components.
Break by wire example: 30 million USD

(American Auto press, June 1, 2004)
Possible damage to companies: invaluable!
Overview of functional safety

Software error
E/E systems System failure
,andom ardware failure
%arm
Source: Micha Lesemann, eVALUE Final Event
!oncept
)evelopment
Production
<aintenance0 service0 repair
Source: Simon Brewerton, Infineon
,ecycling
Systematic development approach to minimize the risk of system failures resulting into harm
)efinition of functional safety

Safety is the freedom from unreasonable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of hazards caused by damage to property or to the environment.
E tent of E!E "ystem
!ommunications
E/E/PE device
Input devices "e>g> sensors$ Output devices "e>g> actuators$
Functional safety is part of the overall safety that depends on electric, electronic or programmable electronic systems (E/E systems) operating correctly in response to its inputs. E/E systems include power supplies, sensors and other input devices, communication networks, actuators and other output devices.
Unreasonable risk: unacceptable adverse effects on humans or to the environment taking into account its economic, environmental, medical and social benefits and costs. Hazard: potential source of harm. The term includes danger to persons arising within a short time scale (eg. fire, explosion) and also those that have a long term effect (eg. release of toxic substance).
)ifferent types of safety
#assive "afety
features t at elp reduce t e effects of an accident
Active "afety
systems t at use an understanding of t e state of t e ve icle to -ot avoid and minimise t$e effects of an accident>
Functional "afety
Ensures correct functioning of t e E/E systems "including active safety related systems$
Possi-le causes for incorrect functioning of E/E systems

Incorrect specifications of t e system0 ardware and/or software Omissions in t e safety re?uirements specification ,andom ardware failure mec anisms "tin w is'er$ Systematic ardware failure mec anisms Software errors !ommon cause failures Environmental influences

Element A
Failure A
Fault % Root cause Element &
Electromagnetic temperature mec anical p enomena
Failure &
Supply system voltage distur-ances

Fault '
loss of supply reduced voltages re-connection of supply

Common cause failures
A fault in an active suspension leading to a safety critical situation.
8ut it+s not all a-out tec nology@

(alse assumption
ASafety is a ?uestion of tec nologyB
,eality
C e greater t e comple=ity of a tec nical system0 t e more stringent t e re?uirements to -e met -y management@
Prof> %artwig (Safety engineering, Univ. Wuppertal)

A<ainly safety management deficiencies lie -e ind accidentsB
AC e effective answer to most safety pro-lems is a compre$ensive safety cultureB
E=amples of poor safety management

2DE6/ e=plosion of t e c allenger0 3 fatalities !ause was a sealing ring of a fuel tan' Pro-lem was 'nown since D years and an engineer ad warned for t e possi-ility of suc a catastrop e (ypical causes of accidents Organi&ational deficits 8ad communication Poor ris' management Poor management of safety concerns <issing e=perience <issing training Overly ig tec nology trust 1eig t of AcontrollersB decisions "cost of safety$
Agenda
Introduction to (landers; ),I#E Introduction to functional safety )verview of functional safety standards and regulations ISO 26262 for safety-related automotive E/E development

System and environment description %a&ard analysis and ris' assessment (unctional safety concept
*uestions
Overview of functional safety standards and regulations

Functional safety standards
Basis for Quality Management
Quality standards
*eneric IE! 6294E
ISO D442/244E ISO CS 26D7D
)n+,ig$way ISO 26262
(QM)
Agriculture ISO 2922D Mac$inery ISO 25E7D
Systems engineering
Process improvement & assessment models
Mac$inery IE! 62462 Eart$ moving mac$ines ISO 29DDE

++SAFE v1.2
EF targets for road safety

The introduction of standards has a positive impact on the reduction of EU fatalities.
ISO D442
Gwaliteitsmanagement
IE! 6294E
(unctionele veilig eid "generie'$
ISO 676D
#eilig eid electrisc e voertuigen
ISO CS 26D7D
!ontinu ver-eteren0 voor'omen van defecten0 H
ISO 26262
Automotive standaard functionele veilig eid
,e?uired standards to follow -y manufacturer
SSC
!onsidered necessary
State of Science and Cec nology State of t e Art
Increasing degree of o-ligation
SOCA I") '-'-' IA,C IE. -%/01 ,egulations
State of Practice Ienerally Accepted ,ules of Cec nology e>g> E!E ,25
6aws / directives
e>g> <ac ine )irective

Source: TV NORD Mobilitt
Agenda
Introduction to (landers; ),I#E Introduction to functional safety Overview of functional safety standards and regulations I") '-'-' for safety+related automotive E!E development

*uestions
Scope of ISO 26262

This International Standard is applicable to safety-related systems that include one or more E/E systems and that are installed in series production passenger cars with a maximum gross weight up to 3500 kg. ISO 26262 does not address unique E/E systems in special purpose vehicles such as vehicles designed for drivers with disabilities; It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy, and similar hazards unless directly caused by malfunctioning behaviour of E/E safety-related systems.
Parts of t e ISO 26262 standard
Source: ISO 26262 standard
E=planation of t e #-model
Fser re?uirements
#alidation tracea-ility
Fser acceptance testing System integration and testing %1/S1 integration and testing Fnit and integration testing
System re?uirements
Arc itectural design
#erification tracea-ility
)etailed design
The purpose of Verification is to ensure that selected work products meet their specified requirements.
)evelopment and coding
The purpose of Validation is to demonstrate that a product or product component fulfills its intended use when placed in its intended environment.
Safety lifecycle according to ISO 26262
1ays of ac ieving ris' reduction

E/E facilities
According to ISO 26262
Ot er tec nologies "eg> safety valves$
Out of scope ISO 26262
E=ternal measures "eg> p ysical containment$

Out of scope ISO 26262
#-model from ve icle to component perspective
,esponsi-ilities of t e OE<
Source: IKV++ technologies
,is' -ased development approac

Safety re?uirements must -e early derived / specified>
%A,A
ASI6
)evelopment process
%a&ard analysis and ris' assessment "%A,A$

)etermination of safety goals and ASI6 attri-utes Identification of t e need for and amount of re?uirements regarding functional safety
)evelopment process compliant wit re?uirements "ASI6-ad:usted$ -y measures ta'en in/

Procedures %1 arc itecture )esign0 verification0 H
Safety integrity level "2/7$
Safety integrity/ pro-a-ility of a safety-related system satisfactorily performing t e re?uired safety functions under all t e stated conditions wit in a stated period of time> Safety integrity level/ e=presses t e level of ris' reduction re?uired to prevent a specific a&ard>
SIL 1 SIL 2 SIL 3 SIL 3 ASIL A ASIL B ASIL C ASIL D PL a PL b PL c PL d AgPL a AgPL b AgPL c AgPL d AgPL e

C e ASI6 level defines t e re?uirements0 met ods0 tec ni?ues and measures to manage systematic failures "system0 %1 and S1$ and random failures "%1$
Source for tables: ISO 26262 standard parts 4 and 5
(irst steps in t e process
Organi&ational processes
Closer look
!ore systems and safety engineering processes Supporting processes

Source: Flanders DRIVE FLAME methodology
Safety-oriented analyses
Fse-case/ electric powertrain
!reate system and environment description "Jitem definition$

Fnderstanding of t e system0 its environment and actors to facilitate t e a&ard analysis and ris' assessment
The boundaries of the system The elements of the system The systems interfaces Requirements received from other systems and the environment Requirements on other systems and the environment The allocation and distribution of functions among the systems
E=ecute a&ard analysis and ris' assessment "2/2$

!onte=t for t e a&ard analysis and ris' assessment
Definition of safety goals to prevent $azardous events leading to $arm2
E=ecute a&ard analysis and ris' assessment "2/2$

System and environment description
Functional behaviour of the system at vehicle level Operating modes, operational situations, vehicle states Already known hazards Systematic determination of system hazards Brainstorming, checklists, quality history, FMEA,
)perating modes %ill descent control mode Agility control mode Craction !ontrol mode H
,azardous events Side collision wit anot er ve icle )perational situations Pedestrian accident !ity driving (ront collision wit an o-:ect "eg> Cree$ Snow and ice H <ountain pass Ve$icle states H )riving at constant speed Accelerating stand-still0 H
!lassification of Severity "S$
The risk assessment of hazardous events focuses on the harm to each endangered person including the driver or the passengers of the vehicle causing the hazardous event, and other endangered persons such as cyclists, pedestrians or occupants of other vehicles.
!lasses of pro-a-ility of e=posure "E$
)efining t e controlla-ility "!$
Vehicle no longer controllable
10 9
Neukum and Krger method
System reaction dangerous
8 7 6
System reaction disturbing
! System reaction noticeable " 1 #othing noticed 0
Creation of error functions with different error amplitudes and error durations in different driving manoeuvres
Safety Criteria
Analysis of dynamic driving data. Determination of error limits: via statistical analysis of subjective scores of malfunctions
)etermine safety goals and ASI6 levels
Risk graph from ISO 26262
A safety goal is a top-level safety requirement for the system. Failure of the safety goal will result in an immediate increase of the risk.
ASIL D = highest safety requirements ASIL A = lowest safety requirements QM = Quality Management (no safety requirements)
Severity (S) Exposure (E) Controllability (C)
6et+s Practice
8uild t e %A,A for an electric ve icle wit one electric motor providing tor?ue to t e front w eel via an automatic transmission -o=>
Page 75
E=ample functional safety goals

Functional Safety Goal = toplevel functional safety requirement
The magnitude and sign of the torque delivered to each front wheel shall not destabilize the vehicle in all driving situations. The sign shall be correct. The magnitude shall be within +/-5% of the required value. No torque shall be delivered by the system when the vehicle is connected to a charging spot. The time and phase lag of the torque transfer shall not destabilize the vehicle in all driving situations. Time lag shall be less than 100 ms. Phase lag shall be less than 20 ms.
)erive functional safety re?uirements

Derive the functional safety requirements (FSR), from the safety goals, and allocate them to preliminary architectural elements of the system in order to ensure the required functional safety.
,esults of a&ard analysis and ris' assessment
Safety goal A ASI6 !
Safety goal 8 ASI6 )
Safety goal K
Techniques to define FSRs: FMEA, FTA, brainstorming, HAZOP,
(unctional safety re?uirement ASI6 !
(unctional safety re?uirement ASI6 !
(unctional safety re?uirement ASI6 )
Criteria for FSRs: - Unique label. - Unambiguous - Comprehensible - Atomic - Consistent - Feasible - Verifiable
At least one functional safety requirement shall be specified for each safety goal.
System arc itecture for Electric Powertrain
E=ample functional safety re?uirements
(<EA "(ailure <odes and Effects Analysis$

Inductive approach
Main Question: what are the consequences? Can also be called BOTTOM-UP From individual cases to general conclusions
(CA "(ault Cree Analysis$
Deductive approach
Main Question: what is the reason? Can also be called TOP-DOWN What led to the top event? Sherlock Holmesian approach Deductive system analysis: Fault Tree Analysis (FTA)
(urt er system design0 integration . testing and validation

The technical safety concept is a statement of how the safety functions are implemented in hardware or software. This is stated in the technical safety requirements. Hardware and software safety requirements state the specific safety requirements that will be implemented as part of the software and hardware design
Agenda

System and environment description %a&ard analysis and ris' assessment (unctional safety concept ,ardware Development Software )evelopment
*uestions
%ardware development
Re3uired activities and processes
%ardware implementation of t e tec nical safety concept Analysis of potential ardware faults and t eir effects !oordination wit Software development
Page 92
,ardware faults
Safe fault
fault w ose occurrence will not significantly increase t e pro-a-ility of violation of a safety goal>
Single-Point (ault
fault in an element t at is not covered -y a safety mec anism and t at leads directly to t e violation of a safety goal>
<ultiple Point (ault

individual fault t at0 in com-ination wit ot er independent faults0 leads to a multiple-point failure>
,esidual (ault
portion of a fault t at -y itself leads to t e violation of a safety goal0 occurring in a ardware element0 w ere t at portion of t e fault is not covered -y safety mec anisms>
Page 95
,ardware faults 4continued5
)etected (ault
fault w ose presence is detected wit in a prescri-ed time -y a safety mec anism t at prevents t e fault from -eing latent>
Perceived (ault
(ault w ose presence is deduced -y t e driver wit in a prescri-ed time interval>
6atent (ault
multiple-point fault w ose presence is not detected -y a safety mec anism nor perceived -y t e driver wit in t e multiple-point fault detection interval>
Page 97
,ardware metrics
C e single point faults metric reflects t e ro-ustness of t e item to single point faults> C e latent faults metric reflects t e ro-ustness of t e item to latent faults> #ro6a6ilistic Metric for random ,ardware Failures "P<%($ metric reflects t e residual pro-a-ility of accidental ardware failure>
Page 99
"ingle point faults metric
Page 96
7atent faults metric
Page 93
E ample
Page 9E
E ample 4continued5
Page 9D
E ample 4continued58 demo (9V :or;6enc$
Page 64
E ample 4continued58 demo (9V :or;6enc$
Page 62
Agenda

System and environment description %a&ard analysis and ris' assessment (unctional safety concept %ardware )evelopment "oftware Development
*uestions
Software development
Reference #$ase Model
Page 65
Is a6out
S1 as neit er potential to wear out nor produce random failures> S1 ?uality is determined -y its development process> C e more rigorous and systematic t e development process0 t e ig er t e ASI6 rating can -e ac ieved> Programming language selection 5rd party software selection and ?ualification "e>g> ,COS$ Cool selection and ?ualification S1 !onfiguration Integration in ardware And muc more H>
Page 67
"oftware "afety Re3uirements< some e amples
C e safety state s all -e activated -y a switc off of driver 5> C e 6ogic Solver "!PF$ s all run self tests of t e internal registers> C e input cloc' s all -e tested to detect faults> )uring t en operating p ase0 plausi-ility c ec's of specific varia-les according to t e appropriate range s all -e performed> C e ma=imum start-up tome is 2 seconds> C e reaction time to a normal input c ange is ma=imum 2 millisecond> HH
Page 69
,ow to program "afety .ritical Microcontrollers=
<icrocontroller manufacturer provides a safety manual0 w ic descri-es t e safety mec anisms and t e assumptions of use> E=ample/ CI+s %erculesC< A,<L Safety !ritical <icrocontrollers

)ual !ore 6oc'step !PF Self Cest !ontroller <emory Protection Fnit Programma-le <emory 8uilt In Self Cest ,A< E!! correction !loc' monitoring H>>
"demo$
Page 66
C an's for your attendance@
For more information, please contact
Marc Van Vlimmeren

Functional safety engineer tel. +32 11 790 577 Marc.vanvlimmeren@flandersdrive.be
Bert Dexters
Project leader Automotive Safety Integrity Level tel. +32 11 790 545 bert.dexters@flandersdrive.be
www.flandersdrive.be
Ilossary "2/5$
Active safety Systems assisting in the prevention of a crash Error (1) Mistake in engineering, requirement specification, or design. (2) Mistake in design, implementation or operation which could cause a failure. Failure The inability of a system or component to perform its required functions within specified performance requirements. Fault Any change in state of an item that is considered to be anomalous and may warrant some type of corrective action. Examples of faults included device errors reported by Built-In Test (BIT)/Built-In Test Equipment (BITE), out-of-limits conditions on sensor values, loss of communication with devices, loss of power to a device, communication error on bus transaction, software exceptions (e.g., divide by zero, file not found), rejected commands, measured performance values outside of commanded or expected values, an incorrect step, process, or data definition in a computer program, etc. Faults are preliminary indications that a failure may have occurred. Fault Injection Process The process of deliberately inserting faults into a system (by manual or automatic methods) to test the ability of the system to safely handle the fault or to fail to a safe state. Usually, fault injection criteria is defined by system safety and is implemented by the software test engineering group to measure the systems ability to mitigate potential mishaps to an acceptable level of risk.
Page 6D
Ilossary "2/5$
Hazard Any real or potential condition that can cause injury, illness, or death to personnel; damage to or loss of a system, equipment or property; or damage to the environment. Passive safety Features of the vehicle (primarily airbags, seatbelts and the physical structure of the vehicle) that help to protect occupants during a crash Risk A measure of the uncertainty of attaining a goal, objective, or requirement pertaining to technical performance, cost, and schedule. Risk level is categorized by the probability of occurrence and the consequences of occurrence. Risk is assessed for program, product, and process aspects of the system. This includes the adverse consequences of process variability. The sources of risk include technical (e.g., feasibility, operability, producibility, testability, and systems effectiveness); cost (e.g., estimates, goals); schedule (e.g., technology/material availability, technical achievements, milestones); and programmatic (e.g., resources, contractual). Risk Assessment The process by which the results of risk analysis are used to make decisions. Safe General term denoting an acceptable level of risk of, relative freedom from, and low probability of harm. The associated risks that have been identified have been accepted Safe State A state in which the system poses an acceptable level of risk for the operational mode and environment.
Page 34
Ilossary "5/5$
Safety Freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment. Safety Analysis A systematic examination to determine system functionality, to identify potential hazards, and analyze the adequacy of measures taken to eliminate, control, or mitigate identified hazards; and analyze and evaluate potential accidents and their associated risks Safety Critical Function A function whose failure to operate, or incorrect operation, will directly result in a high risk mishap (i.e., death, serious injury, system loss, environmental damage). Safety Integrity The ability of a control system to work safely (this includes shutting down safely if a fault occurs), which depends on the entire system, not just the computer Automotive Safety Integrity Level (ASIL) One of four levels to specify the item's or element's necessary requirements of ISO 26262 and safety measures to apply for avoiding an unreasonable residual risk , with D representing the most stringent and A the least stringent level .
Page 32
A--reviations "2/2$
ASI6 8<S !<<I E/E (CE (6A<E %A,A %1 IE! IK!OSE ISO
Automotive Safety Integrity 6evel 8attery <anagement System !apa-ility <aturity <odel Integration Electrical and/or Electronic (ull Cime E?uivalent (landers ASI6 <et odology %a&ard Analysis and ,is' Assessment %ardware International Electrotec nical !ommission International !ouncil on Systems Engineering International Standardi&ation Institute
Page 32
A--reviations "2/2$
OE< *< ,.) SPI!E S1 C8I
Original E?uipment <anufacturer *uality <anagement ,esearc . )evelopment Software Process Improvement and !apa-ility )etermination Soft1are Cruc's0 8usses0 Industrial #e icles
Page 35

Introduction To Functional Safety KDG Seminar 20130424 Handout

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Introduction To Functional Safety KDG Seminar 20130424 Handout

Încărcat de

Drepturi de autor:

Formate disponibile

Introduction to functional safety

Marc Van Vlimmeren Flanders DRIVE April 24th, 2013

2012 Flanders DRIVE all rights reserved

2012 Flanders DRIVE all rights reserved

6ocated in an inspiring environment

2012 Flanders DRIVE all rights reserved

8road partners ip wit in t e ve icle and mo-ility industry

2012 Flanders DRIVE all rights reserved

Safety related ,.) pro:ects

2012 Flanders DRIVE all rights reserved

2012 Flanders DRIVE all rights reserved

<otivation for safety standards

2012 Flanders DRIVE all rights reserved

<ore modern e=amples

2012 Flanders DRIVE all rights reserved

Break by wire example: 30 million USD

Possible damage to companies: invaluable!

2012 Flanders DRIVE all rights reserved

Overview of functional safety

Source: Micha Lesemann, eVALUE Final Event

<aintenance0 service0 repair

Source: Simon Brewerton, Infineon

)efinition of functional safety

2012 Flanders DRIVE all rights reserved

)ifferent types of safety

2012 Flanders DRIVE all rights reserved

Possi-le causes for incorrect functioning of E/E systems

Fault % Root cause Element &

Electromagnetic temperature mec anical p enomena

Supply system voltage distur-ances

loss of supply reduced voltages re-connection of supply

2012 Flanders DRIVE all rights reserved

A fault in an active suspension leading to a safety critical situation.

2012 Flanders DRIVE all rights reserved

8ut it+s not all a-out tec nology@

Prof> %artwig (Safety engineering, Univ. Wuppertal)

2012 Flanders DRIVE all rights reserved

E=amples of poor safety management

2012 Flanders DRIVE all rights reserved

2012 Flanders DRIVE all rights reserved

Overview of functional safety standards and regulations

*eneric IE! 6294E

ISO D442/244E ISO CS 26D7D

)n+,ig$way ISO 26262

Agriculture ISO 2922D Mac$inery ISO 25E7D

Process improvement & assessment models

Mac$inery IE! 62462 Eart$ moving mac$ines ISO 29DDE

2012 Flanders DRIVE all rights reserved

EF targets for road safety

2012 Flanders DRIVE all rights reserved

,e?uired standards to follow -y manufacturer

State of Science and Cec nology State of t e Art

Increasing degree of o-ligation

SOCA I") '-'-' IA,C IE. -%/01 ,egulations

e>g> <ac ine )irective

2012 Flanders DRIVE all rights reserved

2012 Flanders DRIVE all rights reserved

Scope of ISO 26262

2012 Flanders DRIVE all rights reserved

Parts of t e ISO 26262 standard

Source: ISO 26262 standard

2012 Flanders DRIVE all rights reserved

Arc itectural design