Documente Academic
Documente Profesional
Documente Cultură
Agenda
Introduction to Flanders DRIVE Introduction to functional safety Overview of functional safety standards and regulations ISO 26262 for safety-related automotive E/E development
Scope Parts of t e standard Safety lifecycle !ore safety engineering processes "#-model$
System and environment description %a&ard analysis and ris' assessment (unctional safety concept %ardware )evelopment Software )evelopment
*uestions
(landers+ ),I#E
,esearc institute for t e ve icle and mo-ility industry developing and presenting tec nological solutions in t e following ,.) domains/
Open innovation approac driven -y t e industry %ig -tec Infrastructure for ve icle0 system and component testing 1ide international networ' of 234 partners
Page 5
Page 7
Page 9
Page 6
Agenda
Introduction to (landers; ),I#E Introduction to functional safety Overview of functional safety standards and regulations ISO 26262 for safety-related automotive E/E development
Scope Parts of t e standard Safety lifecycle !ore safety engineering processes "#-model$
System and environment description %a&ard analysis and ris' assessment (unctional safety concept %ardware )evelopment Software )evelopment
*uestions
1800-1839: 69 boiler explosions, 160 fatalities (Great-Brittain) 1884: Blast Furnace Friedrichshtte, 12 fatalities (Silesia)
,ecalls at ig level
2000: Accidents due to detachment of Bridgestone tyre tread Worldwide 700 injured and 203 dead Recall more than 14 million tyres Costs 1.3 billion USD In addition: actions for damages Toyota recently had to recall nine million cars back to the garage because of problems with the accelerator and brake. And more often, this kind of problems have a root cause in mechatronic and software components.
%arm
!oncept
)evelopment
Production
,ecycling
Systematic development approach to minimize the risk of system failures resulting into harm
2012 Flanders DRIVE all rights reserved
E/E/PE device
Input devices "e>g> sensors$ Output devices "e>g> actuators$
Functional safety is part of the overall safety that depends on electric, electronic or programmable electronic systems (E/E systems) operating correctly in response to its inputs. E/E systems include power supplies, sensors and other input devices, communication networks, actuators and other output devices.
Unreasonable risk: unacceptable adverse effects on humans or to the environment taking into account its economic, environmental, medical and social benefits and costs. Hazard: potential source of harm. The term includes danger to persons arising within a short time scale (eg. fire, explosion) and also those that have a long term effect (eg. release of toxic substance).
#assive "afety
features t at elp reduce t e effects of an accident
Active "afety
systems t at use an understanding of t e state of t e ve icle to -ot avoid and minimise t$e effects of an accident>
Functional "afety
Ensures correct functioning of t e E/E systems "including active safety related systems$
Element A
Failure A
Failure &
Fault '
,eality
C e greater t e comple=ity of a tec nical system0 t e more stringent t e re?uirements to -e met -y management@
Agenda
Introduction to (landers; ),I#E Introduction to functional safety )verview of functional safety standards and regulations ISO 26262 for safety-related automotive E/E development
Scope Parts of t e standard Safety lifecycle !ore safety engineering processes "#-model$
System and environment description %a&ard analysis and ris' assessment (unctional safety concept
*uestions
Quality standards
(QM)
Systems engineering
IE! 6294E
(unctionele veilig eid "generie'$
ISO 676D
#eilig eid electrisc e voertuigen
ISO CS 26D7D
!ontinu ver-eteren0 voor'omen van defecten0 H
ISO 26262
Automotive standaard functionele veilig eid
SSC
!onsidered necessary
State of Practice Ienerally Accepted ,ules of Cec nology e>g> E!E ,25
6aws / directives
Agenda
Introduction to (landers; ),I#E Introduction to functional safety Overview of functional safety standards and regulations I") '-'-' for safety+related automotive E!E development
Scope Parts of t e standard Safety lifecycle !ore safety engineering processes "#-model$
System and environment description %a&ard analysis and ris' assessment (unctional safety concept %ardware )evelopment Software )evelopment
*uestions
E=planation of t e #-model
Fser re?uirements
#alidation tracea-ility
Fser acceptance testing System integration and testing %1/S1 integration and testing Fnit and integration testing
System re?uirements
#erification tracea-ility
)etailed design
The purpose of Verification is to ensure that selected work products meet their specified requirements.
The purpose of Validation is to demonstrate that a product or product component fulfills its intended use when placed in its intended environment.
,esponsi-ilities of t e OE<
%A,A
ASI6
)evelopment process
Safety integrity/ pro-a-ility of a safety-related system satisfactorily performing t e re?uired safety functions under all t e stated conditions wit in a stated period of time> Safety integrity level/ e=presses t e level of ris' reduction re?uired to prevent a specific a&ard>
SIL 1 SIL 2 SIL 3 SIL 3 ASIL A ASIL B ASIL C ASIL D PL a PL b PL c PL d AgPL a AgPL b AgPL c AgPL d AgPL e
Organi&ational processes
Closer look
Safety-oriented analyses
The boundaries of the system The elements of the system The systems interfaces Requirements received from other systems and the environment Requirements on other systems and the environment The allocation and distribution of functions among the systems
)perating modes %ill descent control mode Agility control mode Craction !ontrol mode H
,azardous events Side collision wit anot er ve icle )perational situations Pedestrian accident !ity driving (ront collision wit an o-:ect "eg> Cree$ Snow and ice H <ountain pass Ve$icle states H )riving at constant speed Accelerating stand-still0 H
The risk assessment of hazardous events focuses on the harm to each endangered person including the driver or the passengers of the vehicle causing the hazardous event, and other endangered persons such as cyclists, pedestrians or occupants of other vehicles.
Source: ISO 26262 standard
10 9
8 7 6
Creation of error functions with different error amplitudes and error durations in different driving manoeuvres
Safety Criteria
Analysis of dynamic driving data. Determination of error limits: via statistical analysis of subjective scores of malfunctions
A safety goal is a top-level safety requirement for the system. Failure of the safety goal will result in an immediate increase of the risk.
ASIL D = highest safety requirements ASIL A = lowest safety requirements QM = Quality Management (no safety requirements)
Source: ISO 26262 standard
6et+s Practice
8uild t e %A,A for an electric ve icle wit one electric motor providing tor?ue to t e front w eel via an automatic transmission -o=>
Page 75
The magnitude and sign of the torque delivered to each front wheel shall not destabilize the vehicle in all driving situations. The sign shall be correct. The magnitude shall be within +/-5% of the required value. No torque shall be delivered by the system when the vehicle is connected to a charging spot. The time and phase lag of the torque transfer shall not destabilize the vehicle in all driving situations. Time lag shall be less than 100 ms. Phase lag shall be less than 20 ms.
Safety goal K
Criteria for FSRs: - Unique label. - Unambiguous - Comprehensible - Atomic - Consistent - Feasible - Verifiable
At least one functional safety requirement shall be specified for each safety goal.
Deductive approach
Main Question: what is the reason? Can also be called TOP-DOWN What led to the top event? Sherlock Holmesian approach Deductive system analysis: Fault Tree Analysis (FTA)
Agenda
Introduction to (landers; ),I#E Introduction to functional safety Overview of functional safety standards and regulations ISO 26262 for safety-related automotive E/E development
Scope Parts of t e standard Safety lifecycle !ore safety engineering processes "#-model$
System and environment description %a&ard analysis and ris' assessment (unctional safety concept ,ardware Development Software )evelopment
*uestions
%ardware development
Re3uired activities and processes
%ardware implementation of t e tec nical safety concept Analysis of potential ardware faults and t eir effects !oordination wit Software development
Page 92
%ardware development
,ardware faults
Safe fault
fault w ose occurrence will not significantly increase t e pro-a-ility of violation of a safety goal>
Single-Point (ault
fault in an element t at is not covered -y a safety mec anism and t at leads directly to t e violation of a safety goal>
,esidual (ault
portion of a fault t at -y itself leads to t e violation of a safety goal0 occurring in a ardware element0 w ere t at portion of t e fault is not covered -y safety mec anisms>
Page 95
%ardware development
,ardware faults 4continued5
)etected (ault
fault w ose presence is detected wit in a prescri-ed time -y a safety mec anism t at prevents t e fault from -eing latent>
Perceived (ault
(ault w ose presence is deduced -y t e driver wit in a prescri-ed time interval>
6atent (ault
multiple-point fault w ose presence is not detected -y a safety mec anism nor perceived -y t e driver wit in t e multiple-point fault detection interval>
Page 97
%ardware development
,ardware metrics
C e single point faults metric reflects t e ro-ustness of t e item to single point faults> C e latent faults metric reflects t e ro-ustness of t e item to latent faults> #ro6a6ilistic Metric for random ,ardware Failures "P<%($ metric reflects t e residual pro-a-ility of accidental ardware failure>
Page 99
%ardware development
"ingle point faults metric
Page 96
%ardware development
7atent faults metric
Page 93
%ardware development
E ample
Page 9E
%ardware development
E ample 4continued5
Page 9D
%ardware development
E ample 4continued58 demo (9V :or;6enc$
Page 64
%ardware development
E ample 4continued58 demo (9V :or;6enc$
Page 62
Agenda
Introduction to (landers; ),I#E Introduction to functional safety Overview of functional safety standards and regulations ISO 26262 for safety-related automotive E/E development
Scope Parts of t e standard Safety lifecycle !ore safety engineering processes "#-model$
System and environment description %a&ard analysis and ris' assessment (unctional safety concept %ardware )evelopment "oftware Development
*uestions
Software development
Reference #$ase Model
Page 65
Software development
Is a6out
S1 as neit er potential to wear out nor produce random failures> S1 ?uality is determined -y its development process> C e more rigorous and systematic t e development process0 t e ig er t e ASI6 rating can -e ac ieved> Programming language selection 5rd party software selection and ?ualification "e>g> ,COS$ Cool selection and ?ualification S1 !onfiguration Integration in ardware And muc more H>
Page 67
Software development
"oftware "afety Re3uirements< some e amples
C e safety state s all -e activated -y a switc off of driver 5> C e 6ogic Solver "!PF$ s all run self tests of t e internal registers> C e input cloc' s all -e tested to detect faults> )uring t en operating p ase0 plausi-ility c ec's of specific varia-les according to t e appropriate range s all -e performed> C e ma=imum start-up tome is 2 seconds> C e reaction time to a normal input c ange is ma=imum 2 millisecond> HH
Page 69
Software development
,ow to program "afety .ritical Microcontrollers=
<icrocontroller manufacturer provides a safety manual0 w ic descri-es t e safety mec anisms and t e assumptions of use> E=ample/ CI+s %erculesC< A,<L Safety !ritical <icrocontrollers
)ual !ore 6oc'step !PF Self Cest !ontroller <emory Protection Fnit Programma-le <emory 8uilt In Self Cest ,A< E!! correction !loc' monitoring H>>
"demo$
Page 66
Bert Dexters
Project leader Automotive Safety Integrity Level tel. +32 11 790 545 bert.dexters@flandersdrive.be
www.flandersdrive.be
Ilossary "2/5$
Active safety Systems assisting in the prevention of a crash Error (1) Mistake in engineering, requirement specification, or design. (2) Mistake in design, implementation or operation which could cause a failure. Failure The inability of a system or component to perform its required functions within specified performance requirements. Fault Any change in state of an item that is considered to be anomalous and may warrant some type of corrective action. Examples of faults included device errors reported by Built-In Test (BIT)/Built-In Test Equipment (BITE), out-of-limits conditions on sensor values, loss of communication with devices, loss of power to a device, communication error on bus transaction, software exceptions (e.g., divide by zero, file not found), rejected commands, measured performance values outside of commanded or expected values, an incorrect step, process, or data definition in a computer program, etc. Faults are preliminary indications that a failure may have occurred. Fault Injection Process The process of deliberately inserting faults into a system (by manual or automatic methods) to test the ability of the system to safely handle the fault or to fail to a safe state. Usually, fault injection criteria is defined by system safety and is implemented by the software test engineering group to measure the systems ability to mitigate potential mishaps to an acceptable level of risk.
Page 6D
Ilossary "2/5$
Hazard Any real or potential condition that can cause injury, illness, or death to personnel; damage to or loss of a system, equipment or property; or damage to the environment. Passive safety Features of the vehicle (primarily airbags, seatbelts and the physical structure of the vehicle) that help to protect occupants during a crash Risk A measure of the uncertainty of attaining a goal, objective, or requirement pertaining to technical performance, cost, and schedule. Risk level is categorized by the probability of occurrence and the consequences of occurrence. Risk is assessed for program, product, and process aspects of the system. This includes the adverse consequences of process variability. The sources of risk include technical (e.g., feasibility, operability, producibility, testability, and systems effectiveness); cost (e.g., estimates, goals); schedule (e.g., technology/material availability, technical achievements, milestones); and programmatic (e.g., resources, contractual). Risk Assessment The process by which the results of risk analysis are used to make decisions. Safe General term denoting an acceptable level of risk of, relative freedom from, and low probability of harm. The associated risks that have been identified have been accepted Safe State A state in which the system poses an acceptable level of risk for the operational mode and environment.
Page 34
Ilossary "5/5$
Safety Freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment. Safety Analysis A systematic examination to determine system functionality, to identify potential hazards, and analyze the adequacy of measures taken to eliminate, control, or mitigate identified hazards; and analyze and evaluate potential accidents and their associated risks Safety Critical Function A function whose failure to operate, or incorrect operation, will directly result in a high risk mishap (i.e., death, serious injury, system loss, environmental damage). Safety Integrity The ability of a control system to work safely (this includes shutting down safely if a fault occurs), which depends on the entire system, not just the computer Automotive Safety Integrity Level (ASIL) One of four levels to specify the item's or element's necessary requirements of ISO 26262 and safety measures to apply for avoiding an unreasonable residual risk , with D representing the most stringent and A the least stringent level .
Page 32
A--reviations "2/2$
ASI6 8<S !<<I E/E (CE (6A<E %A,A %1 IE! IK!OSE ISO
Automotive Safety Integrity 6evel 8attery <anagement System !apa-ility <aturity <odel Integration Electrical and/or Electronic (ull Cime E?uivalent (landers ASI6 <et odology %a&ard Analysis and ,is' Assessment %ardware International Electrotec nical !ommission International !ouncil on Systems Engineering International Standardi&ation Institute
Page 32
A--reviations "2/2$
Original E?uipment <anufacturer *uality <anagement ,esearc . )evelopment Software Process Improvement and !apa-ility )etermination Soft1are Cruc's0 8usses0 Industrial #e icles
Page 35