
ISO 26262 Introduction

Singapore, 17 October 2012


Koen Leekens

exida Contacts

Singapore +65 6222 5160
Shanghai +86 21 5171 7250
Hong Kong +852 2633 7727
Germany +49 89 4900 0547
USA +1 215 453 1720
Switzerland +41 22 364 14 34
Canada +1 403 475 1943
United Kingdom +44 2476 456 195
Netherlands +31 318 414 505
Australia / NZL +64 3 472 7707
Mexico +52 55 5611 9858
South Africa +27 31 267 1564

Copyright exida LLC ® 2000-2012


On the Agenda

ISO 26262 and the Challenges


exida Expertise



Safety is Only as Strong as its Weakest Link

Once upon a time…

Electronics???


Many years later…

Adaptive Headlights
Pre-Crash System
Automatic Steering
Backup Camera
Infrared Night Vision
Steering Lock
Traction Control System
Anti-Blocking System
Corner Brake Control
Adaptive Cruise Control
Automatic Collision Notification
Automated Parking System
Automatic Gearbox Control
Airbag
Electronic Stability Program
Tire Pressure Monitoring
Reverse Sensors
Lane Departure Warning
Deflation Detection System
Emergency Brake Assistance
Traffic Sign Recognition


Some Fatality Numbers

Fatalities decreasing too Slowly in Europe

Fatalities stable but too High in US


Many years later…

Callout over the same list of functions (Anti-Blocking System, Corner Brake Control, …): these must “actively” function to achieve a Safe State.


What is…?

Functional Safety

ISO 26262: Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems

IEC 61508: Part of the overall safety related to the equipment under control (EUC) that depends on the correct functioning of the safety-related system


Why Functional Safety Standards?

BECAUSE…



Why Functional Safety?

BECAUSE…

ELECTRONICS CAN FAIL !!!

Are you Able to Provide the EVIDENCE that Risks have been Minimized?


Which Standard to Follow?

IEC 61508
Functional Safety for E/E/PES Safety Related Systems



ISO 26262 Adaptation of IEC 61508

IEC 61508
Functional Safety for E/E/PES Safety Related Systems

Why not ideal for Automotive Industry?


Basic Standard for Functional Safety

IEC 61508
Functional Safety for E/E/PES Safety Related Systems

Generic “High Level” Standard
Roots in Process Industry
Assumes One Company does Everything
Not Designed for the Distributed Development

Why not Ideal for Automotive Industry?


ISO 26262 Adaptation of IEC 61508

IEC 61508
Functional Safety for E/E/PES Safety Related Systems

Sector standards derived from IEC 61508:
IEC 61511 – Process Industry
IEC 62061 – Machinery
IEC 61513 – Nuclear
ISO 26262 – Road Vehicles
ISO 13849-1 – Machine Safety
ISO 25119 – Tractors…

ISO 26262 is “State of the Art” For Automotive
Developed with OEM


How Do E/E Systems Fail?

Random Failures: “Usually a permanent or transient failure due to a system component loss of functionality – hardware related”

Systematic Failures: “Usually due to a design fault, wrong specification, not fit for purpose, error in software program, ...”


ISO 26262 Principles

ISO 26262 Functional Safety Principles

Avoidance of Faults: Avoid Systematic Faults
– Process – Methods – Organization
– Before Delivery

Control of Failures: Control of Systematic Failures, Control of Random Failures
– Technical Safety Measures
– In Operation


ISO 26262 Principles (continued)

Avoidance of Faults – Before Delivery: Implement Correctly
Control of Failures – In Operation: Detect and React



ISO 26262 follows a Safety LifeCycle

Risk Based Approach. Lifecycle figure, recovered labels only:

2.4 – 2.6 Management of Functional Safety

Concept phase:
3.5 Item definition
3.6 Initiation of Safety Lifecycle
3.7 Hazard Analysis and Risk Assessment
3.8 Functional Safety Concept
Side inputs: Other Technologies, Driver Controllability (and Usability), External Measures

Product development:
4 Product Development – System
5 Hardware
6 Software
7.4 Planning of Production
7.5 Planning of Operation, Service and Decom.
4.11 Release for SOP

After SOP:
7.4 Production
7.5 Operation, Service and Decommissioning
Back to appropriate lifecycle phase

8.4 – 8.15 Supporting Processes


Work Products

> 100 Work Products

exida Templates


ISO 26262 Structure



ISO 26262 Structure

Vocabulary



Vocabulary is important

English is not English
– English – American – KorEnglish – GerEnglish – Singlish…
English is not ISO/IEC
– Validation – Verification – Confirmation
– Fault – Failure – Error
Different Standard – Different Terminology
– Safety Requirement in ISO 26262 vs IEC 61511


ISO 26262 Structure
Functional Safety Management



Management of Functional Safety

Overall Requirements for the Organization
– Specific Organizational Rules
– Competence
– Quality

Plan – Coordinate – Track

Requirements for Phases
– Roles and Responsibilities
– Functional Safety Plan
– Progression
– Safety Case
– Confirmation Measures


Functional Safety Plan (exida Template) – table of contents:

4 Functional Safety Management
4.2 Project Organization
4.3 Roles and Role Descriptions
4.5 Team Competence
5 Safety Life Cycle
5.2 Scheduling of the safety lifecycle activities
5.3 Concept Phase
5.4 Product development on system level
5.4.1 Initiation of System Product Development
5.4.2 Specification of Technical Safety Requirements
5.4.3 System Design
5.4.4 Item Integration and Testing
5.4.5 Safety Validation
5.4.6 Functional Safety Assessment
5.4.7 Release for Production
5.5 Product development HW level
5.5.1 Initiation of HW product development
5.5.2 Specification of HW safety requirements
5.5.3 HW design
5.5.4 HW architectural metrics
5.5.5 Evaluation of safety goal violation due to random HW faults
5.5.6 HW integration and testing
5.6 Product development SW level
5.6.1 Initiation of SW product development
5.6.2 Specification of SW safety requirements
5.6.3 SW Architecture design
5.6.4 SW Unit design and implementation
5.6.5 SW Unit testing
5.6.6 SW integration and testing
5.6.7 Verification of SW safety requirements
6 Production and Operation
7 Supporting Processes
7.1 Interfaces within distributed development
7.2 Specification and management of safety requirements
7.3 Configuration management
7.4 Change management
7.5 Verification
7.7 Qualification of SW tools
7.11 Safety Case
8 Cross Reference between Project Documentation and ISO 26262 Work Products
11 Annex A: Status of the Team Competence


Management of Functional Safety

Safety Case

A clear, comprehensive and defensible argument that a system is acceptably safe to operate in a particular context.
(Tim Kelly / Rob Weaver, University of York)


ISO 26262 Structure

Concept



Concept Phase

OEM Defines Item > ESCL: Prevent use by unauthorized person by mechanical lock
Initiation of Safety Lifecycle
Hazard Analyses and Risk Assessment
Functional Safety Concept


Concept Phase

OEM Defines Item > ESCL
Initiation of Safety Lifecycle > New
Hazard Analyses and Risk Assessment
Functional Safety Concept
Safety Case

Modification Process (figure, recovered steps):
New Problem Report / Enhancement Request
Problem Analysis
Change Request
Impact Analysis
Change Control Board: Safety Alert / Recall / Stop
Modification Proposal: Safety Criticality, Affected Modules, Decide on lifecycle re-entry point, Update Safety Case & Probability Model
Modifications: Version Control, Update Regression Test Suite
Module Test
Integration Test
System Test
Productization, Configuration Control
New release

Legend – Database entries and exida Documents (yellow: new, green: update existing):
Regression testing
Modified product – hardware & software
User documentation incl. changed product safety properties
Associated development & test doc.
Release history


Concept Phase

OEM Defines Item > ESCL
Initiation of Safety Lifecycle > New
Hazard Analyses and Risk Assessment
Functional Safety Concept

What Can Go Wrong?
> Steering locks when driving


Concept Phase

OEM Defines Item > ESCL
Initiation of Safety Lifecycle > New
Hazard Analyses and Risk Assessment
Functional Safety Concept

SAFETY GOAL: Avoid a Dangerous Situation

SG No. | HRA Reg  | Safety Goal                                                          | ASIL | Safe State
SG1    | ESCL_001 | Unintended locking of ESCL while vehicle is moving shall be avoided | ?    | ESCL Unlocked


Concept Phase

OEM Defines Item > ESCL
Initiation of Safety Lifecycle > New
Hazard Analyses and Risk Assessment
Functional Safety Concept

How “Risky” is that?
> Need ASIL D


Consequence – Likelihood

Moderation Always with OEM


Concept Phase

OEM Defines Item > ESCL
Initiation of Safety Lifecycle > New
Hazard Analyses and Risk Assessment > ASIL D
Functional Safety Concept

Functionality to meet SAFETY GOAL…


Concept Phase

OEM Defines Item > ESCL
Initiation of Safety Lifecycle > New
Hazard Analyses and Risk Assessment > ASIL D
Functional Safety Concept > Unlock Steering Column when Vehicle is moving

Functional safety concept for SG1, every element ASIL D:
Vehicle Speed > Vehicle Speed Server > Lock Sequence > Steering Column Lock


ISO 26262 Structure

System Level Development



Product Development System Level

Objectives: TSC and System-Design
– Requirements allocation
– Specification of Safety Measures
– Integration
– Validation

Concept Phase > Functional Safety Concept
Product Development > Technical Safety Concept (INTEGRITY) > System Design > HW Design / SW Design




ISO 26262 Structure

HSI



ISO 26262 Structure

HW Level Development



Product Development Hardware Level

5.8 Architectural metrics    | ASIL B | ASIL C | ASIL D
Single point faults metric   | ≥ 90 % | ≥ 97 % | ≥ 99 %
                             | +      | ++     | ++
Latent faults metric         | ≥ 60 % | ≥ 80 % | ≥ 90 %
                             | +      | +      | ++

5.9 Random hardware failure target values
ASIL D: < 10^-8 h^-1
ASIL C: < 10^-7 h^-1
ASIL B: < 10^-7 h^-1
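As an added example (not the presentation's or exida's code), the two architectural metrics and the random-failure target from the table above are computed over a constructed FMEDA for the ESCL item and checked against the ASIL B/C/D targets. Part names, failure rates and coverage values are invented, and the metric formulas are those of ISO 26262-5, which the slide does not spell out.

```python
"""ISO 26262-5 hardware architectural metrics on a constructed ESCL FMEDA.

Added example, not exida's or the slides' code; FMEDA rows are constructed.
The slide lists only targets, so the metric definitions are ISO 26262-5's:
  SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
  LFM  = 1 - sum(lambda_MPF_latent) / sum(lambda - lambda_SPF - lambda_RF)
Failure rates are in FIT (1 FIT = 1e-9 failures per hour).
"""
from dataclasses import dataclass, replace

FIT = 1e-9  # failures per hour
# Target values as listed on the slide (clauses 5.8 and 5.9).
TARGETS = {
    "B": {"spfm": 0.90, "lfm": 0.60, "rate_per_h": 1e-7},
    "C": {"spfm": 0.97, "lfm": 0.80, "rate_per_h": 1e-7},
    "D": {"spfm": 0.99, "lfm": 0.90, "rate_per_h": 1e-8},
}

@dataclass(frozen=True)
class FmedaRow:
    part: str
    fit: float              # total failure rate of the part, in FIT
    safe_frac: float        # share of failures that cannot violate the safety goal
    covered: bool           # does a safety mechanism act on this part?
    dc_res: float = 0.0     # coverage against residual faults (0..1)
    dc_latent: float = 0.0  # coverage that reveals a controlled fault (0..1)

def classify(row: FmedaRow) -> dict:
    """Split one part's failure rate into SPF, RF and latent MPF (all in FIT)."""
    dangerous = row.fit * (1.0 - row.safe_frac)
    if not row.covered:
        # No safety mechanism: every dangerous failure is a single-point fault.
        return {"spf": dangerous, "rf": 0.0, "latent": 0.0}
    rf = dangerous * (1.0 - row.dc_res)   # the mechanism misses these
    mpf = dangerous - rf                   # the mechanism controls these...
    latent = mpf * (1.0 - row.dc_latent)   # ...but does not reveal all of them
    return {"spf": 0.0, "rf": rf, "latent": latent}

def metrics(rows) -> tuple:
    """Return (SPFM, LFM, single-point + residual violation rate per hour)."""
    total = sum(r.fit for r in rows)
    classes = [classify(r) for r in rows]
    spf_rf = sum(c["spf"] + c["rf"] for c in classes)
    latent = sum(c["latent"] for c in classes)
    spfm = 1.0 - spf_rf / total
    lfm = 1.0 - latent / (total - spf_rf)
    # Lower bound only: dual-point contributions (latent + second fault) are not added.
    return spfm, lfm, spf_rf * FIT

def check(rows, asil: str) -> dict:
    """Compare the metrics of `rows` with the slide's targets for `asil`."""
    spfm, lfm, rate = metrics(rows)
    t = TARGETS[asil]
    return {"spfm_ok": spfm >= t["spfm"], "lfm_ok": lfm >= t["lfm"],
            "rate_ok": rate < t["rate_per_h"]}

# Constructed ESCL FMEDA: the unmonitored supply monitor is the only part
# whose dangerous failures count as single-point faults.
ESCL_FMEDA = [
    FmedaRow("lock actuator driver", 50.0, 0.5, True, 0.99, 0.90),
    FmedaRow("vehicle speed input", 20.0, 0.5, True, 0.99, 0.90),
    FmedaRow("microcontroller", 100.0, 0.5, True, 0.99, 0.95),
    FmedaRow("supply monitor", 10.0, 0.6, False),
]

# The same design after adding a diagnostic for the supply monitor.
ESCL_FMEDA_IMPROVED = [
    replace(r, covered=True, dc_res=0.99, dc_latent=0.90)
    if r.part == "supply monitor" else r for r in ESCL_FMEDA
]

if __name__ == "__main__":
    for name, rows in (("baseline", ESCL_FMEDA), ("improved", ESCL_FMEDA_IMPROVED)):
        spfm, lfm, rate = metrics(rows)
        print(f"{name}: SPFM={spfm:.4f} LFM={lfm:.4f} rate={rate:.2e}/h", check(rows, "D"))
```

The baseline meets the ASIL C metrics but misses the 99 % single-point faults metric for ASIL D because of the one uncovered part; adding a diagnostic for it brings the design within all three ASIL D targets.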


Dual Core versus 2 µC Solution

Optimized Vehicle + Safety Features

AURIX covers Random HW Fault issues

Figure (recovered labels): 2 µC solution with µC1 and µC2 (each with I/O, ALU, RAM, Reg, Flash) and a Voter, versus a dual-core µC.

2 µC solution: 2x SW Development, Communication, Testing, PCB Space, Justification, Supply voltage, …
Dual core: Focus Mainly on Application


ISO 26262 Structure

SW Level Development



Product Development Software Level

V-model figure (recovered labels):
Scope of Part 4: E/E System Design > E/E System Integration > System Validation
Scope of Part 6: Software Safety Requirements > Software Safety Validation (Software Validation); Software Architecture and Design > Software Integration and Test; Software Implementation > Software Unit Test
Left leg: Design Phases, with Verification during Design at every level
Right leg: Test Phases (Test, Verification)


ISO 26262 Structure

Production
Operation



ISO 26262 Structure

Supporting Processes



Supporting Processes

Interfaces within Distributed Developments (DIA)
Specification and Management of Requirements
Configuration Management
Change Management
Verification
Documentation
Confidence of Use in SW Tools
Qualification of HW/SW Components
Proven in Use Arguments

Other Parts reference “Supporting Processes”


ISO 26262 Structure

Safety Analyses



Safety Analyses

Decomposition
ASIL Tailoring
Criteria for Coexistence
Dependent Failure Analysis
Safety Analyses


Where are Safety Analyses in ISO?

Analyses placed on the lifecycle (figure): H&R, HAZAN, SCA, SWCA, FTA, FMEA, FMEDA

H&R: Hazard & Risk
SCA: System Criticality
FTA: Fault Tree
FMEA: Failure Mode Effect
FMEDA: FMEA with Diagnostics
SWCA: SW-Criticality
HAZAN: Hazard Analysis


exida Tools for Automotive

SafetyCaseDB: Requirements and Safety Case Management and ISO 26262 knowledgebase
SILCal FMEDA: Component FMEA with integrated Failure Mode Database
SILCap: Safety Criticality Analysis, System FMEA and S/W-HAZOP

Tool-Based Design Support


ISO 26262 Structure

Guideline


ISO 26262: If you did it well…

You are Able to Show:

– Completeness:
    Everything accounted for
    Requirements under Control
    Everything tested – pass
    Used the toolsets
– Consistency:
    This is visible for external auditor even when project members have left
– Traceability:
    Structured Process Model
    Documents linked
    Evidence for Everything
    Understandable for external
– Documentation:
    All activities planned
    Execution documented in SC
    Inspected – Archived
    For a life-time (15 year?)


ISO 26262: If you did it well… (continued)

Together, that evidence is the Safety Case: “A clear, comprehensive and defensible argument that a system is acceptably safe to operate in a particular context.” (Tim Kelly / Rob Weaver, University of York)


On the Agenda

ISO 26262 and the Challenges


exida Expertise



Who we are

Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV SÜD
Today: LARGEST Functional Safety and Cyber Security consultancy and certification body worldwide

“Provide independent services and tools to help customers comply with any industry standards for Functional Safety, Cyber Security and Alarm Management”

Rainer Faller
– Former Head of TÜV Product Services
– Chairman German IEC 61508
– Intervener ISO 26262 / IEC 61508
– Co-Authored IEC 61508 parts
– Author of several Safety Publications

Dr. William Goble
– Former Director Moore Industries
– Developed FMEDA Technique (PhD)
– Author of several Safety Books
– Author of several Reliability Books


What we do

EXIDA SCOPE: Functional Safety, Cyber Security, Reliability, Alarm Management
SERVICES: Tools, Training, Consultancy, Certification, Reference Materials
INDUSTRIES: Process Industry, Automotive, Machine Industry, Power Industry, Rail
CUSTOMERS: End Users, Equipment Manufacturer, Car Manufacturer, System Integrators


Automotive Customers (extract)

Services Tools IC‘s



exida Development Support Services

Setting up Functional Safety Management / Act as FSM Coordinator
Safety System Development and Design support
– Requirements Management & Engineering (SafetyCaseDB + Doors® incl. Setup)
– Safety Concept development and documentation (also pre-existing systems)
– Tool based Safety Criticality Analysis (SILCap)
– Hardware design support: Tool based FMEA and Quantitative FMEDA
– Software design support: UML design, Tool based Software HAZOP/FMEA (SILCap)
Tool based Safety Case development
– IEC/ISO knowledgebase
– Document templates per development phase: FSM plan, SRS, Safety concept, Test plans
Tool-based Safety Verification of Automotive Applications


exida Certifications

exida Certification S.A.
– Clean separation from the exida Consulting business
– English language based assessment and certification system
– International alternative to TÜV

Open exida Certification Scheme
– IEC 61508 and ISO 26262 compliant using exida Safety Case methodology (SafetyCaseDB) and audits
– Assessment Process and Requirements Publicly available


exida is Part of your Team

Safety and Standards Advisor
– Questions, advice
– Interpretation of standards
Moderator and Participant (One or more Roles)
– FMEDA, Dependent Failure Analysis
– Software analysis
– Project Bottlenecks
Participant (joint activities)
– Write development documents and procedures
– Help with test specification, FIT, safety validation
Be your “Lawyer” vs. the Assessment Body
– Argue your safety case
– Manage all activities with the assessor
exida Certification S.A. – the Assessment Body


Automotive Projects (extract)

Steering (Active Front Steering, Electronic Power Steering)
Gearbox
Driver assistance (e.g. ACC, ESP)
Body control
H2 Clean-Energy
Battery monitoring
Software platforms (AUTOSAR, communication, hardware drivers, self-tests)
Safety IC Assessment support (µC, system chips)