Effects of ISO 26262 on Commercial Vehicle and Steering System
ATZ worldwide 12|2017, DEVELOPMENT: Commercial Vehicles

Mobil Elektronik

AUTHORS
Dr.-Ing. Marco Völker is Head of R&D at Mobil Elektronik GmbH in Langenbrettach (Germany).
Dipl.-Ing. (FH) Wolfgang Stadie is Head of Sales & Marketing at Mobil Elektronik GmbH in Langenbrettach (Germany).

So far the international automotive standard ISO 26262 for the development of safety-relevant electrical and electronic components applies to vehicles of up to 3500 kg gross weight. The foreseeable extension of this standard to heavier commercial vehicles will affect vehicle manufacturers and their suppliers. The medium-sized enterprise Mobil Elektronik has already organised itself accordingly and develops its auxiliary steering systems to be ISO 26262 compliant.

WHY IS ISO 26262 NECESSARY AT ALL?

With the complexity of electronic, and especially programmable, systems the diversity of the fault potential increases in automotive technology too. The origins of the topic "functional safety" lie in industries such as plant engineering, nuclear power plant technology, aviation and railways, where the series of standards IEC 61508 [1] has been in use for a long time. This series of standards requires the use of diverse methods

to avoid systematic faults (errors in the specification, the implementation etc. of the system) and to control malfunctions and failures safely (often caused by physical phenomena or operating errors). For road vehicles this series of standards was transferred and adapted into the standard ISO 26262 [2]. The standard includes an automotive-specific, risk-based approach for determining risk classes, the so-called ASIL levels, FIGURE 1. In this way the established Safety Integrity Levels (SIL) were transferred to Automotive Safety Integrity Levels (ASIL). Determining the risk classes, i.e. the hazard analysis and risk assessment (H&R), is the responsibility of the vehicle manufacturer; the methods for it are regulated by ISO 26262. The choice of the electrical and electronic components used follows from the result of this hazard and risk analysis. The basis of all these safety standards is IEC 61508, which is relevant not only in the automotive area but also in nuclear or medical technology, among others, FIGURE 2.

WHAT EFFORT DOES ISO 26262 REQUIRE OF A MEDIUM-SIZED ENTERPRISE?

Mobil Elektronik GmbH, family-owned with 110 employees, develops electrohydraulic auxiliary steering systems for the rear axles of commercial vehicles. These steering systems consist of a safety steering computer, an angle transducer and proportional-valve hydraulic units, which together form a closed control loop. Primarily these systems are used in trucks, buses, mobile cranes and agricultural vehicles, that is, in vehicles licensed for use on public roads with a total weight above 3500 kg. The company would be directly affected by ISO 26262 as soon as the standard is extended to this weight category.

As mentioned previously, the goal of ISO 26262 is to reduce the safety risks of electrical and electronic components by requirements stricter than those mandated in IEC 61508. ISO 26262 considers the entire safety life cycle of the product to be developed. All activities during the different stages of this life cycle need to be assessed and documented.
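The risk classification of FIGURE 1 (ISO 26262-3 Table 4: severity S, exposure E and controllability C give the ASIL) and the ASIL decomposition the article takes up later in its DECOMPOSITION section, as an added Python example. This is not code from the article or from Mobil Elektronik. The decomposition schemes it encodes are those of ISO 26262-9:2011 clause 5 (for example ASIL D into ASIL C(D) plus ASIL A(D)), which the article does not list; the hazardous-event classification used in the usage block at the end is an assumption made for illustration.

```python
"""ASIL determination (ISO 26262-3 Table 4, FIGURE 1) and a check of a
proposed ASIL decomposition (ISO 26262-9 clause 5).

Added example; not code from the article or from Mobil Elektronik.
"""

ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}
RANK_ASIL = {v: k for k, v in ASIL_RANK.items()}

# ASIL_TABLE[severity][exposure] lists the ASIL for controllability
# classes C1, C2, C3 in that order (values as in FIGURE 1).
ASIL_TABLE = {
    "S1": {"E1": ("QM", "QM", "QM"), "E2": ("QM", "QM", "QM"),
           "E3": ("QM", "QM", "A"),  "E4": ("QM", "A", "B")},
    "S2": {"E1": ("QM", "QM", "QM"), "E2": ("QM", "QM", "A"),
           "E3": ("QM", "A", "B"),   "E4": ("A", "B", "C")},
    "S3": {"E1": ("QM", "QM", "A"),  "E2": ("QM", "A", "B"),
           "E3": ("A", "B", "C"),    "E4": ("B", "C", "D")},
}
C_INDEX = {"C1": 0, "C2": 1, "C3": 2}


def determine_asil(severity, exposure, controllability):
    """Map one hazardous event (S0-S3, E0-E4, C0-C3) to 'QM' or 'A'..'D'.

    Class 0 in any parameter means no ASIL is assigned (QM); every other
    combination must come from the table, anything else is an input error.
    """
    if severity == "S0" or exposure == "E0" or controllability == "C0":
        return "QM"
    try:
        return ASIL_TABLE[severity][exposure][C_INDEX[controllability]]
    except KeyError:
        raise ValueError(
            f"invalid classification {severity}/{exposure}/{controllability}"
        ) from None


def allowed_decompositions(asil):
    """Pairs (x, y), x >= y, into which a safety requirement of `asil`
    may be decomposed per ISO 26262-9 clause 5. Expressed numerically:
    two redundant elements whose ASIL ranks add up to the original rank,
    which reproduces D -> C+A, B+B, D+QM; C -> B+A, C+QM; B -> A+A, B+QM;
    A -> A+QM. QM is not decomposed."""
    goal = ASIL_RANK[asil]
    if goal == 0:
        return set()
    pairs = set()
    for x in range(goal + 1):
        y = goal - x
        if x >= y:
            pairs.add((RANK_ASIL[x], RANK_ASIL[y]))
    return pairs


def check_decomposition(goal_asil, path_asils, paths_independent):
    """Return (ok, reason) for a proposed decomposition of a safety goal.

    `path_asils` are the ASILs of the redundant paths. `paths_independent`
    is the outcome of the dependent-failure (common cause) analysis the
    article refers to: decomposition is only permitted when common cause
    failures between the paths are excluded.
    """
    if not paths_independent:
        return False, "common cause failures not excluded: paths are not independent"
    if len(path_asils) != 2:
        return False, "a decomposition step is applied to exactly two elements"
    pair = tuple(sorted(path_asils, key=lambda a: ASIL_RANK[a], reverse=True))
    scheme = f"{pair[0]}({goal_asil}) + {pair[1]}({goal_asil})"
    if pair not in allowed_decompositions(goal_asil):
        return False, f"{scheme} is not an allowed decomposition of ASIL {goal_asil}"
    return True, scheme


if __name__ == "__main__":
    # Constructed classification of "driver distracted by the entertainment
    # system while driving"; S3/E4/C2 is an assumption for illustration.
    goal = determine_asil("S3", "E4", "C2")
    # The simple speed-gating circuit carries the full ASIL, the complex
    # entertainment stack is developed at QM; independence is assumed shown.
    print(goal, check_decomposition(goal, ["QM", goal], paths_independent=True))
    print(goal, check_decomposition(goal, ["QM", goal], paths_independent=False))
```

The notation "C(D)" follows the standard: an element developed to ASIL C after decomposition of an ASIL D requirement. Note that the independence check is modelled as a boolean input on purpose: it is the result of an analysis, not something a script can decide.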
In particular, the effects of safety-relevant modifications during a project need to be assessed in detail to meet the requirements of the safety life cycle in each development stage. Here ISO 26262 requires continuous change management: changes need to be assessed regarding their effects on functional safety (impact analysis) and implemented and documented traceably. This has a significant influence on the entire business-process landscape of a company, since many new process steps need to be introduced. Requirements for the validation measures of the individual development steps have to be defined exactly. The basis of the development process defined in ISO 26262 is the traditional V-model, FIGURE 3. The V-model is used for development work at system level as well as for hardware and software development. The end-to-end traceability of requirements is of particular importance: a requirement needs to be traceable at any time from the system level down to the module level and vice versa. Likewise, the connection between requirements and the tests on the right-hand side of the V-model must exist. Usually the creation and maintenance of the traceability of requirements and tests is a major challenge for medium-sized enterprises with their typical business structures.
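The bidirectional traceability just described (system level to module level and back, and from every requirement to at least one test) is what a requirements-management tool checks automatically. The following Python script is an added example, not code from the article or from Mobil Elektronik, that performs such a check over constructed requirement records and tagged test sources. The SYS-/SW- identifiers, the record layout and the "@verifies" tag are assumptions of this example; no real tool format is implied.

```python
"""Bidirectional requirement/test traceability check.

Added example; not code from the article or from Mobil Elektronik.
Identifier formats (SYS-nnn, SW-nnn) and the '@verifies' tag are assumed.
"""
import re
from collections import defaultdict

# Constructed requirement records: (id, level, parent id or None, text).
REQUIREMENTS = [
    ("SYS-001", "system", None, "Rear-axle angle shall follow the commanded angle within tolerance"),
    ("SYS-002", "system", None, "On a detected fault the rear axle shall go to the safe state"),
    ("SW-010", "software", "SYS-001", "Controller computes valve current from angle error"),
    ("SW-011", "software", "SYS-001", "Angle sensor input is range-checked every cycle"),
    ("SW-020", "software", "SYS-002", "Safe state commanded when plausibility check fails"),
    ("SW-099", "software", "SYS-007", "Orphan: its parent system requirement does not exist"),
]

# Constructed test sources, tagged the way a scanning tool would expect.
TEST_SOURCES = {
    "test_controller.c": """
        /* @verifies SW-010 */
        void test_valve_current_tracks_angle_error(void) { }
        /* @verifies SW-011 */
        void test_sensor_range_check_rejects_out_of_range(void) { }
    """,
    "test_system.py": """
        # @verifies SYS-001
        def test_angle_follows_command(): ...
        # @verifies SW-020 SW-031
        def test_safe_state_on_plausibility_failure(): ...
    """,
}

# One tag may list several requirement ids separated by whitespace.
TAG_RE = re.compile(r"@verifies\s+([A-Z]+-\d+(?:\s+[A-Z]+-\d+)*)")


def parse_test_links(sources):
    """Map requirement id -> set of test files that claim to verify it."""
    links = defaultdict(set)
    for fname, text in sources.items():
        for m in TAG_RE.finditer(text):
            for rid in m.group(1).split():
                links[rid].add(fname)
    return links


def check_traceability(requirements, sources):
    """Return findings per check; an empty list means that check passed."""
    ids = {r[0] for r in requirements}
    parent = {r[0]: r[2] for r in requirements}
    children = defaultdict(set)
    for rid, _level, par, _text in requirements:
        if par is not None:
            children[par].add(rid)
    links = parse_test_links(sources)
    return {
        # upward: every derived requirement must point at an existing parent
        "dangling_parent": sorted(r for r, p in parent.items()
                                  if p is not None and p not in ids),
        # downward: every top-level requirement must be refined by a lower one
        "not_refined": sorted(r for r, _l, p, _t in requirements
                              if p is None and not children[r]),
        # right-hand side of the V: every requirement needs at least one test
        "untested": sorted(r for r in ids if r not in links),
        # tests must not cite unknown ids (typo, or requirement deleted)
        "unknown_in_tests": sorted(r for r in links if r not in ids),
    }


def coverage_matrix(requirements, sources):
    """Requirement id -> sorted list of test files, the matrix tools export."""
    links = parse_test_links(sources)
    return {rid: sorted(links.get(rid, ())) for rid, *_ in requirements}


if __name__ == "__main__":
    for check, hits in check_traceability(REQUIREMENTS, TEST_SOURCES).items():
        print(f"{check:18s} {'OK' if not hits else ', '.join(hits)}")
    for rid, tests in coverage_matrix(REQUIREMENTS, TEST_SOURCES).items():
        print(f"{rid:8s} -> {tests or '(no test)'}")
```

On the constructed data the script reports SW-099 as dangling (its parent SYS-007 does not exist), SYS-002 and SW-099 as untested, and SW-031 as an id cited by a test that no requirement defines. Those are exactly the breaks in traceability that are easy to miss when the matrix is maintained by hand, and the check is cheap enough to run in every build.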
FIGURE 1 Determination of the risk classes according to the safety standard ISO 26262-3 and its tables 1, 2, 3, 4 and B1, B2, B4 (source: ISO 26262-3:2011, Beuth-Verlag; Mobil Elektronik)

Classes of severity
  S0  No injuries                                  AIS 0
  S1  Light and moderate injuries                  AIS 1 and 2
  S2  Severe and life-threatening injuries         AIS 3 and 4
  S3  Life-threatening injuries, fatal injuries    AIS 5 and 6

Classes of probability of exposure regarding operational situations
  E1  Very low probability     not specified
  E2  Low probability          < 1 % of operating time
  E3  Medium probability       1 % to 10 % of operating time
  E4  High probability         > 10 % of operating time

Classes of controllability (share of drivers able to control the situation)
  C0  Controllable in general                 not specified
  C1  Simply controllable                     99 % or more
  C2  Normally controllable                   90 % or more
  C3  Difficult to control or uncontrollable  less than 90 %

ASIL determination (rows: severity and exposure; columns: controllability)
                 C1       C2       C3
  S1   E1        QM       QM       QM
       E2        QM       QM       QM
       E3        QM       QM       ASIL A
       E4        QM       ASIL A   ASIL B
  S2   E1        QM       QM       QM
       E2        QM       QM       ASIL A
       E3        QM       ASIL A   ASIL B
       E4        ASIL A   ASIL B   ASIL C
  S3   E1        QM       QM       ASIL A
       E2        QM       ASIL A   ASIL B
       E3        ASIL A   ASIL B   ASIL C
       E4        ASIL B   ASIL C   ASIL D

The processes described here also inevitably influence product liability. The basis for implementing processes according to ISO 26262 is an existing and established ISO 9001 quality management system, which nowadays should no longer be a problem for medium-sized enterprises. However, ISO 26262 compliant processes additionally require a so-called functional safety manager who is formally and organisationally independent of the development department. Depending on the customer's requirements regarding the ASIL of the components to be produced, independent testers and reviewers might also be necessary: depending on the ASIL, ISO 26262 requires different degrees of independence of the reviewer for the safety assessment and the confirmation reviews. Medium-sized enterprises often cannot realise the required independence internally. The new processes increase the amount of work for the development of

products. This increase results in higher costs, reflected accordingly in sales prices. If these prices are not feasible, the margin is significantly affected.

FIGURE 2 Overview of existing standards with IEC 61508 as starting point; automotive relevance is marked in the original (Mobil Elektronik)
  IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems
  Automotive: ISO 26262
  Control systems, machinery: EN ISO 13849, EN 62061
  Gas measuring: EN 50271, EN 50402
  Nuclear: IEC 61513, IEC 60880
  Aviation: DO 178B
  Railway: EN 50126, EN 50128, EN 50129
  Medical: IEC 62304
  Automation: IEC 61511

HOW HAS ISO 26262 BEEN SUCCESSFULLY IMPLEMENTED?

The basis for a successful implementation of the standard is a continuous, usually new, process landscape of the company in line with ISO 26262. Mobil Elektronik has analysed its status quo within an extensive internal project, detected deviations and established a new process landscape under the name Mobil Elektronik Product Development Process (ME-PEP), FIGURE 4. The project was started in 2014 with the support of external business consulting and finished in mid-2015.

The quality gates 1 to 8 ensure that customer requirements and changes are assessed regarding their influence on the safety system at each stage of the product development process, FIGURE 3. If there is an influence, the safety concept can be changed accordingly and the necessary work packages in the development initiated. Although ISO 26262 is stricter than its predecessor IEC 61508, it nevertheless offers possibilities to limit the necessary effort by tailor-made processes.

FIGURE 3 Traditional V-model of the product development process according to the safety standard ISO 26262-6 (source: ISO 26262-6:2011, Beuth-Verlag; Mobil Elektronik)
  Left (design) side, each step followed by a design-phase verification: 4-7 System design; 6-5 Initiation of product development at the software level; 6-6 Specification of software safety requirements; 6-7 Software architectural design; 6-8 Software unit design and implementation; then manufacturing.
  Right (test) side, each step followed by a test-phase verification: 6-9 Software unit testing; 6-10 Software integration and testing; 6-11 Verification of software safety requirements; 4-8 Item integration and testing.
  Each design step on the left is linked to its corresponding test level on the right (software testing, item testing).

FIGURE 4 Structure of the Mobil Elektronik Product Development Process (ME-PEP) (Mobil Elektronik)
  Quality gates 1 to 8 along the phases inquiry, quotation, project start and series production process; management layers: project management (PM) and series PM; development layers: system development, functional safety, development of components, and the life cycle of the product.

TAILOR-MADE PROCESSES

Medium-sized enterprises are often faced with both large-scale and very small projects. That is why it is necessary, and also possible, to tailor the processes depending on the project size. This means the processes need to be designed in a way that they can be tailored. It is necessary to analyse individually for each project which work products and which processes are required in the particular case. Tailoring has its limits, however: especially when developing components for functional safety, the work products to be produced must be selected with care for the specific project. For instance it is always required to define the responsibilities during product development clearly, towards the customer but also towards the supplier. The corresponding work product in ISO 26262 is called the Development Interface Agreement, DIA for short. A DIA is fundamentally important for every project related to functional safety and cannot be omitted.

TOOL-BASED APPROACH

Furthermore it is essential to reduce the effort for the traceability of requirements and their allocation to tests on the different test levels. An increasing number of requirements results in a disproportionate increase of effort. Establishing and maintaining the connections between system requirements, component requirements, component tests and system tests manually is not reasonably feasible even for a relatively small number of requirements.
That is why it is important for medium-sized enterprises to switch to tool-based approaches at an early stage. Appropriate requirements management software tools, or more general application lifecycle management tools, support the user in establishing and maintaining requirements and tests as well as in connecting the individual elements, partly with specific support for ISO 26262. The proof required by the standard that each requirement is covered by at least one test is thereby generated fully automatically in the background. These tools also considerably simplify further supporting processes required by the standard (for example configuration management). That way the effort is kept within limits and the cost-price structure is not put under unnecessary pressure.

DECOMPOSITION

ISO 26262 offers the possibility of so-called decomposition, by which a high ASIL can be divided into several parallel paths of lower ASIL. This particularly makes sense if a complex basic function (for example the entertainment system) needs a simple but highly rated safety function (for example "the entertainment system must not be used when driving"). With decomposition the complex basic function can be developed with a low or no ASIL, while the costly development at a high ASIL is only required for a simple function block. In the entertainment example an independent path would have to be created, in which a simple circuit assesses the vehicle's speed and switches off the entertainment system above a defined threshold. Usually the decomposition of a system results in less total effort than developing the entire function at a high ASIL. Decomposition is linked to boundary conditions: for instance it is only permitted if common cause failures can be excluded across all ASIL paths of the decomposition, i.e. the paths must be sufficiently independent. Corresponding analyses help to discover common cause failures.

IMPLEMENTATION

ISO 26262 also influences the actual implementation. Depending on the required ASIL, different requirements are specified regarding the programming language used and the

coding standards applied. For instance, it is advisable to restrict the very wide language range of C by using the MISRA rules [3]. ISO 26262 places requirements on verification and validation that are as high as those on specification. Tests take place on different levels; here too the requirements are difficult to handle without a tool-based approach for module tests and system tests.

RESULTS AND CURRENT USE CASE

The new development process at Mobil Elektronik has already been confirmed as ISO 26262 compliant by TÜV Nord after a process audit. A major commercial vehicle manufacturer approached Mobil Elektronik with very high requirements: the electrohydraulic auxiliary steering for a rear axle had to comply with ASIL D, because the manufacturer's hazard and risk analysis specified this. Only through the early implementation of the processes described here, and strict compliance with them, did Mobil Elektronik succeed in developing a new safety steering computer for this project, based on a new software and hardware architecture. First article inspections have already taken place.

FUTURE MARKET REQUIREMENTS

Manufacturers of vehicles with more than 3500 kg total weight will be forced in the medium term to accept the new regulations and to comply with ISO 26262. Although ISO 26262 is currently still limited to road vehicles with a maximum gross weight of 3500 kg, it is apparent that many commercial vehicle manufacturers have already started implementing the standard. If an ASIL is specified instead of an established SIL in the specifications for electrical and electronic components, which are usually supplied externally, this has direct effects on the supplier, who also has to comply with this safety level. Mobil Elektronik was faced with the requirement to realise ASIL D for some safety-related functions. A new hardware platform and a new software architecture were necessary for this. The development process for software and hardware had been restructured beforehand to be ISO 26262 compliant, so that it could be built upon.

SUMMARY AND OUTLOOK

The ISO 26262 safety standard poses a major challenge for companies, since its implementation is expensive and time-consuming. To keep costs within limits, the standard offers the option to tailor the required processes to the requirements and needs of the individual project. However, the newly created process structure also has many advantages for the companies. It increases competitiveness because the new customer requirements can be met. Furthermore, these processes lead to a considerable step forward regarding quality, documentation and project management in the company. It is therefore recommended to establish the required processes early, to be ready in time for ISO 26262 compliance. External consulting can support this.

REFERENCES
[1] IEC 61508-1:2010: Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements. Online: ...en-61508-1/135302584, access: 29 September 2017
[2] ISO 26262:2011: Road vehicles - Functional safety. Parts 1 to 10. Online: https://www.iso.org/standard/43464.html, access: 29 September 2017
[3] MISRA C:2012: Guidelines for the Use of the C Language in Critical Systems. ISBN 978-1-906400-10-1 (paperback), ISBN 978-1-906400-11-8 (PDF), March 2013


