ISO 26262 Functional Safety Draft International Standard


ISO 26262 Functional Safety Draft International Standard for Road Vehicles: Background, Status, and Overview
Barbara J. Czerny, Joseph D’Ambrosio, Rami Debouk, General Motors Research and Development
Kelly Stashko, General Motors Powertrain
ISO 26262 Road Vehicles - Functional Safety Draft International Standard Tutorial, ISSC 2010, Minneapolis, Minnesota

This tutorial presents an overview of the Draft International Standard (DIS) version of the proposed ISO 26262 Functional Safety standard for road vehicles. It conveys the content of the standard as it is currently drafted. Since the release of the DIS, additional technical and editorial changes to the text have been made, but these will not be covered in the tutorial slides. Permission was received from ISO to use content taken directly from the ISO/DIS and contained in this presentation. The process presented in this tutorial represents the ISO/DIS 26262 process and is not intended to reflect or discuss the processes of any specific individual manufacturer.

Roadmap / Overview
- Background
- Status
- Part 1: Vocabulary and Part 10: Guideline
- Part 2: Management of Functional Safety
- Part 3: Concept Phase
- Part 4: Product Development: System Level
- Part 5: Product Development: Hardware Level
- Break
- Part 6: Product Development: Software Level
- Part 7: Production and Operation
- Part 8: Supporting Processes
- Part 9: ASIL-oriented and Safety-oriented Analyses
- Key aspects that have evolved over time
- Summary
- Q&A

Background (Barbara J. Czerny)

What is ISO 26262?
- Adaptation of IEC 61508 to comply with the specific needs of E/E systems within road vehicles
- Specifies a functional safety lifecycle for automotive products
- Applies to all activities during the safety lifecycle of safety-related systems comprised of electrical, electronic, and software components
- Scope:
  - Series production passenger cars
  - Maximum gross weight up to 3500 kg
  - Does not apply to E/E systems in special purpose vehicles, e.g., vehicles designed for drivers with disabilities

Origins of ISO 26262 (Automotive IEC 61508) [diagram; only its labels are recoverable]
- Inputs: MISRA, BNA, FAKRA, OEMs, suppliers, technical services, IEC 61508, other safety standards, quality standards, engineering organisations and bodies, Automotive SPICE, HIS
- 2002: initial work of individual companies
- Timeline ticks: 2002, 2003, 1.2004, 9.2005
- 11.2005: first WG16 meeting
- ISO TC22 (Automotive), SC3 (E/E), WG16 (Functional Safety)

ISO 26262 Working Group 16 (active membership as of 10/2007)
- Convenor: Ch. Jung, Independent Consultant
- Secretary: E. Fritzsche, VDA
- Germany: BMW, Daimler, VW, Bosch, Continental
- France: PSA, Renault, Continental, Valeo
- UK: Landrover, MIRA, Renesas
- Sweden: Delphi, Volvo Cars, AB Volvo, Mecel
- Italy: Centro Ricerche Fiat, Fiat Auto, TRW
- Japan: Denso, Hitachi, Honda, Nissan, Toyota
- USA: GM, IBM, TRW
- Belgium: Nissan, Toyota Motor Europe

What’s the Difference Between IEC 61508 and ISO 26262?
IEC 61508:
1. Framework standard
2. Implied context of process/automation industries (where validation is done after install)
3. Safety Integrity Levels, “SIL”: SIL 1 – SIL 4; a measure of the reliability of safety functions; includes a quantitative target for the probability of a dangerous failure
4. Focus on safety functions
ISO 26262:
1. IEC 61508 automotive sector adaptation
2. Applies to vehicles with 4 wheels (carrying passengers, goods)
3. Automotive SIL, “ASIL”: ASIL A-D; based on the violation of a safety goal; provides requirements to achieve an acceptable level of risk
4. Focus on safety goals
5. Adds required work products
Mapping between the two: there is no exact mapping between SILs and ASILs. Loose mapping: SIL 1, 2, 3 correspond to ASIL A, B, and D; ASIL C falls between SIL 2 and SIL 3.

Prescriptive (IEC 61508) vs. Goal-Oriented (ISO 26262) Tables
Example: Part 4 Table 2, “System design verification”
Goal requirement: System design shall be verified for compliance and completeness with regard to the technical safety concept. In this aim, the methods and measures in Table 2 shall be considered.
Methods (the table’s per-ASIL recommendation marks for A-D are not legible in this transcription):
- 1a System design inspection (a)
- 1b System design walkthrough (a)
- 2a Simulation (b)
- 2b System prototyping and vehicle tests (b)
- 3 Safety analyses (c): see Table 1
(a) Methods 1a and 1b serve as a check of complete and correct detailing and implementation of the technical safety requirements into system design.
(b) Methods 2a and 2b can be used advantageously as a fault injection technique.
(c) For conducting safety analyses, see ISO 26262-9:—, Clause 8.
Source: ISO/DIS 26262

More Facts About ISO/DIS 26262
- Focus is on possible hazards caused by malfunctioning behavior of E/E safety-related systems (failures or unintended behaviours of an item with respect to its design intent)
- Process framework includes the following process steps/deliverables: safety plan & safety goals; safety case & documentation; bidirectional traceability; safety lifecycle; validation, verification and independent assessment
- Safety lifecycle corresponds to the automotive product lifecycle: development, validation, release for production (vs. development, installation and commissioning, validation in IEC 61508)
- Supports distributed development (e.g., division of work between OEMs/suppliers)
- Includes interactions between E/E safety-related systems
- Hazard analysis corresponds to automotive use cases
- Includes “Controllability” in risk assessment

Overview of ISO/DIS 26262 [figure; source: ISO/DIS 26262]

Flow and Organization of ISO 26262 [figure; source: ISO/DIS 26262; includes the ASIL-Oriented and Safety-Oriented Analysis part]

Status of Development
- ISO Draft International Standard made available for review by all SC 3 countries in July 2009
  - First time a version of the standard was made publicly available
- DIS ballot held in November 2009; the ballot passed
- Preparing the Final Draft International Standard (FDIS)
  - Working on resolving comments received with the DIS ballot
  - FDIS version will be handed over to ISO for publication in late 2010
  - Review of the FDIS will only be for editorial changes
  - Part 10 will have a second DIS ballot
- Expect publication as a full International Standard in mid-2011

Checkpoint Questions – Background and Status
1. On what standard is ISO 26262 based?
   A. ISO/IEC 12207 – Systems Software engineering – Software life cycle processes
   B. ISO/IEC 15504 – AutoSpice
   C. IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems
   D. None – ISO 26262 is completely new and developed for Automotive Safety
2. Is there a top level probability associated with an ASIL?
   A. Yes
   B. No
3. Name the fundamental steps/deliverables of the ISO 26262 Process Framework.
   A. Safety plan & safety goals, Safety case & documentation, Bidirectional traceability, Safety lifecycle, Validation, verification and independent assessment
   B. Safety plan & potential hazards, Safety cases & documentation, Bidirectional traceability, Safety lifecycle, Validation, verification and independent assessment
   C. Safety plan & safety goals, Safety case & documentation, Bidirectional traceability, Safety lifecycle, Validation, verification and external assessment
4. Is Controllability included in the Risk Assessment?
   A. Yes
   B. No


Part 1: Vocabulary & Part 10: Guideline on ISO 26262 (Informative) (Rami Debouk)


ISO/DIS 26262 Terms
- Safety: absence of unreasonable risk
- Risk: combination of the probability of occurrence of harm and the severity of that harm
- Harm: physical injury or damage to the health of people
- Severity: measure of the extent of harm to an individual in a specific situation
- Exposure: state of being in an operational situation that can be hazardous if coincident with the failure mode under analysis
- Controllability: avoidance of the specified harm or damage through the timely reactions of the persons involved
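The three risk factors defined above (severity, exposure, controllability) are what a hazard analysis and risk assessment turns into an ASIL for each hazardous event. The following Python is an added example, not part of the tutorial slides or any GM material: it classifies each factor, looks up the ASIL, and rolls the results up to the highest ASIL the way a safety goal inherits it. The class scales S0-S3, E0-E4, C0-C3 and the ASIL determination table are taken from ISO 26262-3 as published, which this page does not reproduce; treat them as an assumption to be checked against your own copy of the standard. The sample hazardous events are constructed for illustration.

```python
"""Hazard analysis and risk assessment (HARA) helper: S/E/C -> ASIL.

Added example, not from the tutorial.  The class scales and the lookup
table follow ISO 26262-3 (ASIL determination) as published; they are an
assumption here and should be checked against your copy of the standard.
"""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    S0 = 0  # no injuries
    S1 = 1  # light and moderate injuries
    S2 = 2  # severe and life-threatening injuries, survival probable
    S3 = 3  # life-threatening or fatal injuries, survival uncertain


class Exposure(IntEnum):
    E0 = 0  # incredible
    E1 = 1  # very low probability
    E2 = 2  # low probability
    E3 = 3  # medium probability
    E4 = 4  # high probability


class Controllability(IntEnum):
    C0 = 0  # controllable in general
    C1 = 1  # simply controllable
    C2 = 2  # normally controllable
    C3 = 3  # difficult to control or uncontrollable


# ASIL determination table (assumed from ISO 26262-3), indexed by
# severity, then exposure, then a tuple over controllability C1..C3.
# "QM" means no ASIL is assigned: quality management measures suffice.
ASIL_TABLE = {
    Severity.S1: {
        Exposure.E1: ("QM", "QM", "QM"),
        Exposure.E2: ("QM", "QM", "QM"),
        Exposure.E3: ("QM", "QM", "A"),
        Exposure.E4: ("QM", "A", "B"),
    },
    Severity.S2: {
        Exposure.E1: ("QM", "QM", "QM"),
        Exposure.E2: ("QM", "QM", "A"),
        Exposure.E3: ("QM", "A", "B"),
        Exposure.E4: ("A", "B", "C"),
    },
    Severity.S3: {
        Exposure.E1: ("QM", "QM", "A"),
        Exposure.E2: ("QM", "A", "B"),
        Exposure.E3: ("A", "B", "C"),
        Exposure.E4: ("B", "C", "D"),
    },
}


def determine_asil(s: Severity, e: Exposure, c: Controllability) -> str:
    """Return 'QM' or 'A'..'D' for one hazardous event.

    A class of S0, E0 or C0 means the event needs no ASIL, so QM is returned
    before the table is consulted.
    """
    if s == Severity.S0 or e == Exposure.E0 or c == Controllability.C0:
        return "QM"
    return ASIL_TABLE[s][e][c - 1]


@dataclass(frozen=True)
class HazardousEvent:
    """One row of a HARA table: a hazard in an operational situation."""
    hazard: str
    situation: str
    severity: Severity
    exposure: Exposure
    controllability: Controllability


def assess(events):
    """Run the ASIL determination over a list of hazardous events.

    Returns (hazard, situation, ASIL) tuples, ready for safety-goal derivation.
    """
    return [(ev.hazard, ev.situation,
             determine_asil(ev.severity, ev.exposure, ev.controllability))
            for ev in events]


def highest_asil(asils):
    """Highest ASIL in a collection: a safety goal that covers several
    hazardous events takes the highest ASIL among them."""
    order = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}
    return max(asils, key=order.__getitem__)


# Constructed sample HARA rows (illustrative values, not from any real item).
SAMPLE_EVENTS = [
    HazardousEvent("Unintended acceleration", "City driving, pedestrian crossing",
                   Severity.S3, Exposure.E4, Controllability.C3),
    HazardousEvent("Loss of propulsion", "Highway, lane change",
                   Severity.S2, Exposure.E3, Controllability.C2),
    HazardousEvent("Instrument cluster blank", "Parked, engine off",
                   Severity.S0, Exposure.E4, Controllability.C1),
]

if __name__ == "__main__":
    for hazard, situation, asil in assess(SAMPLE_EVENTS):
        print(f"{asil:>2}  {hazard} / {situation}")
```

The explicit table is kept rather than a formula so that a reviewer can compare it cell by cell with the standard; the S0/E0/C0 short-circuit is where an assessment most often goes wrong in practice, since those classes sit outside the table and must not be treated as the lowest row.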

ISO/DIS 26262 Terms: Item, system, element, and component [diagram; only its labels are recoverable]
- Item, made up of one or more systems
- System, made up of E/E components: sensor, communication, controller, other components
- Components: hardware components and software components
- Hardware components are made up of hardware parts; software components are made up of software units
- The diagram’s legend marks the levels that count as an Element and those that count as a Component
- A software component consists of one or more software components, or software units, or both

ISO/DIS 26262 Terms: Failure Types
- Random hardware failures: a failure that may occur unpredictably during the lifetime of a hardware element and that follows a probability distribution
- Systematic failures: a failure of an element or item that is caused in a deterministic way during development, manufacturing, or maintenance
  - All software faults and a subset of hardware faults are systematic

ISO 26262 Terms: Safety Mechanism
- Activity or technical solution to detect / avoid / control failures or mitigate their harmful effects
- Implemented by an E/E function or element or in other technologies
- The safety mechanism is either able to switch to or maintain the item in a safe state, or able to alert the driver such that the driver is expected to control the effect of the failure

ISO 26262 Terms: Work Products
- Information or data
- The result of one or more system safety process activities
- Format appropriate to the work product’s content: data files, models, source code, etc.
- May include currently existing documents
- Several work products may be in one document

ISO 26262 Terms: Confirmation Measures
- Ensure the sufficient completion of work products and proper execution of the safety lifecycle
- Provide for the evaluation of the system safety activities and work products as a whole
- Used to determine the adequacy of achievement of the functional safety goals

ISO 26262 Terms: Safety Case
- Communicates a clear, comprehensive and defensible argument (supported by evidence) that a system is acceptably safe to operate in a particular context
- Includes references to safety requirements and supporting evidence AND a “safety argument” that describes how the safety requirements have been interpreted, allocated, decomposed, etc., and fulfilled as shown by the supporting evidence

Part 2: Management of Functional Safety (Rami Debouk)


Part 2: Management of Functional Safety [lifecycle figure; recoverable labels follow]
- 2.4 – 2.6 Management of Functional Safety, spanning Mgmt & Quality, Advanced Eng’g, Product Eng’g, Production and Service
- Concept phase: 3.4 Item Definition; 3.5 Initiation of the Safety Lifecycle; 3.7 Hazard Analysis and Risk Assessment; 3.8 Functional Safety Concept; Controllability; External Measures
- Product development: 4 System level (4.11 Release for production), 5 Hardware level, 6 Software level
- Planning: 7.5 Production Planning; 7.6 Operation Planning
- After SOP: 7.5 Production; 7.6 Operation, Service & Decommissioning; back to appropriate lifecycle phase
- 8.4 – 8.13 Supporting Processes

Overview
Functional Safety Management requires:
- Planning, coordinating, and documenting activities related to functional safety
- Implementing a management plan for all phases of the safety lifecycle, including:
  - Overall project-independent functional safety management activities
  - Safety management during development
  - Safety management after Start of Production (SOP)

Overall Project Independent Safety Management
Objectives:
- Define responsibilities of persons, departments and organisations in charge of each phase during the overall safety lifecycle
- Define management activities during the complete safety lifecycle
Management plan to incorporate:
- Safety culture
- Quality management
- Continuous improvement
- Training and qualification
- Application of the lifecycle

Safety Management during Development
Objectives:
- Define responsibilities of the persons, departments and organisations in charge of functional safety for each phase during development
  - Includes activities to ensure functional safety of the item
  - Includes activities for confirmation of functional safety measures
- Define management activities during the development phases
Management plan to incorporate:
- Allocation of safety responsibilities and duties
- All safety management activities during development
- Safety case
- Confirmation measures for assessment of functional safety

Safety Management during Development: Confirmation Measures
Confirmation review
- Purpose: Evaluate the safety activity wor
