Comparison 61508-26262

By

Fred Kaminski

kaminski@collossus.eu

Background

Hazard Analysis

Risk reduction

61508 Safety Lifecycle

61508 introduces an explicit safety lifecycle – Basic structure reappears in modified form in 26262 • Important principles include: • Hazard and risk analysis with safety requirements produced • Three types of risk reduction (only 1 in scope) • Phases for operation and disposal

Lifecycle 61508

The 61508 safety lifecycle does not align well with the typical product development processes >> followed by automotive manufacturers and their suppliers This is due to its heritage in industrial process control 61508 is aimed at low volume systems • Generally the system is built and tested, then installed on the plant, • and then safety validation is performed. There is independent safety assessment throughout the lifecycle

Automotive Lifecycles • The automotive industry is a mass-market, highvolume industry

• Safety validation is performed before (series) production – not after, as in 61508 – Makes sense, because of the high volume

• Since there is no concept of “series production” in 61508, it is not covered at all in that standard

• whereas 26262 does address requirements for production

Industry processes 61508 based Automotive industries 26262 based

Design

Production

Validation

Design

MASS Production

Validation

Comparison

61508 constraines

Safety functions are a central concept in 61508 It is important to understand the concept, partly in order to understand why they are not used in 26262 • Safety functions are what needs to be done in order to achieve the required level of safety Some safety functions are “on demand” or “low demand”

Usually found in protection systems that are separate from the EUC control system

Some safety functions are “high demand” or “continuous”

Usually found within the EUC control system

In general, safety functions are not found within the EUC itself

The EUC itself contains just the “normal” functionality Normal Functions

Safety Functions

Automotive Safety?

Is a ABS a safety function? • Consider an Anti-Lock Brake System (ABS)

61508 has stated that ABS is an example of an on demand protection system

– But in reality the functioning of ABS on a modern vehicle is closely bound to the operation of the powertrain itself

•It implements not only ABS but also a variety of

stability control functions

– Therefore it performs both “safety” and

“normal” functions

Source: http://protoncar.files.wordpress.com/2010/11/abspump.jpg

61508 Requirements about Safety

• Hazard analysis produces safety function requirements The functions the system must perform to achieve safe operation

• Risk assessment produces safety integrity requirements The likelihood of a safety function being performed satisfactorily

The 61508 Safety Ranking

61508 introduced a concept of Safety Integrity Levels (SILs) that are associated with Safety Integrity Requirements A modified version reappears in 26262 as Automotive Safety Integrity Levels Safety Integrity Levels do not apply to systems in 61508

– They apply to safety functions!

But we have seen that in the automotive industry it is difficult to separate safety functions from “normal” functions

– In fact, practitioners in the automotive industry tend implicitly to allocate SILs to system rather than functions for that reason

Picture Source: http://www.drucksensor-knowhow.de/wp-content/uploads/2010/04/WIKA-SIL-Logo_20091-e1271422726980.jpg

Proabilitics

Problems with Proabilitics Because of the probabilistic approach to SILs in 61508, a myth has arisen: “Only quantitative risk assessment (e.g. demonstration of a failure rate) can be applied – In fact, the standard recognizes and allows both quantitative and qualitative risk assessment • However, because SILs are stated in probabilistic terms, in practice there is a tendency to use these probabilities as risk reduction requirements / targets >> The Automotive SIL in 26262 has no such probabilistic implications

61508 metrics

61508 specifies required techniques and measures to be applied at the different safety integrity levels.

– 26262 inherits this idea

These techniques and measure are specific and prescriptive

• Many of them are only applicable to the process control sector

• Conversely, many techniques in commonplace use in the automotive sector are not mentioned

26262 metrics

In contrast to 61508, the 26262 standard recommends methods and measures based on automotive practices

– Example: model based development with code generation

• Where possible, these methods and measures have been stated as a goal rather than a specific, prescriptive practice

61508 and Supply chain

61508 has an implicit assumption that the system will be designed and implemented by one organization – It does not address the supply chain structure commonly found in the automotive industry – Automotive systems are generally produced by one or more suppliers of the customer: OEM, Tier-1, etc. • 26262 includes specific requirements for managing development across multiple organizations Example: Development Interface Agreement (DIA)

HMI (Human Interface)

Due to its origins in industrial process control, 61508 actually has a narrower focus than 26262!

26262 must deal with a wider range of issues, because human beings (the drivers, passengers, pedestrians) are an integral part of the overall automotive system and environment

– E.g. “Controllability” concept

Normative status

IEC 61508 has the following parts: – Part 1: General requirements – Part 2: Requirements for E/E/PE safety-related systems – Part 3: Software requirements – Part 4: Definitions and abbreviations – Part 5: Examples of methods for the determination of safety integrity levels – Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 – Part 7: Overview of techniques and measures

• Contrary to popular myth, only the first four parts are normative! – The other three parts are only informative – In particular, Part 5 on hazard classification is only informative

• In 26262, the requirements on hazard classification are normative – That is important for the concrete application of the standard

Classifications

The lack of normative requirements on hazard classification in 61508 can lead to problematic sistuations

• Use of the two different standards 61508 and 26262 often leads to different SIL classifications!

• Indeed there is no perfect mapping between the 61508 SIL and the 26262 ASIL

Conclusion 26262 Features Introduces a concrete safety

lifecycle Introduces the concept of

Safety Integrity Levels Permits both quantitative

and qualitative risk assessment

Independent safety assessment follows the entire lifecycle

Generic with respect to any discipline

Introduces measures and techniques for risk reduction

61508 Issues

Safety lifecycle does not align well with typical automotive lifecycle

No concept of supply chain

No treatment of human factors concepts such as controllability

Techniques and measures are not specific to automotive domain

Techniques and measures in automotive domain are missing

Safety functions are rarely separable from normal functions in automotive systems

Contact

• Fred Kaminski

• Leopoldstrasse 12

• 16548 Glienicke

• Phone: +49 33056 92031

• Fax: +49 33056 92032

• Cell: +49 171 7808084 prefered

• kaminski@collossus.eu

• www.collossus.eu