
Page 1: Introduction to the ISO 26262 standard

Functional safety in the automotive field: a reference approach for the development of smart products

Introduction to the ISO 26262 standard

Seminar "La necessità di sicurezza per i prodotti Smart" (The need for safety in Smart products)

16 May 2016, Centro Congressi Unione Industriale di Torino

Renato Librino

Page 2: Introduction to the ISO 26262 standard

ISO 26262 Overview, Introduction, Rev. 0.6, Torino, 16 May 2016, Unione Industriale

Functional safety in the automotive field: a reference approach for the development of smart products

ISO 26262 Framework: the drivers behind the new electric/electronic systems

Road safety. EC target: to reduce the road-accident death rate by 75% (vs. 2001) before 2020. This calls for new functionalities for active safety: vehicle dynamic control and ADAS (Advanced Driver Assistance Systems).

Environmental protection. EC target: to reduce greenhouse gas emissions by at least 20% below 1990 levels before 2020. This calls for alternative propulsion vehicles: electric and hybrid.

Both trends are implemented through new electric/electronic (E/E) systems.

Page 3: Introduction to the ISO 26262 standard

ISO 26262 Framework: new electric/electronic systems

Safety-related systems: systems which interact closely with the vehicle dynamics and which, in case of failure, may cause unwanted effects on the control of the vehicle, resulting in harm to persons.

Safety-critical systems: if no measures are adopted to avoid those unwanted effects, the systems shall also be considered "safety-critical".

Page 4: Introduction to the ISO 26262 standard

ISO 26262 Framework: safety-critical systems

Characteristics of the new E/E systems that imply they must be considered "safety-critical":

• Complexity of the control systems, distributed over several electronic control units
• Interaction between the functions performed by the various systems, which may result in fault propagation that is difficult to control
• Advanced sensor technology that acquires information until now processed by the driver
• Actions on the vehicle dynamic control
• Complexity of managing the different suppliers of the various systems (consistency of specifications, integration difficulties, intellectual property constraints, etc.)

Page 5: Introduction to the ISO 26262 standard

ISO 26262 Framework: Safety and Functional Safety

Safety: freedom from unacceptable risk of physical injury or of damage to the health of people, either directly or indirectly as a result of damage to property or to the environment.

Functional Safety: absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E systems.

Page 6: Introduction to the ISO 26262 standard

Hazards: the possible sources of hazards

(Figure: the sources of hazards and how ISO 26262 treats them.)
• Addressed by ISO 26262: malfunctioning behaviour of E/E systems
• Indirectly addressed by ISO 26262: explosion, fire, toxicity, radiation, electric shock, corrosion, smoke

Page 7: Introduction to the ISO 26262 standard

ISO 26262 Framework: Functional Safety

The functional safety concept involves the management of risks by means of:
• identification of the hazards related to a specific scenario (hazardous event);
• application of appropriate measures (safety requirements, safety functions) at the level of the system architecture and/or of the hardware or software components, or of the vehicle, aimed at mitigating the effects of the hazards themselves.

Example:
• Operational situation: driving on a low-grip road
• Malfunction: a malfunction of the VDC (Vehicle Dynamic Control) system, which manifests itself as a lack of action of the yaw correction
• Hazard: loss of control of the vehicle (in that situation the malfunction causes the hazard)
• Harm: serious accident (the hazard may result in this harm)

Page 8: Introduction to the ISO 26262 standard

ISO 26262 Contents (safety lifecycle)

1 – Vocabulary
2 – Management of functional safety
3 – Concept phase
4 – Product development: system level
5 – Product development: hardware level
6 – Product development: software level
7 – Production and operation
8 – Supporting processes
9 – ASIL-oriented and safety-oriented analyses
10 – Guidelines on ISO 26262 (informative)

Part 1: Vocabulary. Terms, definitions and acronyms.

Part 2: Management of functional safety
• Requirements for functional safety management: overall safety management and project-specific requirements regarding the management activities in the safety lifecycle
• Confirmation measures management

Page 9: Introduction to the ISO 26262 standard

ISO 26262 Contents (safety lifecycle), continued

Part 3: Concept phase. Requirements for the concept phase, including:
• item definition
• initiation of the safety lifecycle
• hazard analysis & risk assessment
• functional safety concept definition

Part 4: Product development: system level. Methods and processes during product development at the system level, up to the product release. In particular, definition of the methods for the integration, verification and validation of the system.

Page 10: Introduction to the ISO 26262 standard

ISO 26262 Contents (safety lifecycle), continued

Part 5: Product development: hardware level. Methods and processes to be applied during hardware development. Particularly relevant are the metrics for diagnostic coverage.

Part 6: Product development: software level. Methods and processes to be applied during software development. In particular, definition of the requirements for software integration & testing.

Page 11: Introduction to the ISO 26262 standard

ISO 26262 Contents (safety lifecycle), continued

Part 7: Production and operation. Requirements for production, operation, service and decommissioning.

Part 8: Supporting processes. Requirements for the management of the supporting processes, including:
• interfaces within distributed developments (DIA, Development Interface Agreement)
• configuration management
• change management
• verification, to ensure that the work products comply with their requirements
• documentation
• qualification of SW tools and of SW & HW components
• proven-in-use argument

Part 9: ASIL-oriented and safety-oriented analyses. Methods and criteria for:
• ASIL decomposition
• management of the coexistence, within the same element, of sub-elements with different ASILs
• safety analyses to be performed during the concept and product development phases (FMEA, FTA, Markov models, RBD, etc.)

Part 10: Guideline on ISO 26262. Informative part, with additional explanations and application examples.

Page 12: Introduction to the ISO 26262 standard

Hazard Analysis & Risk Assessment

Hazard analysis: in a given scenario, a malfunction gives rise to a hazard; scenario and hazard together form the hazardous event, which may lead to harm.

Risk classification: each hazardous event is rated for
• severity (of the harm)
• exposure time (of the scenario)
• controllability (of the hazard)

Risk assessment:
• assessment of the risk related to every hazard in each scenario, by classification according to the Automotive Safety Integrity Level (ASIL)
• ASIL determination by: exposure time, controllability, severity

ASIL scale: QM (Quality Management: functions that are not safety-critical), ASIL A, ASIL B, ASIL C, ASIL D (most severe).

Page 13: Introduction to the ISO 26262 standard

ASIL criteria: Severity, Exposure, Controllability

Severity of damage (reference for single injuries given on the AIS, Abbreviated Injury Scale)
S0: No injuries. AIS 0; damage that cannot be classified as safety related, e.g. bumps with the infrastructure.
S1: Light and moderate injuries. More than 10% probability of AIS 1-6 (and not S2 or S3).
S2: Severe injuries, possibly life-threatening, survival probable. More than 10% probability of AIS 3-6 (and not S3).
S3: Life-threatening injuries (survival uncertain) or fatal injuries. More than 10% probability of AIS 5-6.

Probability of exposure (duration/probability of exposure; frequency of the situation)
E1: Very low probability. Duration not specified; situations that occur less often than once a year for the great majority of drivers.
E2: Low probability. Less than 1% of average operating time; situations that occur a few times a year for the great majority of drivers.
E3: Medium probability. 1% to 10% of average operating time; situations that occur once a month or more often for an average driver.
E4: High probability. More than 10% of average operating time; situations that occur during almost every drive on average.

Controllability
C0: Controllable in general, e.g. merely distracting.
C1: Simply controllable. More than 99% of average drivers or other traffic participants are usually able to control the damage.
C2: Normally controllable. More than 90% of average drivers or other traffic participants are usually able to control the damage.
C3: Difficult to control or uncontrollable. The average driver or other traffic participant is usually unable, or barely able, to control the damage.

ASIL determination (rows: severity and exposure; columns: controllability)

          C1   C2   C3
S1  E1    QM   QM   QM
S1  E2    QM   QM   QM
S1  E3    QM   QM   A
S1  E4    QM   A    B
S2  E1    QM   QM   QM
S2  E2    QM   QM   A
S2  E3    QM   A    B
S2  E4    A    B    C
S3  E1    QM   QM   A
S3  E2    QM   A    B
S3  E3    A    B    C
S3  E4    B    C    D

Page 14: Introduction to the ISO 26262 standard

Safety requirements

Hazard analysis & risk assessment: to identify and categorize hazardous events, and to specify ASILs and safety goals related to the prevention or mitigation of the associated hazards, in order to avoid unreasonable risk.

From each hazardous event (scenario + malfunction -> hazard -> harm), rated ASIL X, the following safety requirements are derived, each inheriting ASIL X:
• Safety goal
• Possible safe state
• Functional safety requirements: functional requirements that enable the achievement of the safety goals associated with the hazards and with their ASILs

Page 15: Introduction to the ISO 26262 standard

Safety requirements: functional safety concept

Functional safety concept
• Allocation of the functional safety requirements to the subsystems
• ASIL decomposition/assignment to the components, according to the rules of ASIL decomposition
• Assignment of additional requirements (plausibility check, no single point of failure, etc.)

Technical safety requirements
• Architecture, HW and SW components (technical specifications)

(Figure: partitioning and ASIL decomposition. The functional safety requirements, at ASIL D, are allocated to Subsystems A, B and C as functional requirements A, B and C, each still at ASIL D. Subsystem A is then decomposed into Subsystem A1 (functional requirements A1, ASIL C) and Subsystem A2 (functional requirements A2, ASIL A), plus additional requirements 1-2; each subsystem is finally described by technical specifications.)
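Worked example, added here and not part of the seminar slides: the S/E/C table of page 13 and the decomposition rules mentioned on page 15 encoded in Python, with the VDC example of page 7 run through them. ASIL_TABLE is copied row by row from the slide and DECOMPOSITION_PAIRS are the one-step pairs of ISO 26262-9; the function names, the HazardousEvent record and the S/E/C ratings assigned to the VDC event are assumptions made for illustration.

```python
"""Hazard classification (S/E/C -> ASIL) and ASIL decomposition, ISO 26262 style.

Added worked example; not code from the seminar slides. ASIL_TABLE is the
slide's S/E/C table (ISO 26262-3) copied row by row; DECOMPOSITION_PAIRS are
the one-step decomposition pairs of ISO 26262-9. Everything else (function
names, the HazardousEvent record and the S/E/C ratings of the sample VDC
event) is an assumption made for illustration.
"""
from dataclasses import dataclass

ASIL_LEVELS = ["QM", "A", "B", "C", "D"]  # ascending integrity

# Rows of the slide's ASIL table keyed (S, E); the tuple holds columns C1, C2, C3.
ASIL_TABLE = {
    (1, 1): ("QM", "QM", "QM"), (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),  (1, 4): ("QM", "A", "B"),
    (2, 1): ("QM", "QM", "QM"), (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A", "B"),   (2, 4): ("A", "B", "C"),
    (3, 1): ("QM", "QM", "A"),  (3, 2): ("QM", "A", "B"),
    (3, 3): ("A", "B", "C"),    (3, 4): ("B", "C", "D"),
}

# One-step decomposition pairs allowed by ISO 26262-9. The original ASIL stays
# attached in brackets to each half, e.g. ASIL D -> C(D) + A(D).
DECOMPOSITION_PAIRS = {
    "D": [("C", "A"), ("B", "B"), ("D", "QM")],
    "C": [("B", "A"), ("C", "QM")],
    "B": [("A", "A"), ("B", "QM")],
    "A": [("A", "QM")],
}


def asil_from_sec(s: int, e: int, c: int) -> str:
    """ASIL for severity S0-S3, exposure E0-E4, controllability C0-C3.

    A class of 0 (S0 no injuries, C0 controllable in general, and E0
    "incredible", which ISO 26262-3 defines but the slide omits) means the
    hazard needs no ASIL and is handled under quality management (QM).
    """
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"class out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"
    return ASIL_TABLE[(s, e)][c - 1]


def asil_sum_rule(s: int, e: int, c: int) -> str:
    """Closed form equivalent to the table: the ASIL rises one step for every
    point of S+E+C above 6 (S1+E1+C1 = 3 -> QM, S3+E4+C3 = 10 -> D). Useful as
    a cross-check that a hand-copied table has no transcription error."""
    if 0 in (s, e, c):
        return "QM"
    return ASIL_LEVELS[max(0, s + e + c - 6)]


def decomposition_options(asil: str) -> list:
    """Allowed pairs for splitting `asil` over two sufficiently independent elements."""
    return [(f"{a}({asil})", f"{b}({asil})") for a, b in DECOMPOSITION_PAIRS.get(asil, [])]


def is_valid_decomposition(original: str, part_a: str, part_b: str) -> bool:
    """True if `original` may be decomposed into part_a + part_b in one step.

    Only the level arithmetic is checked. ISO 26262-9 additionally requires the
    two elements to be sufficiently independent (supported by a dependent
    failure analysis) and keeps the original ASIL on the element that
    integrates them; that is an engineering argument, not a lookup.
    """
    pairs = DECOMPOSITION_PAIRS.get(original, [])
    return (part_a, part_b) in pairs or (part_b, part_a) in pairs


@dataclass(frozen=True)
class HazardousEvent:
    """One row of a HARA: operational situation + malfunction -> hazard -> harm."""
    situation: str
    malfunction: str
    hazard: str
    harm: str
    s: int
    e: int
    c: int

    @property
    def asil(self) -> str:
        return asil_from_sec(self.s, self.e, self.c)

    def safety_goal(self) -> str:
        """Top-level safety requirement derived from the hazard; it carries the ASIL."""
        return f"Avoid {self.hazard} caused by {self.malfunction} (ASIL {self.asil})"


# Constructed HARA row for the slide's VDC example; the S/E/C ratings are assumed.
VDC_YAW_EVENT = HazardousEvent(
    situation="driving on a low-grip road",
    malfunction="missing yaw correction by the VDC",
    hazard="loss of control of the vehicle",
    harm="serious accident",
    s=3,  # assumed: life-threatening or fatal injuries plausible
    e=2,  # assumed: low-grip roads a few times a year for most drivers
    c=3,  # assumed: the average driver is barely able to recover a yaw deviation
)

if __name__ == "__main__":
    ev = VDC_YAW_EVENT
    print(f"{ev.situation} + {ev.malfunction} -> {ev.hazard} -> {ev.harm}")
    print(ev.safety_goal())
    # The slide's partitioning: Subsystem A at ASIL D split into A1 (ASIL C) and A2 (ASIL A)
    print("options for ASIL D:", decomposition_options("D"))
    print("C + A valid:", is_valid_decomposition("D", "C", "A"))
    print("B + A valid:", is_valid_decomposition("D", "B", "A"))
```

With the assumed ratings the VDC event lands at ASIL B; changing exposure to E4 (a hazard present on almost every drive) moves it to ASIL D, which is the kind of sensitivity a HARA review should make explicit. The slide's split of Subsystem A (ASIL D) into A1 at ASIL C and A2 at ASIL A is the C(D) + A(D) pair; is_valid_decomposition only confirms that the levels add up, while the independence of A1 and A2 still has to be argued separately.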

Page 16: Introduction to the ISO 26262 standard

Basic concepts: Verification & Validation

Verification and validation of the safety requirements are mandatory:
• The safety requirements are verified by ensuring their coverage in the implementation
• The safety requirements are validated by examination and testing, using various methods, to ensure the achievement of the safe state and of the safety goals against failures (e.g. fault injection)

(Figure: the clauses below arranged as a V-model, with the safety goal, safe state and functional safety requirements at the top, verification along the descending branch and validation closing the loop on the ascending branch.)

4. Product development: system level
4-5 Initiation of product development at the system level
4-6 Specification of the technical safety requirements
4-7 System design
4-8 Item integration and testing
4-9 Safety validation
4-10 Functional safety assessment
4-11 Release for production

5. Product development: hardware level
5-5 Initiation of product development at the hardware level
5-6 Specification of hardware safety requirements
5-7 Hardware design
5-8 Hardware architectural metrics

6. Product development: software level
6-5 Initiation of product development at the software level
6-6 Specification of software safety requirements
6-7 Software architectural design
6-8 Software unit design and implementation

Page 17: Introduction to the ISO 26262 standard

Key points

Concept phase
• Hazard Analysis & Risk Assessment. ASIL determination: identification and classification of the hazards.
• Safety Goal: top-level safety requirement resulting from the hazard analysis and risk assessment.
• Safe State: operating mode of an item without an unreasonable level of risk.
• Functional safety requirements: specification of implementation-independent safety behaviour, or of an implementation-independent safety measure, including its safety-related attributes.

Product development
• Technical safety requirements: requirements derived for the implementation of the associated functional safety requirements; refined into HW safety requirements and SW safety requirements.
• Testing & Validation. Safety Validation: assurance, based on examination and tests, that the safety goals are sufficient and have been achieved.

Production & operation
• Safety requirements for manufacturing, serviceability and decommissioning (production, maintenance, decommissioning).

Page 18: Introduction to the ISO 26262 standard

Fault categories and countermeasures

Systematic failures
• Mitigation measures via proper design: development methods and design criteria (for SW faults: SW development methodologies)
• Proper testing
• Manufacturing, servicing... processes

Random hardware failures
• Proper components (low λ components)
• Redundancy, including heterogeneous redundancy (diversity)
• Safety mechanisms: diagnosis and fault controls

Page 19: Introduction to the ISO 26262 standard

Confirmation measures

Means of demonstrating the proper execution of the management processes and the achievement of functional safety:
• Confirmation reviews
• Functional safety audits
• Functional safety assessments

They demonstrate the compliance of the processes and of their outcomes (work products) against the ISO 26262 requirements, and ensure the functional safety of the system or network of systems (item) that performs the functions at vehicle level. These activities are to be performed by the vehicle manufacturers and their suppliers.

Page 20: Introduction to the ISO 26262 standard

ISO 26262 application to the product lifecycle

Page 21: Introduction to the ISO 26262 standard

ISO 26262 integration in the company processes

Integrated Company Management System: the company management processes are integrated so as to include all the applicable requirements:
• Quality: ISO 9001, ISO/TS 16949
• Environment: ISO 14001
• Health & Safety: OHSAS 18001
• Functional Safety requirements: ISO 26262, ISO/IEC 15504-10 (the safety extension of ISO/IEC 15504)
• Process improvement models: CMMI, A-SPICE, ISO/IEC 15504

The resulting Q-E-S management system aims at synergy, simplification, effectiveness and efficiency.

Page 22: Introduction to the ISO 26262 standard

Possible sources of malfunctioning: new issues to be covered?

Addressed by ISO 26262 (systematic failures):
• design
• manufacturing
• maintenance

Not addressed (yet) by ISO 26262:
• incorrect specification
• technology limitation
• critical environmental conditions
• malicious attacks

The emerging topics these call for: safety of the intended functionality (SIF), operational safety, ..., security.

Page 23: Introduction to the ISO 26262 standard

ISO 26262 implications: Functional Safety and Product Liability

The ISO 26262 standard:
• is intended to minimize the risks that can arise in all operating conditions
• represents the state of the art in safety in the automotive sector

Applying the standard, even though it is voluntary, is essential for the purposes of Product Liability, because demonstrable compliance with the state of the art is what protects a company in lawsuits following an accident caused by malfunctions of E/E safety-critical systems.

Page 24: Introduction to the ISO 26262 standard

ISO 26262 implications: main actions required at company level

All companies involved in the development of automotive E/E systems shall:
• increase their know-how on functional safety
• define their own functional safety development process
• adapt the organizational structure consistently, creating new professional roles such as Safety Manager, Safety Specialist and internal/external Assessors
• develop new products by applying ISO 26262
• perform independent Assessments
• provide testing tools for validation, e.g. including test benches for fault injection

Page 25: Introduction to the ISO 26262 standard

Conclusions

• The automotive sector is rich in smart systems
• The ISO 26262 standard pursues automotive criteria (high integration, low cost, safety, ...) that are also typical of smart systems
• The search for technical solutions relies on decomposition opportunities that allow compatibility with any technological and cost constraints
• Applying the standard nevertheless has a significant impact on the company, both organizationally and culturally
• Applying the standard is in any case an unavoidable path, even if not imposed by legislation