Introduction to the ISO 26262 standard
TRANSCRIPT
Functional safety in the automotive field: a reference approach for the development of smart products
Introduction to the ISO 26262 standard
Seminar "La necessità di sicurezza per i prodotti Smart" (The need for safety for Smart products)
16 May 2016, Centro Congressi Unione Industriale di Torino
Renato Librino
ISO 26262 Overview Introduction, Rev. 0.6, Torino, 16 May 2016, Unione Industriale
ISO 26262 Framework
Drivers for the new electric/electronic systems:
• Road safety. EC target: to reduce by 75% (vs. 2001) the death rate due to road accidents before 2020
• Environmental protection. EC target: to reduce greenhouse gas emissions by at least 20% below 1990 levels before 2020
New functionalities for active safety: vehicle dynamic control, ADAS - Advanced Driver Assistance Systems
Alternative propulsion vehicles: electric, hybrid
ISO 26262 Framework
New electric/electronic systems
• Safety-related systems: systems that interact closely with the vehicle dynamics; in case of failure they may cause unwanted effects on the control of the vehicle, resulting in harm to persons.
• Safety-critical systems: if measures to avoid such unwanted effects are not adopted, the systems shall also be considered "safety-critical".
ISO 26262 Framework
Safety-critical systems
Characteristics of the new E/E systems that imply they be considered "safety-critical":
• complexity of the control systems, distributed over various electronic control units
• interaction between the functions performed by the various systems, which may result in fault propagation that is difficult to control
• advanced sensor technology that acquires information until now processed by the driver
• actions on the vehicle dynamic control
• complexity of managing different suppliers of the various systems (consistency of specifications, difficulties of integration, intellectual property constraints, etc.).
ISO 26262 Framework
Safety and Functional Safety
Safety: freedom from unacceptable risk of physical injury or of damage to the health of people, either directly or indirectly as a result of damage to property or to the environment.
Functional Safety: absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E systems.
Hazards: the possible sources of hazards (diagram)
• Addressed by ISO 26262: malfunctioning behaviour of E/E systems
• Indirectly addressed by ISO 26262: explosion, fire, toxicity, radiation, electric shock, corrosion, smoke
ISO 26262 Framework
Functional Safety
The functional safety concept involves the management of risks by means of:
• identification of the hazards related to a specific scenario (hazardous event)
• application of appropriate measures (safety requirements, safety functions) at the level of system architecture and/or hardware or software components, or vehicle, aimed at mitigating the effects of the hazards themselves.
Example (diagram):
• Malfunction: a malfunction of the VDC system (Vehicle Dynamic Control), manifested by the lack of action of the yaw correction
• Operational situation: driving on a low-grip road
• Hazard: in that situation the malfunction may result in loss of control of the vehicle
• Harm: causing a serious accident
ISO 26262 Contents
Safety lifecycle (diagram of the Parts of the standard):
1 – Vocabulary
2 – Management of functional safety
3 – Concept phase
4 – Product development: system level
5 – Product development: hardware level
6 – Product development: software level
7 – Production and operation
8 – Supporting processes
9 – ASIL-oriented and safety-oriented analyses
10 – (Informative) Guidelines on ISO 26262
Part 1: Vocabulary. Terms, definitions and acronyms.
Part 2: Management of functional safety
• Requirements for functional safety management: overall safety management and project-specific requirements regarding the management activities in the safety lifecycle
• Confirmation measures management
Part 3: Concept phase. Requirements for the concept phase, including:
• item definition
• initiation of the safety lifecycle
• hazard analysis & risk assessment
• functional safety concept definition.
Part 4: Product development: system level. Methods and processes during product development at the system level up to the product release. In particular, definition of the methods for the integration, verification and validation of the system.
Part 5: Product development: hardware level. Methods and processes to be applied during the hardware development. Particularly relevant are the metrics for diagnostic coverage.
Part 6: Product development: software level. Methods and processes to be applied during the software development. In particular, definition of the requirements for software integration & testing.
Part 7: Production and operation. Requirements for production, operation, service and decommissioning.
Part 8: Supporting processes. Requirements for supporting processes management, including:
• interfaces within distributed developments (DIA)
• configuration management
• change management
• verification to ensure that the work products comply with their requirements
• documentation
• qualification of SW tools and SW & HW components
• proven in use argument.
Part 9: ASIL-oriented and safety-oriented analyses. Methods and criteria for:
• ASIL decomposition
• management of the coexistence within the same element of sub-elements with different ASILs
• safety analyses to be performed during the concept and product development phases (FMEA, FTA, Markov models, RBD, etc.)
Part 10: Guideline on ISO 26262. Informative Part, with additional explanation and application examples.
Hazard Analysis & Risk Assessment (diagram)
Hazard analysis: Scenario + Malfunction -> Hazard -> Hazardous event -> Harm
Risk classification: each hazardous event is classified by the severity of the harm, the exposure time and the controllability, which together give the ASIL.
Risk assessment
• Assessment of the risk related to every hazard referred to each scenario, by classification according to the Automotive Safety Integrity Level, ASIL
• ASIL determination by: exposure time, controllability, severity
ASIL levels: QM (Quality Management, not safety-critical functions), ASIL A, ASIL B, ASIL C, ASIL D (most severe)
ASIL criteria: Severity – Exposure – Controllability

Severity of damage (reference for single injuries on the AIS scale)
S0 – No injuries. Reference: AIS 0, damage that cannot be classified as safety-related, e.g. bumps with the infrastructure
S1 – Light and moderate injuries. Reference: more than 10% probability of AIS 1-6 (and not S2 or S3)
S2 – Severe injuries, possibly life-threatening, survival probable. Reference: more than 10% probability of AIS 3-6 (and not S3)
S3 – Life-threatening injuries (survival uncertain) or fatal injuries. Reference: more than 10% probability of AIS 5 and 6

Probability of exposure
E1 – Very low probability. Duration: not specified. Frequency: situations that occur less often than once a year for the great majority of drivers
E2 – Low probability. Duration: < 1% of average operating time. Frequency: situations that occur a few times a year for the great majority of drivers
E3 – Medium probability. Duration: 1% - 10% of average operating time. Frequency: situations that occur once a month or more often for an average driver
E4 – High probability. Duration: > 10% of average operating time. Frequency: all situations that occur during almost every drive on average

Controllability
C0 – Controllable in general. Definition: distracting
C1 – Simply controllable. Definition: more than 99% of average drivers or other traffic participants are usually able to control the damage
C2 – Normally controllable. Definition: more than 90% of average drivers or other traffic participants are usually able to control the damage
C3 – Difficult to control or uncontrollable. Definition: the average driver or other traffic participant is usually unable, or barely able, to control the damage

ASIL determination table (rows: severity and exposure; columns: controllability)

            C1    C2    C3
S1   E1     QM    QM    QM
     E2     QM    QM    QM
     E3     QM    QM    A
     E4     QM    A     B
S2   E1     QM    QM    QM
     E2     QM    QM    A
     E3     QM    A     B
     E4     A     B     C
S3   E1     QM    QM    A
     E2     QM    A     B
     E3     A     B     C
     E4     B     C     D
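As an added worked example (not part of the seminar slides), the S-E-C table above coded as a lookup and applied to the slides' VDC yaw-correction case. Assumptions: a class 0 on any axis (S0, E0, C0) yields QM, a safety goal covering several hazardous events takes the highest of their ASILs, and the S/E/C classes given to the two VDC situations are constructed for illustration, not taken from the slides.

```python
# Added example: ASIL determination from Severity / Exposure / Controllability.
# The matrix below reproduces the S-E-C table of the slide row by row.
from dataclasses import dataclass

# Row key = (S, E); the tuple holds the ASIL for C1, C2, C3 in that order.
ASIL_MATRIX = {
    ("S1", "E1"): ("QM", "QM", "QM"),
    ("S1", "E2"): ("QM", "QM", "QM"),
    ("S1", "E3"): ("QM", "QM", "A"),
    ("S1", "E4"): ("QM", "A", "B"),
    ("S2", "E1"): ("QM", "QM", "QM"),
    ("S2", "E2"): ("QM", "QM", "A"),
    ("S2", "E3"): ("QM", "A", "B"),
    ("S2", "E4"): ("A", "B", "C"),
    ("S3", "E1"): ("QM", "QM", "A"),
    ("S3", "E2"): ("QM", "A", "B"),
    ("S3", "E3"): ("A", "B", "C"),
    ("S3", "E4"): ("B", "C", "D"),
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]  # increasing stringency


def determine_asil(severity: str, exposure: str, controllability: str) -> str:
    """Look up the ASIL of one hazardous event from its S/E/C classes."""
    if (severity not in ("S0", "S1", "S2", "S3")
            or exposure not in ("E0", "E1", "E2", "E3", "E4")
            or controllability not in ("C0", "C1", "C2", "C3")):
        raise ValueError(f"unknown class: {severity} {exposure} {controllability}")
    if "0" in (severity[1], exposure[1], controllability[1]):
        return "QM"  # assumption: class 0 on any axis means no ASIL is required
    return ASIL_MATRIX[(severity, exposure)][int(controllability[1]) - 1]


@dataclass(frozen=True)
class HazardousEvent:
    malfunction: str
    situation: str
    hazard: str
    severity: str
    exposure: str
    controllability: str

    def asil(self) -> str:
        return determine_asil(self.severity, self.exposure, self.controllability)


def safety_goal_asil(events) -> str:
    """A safety goal covering several hazardous events takes the highest ASIL among them."""
    return max((e.asil() for e in events), key=ASIL_ORDER.index)


# Constructed classification of the slides' VDC example: same malfunction and
# hazard, but the operational situation changes exposure and controllability.
VDC_EVENTS = [
    HazardousEvent("VDC yaw correction not applied", "low-grip road",
                   "loss of control of the vehicle", "S3", "E3", "C3"),
    HazardousEvent("VDC yaw correction not applied", "dry road, straight driving",
                   "loss of control of the vehicle", "S3", "E4", "C1"),
]

if __name__ == "__main__":
    for ev in VDC_EVENTS:
        print(f"{ev.situation}: {ev.severity}/{ev.exposure}/{ev.controllability} -> {ev.asil()}")
    print("safety goal ASIL:", safety_goal_asil(VDC_EVENTS))
```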
Safety requirements (diagram)
Hazard analysis & risk assessment: for each scenario, Malfunction -> Hazard -> Hazardous event (ASIL X) -> Harm. Its purpose is to identify and categorize hazardous events and to specify ASILs and safety goals related to the prevention or mitigation of the associated hazards, in order to avoid unreasonable risk.
Safety requirements derived from each hazardous event, at its ASIL X:
• Safety goal
• Possible safe state
• Functional safety requirements: functional requirements that enable the achievement of the safety goals associated with the hazards and their ASILs
Safety requirements
Functional safety concept
• Allocation of functional safety requirements to the subsystems
• ASIL decomposition/assignment to the components according to the rules of ASIL decomposition
• Assignment of additional requirements (plausibility check, no single mode of failure, etc.)
Technical safety requirements
• Architecture, HW and SW components
Diagram (partitioning and ASIL decomposition): the functional safety requirements, at ASIL D, are partitioned into the functional requirements of Subsystem A, Subsystem B and Subsystem C, each allocated at ASIL D. Subsystem A is then decomposed into Subsystem A1 (functional requirements A1, ASIL C) and Subsystem A2 (functional requirements A2, ASIL A), with additional requirements 1-2 covering the pair; the technical specifications follow from this allocation.
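As an added example (not from the seminar slides), a checker for the ASIL decomposition step above. The slides show only the ASIL D -> ASIL C + ASIL A split of Subsystem A; the rule table coded here is the full decomposition scheme of ISO 26262 Part 9 (D into C+A, B+B or D+QM; C into B+A or C+QM; B into A+A or B+QM; A into A+QM). Assumption: the `independent_children` flag stands in for the dependent-failure analysis the standard requires before a decomposition may be claimed (the "no single mode of failure" additional requirement).

```python
# Added example: validating an ASIL allocation tree against the decomposition rules.
from dataclasses import dataclass, field

# Allowed decompositions: parent ASIL -> set of (child, child) pairs, sorted alphabetically.
# After decomposition each child keeps the original ASIL in brackets, e.g. C(D) + A(D).
DECOMPOSITION_RULES = {
    "D": {("A", "C"), ("B", "B"), ("D", "QM")},
    "C": {("A", "B"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}


@dataclass
class Element:
    name: str
    asil: str                           # ASIL allocated to this element
    independent_children: bool = False  # outcome of the dependent-failure analysis (assumed flag)
    children: list = field(default_factory=list)


def check_decomposition(parent: str, children) -> bool:
    """True if the two child ASILs form an allowed decomposition of `parent`."""
    return tuple(sorted(children)) in DECOMPOSITION_RULES.get(parent, set())


def validate(element: Element, errors=None) -> list:
    """Walk the allocation tree and collect rule violations; an empty list means valid."""
    errors = [] if errors is None else errors
    if element.children:
        kids = [c.asil for c in element.children]
        if len(kids) != 2 or not check_decomposition(element.asil, kids):
            errors.append(f"{element.name}: ASIL {element.asil} -> {'+'.join(kids)} is not allowed")
        elif not element.independent_children:
            errors.append(f"{element.name}: decomposition claimed without independence of its elements")
        for child in element.children:
            validate(child, errors)
    return errors


# Constructed allocation mirroring the slide: Subsystem A (ASIL D) -> A1 (ASIL C) + A2 (ASIL A).
SUBSYSTEM_A = Element("Subsystem A", "D", independent_children=True,
                      children=[Element("Subsystem A1", "C"), Element("Subsystem A2", "A")])

# Constructed counter-example: ASIL D split into two ASIL A elements is not an allowed pair.
BAD_SPLIT = Element("Subsystem X", "D", independent_children=True,
                    children=[Element("X1", "A"), Element("X2", "A")])

if __name__ == "__main__":
    for root in (SUBSYSTEM_A, BAD_SPLIT):
        print(root.name, "->", validate(root) or "valid")
```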
Basic concepts: Verification & Validation
Verification and validation of the safety requirements is mandatory:
• The safety requirements are verified by ensuring their coverage in the implementation
• The safety requirements are validated by examination and testing using various methods, to ensure the achievement of the safe state and the safety goals against failures (e.g. fault injection)
Diagram: the safety goal, safe state and functional safety requirements flow down into the product development Parts, where they are verified and validated through the following clauses.
4. Product development: system level
4-5 Initiation of product development at the system level
4-6 Specification of the technical safety requirements
4-7 System design
4-8 Item integration and testing
4-9 Safety validation
4-10 Functional safety assessment
4-11 Release for production
5. Product development: hardware level
5-5 Initiation of product development at the hardware level
5-6 Specification of hardware safety requirements
5-7 Hardware design
5-8 Hardware architectural metrics
6. Product development: software level
6-5 Initiation of product development at the software level
6-6 Specification of software safety requirements
6-7 Software architectural design
6-8 Software unit design and implementation
Key points (diagram of the safety lifecycle)
Concept phase
• Hazard Analysis & Risk Assessment. ASIL determination: identification and classification of the hazards.
• Safety Goal: top-level safety requirement as a result of the hazard analysis and risk assessment. Safe State: operating mode of an item without an unreasonable level of risk.
• Functional safety requirements: specification of implementation-independent safety behaviour, or implementation-independent safety measure, including its safety-related attributes.
Product development
• Technical safety requirements: requirements derived for the implementation of the associated functional safety requirements, refined into HW safety requirements and SW safety requirements.
• Testing & Validation. Safety Validation: assurance, based on examination and tests, that the safety goals are sufficient and have been achieved.
Production & operation
• Safety requirements for manufacturing, serviceability and decommissioning (production, maintenance, decommissioning).
Fault categories and countermeasures (diagram)
• Systematic failures: countered by development methods (design criteria; for SW faults, SW development methodologies; proper testing), by safety mechanisms, and by manufacturing, servicing, … processes.
• Random hardware failures: countered by proper components (low λ components), by mitigation measures via proper design (redundancy, heterogeneous redundancy (diversity), diagnosis), by safety mechanisms and by fault controls.
Confirmation measures
Means of demonstrating the proper execution of the management processes and the achievement of functional safety:
• Confirmation Reviews
• Functional Safety Audits
• Functional Safety Assessments
They demonstrate the compliance of the processes and the outcomes (work products) against the ISO 26262 requirements, and ensure the functional safety of the system or network of systems (item) that performs the functions at the vehicle level. These activities are to be performed by the vehicle manufacturers and their suppliers.
ISO 26262 application to the product lifecycle
ISO 26262 integration in the company processes
Integrated Company Management System: the company management processes are integrated so as to include all the applicable requirements:
• Quality: ISO 9001, ISO/TS 16949
• Environment: ISO 14001
• H&S: OHSAS 18001
• Functional Safety requirements: ISO 26262, ISO/IEC 15504-10
• Process improvement models: CMMI, A-SPICE, ISO/IEC 15504
Expected benefits of the integrated Q-E-S management system: synergy, simplification, effectiveness, efficiency.
Possible sources of malfunctioning (diagram): new issues to be covered?
• Addressed by ISO 26262 (systematic failures): incorrect specification, design, manufacturing, maintenance
• Not addressed (yet) by ISO 26262: technology limitation (safety of the intended functionality, SIF), critical environment conditions (operational safety, …), malicious attacks (security)
ISO 26262 implications
Functional Safety and Product Liability
The ISO 26262 standard:
• is intended to minimize the risks that can arise in all operating conditions
• represents the state of the art in safety in the automotive sector
Applying this standard, even if voluntary, is essential for the purposes of product liability, because it protects companies from lawsuits in case of an accident caused by malfunctions of E/E safety-critical systems.
ISO 26262 implications
Main actions required at Company level
All companies involved in the development of automotive E/E systems shall:
• increase their know-how on functional safety
• define their own functional safety development process
• consistently adapt the organizational structure, creating new professional roles such as Safety Manager, Safety Specialist, internal/external Assessors
• develop new products by applying ISO 26262
• perform independent Assessment
• provide testing tools for validation, e.g. including test benches for fault injection
Conclusions
• The automotive sector is rich in smart systems
• The ISO 26262 standard pursues automotive criteria: high integration, low cost, safety… which are typical of smart systems
• The search for technical solutions draws on decomposition opportunities that allow compatibility with any technological and cost constraints
• The application of the standard nevertheless has a significant impact on the company, both in organizational terms and in terms of culture
• The application of the standard is in any case an obligatory path, even if not imposed by legislation