ISO 26262 Functional Safety Draft International Standard

Transcription

ISO 26262 Functional Safety Draft International Standard for Road Vehicles: Background, Status, and Overview
Barbara J. Czerny, Joseph D’Ambrosio, Rami Debouk, General Motors Research and Development
Kelly Stashko, General Motors Powertrain
ISO 26262 Road Vehicles - Functional Safety Draft International Standard Tutorial
ISSC 2010 Minneapolis, Minnesota

This tutorial presents an overview of the Draft International Standard (DIS) version of the proposed ISO 26262 Functional Safety standard for road vehicles. It conveys the content of the standard as it is currently drafted. Since the release of the DIS, additional technical and editorial changes to the text have been made, but these will not be covered in the tutorial slides. Permission was received from ISO to use content taken directly from the ISO/DIS and contained in this presentation. The process presented in this tutorial represents the ISO/DIS 26262 process and is not intended to reflect or discuss the processes of any specific individual manufacturer.

Roadmap / Overview
- Background
- Status
- Part 1: Vocabulary and Part 10: Guideline
- Part 2: Management of Functional Safety
- Part 3: Concept Phase
- Part 4: Product Development: System Level
- Part 5: Product Development: Hardware Level
- Break
- Part 6: Product Development: Software Level
- Part 7: Production and Operation
- Part 8: Supporting Processes
- Part 9: ASIL-oriented and Safety-oriented Analyses
- Key aspects that have evolved over time
- Summary
- Q&A

Background
Barbara J. Czerny

What is ISO 26262?
- Adaptation of IEC 61508 to comply with the specific needs of E/E systems within road vehicles
- Specifies a functional safety lifecycle for automotive products
- Applies to all activities during the safety lifecycle of safety-related systems comprised of electrical, electronic, and software components
Scope:
- Series production passenger cars
- Maximum gross weight up to 3500 kg
- Does not apply to E/E systems in special purpose vehicles, e.g., vehicles designed for drivers with disabilities

Origins of ISO 26262 (Automotive IEC 61508)
(Figure.) Inputs shown feeding the standard: MISRA, BNA, FAKRA, OEMs, suppliers, technical services, IEC 61508, initial work of individual companies (2002), other safety standards, quality standards, engineering bodies, Automotive SPICE, HIS.
Timeline: 9.2005 ISO TC22 / SC3 / WG16 established; 11.2005 first WG16 meeting.
ISO TC22 (Automotive), SC3 (E/E), WG16 (Functional Safety).

ISO 26262 Working Group 16
Convenor: Ch. Jung, Independent Consultant
Secretary: E. Fritzsche, VDA
- Germany: BMW, Daimler, VW, Bosch, Continental
- France: PSA, Renault, Continental, Valeo
- UK: Landrover, MIRA, Renesas
- Sweden: Delphi, Volvo Cars, AB Volvo, Mecel
- Italy: Centro Ricerche Fiat, Fiat Auto, TRW
- Japan: Denso, Hitachi, Honda, Nissan, Toyota
- USA: GM, IBM, TRW
- Belgium: Nissan, Toyota Motor Europe
Active membership as of 10/2007

What’s the Difference Between IEC 61508 and ISO 26262?
IEC 61508:
1. Framework standard
2. Implied context of process/automation industries (where validation is done after install)
3. Safety Integrity Levels, “SIL”: SIL 1 – SIL 4; a measure of the reliability of safety functions; includes a quantitative target for the probability of a dangerous failure
4. Focus on safety functions
ISO 26262:
1. IEC 61508 automotive sector adaptation
2. Applies to vehicles with 4 wheels (carrying passengers, goods)
3. Automotive SIL, “ASIL”: ASIL A–D; based on the violation of a safety goal; provides requirements to achieve an acceptable level of risk
4. Focus on safety goals
5. Adds required work products
There is no exact mapping between SILs and ASILs. Loose mapping: ASILs A, B, and D correspond to SILs 1, 2, 3; ASIL C falls between SIL 2 and SIL 3.

Prescriptive (IEC 61508) vs. Goal-Oriented (ISO 26262) Tables
Example: Part 4 Table 2 “System design verification”
Goal requirement: System design shall be verified for compliance and completeness with regard to the technical safety concept. In this aim, the methods and measures in Table 2 shall be considered.
Table 2 columns: Methods; ASIL A, B, C, D (recommendation level per ASIL; the marks are not preserved in this transcription).
- 1a System design inspection (a)
- 1b System design walkthrough (a)
- 2a Simulation (b)
- 2b System prototyping and vehicle tests (b)
- 3 Safety analyses (c), see Table 1
a) Methods 1a and 1b serve as a check of complete and correct detailing and implementation of the technical safety requirements into system design.
b) Methods 2a and 2b can be used advantageously as a fault injection technique.
c) For conducting safety analyses, see ISO 26262-9: —, Clause 8.
Source: ISO/DIS 26262

More Facts About ISO/DIS 26262
- Focus is on possible hazards caused by malfunctioning behavior of E/E safety-related systems (failures or unintended behaviours of an item with respect to its design intent)
- Corresponds to the automotive product lifecycle: development, validation, release for production (vs. development, installation and commissioning, validation in IEC 61508)
- Supports distributed development (e.g., division of work between OEMs/suppliers)
- Includes interactions between E/E safety-related systems
- Hazard analysis corresponds to automotive use cases
- Includes “Controllability” in Risk Assessment
- Process Framework includes the following process steps/deliverables: safety plan & safety goals; safety case & documentation; bidirectional traceability; safety lifecycle; validation, verification and independent assessment

Overview of ISO/DIS 26262
(Figure. Source: ISO/DIS 26262)

Flow and Organization of ISO 26262
(Figure, including ASIL-oriented and safety-oriented analysis. Source: ISO/DIS 26262)

Status of Development
- ISO Draft International Standard made available for review by all SC 3 countries in July 2009; first time a version of the standard was made publicly available
- DIS ballot held in November 2009 and ballot passed
- Preparing Final Draft International Standard (FDIS):
  - Working on resolving comments received with the DIS ballot
  - FDIS version will be handed over to ISO for publication in late 2010
  - Review of FDIS will only be for editorial changes
  - Part 10 will have a second DIS ballot
- Expect publication as a full International Standard in mid-2011

Checkpoint Questions – Background and Status
1. On what standard is ISO 26262 based?
   A. ISO/IEC 12207 – Systems and software engineering – Software life cycle processes
   B. ISO/IEC 15504 – AutoSpice
   C. IEC 61508 – Functional safety of electrical/electronic/programmable electronic safety-related systems
   D. None – ISO 26262 is completely new and developed for automotive safety
2. Is there a top-level probability associated with an ASIL?
   A. Yes
   B. No
3. Name the fundamental steps/deliverables of the ISO 26262 Process Framework.
   A. Safety plan & safety goals, Safety case & documentation, Bidirectional traceability, Safety lifecycle, Validation, verification and independent assessment
   B. Safety plan & potential hazards, Safety cases & documentation, Bidirectional traceability, Safety lifecycle, Validation, verification and independent assessment
   C. Safety plan & safety goals, Safety case & documentation, Bidirectional traceability, Safety lifecycle, Validation, verification and external assessment
4. Is Controllability included in the Risk Assessment?
   A. Yes
   B. No

Part 1: Vocabulary & Part 10: Guideline on ISO 26262 (Informative)
Rami Debouk


ISO/DIS 26262 Terms
- Safety: absence of unreasonable risk
- Risk: combination of the probability of occurrence of harm and the severity of that harm
- Harm: physical injury or damage to the health of people
- Severity: measure of the extent of harm to an individual in a specific situation
- Exposure: state of being in an operational situation that can be hazardous if coincident with the failure mode under analysis
- Controllability: avoidance of the specified harm or damage through the timely reactions of the persons involved

ISO/DIS 26262 Terms: Item, system, element, and component
(Figure.) Hierarchy shown: System array > Item > System > E/E components (sensor, communication, controller, other) > hardware components and software components > hardware parts and software units. “Element” and “component” are marked as levels within this hierarchy.
A software component consists of one or more software components, or software units, or both.

ISO/DIS 26262 Terms: Failure Types
- Random hardware failures: failure that may occur unpredictably during the lifetime of a hardware element and that follows a probability distribution
- Systematic failures: failure of an element or item that is caused in a deterministic way during development, manufacturing, or maintenance; all software faults and a subset of hardware faults are systematic

ISO 26262 Terms: Safety Mechanism
- Activity or technical solution to detect / avoid / control failures or mitigate their harmful effects
- Implemented by an E/E function or element or in other technologies
- The safety mechanism is either able to switch to or maintain the item in a safe state, or able to alert the driver such that the driver is expected to control the effect of the failure

ISO 26262 Terms: Work Products
- Information or data
- The result of one or more system safety process activities
- Format appropriate to the work product’s content: data files, models, source code, etc.
- May include currently existing documents
- Several work products may be in one document

ISO 26262 Terms: Confirmation Measures
- Ensure the sufficient completion of work products and proper execution of the safety lifecycle
- Provide for the evaluation of the system safety activities and work products as a whole
- Used to determine the adequacy of achievement of the functional safety goals

ISO 26262 Terms: Safety Case
- Communicates a clear, comprehensive and defensible argument (supported by evidence) that a system is acceptably safe to operate in a particular context
- Includes references to safety requirements and supporting evidence AND a “safety argument” that describes how the safety requirements have been interpreted, allocated, decomposed, etc., and fulfilled as shown by the supporting evidence

Part 2: Management of Functional Safety
Rami Debouk


Part 2: Management of Functional Safety
(Figure.) Management of Functional Safety (2.4 – 2.6) spans the whole safety lifecycle, with organizational lanes for Mgmt & Quality, Advanced Eng’g, Product Eng’g, Production and Service:
- Concept phase: 3.4 Item Definition; 3.5 Initiation of the Safety Lifecycle; 3.7 Hazard Analysis and Risk Assessment; 3.8 Functional Safety Concept
- Product development: Part 4 (system level, with controllability and external measures); 4.11 Release for production; 7.5 Production planning and 7.6 Operation planning in parallel
- After SOP: 7.5 Production; 7.6 Operation, Service & Decommissioning; back to the appropriate lifecycle phase when needed
- Supporting processes: 8.4 – 8.13

Overview
Functional Safety Management requires:
- Planning, coordinating, and documenting activities related to functional safety
- Implementing a management plan for all phases of the safety lifecycle, including:
  - Overall project-independent functional safety management activities
  - Safety management during development
  - Safety management after Start of Production (SOP)

Overall Project Independent Safety Management
Objectives:
- Define responsibilities of persons, departments and organisations in charge of each phase during the overall safety lifecycle
- Define management activities during the complete safety lifecycle
Management plan to incorporate:
- Safety culture
- Quality management
- Continuous improvement
- Training and qualification
- Application of the lifecycle

Safety Management during Development
Objectives:
- Define responsibilities of the persons, departments and organisations in charge of functional safety for each phase during development
  - Includes activities to ensure functional safety of the item
  - Includes activities for confirmation of functional safety measures
- Define management activities during the development phases
Management plan to incorporate:
- Allocation of safety responsibilities and duties
- All safety management activities during development
- Safety case
- Confirmation measures for assessment of functional safety

Safety Management during Development: Confirmation Measures
Confirmation review
- Purpose: Evaluate the safety activity work products for compliance with the requirements of ISO 26262
- How: Work products are evaluated for compliance after completion of select safety activities, and a subsequent review of this compliance evidence is conducted, resulting in confirmation review reports
Functional safety audit
- Purpose: Evaluate the development process applied (as defined by the product’s safety plan)
- How: Phased reviews during the development process, resulting in audit reports
Functional safety assessment
- Purpose: Evaluate the achieved functional safety of the item
- How: Progressive review of processes and safety measures applied during development to achieve functional safety of the item

Confirmation Measures Requirements
- Depending on the work product and the ASIL assigned to the safety goals, confirmation measures are either recommended or required
- In the case of required confirmation measures, the required degree of independence is one of the following:
  - There are no requirements on the person performing the confirmation measure
  - The confirmation measure shall be performed by a person from a different team, not reporting to the same direct superior
  - The confirmation measure shall be performed by a person from a different department or organization, i.e., independent from the relevant department regarding management, resources, and responsibility for release for production

Safety Management after Start of Production (SOP)
Objectives:
- Define responsibilities of persons, departments and organisations in charge of functional safety after SOP
- Relates to general activities necessary to ensure the required functional safety of the item
Requirements:
- Organizational measures to achieve functional safety
- Management of functional safety after SOP
- Field monitoring and collection of data
- Malfunction survey
- Malfunction analysis
- Malfunction solution

Part 2 Work Products
- Company-specific standard for functional safety
- Training and qualification program
- Quality management system
- Safety plan
- Overall project plan
- Safety case
- Results of the confirmation measures
- Confirmation plan
- Functional safety assessment plan
- Evidence of a field monitoring process

Checkpoint Questions – Part 2: Management of Functional Safety
1. What are the requirements for Project Independent Safety Management?
   A. Safety culture and Quality management
   B. Continuous improvement, Training, and qualification
   C. Application of the lifecycle
   D. All of the above
2. Are a Safety Plan, Confirmation Plan, and a Safety Case required work products?
   A. Yes
   B. No

Part 3: Concept Phase
Rami Debouk


Functional Safety during Concept Phase
(Figure.) For a given product “Item”:
1) Identify relevant safety lifecycle steps
2) Perform a hazard analysis and determine the ASIL (A, B, C, D)
3) Identify safety goals
4) Identify the functional safety concept (functional safety requirements), which feeds the system requirements

Identify relevant safety lifecycle steps
The safety lifecycle for a given item is adapted based on:
- “New development”: consider all safety lifecycle steps relevant
- “Modification” of an existing component/system: tailor the safety lifecycle following an impact analysis of the modifications; the impact analysis considers the “proven in use argument” if the original component/system was not developed based on ISO 26262

Perform a Hazard Analysis, Determine ASIL: Situation Analysis & Hazard Identification
“Identify potential unintended behaviors of the item that could lead to a hazardous event.” Consider:
- Vehicle usage
- Environmental conditions
- Foreseeable driver use and misuse
- Interaction between vehicle systems

Perform a Hazard Analysis, Determine ASIL: Risk Assessment
Risk = Severity x Frequency x Controllability, classified as S, E and C, which together determine the ASIL.
ASIL: Automotive Safety Integrity Level

Perform a Hazard Analysis, Determine ASIL
For each identified hazardous scenario, evaluate:
Severity
- S0: No injuries
- S1: Light and moderate injuries
- S2: Severe and life-threatening injuries (survival probable)
- S3: Life-threatening injuries (survival uncertain), fatal injuries
Exposure
- E0: Incredible
- E1: Very low probability
- E2: Low probability
- E3: Medium probability
- E4: High probability
Controllability
- C0: Controllable in general
- C1: Simply controllable
- C2: Normally controllable
- C3: Difficult to control or uncontrollable
Source: ISO/DIS 26262

Perform a Hazard Analysis, Determine ASIL
Use Severity, Exposure and Controllability to set the ASIL:

              C1       C2       C3
  S1   E1     QM       QM       QM
       E2     QM       QM       QM
       E3     QM       QM       ASIL A
       E4     QM       ASIL A   ASIL B
  S2   E1     QM       QM       QM
       E2     QM       QM       ASIL A
       E3     QM       ASIL A   ASIL B
       E4     ASIL A   ASIL B   ASIL C
  S3   E1     QM       QM       ASIL A
       E2     QM       ASIL A   ASIL B
       E3     ASIL A   ASIL B   ASIL C
       E4     ASIL B   ASIL C   ASIL D

Source: ISO/DIS 26262

Identify Safety Goals
- Safety goals are the top-level safety requirements resulting from the hazard analysis and risk assessment
- A safety goal is to be determined for each hazardous event evaluated in the hazard analysis
- The ASIL determined for the hazardous event is to be assigned to the corresponding safety goal
- A potential hazard may have more than one safety goal
- If similar safety goals are determined, they can be combined into one safety goal that will be assigned the highest ASIL of the similar goals

Identify Safety Goals - Combination
- Hazard A: Safety Goal M, ASIL B; implicated faults: Fault X, Fault Y
- Hazard B: Safety Goal N, ASIL C; implicated faults: Fault Y, Fault Z
Per analysis results, Fault Y is implicated for both Goals M and N, but since Goal N is associated with a higher ASIL (C), safety mechanisms to cover Fault Y must satisfy ASIL C requirements.
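The Part 3 flow on the preceding slides (S/E/C classification, the ASIL table, one safety goal per hazardous event, combination of similar goals at the highest ASIL, and the Fault Y case above) as an added, constructed example; it is not code from the standard or the tutorial, and the S/E/C values for Hazard A and Hazard B are assumptions chosen to reproduce the slide’s ASIL B and ASIL C.

```python
# Constructed example (not from the standard or the tutorial): encodes the
# ISO/DIS 26262 S/E/C -> ASIL table and the safety-goal combination rule.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Ordering used to compare integrity levels; QM means no ASIL requirement.
ASIL_ORDER = ["QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D"]

# ASIL determination table as shown on the slide: _ASIL_TABLE[S][E][C - 1].
# S0, E0 and C0 are outside the table and yield QM (see determine_asil).
_ASIL_TABLE = {
    1: {1: ["QM", "QM", "QM"], 2: ["QM", "QM", "QM"],
        3: ["QM", "QM", "ASIL A"], 4: ["QM", "ASIL A", "ASIL B"]},
    2: {1: ["QM", "QM", "QM"], 2: ["QM", "QM", "ASIL A"],
        3: ["QM", "ASIL A", "ASIL B"], 4: ["ASIL A", "ASIL B", "ASIL C"]},
    3: {1: ["QM", "QM", "ASIL A"], 2: ["QM", "ASIL A", "ASIL B"],
        3: ["ASIL A", "ASIL B", "ASIL C"], 4: ["ASIL B", "ASIL C", "ASIL D"]},
}


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Map the S/E/C classification of one hazardous event to QM or ASIL A..D."""
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("expected S in 0..3, E in 0..4, C in 0..3")
    # S0 (no injuries), E0 (incredible) or C0 (controllable in general):
    # no ASIL is assigned; the slide's table starts at S1/E1/C1.
    if severity == 0 or exposure == 0 or controllability == 0:
        return "QM"
    return _ASIL_TABLE[severity][exposure][controllability - 1]


def max_asil(levels: Iterable[str]) -> str:
    """Highest integrity level among the given ones (QM is the lowest)."""
    return max(levels, key=ASIL_ORDER.index)


@dataclass
class HazardousEvent:
    hazard: str
    severity: int
    exposure: int
    controllability: int
    faults: Set[str]  # faults the safety analyses implicate for this hazard


@dataclass
class SafetyGoal:
    name: str
    asil: str
    hazards: List[str] = field(default_factory=list)
    faults: Set[str] = field(default_factory=set)


def derive_safety_goals(events: List[HazardousEvent],
                        goal_of: Dict[str, str]) -> Dict[str, SafetyGoal]:
    """One safety goal per hazardous event; events mapped to the same goal
    name (similar goals) are combined and take the highest ASIL."""
    goals: Dict[str, SafetyGoal] = {}
    for ev in events:
        asil = determine_asil(ev.severity, ev.exposure, ev.controllability)
        if asil == "QM":
            continue  # QM-rated events do not give rise to a safety goal
        name = goal_of.get(ev.hazard, "SG-" + ev.hazard)
        goal = goals.setdefault(name, SafetyGoal(name, asil))
        goal.asil = max_asil([goal.asil, asil])
        goal.hazards.append(ev.hazard)
        goal.faults |= ev.faults
    return goals


def required_asil_per_fault(goals: Dict[str, SafetyGoal]) -> Dict[str, str]:
    """A safety mechanism covering a fault implicated in several safety goals
    must satisfy the highest ASIL among those goals."""
    required: Dict[str, str] = {}
    for goal in goals.values():
        for fault in goal.faults:
            required[fault] = max_asil([required.get(fault, "QM"), goal.asil])
    return required


if __name__ == "__main__":
    # Assumed S/E/C values, chosen so the result matches the slide's example:
    # Hazard A -> Goal M at ASIL B, Hazard B -> Goal N at ASIL C.
    events = [
        HazardousEvent("Hazard A", 3, 2, 3, {"Fault X", "Fault Y"}),
        HazardousEvent("Hazard B", 3, 3, 3, {"Fault Y", "Fault Z"}),
    ]
    goals = derive_safety_goals(events, {"Hazard A": "Goal M", "Hazard B": "Goal N"})
    for g in goals.values():
        print(g.name, g.asil, sorted(g.faults))
    print(required_asil_per_fault(goals))  # Fault Y must be covered at ASIL C
```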

Identify Functional Safety Concept
The Functional Safety Concept is composed of the Functional Safety Requirements.
(Figure. Source: ISO/DIS 26262)

Part 3 Work Products
- Item definition
- Impact analysis
- Hazard analysis and risk assessment
- Safety goals
- Review of hazard analysis, risk assessment and the safety goals
- Functional safety concept
- Review of the functional safety requirements

Checkpoint Questions - Part 3: Concept Phase
1. What determines the activities needed for a modification of a previous product?
   A. ASIL
   B. Item Definition
   C. Impact Analysis
   D. Hazard and Risk Analysis
2. What 3 factors determine an ASIL?
   A. Severity, Occurrence, and Detection
   B. Risk, Controllability and Severity
   C. Severity, Controllability, and Exposure
3. What are the 4 ASILs?
   A. A, B, C, D
   B. 1, 2, 3, 4
   C. Critical, Severe, serious, and moderate