Freescale PowerPoint Template - NXP


September 2013

Introduction: Functional Safety Requirements; SafeAssure Program
Role of the Semiconductor Supplier: System Challenges; Freescale System Solutions
Safety Hardware: Safety Concepts of Freescale's Auto MCUs; Integrated Safety Architecture Example
Safety Software
Safety Support: Safety Process; Dynamic FMEDA; System level (beyond MCU)
Summary


Evolution of functional safety standards, 1980 to 2015:
Aeronautic: DO 178, DO 178A, DO 178B, DO 178C; ARP 4761, ARP 4754, ARP 4754A; DO 254
Rail transport: EN 50155, EN 5012X, EN 50159
Generic standard: IEC 61508, IEC 61508 Edition 2
Industrial automation: IEC 61511, IEC 62061 (based on IEC 61508)
Automotive: ISO 26262
Medical: IEC 60601 Edition 3
Select Freescale products are being defined and designed from the ground up to comply with IEC 61508 ed2.0 (2010-04) and ISO 26262 (2011-11-15).
ISO 26262-1:9 published 15th Nov 2011; ISO/FDIS 26262-10 published 9th Mar 2012.

The market trends have one thing in common: if the underlying systems fail, humans can be put at risk.
Functional Safety means "absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems".
ISO 26262 is the International Standard for Functional Safety. It is applicable to safety-related automotive systems that include one or more E/E systems and that are installed in series production passenger cars with a max gross weight up to 3.5t.
ISO 26262 addresses architectural & functional aspects and procedural aspects (incl. safety lifecycle) to avoid systematic faults and to control random faults.
Safety management is needed from the start of the product development.
Functional Safety will become a standard requirement in future RFQs, across most applications.

The ISO 26262 standard:
provides an automotive safety lifecycle which outlines handling of safety system development and operation from project initiation to system decommission
provides an automotive specific risk-based approach for determining risk classes based on severity, exposure (probability) and controllability of the hazard
uses four Automotive Safety Integrity Levels (ASIL) for specifying the item's safety requirements:
  ASIL A: the lowest ASIL level
  ASIL B: at least 90% SPF and at least 60% latent faults (LF, a fault that isn't detected but doesn't lead directly to violation of a safety goal) being detected
  ASIL C: at least 99% SPF and 90% LF detected
  ASIL D: the highest ASIL level, at least 99.9% SPF and 99% LF detected
provides requirements for validation and confirmation requirements to ensure the required safety level is achieved

ASIL determination: class of severity (S) and class of probability of exposure regarding operational situations (E) against classes of controllability (C1 to C3).
Severity classes: S1 (light and moderate injuries), S2 (severe and life-threatening injuries, survival probable), S3 (life-threatening injuries, fatal injuries).
Exposure classes: E1 (very low), E2 (low), E3 (medium), E4 (high).

              C1   C2   C3
S1   E1       QM   QM   QM
     E2       QM   QM   QM
     E3       QM   QM   A
     E4       QM   A    B
S2   E1       QM   QM   QM
     E2       QM   QM   A
     E3       QM   A    B
     E4       A    B    C
S3   E1       QM   QM   A
     E2       QM   A    B
     E3       A    B    C
     E4       B    C    D

(QM: "quality managed", no requirements from the standard applied explicitly)

Example hazards and expected ASILs (Source: Freescale: expectations based on global customer feedback):
Instrument Cluster: speedometer not available, ASIL B
Smart Rear View Camera System: no valid video sensor data, ASIL B
Front View Camera System: no valid video sensor data, ASIL B
Brake Lights: loss of brake lights, ASIL B
Rear Lights: failure on both sides, ASIL A
Driving Lights: failure on both sides, ASIL B
Active Suspension: suspension oscillates, ASIL B to C
Airbag System: inadvertent deployment, ASIL D
77GHz RADAR ACC: inadvertent braking, ASIL C
Braking and Stability Systems: unintended full power brake, ASIL D
Electric Power Steering: self-steering, ASIL D
Engine Management: unwanted vehicle acceleration, ASIL C to D
(The slide groups these examples by domain: Body, DIS, Safety & Chassis, Powertrain.)

Functional Safety Standards
ISO 26262 (Automotive): automotive industry standard, adaptation of IEC 61508 for electrical/electronic systems within road vehicles. Integrity levels ASIL A, ASIL B, ASIL C, ASIL D. Pub date: 2011.
IEC 61508 (Industrial): generic industry standard, applicable to electrical / electronic / programmable electronic safety-related systems. Integrity levels SIL 1, SIL 2, SIL 3, SIL 4. Pub date: more than 10 years ago.

Safety Hardware
Microcontrollers: lockstep cores, ECC on memories, redundant functions, internal monitors, built-in self test, fault collection & control
Analog and Power Management: voltage monitors, external error monitor, advanced watchdog, built-in self test
Sensors: timing checker, digital scan of signal chains, DSI3 or PSI5 safety data links

Safety Software
Automotive Software: AUTOSAR OS & MCAL; Core Self Test; Device Self Test; Complex Drivers
Software Partnerships: partnering with leading third-party software providers for automotive and industrial

Safety Process
Organization: safety is an integral part of the Freescale world wide organization
Project Management: configuration & change management, quality management, requirements management, architecture & design, verification & validation
Quality Management: ISO TS 16949 certified quality management system; Hardware: zero defects; Software: SPICE Level 3; Freescale Quality Foundation
Safety Analysis: selected products defined & designed from the ground up with safety analysis being done at each step of the process
Assessments / Audits: safety confirmation measures
Continuous Improvement: process evaluation, assessments / audits and gap-analysis exist to ensure processes are continually optimized

Safety Support
People: regional functional safety experts
Documentation: Safety Application Notes / Safety Manual / FMEDA

Safety Process

Freescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C-Ware, the Energy Efficient Solutions logo, Kinetis, mobileGT, PEG, PowerQUICC, Processor Expert, QorIQ, Qorivva, SafeAssure, the SafeAssure logo, StarCore, Symphony and VortiQa are trademarks of Freescale Semiconductor, Inc., Reg. U.S. Pat. & Tm. Off. Airfast, BeeKit, BeeStack, CoreNet, Flexis, Layerscape, MagniV, MXC, Platform in a Package, QorIQ Qonverge, QUICC Engine, Ready Play, SMARTMOS, Tower, TurboLink, Vybrid and Xtrinsic are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © 2013 Freescale Semiconductor, Inc.

The ISO 26262 safety lifecycle is defined as a top down approach: next level requirements result from the previous level. In practice there is also "push-back" due to the availability of products with the desired functionality and safety measures. The safety architecture needs to be defined such that it is safe and can be realized in an efficient way.
Define the major elements of the safety architecture at system level. Possible development options:
Commission custom ASICs with application specific safety measures
Use "standard" off-the-shelf components: discrete (component) safety architecture, the traditional way of designing a functional safety system
Use off-the-shelf components with an integrated safety architecture: many new components are emerging in light of ISO 26262 adoption

Every embedded application has its very specifics! Microcontrollers are successful due to their general purpose nature (they can be adapted to the specifics of an application). Therefore Freescale provides products with different multi-core safety architectures:
Monolithic integration (safety system on chip)
Multiple device system level integration (multiple chip ECU)
Distributed system integration (multiple ECU system)
Customers may select their most suitable architecture!

Discrete HW Safety Architecture: redundancy resolved at system level by means of redundant components. Example: traditional airbag system consisting of MCU and Safing ASIC. The system designer performs the dependent failure analysis. (Diagram: Main uC, Safing ASIC, Watchdog.)
Integrated HW Safety Architecture: redundancy resolved at system level and at component level with redundant modules within a component. Example: electric power steering with dual-core lock-step uC. The component designer performs the dependent failure analysis for redundancy at module level. (Diagram: Main uC with Redundancy A1 and Redundancy A2.)

Discrete versus Integrated Safety Architecture, by aspect:
Safety Architecture. Discrete: resolved at system level. Integrated: at system level and at component level.
Device Level Safety Measures. Discrete: no underlying safety concept at device level; typically, however, measures exploitable as safety measures are available. Integrated: one or more devices contain dedicated safety measures based on an underlying safety concept.
Device Level Safety Manual. Discrete: none. Integrated: available for integrated safety measures.
Device Level Safety Analysis. Discrete: none, typically general supporting information is sufficient. Integrated: FMEDA, FTA for dedicated safety measures.
Device Level Safety Argument. Discrete: qualification (optional evaluation of measures in the development process against systematic faults). Integrated: safety case, with complete device level argument for ISO 26262 compliance at device level.

Feasibility per ASIL (A to D):
Discrete HW Safety Architecture. Lower ASILs: feasible, discrete safety architecture. Higher ASILs: feasible, discrete safety architecture using uC & separate watchdog or uC; functional and temporal alignment between uC & 2nd channel often challenging; fast recovery from transient faults potentially challenging.
Integrated HW Safety Architecture. Lower ASILs: feasible; however, redundancy on component level is typically a technical overkill; functional safety enablement simplifies demonstration of compliance. Higher ASILs: feasible, integrated safety architecture using dual-core lockstep uC; functional and temporal alignment between the two channels simplified; fast recovery from transient faults more feasible.

Trade-offs between approaches:
HW related trade-off (HW approaches, complexity): different chips, different die areas, different modules, different submodules, different FFs
Time related trade-off (approaches, performance): different clock cycles, concurrent threads, one after another
Algorithm related trade-off (SW approaches, SW complexity)

Functional safety is not just an issue on system level but also on component level: functional safety standards explicitly address the component level, and integrated safety devices (the customer has no "direct" access to details of the safety functions).
ISO 26262: Safety Element out of Context (SEooC). The basic approach is to assume a system context (or several) of the component. A Safety Application Guide (Safety Manual) specifies how the component is applied correctly in the assumed system context.

(Illustration: the customer asks for a "safe ladder"; the "safe ladder"; the "safe ladder" in the field.)

Functional Safety Solutions, three generations:
Gen 1 Safety (2000): more than 10 years experience of safety development in the area of MCU & SBC. Custom Safety Platform for Braking: custom IC started to ship in 2000, the first safe MCU for braking applications; IEC 61508 / ISO 26262 compliance achieved at system level (top down approach); MCU features are a key enabler for SIL3 / ASIL D.
Gen 2 Safety (2008): first general market MCU, MPC5643L, certified ISO 26262! MPC5643L (90nm) with PowerSBC: 32-bit dual-core MCU developed according to ISO 26262; target applications for Chassis, ASIL D. PowerSBC: voltage supervision, fail-safe state machine, fail-safe IO, advanced watchdog.
Gen 3 Safety (2012): from 2012, multiple MCUs in Body, Chassis and Powertrain are being designed and developed according to ISO 26262. MPC5744P / MPC5777K / etc. (55nm) with PowerSBC Gen 2: 32-bit dual/quad-core MCU developed according to ISO 26262; target applications Chassis & P/T, ASIL D; safe methodology, architecture, SW and tools. PowerSBC Gen 2: voltage supervision, fail-safe state machine, fail-safe IO, advanced watchdog.

The ideal partitioning between HW and SW measures depends on the ASIL target and the complexity of the safety function (functional safety effort grows from an ASIL A target to an ASIL D target and from a simple to a complex safety function). Example safety applications placed on that chart: EPS, ESP; RADAR and vision based ADAS; Airbag.
Simple safety function: high redundancy, redundancy of application data. Complex safety function: decomposition to reduce the complexity of single instances. Example: ASIL D decomposed into ASIL A and ASIL C.

Offering products that scale to application specific safety requirements, spanning the whole range efficiently (ASIL A to ASIL D target, simple to complex safety function, HW and SW measures):
SafeAssure Lockstep SoCs: EPS, ESP
SafeAssure Multicore SoCs: RADAR and vision based systems, ADAS
SafeAssure Single core SoC: Airbag

To view the latest SafeAssure product table visit www.freescale.com/SafeAssure

Safety Hardware

Fault classes (diagram: a component with input and output, and a comparator across redundant components):
Single Point Failure (SPF): has the potential to cause a hazard, the component produces an immediately wrong output; needs quick detection or mitigation.
Latent Failure (LF): the component still produces correct output, but the fault can become dangerous in conjunction with a second fault and can aggregate; needs periodic detection.
Common Cause Failure (CCF): causes several components to fail; can possibly annul redundancy-based measures; needs mitigation or quick detection.

Safety mechanisms per fault class:
Single Point Failure (SPF): information redundancy (E2E ECC, EDC on cache); structural redundancy (core, DMA).
Latent Failure (LF): HW self test of memory and logic (90% stuck-at).
Common Cause Failure (CCF): delayed checker core; supervision of clock, power and temperature; independent safety clock; independent failure signaling.
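The slide lists structural redundancy against single-point faults and a delayed checker core against common-cause faults without saying why the delay matters. The following toy model, added here and not taken from Freescale's material, makes the point concrete: two identical cores run a constructed six-instruction program, a comparator checks every result, and a fault is injected as bit flips into the result register in one cycle. The program, the cores and the glitch model are all constructed for this example; real lockstep implementations differ in how results are compared and how many cycles the checker lags.

```python
"""Toy model of lockstep versus delayed lockstep (added example, not Freescale code).

Two identical cores run the same program and a comparator checks that the
checker core reproduces every result of the main core. A fault that hits only
one core is caught in either configuration. A common-cause event that corrupts
both cores in the same cycle escapes a plain lockstep comparator, because both
channels fail identically; a delayed checker core is executing a different
instruction in that cycle, so the corruption lands on different results and the
comparator sees a mismatch.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Op = Callable[[int], int]
MASK = 0xFFFF

# Constructed sample program: every op is a bijection on 16-bit values, so a
# corrupted accumulator can never be masked out again by a later instruction.
PROGRAM: List[Op] = [
    lambda a: (a + 7) & MASK,
    lambda a: a ^ 0x5A5A,
    lambda a: ((a << 1) | (a >> 15)) & MASK,   # rotate left by one
    lambda a: (a * 3) & MASK,                  # odd multiplier: invertible mod 2^16
    lambda a: (a + 0x1234) & MASK,
    lambda a: a ^ 0x00FF,
]


@dataclass
class Core:
    ops: List[Op]
    delay: int = 0                 # cycles this core lags behind the main core
    acc: int = 0
    results: List[int] = field(default_factory=list)   # one entry per executed op

    def step(self, cycle: int, glitch: Optional[Tuple[int, int]]) -> None:
        """Execute the op scheduled for this cycle, then apply the glitch if it hits now."""
        idx = cycle - self.delay
        if idx < 0 or idx >= len(self.ops):
            return
        self.acc = self.ops[idx](self.acc)
        if glitch is not None and glitch[0] == cycle:
            self.acc ^= glitch[1]              # bit flips injected into the result register
        self.results.append(self.acc)


def golden(ops: List[Op]) -> int:
    """Fault-free final accumulator value."""
    acc = 0
    for op in ops:
        acc = op(acc)
    return acc


def run_lockstep(ops: List[Op], delay: int, glitch: Tuple[int, int],
                 hit_main: bool = True, hit_checker: bool = True):
    """Return (index of the first op whose results differ, or None; main core's final value).

    glitch = (cycle, xor_mask). A common-cause event hits both cores; a random
    hardware fault hits only one of them.
    """
    main = Core(ops, delay=0)
    checker = Core(ops, delay=delay)
    for cycle in range(len(ops) + delay):
        main.step(cycle, glitch if hit_main else None)
        checker.step(cycle, glitch if hit_checker else None)
    # Comparator: the main core's results are buffered `delay` cycles so that op i
    # of both cores is compared once the checker has produced it.
    for i, (m, c) in enumerate(zip(main.results, checker.results)):
        if m != c:
            return i, main.acc
    return None, main.acc


if __name__ == "__main__":
    event = (3, 0x0001)   # constructed: flip the LSB of the result register in cycle 3
    print("golden result:                 ", hex(golden(PROGRAM)))
    print("plain lockstep, one core hit:  ", run_lockstep(PROGRAM, 0, event, hit_checker=False))
    print("plain lockstep, common cause:  ", run_lockstep(PROGRAM, 0, event))
    print("delayed lockstep, common cause:", run_lockstep(PROGRAM, 2, event))
```

With no delay the common-cause case returns no mismatch although the final value differs from the golden run, which is silent data corruption; with a two-cycle delay the same event is reported at op index 1, the instruction the checker was executing when the glitch struck. This is also why the slide pairs the delayed checker with independent clock, power and temperature supervision: the comparator only helps when the event does not hit both channels identically.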

Target applications: safety applications that require a high safety integrity level, such as electric power steering and electronic stability control.
The item must be in a safe state for all modes of (non)operation: completely unpowered; reset; operating correctly; indicating an internal error.
Safety mechanism: a technical solution to detect faults or control failures in order to achieve a safe state.

Safety mechanisms:
Built-in self tests (memory, logic, ADC)
Duplicate computational elements in lock-step
ECC for FLASH/SRAM
Temperature, clock and voltage monitors
Fault Collection and Control Unit (FCCU) with redundant fault notification path
Independent safety clock
eDMA and CRC
Access protection (MPU, register)
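"ECC for FLASH/SRAM" is listed above as a safety mechanism, and the earlier fault-class slide files ECC under information redundancy against single-point faults. The following added example (generic code, not Freescale's memory controller, whose code parameters and layout are device specific) implements a SECDED extended Hamming code over an m-bit word and shows the two behaviours that make it a safety mechanism: one flipped bit is corrected so it never reaches the application, and two flipped bits are reported as uncorrectable so the fault handler can react instead of consuming corrupted data. The data word, the bit positions flipped and the helper names are constructed for the example.

```python
"""SECDED (single-error-correcting, double-error-detecting) Hamming code.

Added example, not a device's ECC implementation. Codeword layout: index 0 is
the overall parity bit, indices 1..n form a Hamming code whose parity bits sit
at the power-of-two positions and whose data bits fill the remaining slots.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DecodeResult:
    status: str                      # "ok", "corrected" or "uncorrectable"
    data: Optional[int]              # decoded word, None when uncorrectable
    position: Optional[int] = None   # corrected bit position (0 = overall parity bit)


def num_parity_bits(m: int) -> int:
    """Smallest r with 2^r >= m + r + 1 (Hamming bound for m data bits)."""
    r = 0
    while (1 << r) < m + r + 1:
        r += 1
    return r


def is_parity_position(pos: int) -> bool:
    return pos & (pos - 1) == 0      # powers of two carry the Hamming parity bits


def secded_encode(data: int, m: int) -> List[int]:
    """Encode an m-bit word; returns the codeword as a list of bits."""
    n = m + num_parity_bits(m)
    code = [0] * (n + 1)
    d = 0
    for pos in range(1, n + 1):                  # data bits, LSB first, in non-parity slots
        if not is_parity_position(pos):
            code[pos] = (data >> d) & 1
            d += 1
    for i in range(num_parity_bits(m)):          # parity bit 2^i covers positions with bit i set
        p = 1 << i
        code[p] = 0
        for pos in range(1, n + 1):
            if pos != p and pos & p:
                code[p] ^= code[pos]
    for b in code[1:]:                           # overall parity turns SEC into SECDED
        code[0] ^= b
    return code


def secded_decode(code: List[int], m: int) -> DecodeResult:
    """Check a codeword, correct a single flipped bit, flag a double flip."""
    n = m + num_parity_bits(m)
    code = list(code)
    syndrome = 0
    for pos in range(1, n + 1):                  # XOR of set-bit positions; 0 for a clean word
        if code[pos]:
            syndrome ^= pos
    overall = 0
    for b in code:
        overall ^= b                             # 1 when an odd number of bits flipped
    if syndrome == 0 and overall == 0:
        status, position = "ok", None
    elif overall == 1 and syndrome <= n:         # odd flip count: one error, at `syndrome`
        position = syndrome                      # syndrome 0 means the overall parity bit itself
        code[position] ^= 1
        status = "corrected"
    else:                                        # even flip count, non-zero syndrome: two errors
        return DecodeResult("uncorrectable", None)
    data, d = 0, 0
    for pos in range(1, n + 1):
        if not is_parity_position(pos):
            data |= code[pos] << d
            d += 1
    return DecodeResult(status, data, position)


def flip(code: List[int], *positions: int) -> List[int]:
    """Constructed fault injection: flip the given codeword bit positions."""
    out = list(code)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    word = secded_encode(0xA5, 8)                # constructed sample data word
    print("clean:      ", secded_decode(word, 8))
    print("1 bit flip: ", secded_decode(flip(word, 5), 8))
    print("2 bit flips:", secded_decode(flip(word, 3, 9), 8))
```

The decoder itself is a potential latent fault: if its comparison logic breaks, every word reads back as "ok" and the memory silently loses its protection. That is the reason the slide pairs ECC with built-in self tests, which periodically inject known errors and confirm that the checker still reports them.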

Computational Shell: elements having low application dependency; the safety architecture may not interfere with the application; hardware driven system safety mechanisms.
I/O & Communication Peripherals: elements having high application dependency; functional safety of the periphery is ensured by system-level measures; flexible usage within application software.

Certified by exida, an independent accredited assessor. The certificate was issued based on a successful assessment of the product design and the applied development and production processes against all requirements and work product definitions of ISO 26262 identified as applicable to an MCU part. The MPC5643L MCU is certified for use for all Automotive Safety Integrity Levels (ASIL), up to and including the most stringent level, ASIL D. Released on 6th September, 2012.

MPC5643L MCU assessment scope:
Assessment of the MPC5643L Safety Case
Assessment and audit of Freescale's development processes used for the MPC5643L
Assessment of the FMEDA (Failure Modes Effects and Diagnostic Analysis) of the MPC5643L to confirm it satisfies the SPFM, LFM and PMHF metrics required for ASIL D
Assessment of the MPC5643L hardware design, implementation and verification activities
Over 50 work products were provided to exida during the assessment and on site audits

Safety Software

Freescale Automotive Software is mostly focused on AUTOSAR MCAL and OS (not all modules are shown here). AUTOSAR layered architecture diagram: Application Layer; AUTOSAR Runtime Environment (RTE); System Services, Memory Services, Communication Services (modules such as EcuM, WdgIf, NvM, MemIf, PduR, Nm, IpduM, XCP, Tp, Debugging); Onboard Device Abstraction, Memory Hardware Abstraction (Fee, Ea), Communication Hardware Abstraction (xxx Interface, Nm Interface), I/O Hardware Abstraction (I/O Signal Interface); Microcontroller Drivers, Memory Drivers, Communication Drivers, I/O Drivers; Complex Drivers (drivers for external ADC ASIC, external I/O ASIC, external transceiver); OS.

However, it is also about: instruction-based core self-test; libraries such as math library, motor control libraries, etc.; complex drivers such as Pulse Width Modulator (PWM) and Ethernet.
ISO 26262 imposes that all hardware and software elements are designed and developed to minimize the risk of causing hazardous events. Freescale software for SafeAssure meets ISO 26262: it supports the hardware to meet ISO 26262 requirements (detection of HW random faults); it supports efficient achievement of safety goals (detection of SW systematic faults, assuring freedom from interference or preventing interference, reaction to faults); and it follows an ISO 26262 compliant FSL SW development process.

Ordinary Software Offering versus SafeAssure Software Offering:
MCAL -> sMCAL
OS -> sOS
CST -> sCST
MCLib (Beta) -> sMCLib
(no ordinary counterpart) -> sPTLib
(no ordinary counterpart) -> SafeLib

Support efficient achievement of safety goals up to ASIL-D: safety with minimized performance degradation; safety simplified for integrators; cross-platform consistent architecture.
Support achievement of hardware architectural metrics up to ASIL-D.
All products in the Software SafeAssure portfolio are Safety Elements out of Context (SEooC): safety-related requirements are assumed; the safety-related role is assumed; the deployment is envisioned.

Software layers on the Freescale microprocessor (µPs with different sets of safety measures and safety support functions):
Safety-Related Functional Layer: software functional components that may carry out safety-related functions.
Safety Service Layer: software components that facilitate and support safety-related applications.
HW Safety Layer: software components for detecting hardware faults to support compliance with ISO 26262 hardware architectural metrics (SPFM, LFM).

Freescale Software product classes and products:
Safety-Related Functional Components: safety MCAL (sMCAL); safety Motor Control Lib (sMCLib); safety Operating System (sOS), FSL sOS / external sOS.
Safety Service Components, Safety Library (SafeLib): Microcontroller Error Management (software support for FCCU, MEMU, LBIST, MBIST; hardware error collection); Safety Error Reporting and Reaction (collects both hardware and software faults, provides reaction mechanisms); Resource Manager (manages peripheral control to enable run-time invocation of peripheral tests); CRC driver (abstracts the HW/SW implementation); DMA protection; Software Integrity Universal Checker (tbd).
HW Safety Components: safety Core Self Test (sCST); safety Peripheral Test Library (sPTLib).

Safety Support

Failure Mode, Effect and Diagnostic Analysis (FMEDA): a systematic way to identify and evaluate failure modes, effects and diagnostic techniques, and to document the system.
Inputs to the MCU FMEDA: raw failure rates (technology dependent failure rate), element gate count / size, failure mode / distribution, safety mechanism. Target values can be assigned to the MCU; the FMEDA for the MCU feeds the system-level FMEDA.

Metric   ASIL D targets for whole item   Typical results for MCU with integrated safety architecture
PMHF     < 10^-8 h^-1                    < 10^-8 h^-1
SPFM     >= 99%                          >= 99%
LFM      >= 90%                          >= 90%

The old SEooC assumption forces system vendors to implement unnecessary safety measures! Example: the first generation safety application guide for … had 68 mandatory requirements.

Without application context, an SEooC analysis requires safety measures throughout the device. (Block diagram: Core Subsystem with lockstep Cores, MMU, Cache, DMA, Nexus Debug, Power Management; High Speed Bus; SRAM, FLASH; Bridge to the I/O: ADC, SPI, PWM.)
Consequence: over-engineering of the architecture and, often, suboptimal partitioning of software and hardware effort.

A new approach shall complement the safety measures of a context, not duplicate what the context already provides!

FMEDA for MPC5643L covers: processing units (core, etc.), power supply, clock, non-volatile memory (FLASH), volatile memory (SRAM).
Where the safety concept on system level is not known, only raw failure rates are given: digital I/O, analogue I/O, external communication.

Freescale introduces the dynamic FMEDA approach: the customer communicates the implemented safety measures and Freescale delivers the respective tailored FMEDA (within e.g. 1 hour). E.g. the MPC5675K has more than 1 million different FMEDAs in the database, so truly back to the world of general purpose! No longer do applications have to fulfill the FMEDA assumptions; the FMEDA tailors to the application.


FSL QM Products, typical deliverables: Safety Analysis of Architecture: Safety FMEA or FTA; User Guide: Safety Application Note; Development Process evidence: PPAP, Quality Plan (mapping to ISO 26262 / IEC 61508 checklists).
ISO 26262 or IEC 61508 Products, typical deliverables: Safety Analysis of Architecture: FMEDA, CCA or FTA; User Guide: Safety Manual; Development Process evidence: PPAP, Safety Plan, Certificates.
Local Support: Functional Safety Field Experts.
Learning: field training / workshops, delivered by local Functional Safety FAE experts.

Dynamic FMEDA objective: tailor the FMEDA to match the application configuration; enable customers by supporting their system level architectural choices.
Content: FMEDA methods aligned with the functional safety standards: SPFM & LFM, PMHF (ISO 26262); SFF & PFH (IEC 61508 ed-2.0); βIC (IEC 61508 ed-2.0 part 2, Annex E). The dynamic FMEDA covers elements with low application dependency: clock, power supply, Flash, STM, SRAM, processing unit.
Work flow and result: the customer specifies the Safety Integrity Level required by their application, and then confirms the safety measures that will be used; a tailored FMEDA is then supplied to the customer for their specific application.
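The FMEDA slide gives the ASIL D targets and the dynamic FMEDA slides describe re-running the analysis once the customer declares which system-level measure covers an application-dependent peripheral, but neither shows how the metrics are actually formed. The following added example (not Freescale's FMEDA tool or data) computes SPFM, LFM and a first-order PMHF with the ISO 26262-5 formulas from per-element failure rates and diagnostic coverages, then checks the result against the ASIL B thresholds from the ASIL slide and the ASIL D thresholds from the FMEDA slide. Every failure rate, coverage and element name is a constructed sample value; the PMHF here keeps only the single-point and residual contribution and omits the dual-point term, which is a simplification.

```python
"""FMEDA hardware architectural metrics (added example, not Freescale's FMEDA tool).

Two scenarios mirror the dynamic-FMEDA idea: the MCU-internal measures on the
computational shell are fixed by the device, while the customer declares which
system-level measure covers an application-dependent peripheral (here an ADC),
and the metrics are recomputed for that declaration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIT = 1e-9   # 1 FIT = one failure per 1e9 device hours


@dataclass(frozen=True)
class Element:
    name: str
    fit: float             # raw failure rate in FIT, technology dependent (constructed)
    safety_related: float  # share of failure modes able to violate the safety goal
    dc_spf: float          # coverage of the mechanism that catches the fault quickly
    dc_lf: float           # coverage of the periodic test that reveals latent faults
    mechanism: str         # for the report only


@dataclass(frozen=True)
class Metrics:
    spfm: float
    lfm: float
    pmhf: float            # failures per hour


# SPFM/LFM for ASIL B from the ASIL slide, for ASIL D from the FMEDA slide;
# PMHF bounds (1e-7/h for B, 1e-8/h for D) as given in ISO 26262-5.
ASIL_TARGETS: Dict[str, Tuple[float, float, float]] = {
    "B": (0.90, 0.60, 1e-7),
    "D": (0.99, 0.90, 1e-8),
}


def fmeda(elements: List[Element]) -> Metrics:
    total = spf_rf = mpf_latent = 0.0
    for e in elements:
        lam = e.fit                              # lambda of the element, in FIT
        lam_sr = lam * e.safety_related          # remainder is "safe": counted in total only
        lam_spf = lam_sr * (1.0 - e.dc_spf)      # single-point / residual faults
        lam_mpf = lam_sr * e.dc_spf              # caught quickly: at most a multi-point fault
        lam_lat = lam_mpf * (1.0 - e.dc_lf)      # multi-point faults no periodic test reveals
        total += lam
        spf_rf += lam_spf
        mpf_latent += lam_lat
    spfm = 1.0 - spf_rf / total                  # 1 - sum(SPF + RF) / sum(lambda)
    lfm = 1.0 - mpf_latent / (total - spf_rf)    # 1 - sum(MPF,latent) / sum(lambda - SPF - RF)
    pmhf = spf_rf * FIT                          # first-order only: dual-point term omitted
    return Metrics(spfm, lfm, pmhf)


def meets(metrics: Metrics, asil: str) -> bool:
    spfm_t, lfm_t, pmhf_t = ASIL_TARGETS[asil]
    return metrics.spfm >= spfm_t and metrics.lfm >= lfm_t and metrics.pmhf < pmhf_t


def mcu_elements() -> List[Element]:
    """Computational shell: low application dependency, measures fixed by the MCU (constructed)."""
    return [
        Element("core (lockstep pair)", 100.0, 1.0, 0.99, 0.90, "lockstep comparator + LBIST"),
        Element("SRAM",                 200.0, 1.0, 0.99, 0.90, "ECC + MBIST"),
        Element("FLASH",                 50.0, 1.0, 0.99, 0.90, "ECC + MBIST"),
        Element("clock",                 10.0, 1.0, 0.99, 0.90, "clock monitor + self test"),
    ]


# Application-dependent peripheral: what covers it is declared by the customer.
ADC_UNCOVERED = Element("ADC", 20.0, 0.5, 0.00, 0.00, "none declared")
ADC_COVERED = Element("ADC", 20.0, 0.5, 0.99, 0.90, "redundant ADC plausibility check (system level)")


def scenario(adc: Element) -> Metrics:
    return fmeda(mcu_elements() + [adc])


def report(adc: Element) -> str:
    m = scenario(adc)
    return (f"ADC measure: {adc.mechanism}; SPFM {m.spfm:.2%}, LFM {m.lfm:.2%}, "
            f"PMHF {m.pmhf:.1e}/h; meets ASIL B: {meets(m, 'B')}, ASIL D: {meets(m, 'D')}")


if __name__ == "__main__":
    print(report(ADC_UNCOVERED))
    print(report(ADC_COVERED))
```

With the ADC left uncovered, the 10 FIT of undetected safety-related ADC faults dominate the single-point sum: SPFM lands near 96% and the first-order PMHF above 10^-8 h^-1, enough for ASIL B but not ASIL D. Declaring a system-level plausibility check over redundant ADC channels moves SPFM to just above 99% and PMHF below 10^-8 h^-1 without touching the MCU-internal measures, which is exactly the tailoring the dynamic FMEDA performs.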

Safety Manual for the MCU solution (Safety Manual for MPC574xP) and Safety Manual for the Analog solution.
Objective: enable customers to extract the full value of Freescale's functional safety offering; simplify integration of Freescale's safety products into applications; a comprehensible description of all information relating to FS in a single entity, to ensure integrity of the information and links with the datasheet.
Content: SoC safety concept description; system level assumptions of use (safety specific usage considerations); pseudo-code or C-code to simplify adoption of the safety application requirements; FMEDA results: Single Point Fault Matrix (SPFM), Latent Fault Matrix (LFM), Probabilistic Metric for random Hardware Failures (PMHF); provisions against dependent failures.

Design Guidelines for Integration of Microcontroller and Analog & Power Management device: explains the main individual product safety features; uses a typical electrical power steering application to explain product alignment; covers the ASIL D safety requirements that are satisfied by using both products. The MPC5643L requires external measures to support a system level ASIL D safety level; the MC33907/08 provides those external measures: external power supply and monitor, external watchdog timer, error output monitor.

ISO 26262 has been widely adopted for automotive functional safety; systems with safety goals according to ISO 26262 are no longer an exception. Freescale supports OEMs and Tier1s to achieve their ISO 26262 safety goals: discrete and integrated safety architectures; system level chip set solutions, beyond the MCU. Combined with a range of safety HW products, Freescale supports customers by providing a set of differentiating collateral that enables our customers and can significantly reduce their development time: Dynamic FMEDA, Safety Manual, System Level Application Notes.

