ISO/DIS 26262 Global Training - Université De Technologie De Compiègne

Transcription

ISO/DIS 26262 Global training
Last updated 07/03/2010. Introduction to the ISO 26262 standard (slide 1/134)

Agenda
Learning objectives
Introduction
I. Normative references
II. History
III. Scope of the standard
IV. Vocabulary – part 1
V. Management of functional safety – part 2
VI. Concept phase – part 3
VII. Product development: system level – part 4
VIII. Product development: hardware level – part 5
IX. Product development: software level – part 6
X. Production & operation – part 7
XI. Supporting processes – part 8
XII. ASIL-oriented and safety analyses – part 9
XIII. Guideline – part 10

General learning objectives
At the end of the session, attendees should be able:
- to know the origin of the ISO standard
- to understand the application field of the ISO standard
- to know the scope of this standard
- to acquire the new concepts introduced by the standard
- to have an overview of the methods allowing to analyse and cope with the identified risks

Introduction of the Automotive Safety Standard
ISO 26262 was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 3, Electrical and electronic equipment.
ISO 26262 consists of the following parts, under the general title "Road vehicles – Functional safety":
- Part 1: Vocabulary
- Part 2: Management of functional safety
- Part 3: Concept phase
- Part 4: Product development: system level
- Part 5: Product development: hardware level
- Part 6: Product development: software level
- Part 7: Production and operation
- Part 8: Supporting processes
- Part 9: ASIL-oriented and safety-oriented analyses
- Part 10: Guideline

Introduction of the Automotive Safety Standard
[Figure slide: no text content]

Introduction of the Automotive Safety Standard
This standard is the adaptation of IEC 61508 to the specific needs of the application sector of electrical and electronic (E/E) systems within road vehicles.
This standard:
- provides an automotive safety lifecycle and supports tailoring the necessary activities during these lifecycle phases
- provides an automotive-specific, risk-based approach for determining risk classes (Automotive Safety Integrity Levels, ASIL)
- uses the ASIL for specifying the item's necessary safety requirements for achieving an acceptable residual risk
- provides requirements for validation and confirmation measures to ensure that a sufficient and acceptable level of safety is achieved

I – Normative references
- ISO 9001:2000, Quality management systems – Requirements
- ISO/TS 16949, Quality management systems – Particular requirements for the application of ISO 9001:2000 for automotive production and relevant service part organizations
- ISO 3779, Road vehicles – Vehicle Identification Number (VIN)
- ISO 3833, Road vehicles – Types – Terms and definitions

II - History
First definitions
Risk: combination of the probability of occurrence of harm and the severity of that harm.
Functional safety: absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E systems.
Safety: absence of unreasonable risk.

II - History
Objectives of this standard
- Comparability with the existing IEC 61508 shall remain, due to product liability aspects
- All normative sections should have a Safety Integrity Level dependency
- Adaptation of the safety lifecycle to typical automotive development and operation phases is needed
- Distinction between management, development and support processes

II - History
Objectives of this standard (continued)
- The standard shall support the implementation of development processes and safety assessments
- The standard should refer to the milestones and prototypes/samples of typical automotive development processes
- The standard shall include requirements on the manufacturer/supplier relation and on distributed development processes

II - History
Objectives of this standard (continued)
- Hazard analysis and risk assessment shall be adapted to typical automotive use cases
- Emphasis on the verification/validation process: the application of HIL tests, LabCars, fleet tests and user-oriented tests during validation shall be considered
- Support of probabilistic target values for random hardware failures

II - History
Work team
Convenor: Ch. Jung. Secretary: E. Fritzsche.
Participating organisations, grouped by country (the country labels of the first groups were lost in transcription):
- BMW, Bosch, Continental, Daimler, VW
- PSA, Renault, Continental, Valeo
- Magna Steyr, ARC Seibersdorf Research
- Fiat Group, Centro Ricerche Fiat, TRW
- Honda, Nissan, Toyota, Denso, Hitachi
- Volvo Cars, AB Volvo, Delphi
- UK: Land Rover, MIRA
- USA: TRW, GM, Delphi
- Belgium: Nissan Europe, Toyota Europe
- Canada: Critical Systems Labs

II - History
[Figure: origin of the standard. Inputs from FAKRA, BNA, MISRA, OEMs, suppliers and technical services; IEC 61508; other safety standards, quality standards and engineering standards (RESPONSE, Automotive SPICE). Initial work of the standardization bodies started in 2002, leading to ISO TC22 / SC3 / WG16.]

II - History
[Figure: timeline with milestones 7/07, 3/08, 6/08, 12/08, 6/09, 12/09, 6/10, 12/10 and 6/11. CD voting decided in 6/08; CD voting in 12/08 and 6/09. The DIS is approved and can be communicated outside the Working Group.]

III – Scope of the standard
This standard is applicable to safety-related systems that include one or more E/E systems and that are installed in series production passenger cars with a maximum gross weight up to 3.5 t, excluding vehicles designed for drivers with disabilities.
ISO 26262 addresses possible hazards caused by malfunctioning behaviour of E/E safety-related systems, including the interaction of these systems. It does not address hazards such as electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of E/E safety-related systems.
Additional requirements for vehicles for the transport of hazardous goods are not covered by this standard.

IV – Vocabulary (Part 1)

IV – Vocabulary (Part 1)
Main terms
Item: system or array of systems or a function to which ISO 26262 is applied.
Safety: absence of unreasonable risk.
Functional safety: absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E systems.
Safety case: argument that the safety goals for an item are complete and satisfied by evidence compiled from the work products of the safety activities during development.
NOTE: The safety case can be extended to cover safety issues beyond the scope of this standard.

IV – Vocabulary (Part 1)
Main terms
Exposure: state of being in an operational situation that can be hazardous if coincident with the failure mode under analysis.
Severity: measure of the extent of harm to an individual in a specific situation.
Automotive Safety Integrity Level (ASIL): one of four levels to specify the item's or element's necessary requirements of ISO 26262 and safety measures for avoiding an unreasonable residual risk, with D representing the most stringent and A the least stringent level.
Safety goal: top-level safety requirement resulting from the hazard analysis and risk assessment.

IV – Vocabulary (Part 1)
Main terms
Random hardware failure: failure that may occur unpredictably during the lifetime of a hardware element and that follows a probability distribution.
NOTE: Random hardware failure rates can be predicted with reasonable accuracy.
Systematic failure: failure of an element or item that is caused in a deterministic way during development, manufacturing or maintenance.
NOTE: Systematic failures can be prevented by applying design measures or production process changes to this element or item.

IV – Vocabulary (Part 1)
Main terms
Fault: abnormal condition that can cause an element or an item to fail.
Hazard: potential source of harm.
Failure: termination of the ability of an element or an item to perform a function as required.
ASIL decomposition: apportioning of safety requirements redundantly to sufficiently independent elements, with the objective of reducing the ASIL of the elements.

V – Management of Functional Safety (Part 2)

V – Management of Functional Safety (Part 2)
Objectives
The objective of this clause is to define the requirements on the organizations that are responsible for the safety lifecycle, or that perform safety activities in the item's safety lifecycle.
This clause serves as a prerequisite to all the ISO 26262 activities in the item's safety lifecycle.

V – Management of Functional Safety (Part 2)
ASIL rating
[Figure slide: no text content]

V – Management of Functional Safety (Part 2)
[Figure slide: no text content]

V – Management of Functional Safety (Part 2)
Overall requirements for performing this part
- A safety culture is needed
- Quality management (ISO 9001 / ISO/TS 16949)
- Training and qualification (knowledge areas: safety practices, methodology expertise, functional safety process)
- Application of the safety lifecycle (tailoring of the lifecycle: combining or splitting sub-phases, performing an activity in an added phase or sub-phase)

V – Management of Functional Safety (Part 2)
Requirements during the development phase
- Safety responsibilities: the project manager appoints a safety manager and defines the role and mission
  - The role of the safety manager can be filled by the project manager
  - The tasks of the safety manager can be tailored according to the size of the project and the ASIL
  - Functional safety management tasks include the timely and professional delivery of safety activity results

V – Management of Functional Safety (Part 2)
Requirements during the development phase
- Planning of all safety management activities. The safety manager shall plan the activities and shall create a safety plan.
The safety plan shall either be:
a) a plan referenced in the overall project plan; or
b) included in the overall project plan, such that the safety activities are distinguishable.
Each of the activities in the safety plan should be described according to the following:
  - objective
  - required work products from other activities, such as described in the prerequisites
  - person in charge of the safety activities
  - starting point in time and duration
  - documentation of the respective work products

V – Management of Functional Safety (Part 2)
Requirements during the development phase
In developing the safety plan, the specific activities shall be tailored according to the ASIL and the constraints of the project.
- Safety case (compiled progressively during the development phase). The safety case shall be comprehensive and complete with regard to the work products defined in the safety plan.

V – Management of Functional Safety (Part 2)
Requirements during the development phase
- Confirmation measures for ensuring functional safety. The three kinds of measure compared:
  Subject. Functional safety audit: implementation of the processes required for functional safety. Confirmation review: a work product. Functional safety assessment: the item as described in the item definition (see ISO 26262-3, Clause 5).
  Result. Audit: audit report (a). Review: confirmation review report (a). Assessment: assessment report on the functional safety of the item.
  Responsibility of the auditor / reviewer / safety assessor. Audit: adequate evaluation of the processes against the definition of the activity, referenced or listed in the safety plan. Review: adequate evaluation of the compliance of the work product with the respective requirements of ISO 26262. Assessment: adequate evaluation of the achieved functional safety level.
  Timing during the lifecycle. Audit: during implementation of the required processes, completed before product release. Review: after completion of the corresponding safety activity. Assessment: progressively during development or in a single block, completed before product release.
  Scope and depth. Audit: determined by the auditor. Review: planned prior to the review, in accordance with the safety plan. Assessment: review of the processes and safety measures required for functional safety.
  (a) Can be included in a functional safety assessment report.

V – Management of Functional Safety (Part 2)
Requirements during the development phase
Confirmation measures
The confirmation measures shall be performed according to their ASIL and the following table. Unless stated otherwise, the ASIL column is the highest ASIL among the safety goals of the item; the entries are the required independence levels for ASIL A / B / C / D (I0: no requirement on independence; I1: performed by a different person; I2: by a person from a different team; I3: by a person from a different department or organisation; "-": no requirement for that ASIL).
- Confirmation review of the hazard analysis and risk assessment of the item dealt with in accordance with ISO 26262 (see ISO 26262-3, Clause 7 and, if applicable, ISO 26262-8, Clause 5): I3 for all ASILs, including hazards rated as QM. Independent from the developers of the item.
- Confirmation review of the safety plan (see Clause 6): - / I1 / I2 / I3. Independent from the developers of the item and from project management.
- Confirmation review of the integration and testing plan (see ISO 26262-4, Clause 5): I0 / I1 / I2 / I2. Independent from the developers of the item and from project management.
- Confirmation review of the validation plan (see ISO 26262-4, Clause 5): I0 / I1 / I2 / I2. Independent from the developers of the item and from project management.
- Confirmation review of the safety analyses (FMEA, FTA) (see ISO 26262-9, 8.4.8): I1 / I1 / I2 / I3.
- Confirmation review of the qualification of software tools (see ISO 26262-8, Clause 11): - / I0 / I1 / I1. Independent from the person performing the qualification of the software tool.
- Confirmation review of the proven-in-use arguments (analysis, data and credit) of the candidates (see ISO 26262-8, Clause 14): I0 / I1 / I2 / I3, by the ASIL of the safety goal or requirement related to the considered behaviour or function of the candidate. Independent from the supplier of the argument.
- Confirmation review of the completeness of the safety case (see 6.4.5): I0 / I1 / I2 / I3. Independent from the authors of the safety case.
- Audit of the functional safety processes (see 6.4.6): - / I0 / I2 / I3. Independent from the persons working in accordance with the processes required for functional safety.
- Functional safety assessment (see 6.4.6.7): - / I0 / I2 / I3. Independent from the supplier of the safety case.

V – Management of Functional Safety (Part 2)
Requirements during the development phase
- The safety assessment shall consider:
  - the confirmation plan
  - the recommendations from a previous functional safety assessment, if available
  - the results of the functional safety audits and confirmation reviews
One or more persons shall be appointed to carry out a functional safety assessment and shall provide a judgement of functional safety.

V – Management of Functional Safety (Part 2)
Requirements for compliance
When claiming compliance with ISO 26262, each requirement shall be complied with, unless one of the following applies:
1) Tailoring in accordance with ISO 26262-2 has been planned and shows that the requirement does not apply.
2) A rationale is available that the non-compliance is acceptable, and the rationale has been assessed in accordance with ISO 26262-2.
Information marked as a "NOTE" is only for guidance in understanding, or for clarification of, the associated requirement and shall not be interpreted as a requirement itself.

V – Management of Functional Safety (Part 2)
Interpretation of tables
- Tables may be normative or informative depending on their context.
- The different methods listed in a table contribute to the level of confidence in achieving compliance with the corresponding requirement.
- Each method in a table is either a consecutive entry (marked by a sequence number in the leftmost column, e.g. 1, 2, 3) or an alternative entry (marked by a number followed by a letter in the leftmost column, e.g. 2a, 2b, 2c).
- For consecutive entries, all methods are recommended in accordance with the ASIL.
- For alternative entries, an appropriate combination of methods shall be applied in accordance with the ASIL, independently of whether they are listed in the table or not. If methods are listed with different degrees of recommendation for an ASIL, the higher one should be preferred.
- For each method, the degree of recommendation depends on the ASIL and is categorized as follows:
  "++": the method is highly recommended for this ASIL.
  "+": the method is recommended for this ASIL.
  "o": the method has no recommendation for or against its usage for this ASIL.

VI – Concept phase (Part 3)

VI – Concept phase (Part 3)
Objectives
- The objectives of this part are:
  - to define and describe the item
  - to develop an adequate understanding of the item
  - to select the applicable safety lifecycle
  - to identify and categorize the potential hazards of the item
  - to formulate the safety goals
  - to define the preliminary architectural elements

VI – Concept phase (Part 3)
Item definition
- Information needed:
  - purpose and content of the item
  - functional requirements of the item
  - further requirements for the item regarding the environmental conditions in which the item is used
  - boundary of the item
  - interfaces with other items
  - requirements from other items
  - allocation and distribution of functions among the items involved

VI – Concept phase (Part 3)
Initiation of the safety lifecycle
- Determination of the development category. It shall be determined whether the item is a modification of an existing item or a new development.
  - In the case of a new development, the entire safety lifecycle shall be applied.
  - In the case of a modification, the relevant lifecycle sub-phases and activities shall be determined.
- Impact analysis and adapted safety lifecycle
  - In the case of a modification of the item, an impact analysis shall be conducted to determine the areas affected by the modification.

VI – Concept phase (Part 3)
Hazard analysis and risk assessment
- The hazard analysis and risk assessment sub-phase comprises three steps:
a) Situation analysis and hazard identification: the goal is to identify the potential unintended behaviours of the item that could lead to a hazardous event.
b) Hazard classification: the hazard classification scheme comprises the determination of the severity (S), the probability of exposure (E) and the controllability (C) associated with the considered hazard of the item.
c) ASIL determination: determining the required Automotive Safety Integrity Level.

VI – Concept phase (Part 3)
a) Situation analysis and hazard identification
- The operational situations and operating modes in which an item's malfunctioning behaviour is able to trigger hazards shall be described, both for cases when the item is correctly used and when it is incorrectly used in a foreseeable way.
- A list of operational situations to be evaluated shall be prepared.
- The failure modes and hazards shall be detailed.
- The consequences of hazardous events shall be identified for the relevant operational situations and operating modes.

VI – Concept phase (Part 3)
a) Situation analysis and hazard identification
The operational situation addresses the limits within which the item is expected to behave in a safe manner. For example, a normal passenger road vehicle is not expected to travel cross-country at high speed.
Example: operational situations include visibility, road surface traction, road surface unevenness, road surface bank angle change, road surface pitch change, objects in the path of the vehicle, objects on a trajectory intersecting the path of the vehicle, and the relative velocity of the vehicle and the object it is approaching, relative to the distance (gap).
Only the item without any safety mechanism shall be evaluated during situation analysis and hazard identification (i.e. safety mechanisms intended to be implemented, or already implemented in predecessor systems, shall not be considered as a means of providing risk reduction).

VI – Concept phase (Part 3)
b) Hazard classification
- Estimation of the potential severity. The severity of the potential harm shall be estimated. The severity shall be assigned to one of the severity classes S0, S1, S2 or S3 in accordance with the following table.
The severity class can be based on a combination of injuries, and this can lead to a higher evaluation of S than would result from looking at single injuries.

VI – Concept phase (Part 3)
Severity classes (reference for single injuries from the AIS scale; examples are informative):
- S0: No injuries. Reference: AIS 0; damage that cannot be classified as safety-related, e.g. bumps with roadside infrastructure. Examples: pushing over roadside infrastructure, e.g. a post or fence; light collision; light grazing damage; damage while entering or leaving a parking space; leaving the road without collision or rollover.
- S1: Light and moderate injuries. Reference: more than 10% probability of AIS 1-6 (and not S2 or S3). Examples: side collision, e.g. crashing into a tree (impact to the passenger cell), Δv < 15 km/h; side collision with a passenger car (impact to the passenger cell), Δv < 15 km/h; rear/front collision between two passenger cars, Δv < 20 km/h; scrape collision with little vehicle-to-vehicle overlap (< 10%).
- S2: Severe injuries, possibly life-threatening, survival probable. Reference: more than 10% probability of AIS 3-6 (and not S3). Examples: side collision into a tree (impact to the passenger cell), 15 km/h < Δv < 25 km/h; side collision with a passenger car (impact to the passenger cell), 15 km/h < Δv < 35 km/h; rear/front collision between two passenger cars, 20 km/h < Δv < 40 km/h; under-riding a truck without deformation of the passenger cell; pedestrian/bicycle accident inside a built-up area, e.g. during a turning manoeuvre.
- S3: Life-threatening injuries (survival uncertain) or fatal injuries. Reference: more than 10% probability of AIS 5-6. Examples: side collision into a tree (impact to the passenger cell), Δv > 25 km/h; side collision with a passenger car (impact to the passenger cell), Δv > 35 km/h; rear/front collision between two passenger cars, Δv > 40 km/h; roof or side collision with considerable deformation; under-riding a truck with deformation of the passenger cell; pedestrian/bicycle accident outside a built-up area.

VI – Concept phase (Part 3)
AIS: Abbreviated Injury Scale

VI – Concept phase (Part 3)
b) Hazard classification
- Estimation of the probability of exposure. The probability of exposure of each operational situation shall be estimated. The probability of exposure shall be assigned to one of the probability classes E0, E1, E2, E3 or E4 in accordance with the following table:
  - E0: incredible
  - E1: very low probability
  - E2: low probability
  - E3: medium probability
  - E4: high probability
The number of vehicles equipped with the item shall not be considered when estimating the probability of exposure. The hazard analysis and risk assessment is performed for individual vehicles equipped with the item.

VI – Concept phase (Part 3)
Illustration: classes of probability of exposure by duration, with informative examples of driving situations. The definition is the proportion of the average operating time spent in the situation.
- E1, very low probability: duration not specified. Examples: highway, lost cargo/obstacle on the road; mountain pass, driving downhill with the engine off; jump start; garage, vehicle on a roller rig.
- E2, low probability: less than 1% of the average operating time. Examples: pulling a trailer; driving with a roof rack; driving on a mountain pass with an unsecured steep slope; snow and ice; driving backwards; city driving, driving backwards; city driving, parking situation; country road, crossing; country road, snow and ice; country road, slippery/leaves; highway, entering; highway, exit; highway, approaching the end of a congestion; parking, sleeping person in the vehicle; parking, parking with a trailer; garage, diagnosis; garage, vehicle on an auto lift.
- E3, medium probability: 1% to 10% of the average operating time. Examples: fuelling; overtaking; car wash; tunnels; hill hold; night driving on roads without streetlights; wet roads; congestion; city driving, one-way street; highway, heavy traffic/stop and go.
- E4, high probability: more than 10% of the average operating time. Examples: accelerating; braking; steering; parking; driving on highways; driving on secondary roads; city driving, changing lane; city driving, stopping at traffic lights; country road, free driving; highway, free driving; highway, changing lane; parking, parking lot.

VI – Concept phase (Part 3)
Illustration: classes of probability of exposure by frequency, with informative examples of driving situations.
- E1, very low probability: situations that occur less often than once a year for the great majority of drivers. Examples: stop at a railway crossing which requires the engine to be restarted; towing; jump start.
- E2, low probability: situations that occur a few times a year for the great majority of drivers. Examples: pulling a trailer, driving with a roof rack; driving on a mountain pass with an unsecured steep slope; driving situation with a deviation from the desired path; snow and ice.
- E3, medium probability: situations that occur once a month or more often for an average driver. Examples: fuelling; overtaking; tunnels; hill hold; car wash; wet roads; congestion.
- E4, high probability: all situations that occur during almost every drive on average. Examples: starting; shifting gears; accelerating; braking; steering; using indicators; parking; driving backwards.

VI – Concept phase (Part 3)
b) Hazard classification
- Estimation of controllability. The controllability by the driver or other traffic participants shall be estimated. The controllability shall be assigned to one of the controllability classes C0, C1, C2 or C3 in accordance with the following table.
The evaluation of the possibilities of avoiding a specific harm, that is the controllability, is an estimation of the probability that the driver or other endangered persons are able to gain control of the hazardous event that is arising and are able to avoid the specific harm.

VI – Concept phase (Part 3)
Controllability classes, with informative examples:
- C0, controllable in general. Examples: unexpected increase in radio volume; situations that are considered distracting; unavailability of a driver assistance system.
- C1, simply controllable: 99% or more of all drivers or other traffic participants are usually able to avoid a specific harm. Examples: when starting the vehicle with a locked steering column, the car can be brought to a stop by almost all drivers early enough to avoid a specific harm to persons nearby; a faulty adjustment of the seats while driving can be controlled by almost all drivers by bringing the vehicle to a stop.
- C2, normally controllable: 90% or more of all drivers or other traffic participants are usually able to avoid a specific harm. Examples: the driver can normally avoid departing from the lane in case of a failure of the ABS during emergency braking; the driver is normally able to avoid departing from the lane in case of a motor failure at high lateral acceleration (motorway exit); the driver is normally able to bring the vehicle to a stop in case of a total lighting failure at medium or high speed on an unlit country road, without departing from the lane in an uncontrolled manner; the driver is normally able to avoid hitting an unlit vehicle on an unlit country road.
- C3, difficult to control or uncontrollable: less than 90% of all drivers or other traffic participants are usually able, or barely able, to avoid a specific harm. Examples: wrong steering with high angular speed at medium or high vehicle speed can hardly be controlled by the driver; the driver normally cannot avoid departing from the lane on snow or ice in a bend in case of a failure of the ABS during emergency braking; the driver normally cannot bring the vehicle to a stop if a total loss of braking performance occurs; in the case of a faulty airbag release at moderate or high vehicle speed, the driver usually cannot prevent the vehicle from departing from the lane.

VI – Concept phase (Part 3)
c) ASIL classification
An ASIL shall be determined for each hazardous event using the estimation parameters severity (S), probability of exposure (E) and controllability (C), in accordance with the following table (QM, quality management, being the lowest level: no ISO 26262 safety requirement applies).
The work product of the ASIL determination shall include the operational situations and operating modes with their severity, probability of exposure, controllability and the resulting ASIL.

VI – Concept phase (Part 3)
c) ASIL classification
[Figure: one hazard evaluated in two scenarios. Scenario 1: exposure y, controllability x, accident z, giving ASIL A. Scenario 2: exposure v, controllability u, accident w, giving ASIL B. The ASIL retained for the hazard is max(ASIL A, ASIL B).]
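The determination step and the two-scenario figure above, as an added worked example that is not part of the training slides. The S/E/C-to-ASIL mapping is the one published in ISO 26262-3 (Table 4 in the 2011 edition); the slides cite the table without reproducing it, so check the values against the edition you work to. The additive closed form is a property of that published table used here only as a cross-check, not a rule stated by the standard. The hazardous events, names and the `HazardousEvent` helper are constructed for illustration.

```python
"""ASIL determination per hazardous event and per safety goal.

Added example, not from the ISO 26262 training slides.  The S/E/C -> ASIL
table is reproduced from ISO 26262-3:2011, Table 4; verify it against the
edition in use.  Sample events below are constructed, not from a real
hazard analysis.
"""
from dataclasses import dataclass
from enum import IntEnum


class ASIL(IntEnum):
    QM = 0   # quality management only: no ISO 26262 safety requirement
    A = 1
    B = 2
    C = 3
    D = 4


# ISO 26262-3:2011, Table 4, indexed [S][E]; the string holds the entries
# for C1, C2, C3 in that order.  S in 1..3, E in 1..4.
_TABLE4 = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}


def asil_from_sec(s: int, e: int, c: int) -> ASIL:
    """Map one hazardous event's S, E, C classes to an ASIL.

    A class of S0, E0 or C0 means no ASIL is assigned to the event (QM).
    Out-of-range classes are rejected rather than silently clamped.
    """
    for name, value, top in (("S", s, 3), ("E", e, 4), ("C", c, 3)):
        if not 0 <= value <= top:
            raise ValueError(f"{name}{value} is not a valid class (0..{top})")
    if 0 in (s, e, c):
        return ASIL.QM
    return ASIL[_TABLE4[s][e].split()[c - 1]]


def asil_additive(s: int, e: int, c: int) -> ASIL:
    """Closed form equivalent to Table 4: S+E+C-6 gives 1..4 for A..D,
    anything <= 0 is QM.  Used only to cross-check the table (assumption
    verified below, not a rule from the standard)."""
    if 0 in (s, e, c):
        return ASIL.QM
    return ASIL(max(0, s + e + c - 6))


@dataclass(frozen=True)
class HazardousEvent:
    situation: str   # operational situation / operating mode
    hazard: str      # malfunctioning behaviour considered
    s: int
    e: int
    c: int

    @property
    def asil(self) -> ASIL:
        return asil_from_sec(self.s, self.e, self.c)


def safety_goal_asil(events) -> ASIL:
    """A safety goal covering several hazardous events (the slide's
    scenarios 1 and 2) takes the highest ASIL among them."""
    return max((ev.asil for ev in events), default=ASIL.QM)


def classify(events):
    """Rows of the ASIL-determination work product:
    (situation, hazard, S, E, C, ASIL)."""
    return [(ev.situation, ev.hazard, ev.s, ev.e, ev.c, ev.asil.name)
            for ev in events]


# Constructed sample: one hazard (unintended braking) in two situations.
SAMPLE_EVENTS = [
    HazardousEvent("highway, free driving", "unintended braking", s=3, e=4, c=2),
    HazardousEvent("parking lot, low speed", "unintended braking", s=1, e=4, c=1),
]

if __name__ == "__main__":
    for row in classify(SAMPLE_EVENTS):
        print(row)
    print("safety goal ASIL:", safety_goal_asil(SAMPLE_EVENTS).name)
```

Run stand-alone, the highway event rates C and the parking-lot event QM, so the safety goal for unintended braking is ASIL C. Keeping S, E and C in the work product rows, rather than only the resulting ASIL, is what lets a confirmation reviewer (Part 2, independence I3 for the hazard analysis) re-derive each rating.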

[Figure: risk graph. Inputs: the probability per hour of runtime of exposure to a driving situation where an accident can potentially happen (always / sometimes / rarely / very rarely), the severity of the possible accident, and the risk reduction external to the technical system, e.g. the driver controls the situation. Output: the risk is rated not acceptable / tolerable / acceptable, and the safety class (ASIL A to D) that the reliability of the system and the absence of systematic faults must achieve.]
