ISO 26262 Update On Development Of The Standard - NMI


ISO 26262: Update on development of the standard
Dr David Ward, Senior Technical Manager, Functional Safety
January 2017
HORIBA MIRA Ltd. 2017

Agenda
- Why update ISO 26262?
- What is the process for updating the standard?
- Current status of Edition 2 draft and key changes
- Wider standardization activities
- Conclusion and outlook

A frequently asked question
- ISO 26262 was officially published on 15 November 2011
- Almost immediately, on 16 November 2011: "What's going to be in Edition 2 of the standard?"

Why update ISO 26262?
- Specific requirements to adapt ISO 26262 to:
  - Extend scope to other types of vehicles (motorcycles, trucks, buses)
    o Motorcycles: ISO/PAS 19695 and new Part 12 in Edition 2
  - Give additional guidance on semiconductor devices
    o ISO/PAS 19451 and new Part 11 in Edition 2
  - Address ADAS-related hazards caused by "normal operation" of the sensors
    o Currently will be developed as a separate PAS (ISO/PAS 21448)
- Other challenges include:
  - Addressing highly distributed architectures
  - Moves towards highly automated vehicles
  - Cybersecurity

Timescales for the revision (simplified)
- ISO timescales
  - Require at least 3 years from first publication before revision starts
  - Specific needs will be addressed earlier in a PAS (Publicly Available Specification)
- Likely timescale for full Edition 2 is 2018, based on a 36-month project
- Timescales are approximate and may be subject to change!
- (timeline figure) Preparation from January 2016 -> CD ballot -> comments processing from September 2016 -> DIS ballot -> DIS comments processing (we are here! The DIS comments are being processed) -> next milestone September

Key changes being considered for Edition 2
- Disclaimer: the DIS, although publicly available, is still a draft and many of the concepts are still subject to discussion and change!
- Key changes to be covered today include:
  - Structure of the standard
  - Extensions to other types of vehicles
  - Vocabulary: definition of FTTI
  - Safety management: process aspects, confirmation measures, link to cybersecurity
  - Concept phase: item definition, low probability situations, examples
  - Product development at the hardware level
  - Product development at the software level
  - Supporting processes
  - Semiconductors

The structure of ISO 26262 Edition 2 (figure)
- Part 1 Vocabulary
- Part 2 Management of functional safety (safety management aspects merged in from Parts 3 to 6; safety assessment moved to Part 2)
- Part 3 Concept phase
- Part 4 Product development: system level
- Part 5 Product development: hardware level
- Part 6 Product development: software level
- Part 7 Production, operation, service and decommissioning
- Part 8 Supporting processes (new processes for T&B)
- Part 9 ASIL-oriented and safety-oriented analyses
- Part 10 Guideline on ISO 26262 (informative)
- Part 11 Guideline on application of ISO 26262 to semiconductors (informative)
- Part 12 Adaptation of ISO 26262 for motorcycles

Summary of additions and modifications to ISO 26262 Edition 2, as at DIS version (1)
- Scope update to include motorcycles and trucks and buses (T&B)
  - New Part 12 for motorcycles (merge in of ISO/PAS 19695)
  - T&B requirements integrated into existing Parts
- New Part 11: guideline for semiconductors (merge in of ISO/PAS 19451)
- All other Parts have been modified
- Functional safety assessment now focused on achieving the "Objectives" clauses
  - "Objectives" clauses have been improved throughout
- Functional safety management from Parts 3 to 6 merged into Part 2
  - Reference to "refined" work products generally removed

Summary of additions and modifications to ISO 26262 Edition 2, as at DIS version (2)
- Cybersecurity remains out of scope
  - High-level informative guidance for the safety practitioner in Part 2
  - New joint SAE/ISO WG11 will develop a new cybersecurity standard
- Safety of the Intended Functionality (SOTIF), e.g. automated features, not explicitly included
  - Though an NWIP (new work item proposal) has been initiated to continue this activity; it will be part of WG8 (ISO/PAS 21448)
- Definition of the entries in the tables of methods updated:
  - For consecutive entries, all listed highly recommended and recommended methods in accordance with the ASIL apply. It is allowed to substitute a highly recommended or recommended method by other one(s) not listed in the table, but a rationale shall be given that these comply with the corresponding requirement. A recommended method may be omitted, but a rationale why this method is omitted shall be given.

What types of vehicles are in the future scope of ISO 26262?

Class of vehicle    In scope?      Status
L1/L2               Excluded
L3/L4/L5            In scope       PAS; Part 12
L6/L7               Not defined
M1                  In scope       Edition 1
M2/M3               In scope       Integration into Edition 2
N1/N2/N3            In scope       Integration into Edition 2
O1/O2/O3            In scope       Integration into Edition 2
Other categories    Not defined

- Now proposed to replace "series production" with "production road vehicles"
- Production road vehicle: a passenger car, T&B or motorcycle whose intended use is for public highways and which is not a prototype

Trucks and buses
- Unlike motorcycles, truck and bus requirements are integrated into the main Parts of the standard, e.g.:
  - Some specific requirements for hazard analysis and risk assessment
    o Management of variants in performing the analysis
    o Integration of truck and bus examples in the tables of Annex B
  - New supporting processes for
    o Development of a base vehicle for an application out of scope of ISO 26262
    o Integration of safety elements developed out of scope of ISO 26262

Fault tolerant time interval (figure: no safety mechanism implemented)
- Timeline: normal operation -> fault -> hazardous event develops -> hazardous event
- The fault tolerant time interval spans from the fault to the hazardous event

Fault tolerant time interval (figure: safety mechanism implemented)
- Upper timeline (no safety mechanism): normal operation -> fault -> hazardous event develops -> hazardous event; fault tolerant time interval from fault to hazardous event
- Lower timeline (safety mechanism implemented): normal operation -> fault -> undetected fault -> fault detection -> transition to safe state -> safe state
- Diagnostic test time intervals are shown along the timeline; the fault detection time interval runs from fault to detection, the fault reaction time interval from detection to safe state

Fault tolerant time interval (figure: safety mechanism implemented with emergency operation)
- Upper timeline (no safety mechanism): normal operation -> fault -> hazardous event develops -> hazardous event; fault tolerant time interval from fault to hazardous event
- Lower timeline: normal operation -> fault -> undetected fault -> fault detection -> transition to emergency operation -> emergency operation -> safe state
- Diagnostic test time intervals are shown along the timeline; fault detection time interval from fault to detection; fault reaction time interval from detection to emergency operation; emergency operation time interval from entering emergency operation to reaching the safe state

FTTI: fundamentally the same as Edition 1
- Modified definition:
  - "Minimum time span from occurrence of a fault in an item to occurrence of a hazardous event could occur [typo in the DIS text!], if a safety mechanism is not activated"
- FTTI considered/defined without safety mechanisms of the item
  - "Fault handling time interval" introduced to define time limits at element level
- FTTI stated as an attribute of the safety goal at item level
  - See Notes in Part 1 Clause 3.58 and Part 3 Clause 6.4.4.2

Fault detection time interval (FDTI) and fault reaction time interval (FRTI)
- Fault detection time interval (FDTI)
  - Time span from the occurrence of a fault to the detection of the fault
  - Determined independently of the diagnostic test interval
- Fault reaction time interval (FRTI)
  - Time span from the detection of a fault to reaching the safe state or to reaching emergency operation
- (figure) Timeline: normal operation -> fault -> undetected fault -> fault detection -> transition to safe state -> safe state; diagnostic test time intervals shown along the timeline; FDTI from fault to detection; FRTI from detection to safe state; fault handling time interval = FDTI + FRTI

Partitioning of FTTI in requirements hierarchy
- FTTI at item level
- FDTI and FRTI specified as part of the safety concept (FSC and/or TSC)
- FDTI and FRTI partitioned and allocated to system, hardware or software elements
  - Verified against the parent
- (figure) Hierarchy: FTTI (SG) -> FDTI (FSC) and FRTI (FSC); FDTI (FSC) -> FDTI (TSC SW) and FDTI (TSC HW); FRTI (FSC) -> FRTI (TSC SW) and FRTI (TSC HW)
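The hierarchy above (FTTI at the safety goal, FDTI/FRTI at the FSC, partitioned to TSC hardware and software elements and verified against the parent) is the kind of thing that drifts silently as requirements are edited. The following added example, hypothetical code that is neither from the standard nor from HORIBA MIRA, checks such a budget mechanically. The slide does not say how child allocations combine; the code assumes a serial chain (a hardware monitor latches an error, software reads it and reacts), so child intervals are summed against the parent, and it assumes that the worst-case latency of a periodic diagnostic is one full diagnostic test interval plus one test execution. Both assumptions are labelled in the code and all numbers are constructed.

```python
"""Consistency check for an FTTI / FDTI / FRTI timing budget.

Added example: hypothetical code, not from ISO 26262 or HORIBA MIRA.
All times are in milliseconds. Assumptions (not stated on the slide):
  * elements allocated under one parent form a serial chain, so their
    allocated intervals are summed against the parent's budget; for
    redundant channels that detect independently, use max() instead;
  * the worst-case detection latency of a periodic diagnostic is one full
    diagnostic test interval plus the execution time of one test run.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Budget:
    """FDTI/FRTI allocation at one level (FSC, or a TSC HW/SW element)."""
    name: str
    fdti_ms: float
    frti_ms: float
    children: List["Budget"] = field(default_factory=list)

    @property
    def fhti_ms(self) -> float:
        """Fault handling time interval at this level = FDTI + FRTI."""
        return self.fdti_ms + self.frti_ms


@dataclass
class SafetyGoal:
    """Item-level safety goal carrying the FTTI, plus the FSC allocation."""
    name: str
    ftti_ms: float
    fsc: Budget
    diag_test_interval_ms: Optional[float] = None  # assumed: period of the detecting diagnostic
    diag_exec_ms: float = 0.0                      # assumed: run time of one diagnostic execution


def _check_partition(parent: Budget, violations: List[str]) -> None:
    """Recursively verify that children fit within the parent's allocation."""
    if not parent.children:
        return
    fdti_sum = sum(c.fdti_ms for c in parent.children)  # serial-chain assumption
    frti_sum = sum(c.frti_ms for c in parent.children)
    if fdti_sum > parent.fdti_ms:
        violations.append(
            f"{parent.name}: child FDTI sum {fdti_sum} ms exceeds FDTI {parent.fdti_ms} ms")
    if frti_sum > parent.frti_ms:
        violations.append(
            f"{parent.name}: child FRTI sum {frti_sum} ms exceeds FRTI {parent.frti_ms} ms")
    for child in parent.children:
        _check_partition(child, violations)


def verify_budget(sg: SafetyGoal) -> List[str]:
    """Return a list of violations; an empty list means the budget is consistent."""
    violations: List[str] = []
    # Item level: detection plus reaction must complete strictly before the
    # hazardous event could occur, i.e. FHTI(FSC) < FTTI(SG).
    if sg.fsc.fhti_ms >= sg.ftti_ms:
        violations.append(
            f"{sg.name}: FDTI+FRTI = {sg.fsc.fhti_ms} ms is not below FTTI {sg.ftti_ms} ms")
    # Diagnostic scheduling: a fault arriving just after a test run is only
    # seen one full test interval later (assumption, see module docstring).
    if sg.diag_test_interval_ms is not None:
        worst_detect = sg.diag_test_interval_ms + sg.diag_exec_ms
        if worst_detect > sg.fsc.fdti_ms:
            violations.append(
                f"{sg.name}: worst-case detection latency {worst_detect} ms "
                f"exceeds FDTI {sg.fsc.fdti_ms} ms")
    # Requirements hierarchy: FSC -> TSC elements, each verified against its parent.
    _check_partition(sg.fsc, violations)
    return violations


def example_budget(fsc_frti_ms: float = 100.0) -> SafetyGoal:
    """Constructed sample: one safety goal, FSC split into TSC HW and TSC SW."""
    tsc_hw = Budget("TSC HW", fdti_ms=30.0, frti_ms=40.0)
    tsc_sw = Budget("TSC SW", fdti_ms=50.0, frti_ms=60.0)
    fsc = Budget("FSC", fdti_ms=80.0, frti_ms=fsc_frti_ms, children=[tsc_hw, tsc_sw])
    return SafetyGoal("SG-1", ftti_ms=200.0, fsc=fsc,
                      diag_test_interval_ms=20.0, diag_exec_ms=5.0)


if __name__ == "__main__":
    for problem in verify_budget(example_budget()) or ["budget consistent"]:
        print(problem)
    # Raising FRTI(FSC) to 130 ms pushes FDTI+FRTI to 210 ms, past the 200 ms FTTI.
    for problem in verify_budget(example_budget(fsc_frti_ms=130.0)):
        print(problem)
```

The strict inequality at item level reflects the FTTI definition as the minimum time to the hazardous event; a real budget would also carry an explicit margin. Swapping `sum` for `max` in `_check_partition` is the only change needed if the TSC elements are independent redundant channels rather than a chain.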

Functional safety management
- Many "planning" activities being moved into Part 2 so that most process-related requirements are in that Part
- Key new requirement to create and maintain effective communication channels between functional safety and other disciplines that are related to functional safety
  - Cybersecurity is the key activity, but other disciplines can also be related
- New Annex showing example interfaces between functional safety and cybersecurity
  - Does not mention specific cybersecurity work products
  - Some examples included in Part 4; comments on DIS to put similar content into Part 6
- Revisions to confirmation reviews: now much more focused on "assessment" style than simply a tick-box exercise
- Safety case now explicitly required to be an argument

Confirmation measures: independence requirements (ISO/DIS 26262:2018 Part 2 Table 1)

Confirmation measure                              QM    ASIL A  ASIL B  ASIL C  ASIL D
Impact analysis                                   I3    I3      I3      I3      I3
Hazard analysis                                   I3    I3      I3      I3      I3
Safety plan                                       -     I1      I1      I2      I3
Functional safety concept                         -     I1      I1      I2      I3
Technical safety concept                          -     I1      I1      I2      I3
Item integration and verification specification   -     I0      I1      I2      I2
Safety validation specification                   -     I0      I1      I2      I2
Safety analyses (FMEA, FTA, etc.)                 -     I1      I1      I2      I3
Completeness of safety case                       -     I1      I1      I2      I3
Functional safety audit                           -     I0      I0      I2      I3
Functional safety assessment                      -     I0      I1      I2      I3

Key: I0 = no requirement regarding independence; I1 = performed by a different person; I2 = by a person from a different team; I3 = by a person from a different department or organization. "-" = no entry on the slide for QM.

Requirements for T&B in Parts 2 and 8: interfaces and integration to other standards/domains
- Integration of an ISO 26262 developed item into a vehicle out of scope (Part 8 Clause 15)
  - Safety goals of the item/vehicle are not violated in the other domain
  - e.g. brake "item" developed to ISO 26262 used in agricultural equipment
- Item integration with other systems/subsystems that are not developed to ISO 26262 (Part 8 Clause 16)
  - e.g. subsystem supplier develops to ISO 13849
- (figure caption) Application according to ISO 26262

Concept phase
- Still some debate over the meaning of "item" definition vs "function" definition
- Previous proposal to include a new class E0* for a combination of rare events (e.g. EV crashes, ends up in a lake and HV is exposed)
  - E0* not included in DIS; instead, possibility to reduce {S3, C3, E1} from ASIL A to QM if an additional argument is provided
- Annex B tables shortened to emphasize that they are examples

Product development at the hardware level
- Evaluation of safety goal violations due to random hardware failures
  - Probabilistic metric (PMHF / Method 1)
    o Possibility to increase target values by up to one order of magnitude for items composed of multiple systems
  - Previous proposal for a new "residual risk assessment method" was withdrawn
- Example architectures for fault tolerant implementations

Example of PMHF budget assignment for an item consisting of two systems (Annex G)
- Provides an example procedure for budgeting PMHF across two systems which both contribute to the same safety goal
- Considers an example item architecture with two systems
- Provides an example PMHF target allocation
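To make the budgeting idea concrete, here is an added example of a two-system PMHF allocation. It is hypothetical code, not the Annex G procedure and not HORIBA MIRA's, and it uses a deliberately simplified model: each system's contribution is approximated by its single-point and residual fault rates, sum(lambda_i * (1 - DC_i)), with latent multiple-point contributions ignored. The item-level targets are the Edition 1 Part 5 Table 6 values (ASIL D below 10^-8/h, ASIL C and B below 10^-7/h); the `relaxation` factor models the DIS option mentioned two slides back of raising the target by up to one order of magnitude for an item composed of multiple systems. The failure rates and shares are constructed numbers.

```python
"""PMHF budget for an item built from two systems that serve one safety goal.

Added example: hypothetical numbers and a deliberately simplified model, not
the Annex G text. Failure rates are in FIT (1 FIT = 1e-9 failures/hour).
Simplification: a system's PMHF contribution is approximated by the
single-point and residual fault rates sum(lambda_i * (1 - DC_i)); latent
multiple-point fault contributions are ignored.
"""
from typing import Dict, List, Tuple

FIT = 1e-9  # failures per hour

# Item-level PMHF targets in failures per hour (ISO 26262-5:2011 Table 6).
PMHF_TARGET = {"ASIL D": 1e-8, "ASIL C": 1e-7, "ASIL B": 1e-7}


def system_pmhf(elements: List[Tuple[float, float]]) -> float:
    """Approximate PMHF (per hour) of one system.

    elements: (failure_rate_fit, diagnostic_coverage) per safety-related element;
    DC = 0 models a single-point fault, DC close to 1 a well-covered residual.
    """
    for _, dc in elements:
        if not 0.0 <= dc <= 1.0:
            raise ValueError("diagnostic coverage must lie in [0, 1]")
    return sum(lam * FIT * (1.0 - dc) for lam, dc in elements)


def item_target(asil: str, relaxation: float = 1.0) -> float:
    """Target for the whole item.

    relaxation > 1 models the DIS option of raising the target by up to one
    order of magnitude for an item made of several systems (slide text).
    """
    if not 1.0 <= relaxation <= 10.0:
        raise ValueError("relaxation must be between 1 (none) and 10 (one order of magnitude)")
    return PMHF_TARGET[asil] * relaxation


def allocate(target: float, shares: Dict[str, float]) -> Dict[str, float]:
    """Split the item target across systems by fraction (shares must sum to 1)."""
    if abs(sum(shares.values()) - 1.0) > 1e-9:
        raise ValueError("shares must sum to 1")
    return {name: target * share for name, share in shares.items()}


def evaluate(asil: str, systems: Dict[str, List[Tuple[float, float]]],
             shares: Dict[str, float], relaxation: float = 1.0) -> Dict[str, bool]:
    """Per-system budget check plus the item-level check (key 'item')."""
    budgets = allocate(item_target(asil, relaxation), shares)
    result = {name: system_pmhf(elems) <= budgets[name] for name, elems in systems.items()}
    total = sum(system_pmhf(elems) for elems in systems.values())
    result["item"] = total <= item_target(asil, relaxation)
    return result


# Constructed sample item: system A (sensing/control ECU) and system B
# (actuator drive) both contribute to one ASIL D safety goal.
SAMPLE_SYSTEMS = {
    "A": [(100.0, 0.99), (20.0, 0.90)],  # 1 FIT + 2 FIT residual -> 3 FIT
    "B": [(50.0, 0.90), (5.0, 0.0)],     # 5 FIT residual + 5 FIT single-point -> 10 FIT
}
SAMPLE_SHARES = {"A": 0.4, "B": 0.6}     # 40 % / 60 % of the item target

if __name__ == "__main__":
    # At the plain ASIL D target (10 FIT) system B and the item both fail.
    print(evaluate("ASIL D", SAMPLE_SYSTEMS, SAMPLE_SHARES))
    # With a factor-2 relaxation (20 FIT target, within the one-order-of-magnitude
    # option) every check passes.
    print(evaluate("ASIL D", SAMPLE_SYSTEMS, SAMPLE_SHARES, relaxation=2.0))
```

The per-system checks and the item-level check are kept separate on purpose: a system can sit inside its own share while the item as a whole still misses the target if the shares were allocated against a relaxed figure that the safety case does not justify.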

ISO 26262 Part 6 reference phase model (figure)
- 6-5 Initiation of product development at the software level
- 6-6 Specification of software safety requirements
- 6-7 Software architectural design
- 6-8 Software unit design and implementation
- 6-9 Software unit verification
- 6-10 Software integration and verification
- 6-11 Testing of the embedded software
- Interfaces to Part 4: 4-7 System design and 4-8 Item integration and testing
- Each design phase on the left-hand side of the V is paired with a verification activity (design phase verification, software analysis and testing) and each test phase on the right-hand side with test phase verification (software testing, item testing)

Part 6 Annexes (expanded Annex B, new Annex E)
- Annex B (informative) rewritten and expanded to cover wider aspects of model-based development approaches (not only code generation)
- New Annex E (informative) "Application of safety analyses and analyses of dependent failures at the software architectural level" (Figure E.1 describes the restructure of clause 6.4.1)

Supporting processes: Part 8
- Clause 11: confidence in the use of software tools
  - New proposals were introduced in the CD, including a further TI level to apply to verification tools
  - Agreement wasn't reached, so for the DIS the text reverts to the Edition 1 scheme
  - This may however be revisited in a future Edition
- Clause 13: qualification of hardware components
  - New approach to defining "complexity"
  - This is likely to be further developed during the DIS/FDIS phase

Confidence in the use of software tools (Clause 11)
- (figure) Simplified overview of tool confidence activities

Evaluation of hardware elements (Clause 13)
- Clause 13 heading changed from "Qualification of hardware components" to "Evaluation of hardware elements"
- The objective has been expanded to include COTS hardware components/parts or custom hardware components/parts that are not developed to ISO 26262 (or do not achieve compliance with ISO 26262)
- New approach to defining "complexity" in terms of Class of element
  - Class I: the element has no or few states and can be tested; all safety-related failure modes can be evaluated without detailed knowledge of the element; it has no internal safety mechanisms
  - Class II: the element has a manageable state space and can be analysed; documented systematic faults; no internal safety mechanisms
  - Class III: the element has a state space that is impossible to analyse; sources of systematic faults are only understood with detailed knowledge of development/production; the element has internal safety mechanisms

Semiconductors
- Common topics:
  - Intellectual property
  - Base failure rate estimation
  - Semiconductor dependent failures analysis
  - Fault injection
  - Production and operation
  - Interfaces within distributed developments
  - Confirmation measures and functional safety audit
  - Clarification of hardware integration and testing
- Specific semiconductor technologies and use cases:
  - Digital components and memories
  - Analogue/mixed signal components
  - Programmable logic devices
  - Multi-core components
  - Sensors and transducers

Motorcycles
- Part 12 contains requirements for:
  - Functional safety management (concept phase and product development)
    o Maximum I2 independence
    o Reference to cybersecurity removed; several national comments on the DIS object to this
  - Hazard analysis and risk assessment
    o Use of MSILs
    o Example tables
- Chapters from the PAS on vehicle integration and testing and on safety validation have been re-included in Part 12 as at the DIS version
- UK has argued for deeper integration, but this has been rejected by the motorcycle lobby

What are the challenges we perceive?
- Differing approaches to interpreting and applying the standard still exist globally
- Discussions on cybersecurity highlight the narrow focus of ISO 26262 compared to system safety and wider issues of system dependability
- Some issues associated with autonomous vehicles have been acknowledged, but it is unlikely the standard will fully address autonomy in the timescales being discussed for their deployment
  - Availability requirements and SOTIF are a start, however
- Vision for 2025 (personal opinion!)
  - Edition 3 of ISO 26262?
  - Majority of cars on the road will have at least one SAE Level 1 (or above) application
  - Level 3 systems will become more prevalent, along with new entrants / new modes

Conclusions
- ISO 26262 is already well established as the "state of the art" in development of automotive safety-related systems
- Still some variance in actual practice
- Edition 2 is under preparation, addressing some of the issues in application of Edition 1 and future trends
- Further work remains to be done, particularly addressing wider issues, for example:
  - System assurance
  - Highly automated vehicles

Contact details
Dr David Ward MA (Cantab), PhD, CEng, CPhys, MInstP, MIEEE, MSAE
Senior Technical Manager, Functional Safety
Direct T: (024) 7635 5430
E: david.ward@horiba-mira.com
HORIBA MIRA Ltd, Watling Street, Nuneaton, Warwickshire, CV10 0TU, UK
T: (024) 7635 5000
F: (024) 7635 8000
www.horiba-mira.com
