
15 years of consulting

Functional Safety with ISO 26262

Dr. Christof Ebert, 18 October 2016

V1.0 | 2016-10-18
Welcome
Vector Consulting Services

- … supports clients worldwide in improving their product development and IT and with interim management
- … with clients such as Accenture, Audi, BMW, Bosch, Daimler, Ford, Huawei, Hyundai, IBM, Lufthansa, Munich RE, Porsche, Siemens, Thales, Toyota and ZF
- … offers with the Vector Group a portfolio of tools, software components and services
- … is as Vector Group globally present with 1500 employees and well over 300 Mio. € sales

Industries served: Automotive, Aerospace, IT & Finance, Industry, Medical, Railway

www.vector.com/consulting
2/35 © 2016. Vector Consulting Services GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.0 | 2016-10-18
Agenda

- Welcome
- Challenges and Concepts (this section)
- Vector Safety Experiences
- Conclusions and Outlook
Challenges and Concepts
Vector Client Survey on Industry Trends

[Chart: share of respondents (0% to 70%) naming each topic as a current challenge vs. a mid-term challenge: Safety and Security, Efficiency and Cost, Big Data, Complexity, Connectivity, Innovative Products, Distributed Development, Governance, Others]

Vector Client Survey 2016. Details: www.vector.com/trends. Sum > 100% because 3 answers per question were allowed. Results from all industries overlap and are thus compiled in this report. Validity is high with a >4% response rate from 1700 recipients.

Safety and security have evolved since 2015 into a major challenge.
Challenges and Concepts
Functional Safety Challenge: Complexity and Competences

- Increasing number and complexity of functions
- More and more distributed development
- Rising safety, security and network requirements
- Quantity: Boost in number of systems
- Maturity: Inefficient processes and tools
- Quality: Lack of experts

[Figure: timeline 1975 to 2025 of automotive E/E functions. 1975 to 1995: electronic fuel injection, anti-lock brakes, CAN bus. 1995 to 2015: traction control, electronic stability control, gearbox control, active body control, electronic brake control, electric power steering, emergency call, tele diagnostics, head-up display, adaptive cruise control, lane assistant, stop/start automatic, emergency brake assist, hybrid and electric powertrain, CAN, FlexRay, AUTOSAR. 2015 to 2025: online software updates, Ethernet/IP backbone, gesture HMI, 3D displays, laser-sourced lighting, brake-by-wire, steer-by-wire, autonomous driving, fuel-cell technology, 5G mobile communication, cloud computing, Car2Car/Car2X, security & safety]
Challenges and Concepts
Functional Safety – Broad Exposure

- ESP: Unintended, single-sided brake effect on straight lane
- Electronic Park Brake: Unintended activation in motion
- Collision Avoidance: Acceleration instead of deceleration in traffic
- Airbag: Delayed deployment after crash detection

Exposure of practically all E/E functions → Risk of liability
Challenges and Concepts
Functional Safety – Major Risk and Cost Driver

- Problems with acceleration: Car unintentionally accelerates, thus causing personal damage (Japanese OEM)
- Problem with automatic gear control: Gear is unintentionally switched to neutral (American OEM)

Source: autoservicepraxis.de

Increasing amount of incidents → Risk of global visibility
Challenges and Concepts
Functional Safety – Wide Impact

[Figure: V-model from Idea via System Requirements Analysis, System Design, Component Requirements Analysis, Component Design and Component Implementation up through Component Integration, Component Test, System Integration and System Test. OEM and supplier activities, management activities and engineering activities are all affected by ISO 26262. Supporting processes: Project Management, Configuration Management, Requirements Management, Supplier Management, Quality Management]

Wide impact on entire life-cycle → Risk of gaps and inconsistencies
Challenges and Concepts
Functional Safety – Many Methods

Terms, from cause to effect:
- Fault: Cause of the error, e.g. code mistake
- Error: Incorrect state that may lead to a failure
- Failure: Inability to perform the required function as specified
- Hazard: Effect of a failure at system level

[Figure: faults propagate to errors and errors to failures across the system layers; the numbered marks show where each class of measure interrupts the fault → error → failure → hazard chain]

1. Fault prevention: Guidelines, Processes
2. Fault detection: Code analysis, Review, Test
3. Fault tolerance: Redundant design, Memory protection
4. Robustness: Redundant shut-off, Fail-operational

Many methods and techniques → Risk of uninformed usage
Challenges and Concepts
Functional Safety – Complex Standard

- 10 Parts
- 43 Chapters
- 100 work products
- 180 engineering methods
- 500 pages
- 600 requirements

Source: ISO 26262

Complex standard → Risk of overheads and bureaucracy
Challenges and Concepts
Liability

Product Liability (Idea): A product that is put in service must provide the level of safety which can be expected by the general public. Manufacturer's liability is excluded if a failure can not be detected using the current state of science and technology at the time the manufacturer put the product into market.

Manufacturer's Liability: The manufacturer has to organize the company in a way that design, production and documentation faults are eliminated or detected by checks.

Reversal of Evidence: The manufacturer has to show that he is not responsible for a fault.
Challenges and Concepts
Legal Liability: State of the Practice

Functional Safety

Process:
- Safety Management
- Project Management
- Risk Management
- Quality Assurance
- Requirements Mgmt.
- Configuration Mgmt.
- Test Management
- …

Technology:
- Measures against random HW failures
- Measures against systematic failures (System, HW, SW)
- Development of safety concepts
- Implementation of safety mechanisms
- …

Methods:
- FMEA, FTA
- FMEDA
- Analysis of dependent failures
- ASIL decomposition
- …

Process Maturity: Application of methodological frameworks Automotive SPICE® or CMMI

Product Development Process: ISO/TS 16949, ISO 9001
Challenges and Concepts
A Structured Approach

[Figure: ISO 26262 overview grouped into Management, Development and Supporting Processes]

Source: ISO 26262-1:2011
Challenges and Concepts
Basic Concept of ISO 26262: Risk Classification by „ASIL“

Risk = Severity x Probability

- S: Severity
- E: Exposure
- C: Controllability
- I: necessary Integrity

R = S x PE x PC x PI

ASIL: Automotive Safety Integrity Level (= required integrity of a function)

[Figure: risk level scale showing residual risk, tolerated risk and the risk added by additional E/E functions; safety functions reduce the risk of the E/E functions down to the tolerated level]

Source: IEC 61508:2010
Challenges and Concepts
Development – Example Classification Brake-by-wire-System

Failure Mode | Vehicle State | Road Condition | Environment Condition | E | C | S | ASIL
No Braking Effect | > 100 km/h | Wet | Highway | E3 | C3 | S3 | C
Unexpected Braking Effect | > 50 km/h, < 100 km/h | Dry | Main Road | E4 | C2 | S3 | C
Asymmetric Braking Effect | Parking, < 10 km/h | Dry | Side Road | E4 | C2 | S1 | A

- Exposure:
  - E3: 1-10% of average operating time
  - E4: >10% of average operation time
- Controllability (Average Driver):
  - C2: Hazardous situation is usually controllable
  - C3: Hazardous situation is usually not controllable
- Severity:
  - S1: Light to moderate injuries
  - S3: Critical injuries
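The S/E/C-to-ASIL lookup behind this table, as an added example that is not part of the slides or Vector's tooling: it implements the full ISO 26262-3 risk table (the slide shows three of its cells), cross-checks it against its additive closed form, and lists the ASIL decompositions allowed by ISO 26262-9. The hazard rows are the slide's; function and class names are my own.

```python
"""ASIL determination (ISO 26262-3) and ASIL decomposition (ISO 26262-9).

Added example; the table values are the standard's, the brake-by-wire rows
are taken from the slide, everything else is illustrative."""
from dataclasses import dataclass

# ISO 26262-3 Table 4: ASIL from severity S1..S3, exposure E1..E4 and
# controllability C1..C3 (entries listed for C1 C2 C3). "QM" = no ASIL.
ASIL_TABLE = {
    "S1": {"E1": "QM QM QM", "E2": "QM QM QM", "E3": "QM QM A", "E4": "QM A B"},
    "S2": {"E1": "QM QM QM", "E2": "QM QM A", "E3": "QM A B", "E4": "A B C"},
    "S3": {"E1": "QM QM A", "E2": "QM A B", "E3": "A B C", "E4": "B C D"},
}


def determine_asil(s: str, e: str, c: str) -> str:
    """Look up the ASIL for classes given as 'S3', 'E4', 'C2'."""
    return ASIL_TABLE[s][e].split()[int(c[1]) - 1]


def determine_asil_additive(s: str, e: str, c: str) -> str:
    """Equivalent closed form: the table is additive in the class indices
    (S + E + C = 7 -> A, 8 -> B, 9 -> C, 10 -> D, below 7 -> QM)."""
    return {7: "A", 8: "B", 9: "C", 10: "D"}.get(int(s[1]) + int(e[1]) + int(c[1]), "QM")


def table_is_consistent() -> bool:
    """Cross-check every cell of the lookup table against the additive form."""
    return all(determine_asil(s, e, c) == determine_asil_additive(s, e, c)
               for s in ASIL_TABLE for e in ASIL_TABLE[s] for c in ("C1", "C2", "C3"))


@dataclass
class HazardousEvent:
    failure_mode: str
    vehicle_state: str
    road: str
    environment: str
    s: str
    e: str
    c: str


# Rows from the slide's brake-by-wire classification.
BRAKE_BY_WIRE = [
    HazardousEvent("No braking effect", "> 100 km/h", "Wet", "Highway", "S3", "E3", "C3"),
    HazardousEvent("Unexpected braking effect", "50-100 km/h", "Dry", "Main road", "S3", "E4", "C2"),
    HazardousEvent("Asymmetric braking effect", "Parking, < 10 km/h", "Dry", "Side road", "S1", "E4", "C2"),
]


def classify(events):
    """Return (failure mode, ASIL) pairs for a list of hazardous events."""
    return [(ev.failure_mode, determine_asil(ev.s, ev.e, ev.c)) for ev in events]


# ISO 26262-9 clause 5: a requirement of the given ASIL may be split into two
# sufficiently independent requirements with these ASIL pairs; the original
# ASIL is kept in parentheses, e.g. "C(D) + A(D)".
DECOMPOSITIONS = {
    "D": [("C", "A"), ("B", "B"), ("D", "QM")],
    "C": [("B", "A"), ("C", "QM")],
    "B": [("A", "A"), ("B", "QM")],
    "A": [("A", "QM")],
}


def decompose(asil: str):
    """Allowed decomposition schemes for one ASIL, in ISO 26262-9 notation."""
    return [f"{x}({asil}) + {y}({asil})" for x, y in DECOMPOSITIONS[asil]]


if __name__ == "__main__":
    for name, asil in classify(BRAKE_BY_WIRE):
        print(f"{name}: ASIL {asil}")
    print("ASIL D decomposes as:", ", ".join(decompose("D")))
```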
Challenges and Concepts
Approaches to Risk Reduction

Risk level (ASIL)

Product measures:
- Technical measures against random HW failures: Redundancy, Diagnostics, Self-tests, …
- Technical measures against systematic system, HW and SW failures: Redundancy, Diagnostics, Self-tests, Modular HW/SW architecture, Architecture patterns, Defensive programming, …

Development process:
- Methodological measures to ensure the application of a safety-conform development process: Design methods, Analysis techniques, Test methods, Safety case, Configuration management, …

ASIL = Automotive Safety Integrity Level

Goals: Avoid failures – Make unavoidable failures safe
Challenges and Concepts
Fail-safe vs. Fail-operational

[Figure: 1: Intended operation → 2a: Failure detection and reaction → 2b: Fail-safe or Fail-operational]

Fail-safe:
- Bring the system into the fail-safe state to avoid any hazard.
- Two approaches: 1. Fail-safe by design (default); 2. Failure mitigation and transition to fail-safe state
- Sufficient for most "classic" automotive systems, often with mechanical back-up

Fail-operational:
- System remains operational
- E.g. degraded - but safe - operation mode.
- Availability of elements assuring the required safety
- Diverse / redundant architecture
- Required for continuous and automated safe operation

The safety-related system always has to be in a safe state!
Agenda

- Welcome
- Challenges and Concepts
- Vector Safety Experiences (this section)
- Conclusions and Outlook
Vector Safety Experiences
Vector Experiences – Support Throughout the Life-Cycle

[Figure: V-model (System Requirements Analysis, System Design, Component Requirements Analysis, Component Design, Component Implementation, Component Integration, Component Test, System Integration, System Test) with the safety artefacts Vector supports placed along it: Item Definition, Hazard and Risk Analysis, System Safety Concept, Qualitative Safety Analyses, Quantitative Safety Analyses, Company Processes, Safety Manual, DIA, Project Schedule, Project Verification, Validation and Safety Case]

Consistently plan and systematically maintain safety artefacts
Vector Safety Experiences
Vector Experiences – Including the Customer and Supplier

- Often insufficient information shared between OEM and Tier-1 supplier and between Tier-1 and Tier-2 suppliers concerning safety-critical functions and related hazards
- Risk that system and component design is not optimized to balance safety and costs
- Our experience shows that companies which tried more intense supplier collaboration continue to do so for all critical interfaces

[Figure: OEM, Tier-1 and Tier-2 interfaces]

Perform joint workshops on requirements and design
Vector Safety Experiences
Vector Experiences – Development Interface Agreement (DIA)

[Figure: DIA between OEM and supplier: list of relevant artefacts; minimum scope: ~60 artefacts; project specific tailoring, application and tracking]

Use the DIA for comprehensive definition of the customer/supplier interfaces. Extend the usage to non-safety-related artefacts.
Vector Safety Experiences
Vector Experiences – Performing Audits and Assessments

Safety Audit:
- Purpose: Evaluate implementation of the processes required for functional safety
- Perform periodic audits in projects
- Combine with SPICE assessments
- Perform short supplier audits before nomination, and comprehensive audits in B sample stage

Safety Assessment:
- Purpose: Evaluate achieved functional safety within the defined item for product and process
- Continuously compile the safety case as basis for the assessment
- If the OEM requests assessment by a third party, involve the third party early

Demand audit and assessment results from suppliers; consider the independence requirements for auditors and assessors.
Vector Safety Experiences
Vector Experiences – Efficient Traceability and Consistency

[Figure: traceability chain from Item Definition and HARA through safety goals, functional and technical safety concept to the test specification; every artefact links to the one it refines and carries its ASIL]

Hazard List and Risk Assessment (from Item Definition and HARA):
HZ1 | ASIL B | Hazard 1
HZ2 | ASIL D | Hazard 2
... | ... | ...

Safety Goals (determined from the hazards):
SG1 | HZ1, HZ3 | ASIL B | Safety Goal 1
SG2 | HZ2 | ASIL D | Safety Goal 2
... | ... | ... | ...

Functional Safety Requirements (Functional Safety Concept):
FSR 1 | SG1 | ASIL B | Funct. Safety Req. 1
FSR 2 | SG1 | ASIL B | Funct. Safety Req. 2
... | ... | ... | ...

Technical Safety Requirements (Technical Safety Concept):
TSR 1.1 | FSR 1 | ASIL B | Komp1 / HW/SW | Tech. Safety Req. 1.1
TSR 1.2 | FSR 1 | ASIL B | Komp1 / HW/SW | Tech. Safety Req. 1.2
... | ... | ... | ... | ...

Test specification:
TC 1 | TSR 1.1 | Test description
TC 2 | TSR 1.2 | Test description
... | ... | ...
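A consistency check over such a trace, as an added example that is neither the slides' nor PREEvision's code: it verifies that every hazard has a safety goal, that goals, FSRs and TSRs never drop below the ASIL of what they refine (which would require a documented ASIL decomposition), and that every TSR has a test case. The HZ, SG, FSR, TSR and TC identifiers and ASILs come from the slide; HZ3, FSR 3, TSR 2.1, TSR 3.1, TC 3 and TC 4 are constructed to complete the chain.

```python
"""Consistency checks for a hazard -> safety goal -> FSR -> TSR -> test trace
(added example, not from the slides or from PREEvision)."""

ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


def highest_asil(asils):
    """Highest ASIL in an iterable, QM if it is empty."""
    return max(list(asils) or ["QM"], key=ASIL_RANK.__getitem__)


# Artefacts: hazards map id -> ASIL; goals and requirements map
# id -> (ASIL, ids they refine); tests map id -> TSRs they cover.
# HZ3, FSR 3, TSR 2.1, TSR 3.1, TC 3 and TC 4 are constructed; the rest is from the slide.
HAZARDS = {"HZ1": "B", "HZ2": "D", "HZ3": "A"}
SAFETY_GOALS = {"SG1": ("B", {"HZ1", "HZ3"}), "SG2": ("D", {"HZ2"})}
FSRS = {"FSR 1": ("B", {"SG1"}), "FSR 2": ("B", {"SG1"}), "FSR 3": ("D", {"SG2"})}
TSRS = {"TSR 1.1": ("B", {"FSR 1"}), "TSR 1.2": ("B", {"FSR 1"}),
        "TSR 2.1": ("B", {"FSR 2"}), "TSR 3.1": ("D", {"FSR 3"})}
TESTS = {"TC 1": {"TSR 1.1"}, "TC 2": {"TSR 1.2"}, "TC 3": {"TSR 3.1"}, "TC 4": {"TSR 2.1"}}


def check_trace(hazards, safety_goals, fsrs, tsrs, tests):
    """Return a list of findings; an empty list means the trace is consistent."""
    findings = []
    # 1. Every hazard that carries an ASIL is addressed by at least one safety goal.
    covered = set().union(*(hzs for _, hzs in safety_goals.values()))
    for hz, asil in hazards.items():
        if asil != "QM" and hz not in covered:
            findings.append(f"{hz} (ASIL {asil}) has no safety goal")
    # 2. A safety goal carries the highest ASIL of the hazards it covers.
    for sg, (asil, hzs) in safety_goals.items():
        unknown = hzs - set(hazards)
        if unknown:
            findings.append(f"{sg} references unknown hazards {sorted(unknown)}")
        expected = highest_asil(hazards[h] for h in hzs if h in hazards)
        if ASIL_RANK[asil] < ASIL_RANK[expected]:
            findings.append(f"{sg} is ASIL {asil} but covers an ASIL {expected} hazard")
    # 3. Each goal is refined by an FSR and each FSR by a TSR; a child never
    #    carries a lower ASIL than its parent (an ASIL decomposition would have
    #    to be documented explicitly, which this simple model does not track).
    for parents, children, kind in ((safety_goals, fsrs, "FSR"), (fsrs, tsrs, "TSR")):
        refined = set().union(*(p for _, p in children.values()))
        for pid in parents:
            if pid not in refined:
                findings.append(f"{pid} is not refined by any {kind}")
        for cid, (asil, pids) in children.items():
            for pid in pids & set(parents):
                if ASIL_RANK[asil] < ASIL_RANK[parents[pid][0]]:
                    findings.append(f"{cid} is ASIL {asil} but {pid} is ASIL {parents[pid][0]}")
    # 4. Every TSR is covered by at least one test case.
    tested = set().union(*tests.values())
    findings.extend(f"{t} has no test case" for t in tsrs if t not in tested)
    return findings


def demo():
    """Clean trace first, then the same trace with two constructed defects:
    FSR 2 downgraded to ASIL A and TC 2 removed."""
    clean = check_trace(HAZARDS, SAFETY_GOALS, FSRS, TSRS, TESTS)
    broken_fsrs = {**FSRS, "FSR 2": ("A", {"SG1"})}
    broken_tests = {k: v for k, v in TESTS.items() if k != "TC 2"}
    broken = check_trace(HAZARDS, SAFETY_GOALS, broken_fsrs, TSRS, broken_tests)
    return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("slide trace:", clean or "consistent")
    for finding in broken:
        print("finding:", finding)
```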
Vector Safety Experiences
Vector Experiences – Systematic Analysis and Design

Support by Vector Consulting Services and PREEvision tool:
- Single source for item definition, based on features, requirements, operating scenarios, dependencies
- Model-based design of functional and technical safety concept, including ASIL decomposition and requirement based tests
Vector Safety Experiences
Vector Experiences – Master Necessary Analysis Methods

Functional Safety Concept
- Safety analyses: Definition of FSR „can be supported“ by safety analyses
- Dependent failure analyses: Redundancy and independence „can be checked“ by DFA

Technical Safety Concept
- Safety analyses: Avoidance of systematic failures (external sources, internal sources); Validation of the technical safety concepts (TSC); ASIL decomposition
- Dependent failure analyses: Independence (common cause failures and cascading failures); Safety function from safety mechanism

Hardware
- Safety analyses: Qualitative analyses (from part 9): Verification of hardware design, Effectiveness of safety mechanisms; (B), C, D: Quantitative analysis: Random hardware failures
- Dependent failure analyses: Allocation and design decisions; Freedom from interference (cascading failures only); Partitioning

Software Architecture
- Safety analyses: Safety mechanisms: Effectiveness, Error detection, Error handling

General
- Safety analyses: Complete safety item
- Dependent failure analyses: Focused analyses

Requirement
- Safety analyses: Confirmation reviews, Verification reviews
- Dependent failure analyses: No requirements on reviews
Vector Safety Experiences
Vector Experiences – Thorough Hazard & Risk Analysis

Support by Vector Consulting Services and PREEvision tool:
- Predefined operation scenarios and operating modes
- Automatic ASIL calculation
- Traceability of safety goals to requirements and design artefacts
Vector Safety Experiences
Vector Experiences – Consistent Support for FMEA

Support by Vector Consulting Services and PREEvision tool:
- System requirements and design data with full traceability, thus avoiding replication of the system structure in a separate FMEA tool, while achieving significant cost savings
- Automatic consistency checks to ensure coverage
Vector Safety Experiences
Vector Experiences – Security Directly Impacts Safety

Functional Safety (IEC 61508, ISO 26262):
- Hazard and risk analysis
- Functions and risk mitigation
- Safety engineering
- Security only implicitly addressed

+ Security (ISO 15408, J3061):
- Threat and risk analysis
- Abuse, misuse & confuse cases
- Security engineering: architecture, methods, data formats, functionality

[Figure: parallel safety and security chains. Safety: Op. Scenarios, Hazard, Risk Assessment → Safety Goals and Requirements → Functional and Technical Safety Concept → Safety Implementation and Verification → Safety Validation → Safety Case, Certification, Approval → Management after SOP. Security: Assets, Threats and Risk Assessment → Security Goals and Requirements → Technical Security Concept → Security Implementation and Verification → Security Validation → Security Case, Audit, Compliance → Management in Service]

Security and safety are interacting and demand holistic systems engineering. For a fast start, security engineering should be connected to the safety framework.
Vector Safety Experiences
Safety and Security must be addressed in parallel

Innovative functionality...
- Distributed systems
- Complex feature interaction
- High data volume
- External interfaces (V2X; vehicle as IP node)

... drives new challenges:
- Fail-operational robust behaviors
- High-performance micro-controllers
- Software development for critical systems
- Safety functions must be secured against attacks
- Cost-effective evolution and support over the entire life-cycle

Apply holistic systems engineering for safety and security
Agenda

- Welcome
- Challenges and Concepts
- Vector Safety Experiences
- Conclusions and Outlook (this section)
Conclusions and Outlook
Success Factor – Change Towards Safety Culture

Classic Development Culture | Safety Culture
Insufficient budget and time for relevant safety measures | Necessary measures are planned according to safety analysis – and reliably implemented
Shadow organization of safety experts and staff teams | Safety expertise is embedded into the regular line and project organization
Risk analysis is done superficially for documentation purposes and not maintained | Risk analysis and FMEA are developed at the beginning of system development and are continuously updated
System architecture is not considered in safety goals and requirements | System architecture explicitly covers the safety goals and requirements
Changes are accepted at any time for practically all system parts | Changes are analyzed with respect to their effects on functional safety using a strict change management
Safety audits are conducted only sporadically | Safety audits are established as a normal and standardized behavior
… | …

Implementing functional safety implies a profound culture change
Conclusions and Outlook
ISO 26262 Experience

Increasing functional safety capabilities:
- Majority of OEMs include ISO 26262 compliance in their contracts
- Independent audits and assessments are performed
- Methods for qualitative and quantitative analysis are available
- ASIL D capable MCUs are available

But…
- Many suppliers do not have full ISO 26262 compliance because they develop based on legacy systems
- Suppliers and OEMs need to further improve field observation and abilities to efficiently maintain a safety case
- New suppliers, e.g. for electric powertrain or ADAS, struggle with ramping up a safety process
- Security risks increasingly hamper functional safety
- Functional safety processes in many cases create overheads – which could be done at much lower cost

Functional safety can be efficiently achieved on the basis of mature development processes together with a competent partner.
Conclusions and Outlook
ISO 26262 Will Further Evolve

[Timeline 2015 to 2018: Committee Draft (CD) on 17 Dec. 2015 … Release of ISO 26262 ed. 2]

Evolution – Some Topics
1. Extension of scope by 50% to 729 pages
2. Application to commercial vehicles and motor cycles
3. Fully new section on semiconductors
4. Improved Safety Analysis Methods for software
5. Support for safety case for ADAS, fail-operational, diversified redundancy
6. "Objective" Assessment and Audit process improvement

Vector with its partners contributes to the evolution of ISO 26262
Conclusions and Outlook
Vector – Complete Safety Solution Portfolio

Introduction of Safety Processes (Examples):
- Introducing ISO 26262, starting with analysis of the current state, including technical and process measures and building up safety culture
- Training and coaching for functional safety and safety culture
- Implementing consistent tool support, such as PREEvision

Safety Management (Examples):
- Operationally supporting with interim safety managers
- Performing safety audits and supplier safety audits

Safety Engineering (Examples):
- Providing software components and platforms, such as MICROSAR Safe
- Developing and reviewing safety concepts and safety analyses
- Combined safety and cyber security concepts
Conclusions and Outlook
Vector Safety Portfolio

Safety Solutions:
- Consulting: Vector Safety Check, Interim Safety Manager, …
- Tools: PLM with PREEvision, Test, Diagnosis, …
- Software: AUTOSAR up to ASIL-D…
- www.vector.com/safety

Trainings and media:
- Training "Functional Safety with ISO 26262", Stuttgart, continuously: www.vector.com/training-safety
- In-house trainings tailored to your needs available worldwide
- Free white papers… www.vector.com/media-safety
Thank you for your attention.
Contact us for further support on functional safety, cyber security, and product development.

Passion. Partner. Value.

Vector Consulting Services

Phone +49 711 80670-0
Fax +49 711 80670-444
www.vector.com/consulting
consulting-info@vector.com