Automotive Functional Safety
ISO 26262 Synopsis
18.01.2017
19.01.2017
• since 2012: Safety Expert at TÜV SÜD conducting audits, assessments and trainings according to IEC 61508 and ISO 26262
• technical certifier for functional safety according to IEC 61508 and ISO 26262
[Organization chart: TÜV SÜD Auto Service GmbH and TÜV SÜD Rail GmbH (Team Automotive), with knowledge transfer between the entities]
Testing
• Assessments
• Supplier Audits
• Penetration Tests
Consulting
• Workshops
• Development accompanying support
Agenda
Functional Safety: What does it mean?
A simple example.
Function: whip cream
  ON → run
  OFF → stop
Hazards from malfunctions:
  ON → stop
  OFF → run
Hazards from operation:
  ON + finger
A simple example (continued).
Function / Hazards from malfunctions (ON → stop) / Hazards from operation
• Non-functional failures: fire
• Functional failures: unintended loss of acceleration, unintended loss of deceleration
- Still "safe"?
- Unintended acceleration!
- Safety beyond the single product: SYSTEM SAFETY!
- Depends on the correctness of the product's functions, implemented in electronics and software: FUNCTIONAL SAFETY
[Block diagram: position sensor → valve position → Engine Control Module, with Throttle Drive, Cruise Control, Stability Control, Ignition Control, Engine Injection Control and Gear Box Control attached]
"BMW recalls more than 1.6 million 3 Series models over problems with the airbags that could lead to passenger injuries" (Daily Mail)
"These are the events that led up to GM's worldwide recall of 2.6 million cars, blamed for at least 13 deaths" (CNN Money)
"Hackers Expose How Airbag System can be Hacked in an Audi Car" (Hackread)
How the risk of safety or security issues can affect your business
Risk due to safety or security issues leads to:
• Regulations (e.g. NHTSA (USA), MLIT (Japan)): market admission, punitive measures
• Criminal prosecution (prosecutor, attorney): punitive measures
• Product liability (customers): damages
• Customer awareness: customers will shun the products
Safety is mandatory!
[Risk matrix: probability (impossible, improbable, seldom, sporadic, always) against severity (nothing, low, medium, high, extreme); the high-probability/high-severity region is "risk not acceptable", the low region "risk acceptable", with "Functional Safety" labelled as the step from the first region into the second]
Today:
Software-intensive automotive control systems
[Figure: vehicle functions realised by electronic control units, e.g. Event Data Recorder, Accident Recorder, Night Vision, Driver Alertness Monitoring, Active Cabin Noise Suppression, Cabin Environment Controls, Entertainment System, Wiper Control, Interior Lighting, Seat Position Control, Voice/Data Communications, DSRC, Battery Management, Engine Control, Electronic Throttle Control, Electronic Valve Timing, Cylinder De-activation, Idle Stop/Start, Active Exhaust Noise Suppression, Electronic Transmission Control, Electric Power Steering, Active Suspension, Active Vibration Control, Active Yaw Control, Stability Control, Antilock Braking, Automatic Braking, Regenerative Braking, Hill-Hold Control, Adaptive Cruise Control, Lane Departure Warning, Lane Correction, Blindspot Detection, Parking System, Tire Pressure Monitoring, Airbag Control, Adaptive Front Lighting, Digital Turn Signals, Instrument Cluster, Navigation System, Electronic Toll Collection, Remote Keyless Entry, Security System, OBDII]
Immediate future:
Connected car, autonomous driving
• Systematic failures
  – Increased complexity of microelectronics and software
  – Increased complexity of project organization
Functional Safety: Principles, Concepts and Standards
Source: http://www.spiegel.de/fotostrecke/airbus-a400m-der-crash-von-sevilla-fotostrecke-127540-2.html
– Risk-based
  – Requires a system approach
  – Hazard identification and risk assessment
– Lifecycle-oriented
ISO 26262 – An Overview
• ISO 26262 is the adaptation of IEC 61508 to comply with needs specific to the
application sector of electrical and/or electronic (E/E) systems within road
vehicles.
• It provides:
– an automotive safety lifecycle (management, development, production, operation,
service, decommissioning)
– an automotive-specific risk-based approach to determine integrity levels [Automotive
Safety Integrity Levels (ASIL)];
– requirements for validation and confirmation measures to ensure that a sufficient and
acceptable level of safety is being achieved;
– requirements for relations with suppliers.
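The risk-based determination of an ASIL, as an added worked example that is not code from the slides or from TÜV SÜD: the lookup encodes the Severity/Exposure/Controllability table of ISO 26262-3 (hazard analysis and risk assessment), checks a structural property of that table, and rates a hazard list. The hazard names echo the slides' examples, but their S/E/C ratings are assumptions made here for illustration, not ratings from the original.

```python
"""ASIL determination from the HARA parameters S, E and C (added example).

The table reproduces the ASIL table of ISO 26262-3: Severity S1..S3,
Exposure E1..E4 and Controllability C1..C3 give QM or ASIL A..D; a class of
0 in any parameter means no ASIL (QM).  The hazard ratings at the bottom are
constructed for illustration.
"""
from typing import Dict, List, Tuple

# _ASIL_TABLE[S][E] holds the row (C1, C2, C3) of the ISO 26262-3 table.
_ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}
_LEVELS = ["QM", "A", "B", "C", "D"]  # ordered from lowest to highest integrity


def determine_asil(s: int, e: int, c: int) -> str:
    """Return 'QM' or 'A'..'D' for the classes S, E, C; ValueError if out of range."""
    if s not in range(0, 4) or e not in range(0, 5) or c not in range(0, 4):
        raise ValueError(f"S/E/C class out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"
    return _ASIL_TABLE[s][e][c - 1]


def table_is_additive() -> bool:
    """Structural property of the table: every step up in S, E or C raises the
    ASIL by exactly one level, i.e. level = max(0, S + E + C - 6)."""
    for s in (1, 2, 3):
        for e in (1, 2, 3, 4):
            for c in (1, 2, 3):
                if _LEVELS[max(0, s + e + c - 6)] != determine_asil(s, e, c):
                    return False
    return True


def classify_hazards(hazards: List[Tuple[str, int, int, int]]) -> Dict[str, str]:
    """Map each (name, S, E, C) tuple to its ASIL."""
    return {name: determine_asil(s, e, c) for name, s, e, c in hazards}


def safety_goal_asil(hazards: List[Tuple[str, int, int, int]]) -> str:
    """A safety goal inherits the highest ASIL of the hazards it addresses."""
    return max(classify_hazards(hazards).values(), key=_LEVELS.index)


# Constructed hazard list (names from the slides, S/E/C ratings assumed here).
EXAMPLE_HAZARDS = [
    ("unintended acceleration while driving", 3, 4, 2),
    ("unintended loss of deceleration", 3, 4, 3),
    ("unintended loss of acceleration when merging", 2, 3, 2),
]

if __name__ == "__main__":
    for name, asil in classify_hazards(EXAMPLE_HAZARDS).items():
        print(f"{asil:>2}  {name}")
    print("safety goal ASIL:", safety_goal_asil(EXAMPLE_HAZARDS))
    print("table is additive:", table_is_additive())
```

The additivity check is the practical takeaway: because each S, E or C step moves the result by one level, a rating argued one class too low on any single parameter quietly drops the whole safety goal by one ASIL, which is why the rationale for each class has to be recorded and confirmed.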
Major Concepts of ISO 26262: Functional Safety Management (FSM)
• Impacts: organization, staff competence
[Diagram, structure of ISO 26262: Management of Functional Safety (Safety Culture, Safety Development Capability, FSM before SoP, Item Development) alongside the Supporting Processes (Configuration Management, Change Management, Safety Requirements Management, Documentation, Verification, Software Tools, Qualification of Hardware, Qualification of Software, Distributed Development)]
Safety Culture
• "The organization [executing the safety lifecycle] shall create, foster, and
sustain a safety culture that supports and encourages the effective
achievement of functional safety." (ISO 26262-2, 5.4.2.1)
Competence management
Confirmation Measures
• ISO 26262 sits within the ISO/TS 16949 process frame; it extends and instantiates those requirements.
  – Instantiation: ISO/TS clause 7.3 "Design and Development" is addressed by ISO 26262's core processes at system, HW and SW level.
    – ISO 26262 is strongly inspired by ISO 15288 (systems engineering) and ISO 12207 (SW engineering).
  – Extension: ISO 26262 implements the system approach (vehicle "items") and relies on final OEM responsibility, whereas ISO/TS is focused on component / sub-system supplier responsibility.
New IATF 16949
  – "Some of the new enhancements to the automotive quality standard to address recent issues in the automotive industry include the following:
    – Requirements for safety-related parts and processes /* FMEAs, training of staff involved, transfer of safety requirements throughout the supply chain */
    – Enhanced product traceability requirements to support latest regulatory changes /* ISO 26262 implies the responsibility to monitor and maintain functional safety after release for production */
    – Requirements for products with embedded software /* Embedded software is crucial for functional safety: ISO 26262-6 and the supporting processes of ISO 26262-8 */
    – Warranty management process including addressing NTF (no trouble found) and use of automotive industry guidance /* ISO 26262 is primarily about avoiding (but not guaranteeing!) NTF situations. If a safety-related NTF cannot be avoided nevertheless, then full adherence to ISO 26262 requirements provides the best level of legal protection. */
    – Clarification of sub-tier supplier management and development requirements /* ISO 26262 has specific supplier-related requirements, e.g. supplier selection and functional safety assessment, development interface agreement (DIA) */
    – Addition of corporate responsibility requirements /* Functional safety management is not only project-specific, but impacts the corporate level */"
Major Concepts of ISO 26262: Concept and System Level
[Two block diagrams, labels only: ECU-S, ECU-B, S1, S2, A, FS, BS; second diagram: ECU-DSC, switch, S1, A, ECU-B]
Chart compilation (FMEDA, example values)

Column headers recoverable from the chart: Part No, Part type, Base failure rate, Failure mode, Failure distribution, λ, λ SAFE, failure effect, λ Multi-point fault, λ Latent, SAFE.

Part No 1, base failure rate 10:
  Resistance drift < 0.5*R | 0.300 | 0 1 0 0 | 3 | 0.3 | Wrong measurement | 0.9 | 2.7 | NA | 2.7
  Resistance drift > 2*R   | 0.300 | 0 1 0 0 | 3 | 1.2 | Wrong measurement | 0.6 | 1.8 | NA | 1.8

The values are consistent with each other: 0.300 × 10 = 3 for either drift mode, split into a safe share (0.3 resp. 1.2) and a share of 0.9 × 3 = 2.7 resp. 0.6 × 3 = 1.8 that leads to a wrong measurement; the header-to-column mapping of the remaining fields could not be recovered from the extracted chart.
Hardware architectural metrics, target values:
Single-point fault metric: ASIL B ≥ 90 %, ASIL C ≥ 97 %, ASIL D ≥ 99 %
Latent-fault metric:       ASIL B ≥ 60 %, ASIL C ≥ 80 %, ASIL D ≥ 90 %
ISO 26262-5, Figure C.1 — Fault classification of safety-related hardware elements of an item
• Or: individual evaluation of each residual and single-point fault, and of each dual-point failure leading to the violation of the considered safety goal.
  – This analysis method can also be considered to be a cut-set analysis.
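The chart compilation and the metric targets above, carried through in an added example that is not code from the slides or from TÜV SÜD: each FMEDA row is split into the fault classes of ISO 26262-5 Figure C.1 (safe, single-point, residual, multiple-point detected, multiple-point latent), and the single-point fault metric (SPFM) and latent-fault metric (LFM) are computed with the ISO 26262-5 Annex C formulas and compared against the ASIL B/C/D targets. The part list, the diagnostic coverage values and the safe shares are constructed for illustration; only the two resistor drift rows reuse the chart's values (base rate 10, 30 % per mode, safe shares 0.1 and 0.4).

```python
"""Hardware architectural metrics from FMEDA rows (added example, not from the slides).

Fault classes follow ISO 26262-5, Figure C.1: safe, single-point (no safety
mechanism), residual (escapes the mechanism), multiple-point detected/perceived
and multiple-point latent.  Metrics follow ISO 26262-5 Annex C:
    SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
    LFM  = 1 - sum(lambda_MPF_latent) / sum(lambda - lambda_SPF - lambda_RF)
Targets are those of ISO 26262-5 (Tables 4 and 5).  All rates are in FIT.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}
LFM_TARGET = {"B": 0.60, "C": 0.80, "D": 0.90}


@dataclass
class FailureMode:
    part: str
    mode: str
    base_rate: float              # base failure rate of the part [FIT]
    distribution: float           # share of the base rate attributed to this mode
    safe_share: float             # share of the mode that cannot violate the safety goal
    dc_residual: Optional[float]  # coverage of the safety mechanism; None = no mechanism
    dc_latent: float = 0.0        # coverage w.r.t. latent faults (detected or perceived)

    @property
    def rate(self) -> float:
        return self.base_rate * self.distribution

    def classify(self) -> Dict[str, float]:
        """Split this mode's rate into the Figure C.1 fault classes (all in FIT)."""
        lam = self.rate
        safe = lam * self.safe_share
        unsafe = lam - safe
        if self.dc_residual is None:
            # No safety mechanism: the whole unsafe share is a single-point fault.
            return {"safe": safe, "spf": unsafe, "rf": 0.0, "mpf_det": 0.0, "mpf_lat": 0.0}
        rf = unsafe * (1.0 - self.dc_residual)  # residual: not covered by the mechanism
        mpf = unsafe - rf                        # covered: needs a second fault to violate the goal
        mpf_lat = mpf * (1.0 - self.dc_latent)   # neither detected nor perceived by the driver
        return {"safe": safe, "spf": 0.0, "rf": rf, "mpf_det": mpf - mpf_lat, "mpf_lat": mpf_lat}


def architectural_metrics(rows: List[FailureMode]) -> Tuple[float, float]:
    """Return (SPFM, LFM) over all rows as fractions in [0, 1]."""
    total = sum(r.rate for r in rows)
    classes = [r.classify() for r in rows]
    spf_rf = sum(c["spf"] + c["rf"] for c in classes)
    latent = sum(c["mpf_lat"] for c in classes)
    spfm = 1.0 - spf_rf / total
    lfm = 1.0 - latent / (total - spf_rf)
    return spfm, lfm


def meets_targets(rows: List[FailureMode], asil: str) -> bool:
    """True if both metrics reach the ISO 26262-5 target for the given ASIL."""
    spfm, lfm = architectural_metrics(rows)
    return spfm >= SPFM_TARGET[asil] and lfm >= LFM_TARGET[asil]


# Constructed FMEDA for a sensing path (illustrative values, not measured data).
# The first two rows reuse the chart's resistor values: base rate 10, 30 % per
# drift mode, safe shares 0.1 and 0.4; all coverage values are assumed.
EXAMPLE_ROWS = [
    FailureMode("R1 sense resistor", "drift < 0.5*R",    10, 0.3, 0.1, dc_residual=0.9,  dc_latent=0.5),
    FailureMode("R1 sense resistor", "drift > 2*R",      10, 0.3, 0.4, dc_residual=0.9,  dc_latent=0.5),
    FailureMode("R1 sense resistor", "open",             10, 0.4, 0.0, dc_residual=0.99, dc_latent=0.5),
    FailureMode("U1 ADC",            "wrong conversion", 20, 1.0, 0.5, dc_residual=0.9,  dc_latent=0.6),
    FailureMode("C1 filter cap",     "short",             1, 1.0, 0.0, dc_residual=None),
]

if __name__ == "__main__":
    spfm, lfm = architectural_metrics(EXAMPLE_ROWS)
    print(f"SPFM = {spfm:.1%}, LFM = {lfm:.1%}")
    for asil in "BCD":
        verdict = "meets" if meets_targets(EXAMPLE_ROWS, asil) else "fails"
        print(f"ASIL {asil}: {verdict} the hardware metric targets")
```

For this constructed design the block reports SPFM ≈ 92.0 % and LFM ≈ 73.3 %, so the ASIL B targets are met but not C or D. The 1 FIT capacitor with no safety mechanism contributes as much to the single-point/residual sum as the 20 FIT ADC with 90 % coverage, which is the usual lesson of an FMEDA: an uncovered part dominates the metric regardless of how small its failure rate is.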
– This is particularly true for the system level and software level development processes.
mailto:christian.nowak@tuev-sued.de
http://www.tuev-sued.de
http://www.tuev-sued.de/rail/training