Day1 English 2017 0824
ISO 26262 Training - Day 1 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 2
INTRODUCING KVA
AFSP Seminar – Module K2 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 3
INTRODUCING SGS-TÜV
SGS was established in 1878, operating today with more than 1,800 offices and laboratories around the world.
Viewed as the world’s leading inspection, verification, testing and certification company.
With over 90,000 employees, SGS works with customers throughout the supply chains of 13 global industries: Agriculture and Food; Automotive; Chemical; Construction; Consumer Goods and Retail; Energy; Finance; Industrial Manufacturing; Life Sciences; Logistics; Mining; Oil and Gas; and Public Sector.
SGS-TÜV Saar GmbH is a joint venture between SGS-Group and TÜV Saarland e.V.
DAY 1 - CONTENTS
DEFINITION OF FUNCTIONAL SAFETY
POTENTIAL RISK
Definition of “unreasonable”: unacceptable; excessive; based on societal moral concepts
Definition of “risk”: combination of the probability of harm and the severity of damage
Definition of “damage”: harm to persons
MALFUNCTIONS IN ROAD VEHICLES
POTENTIAL RISK
Answer: ISO 26262 provides a standardized method to determine the potential risk
MEASURE FOR THE RISK POTENTIAL OF VEHICLE FUNCTIONS / SYSTEMS
COMPONENTS OF RISK POTENTIAL
[Risk diagram: the probability of occurrence of harm (from "extremely improbable" upward) is plotted against the severity; the region above the risk acceptance limit is "always unacceptable risk", the region below it is "acceptable (residual) risk". The components of the risk potential are the probability of occurrence and the severity.]
Answer: OK
RISK REDUCTION
Answer: OK
ISO 26262 describes standardized actions for the necessary risk reduction
CATEGORISATION OF RISK POTENTIAL
[Risk diagram as above: probability of occurrence of harm against severity, with the "always unacceptable risk" region above the risk acceptance limit and the "acceptable (residual) risk" region below it]
The ASIL is described as the distance from the risk acceptance limit
CONCEPT FOR RISK REDUCTION
[Diagram: the risk is reduced in three shares: risk partially covered by safety-relevant E/E systems; risk partially covered by safety-relevant systems of other technologies; risk partially covered by external systems]
HISTORY OF ISO 26262
Similar standards, e.g.: SAE ARP 4754 (1996); EN 501xx (1999); IEC 60601 (2005); IEC 61513 (2001); IEC 61511 (2004); IEC 62061 (2005)
SCOPE OF ISO 26262 EDT.1 (2011)
CONTENTS OF ISO 26262 (2011)
V-cycle introduced
Reference: ISO 26262-2, Figure 1
TIMING OF ISO 26262 SECOND EDITION (2018)
New Parts
PLANNED CHANGES OF ISO 26262 SECOND EDITION (2018)
SAFETY LIFE CYCLE
Reference: ISO 26262-2, Figure 2
WHY TO APPLY ISO 26262?
Source: Lisa Whalen, Making Products and Systems Functionally Safe, 2012 CTi Conference on ISO 26262, Troy, MI
WHY TO APPLY ISO 26262?
Aspects to be considered
[Diagram with three columns:
Technical: recommended application of IEC / ISO / FMVSS / SAE standards
Law: mandatory application of legal directives and regulations for approvals
Recommendation: ISO 26262 is relevant for the current state of the art]
Reference: CTi ‘15, Functional safety new questions arise; Andreas Reuter
WHY TO APPLY ISO 26262?
Reference: CTi ‘15, U.S. Legal Issues – Overview and Practical Considerations; Clay Guise
WHAT DOES NHTSA SAY?
GROW AMERICA Act, SEC. 4105
Although NHTSA currently hasn’t used this, they have the authority to require a functional safety process
Reference: CTi ‘15, NHTSA’s Electronics Reliability – Functional Safety Research; Cem Hatipoglu
WHY TO APPLY ISO 26262?
Reference: CTi ‘15, Functional safety new questions arise; Andreas Reuter
LEGAL CONSEQUENCES
Unpredictable risk of product liability
WHAT ABOUT EXISTING DESIGNS
WHEN TO APPLY ISO 26262?
[Flowchart: decision "ASIL ≥ A?". Yes: continue with the ISO 26262 process. No: exit point to the standard (QM) process, typically ISO/TS 16949. The gate outcome is marked OK / Not OK.]
HOW IS RISK REDUCTION REALIZED IN ELECTRONICS?
DAY 1 - CONTENTS
SAFETY MANAGEMENT PROCESS
Reference: ISO 26262-2, Figure 1
CONTENT OF ISO 26262-2
ISO 26262-2 “Management of Functional Safety”
2-5: Overall Safety Management
2-6: Safety Management during Concept Phase and Product Development
2-7: Safety Management after the Item’s Release for Production
PART 2, CLAUSE 5
OVERALL SAFETY MANAGEMENT
The Overall Safety Management provides the framework for safety-related E/E development projects
PART 2, CLAUSE 5.4.2
SAFETY CULTURE
SAFETY CULTURE (EXAMPLES)
PART 2, CLAUSE 5.4.3
COMPETENCE MANAGEMENT
PART 2, CLAUSE 5.4.5
PROJECT-INDEPENDENT “TAILORING“
Designate a Safety Manager for each program
Ensure the Safety Manager has skill, knowledge and resources
The Safety Manager and assigned staff must be empowered
Proposed responsibilities of the Safety Manager:
– Involvement in selection of safety team members
– Planning and tracking of the required phases in the safety lifecycle (safety plan)
– Modification of the development process (tailoring)
– Performance of evaluations (deadlines, schedules, preparation, organization)
– Initiation of escalation process if evaluations are not successfully passed
– Listing of documentation to be prepared
– Management of internal (departments) and external (customer, suppliers, SGS-TÜV) interfaces
TYPICAL TASKS OF THE PROJECT MANAGER?
Designate a project manager for each program
Proposed responsibilities of the Project Manager:
TYPICAL IMPLEMENTATION STEPS
3. Training guidelines
Training concept
– Understanding of the ISO 26262
– Know-how in the use of the company specific procedures
EXAMPLE: SAFETY MANAGEMENT ORGANISATIONAL STRUCTURE #1
[Organisation chart: a Safety Manager at company (division) level and Safety Managers at business unit level 1, 2 … n; coordination flows from the company level down to the business units and feedback flows back up]
PART 2, CLAUSE 6.4.6
SAFETY CASE
Note: For ASIL A, the creation of a Safety Case is not a mandatory requirement
PART 2, CLAUSE 6.4.7
CONFIRMATION MEASURES
AUDIT VS. ASSESSMENT
Automotive SPICE uses the expression Assessment for the evaluation of the maturity level of the development processes of a company or department.
ISO 26262 uses the expression Assessment for the evaluation of the product safety with respect to Functional Safety.
For the evaluation of development processes in the context of Functional Safety, ISO 26262 uses the expression Audit.
REQUIRED INDEPENDENCE FOR THE
CONFIRMATION MEASURES
Confirmation measure | ASIL A | B | C | D | Scope
Confirmation review of the hazard analysis and risk assessment | I3 (for all ASILs) | The scope of this review shall include the correctness of the determined ASILs and QM ratings of the identified hazards for the item and a review of the safety goals
Confirmation review of the safety plan | - | I1 | I2 | I3 |
Confirmation review of the item integration and testing plan | I0 | I1 | I2 | I3 | Applies to the highest ASIL among the safety goals of the item
Confirmation review of the validation plan | I0 | I1 | I2 | I3 | Applies to the highest ASIL among the safety goals of the item
The Audit Report confirms that processes are followed according to ISO 26262
PART 2, CLAUSE 6.4.9
ASSESSMENT OF FUNCTIONAL SAFETY
ASSESSMENT IN THE SUPPLY CHAIN
[Diagram: at each level of the supply chain (Car Manufacturer (OEM); System Supplier (Tier 1/2); HW Element Supplier, e.g. Sensor Supplier) the Safety Plan, the WPs and the Safety Case are the input to an FSA, which produces an FSAR. Between the levels, WPs are exchanged according to the contract and the DIA.]
WP = Work Product, FSA = Functional Safety Assessment, FSAR = Functional Safety Assessment Report
CONTENT OF ASSESSMENT OF FUNCTIONAL SAFETY
ROLES AND RESPONSIBILITIES
SUMMARY
FUNCTIONAL SAFETY MANAGEMENT (2)
DAY 1 - CONTENTS
RESPONSIBILITIES AND TARGETS
Responsibilities
Supporting processes are relevant for all parties in the supply chain who have to develop according to ISO 26262 requirements
Supporting processes have to be established (as far as applicable) as an extension of existing QM processes
Supporting processes according to ISO 26262-8 have to be used during all development projects
Targets
Supporting processes shall ensure a high integrity in avoiding systematic faults, in addition to the standard processes
SUPPORTING PROCESSES - OVERVIEW
ISO 26262-8
Interfaces within distributed developments (clause 5)
Specification and management of safety requirements (clause 6)
Project management rules
– Configuration management (clause 7)
– Change management (clause 8)
– Documentation (clause 10)
Verification (clause 9)
Confidence in the use of software tools (clause 11)
Qualification of
– Software components (clause 12)
– Hardware components (clause 13)
Proven in use argument (clause 14)
PART 8, CLAUSE 5
INTERFACES WITHIN DISTRIBUTED DEVELOPMENTS
(Attachment: DIA_Template_en_2017_0321.xlsx)
Selection of suppliers
– Evaluate whether or not the supplier is able to develop in accordance with ISO 26262
– Address proper safety requirements within the RFQ
– Provide necessary input information to the supplier
Project handling
– Agreement of a Development Interface Agreement (DIA) covering:
– Safety managers of all parties involved
– Tailoring of the safety lifecycle
– Assignment of activities and responsibilities (e.g. according to RASIC - Responsible, Accountable, Supported, Informed, Cooperation)
[Diagram: necessary input to the supplier: the HW/SW safety requirements HW/SW-SR (ASIL x) 1…n needed to achieve the TSR]
PART 8, CLAUSE 6
MANAGEMENT OF SAFETY REQUIREMENTS – TRACEABILITY
[Diagram: which party in the supply chain is responsible for which safety requirements]
Configuration management
In accordance with the process
– ISO TS 16949 (Quality management systems) or
– ISO 10007 (Quality management systems -- Guidelines for configuration management) and/or
– ISO 12207 (Systems and software engineering)
To be applied to all work products of the safety lifecycle and to be documented in the Configuration Management Plan
To be performed during the entire safety lifecycle
PART 8, CLAUSE 8
PROJECT MANAGEMENT RULES (2)
CHANGE MANAGEMENT
[Flow diagram: triggers for a change request are changed operating conditions, systematic failures, modification of the item, changed safety requirements, accident experience and amended legislation. The change request leads to an impact analysis (hazard and risk assessment; impact analysis of the safety lifecycle), documented in an impact analysis report, then back to the relevant phase of the safety lifecycle, and finally to approval and documentation of the change.]
PROJECT MANAGEMENT RULES (3)
Documentation
Standard QM requirements
Documents must be referenced to work products (traceability)
ISO 26262 does not provide requirements regarding the retention period
Project Management Rules also apply to safety-relevant developments
PART 8, CLAUSE 9
VERIFICATION
Test environment
Criteria for “pass / fail”
Clear reference to the safety requirements (traceability)
Tools used
Verification steps shall be continuously planned and refined
VERIFICATION - METHODS
Table entries are either consecutive entries (marked by a sequence number in the leftmost column, e.g. 1, 2, 3) or alternative values (1a, 1b, 1c, etc.), for which an appropriate combination of methods shall be applied.
Methods | ASIL A | B | C | D
1c Semi-formal verification | + | + | ++ | ++
1d Formal verification | o | + | + | +
“++” Method is highly recommended for this ASIL; rationale must be documented if not applied
“+” Method is recommended for this ASIL
“o” Method is neither recommended nor not recommended for this ASIL
Reference: ISO 26262-8, §6.4.3.3 Table 2
PART 8, CLAUSE 11
CONFIDENCE IN THE USE OF SOFTWARE TOOLS
[Table, columns = hardware complexity classes from low (left) to high (right):
Evidence for Functional Safety by qualification (acc. AEC-Q standards): Applicable | Applicable | Applicable | Not applicable
Evidence for Functional Safety by development acc. ISO 26262: Not applicable | Not applicable | Applicable | Applicable]
Acc. ISO 26262-8, Table 6, modified by SGS-TÜV Saar
Note: The standard describes a dependence between HW complexity and the requirement to develop the hardware according to ISO 26262. In reality it makes more sense to develop HW according to ISO 26262 when Functional Safety Requirements are allocated to the HW part or HW component to be developed.
PART 8, CLAUSE 14
PROVEN IN USE ARGUMENT
NOTE 3: Table 8 gives an example of the required minimum service period without observable incident which is necessary to achieve 70 % confidence:
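The 70 % figure in NOTE 3 follows from treating observable incidents as a Poisson process: with a target incident rate λ per hour and no incident observed in t service hours, the confidence that the true rate does not exceed λ is 1 − e^(−λt), so 70 % requires t ≥ −ln(0.3)/λ ≈ 1.2/λ. The following is an added example, not part of the training material: it computes that minimum service period and also handles the case of a few observed incidents; the target rate and the field data in it are constructed values, not the targets of ISO 26262-8 Table 7.

```python
"""Minimum proven-in-use service period for a given confidence.

Added example for NOTE 3 above; not from the training deck, and the target
rate / field data below are constructed values, not ISO 26262-8 Table 7.
Observable incidents are modelled as a Poisson process with rate lam (per
hour).  After t service hours with n observed incidents, the confidence that
the true rate is at most lam is
    conf = 1 - P(N <= n | lam * t) = 1 - sum_{k=0}^{n} e^{-lam t} (lam t)^k / k!
For n = 0 this is 1 - e^{-lam t}, so 70 % confidence needs lam * t >= -ln(0.3).
"""
import math


def poisson_cdf(n: int, mu: float) -> float:
    """P(N <= n) for N ~ Poisson(mu), summed term by term (exact for small n)."""
    term = math.exp(-mu)
    total = term
    for k in range(1, n + 1):
        term *= mu / k
        total += term
    return total


def required_events(n: int, confidence: float) -> float:
    """Smallest mu = lam * t such that 1 - P(N <= n | mu) >= confidence.

    P(N <= n | mu) decreases monotonically in mu, so bisection is sufficient.
    """
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    if n < 0:
        raise ValueError("number of observed incidents cannot be negative")
    if n == 0:
        return -math.log(1.0 - confidence)        # closed form: 1.204 for 70 %
    lo, hi = 0.0, float(n + 1)
    while 1.0 - poisson_cdf(n, hi) < confidence:   # grow until the bound is met
        hi *= 2.0
    for _ in range(200):                           # bisection, far below 1e-9
        mid = (lo + hi) / 2.0
        if 1.0 - poisson_cdf(n, mid) >= confidence:
            hi = mid
        else:
            lo = mid
    return hi


def min_service_hours(target_rate_per_hour: float, confidence: float = 0.7,
                      observed_incidents: int = 0) -> float:
    """Service period (hours) needed to claim the target rate with the given
    confidence, given the number of incidents observed in that period."""
    if target_rate_per_hour <= 0:
        raise ValueError("target rate must be positive")
    return required_events(observed_incidents, confidence) / target_rate_per_hour


def demonstrated_rate(service_hours: float, confidence: float = 0.7,
                      observed_incidents: int = 0) -> float:
    """Upper bound (per hour) on the incident rate supported by the field data."""
    if service_hours <= 0:
        raise ValueError("service hours must be positive")
    return required_events(observed_incidents, confidence) / service_hours


if __name__ == "__main__":
    target = 1e-9   # constructed target rate: one incident per 1e9 hours
    print(f"zero incidents, 70 %: {min_service_hours(target):.3g} h")
    print(f"one incident,   70 %: {min_service_hours(target, 0.7, 1):.3g} h")
    # Constructed field data: 5e8 service hours with no observable incident.
    print(f"5e8 h without incident supports at most {demonstrated_rate(5e8):.3g} /h")
```

Doubling the confidence target does not double the service period: the required λ·t grows with −ln(1 − conf), so 90 % would need about 2.3/λ hours against 1.2/λ for 70 %.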
SUMMARY
SUPPORTING PROCESSES (1)
SUMMARY
SUPPORTING PROCESSES (2)
DAY 1 - CONTENTS
HARA AS PART OF THE CONCEPT PHASE
RESPONSIBILITIES AND TARGETS
Responsibilities
Typically the responsibility of the car manufacturer (OEM) or Tier 1 supplier, who have the knowledge about the behavior of the vehicle in the event of malfunctions together with all operational conditions.
If the final context (item to be implemented) is not known in detail, a so-called Safety Element out of Context (SEooC) can be supplied. The SEooC is based on assumptions for the Concept Phase of development.
Targets
Identification of potential risks due to a malfunctioning behavior of E/E functions at vehicle level
[Diagram: the results of the concept phase are the input to ISO 26262-4 and to the HW/SW safety requirements and design]
PART 3, CLAUSE 5
ITEM DEFINITION
INPUT INFORMATION FOR HARA
Introduction to a simplified example, which will be the basis for the training exercises
ITEM DEFINITION:
EXAMPLE
PART 3, CLAUSE 7
HAZARD ANALYSIS AND RISK ASSESSMENT (HARA)
HAZARD ANALYSIS PROCEDURE
[Risk diagram as above (probability of occurrence of harm against severity, "always unacceptable risk" above the risk acceptance limit, "acceptable (residual) risk" below it), annotated with the HARA factors: the probability of occurrence of harm is broken down into Factor E, the exposure to the dangerous situation, and Factor C, the (un)controllability of the dangerous situation caused by the E/E system malfunction; the severity axis is Factor S]
TYPICAL STEPS
HAZARD ANALYSIS AND RISK ASSESSMENT
Step 1: Responsibilities
Step 2: Identification of possible malfunctions of the item
Step 3: Selection of scenarios under consideration
Step 4: Alignment of the risk assessment matrix and
determination of the risk parameters
Step 5: Evaluation of the results
Step 6: Verification of the analysis results
STEP 1: RESPONSIBILITIES
STEP 2: IDENTIFICATION OF POSSIBLE MALFUNCTIONS OF THE ITEM
STEP 3: SELECTION OF SCENARIOS TO BE CONSIDERED
STEP 4: ALIGNMENT OF THE RISK ASSESSMENT MATRIX
PARAMETER “S“ (SEVERITY)
Class | Description | Reference for single injuries (from AIS scale)
S0 | No injuries | AIS 0; damage that cannot be classified safety-related, e.g. bumps with roadside infrastructure
S1 | Light and moderate injuries | More than 10% probability of AIS 1-6 (and not S2 or S3)
S2 | Severe injuries, possibly life-threatening, survival probable | More than 10% probability of AIS 3-6 (and not S3)
S3 | Life-threatening injuries (survival uncertain) or fatal injuries | More than 10% probability of AIS 5-6
AIS-SCALE
AIS 0: No injury
AIS 1: Light injuries such as superficial wounds, muscular pains, etc.
AIS 2: Moderate injuries such as deep flesh wounds, brain concussion with loss of consciousness up to 15 min, uncomplicated tubular bone fractures, uncomplicated rib fractures, etc.
AIS 3: Severe, non-life-threatening injuries such as skull fractures without brain injury, spinal column dislocations below the fourth cervical vertebra without spinal cord involvement, multiple rib fractures without paradoxical breathing, etc.
AIS 4: Severe injuries (life-threatening, survival probable) such as brain concussion with or without skull fracture with unconsciousness up to 12 hours, paradoxical breathing
AIS 5: Critical injuries (life-threatening, survival uncertain) such as spinal column fractures below the fourth cervical vertebra with spinal cord involvement, intestinal ruptures, heart ruptures, unconsciousness of more than 12 hrs including cerebral hemorrhage
AIS 6: Severest or fatal injuries such as cervical vertebra fractures above the third cervical vertebra with spinal cord involvement, severest open dual cavity injuries (thoracic and abdominal cavities) etc.
Reference: https://en.wikipedia.org/wiki/Abbreviated_Injury_Scale
EXAMPLES
(ONLY INFORMATIVE)
S0: Bumps with roadside infrastructure; Pushing over roadside post, fence, etc.; Light collision; Light grazing damage; Damage entering/exiting parking space; Leaving the road without collision or rollover; Collision with minimal vehicle overlap (10-20%)
S1: Side impact with a narrow stationary object, e.g. crashing into a tree (impact to passenger cell) with very low speed; Side collision with a passenger car (e.g. intrudes upon passenger compartment) with very low speed; Rear/front collision with another passenger car with very low speed; Pedestrian/bicycle accident while turning (city intersection and streets); Front collision (e.g., rear-ending another vehicle, semi-truck, etc.) without passenger compartment deformation
S2: Side impact with a narrow stationary object, e.g. crashing into a tree (impact to passenger cell) with low speed; Side collision with a passenger car (e.g. intrudes upon passenger compartment) with low speed; Rear/front collision with another passenger car with low speed; Pedestrian/bicycle accident (e.g., 2-lane road); Front collision (e.g., rear-ending another vehicle, semi-truck, etc.) with passenger compartment deformation
S3: Side impact with a narrow stationary object, e.g. crashing into a tree (impact to passenger cell) with medium speed; Side collision with a passenger car (e.g. intrudes upon passenger compartment) with medium speed; Rear/front collision with another passenger car with medium speed
PARAMETER E (EXPOSURE)
E0 Incredible | E1 Very low probability | E2 Low probability | E3 Medium probability | E4 High probability
Exposure can be rated by duration or by frequency:
– Duration: the hazardous event occurs due to the sudden malfunction during the situation under consideration
– Frequency: the malfunction exists and the hazardous event only occurs when the situation under consideration occurs (typically a change from one driving situation to another)
EXAMPLE: DURATION - FREQUENCY
EXAMPLES FOR PARAMETER E (ONLY INFORMATIVE)
On hoist
EXAMPLES FOR PARAMETER E (ONLY INFORMATIVE)
Nearby elements: In tunnel; In car wash; Traffic congestion
Vehicle state: Stopped, requiring engine restart; Trailer attached; Vehicle being refuelled; Vehicle stationary (at railway crossing); Vehicle on a hill (hill hold); Vehicle being towed; Roof rack attached; Vehicle during jump start
Manoeuvre: Evasive manoeuvre, deviating from desired path; Overtaking; Starting from standstill; Shifting transmission gears; Accelerating; Braking; Executing a turn (steering); Using indicators; Manoeuvring vehicle into parking position; Driving in reverse
PARAMETER C (CONTROLLABILITY)
C0 Controllable in general
C1 Simply controllable: 99% or more of all drivers or other traffic participants are usually able to avoid harm
C2 Normally controllable: 90% or more of all drivers or other traffic participants are usually able to avoid harm
C3 Difficult to control or uncontrollable: less than 90% of all drivers or other traffic participants are usually able, or barely able, to avoid harm
EXAMPLES FOR PARAMETER C
(ONLY INFORMATIVE)
[Table, columns Class C0 – C3: situation | driver action needed to avoid harm]
Situations that are considered distracting | Maintain intended driving path
Warning message - gas low | Maintain intended driving path
Headlights fail while night driving at medium/high speed on unlighted road | Steer to side of road or brake to stop
Motor failure at high lateral acceleration (motorway exit) | Maintain intended driving path
Failure of ABS when braking on low friction road surface while executing a turn | Maintain intended driving path, stay in lane
Failure of brakes | Brake to slow/stop vehicle
Incorrect steering angle with high angular speed at medium or high vehicle speed (steering angle change not aligned to driver intent) | Maintain intended driving path, stay in lane
Faulty driver airbag release when travelling at high speed | Maintain intended driving path, stay in lane; brake to slow/stop vehicle
RISK MATRIX
STEP 5: EVALUATION OF THE HARA RESULTS
STEP 6: VERIFICATION OF THE H&R RESULTS
QM to ASIL D
ISO 26262-2, Table D.1 — Verification reviews and confirmation measures, including independence
HARA:
EXAMPLE
1 Attendees
HARA EXERCISE
HARA:
EXAMPLE
Consequence of fault:
Reason for S:
Reason for E:
Reason for C:
Scenario 2 – Fault 1: Providing torque without driver request; Situation: Parking car in parking garage
Consequence of fault:
Reason for S:
Reason for E:
Reason for C:
HARA:
EXAMPLE
Consequence of fault:
Reason for S:
Reason for E:
Reason for C:
Scenario 4 – Fault 1: Providing torque without driver request; Situation: Driving on country road, overtaking
Consequence of fault:
Reason for S:
Reason for E:
Reason for C:
HARA:
EXAMPLE
Consequence of fault:
Reason for S:
Reason for E:
Reason for C:
Scenario 2 – Fault 2: Providing no torque although driver requested torque; Situation: Parking car in parking garage
Consequence of fault:
Reason for S:
Reason for E:
Reason for C:
HARA:
EXAMPLE
Consequence of fault:
Reason for S:
Reason for E:
Reason for C:
Scenario 4 – Fault 2: Providing no torque although driver requested torque; Situation: Driving on country road, overtaking
Consequence of fault:
Reason for S:
Reason for E:
Reason for C:
HARA EXERCISE
Results
HARA:
EXAMPLE
Consequence of fault: Car moves unintentionally and could strike pedestrians nearby
Reason for S0: The unintended movement is prevented by the transmission being in the Park state (mechanical prevention)
Reason for E:
Reason for C:
Scenario 2 – Fault 1: Providing torque without driver request; Situation: Parking car in parking garage
Consequence of fault: Car moves unintentionally and could strike pedestrians nearby
HARA:
EXAMPLE
Consequence of fault: Car moves unintentionally into the crossing, into the path of crossing traffic
Reason for S3: Side impact with medium to high speed is expected
Reason for E4: Being stopped at a crossing or red traffic light occurs often
Reason for C1: 99% can control the situation; the driver can still brake and steer
Scenario 4 – Fault 1: Providing torque without driver request; Situation: Driving on country road, overtaking
Reason for S3: Could cause head-on collision with oncoming traffic
Reason for E1: Duration of the critical situation is very short; oncoming traffic is required
Reason for C2: Driver can still brake and steer
HARA:
EXAMPLE
Reason for S:
Reason for E:
Reason for C:
Scenario 2 – Fault 2: Providing no torque although driver requested torque; Situation: Parking car in parking garage
HARA:
EXAMPLE
Reason for S:
Reason for E:
Reason for C0: Car is stalled at a stop light. It is expected that the car behind recognizes the situation.
Scenario 4 – Fault 2: Providing no torque although driver requested torque; Situation: Driving on country road, overtaking
Consequence of fault: The overtaking cannot be completed as planned. This is critical in the case of oncoming traffic.
Reason for S3: Collision with oncoming traffic at medium to high speed
Reason for E1: Duration of the critical situation is very short; oncoming traffic is required
Reason for C2: The situation is controlled by most drivers by aborting the overtaking
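The S/E/C ratings of the example above can be turned into ASILs with the ASIL determination table of ISO 26262-3:2011 (Table 4), which this deck shows only as the "Risk matrix" slide. The following is an added example and not part of the training material: it encodes the table by its sum rule (S + E + C, with a rating of 0 in any parameter giving QM), uses the ratings from the slides (the situation name of the first event is inferred from its E4 reasoning), and rolls the hazardous events of each fault up to the highest ASIL, which the safety goal for that fault inherits and which the confirmation measures refer to.

```python
"""ASIL determination from S/E/C ratings (ISO 26262-3:2011 Table 4).

Added example for the HARA example on these slides; not part of the deck.
The table is encoded by its arithmetic structure: for S in 1..3, E in 1..4
and C in 1..3 the ASIL depends only on S + E + C (6 or less -> QM,
7 -> A, 8 -> B, 9 -> C, 10 -> D).  Any parameter rated 0 (S0, E0 or C0)
means no ASIL is assigned (QM).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}   # ordering for "highest ASIL"
_BY_SUM = {7: "A", 8: "B", 9: "C", 10: "D"}


def asil_from_sec(s: int, e: int, c: int) -> str:
    """ASIL for one hazardous event rated severity S, exposure E, controllability C."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"rating out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"                      # S0, E0 or C0: no ASIL required
    return _BY_SUM.get(s + e + c, "QM")  # sums of 6 or less are QM


def asil_table() -> dict:
    """The full 36-entry table (S1..S3 x E1..E4 x C1..C3) as {(S, E, C): ASIL}."""
    return {(s, e, c): asil_from_sec(s, e, c)
            for s in range(1, 4) for e in range(1, 5) for c in range(1, 4)}


@dataclass(frozen=True)
class HazardousEvent:
    fault: str          # malfunctioning behaviour of the item
    situation: str      # operational situation under consideration
    s: int
    e: int
    c: int

    def asil(self) -> str:
        return asil_from_sec(self.s, self.e, self.c)


def safety_goal_asils(events: Iterable[HazardousEvent]) -> dict:
    """Per fault, the highest ASIL over its hazardous events.

    The safety goal derived for a fault inherits the highest ASIL of the
    hazardous events it covers.
    """
    per_fault = defaultdict(list)
    for ev in events:
        per_fault[ev.fault].append(ev.asil())
    return {fault: max(asils, key=ASIL_RANK.__getitem__)
            for fault, asils in per_fault.items()}


def item_asil(events: Iterable[HazardousEvent]) -> str:
    """Highest ASIL among all safety goals of the item (QM if there are none)."""
    goals = safety_goal_asils(events)
    return max(goals.values(), key=ASIL_RANK.__getitem__, default="QM")


# Ratings taken from the filled-in example slides above.  The situation name
# of the first event is inferred from its stated reason for E4.
FAULT_1 = "Providing torque without driver request"
FAULT_2 = "Providing no torque although driver requested torque"
EXAMPLE_EVENTS = [
    HazardousEvent(FAULT_1, "Stopped at a crossing or red traffic light", s=3, e=4, c=1),
    HazardousEvent(FAULT_1, "Driving on country road, overtaking", s=3, e=1, c=2),
    HazardousEvent(FAULT_2, "Driving on country road, overtaking", s=3, e=1, c=2),
]


if __name__ == "__main__":
    for ev in EXAMPLE_EVENTS:
        print(f"{ev.fault} / {ev.situation}: S{ev.s} E{ev.e} C{ev.c} -> {ev.asil()}")
    for fault, asil in safety_goal_asils(EXAMPLE_EVENTS).items():
        print(f"safety goal for '{fault}': ASIL {asil}")
    print("item ASIL:", item_asil(EXAMPLE_EVENTS))
```

Note that the overtaking scenario rates QM for both faults only because of its E1; the same S3/C2 event with a higher exposure would reach ASIL A (E2), B (E3) or C (E4).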
SUMMARY OF DAY 1
HAZARD ANALYSIS AND RISK ASSESSMENT (HARA)