Professional Documents
Culture Documents
Day3 English 2017 0824
Day3 English 2017 0824
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 2
CONTENTS
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 3
PARTS CONSIDERED
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 4
RESPONSIBILITIES AND TARGETS
Responsibilities
The hardware development phase is typically the responsibility of the
hardware suppliers (also Chip supplier, IP supplier), who have the
knowledge for the implementation of safety mechanisms at the hardware level
Chip and IPs can be either developed as so called Safety Element out of
Context (SEooC) or in line with given customer requirements as Safety
Element in Context (SEiC)
Targets
In the hardware development phase an electronic circuit is designed in
accordance with the required safety integrity of safety requirements derived
from the system development phase. The evaluation of the achieved safety
integrity is done by calculation of probabilistic hardware metrics.
Input
Initiation of the
Input
Hardware Development
Hardware Safety
Requirements
Specification
Hardware Design
Design Verification
Hardware Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED
INITIATION OF HW-DEVELOPMENT
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 8
ALLOCATION OF HW REQUIREMENTS
Allocation to Allocation to
Harmonization
Hardware comes via Software
HSI
Refinement of Refinement of
requirement Hardware- requirement
Software
Interface
HW specification (HSI)
SW specification
The interface between hardware and software has to be clarified
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 9
PART 5, CLAUSE 6
DERIVATION OF
HW-SAFETY REQUIREMENTS
Refinement
VBAT
Hardware Development
HW-Safety Supply HS
Driver
Out1
Requirements INP
Input Control
Driver
Control
HW-Circuit
Circuit level ENB
GND
Diagnostics
IC
LS
Driver
Out2
Design
Refinement
HW-Safety 1
1
2
2
3
3
4 5 6
Requirements 4
1
5
2
9
6
3
Block design
7 8
(e.g. IC / IP)
Part 7 8 9
Part
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 10
HARDWARE SAFETY REQUIREMENTS
EXAMPLE INTRODUCTION
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 11
HARDWARE SAFETY REQUIREMENTS
EXAMPLE INTRODUCTION
1. Introduction
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 12
HARDWARE SAFETY REQUIREMENTS
EXAMPLE INTRODUCTION
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 14
PART 5, CLAUSE 7
HARDWARE DESIGN
ASIL
Properties
A B C D
1 Hierarchical design + + + +
Precisely defined interfaces of safety-related hardware
2 ++ ++ ++ ++
components
Introduction of possible
hardware design for the
example component
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 17
HARDWARE DESIGN
EXAMPLE INTRODUCTION
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 18
HARDWARE DESIGN
EXAMPLE INTRODUCTION
Hard wired
CAN-Bus (Feedback)
Speed signal Power Unit
(ABS item) with Motor
Monitoring
Pedal Motor-ECU E-
Sensor Motor
QM
Hard wired
(Torque off) 400V
HV
Battery
QM
Display
(other item
QM)
Measures current
(dependent on
Torque) Motor current sent
to Motor-ECU for
From Motor-ECU to control motor Torque comparison
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 19
CONTENTS
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 20
DEFINITIONS
Fault
abnormal condition that can cause an element or an item to fail
Error
discrepancy between a computed, observed or measured
value or condition and the true, specified, or theoretically
correct value or condition
Failure
termination of the ability of an element or an item to perform a
function as required
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 21
DIFFERENCE:
FAULT – ERROR - FAILURE
Programming Unwanted
fault causes loop endless loop
(non-)termination (leads to Item Level
condition Watchdog
reset) Fault Error Failure
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 22
MORE DEFINITIONS
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 23
SAFE FAULT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 24
SINGLE POINT FAULT
Failure mode
Input 1
IN_1 “stuck-at high” at A3 is a
“single point fault”
Input 2 Microcontroller
IN_2
(µC)
Input 3
IN_3
A1
A3 Output
SPI &
A2
External ok
Window
Safety related Watchdog Failure mode
HW elements “short-circuit” at Output
driver is a “single point
Non-safety related fault”
HW elements
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 26
RESIDUAL FAULT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 27
EXAMPLE: RESIDUAL FAULT
Non-safety related
HW elements
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 28
DUAL POINT FAULT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 29
EXAMPLE: DUAL POINT FAULT
Example: Microcontroller with external Watchdog
The microcontroller shall activate the Output, if Input 1 has the state low and Input 2 the state high.
Stuck-at low:
dual point fault
A fault of a µC internal safety mechanism
Input 1 leads to a dual point fault in combination
IN_1
with the initial fault it was protecting (i.e.,
Input 2 Microcontroller memory write error + MPU, etc.).
AND IN_2
(µC)
Input 3
IN_3
A1
Stuck-at high: A3 Output
SPI AND &
dual point fault
External A2
ok
Window
Safety related Watchdog
HW elements Both the output of the µC
(A1) and External Window
Watchdog (A2) fail high
Non-safety related
HW elements
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 30
MULTIPLE POINT FAULT
Non-safety related
HW elements
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 32
LATENT FAULT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 33
SUMMARY OF
HW FAULT CATEGORIES
ltotal =
lS Safe fault (ls)
Fault that leads to a safe condition or has no impact on the respective safety goal
+
Detected multiple point fault (lMPF detected)
lMPF,D Detected multiple fault (detected by system/hardware elements)
No safety goal violation
+
Perceived multiple point fault (lMPF perc.)
lMPF,P Multiple fault detected by the driver
No safety goal violation
+
Residual fault (lRF)
lRF Portion of a fault not detected by the safety mechanism
Leads to safety goal violation
+
Latent multiple point fault (lMPF latent)
Undetected multiple fault or portion of multiple point fault that is undetected by the safety mechanism
lMPF,L Leads to safety goal violation
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 34
PART 5, CLAUSE 9
RANDOM HARDWARE FAILURE
Practical Note:
1 FIT = 10-9
failures/hour
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 35
QUANTITATIVE DESIGN
VERIFICATION IN PRACTICE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 38
RANDOM HARDWARE FAULT
CATEGORIES IN AN FMEDA
Does this
Does this
failure mode
Is this a safety- Diagnostic failure mode
have the Safety mechanism(s) Latent
related Coverage with Residual or have potential Safety Diagnostic Multi-point
potential to that prevent the multi- Safe
Component component to Base Failure Failure Failure mode respect to Single-point to violate a SG mechanisms that Coverage with failure rate,
violate a failure mode from point failure
Name be considered Rate [FIT] Mode distribution single- failure rate in combination prevent the failure respect to detected/perc
safety goal, in violating the safety failure rate [FIT]
in the point/residual [FIT] with a 2nd from being latent: latent faults eived [FIT]
the absence of goal: rate [FIT]
calculations? faults independent
safety
failure?
mechanisms ? , , , /
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 39
STEP 1
VERIFICATION OF HARDWARE
ARCHITECTURE METRICS
B recommended recommended
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 40
STEP 1
VERIFICATION OF HARDWARE
ARCHITECTURE METRICS
Calculation of
Single Point Fault Metric (SPFM)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 41
STEP 1
VERIFICATION OF HARDWARE
ARCHITECTURE METRICS
Calculation of
Latent Fault Metric (LFM)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 42
STEP 1
VERIFICATION OF HARDWARE
ARCHITECTURE METRICS
A Hardware Element has a failure rate of 10 FIT which is all safety related
• Example 1: There is a D.C. of the SPF of 0% and a D.C. of the LF of 90%:
– λspf = ?
– λrf = ?
SPFM = ?
– λmpf,l = ?
– λmpf,d = ?
• Example 2: There is a D.C of the SPF of 70% and a D.C. of the LF of 50%:
– λspf = ?
– λrf = ?
– λmpf,l = ?
SPFM = ?
– λmpf,d = ? LFM = ?
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 43
STEP 1
VERIFICATION OF HARDWARE
ARCHITECTURE METRICS
A Hardware Element has a failure rate of 10 FIT which is all safety related
• Example 1: There is a D.C. of the SPF of 0% and a D.C. of the LF of 90%:
– λspf = 10 FIT
– λrf = 0 FIT
SPFM = 0%
– λmpf,l = 0 FIT
– λmpf,d = 0 FIT
• Example 2: There is a D.C of the SPF of 70% and a D.C. of the LF of 50%:
– λspf = 0 FIT
– λrf = 3 FIT
– λmpf,l = 3.5 FIT
SPFM = 70%
– λmpf,d = 3.5 FIT LFM = 50%
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 44
STEP 1
VERIFICATION OF HARDWARE
ARCHITECTURE METRICS
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 45
DAY 3
EXERCISE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 46
STEP 2A
VERIFICATION OF SAFETY GOAL
VIOLATING FAILURE RATE
B verification recommended
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 47
STEP 2A
VERIFICATION OF SAFETY GOAL
VIOLATING FAILURE RATE
Note: This formula will be deleted in Edition 2 and substituted by more detailled considerations.
Calculation of PMHF acc. to ISO 26262-10
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 48
STEP 2A
VERIFICATION OF SAFETY GOAL
VIOLATING FAILURE RATE
Attention: Above formula represents a rough and usually conservative estimation, which is
not shown in ISO 26262.
Instead we recommend to use mathematical models (e.g. quantitative FTA).
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 49
STEP 2A
VERIFICATION OF SAFETY GOAL
VIOLATING FAILURE RATE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 51
DAY 3
EXERCISE 8
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 52
STEP 1.6
DETERMINE THE ARCHITECTURE
METRIC
• Task: Populate the FMEDA Matrix for this element and calculate SPFM,
LFM, PMHF, ASIL:
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 53
STEP 1.6
DETERMINE THE ARCHITECTURE
METRIC
SPFM:
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 56
STEP 1.1
DETERMINE THE ARCHITECTURE
METRIC
1.2
1.3
element name
Description
1.4
Hardware
1.5
R1 Shunt Resistor
1.6 R2 Resistor
T1 Transistor
K1 Relay
D1 Diode
IC1 Amplifier
M Motor
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 57
STEP 1.2
DETERMINE THE ARCHITECTURE
METRIC
1.5
1.6
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 58
DAY 3
EXERCISE
Safety Related
element name
Description
Hardware
R1 Shunt Resistor
R2 Resistor
T1 Transistor
K1 Relay
D1 Diode
IC1 Amplifier
M Motor
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 60
DAY 3
EXERCISE
Safety Related
element name
Description
T1: Failed T1 gate could cause unintentional
Hardware
switching
K1: This is part of the safe state actuator path
R1 Shunt Resistor Y
D1: D1 protects from motor transients. A failed D1 R2 Resistor Y
could lead to T1 failures T1 Transistor Y
K1 Relay Y
IC1: Could translate current wrong. See R1. D1 Diode Y
M: Some short failures could cause continuous IC1 Amplifier Y
M Motor Y
operation
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 61
STEP 1.3
DETERMINE THE ARCHITECTURE
METRIC
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 62
STEP 1.3
DETERMINE THE ARCHITECTURE
METRIC
• SN29500 Developed by
Siemens AG and states failure
rates under reference
conditions. User must find
base failure rates from other
reference. Does not consider
mission profiles.
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 63
DAY 3
EXERCISE
environment, p(E)
Correction factor-
Correction factor-
Correction factor-
Correction factor-
Correction factor-
Correction factor-
Operat. temp. °C
Reference temp.
FIT value at ref.
failure criterion,
element name
voltage, p(Q)
voltage, p(U)
temperature
quality, p(D)
Technology
Description
temp., p(T)
Hardware
load, p(L)
Value
FIT
°C
R1 Shunt Resistor Wire Wound SN29500 0.20 55 50 0.89 1 1 1 1 1 1 0.18
R2 Resistor Metal film SN29500 0.20 55 70 1.4 1 1 1 1 1 1 0.28
T1 Transistor TO3 MOS-FET SN29500 60.00 100 80 0.43 1 1 1 1 1 1 25.80
K1 Relay Power SN29500 30.00 70 70 1 1 1 1 1 1 1 30.00
D1 Diode Standard SN29500 1.00 40 70 3.7 1 1 1 1 1 1 3.70
IC1 Amplifier AD8200 Dual Diff OP SN29500 3.00 55 70 1.8 1 1 1 1 1 1 5.40
M Motor DC Supplier 50.00 1 1 1 1 1 1 1 50.00
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 64
STEP 1.3
DETERMINE THE ARCHITECTURE
METRIC
1.2
1.6
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 65
STEP 1.3
DETERMINE THE ARCHITECTURE
METRIC
population parameter.
Distribution of
Population parameter
“I am pretty sure the true value of a number I
am approximating is within this range”
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 66
STEP 1.3
DETERMINE THE ARCHITECTURE
METRIC
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 67
STEP 1.3
DETERMINE THE ARCHITECTURE
METRIC
I’m 95% certain the failure rate is between 0 and 100 FIT
I’m 80% certain the failure rate is between 0 and 1.5 FIT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 68
STEP 1.3
DETERMINE THE ARCHITECTURE
METRIC
Example: 1 failure (r
= 1) and want to
calculate for 95% (
= 0.05) confidence
level:
9.488
<
2
Ref: http://flylib.com/books/en/3.287.1.235/1/
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 70
STEP 1.3
DETERMINE THE ARCHITECTURE
METRIC
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 71
STEP 1.3
DETERMINE THE ARCHITECTURE
METRIC
.
• For 60% confidence: <
.
• For 90% confidence: <
Width of the
interval
. increases with
• For 95% confidence: < increase in
confidence level
99% is 5 times
.
• For 99% confidence: < larger than 60%
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 72
STEP 1.3
DETERMINE THE ARCHITECTURE
METRIC
0.92 0.92
= ℎ ≈ 0.02
48065534164
2.3 2.3
= ℎ ≈ 0.05
48065534164
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 73
STEP 1.3
DETERMINE THE ARCHITECTURE
METRIC
1.2 E.g. for a resistor the failure modes “short, open and drift” must
be analyzed.
1.3 Failure mode “Functional” refers to the specified function of the
Hardware component (e.g. Filter, amplifier etc.)
1.4 Possible resources
– IEC 62061: 2005, Annex D (IEC 62061: “Safety of machinery – Functional
safety of safety-related electrical, electronic and programmable electronic
1.5 control systems”); IEC 62380; SN29500
– A. Birolini: e.g. “Reliability Engineering - Theory and Practice”.
1.6
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 76
DAY 3
EXERCISE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 77
DAY 3
EXERCISE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 78
STEP 1.4
DETERMINE THE ARCHITECTURE
METRIC
1.6
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 79
DAY 3
EXERCISE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 80
HW Part
R2
R1
HW Part type
R-M
R-M
x
x
Safety-relevant?
Failure mode
Short
Short
Open
Open
Drift 2,0
Drift 0,5
Drift 2,0
Drift 0,5
Failure mode
0%
0%
distribution
30%
30%
40%
30%
30%
40%
Fault potential if no
o
o
o
o
o
o
o
x
safety mechanism
DAY 3
exists?
SPF/RF?
SM1
SM
EXERCISE
DC safety mechanism
DC
[%]
[FIT]
Rate [Fit]
Fault potential in
combination with
x
x
o
o
o
o
o
o
LF?
another independent
fault
DC safety mechanism
Analysis with respect to Safety Goal1 (Unintended acceleration has to be avoided)
DC
[%]
81
DAY 3
EXERCISE
Analysis with respect to Safety Goal1 (Unintended acceleration has to be avoided)
DC safety mechanism
another independent
Residual Point Fault
Fault potential if no
safety mechanism
combination with
Fault potential in
Safety-relevant?
Failure mode
Failure mode
HW Part type
distribution
Rate [Fit]
HW Part
exists?
[FIT]
fault
[%]
[%]
λ value [FIT] SPF/RF? SM DC λSP λRF LF? SM DC λLF
Open 40%
x If R2 fails open, then T1’s ogate is floating which
Short 0% could cause unintentional switching and could
o o
R2 R-M 0.28 x potentially violate the safety goal
Drift 0,5 30%
o o
Drift 2,0 30%
o o
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 82
DAY 3
EXERCISE
Analysis with respect to Safety Goal1 (Unintended acceleration has to be avoided)
DC safety mechanism
another independent
Residual Point Fault
Fault potential if no
safety mechanism
combination with
Fault potential in
Safety-relevant?
Failure mode
Failure mode
HW Part type
distribution
Rate [Fit]
HW Part
exists?
[FIT]
fault
[%]
[%]
λ value [FIT] SPF/RF? SM DC λSP λRF LF? SM DC λLF
Open 40%
IfoR1 failed short, or drifted to a ox
lower resistance (indicating a
Short 0%
R1 R-M 0.18 x
smaller
o torque then actual), in x
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 86
DAY 3
EXERCISE 6
Safety
Description ref. to ISO 26262 DC achievable
Mechanism
ISO 26262-5, Table
SM1 Sensor correlation
D.11 – Sensors
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 87
DAY 3
EXERCISE 6
Sensor correlation
Aim: To detect sensor-in-range drifts, offsets or other errors using a redundant sensor.
Description: Comparison of two identical or similar sensors to detect in-range
failures such as drifts, offsets or stuck-at failures.
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 88
DAY 3
EXERCISE 6
Safety
Description ref. to ISO 26262 DC achievable
Mechanism
ISO 26262-5, Table
SM1 Sensor correlation
D.11 – Sensors
99%
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 89
STEP 1.6
DETERMINE THE ARCHITECTURE
METRIC
1.2
Fill in the sums in the formulas for SPFM, LFM and PMHF.
Comparison with the required target values
1.3
If necessary, optimize the HW architecture
1.4
1.5
1.6
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 90
DAY 3
EXERCISE 7
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 91
HW Part
R2
R1
HW Part type
R-M
R-M
x
x
Safety-relevant?
Failure mode
Short
Short
Open
Open
Drift 2,0
Drift 0,5
Drift 2,0
Drift 0,5
Failure mode
0%
0%
distribution
30%
30%
40%
30%
30%
40%
Fault potential if no
o
o
o
o
o
o
o
x
safety mechanism
DAY 3
exists?
SPF/RF?
SM1
prevents this fault (SM)
EXERCISE 7
DC safety mechanism
DC
99% [%]
[FIT]
Rate [Fit]
Fault potential in
combination with
x
ox
o
o
o
o
xo
ox
LF?
another independent
fault
SM1
DC safety mechanism
Analysis with respect to Safety Goal1 (Unintended acceleration has to be avoided)
DC
[%]
99%
99%
99%
92
HW Part
R2
R1
HW Part type
R-M
R-M
x
x
Safety-relevant?
Failure mode
Short
Short
Open
Open
Drift 2,0
Drift 0,5
Drift 2,0
Drift 0,5
Failure mode
0%
0%
distribution
30%
30%
40%
30%
30%
40%
Fault potential if no
o
o
o
o
o
o
o
x
safety mechanism
DAY 3
exists?
SPF/RF?
SM1
prevents this fault (SM)
EXERCISE 7
DC safety mechanism
DC
99% [%]
[FIT]
Rate [Fit]
0.0011
Fault potential in
combination with
x
ox
o
o
o
o
xo
ox
LF?
another independent
fault
SM1
DC safety mechanism
Analysis with respect to Safety Goal1 (Unintended acceleration has to be avoided)
DC
[%]
99%
99%
99%
0
0.0011
0.00053
93
DAY 3
EXERCISE 7
DC safety mechanism
another independent
Residual Point Fault
Fault potential if no
Safety mechanism
safety mechanism
combination with
Fault potential in
Safety-relevant?
HW Part type
Failure mode
Failure mode
distribution
λ value [FIT]
Rate [Fit]
HW Part
exists?
(SM)
[FIT]
fault
fault
[%]
[%]
SPF/RF? SM DC λSP λRF LF? SM DC λLF
open circuit Gate 5% SM1
x 99% 0.013 o
open circuit Drain 5%
o o
open circuit Source 5%
o o
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 94
DAY 3
EXERCISE 7
Failure mode
λ value [FIT]
HW Part
[Fit]
SPF/RF? SM DC λSP λRF LF? SM DC λLF
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 95
DAY 3
EXERCISE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 96
DAY 3
EXERCISE
ltotal,SR = 115.4 FIT
lS SPFM =
+
lMPF,D
+ LFM =
lMPF,P
+
lRF = 0.13 FIT PMHF ≈
+
lMPF,L = 44.79 FIT
+ Achievable ASIL =
lSPF = 0 FIT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 97
DAY 3
EXERCISE
ltotal,SR = 115.4 FIT
lS SPFM = 99.9% [ASIL D]
+
lMPF,D
+ LFM = 61.1% [ ASIL B]
lMPF,P
+
lRF = 0.13 FIT PMHF ≈ 0.13 FIT or 4.6 FIT [ASIL D]
+
Using simplified RF + Using β = 10%
lMPF,L = 44.79 FIT LF formula coefficient approach
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 99
STEP 2B
VERIFICATION OF FAILURE CLASSES
PER HARDWARE COMPONENT
B verification recommended
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 100
STEP 2B
VERIFICATION OF FAILURE CLASSES
PER HARDWARE COMPONENT
Process for single point faults (SPF and RF)
Begin
Single-point fault?
No
Yes
Residual fault? Evaluation procedure
No for dual-point failures
Yes
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 101
STEP 2B
VERIFICATION OF FAILURE CLASSES
PER HARDWARE COMPONENT
Begin
No
Plausible dual-
point failure?
No
Yes
Yes
ISO 26262-5, Figure 4
End
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 102
STEP 2B
VERIFICATION OF FAILURE RATE
CLASSES PER HARDWARE PART
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 103
STEP 2B
VERIFICATION OF FAILURE CLASSES
PER HARDWARE COMPONENT
ASIL of the
Safety Goal Failure rate Failure rate Failure rate Failure rate class 2 +
C
class 5 class 4 class 3 dedicated measures
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 105
STEP 2B
VERIFICATION OF FAILURE CLASSES
PER HARDWARE COMPONENT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 106
DAY 3
EXERCISE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 107
DAY 3
EXERCISE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 108
DAY 3
EXERCISE
failure FIT
rate
class For very low failure rate HW
1 < 0.1 elements, the FRC method
2 <1 can be much quicker to
3 < 10 evaluate
i < 100 However, in most cases a
safety mechanism is
FRC 2 required and therefore time
isn’t save
The FRC method is only a
substitute for PMHF, the
quantitative analysis would
FRC 2 still be required for
calculating the SPFM and
LFM
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 109
CONTENTS
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 110
DERIVING TEST CASES (1)
ASIL
Methods
A B C D
1a Analysis of requirements ++ ++ ++ ++
1b Analysis of internal and external interfaces + ++ ++ ++
1c Generation and analysis of equivalence classesa + + ++ ++
1d Analysis of boundary valuesb + + ++ ++
1e Knowledge or experience based error guessingc ++ ++ ++ ++
1f Analysis of functional dependencies + + ++ ++
1g Analysis of common limit conditions, sequences and sources of common
cause failures
+ + ++ ++
1h Analysis of environmental conditions and operational use cases + ++ ++ ++
1i Standards if existingd + + + +
1j Analysis of significant variantse ++ ++ ++ ++
a In order to derive the necessary test cases efficiently, analysis of similarities can be conducted.
b EXAMPLE values approaching and crossing the boundaries between specified values, and out of range values
c “Error guessing tests” can be based on data collected through a lessons learned process, or expert judgment, or both. It can be supported by
FMEA.
d Existing standards include ISO 16750 and ISO 11452.
e The analysis of significant variants includes worst case analysis.
ISO 26262, Table 10 — Methods for deriving test cases for hardware integration testing
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 111
CHOICE OF TEST METHODS (1)
ASIL
Methods
A B C D
1 Functional testinga ++ ++ ++ ++
2 Fault injection testing + + ++ ++
3 Electrical testing ++ ++ ++ ++
ISO 26262-5, Table 11 — Hardware integration tests to verify the completeness and correctness of the safety
mechanisms implementation with respect to the hardware safety requirements
aThe HW is given input data, which adequately characterizes the expected normal operation.
The outputs are observed and their response is compared with that given by the specification.
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 112
CHOICE OF TEST METHODS (2)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 113
CHOICE OF TEST METHODS (3)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 114
MORE HW INTEGRATION TESTS
ISO 26262-5, Table 12 — Hardware integration tests to verify robustness and operation under external stresses
ASIL
Methods
A B C D
1a Environmental testing with basic functional verificationa ++ ++ ++ ++
1b Expanded functional testingb o + + ++
1c Statistical testingc o o + ++
1d Worst case testingd o o o +
1e Over limit testing e + + + +
1f Mechanical testing ++ ++ ++ ++
1g Accelerated life testf + + ++ ++
1h Mechanical Endurance testg ++ ++ ++ ++
1i EMC and ESD testh ++ ++ ++ ++
1j Chemical testingi ++ ++ ++ ++
a During environmental testing with basic functional verification the hardware is put under various environmental conditions during which the hardware requirements are
assessed. ISO 16750-4 (Road vehicles -- Environmental conditions and testing for electrical and electronic equipment -- Part 4: Climatic loads) can be applied.
b Expanded functional testing checks the functional behaviour of the item in response to input conditions that are expected to occur only rarely (for instance extreme mission
profile values), or that are outside the specification of the hardware (for instance an incorrect command). In these situations, the observed behaviour of the hardware element is
compared with the specified requirements.
c Statistical tests aim at testing the hardware element with input data selected in accordance with the expected statistical distribution of the real mission profile. The
acceptance criteria are defined so that the statistical distribution of the results confirms the required failure rate.
d Worst case testing aims at testing cases found during worst case analysis. In such a test, environmental conditions are changed to their highest permissible marginal values
defined by the specification. The related responses of the hardware are inspected and compared with the specified requirements.
e In over limit testing, the hardware elements are submitted to environmental or functional constraints increasing progressively to values more severe than specified until they
stop working or they are destroyed. The purpose of this test is to determine the margin of robustness of the elements under test with respect to the required performance.
f Accelerated life test aims at predicting the behaviour evolution of a product in its normal operational conditions by submitting it to stresses higher than those expected during
its operational lifetime. Accelerated testing is based on an analytical model of failure mode acceleration.
g The aim of these tests is to study the mean time to failure or the maximum number of cycles that the element can withstand. Test can be performed up to failure or by damage
evaluation.
h ISO 11452-2; ISO 11452-4; ISO 7637-2; ISO 10605 and ISO 7637- 3 can be applied for EMC tests and ISO 16750-2 can be applied for ESD tests.
I For chemical test, ISO 16750–5 can be applied.
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 115
HARDWARE TESTS SUMMARY
Test methods are the same for safety relevant and non-
safety relevant requirements
Reference to other well-known industry standards
An analysis of the existing test strategies is required,
whether they are sufficient
Assure focus on safety related HW parts
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 117
CONTENTS
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 118
CONSIDERED PARTS
OF THE SOFTWARE DEVELOPMENT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 119
RESPONSIBILITIES AND TARGETS
Responsibilities
The software development phase typically is in the responsibility of the
software suppliers, who have the knowledge for the implementation
of software safety mechanisms at component level
Targets
In the software development phase, a software is designed in
accordance with the required safety integrity of safety requirements
derived from the system development phase (TSC)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 121
INITIATION OF PRODUCT
DEVELOPMENT AT SOFTWARE
LEVEL - ACTIVITIES
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 124
SUITABLE PROGRAMMING LANGUAGE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 125
CONTENTS
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 126
PART 6, CLAUSE 6
SPECIFICATION OF SOFTWARE
SAFETY REQUIREMENTS
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 127
SPECIFICATION OF SOFTWARE
SAFETY REQUIREMENTS - ACTIVITIES
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 131
SOLUTION TO EXERCISE 10 (DAY 3)
© SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 132
SOLUTION TO EXERCISE 10 (DAY 3)
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 134
PART 6, CLAUSE 7
SOFTWARE ARCHITECTURAL DESIGN
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 135
WHAT IS A SOFTWARE
ARCHITECTURE?
Component
2
Dispatcher
Interface 2-3
Component
Handler 1 Handler 2 ... Handler 3 3
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 136
SOFTWARE ARCHITECTURE DESIGN
ACTIVITIES
ASIL
Methods
A B C D
1a Informal notations ++ ++ + +
1b Semi-formal notations + ++ ++ ++
1c Formal notations + + + +
Table 2 — Notations for software architectural design from ISO 26262-6
Informal Notation
Drawings and diagrams without fully defined syntax and
semantics
Example:
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 139
EXAMPLES
SEMI-FORMAL NOTATION
Semi-formal Notation
The syntax is defined, but the semantic is not completely defined
Examples:
logic/function block diagrams: described in IEC 61131-3
sequence diagrams: described in IEC 61131-3
data flow diagrams: see IEC 61508-3, ref. C.2.2
finite state machines/state transition diagrams: see IEC 61508-3, ref. B.2.3.2
time Petri nets: see IEC 61508-3, ref. B.2.3.3
entity-relationship-attribute Data models: see IEC 61508-3, ref. B.2.4.4
message sequence charts: see IEC 61508-3, ref. C.2.14
decision/truth tables: see IEC 61508-3, ref. C.6.1
UML: see IEC 61508-3, ref. C.3.12
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 140
EXAMPLE:
SEMI-FORMAL NOTATION
DATA FLOW DIAGRAM
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 141
FORMAL NOTATION
Formal Notation
Both syntax and semantic are fully defined
Based on mathematical models
Very rarely use, because difficult to implement
Not common in automotive
Examples:
CCS, CSP, HOL, LOTOS, OBJ, temporal logic, VDM
and Z ( methods not described in detail)
Other techniques like “finite state machines” and “Petri
nets”, are often seen as formal methods, depending on
their mathematical basis
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 142
SOFTWARE ARCHITECTURE
with
Modular structure Hiding data structures to
Encapsulation principle prevent manipulation
Low complexity
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 143
BASIC PRINCIPLES OF SW
ARCHITECTURE
ASIL Examples
Methods
A B C D Tool / Metric Interpretation
a McCabe,
1b Restricted size of software components ++ ++ ++ ++ SW modularisation, use of HIS metric
LOC metric
a
1c Restricted size of interfaces + + + + DoxyGen Is it understandable?
measure of “tightness” of the connections
High cohesion within each software LCOM4,
1d + ++ ++ ++ between data and subprograms within one
component b Cohesion metric
module
Restricted coupling between software measure for the “tightness” of connections
1e + ++ ++ ++ RFC metric
components a, b, c between modules
Operating Check of the maximum task run time,
1f Appropriate scheduling properties ++ ++ ++ ++
System (OS) TTA (time-triggered) Architecture feasible?
Only 1 timer, 1 receive and 1
transmission-interrupt is allowed
a, d Otherwise: Interrupts to be prioritized
1g Restricted use of interrupts + + + ++
correctly, Interrupts closed only for a short
time for critical SW areas, Interrupts to be
documented in details
a In methods 1b, 1c, 1e and 1g "restricted" means to minimize in balance with other design considerations.
b Methods 1d and 1e can, for example, be achieved by separation of concerns which refers to the ability to identify, encapsulate, and
manipulate those parts of software that are relevant to a particular concept, goal, task, or purpose.
c Method 1e addresses the limitation of the external coupling of software components.
d Any interrupts used have to be priority-based.
ISO26262-6, Table 3 — Principles for software architectural design (with add-ons from SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 144
ERROR DETECTION (ARCHITECTURE)
ASIL
Methods Comments
A B C D
Online check of valid input and
1a Range checks of input and output data ++ ++ ++ ++
output data range
ISO26262-6, Table 4 — Mechanisms for error detection at the software architectural level (with add ons from SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 145
ERROR CONTROL (ARCHITECTURE)
ASIL
Methods Comments
A B C D
If a fault is detected the system will be reset to
a
1a Static recovery mechanism + + + + an earlier internal operating condition, which
correctness is known or recovery by repeating
a Static recovery mechanisms can include the use of recovery blocks, backward recovery, forward recovery and recovery through
repetition.
b Graceful degradation at the software level refers to prioritizing functions to minimize the adverse effects of potential failures on
functional safety.
c Independent parallel redundancy can be realized as dissimilar software in each parallel path.
ISO 26262-6, Table 5 — Mechanisms for error handling at the software architectural level (with add ons from SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 146
VERIFICATION OF SW
ARCHITECTURE: METHODS
Objectives :
Compliance with SW SRS
Compatibility with the target hardware
Demonstration of guidelines
ASIL
Methods Comments
A B C D
a
1a Walk-through of the design ++ + o o Discussion with reviewer
a
1b Inspection of the design + ++ ++ ++ Review acc. a defined process (e.g. use of check lists)
Simulation of dynamic parts of
1c b + + + ++ Model based development
the design
1d Prototype generation o o + ++ Model based development
To satisfy ISO 26262 requirements for software safety analysis and dependent
failure analysis for software, a series of three steps can be followed:
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 149
EXAMPLE
SOFTWARE MITIGATION CHECKLIST
Dynamic
Static
ID Potential Software Failures Mitigation Measures Safety Requirement Reference
Incomplete execution
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 150
EXAMPLE
SOFTWARE FMEA
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 151
PART 6, CLAUSE 8
SOFTWARE UNIT DESIGN AND
IMPLEMENTATION
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 152
SOFTWARE UNIT DESIGN AND
IMPLEMENTATION - ACTIVITIES
ASIL
Methods Comments
A B C D
ISO 26262-6, Table 7 — Notations for software unit design (add ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 153
SOFTWARE UNIT
AND EMBEDDED SOFTWARE
A software unit is
An atomic level software component of the software architecture that
can be subjected to stand-alone testing.
An embedded software is
A fully-integrated software to be executed on a processing element
(e.g. Microcontroller, Field Programmable Gate Array (FPGA) or an
Application Specific Integrated Circuit (ASIC))
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 154
SOFTWARE UNIT DESIGN AND
ISO 26262-6, Table 8 — Design principles for software unit design and implementation (added SGS TÜV Saar)
IMPLEMENTATION - METHODS
ASIL Umsetzung (Beispiele)
Methods
A B C D Tool Interpretation
One entry and one exit point in
1a ++ ++ ++ ++ MISRA-Rules
subprograms and functions a
1b
No dynamic objects or variables, or else
online test during their creation a,b
+ ++ ++ ++ MISRA-Rules All methods
1c Initialization of variables ++ ++ ++ ++ MISRA-Rules generally require
a
1d No multiple use of variable names + ++ ++ ++ MISRA-Rules a SW Tool
Avoid global variables or else justify their
1e + + ++ ++ MISRA-Rules
usage a
No pointer arithmetic, no pointers at functions,
a
1f Limited use of pointers o + + ++ MISRA-Rules Array indexing with pointers is allowed, HW
access with pointers is allowed
a,b
1g No implicit type conversions + ++ ++ ++ MISRA-Rules
c No continue statements, no backwards gotos, no
1h No hidden data flow or control flow + ++ ++ ++ MISRA-Rules
unreachable code, no dead code (e.g. A=A;)
1i No unconditional jumps a,b,c ++ ++ ++ ++ MISRA-Rules No continue statements, no backwards gotos
1j No recursions + + ++ ++ MISRA-Rules
a Methods 1a, 1b, 1d, 1e, 1f, 1g and 1i may not be applicable for graphical modelling notations used in model-based development.
b Methods 1g and 1i are not applicable in assembler programming.
c Methods 1h and 1i reduce the potential for modelling data flow and control flow through jumps or global variables.
ISO 26262-6, Table 8 — Design principles for software unit design and implementation (add-ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 155
SOFTWARE UNIT DESIGN AND
IMPLEMENTATION - VERIFICATION
ASIL
Methods Comments
A B C D
a
1a Walk-through ++ + o o
a
1b Inspection + ++ ++ ++
1c Semi-formal verification + + ++ ++
1d Formal verification o o + +
b,c See next slides
1e Control flow analysis + + ++ ++
b,c
1f Data flow analysis + + ++ ++
1g Static code analysis + ++ ++ ++
d
1h Semantic code analysis + + + +
a In the case of model-based software development the software unit specification design and implementation can be verified at
the model level.
b Methods 1e and 1f can be applied at the source code level. These methods are applicable both to manual code development
and to model-based development.
c Methods 1e and 1f can be part of methods 1d, 1g or 1h.
d Method 1h is used for mathematical analysis of source code by use of an abstract representation of possible values for the
variables. For this it is not necessary to translate and execute the source code.
ISO 26262-6, Table 9 — Methods for the verification of software unit design and implementation (add ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 156
SW UNIT DESIGN
VERIFICATION BY INSPECTION
Example: Checklist
Checklist for Code Reviews, (list is not complete, only an example)
Has the design been properly translated into code? (The results of the procedural design should be
available during this review.)
Is the document header complete:
a) the title, referring to the scope of the content,
b) the author and approver,
c) unique identification of each different revision (version) of a document,
d) the change history,
e) the status. E.g.: “draft", "released".
Are there misspellings and typos?
Is there compliance with coding standards for language style, comments, etc.?
Are there incorrect or ambiguous comments?
Are comments useful or are they simply poor coding?
Are data types and data declarations correct?
Are physical constants correct?
Has maintainability been considered?
and so on ….
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 157
SW UNIT DESIGN
VERIFICATION BY THE USE OF
CONTROL FLOW ANALYSIS
Objective
Detection of bad or incorrect program structures
Description
The control flow analysis is a static analysis method. The
program is analyzed to get a flow graph, which can be
analyzed for:
• Unreachable code, as a result of unconditional jumps
• Knotted code bad structured code (see example next page)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 158
SW UNIT DESIGN
VERIFICATION BY THE USE OF
CONTROL FLOW ANALYSIS - EXAMPLE
Legend
= Knot = Instruction
= Path = Control Flow
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 159
SW UNIT DESIGN
VERIFICATION BY THE USE OF
DATA FLOW ANALYSIS
Objective
Identification of bad or incorrect program structures
Description
The data flow analysis is a static method, which is typically combined
with the information from the control flow analysis. The analysis checks
the following:
• Variables which can be read without initialization
• Variables which can be written several times, without reading. This could
be an indication for a skipped code
• Variables which are written but never read. This could be an indication for
a redundant code
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 160
SW UNIT DESIGN
VERIFICATION BY THE USE OF
STATIC ANALYSIS
Static code analysis can be seen as “state of the art” at software unit level
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 161
SW UNIT DESIGN
VERIFICATION BY THE USE OF
DATA FLOW ANALYSIS - EXAMPLE
© SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 164
CONTENTS
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 165
PART 6, CLAUSE 10
SOFTWARE-INTEGRATION AND TEST
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 166
PLANNED INTEGRATION
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 168
SOFTWARE UNIT TESTING
ACTIVITIES AND AIMS
Objectives:
Compliance with SW unit design specification
Compliance with HW/SW interface specification (HSI)
Demonstration of correct implementation of the functionality
Demonstration that no unintended functionality has been
implemented
Robustness
Demonstration that sufficient resources for functionality are available
This is the standard approach for deriving test cases in the industry.
Deriving test cases is only possible after the release of the requirements.
Quality of test cases depends on the quality of the requirements.
Example:
Requirement: One procedure named “InterriorLightning” shall switch
off or on the interior lightning depending on the input value.
Following test cases are used during testing:
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 171
SW UNIT TESTING
METHODS
ASIL
Methods Comments
A B C D
a
1a Requirements-based test ++ ++ ++ ++
1b Interface test ++ ++ ++ ++
b
1c Fault injection test + + + ++ See next slides
c
1d Resource usage test + + + ++
Back-to-back comparison test between model and
1e d + + ++ ++
code, if applicable
a The software requirements at the unit level are the basis for this requirements-based test.
b This includes injection of arbitrary faults (e.g. by corrupting values of variables, by introducing code mutations, or by corrupting
values of CPU registers).
c Some aspects of the resource usage test can only be evaluated properly when the software unit tests are executed on the
target hardware or if the emulator for the target processor supports resource usage tests.
d This method requires a model that can simulate the functionality of the software units. Here, the model and code are stimulated
in the same way and results compared with each other.
ISO 26262-6, Table 10 — Methods for deriving test cases for software unit testing (add ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 172
SW UNIT TESTING
REQUIREMENTS BASED TEST
EXAMPLE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 174
SW UNIT TESTING
FAULT INJECTION TEST
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 175
RESOURCE USAGE TESTING
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 176
SW UNIT TESTING
RESSOURCE USAGE TEST
EXAMPLE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 177
BACK-TO-BACK TESTING
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 178
SW UNIT TESTING
TEST COVERAGE
ASIL
Methods Comments
A B C D
1a Statement coverage ++ ++ + +
ISO 26262-6, Table 12 — Structural coverage metrics at the software unit level (add ons by SGS TÜV Saar)
There are no target values given for the structural test coverage.
This means 100% is the target
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 180
MC/DC (MODIFIED
CONDITION/DECISION COVERAGE)
MC/DC:
Every point of entry and exit in the program has been invoked at least once,
Every decision in the program has taken all possible outcomes at least once
Every condition in a decision in the program has taken on all possible outcomes at
least once,
Every condition in a decision has been shown to independently affect that
decision’s outcome.
A condition is shown to affect a decision’s outcome independently by varying
just that condition while holding fixed all other possible conditions.
The condition/decision criterion does not guarantee the coverage of all
conditions in a module because in many test cases, some conditions of a
decision are masked by the other conditions.
Using the modified condition/decision criterion, each condition must be shown
to be able to act on the decision outcome by itself, everything else being held
fixed. The MC/DC criterion is thus much stronger than the
condition/decision coverage.
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 181
SIMPLE C++ EXAMPLE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 183
SOFTWARE INTEGRATION AND
TEST METHODS
ASIL
Methods Comments
A B C D
a
1a Requirements-based test ++ ++ ++ ++
1b Interface test ++ ++ ++ ++
b
1c Fault injection test + + ++ ++
cd
see SW-Unit Testing
1d Resource usage test + + + ++
Back-to-back comparison test between model and
1e e + + ++ ++
code, if applicable
a
The software requirements at the architectural level are the basis for this requirements-based test.
b
This includes injection of arbitrary faults in order to test safety mechanisms (e.g. by corrupting software or hardware
components).
c
To ensure the fulfilment of requirements influenced by the hardware architectural design with sufficient tolerance, properties such
as average and maximum processor performance, minimum or maximum execution times, storage usage (e.g. RAM for stack and
heap, ROM for program and data) and the bandwidth of communication links (e.g. data buses) have to be determined.
d
Some aspects of the resource usage test can only be evaluated properly when the software integration tests are executed on
the target hardware or if the emulator for the target processor supports resource usage tests.
e
This method requires a model that can simulate the functionality of the software components. Here, the model and code are
stimulated in the same way and results compared with each other.
ISO 26262-6, Table 13 — Methods for software integration testing (add ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 184
SOFTWARE INTEGRATION UND TEST
DERIVATION OF TEST CASES
ASIL
Methods Comments
A B C D
1a Analysis of requirements ++ ++ ++ ++
a
1b Generation and analysis of equivalence classes + ++ ++ ++
See SW-Unit Testing
b
1c Analysis of boundary values + ++ ++ ++
c
1d Error guessing + + + +
a Equivalence classes can be identified based on the division of inputs and outputs, such that a representative test value can be
selected for each class.
b This method applies to interfaces, values approaching and crossing the boundaries and out of range values.
c Error guessing tests can be based on data collected through a “lessons learned” process and expert judgment.
ISO 26262-6, Table 14 — Methods for deriving test cases for software integration testing (add ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 185
SOFTWARE INTEGRATION AND TEST
TEST COVERAGE
ASIL
Methods Comments
A B C D
a
1a Function coverage + + ++ ++
See next slides
b
1b Call coverage + + ++ ++
a Method 1a refers to the percentage of executed software functions. This evidence can be achieved by an appropriate
software integration strategy.
b Method 1b refers to the percentage of executed software function calls.
ISO 26262-6, Table 15 — Structural coverage metrics at the software architectural level (add ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 186
STRUCTURAL COVERAGE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 187
SIMPLE C++ EXAMPLE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 189
VERIFICATION OF SOFTWARE
SAFETY REQUIREMENTS –
ACTIVITIES AND AIMS
ASIL
Methods Comments
A B C D
1a Hardware-in-the-loop + + ++ ++ HIL-Test
a
1b Electronic control unit network environments ++ ++ ++ ++ Simulation
1c Vehicles ++ ++ ++ ++ Tests in the vehicle
a Examples include test benches partially or fully integrating the electrical systems of a vehicle, “lab-cars” or “mule” vehicles,
and “rest of the bus” simulations.
ISO 26262-6, Table 16 — Test environments for conducting the software safety requirements verification (add-ons by SGS TÜV Saar)
Verification tests are typically done together with software integration tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 190
SUMMARY OF DAY 3
SOFTWARE DEVELOPMENT (1)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 191
SUMMARY OF DAY 3
SOFTWARE DEVELOPMENT (2)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 192