Iso 26262

ISO 26262 Introduction
Singapore, 17 October 2012

Koen Leekens
exida Contacts
Singapore
Shanghai
Hong Kong
Germany
USA
Switzerland
+65 6222 5160

+86 21 5171 7250
+852 2633 7727
+49 89 4900 0547
+1 215 453 1720
+41 22 364 14 34
Canada
United Kingdom
Netherlands
Australia / NZL
Mexico
South Africa
Copyright exida LLC 2000-2012
+1 403 475 1943

+44 2476 456 195
+31 318 414 505
+64 3 472 7707
+52 55 5611 9858
+27 31 267 1564
On the Agenda
ISO 26262 and the Challenges
exida Expertise
Safety is Only as Strong as its Weakest Link
exida
Once upon a time

Electronics?
??
Many years later

Adaptive Headlights
Pre-Crash System
Automatic Steering
Backup Camera
Infrared Night Vision
Steering Lock
Traction Control System

Anti-Blocking System
Corner Brake Control
Adaptive Cruise Contro

Automatic Collision Notification
Automated Parking System
Automatic Gearbox ControlAirbag
Electronic Stability Program
Tire Pressure Monitoring
Reverse
Lane Departure Warning
Sensors
Deflation Detection Emergency Brake Assistance
Traffic Sign Recognition
System
Some Fatality Numbers
Fatalities
Fatalities decreasing
decreasing too
too Slow
Slow in
in
Europe
Europe
Fatalities
Fatalities stable
stable but
but too
too High
High in
in US
US
Many years later

Adaptive Headlights
Pre-Crash System
Automatic Steering
Backup Camera
Infrared Night Vision
Steering Lock
Actively
Actively
function
function
to
to achieve
achieve
Safe
Safe State
State
Traction Control System

Anti-Blocking System
Corner Brake Control
Adaptive Cruise Contro
Automatic Collision Notification

Automated Parking System
Automatic Gearbox ControlAirbag
Electronic Stability Program
Tire Pressure Monitoring
Deflation Detection
System
Reverse
Lane Departure Warning
Sensors
Emergency Brake Assistance
Traffic Sign Recognition
What is?
Functional Safety
ISO 26262: Absence of unreasonable risk due to
hazards caused by malfunctioning behavior of E/E
systems
IEC 61508: Part of the overall safety related to the
equipment under control (EUC) that depends on the
correct functioning of the safety-related system
Why Functional Safety Standards?

BECAUSE
Why Functional Safety?

BECAUSE
ELECTRONICS CAN FAIL !!!

Are
Are you
you Able
Able to
to Provide
Provide the
the
EVIDENCE
EVIDENCE
that
that Risks
Risks have
have been
been
Minimized?
Minimized?
Which Standard to Follow?

IEC
IEC 61508
61508
Functional
FunctionalSafety
Safetyfor
forE/E/PES
E/E/PESSafety
SafetyRelated
RelatedSystems
Systems
ISO 26262 Adaptation of IEC 61508

IEC
IEC 61508
61508
Functional
FunctionalSafety
Safetyfor
forE/E/PES
E/E/PESSafety
SafetyRelated
RelatedSystems
Systems
Why
Why not
not ideal
ideal
for
for
Automotive
Automotive
Industry
Industry ??
Basic Standard for Functional Safety

IEC
IEC 61508
61508
Functional
FunctionalSafety
Safetyfor
forE/E/PES
E/E/PESSafety
SafetyRelated
RelatedSystems
Systems
Generic High Level Standard

Roots in Process Industry
Assumes One Company does Everything
Not Designed for the Distributed Development
Why
Why not
not Ideal
Ideal
for
for
Automotive
Automotive
Industry
Industry ??
ISO 26262 Adaptation of IEC 61508

IEC
IEC 61508
61508
Functional
FunctionalSafety
Safetyfor
forE/E/PES
E/E/PESSafety
SafetyRelated
RelatedSystems
Systems
IEC
IEC 61511
61511 IEC
62061
IEC
61513
IEC
62061
IEC
61513
Process
Process
Industry
Industry
Machinery
Machinery
ISO
ISO
13849-1
13849-1
Nuclear
Nuclear
Machine
Machine
Safety
Safety
ISO
ISO
26262
26262
Road
RoadVehicles
Vehicles
ISO
ISO
25119
25119
Tractors
Tractors
ISO
ISO 26262
26262 is
is State
State of
of the
the Art
Art For
For
Automotive
Automotive
Developed
Developed with
with OEM
OEM
How E/E Systems Fail?
Random Failures: Usually a

permanent or transient failure
due to a system component
loss of functionality hardware
related
Systematic Failures: Usually

due to a design fault, wrong
specification, not fit for
purpose , error in software
program, ...
ISO 26262 Principles

ISO
ISO 26262
26262 Functional
Functional Safety
Safety
Principles
Principles
Avoidance
Avoidance of
of
Faults
Faults
Control
Control of
of Failures
Failures
Avoid
AvoidSystematic
Systematic
Faults
Faults
Control
Controlof
of
Systematic
SystematicFailures
Failures
Control
Controlof
of
Random
RandomFailures
Failures
Process
ProcessMethods
Methods-Organization
Organization
Before
BeforeDelivery
Delivery
Technical
TechnicalSafety
Safety
Measures
Measures
In
InOperation
Operation
ISO 26262 Principles

ISO
ISO 26262
26262 Functional
Functional Safety
Safety
Principles
Principles
Avoidance
Avoidance of
of
Faults
Faults
Control
Control of
of Failures
Failures
Avoid
AvoidSystematic
Systematic
Faults
Faults
Control
Controlof
of
Systematic
SystematicFailures
Failures
Control
Controlof
of
Random
RandomFailures
Failures
Process
ProcessMethods
Methods-Organization
Organization
Before
BeforeDelivery
Delivery
Implement
Implement
Correctly
Correctly
Technical
TechnicalSafety
Safety
Measures
Measures
In
InOperation
Operation
Detect
Detect and
and
React
React
2.4 2.6
Management of Functional Safety
Risk
Risk Based
Based
Approach
Approach
3.5
Item definition
3.6
Initiation of Safety Life

Cycle
3.7
Hazard Analysis and

Risk Assessment
3.7
3.8
Concept
Functional
of Functional
Safety
Concept
Safety
Product Development
System
7.4
7.5
Planning of Operation,
Service and Decom.
after SOP
product
development
concept phase
ISO 26262 follows a Safety LifeCycle
Planning of
Production
Hardware
Other
Technologies
Software
4.11
Release for SOP
7.4
Production
Operation, Service
7.5 and Decommissioning

8.4 8.15
Supporting Processes
Driver
Controllability
(and Usability)
External
Measures
Back to appropriate
lifecycle phase
Work Products
>
> 100
100
Work
Work
Products
Products
Exida
Templat
es
ISO 26262 Structure
ISO 26262 Structure

Vocabular
y
Vocabulary is important
English is not English
English American - KorEnglish GerEnglish
Singlish
English is not ISO/IEC
Validation Verification Confirmation
Fault Failure Error
Different Standard Different Terminology
Safety Requirement in ISO 26262 vs IEC
61511
ISO 26262 Structure

Functional Safety
Management

Overall Requirements for the Organization
Specific Organizational Rules
Competence
Quality
Requirements for Phases Plan Coordinate - Track
Roles and Responsibilities

Functional Safety Plan
Progression
Safety Case
Confirmation Measures
Functional Safety Plan
Exida
Template

Safety Case
AA clear,
clear,
comprehensive
comprehensive and
and defensible
defensible
argument
argument
that
that aa system
system is
is acceptably
acceptably safe
safe to
to
operate
operate
in
in aa particular
particular context.
context.
(Tim
(TimKelly
Kelly/ /Rob
RobWeawer
Weawer
University
of
York)
of York)
Copyright exida University
LLC 2000-2012
ISO 26262 Structure

Conce
pt
Concept Phase
Prevent
Prevent use
use by
by
OEM Defines Item > ESCL
unauthorized
unauthorized
person
Initiation of Safety Lifecycle
person by
by
mechanical
mechanical lock
lock
Hazard Analyses and Risk Assessment
Functional Safety Concept
Concept Phase
Initiation of Safety Lifecycle > New
Exida
Exida
Modificatio
Modificatio
nn Process
Process
Concept Phase
Initiation of safety Lifecycle > New
What
What Can
Can Go
Go Wrong?
Wrong?
>
> Steering
Steering locks
locks when
when
driving
driving
Concept Phase
SAFETY
SAFETY GOAL
GOAL
Avoid
Avoid aa
Dangerous
Dangerous
Situation
Situation
SG
No.
SG1
HRA Reg
ESCL_001
Safety Goal
Unintended locking of
ESCL while vehicle is
moving shall be avoided
ASIL
Safe
State
Unlocked
ESCL
Concept Phase
How
How Risky
Risky is
is that?
that?
>
> Need
Need ASILD
ASILD
Consequence Likelihood
Moderation
Moderation
Always
Always with
with
OEM
OEM
Concept Phase
Hazard Analyses and Risk Assessment > ASILD
Functionality
Functionality
to
to meet
meet
SAFETY
SAFETY GOAL
GOAL
Concept Phase
Hazard Analyses and Risk Assessment > ASILD
Unlock
Unlock Steering
Steering Column
Column when
when Vehicle
Vehicle
is
is moving
moving
ASIL
ASIL D
D
Vehicle
VehicleSpeed
Speed
Server
Server
Vehicle speed
ASIL D
ASIL
ASIL D
D
SG1
SG1
Lock Sequence
ASIL D
ASIL
ASIL D
D
Steering
Steering
Column
ColumnLock
Lock
ISO 26262 Structure

System Level
Development
Product Development System Level

Objectives TSC and SystemDesign
Requirements allocation
Specification of Safety
Measures
Integration
Validation
Concept Phase
Functional
Functional
Safety
Safety Concept
Concept
Product Development
Technical
Technical
Safety
Safety Concept
Concept
INTEGRITY
INTEGRITY
System
System Design
Design
HW
Design
SW
Design
Product Development System Level
ISO 26262 Structure
HS
I
ISO 26262 Structure
HW Level
Development
Product Development Hardware Level

5.8
5.8
Architectural
Architectural
ASIL B
ASIL C
ASIL D
Single point
faults metric
90 %
+
97 %
++
99 %
++
Latent faults
metric
60 %
+
80 %
+
90 %
++
5.9
5.9 Random
Random
ASIL
Random hardware failure target values
< 10-8 h-1
< 10-7 h-1
< 10-7 h-1
Dual Core versus 2 C Solution

Optimized Vehicle + Safety Features
AURIX covers Random HW Fault issues
I/O
C1
I/O
C
2
I/O
2x
2x SW
SW Development,
Development,
Communication,
Communication,
Testing,
Testing,
PCB
PCB Space,
Space,
Justification,
Justification,Supply
Supply
voltage,
voltage,
Voter
ALU
RAM
Reg
ALU
RAM
Reg
Flash
I/O
I/O
I/O
Focus
Focus Mainly
Mainly
on
on Application
Application
ISO 26262 Structure
SW Level
Development
Product Development Software Level

System Validation
E/E System-Design
E/E System Integration
Verification
during Design
Software Validation
Software Safety
Requirements
Software Safety
Validation
Verification
during Design
Software Architecture
and Design
Test
Software Integration
and Test
Verification
during Design
Software
Implementation
Test
Software Unit Test
ISO 26262 Structure
Producti
on
Operati
on
ISO 26262 Structure
Interfaces within Distributed Developments
(DIA)
Specification and Management Other
of
Parts
Other
Parts
reference
Requirements
reference
Supporting
Supporting
Configuration Management
Processes
Processes
Change Management
Verification
Documentation
Confidence of Use in SW Tools
Qualification of HW/SW Components
Proven in Use Arguments
ISO 26262 Structure
Safety
Analyses
Safety Analyses
Decomposition ASIL Tailoring
Criteria for Coexistence
Dependent Failure Analysis
Safety Analyses
Where are Safety Analyses in ISO?
SCA
H&R
FMEA
FTA
FMEA
FMED
A
SWCA
HAZA
N
H&R: Hazard & Risk

SCA: System Criticality
FTA: Fault Tree
FMEA: Failure Mode Effect
FMEDA: FMEA with Diagnostics
SWCA: SW-Criticality
HAZAN: Hazard Analysis
exida Tools for Automotive

SafetyCaseDB
Requirements and Safety Case Management and ISO
26262 knowledgebase
SILCal FMEDA
Component FMEA with integrated Failure Mode
Database
SILCap
Safety Criticality Analysis, System FMEA and S/WTool-Based
HAZOP
Tool-Based
Design
Design Support
Support
ISO 26262 Structure
Guideline
ISO 26262: If you did it well

You are Able to Show:
Completeness:
Everything accounted for

Requirements under Control
Everything tested pass
Used the toolsets
This is visible for external

auditor even when project
members have left
Documentation:
Traceability:
Consistency
Structured Process Model

Documents linked
Evidence for Everything
Understandable for external
All activities planned

Execution documented in SC
Inspected - Archived
For a life-time (15year?)
ISO 26262: If you did it well

You are Able to Show:
Completeness:
Consistency
This is visible for external

Everything accounted for
auditor even when project
Requirements under Control
members have left
Everything tested passAA clear,
clear,
comprehensive and
and defensible
defensible
Used the comprehensive
toolsets
argument
argument
that
safe
that aa system
system is
is acceptably
acceptably
safe to
to
Documentation:
Traceability:
operate
operate
Structured Process
All activities planned
Model
in
a
particular
context.
in a particular context.
(Tim
/ /Rob
Kelly
Documents linked
Execution
documented in SC
(Tim
Kelly
RobWeawer
Weawer
University
Universityof
ofYork)
York)
Inspected - Archived
Evidence for Everything
For a life-time (15year?)
Understandable for external
On the Agenda
ISO 26262 and the Challenges
exida Expertise
Who we are
Founded in 1999 by experts from
Manufacturers, End Users, Engineering
Companies and TV SD
Today: LARGEST Functional Safety and Cyber
Security consultancy and certification body
worldwide
Provide independent services and tools to

help customers comply to any industry
Rainer Faller
Dr. William Goble
standards
for
Functional
Safety,
Former Head of TV Product Services
FormerCyber
Director Moore Industries
Chairman German IEC 61508
Developed FMEDA Technique (PhD
Security
and
Alarm
Management
Intervener ISO 26262 / IEC 61508
Author of several Safety Books
Co-Authored IEC 61508 parts
Author of several Safety Publications
Author of several Reliability Books
What we do
EXIDA SCOPE
SERVICE
Function
S
Tools
al Safety
Cyber
Security
Reliability
Training
Consulta
ncy
Certificat
ion
INDUSTRI
CUSTOME
ES
Process
RS
Industry End Users
Automoti Equipmen
t
ve
Manufact
Machine urer
Industry
Alarm
Manageme
Power
nt
Referenc
Industry
e
Car
Manufact
urer
Automotive Customers (extract)

Service
Service
ss
Tools
Tools
ICs
ICs
exida Development Support Services

Setting up Functional Safety Management / Act as FSM
Coordinator
Safety System Development and Design support
Requirements Management & Engineering (SafetyCaseDB +

Doors incl. Setup)
Safety Concept development and documentation (also preexisting systems)
Tool based Safety Criticality Analysis (SILCap)

Hardware design support Tool based FMEA and Quantitative
FMEDA
Software design support UML design Tool based Software

HAZOP/FMEA (SILCap)
Tool based Safety Case development
IEC/ISO knowledgebase
per exida
development
phase:
Document templates
Copyright
LLC 2000-2012
exida Certifications
exida Certification S.A.
Clean separation from the exida Consulting business
English language based assessment and certification
system
International alternative to TV
Open exida Certification Scheme
IEC 61508 and ISO 26262 compliant using exida Safety
Case methodology (SafetyCaseDB) and audits
Assessment Process and Requirements Publicly
available
exida is Part of your Team

Safety and Standards Advisor
Questions, advice
Interpretation of standards
Moderator and Participant
One
One or
or more
more
FMEDA, Dependent Failure Analysis
Roles
Roles
Software analysis
Project Bottlenecks
Participant (joint activities)
Write development documents and procedures
Help with test specification, FIT, safety validation
Be your Lawyer vs. the Assessment Body
Argue your safety case
Manage all activities with the assessor
exida Certification S.A. the Assessment Body
Automotive Projects (extract)

Steering (Active Front Steering, Electronic Power Steering)
Gearbox
Driver assistance (e.g. ACC, ESP)
Body control
H2 Clean-Energy
Battery monitoring
Software platforms (AUTOSAR, communication, hardware
drivers, self-tests)
Safety IC Assessment support (C, system chips)

Iso 26262

Uploaded by

Copyright:

Available Formats

Iso 26262

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Iso 26262

Uploaded by

Copyright:

Available Formats

ISO 26262 Introduction

Singapore, 17 October 2012

+65 6222 5160

Copyright exida LLC 2000-2012

+1 403 475 1943

Copyright exida LLC 2000-2012

Safety is Only as Strong as its Weakest Link

Once upon a time

Copyright exida LLC 2000-2012

Many years later

Traction Control System

Adaptive Cruise Contro

Some Fatality Numbers

Many years later

Traction Control System

Adaptive Cruise Contro

Automatic Collision Notification

Copyright exida LLC 2000-2012

Why Functional Safety Standards?

Copyright exida LLC 2000-2012

Why Functional Safety?

ELECTRONICS CAN FAIL !!!

Copyright exida LLC 2000-2012

Which Standard to Follow?

Copyright exida LLC 2000-2012

ISO 26262 Adaptation of IEC 61508

Basic Standard for Functional Safety

Generic High Level Standard

ISO 26262 Adaptation of IEC 61508

How E/E Systems Fail?

Random Failures: Usually a

Systematic Failures: Usually

ISO 26262 Principles

Copyright exida LLC 2000-2012

ISO 26262 Principles

Copyright exida LLC 2000-2012

Management of Functional Safety

Initiation of Safety Life

Hazard Analysis and

ISO 26262 follows a Safety LifeCycle

Release for SOP

7.5 and Decommissioning

ISO 26262 Structure

Copyright exida LLC 2000-2012

ISO 26262 Structure

Copyright exida LLC 2000-2012

Copyright exida LLC 2000-2012

ISO 26262 Structure

Copyright exida LLC 2000-2012

Management of Functional Safety

Requirements for Phases Plan Coordinate - Track

Roles and Responsibilities

Copyright exida LLC 2000-2012

Functional Safety Plan

Management of Functional Safety

ISO 26262 Structure

Copyright exida LLC 2000-2012

Functional Safety Concept

Copyright exida LLC 2000-2012