Introduction to ISO 26262
CISEC – 2013 Dec 16th
JM Astruc, Continental Automotive SAS
It's a long way to ISO 26262…
Timeline of the standard's development (the slide's axis runs from 2005 to 2011 and marks Nov 15th):
• PWI (Preliminary Work Item)
• NWI (New Work Item)
• ISO/CD 26262 (Committee Draft)
• ISO/DIS 26262 (Draft International Standard)
• ISO/FDIS 26262 (Final Draft International Standard)
German – French joint initiative for PWI started in 2004

Inadequacy of the generic standard IEC 61508:
• Not for mass production
• Validation after installation
• No customer / supplier relationships
• No scheme for hazard classification
• Safety functions separate from EUC

3 / Introduction to ISO 26262 / CISEC - Dec 2013 / JM Astruc / © Continental AG

ISO 26262 all around the world…
General legal obligation
• Conformance of the product to the regulatory requirements
• Adequacy of the product to its intended use
General product safety:
• Only "safe products" on the market
• Survey of the product, once put on the market
• Reaction when the product is not or no longer safe
Applicable regulations:
• International conventions (UN-ECE regulations), when adopted by the country
• European Union directives and regulations, immediately applicable when transposed into national law
• National regulations and laws (incl. contract law), mandatory in the country of commercialization
• Mandatory standards, optional standards, state of the art (the professional frame of reference)
• Contractual specs (contractual specifications, customer's process, …)
Legal status of ISO 26262
The functional safety standard ISO 26262 provides technical clauses that are:
• considered to be correct by the technical community
• suitable for practical applications
• generally accessible and regularly applied
This standard is not legally binding. Applying it is voluntary as a matter of principle, but doing so makes it easier to demonstrate compliance with generally acknowledged rules of technology whenever needed.
Compliance induces the presumption that a product is not defective and/or that the manufacturer has observed the necessary duty of care.
EC directives

Environment
01. Sound Levels EC 1999/101
02. Emissions EC 2003/76
11. Diesel Smoke EC 2005/21
39. Fuel Consumption EC 2004/3
40. Engine Power EC 1999/99
41. Diesel Emissions 2006/81/EC

Other Directives
27. Towing Hooks EC 96/64
10. Radio Interference Suppression EC 2006/28
04. Rear Registration Plate EC 70/222
18. Statutory Plates EC 78/507
36. Heating systems 2004/78
44. Masses and Dimensions EC 95/48
50. Mechanical Couplings EC 94/20

Active Safety
05. Steering Equipment EC 1999/7
07. Audible Warning EC 70/388
35. Wash / Wipe EC 94/68
13. Antitheft EC 95/56
32. Forward Vision EC 90/630
17. Speedometer and Reverse Gear EC 97/39
08. Rear Visibility EC 2005/27
46. Tyres EC 2005/11
34. Defrost / Demist EC 78/317
09. Braking EC 2002/78
20. Lighting Installation EC 97/28
33. Identification of Controls EC 94/53
37. Wheel Guards EC 94/78

Passive Safety
19. Safety Belt EC 2005/41
16. Exterior Projections EC 79/488
15. Seat Strength EC 2005/39
14. Protective Steering EC 91/662
03. Fuel Tank EC 2006/20
12. Interior Fittings EC 2000/4
31. Safety Belts EC 2005/40
06. Door Latches and hinges EC 2001/31
38. Head restraints EC 78/932
45. Safety glazing EC 2001/92
53. Frontal impact EC 1999/98
54. Side impact EC 96/27

Lighting Equipment
21. Reflex Reflectors EC 97/29
22. Side, Rear and Stop lamps EC 97/30
23. Direction indicator lamps EC 1999/15
24. Rear registration plate lamp EC 97/31
25. Headlamps (including bulbs) EC 1999/17
26. Front fog lamps EC 1999/18
28. Rear fog lamps EC 1999/14
29. Reversing Lamps EC 97/32
30. Parking Lamps EC 1999/16

ISO 26262 confirmation measures
What is functional safety for road vehicles?
Functional safety for road vehicles is the part of safety which relates to hazards caused by malfunctioning behavior of E/E-based systems embedded in road vehicles.

Avoid & control hazardous failures of in-vehicle E/E-based systems (including those related to foreseeable operational misuse)
= Avoid systematic faults (inadequate design, gaps in requirements, wrong implementation, missing testing)
+ Control of systematic faults during operation
+ Control of random hardware failures during operation (including failures of components of other technologies that are not in the scope of ISO 26262)
Attributes of faults and failures
Fault: abnormal condition that can cause an element or system to fail (it is a state)
Failure: termination of the ability of an element or a system to perform a function as required (it is an event)

Systematic failure: failure of an element or system that is caused in a deterministic way during development, manufacturing or maintenance
Random hardware failure: failure that occurs unpredictably during the lifetime of a hardware element and that follows a probability distribution

Example of an accident scenario
Overview of ASIL classification method
A hazardous event is classified along three parameters, E, C and S:
EXPOSURE (E): likelihood of exposure of the vehicle to the operational situation
CONTROLLABILITY (C): ability to avoid a specified harm through timely reaction of the person(s) at risk
SEVERITY (S): estimation of the extent of harm to the person(s) at risk

Risk estimation and ASIL classification
The classification of a hazardous event yields an ASIL together with a safety goal.

Initial operational situation where the system failure occurs
Classes of probability of exposure:
E0  Incredible
E1  Very low probability
E2  Low probability
E3  Medium probability
E4  High probability

Ability of traffic participants to avoid an accident
Classes of controllability:
C0  Controllable in general
C1  Simply controllable
C2  Normally controllable
C3  Difficult to control or uncontrollable

Potential harm to traffic participants if the accident occurs
Classes of severity:
S0  No injuries
S1  Light and moderate injuries
S2  Severe and life-threatening injuries (survival probable)
S3  Life-threatening injuries (survival uncertain), fatal injuries

ASIL determination (rows: severity class; column groups: controllability class; columns within a group: exposure class; A, B, C, D stand for ASIL A, B, C, D):

          C1              C2              C3
      E1  E2  E3  E4  E1  E2  E3  E4  E1  E2  E3  E4
S1    QM  QM  QM  QM  QM  QM  QM  A   QM  QM  A   B
S2    QM  QM  QM  A   QM  QM  A   B   QM  A   B   C
S3    QM  QM  A   B   QM  A   B   C   A   B   C   D
ASIL as risk reduction measures

ASILs are used for specifying risk reduction measures to address:
• systematic failures of system, hardware, and software, with measures and techniques for fault avoidance and fault tolerance
• random failures of hardware, with quantitative targets for safety critical failures and diagnostic coverage of the architecture
Functional safety concept
Safety goal: a top level safety requirement resulting from the hazard analysis and risk assessment
Functional safety requirement: specification of implementation-independent safety behavior, or implementation-independent safety measure, including its safety-related attributes:
• operating modes
• fault tolerant time interval
• degradation, safe states, warning
• emergency operation time interval
• functional redundancies

Functional safety concept: specification of the functional safety requirements, with associated information, their allocation to preliminary architectural elements and their interactions necessary to achieve the safety goals
Technical Safety Concept

Technical safety requirement: requirement derived from the associated functional safety requirements to provide their technical implementation – the safety mechanisms are specified by technical safety requirements
Safety mechanism: measure implemented by an E/E function or element, or in other technologies, to detect or control failures in order to achieve a safe state of the item, or maintain a safe state of the item, or both
• measures to detect, indicate and control faults in the system itself
• measures to detect, indicate and control faults in external devices interacting with the system
• measures that enable the system to achieve or maintain a safe state
• measures to detail and implement the warning and degradation concept
• measures which prevent faults from being latent
Technical safety concept: specification of the technical safety requirements to be implemented, with associated information, and their allocation to hardware and software
Default rules for ASIL assignment
Inheritance: each safety requirement inherits the ASIL of the safety requirement it is derived from, starting from the ASIL of the safety goal
ASIL allocation drives development: when a safety requirement is allocated to an architectural element, this element and its sub-elements are developed in compliance with the ASIL assigned to the safety requirement
Highest ASIL predominance: when safety requirements with different ASILs are allocated to the same architectural element, this element is developed in compliance with the highest ASIL, unless the criteria for coexistence are met
Safety relevance by default: any architectural element is safety related unless
• this element is independent from the safety related elements of the item, or
• the criteria for coexistence are met
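As an added example (not code from the slides), the S/E/C classification table of the preceding slides and the default ASIL assignment rules of this one, modelled in Python: the dataclasses, the `demo` scenario, and the observation that the printed table equals "S + E + C minus 6 steps above QM" are this example's own, and the closed form is cross-checked against the table as printed.

```python
"""ASIL determination and default ASIL assignment (added example, not from the slides)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ASIL_ORDER = ["QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D"]

# The ASIL table as printed on the slide. Rows: S1..S3; the 12 cells of a row
# run C1 (E1..E4), C2 (E1..E4), C3 (E1..E4). Key of ASIL_TABLE: (S, C, E).
_ROWS = {
    1: ["QM", "QM", "QM", "QM", "QM", "QM", "QM", "ASIL A", "QM", "QM", "ASIL A", "ASIL B"],
    2: ["QM", "QM", "QM", "ASIL A", "QM", "QM", "ASIL A", "ASIL B", "QM", "ASIL A", "ASIL B", "ASIL C"],
    3: ["QM", "QM", "ASIL A", "ASIL B", "QM", "ASIL A", "ASIL B", "ASIL C", "ASIL A", "ASIL B", "ASIL C", "ASIL D"],
}
ASIL_TABLE: Dict[Tuple[int, int, int], str] = {
    (s, i // 4 + 1, i % 4 + 1): asil
    for s, cells in _ROWS.items() for i, asil in enumerate(cells)
}


def determine_asil(s: int, e: int, c: int) -> str:
    """Classify a hazardous event from its severity, exposure and controllability classes.

    S0, E0 or C0 gives no ASIL (QM). For the other classes the printed table is
    equivalent to 'S + E + C - 6 steps above QM', clamped at QM. That closed form
    is an observation about the table, not a rule of the standard;
    formula_matches_table() checks it against every printed cell.
    """
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"class out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"
    return ASIL_ORDER[max(0, s + e + c - 6)]


def formula_matches_table() -> bool:
    return all(determine_asil(s, e, c) == asil
               for (s, c, e), asil in ASIL_TABLE.items())


def highest(asils: List[str]) -> str:
    """Highest ASIL of a list (QM when the list is empty)."""
    return max(asils, key=ASIL_ORDER.index, default="QM")


@dataclass
class SafetyRequirement:
    rid: str
    asil: str
    derived_from: Optional["SafetyRequirement"] = None

    def derive(self, rid: str) -> "SafetyRequirement":
        """Inheritance: a derived requirement carries the ASIL of its parent,
        starting from the ASIL of the safety goal."""
        return SafetyRequirement(rid, self.asil, self)


@dataclass
class Element:
    name: str
    allocated: List[SafetyRequirement] = field(default_factory=list)
    sub_elements: List["Element"] = field(default_factory=list)
    # Evidence that lower-ASIL sub-elements cannot interfere with higher-ASIL
    # ones (the criteria for coexistence); without it the highest ASIL predominates.
    coexistence_criteria_met: bool = False


def required_asil(element: Element) -> Dict[str, str]:
    """ASIL to which the element and each of its sub-elements must be developed."""
    own = [r.asil for r in element.allocated]
    subs = [r.asil for sub in element.sub_elements for r in sub.allocated]
    top = highest(own + subs)
    result = {element.name: top}
    for sub in element.sub_elements:
        sub_asil = highest([r.asil for r in sub.allocated])
        # Highest-ASIL predominance unless coexistence has been shown, so a
        # sub-element with no allocation of its own is safety related by default.
        result[sub.name] = sub_asil if element.coexistence_criteria_met else top
    return result


def demo() -> Dict[str, str]:
    """Constructed scenario: one hazardous event classified S3, E4, C2."""
    goal = SafetyRequirement("SG-1", determine_asil(s=3, e=4, c=2))  # ASIL C
    fsr = goal.derive("FSR-1")   # functional safety requirement, inherits ASIL C
    tsr = fsr.derive("TSR-1")    # technical safety requirement, inherits ASIL C
    comfort = SafetyRequirement("FSR-9", determine_asil(s=1, e=3, c=1))  # QM
    ecu = Element("ECU", sub_elements=[
        Element("SafetyMonitor", allocated=[tsr]),
        Element("ComfortFunction", allocated=[comfort]),
    ])
    return required_asil(ecu)    # no coexistence shown: everything at ASIL C
```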
One page summary about quantitative analyses on HW

Target values per ASIL (ASIL A: no target values):

ASIL     SPFM target   LFM target   PMHF target                Analysis of random HW failures
ASIL A   -             -            -                          not required nor recommended
ASIL B   90 %          60 %         10^-7 per hour (100 FIT)   recommended
ASIL C   97 %          80 %         10^-7 per hour (100 FIT)   required
ASIL D   99 %          90 %         10^-8 per hour (10 FIT)    required

Taxonomy of random HW faults (each class is a share of the failure rate of the safety-related HW components):
• S (safe faults)
• SPF (single-point faults)
• RF (residual faults)
• MPF (multiple-point faults)
  • MPF DP (MPF detected / perceived)
  • MPF L (MPF latent)

The slide's diagrams build SPFM from the SPF and RF shares, LFM from the MPF L share, and PMHF from the SPF and RF rates together with dual-point failures, each taken over the safety-related HW components.
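The metrics and targets of this slide worked through in Python, as an added example that is not from the presentation: it computes SPFM, LFM and a simplified PMHF from a constructed component list split into the taxonomy's fault classes, and checks them against the ASIL B/C/D target values above, treating SPFM and LFM as minima and PMHF as a maximum (as ISO 26262-5 defines them). The PMHF here counts only single-point and residual faults and neglects dual-point contributions; that simplification is an assumption of this example.

```python
"""Hardware architectural metrics from the random HW fault taxonomy
(added example, not from the slides). Failure rates are in FIT (1e-9 per hour)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

FIT = 1e-9  # failures per hour


@dataclass
class Component:
    """Failure rate of one safety-related HW component split into the fault
    classes of the taxonomy (FIT; in practice the split comes from an FMEDA)."""
    name: str
    spf: float      # SPF: single-point faults
    rf: float       # RF: residual faults
    mpf_dp: float   # MPF DP: multiple-point faults, detected / perceived
    mpf_l: float    # MPF L: multiple-point faults, latent
    safe: float     # S: safe faults

    @property
    def total(self) -> float:
        return self.spf + self.rf + self.mpf_dp + self.mpf_l + self.safe


# Target values from the slide's table (ASIL A has none). SPFM and LFM are
# minimum values and PMHF is a maximum value, per ISO 26262-5.
TARGETS = {
    "ASIL B": {"SPFM": 0.90, "LFM": 0.60, "PMHF": 1e-7},
    "ASIL C": {"SPFM": 0.97, "LFM": 0.80, "PMHF": 1e-7},
    "ASIL D": {"SPFM": 0.99, "LFM": 0.90, "PMHF": 1e-8},
}


def metrics(components: List[Component]) -> Dict[str, float]:
    """SPFM, LFM and a simplified PMHF over the safety-related HW components.

    SPFM = 1 - sum(SPF + RF) / sum(total)           share that is not single-point/residual
    LFM  = 1 - sum(MPF L) / sum(total - SPF - RF)  share of the remainder that is not latent
    PMHF = sum(SPF + RF) in failures per hour. Assumption: the dual-point
    failure contribution is neglected, so this PMHF is a lower bound.
    """
    total = sum(c.total for c in components)
    spf_rf = sum(c.spf + c.rf for c in components)
    mpf_l = sum(c.mpf_l for c in components)
    return {
        "SPFM": 1.0 - spf_rf / total,
        "LFM": 1.0 - mpf_l / (total - spf_rf),
        "PMHF": spf_rf * FIT,
    }


def meets(m: Dict[str, float], asil: str) -> Dict[str, bool]:
    """Per-metric verdict against the target values of one ASIL."""
    t = TARGETS[asil]
    eps = 1e-12  # tolerate float rounding exactly at a target boundary
    return {
        "SPFM": m["SPFM"] >= t["SPFM"] - eps,
        "LFM": m["LFM"] >= t["LFM"] - eps,
        "PMHF": m["PMHF"] < t["PMHF"],
    }


def highest_asil_met(m: Dict[str, float]) -> Optional[str]:
    """Highest ASIL whose three targets are all met (None if not even ASIL B)."""
    best = None
    for asil in ("ASIL B", "ASIL C", "ASIL D"):
        if not all(meets(m, asil).values()):
            break
        best = asil
    return best


# Constructed sample: three safety-related components, 1000 FIT in total.
SAMPLE = [
    Component("MCU",          spf=0, rf=10, mpf_dp=200, mpf_l=50, safe=240),
    Component("Monitor IC",   spf=5, rf=0,  mpf_dp=100, mpf_l=20, safe=75),
    Component("Output stage", spf=5, rf=0,  mpf_dp=120, mpf_l=28, safe=147),
]

if __name__ == "__main__":
    m = metrics(SAMPLE)
    print(m, "->", highest_asil_met(m))
```

With the sample, SPFM (98 %) and the simplified PMHF (20 FIT) meet ASIL C but not ASIL D, while LFM (90 %) meets ASIL D; the architecture as a whole therefore reaches ASIL C.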
Questions and discussion

Thanks for your attention!
CISEC
Introduction to critical embedded systems engineering

ISAE, Toulouse, December 16th, 2013

Comparison of safety standards across several safety critical application domains

Jean-Paul Blanquart
Astrium Satellites, Toulouse
jean-paul.blanquart@astrium.eads.net

Multi-domain expertise working group
Now with “Embedded France”
Domains and their reference standards:
• Aeronautics: ARP 4754, 4761; DO 178, 254, 330-3
• Automation, Industry: IEC 61508, 61511
• Automotive: ISO 26262
• Defence: IEC 61508
• Nuclear: IEC 61513, 60880, 62138
• Railway: EN CENELEC 50126, 8, 9, 50155, 50159-1, 50159-2
• Space: ECSS Q30, Q40, Q80
• Technology providers
Outline
• History and positioning of standards
• Regulation regimes and certification
• Technical comparison highlights
  • Integrated safety or external safety systems
  • Objectives versus Means prescription
  • Categorising severity and assurance levels
  • Fault tolerance or fault prevention
  • Probabilistic versus deterministic
• Conclusion

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

CISEC Series of lectures - Safety Standards - JP. Blanquart - Astrium Satellites
History and positioning of standards
A complex picture
• Foundations: treaties, laws
  • United Nations
    • Safe use of nuclear technology for peaceful applications, IAEA, 1957
    • Peaceful use of outer space, COPUOS, 1958
    • …
• Norms and standards
  • Accepted means of compliance to higher level regulation
  • Self imposed in absence of regulation
• Social and business needs
  • Complexity of systems, industrial organisation, interoperability …
• A particular role played by IEC 61508
  • Generic but not general
  • Often preceded by sector specific standards
History and positioning of standards
An Overview
The slide places the standards of each domain on a time axis from 80-85 to 10-15 (five-year columns). Standards per domain, in the order they appear on the slide:
• Aeronautics: DO178, DO178-B, ARP4754, ARP4761, DO254, ARP4754-A, DO178-C
• Automation: IEC 61508, IEC 61511, IEC 62061, IEC 61508 Edition 2
• Automotive: (IEC 61508), ISO 26262
• Nuclear: IAEA 50-SG-D3, IAEA 50-SG-D8, IEC 60880, IAEA NS-G-1.3, IEC 61513, IEC 62138, IEC 60880 Edition 2, IAEA DS-431
• Railway: EN 50155, IEC 61508, EN 50126, EN 50128, EN 50129, EN 50128 Edition 2
• Space: PSS, ECSS, ECSS “C Issues”
Regulation regimes and certification
Assessment and Certification

Assessment
Set of activities granting a confidence level to an entity (person, organisation or artefact).
Context dependent validity: item, actors, usage, timeline.

Certification
An assessment body substantiates to an Authority that the engineering process of a manufacturer ensures regulatory safety objectives through conformance to safety standards.
Regulation regimes and certification
A variety of regimes
The slide's table has the columns domain, applicant, regulation, authority and assessment body:
• Aeronautics: applicant Manufacturer; regulation: Yes; authority: EASA-FAA; assessment body: EASA-FAA
• Automation, product: applicant Manufacturer; regulation: Machinery directive; authority: Labour Inspection; assessment body: Self-certification
• Automation, process: applicant Operator; regulation: No; authority: DREAL; assessment body: No
• Automotive: applicant Manufacturer; regulation: No; authority: No; assessment body: No
• Nuclear: applicant Operator; regulation: Yes; authority: Governments, ASN (France); assessment body: IAEA, ASN, IRSN (France)
• Railway: applicant Manufacturer; regulation: Yes; authority: ERA, EPSF/STRMTG; assessment body: CERTIFER …
• Space: applicant Manufacturer; regulation: Yes; authority / assessment: Governments, NASA/FAA//USAF, CNES
Regulation regimes and certification
Simplified view
(Diagram: Certification and Assessment.)
Technical comparison highlights
Integrated safety or external safety systems

Design drivers: existence of fail-safe states + cost + validation

Industry, Automation, Railway, Nuclear, Space: external safety
• Design of a dedicated safety system, distinct from the "process" system
• Monitors and controls the "process" in safety critical situations

Aeronautics, Automotive: integrated safety
• Systems monitor and control themselves internally

Automotive and Space: hybrid approach

Integrated safety or external safety systems
A simplified view
(Diagram: External Safety versus Integrated Safety.)
Technical comparison highlights
Objectives versus Means prescription

                                       PROs                                       CONs
OBJECTIVES prescriptive (ex: DO 178)   Open; applicable to many contexts          Needs to be interpreted
MEANS prescriptive (ex: IEC 61508)     Easy conformance check; easy to apply      Closed; needs to be updated to
                                       when in the context considered by          introduce new methods and tools
                                       the standard's authors

Prescription of means
Example: IEC 61508
(Slide shows an example taken from IEC 61508.)

Prescription of objectives
Example: DO 178C
(Slide shows an example taken from DO 178C.)

Objectives versus Means prescription
A simplified view
(Diagram: Means versus Objectives.)
Technical comparison highlights
Categorising severity and assurance levels

RISK ANALYSIS (potential failures): frequency, exposure, failure, severity, control
• Consequences of potential failures, i.e. SEVERITY: Catastrophic, Critical, Major, Minor
• Occurrence, i.e. LIKELIHOOD: Ext. remote, Remote, Probable, Frequent
The “safety category” is related to the severity category of the most severe consequences of potential failures…

From the “Safety Category” follows the needed trust (“trustability”) in the system, its functions and elements …, expressed as an INTEGRITY level (Development Assurance Level A, B, C, D) that sets the MEANS with which to develop
… so as to meet the required level of safety and dependability thanks to development and validation means appropriate with respect to the identified safety category
Technical comparison highlights
Categorising severity and assurance levels – Notion of HAZARD

ASIL: characterizes a Hazard
Chain shown on the slide: Use Case, Vehicle / System, Hazard, Hazardous event, Accident, Harm to the person interacting with the vehicle
Hazard: system failure mode or unintended behaviour that may lead to harm
Technical comparison highlights
Categorising severity and assurance levels – Automotive (ISO 26262)
Risk diagram: frequency of exposure to the driving situation where an accident can potentially happen (Always, Sometimes, Rarely, Very rarely, Extremely improbable) against severity of the possible accident (Minor, Major, Hazardous, Catastrophic). Regions: not acceptable; acceptable; lower than tolerable risk; residual risk. Risk reduction external to the technical system: the driver controls the situation. Safety category (ASIL): “trustability” of the system.

Technical comparison highlights
Categorising severity and assurance levels – IEC 61508
Risk diagram: frequency of failure of the EUC and control system (Always, Sometimes, Rarely, Very rarely, Extremely improbable) against severity of the possible accident (Minor, Major, Hazardous, Catastrophic). Regions: not acceptable; acceptable; lower than tolerable risk; residual risk. Risk reduction by the protection system. Safety category (SIL).

Technical comparison highlights
Categorising severity and assurance levels - Aerospace
Risk diagram: frequency (Always, Sometimes, Rarely, Very rarely, Extremely improbable) against severity of the possible accident (Minor, Major, Hazardous, Catastrophic). Regions: not acceptable; acceptable; lower than tolerable risk; residual risk. Safety category: “trustability” of the system.
Categorising severity and assurance levels
Common principles

Principles common to all covered domains
• The category defines the applicable requirements so as to cover:
  • “Random” faults (hardware): probability objectives, minimum number of faults, …
  • “Systematic” faults (development): no quantitative probability target; confidence level through development and validation requirements
• Confirmed by decades of experience, e.g. in aeronautics or nuclear
• Need to enforce a strong isolation against fault propagation from “low level” to “high level” elements

Categorising severity and assurance levels
Some differences
• Definition and categories of consequences, severity
  • Generic and general (space, automotive)
  • Domain dependent (aeronautics)
• Incorporation of exposure probability (automotive)
• Incorporation of “controllability” (automotive)
  • Similar to aeronautics domain dependent consequences severity
• “Syntactic” variations (number of levels, names, ordering …)
• “Arithmetic of levels”, combining low levels into a higher level
  • Accepted in aeronautics, automotive, not in nuclear, space
• Requirements for each level
Technical comparison highlights
Fault tolerance or fault prevention

Fault tolerance
• Principally hardware faults
• Domain and application dependent
  • Continuity of service versus safety, mission needs
  • External versus internal safety system

Software, development faults
• Focus on fault prevention
  • Process, product
• Residual faults: detection and degraded mode preserving safety
  • System level, functional diversification, independence
Technical comparison highlights
Probabilistic versus deterministic

A combination of probabilistic and deterministic approaches

Probabilistic approach
• Top level risk assessment
• Hardware faults and their impact on feared events (architecture based analysis of propagation)

Deterministic approach
• Behaviour, correctness (functional, fault management)
• In particular software
  • It does not mean that software is expected to be fault free
  • Cf. severity/integrity levels, and fault prevention versus tolerance
Conclusion

Common view of the fundamental principles
• Risk assessment, integrity levels
• Combination of deterministic and probabilistic approaches, of fault prevention and fault tolerance
• Focus on fault propagation, independence, single points of failure, common causes
• …
Slight but numerous variations
• On each topic a simple grouping exists, but it varies from one topic to another
• Not all variations can be clearly justified by the specific characteristics of each domain
• Strong impact on efficiency, cost (tools, products, processes …)
Questions and discussion

Thanks for your attention!

CISEC Series of lectures - Safety Standards - JP. Blanquart (Astrium Satellites) and JM. Astruc (Continental Automotive)

ISO26262-6 Software development process (Ver 3.0)
 
ISO 26262 Approval of Automotive Software Components
ISO 26262 Approval of Automotive Software ComponentsISO 26262 Approval of Automotive Software Components
ISO 26262 Approval of Automotive Software Components
 
Introduction to ASPICE
Introduction to ASPICEIntroduction to ASPICE
Introduction to ASPICE
 
UDS: Vehicle Diagnostics in AUTOSAR Software Architecture
UDS: Vehicle Diagnostics in AUTOSAR Software Architecture UDS: Vehicle Diagnostics in AUTOSAR Software Architecture
UDS: Vehicle Diagnostics in AUTOSAR Software Architecture
 
HARA ISO 26262: What is HARA and Why is it Required?
HARA ISO 26262: What is HARA and Why is it Required?HARA ISO 26262: What is HARA and Why is it Required?
HARA ISO 26262: What is HARA and Why is it Required?
 
Diagnostic in Adaptive AUTOSAR
Diagnostic in Adaptive AUTOSARDiagnostic in Adaptive AUTOSAR
Diagnostic in Adaptive AUTOSAR
 
Functional integrity certification exida
Functional integrity certification   exidaFunctional integrity certification   exida
Functional integrity certification exida
 
ISO-26262-Webinar.pptx
ISO-26262-Webinar.pptxISO-26262-Webinar.pptx
ISO-26262-Webinar.pptx
 
Flash Bootloader Development for ECU programming
Flash Bootloader Development for ECU programmingFlash Bootloader Development for ECU programming
Flash Bootloader Development for ECU programming
 
Automotive SPICE Level 3 and Beyond with codeBeamer ALM
Automotive SPICE Level 3 and Beyond with codeBeamer ALMAutomotive SPICE Level 3 and Beyond with codeBeamer ALM
Automotive SPICE Level 3 and Beyond with codeBeamer ALM
 
An integrative solution towards SOTIF and AV safety
An integrative solution towards SOTIF and AV safetyAn integrative solution towards SOTIF and AV safety
An integrative solution towards SOTIF and AV safety
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR Architecture
 
Automotive Functional Safety ISO 26262 Training Bootcamp : Tonex Training
Automotive Functional Safety ISO 26262 Training Bootcamp : Tonex TrainingAutomotive Functional Safety ISO 26262 Training Bootcamp : Tonex Training
Automotive Functional Safety ISO 26262 Training Bootcamp : Tonex Training
 
How to Apply Functional Safety to Autosar ECU's
How to Apply Functional Safety to Autosar ECU'sHow to Apply Functional Safety to Autosar ECU's
How to Apply Functional Safety to Autosar ECU's
 
Automotive Diagnostics Communication Protocols AnalysisKWP2000, CAN, and UDS
Automotive Diagnostics Communication Protocols AnalysisKWP2000, CAN, and UDSAutomotive Diagnostics Communication Protocols AnalysisKWP2000, CAN, and UDS
Automotive Diagnostics Communication Protocols AnalysisKWP2000, CAN, and UDS
 
ASIL
ASILASIL
ASIL
 

Viewers also liked

Impact of IEC 61508 Standards on Intelligent Electrial Networks and Safety Im...
Impact of IEC 61508 Standards on Intelligent Electrial Networks and Safety Im...Impact of IEC 61508 Standards on Intelligent Electrial Networks and Safety Im...
Impact of IEC 61508 Standards on Intelligent Electrial Networks and Safety Im...Schneider Electric
 
DMAP\'s Brochure
DMAP\'s BrochureDMAP\'s Brochure
DMAP\'s BrochureDMAP
 
Overview of DO-254: Design Assurance Guidance For Airborne Electronic Hardware
Overview of DO-254: Design Assurance Guidance For Airborne Electronic HardwareOverview of DO-254: Design Assurance Guidance For Airborne Electronic Hardware
Overview of DO-254: Design Assurance Guidance For Airborne Electronic HardwareOak Systems
 
Introduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL CertificationIntroduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL CertificationISA Boston Section
 
DO254 DMAP Training 2011 Trailer
DO254 DMAP Training 2011 TrailerDO254 DMAP Training 2011 Trailer
DO254 DMAP Training 2011 TrailerDMAP
 
Internship Experience Li
Internship Experience LiInternship Experience Li
Internship Experience Lipritampatil
 
Using SysML in a RTC-based Robotics Application : a case study with a demo
Using SysML in a RTC-based Robotics Application : a case study with a demoUsing SysML in a RTC-based Robotics Application : a case study with a demo
Using SysML in a RTC-based Robotics Application : a case study with a demoKenji Hiranabe
 
IP PCIe
IP PCIeIP PCIe
IP PCIeSILKAN
 
2014 01 continental_automotive_student_presentation
2014 01 continental_automotive_student_presentation2014 01 continental_automotive_student_presentation
2014 01 continental_automotive_student_presentationGeorge Șuveți
 
Agile + ISO 26262: Using Agile in Automotive Development
Agile + ISO 26262: Using Agile in Automotive DevelopmentAgile + ISO 26262: Using Agile in Automotive Development
Agile + ISO 26262: Using Agile in Automotive DevelopmentIntland Software GmbH
 

Viewers also liked (14)

Impact of IEC 61508 Standards on Intelligent Electrial Networks and Safety Im...
Impact of IEC 61508 Standards on Intelligent Electrial Networks and Safety Im...Impact of IEC 61508 Standards on Intelligent Electrial Networks and Safety Im...
Impact of IEC 61508 Standards on Intelligent Electrial Networks and Safety Im...
 
Iec61508 guide
Iec61508 guideIec61508 guide
Iec61508 guide
 
DMAP\'s Brochure
DMAP\'s BrochureDMAP\'s Brochure
DMAP\'s Brochure
 
Overview of DO-254: Design Assurance Guidance For Airborne Electronic Hardware
Overview of DO-254: Design Assurance Guidance For Airborne Electronic HardwareOverview of DO-254: Design Assurance Guidance For Airborne Electronic Hardware
Overview of DO-254: Design Assurance Guidance For Airborne Electronic Hardware
 
Introduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL CertificationIntroduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL Certification
 
DO254 DMAP Training 2011 Trailer
DO254 DMAP Training 2011 TrailerDO254 DMAP Training 2011 Trailer
DO254 DMAP Training 2011 Trailer
 
10 Reasons to Use Functional Safety Solution Kits
10 Reasons to Use Functional Safety Solution Kits10 Reasons to Use Functional Safety Solution Kits
10 Reasons to Use Functional Safety Solution Kits
 
Internship Experience Li
Internship Experience LiInternship Experience Li
Internship Experience Li
 
Using SysML in a RTC-based Robotics Application : a case study with a demo
Using SysML in a RTC-based Robotics Application : a case study with a demoUsing SysML in a RTC-based Robotics Application : a case study with a demo
Using SysML in a RTC-based Robotics Application : a case study with a demo
 
Prezentare Continental Automotive Systems - dna. Lacramioara Daraban
Prezentare Continental Automotive Systems - dna. Lacramioara DarabanPrezentare Continental Automotive Systems - dna. Lacramioara Daraban
Prezentare Continental Automotive Systems - dna. Lacramioara Daraban
 
IP PCIe
IP PCIeIP PCIe
IP PCIe
 
IEC 61508
IEC 61508IEC 61508
IEC 61508
 
2014 01 continental_automotive_student_presentation
2014 01 continental_automotive_student_presentation2014 01 continental_automotive_student_presentation
2014 01 continental_automotive_student_presentation
 
Agile + ISO 26262: Using Agile in Automotive Development
Agile + ISO 26262: Using Agile in Automotive DevelopmentAgile + ISO 26262: Using Agile in Automotive Development
Agile + ISO 26262: Using Agile in Automotive Development
 

Similar to 20131216 cisec-standards-jp blanquart-jmastruc

W09 safety risk-assessments-pls-and-sils
W09 safety risk-assessments-pls-and-silsW09 safety risk-assessments-pls-and-sils
W09 safety risk-assessments-pls-and-silsVo Quoc Hieu
 
Tuev sued-drives-and-controls-2014-presentation
Tuev sued-drives-and-controls-2014-presentationTuev sued-drives-and-controls-2014-presentation
Tuev sued-drives-and-controls-2014-presentationVo Quoc Hieu
 
Machine safety-guide
Machine safety-guideMachine safety-guide
Machine safety-guideVo Quoc Hieu
 
Safety of machinery - Application of standard EN ISO 13849-1
Safety of machinery - Application of standard EN ISO 13849-1Safety of machinery - Application of standard EN ISO 13849-1
Safety of machinery - Application of standard EN ISO 13849-1dnunez1984
 
Safety of machinery
Safety of machinerySafety of machinery
Safety of machineryVo Quoc Hieu
 
Requirements of ISO 26262
Requirements of ISO 26262Requirements of ISO 26262
Requirements of ISO 26262Torben Haagh
 
S.steele functional safety ppt
S.steele functional safety pptS.steele functional safety ppt
S.steele functional safety pptSimon Steele
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryAshley Zupkus
 
Machine Safety System Standard
Machine Safety System StandardMachine Safety System Standard
Machine Safety System StandardEF Society
 
Complying with New Functional Safety Standards
Complying with New Functional Safety StandardsComplying with New Functional Safety Standards
Complying with New Functional Safety StandardsDesign World
 
20140121 cisec-safety criticalsoftwaredevelopment
20140121 cisec-safety criticalsoftwaredevelopment20140121 cisec-safety criticalsoftwaredevelopment
20140121 cisec-safety criticalsoftwaredevelopmentCISEC
 
IEC 62061 introduction
IEC 62061 introductionIEC 62061 introduction
IEC 62061 introductionKoenLeekens
 
10 The Automotive Safety Confusion, Fredrik Törner.pdf
10 The Automotive Safety Confusion, Fredrik Törner.pdf10 The Automotive Safety Confusion, Fredrik Törner.pdf
10 The Automotive Safety Confusion, Fredrik Törner.pdfMilin patel
 
Functional-Safety-Overview-UL.ppt
Functional-Safety-Overview-UL.pptFunctional-Safety-Overview-UL.ppt
Functional-Safety-Overview-UL.pptssuserba01d94
 

Similar to 20131216 cisec-standards-jp blanquart-jmastruc (20)

W09 safety risk-assessments-pls-and-sils
W09 safety risk-assessments-pls-and-silsW09 safety risk-assessments-pls-and-sils
W09 safety risk-assessments-pls-and-sils
 
Functional safety standards_for_machinery
Functional safety standards_for_machineryFunctional safety standards_for_machinery
Functional safety standards_for_machinery
 
Tuev sued-drives-and-controls-2014-presentation
Tuev sued-drives-and-controls-2014-presentationTuev sued-drives-and-controls-2014-presentation
Tuev sued-drives-and-controls-2014-presentation
 
Tuev sued-drives-and-controls-2014-presentation
Tuev sued-drives-and-controls-2014-presentationTuev sued-drives-and-controls-2014-presentation
Tuev sued-drives-and-controls-2014-presentation
 
Machine safety-guide
Machine safety-guideMachine safety-guide
Machine safety-guide
 
Safety of machinery - Application of standard EN ISO 13849-1
Safety of machinery - Application of standard EN ISO 13849-1Safety of machinery - Application of standard EN ISO 13849-1
Safety of machinery - Application of standard EN ISO 13849-1
 
Safety of machinery
Safety of machinerySafety of machinery
Safety of machinery
 
Requirements of ISO 26262
Requirements of ISO 26262Requirements of ISO 26262
Requirements of ISO 26262
 
S.steele functional safety ppt
S.steele functional safety pptS.steele functional safety ppt
S.steele functional safety ppt
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industry
 
Machine Safety System Standard
Machine Safety System StandardMachine Safety System Standard
Machine Safety System Standard
 
Complying with New Functional Safety Standards
Complying with New Functional Safety StandardsComplying with New Functional Safety Standards
Complying with New Functional Safety Standards
 
Abb technical guide no.10 revd
Abb technical guide no.10 revdAbb technical guide no.10 revd
Abb technical guide no.10 revd
 
20140121 cisec-safety criticalsoftwaredevelopment
20140121 cisec-safety criticalsoftwaredevelopment20140121 cisec-safety criticalsoftwaredevelopment
20140121 cisec-safety criticalsoftwaredevelopment
 
Manual tvoc 2
Manual tvoc 2Manual tvoc 2
Manual tvoc 2
 
IEC 62061 introduction
IEC 62061 introductionIEC 62061 introduction
IEC 62061 introduction
 
10 The Automotive Safety Confusion, Fredrik Törner.pdf
10 The Automotive Safety Confusion, Fredrik Törner.pdf10 The Automotive Safety Confusion, Fredrik Törner.pdf
10 The Automotive Safety Confusion, Fredrik Törner.pdf
 
Machine guarding
Machine guardingMachine guarding
Machine guarding
 
Mynd company presentation
Mynd   company presentationMynd   company presentation
Mynd company presentation
 
Functional-Safety-Overview-UL.ppt
Functional-Safety-Overview-UL.pptFunctional-Safety-Overview-UL.ppt
Functional-Safety-Overview-UL.ppt
 

More from CISEC

20150317 cisec-automotive systems-h-foligne
20150317 cisec-automotive systems-h-foligne20150317 cisec-automotive systems-h-foligne
20150317 cisec-automotive systems-h-foligneCISEC
 
20150127 cisec-aeoro spacesystems-jp-blanquart-ptraverse
20150127 cisec-aeoro spacesystems-jp-blanquart-ptraverse20150127 cisec-aeoro spacesystems-jp-blanquart-ptraverse
20150127 cisec-aeoro spacesystems-jp-blanquart-ptraverseCISEC
 
20150122 cisec mbsa-lismma
20150122 cisec mbsa-lismma20150122 cisec mbsa-lismma
20150122 cisec mbsa-lismmaCISEC
 
20140610 cisec-antescofo
20140610 cisec-antescofo20140610 cisec-antescofo
20140610 cisec-antescofoCISEC
 
20140425 cisec-human factor-f-reuzeau
20140425 cisec-human factor-f-reuzeau20140425 cisec-human factor-f-reuzeau
20140425 cisec-human factor-f-reuzeauCISEC
 
20140318 cisec-critical-hmi
20140318 cisec-critical-hmi20140318 cisec-critical-hmi
20140318 cisec-critical-hmiCISEC
 
20140311 cisec-automotive systems
20140311 cisec-automotive systems20140311 cisec-automotive systems
20140311 cisec-automotive systemsCISEC
 
20140218 cisec-emc-in-aeronautics
20140218 cisec-emc-in-aeronautics20140218 cisec-emc-in-aeronautics
20140218 cisec-emc-in-aeronauticsCISEC
 
20140211 critical-electronics-for-aircraft
20140211 critical-electronics-for-aircraft20140211 critical-electronics-for-aircraft
20140211 critical-electronics-for-aircraftCISEC
 
20140128 cisec-continental-automotive-electronics-development-and-assurance
20140128 cisec-continental-automotive-electronics-development-and-assurance20140128 cisec-continental-automotive-electronics-development-and-assurance
20140128 cisec-continental-automotive-electronics-development-and-assuranceCISEC
 

More from CISEC (10)

20150317 cisec-automotive systems-h-foligne
20150317 cisec-automotive systems-h-foligne20150317 cisec-automotive systems-h-foligne
20150317 cisec-automotive systems-h-foligne
 
20150127 cisec-aeoro spacesystems-jp-blanquart-ptraverse
20150127 cisec-aeoro spacesystems-jp-blanquart-ptraverse20150127 cisec-aeoro spacesystems-jp-blanquart-ptraverse
20150127 cisec-aeoro spacesystems-jp-blanquart-ptraverse
 
20150122 cisec mbsa-lismma
20150122 cisec mbsa-lismma20150122 cisec mbsa-lismma
20150122 cisec mbsa-lismma
 
20140610 cisec-antescofo
20140610 cisec-antescofo20140610 cisec-antescofo
20140610 cisec-antescofo
 
20140425 cisec-human factor-f-reuzeau
20140425 cisec-human factor-f-reuzeau20140425 cisec-human factor-f-reuzeau
20140425 cisec-human factor-f-reuzeau
 
20140318 cisec-critical-hmi
20140318 cisec-critical-hmi20140318 cisec-critical-hmi
20140318 cisec-critical-hmi
 
20140311 cisec-automotive systems
20140311 cisec-automotive systems20140311 cisec-automotive systems
20140311 cisec-automotive systems
 
20140218 cisec-emc-in-aeronautics
20140218 cisec-emc-in-aeronautics20140218 cisec-emc-in-aeronautics
20140218 cisec-emc-in-aeronautics
 
20140211 critical-electronics-for-aircraft
20140211 critical-electronics-for-aircraft20140211 critical-electronics-for-aircraft
20140211 critical-electronics-for-aircraft
 
20140128 cisec-continental-automotive-electronics-development-and-assurance
20140128 cisec-continental-automotive-electronics-development-and-assurance20140128 cisec-continental-automotive-electronics-development-and-assurance
20140128 cisec-continental-automotive-electronics-development-and-assurance
 

Recently uploaded

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfROWELL MARQUINA
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 

Recently uploaded (20)

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 

20131216 cisec-standards-jp blanquart-jmastruc

  • 1. Introduction to ISO 26262 CISEC – 2013 Dec 16th JM Astruc, Continental Automotive SAS
  • 2. It‘s a long way to ISO 26262…
    Timeline 2005 – 2011 (Nov 15th 2010 marked): PWI (Preliminary Work Item), NWI (New Work Item), ISO/CD 26262 (Committee Draft), ISO/DIS 26262 (Draft International Standard), ISO/FDIS 26262 (Final Draft International Standard)
    Inadequacy of the generic standard IEC 61508:
      • Not for mass production
      • Validation after installation
      • No customer / supplier relationships
      • No scheme for hazard classification
      • Safety functions separate from EUC
    German – French joint initiative for PWI started in 2004
    3 / Introduction to ISO 26262 / CISEC - Dec 2013 / JM Astruc / © Continental AG
  • 3. ISO 26262 all around the world…
  • 4. General legal obligation
    Conformance of the product to the regulatory requirements
    Adequacy of the product to its intended use
    General product safety:
      • Only "safe products" on the market
      • Survey of the product, once put on the market
      • Reaction when the product is not or no longer safe
    Applicable regulations:
      • International conventions, UN ECE, when adopted by the country
      • European Union directives and regulations, immediately applicable when transposed into national law
      • National regulations and laws (incl. contract law), mandatory in the country of commercialization
      • Mandatory standards, optional standards, state of the art
      • Contractual specs
    Hierarchy (figure): UN-ECE Regulations; Directives, Regulations; Laws, Regulations; Professional frame of reference; Contractual specifications, customer’s process,…
  • 5. Legal status of ISO 26262
    Functional Safety Standard ISO 26262 provides technical clauses that are:
      • considered to be correct by the technical community
      • suitable for practical applications
      • generally accessible and regularly applied
    This standard is not legally binding. Applying it is voluntary as a matter of principle, but doing so does make it easier to demonstrate compliance with generally acknowledged rules of technology whenever needed.
    Compliance induces the presumption that a product is not defective and / or that the manufacturer has observed the necessary duty of care.
  • 6. EC directives
    Environment: 01. Sound Levels EC 1999/101; 02. Emissions EC 2003/76; 11. Diesel Smoke EC 2005/21; 39. Fuel Consumption EC 2004/3; 40. Engine Power EC 1999/99; 41. Diesel Emissions 2006/81/EC
    Other Directives: 27. Towing Hooks EC 96/64; 10. Radio Interference Suppression EC 2006/28; 04. Rear Registration Plate EC 70/222; 18. Statutory Plates EC 78/507; 36. Heating systems 2004/78; 44. Masses and Dimensions EC 95/48; 50. Mechanical Couplings EC 94/20
    Active Safety: 05. Steering Equipment EC 1999/7; 07. Audible Warning EC 70/388; 35. Wash / Wipe EC 94/68; 13. Antitheft EC 95/56; 32. Forward Vision EC 90/630; 17. Speedometer and Reverse Gear EC 97/39; 08. Rear Visibility EC 2005/27; 46. Tyres EC 2005/11; 34. Defrost / Demist EC 78/317; 09. Braking EC 2002/78; 20. Lighting Installation EC 97/28; 33. Identification of Controls EC 94/53; 37. Wheel Guards EC 94/78
    Passive Safety: 19. Safety Belt EC 2005/41; 16. Exterior Projections EC 79/488; 15. Seat Strength EC 2005/39; 14. Protective Steering EC 91/662; 03. Fuel Tank EC 2006/20; 12. Interior Fittings EC 2000/4; 31. Safety Belts EC 2005/40; 06. Door Latches and hinges EC 2001/31; 38. Head restraints EC 78/932; 45. Safety glazing EC 2001/92; 53. Frontal impact EC 1999/98; 54. Side impact EC 96/27
    Lighting Equipment: 21. Reflex Reflectors EC 97/29; 22. Side, Rear and Stop lamps EC 97/30; 23. Direction indicator lamps EC 1999/15; 24. Rear registration plate lamp EC 97/31; 25. Headlamps (including bulbs) EC 1999/17; 26. Front fog lamps EC 1999/18; 28. Rear fog lamps EC 1999/14; 29. Reversing Lamps EC 97/32; 30. Parking Lamps EC 1999/16
  • 7. ISO 26262 confirmation measures (figure)
  • 8. What is functional safety for road vehicles?
    Functional safety for road vehicles is the part of safety which relates to hazards caused by malfunctioning behavior of E/E-based systems embedded in road vehicles.
    Avoid and control hazardous failures of in-vehicle E/E-based systems (including those related to foreseeable operational misuse)
    = Avoidance of systematic faults (inadequate design, gaps in requirements, wrong implementation, missing testing)
    + Control of systematic faults during operation
    + Control of random hardware failures during operation (including failures of other-technology components that are not in the scope of ISO 26262)
  • 9. Attributes of faults and failures
    • Fault: abnormal condition that can cause an element or system to fail (it is a state)
    • Failure: termination of the ability of an element or a system to perform a function as required (it is an event)
    • Systematic failure: failure of an element or system that is caused in a deterministic way during development, manufacturing or maintenance
    • Random hardware failure: failure that occurs unpredictably during the lifetime of a hardware element and that follows a probability distribution
  • 10. Example of an accident scenario (figure)
  • 11. Overview of ASIL classification method
    Hazardous event → E, C, S → ASIL + Safety goal
    • EXPOSURE (E): likelihood of exposure of the vehicle to the operational situation
    • CONTROLLABILITY (C): ability to avoid a specified harm through timely reaction of the person(s) at risk
    • SEVERITY (S): estimation of the extent of harm to the person(s) at risk
  • 12. Risk estimation and ASIL classification
    Initial operational situation where the system failure occurs – classes of probability of exposure:
    • E0 Incredible
    • E1 Very low probability
    • E2 Low probability
    • E3 Medium probability
    • E4 High probability
    Ability of traffic participants to avoid an accident – classes of controllability:
    • C0 Controllable in general
    • C1 Simply controllable
    • C2 Normally controllable
    • C3 Difficult to control or uncontrollable
    Potential harm to traffic participants if the accident occurs – classes of severity:
    • S0 No injuries
    • S1 Light and moderate injuries
    • S2 Severe and life-threatening injuries (survival probable)
    • S3 Life-threatening injuries (survival uncertain), fatal injuries
    ASIL determination table (rows: severity; columns: controllability, then exposure E1..E4):

            C1                      C2                      C3
            E1   E2   E3   E4       E1   E2   E3   E4       E1   E2   E3   E4
      S1    QM   QM   QM   QM       QM   QM   QM   A        QM   QM   A    B
      S2    QM   QM   QM   A        QM   QM   A    B        QM   A    B    C
      S3    QM   QM   A    B        QM   A    B    C        A    B    C    D

    (A, B, C, D stand for ASIL A, ASIL B, ASIL C, ASIL D; QM means quality management only.)
  • 13. ASIL as risk reduction measures
    ASILs are used for specifying risk reduction measures to address
    • systematic failures of system, hardware, and software, with measures and techniques for fault avoidance and fault tolerance
    • random failures of hardware, with quantitative targets for safety-critical failures and diagnostic coverage of the architecture
  • 14. Functional safety concept
    Safety goal: a top-level safety requirement as a result of the hazard analysis and risk assessment
    Functional safety requirement: specification of implementation-independent safety behavior, or implementation-independent safety measure, including its safety-related attributes
    • operating modes
    • fault tolerant time interval
    • degradation, safe states, warning
    • emergency operation time interval
    • functional redundancies
    Functional safety concept: specification of the functional safety requirements, with associated information, their allocation to preliminary architectural elements and their interaction necessary to achieve the safety goals
  • 15. Technical Safety Concept
    Technical safety requirement: requirement derived from the associated functional safety requirements to provide their technical implementation – the safety mechanisms are specified by technical safety requirements
    Safety mechanism: measure implemented by E/E functions or elements, or in other technologies, to detect or control failures in order to achieve a safe state of the item, or maintain a safe state of the item, or both
    • measures to detect, indicate and control faults in the system itself
    • measures to detect, indicate and control faults in external devices interacting with the system
    • measures that enable the system to achieve or maintain a safe state
    • measures to detail and implement the warning and degradation concept
    • measures which prevent faults from being latent
    Technical safety concept: specification of the technical safety requirements to be implemented, with associated information, and their allocation to hardware and software
  • 16. Default rules for ASIL assignment
    • Inheritance: each safety requirement inherits the ASIL of the safety requirement it is derived from – starting from the ASIL of the safety goal
    • ASIL allocation drives development: when a safety requirement is allocated to an architectural element, this element and its sub-elements are developed in compliance with the ASIL assigned to the safety requirement
    • Highest ASIL predominance: when safety requirements with different ASILs are allocated to the same architectural element, this element is developed in compliance with the highest ASIL – unless the criteria for coexistence are met
    • Safety relevance by default: any architectural element is safety-related unless
      • this element is independent from the safety-related elements of the item, or
      • the criteria for coexistence are met
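The S/E/C table of slide 12 and the assignment rules of slide 16, as an added worked example in Python (not code from the CISEC slides): it classifies constructed hazardous events and then propagates ASILs through a constructed element tree with and without the coexistence criteria being met. Element names, hazards and the `Element` model are assumptions made for the illustration.

```python
"""ASIL determination from (S, E, C) as on slide 12 and the default ASIL
assignment rules of slide 16 (inheritance, allocation, highest-ASIL
predominance, safety relevance by default).  Added example, not code from the
CISEC slides; element and requirement names are constructed for illustration."""
from dataclasses import dataclass, field

LEVELS = ["QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D"]   # ordered, QM lowest

# Slide 12 table: row = severity, key = controllability, list index = E1..E4.
_ASIL_TABLE = {
    "S1": {"C1": ["QM", "QM", "QM", "QM"],
           "C2": ["QM", "QM", "QM", "ASIL A"],
           "C3": ["QM", "QM", "ASIL A", "ASIL B"]},
    "S2": {"C1": ["QM", "QM", "QM", "ASIL A"],
           "C2": ["QM", "QM", "ASIL A", "ASIL B"],
           "C3": ["QM", "ASIL A", "ASIL B", "ASIL C"]},
    "S3": {"C1": ["QM", "QM", "ASIL A", "ASIL B"],
           "C2": ["QM", "ASIL A", "ASIL B", "ASIL C"],
           "C3": ["ASIL A", "ASIL B", "ASIL C", "ASIL D"]},
}


def determine_asil(severity: str, exposure: str, controllability: str) -> str:
    """Classify one hazardous event.  S0, E0 and C0 carry no safety
    requirement, which the slide's table leaves at QM."""
    if severity == "S0" or exposure == "E0" or controllability == "C0":
        return "QM"
    return _ASIL_TABLE[severity][controllability][int(exposure[1]) - 1]


def highest(asils) -> str:
    """Highest-ASIL predominance over the ASILs of several requirements."""
    return max(asils, key=LEVELS.index, default="QM")


@dataclass
class Element:
    """Architectural element of the item (constructed model)."""
    name: str
    allocated: list = field(default_factory=list)   # ASILs of requirements allocated here
    sub_elements: list = field(default_factory=list)
    independent: bool = False    # independent from the safety-related elements of the item
    coexistence: bool = False    # criteria for coexistence met among its sub-elements


def assign_asils(elem: Element, inherited: str = "QM", out=None) -> dict:
    """Return {element name: development ASIL} applying the slide-16 rules.

    - Allocation drives development: the element and its sub-elements are
      developed to the ASIL of the requirements allocated to it.
    - Highest ASIL predominance: several ASILs on one element -> the highest,
      unless coexistence criteria are met, in which case each sub-element only
      carries the ASIL of its own requirements.
    - Safety relevance by default: an element without allocated requirement
      still inherits its parent's ASIL unless it is independent.
    """
    out = {} if out is None else out
    if not elem.allocated and elem.independent:
        level, push_down = "not safety-related", "QM"
    else:
        level = highest(elem.allocated + [inherited])
        push_down = "QM" if elem.coexistence else level
    out[elem.name] = level
    for sub in elem.sub_elements:
        assign_asils(sub, push_down, out)
    return out


if __name__ == "__main__":
    # Constructed hazard analysis entries: (safety goal, S, E, C)
    for goal, s, e, c in [("Avoid unintended steering torque", "S3", "E4", "C3"),
                          ("Avoid loss of low-beam headlamps", "S2", "E3", "C2")]:
        print(f"{goal}: {s}/{e}/{c} -> {determine_asil(s, e, c)}")
    ecu = Element("steering ECU", allocated=["ASIL D"], sub_elements=[
        Element("torque control SW", allocated=["ASIL D"]),
        Element("comfort functions SW", allocated=["QM"]),
        Element("independent logger", independent=True)])
    print("without coexistence:", assign_asils(ecu))
    ecu.coexistence = True
    print("with coexistence:   ", assign_asils(ecu))
```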
  • 17. One page summary about quantitative analyses on HW
    Target values for the analysis of random HW failures (reconstructed from the slide's table):

      ASIL     SPFM target   LFM target   PMHF target                   Status
      ASIL A   not required nor recommended
      ASIL B   90 %          60 %         < 10^-7 per hour (100 FIT)    recommended / required
      ASIL C   97 %          80 %         < 10^-7 per hour (100 FIT)    required / required
      ASIL D   99 %          90 %         < 10^-8 per hour (10 FIT)

    Taxonomy of random HW faults of the safety-related HW components:
    • S (safe faults)
    • SPF (single-point faults)
    • RF (residual faults)
    • MPF (multiple-point faults): MPF DP (MPF detected / perceived) and MPF L (MPF latent)
    The slide pictures the metrics as fractions over the safety-related HW components: SPFM relates SPF and RF to the whole failure rate, LFM relates MPF L to what remains once SPF and RF are removed, and PMHF (probabilistic metric for random hardware failures) adds the SPF and RF contributions to a dual-point failure term.
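The SPFM / LFM / PMHF computation sketched on slide 17, as an added Python example (not code from the slides): a constructed set of component failure rates split into the slide's fault classes is scored against the ASIL B/C/D targets of the table above. The component values are constructed, and PMHF is simplified to the SPF + RF contribution, leaving out the dual-point term.

```python
"""SPFM, LFM and a simplified PMHF from a random-HW-fault taxonomy as on slide
17, checked against the ASIL B/C/D target values the slide lists.  Added
example, not from the CISEC slides: the component failure rates are
constructed, and PMHF is reduced to the single-point + residual contribution
(the dual-point term of the full ISO 26262-5 method is left out)."""
from dataclasses import dataclass


@dataclass
class Component:
    """Failure rate (FIT = 1e-9/h) of one safety-related HW component, split
    into the fault classes of the slide's taxonomy; the remainder is safe."""
    name: str
    total: float
    spf: float = 0.0           # single-point faults (no safety mechanism)
    rf: float = 0.0            # residual faults (escaping the safety mechanism)
    mpf_latent: float = 0.0    # multiple-point faults neither detected nor perceived
    mpf_detected: float = 0.0  # multiple-point faults detected / perceived

    def __post_init__(self):
        if self.safe < 0:
            raise ValueError(f"{self.name}: fault classes exceed total failure rate")

    @property
    def safe(self) -> float:
        return self.total - (self.spf + self.rf + self.mpf_latent + self.mpf_detected)


def spfm(components) -> float:
    """Single-point fault metric: share of the total failure rate of the
    safety-related HW that is neither single-point nor residual."""
    total = sum(c.total for c in components)
    return 1.0 - sum(c.spf + c.rf for c in components) / total


def lfm(components) -> float:
    """Latent-fault metric: share of the remaining (non-SPF, non-RF) failure
    rate that is not latent, i.e. MPF detected/perceived or safe."""
    remaining = sum(c.total - c.spf - c.rf for c in components)
    return 1.0 - sum(c.mpf_latent for c in components) / remaining


def pmhf_fit(components) -> float:
    """Simplified PMHF in FIT: single-point plus residual failure rate."""
    return sum(c.spf + c.rf for c in components)


# Slide 17 targets: (min SPFM, min LFM, max PMHF in FIT).  ASIL A: none.
TARGETS = {"ASIL B": (0.90, 0.60, 100.0),
           "ASIL C": (0.97, 0.80, 100.0),
           "ASIL D": (0.99, 0.90, 10.0)}


def check_targets(components, asil: str) -> dict:
    """Return {metric: (value, target, met)} for the given ASIL."""
    if asil not in TARGETS:
        return {}   # ASIL A / QM: metrics not required nor recommended
    min_spfm, min_lfm, max_pmhf = TARGETS[asil]
    s, lf, p = spfm(components), lfm(components), pmhf_fit(components)
    return {"SPFM": (s, min_spfm, s >= min_spfm),
            "LFM": (lf, min_lfm, lf >= min_lfm),
            "PMHF": (p, max_pmhf, p < max_pmhf)}


# Constructed example: three components of a hypothetical ASIL D channel.
EXAMPLE = [
    Component("microcontroller", total=100, rf=2, mpf_latent=5, mpf_detected=60),
    Component("position sensor", total=50, rf=1, mpf_latent=2, mpf_detected=30),
    Component("bridge driver", total=80, spf=3, rf=2, mpf_latent=4, mpf_detected=40),
]

if __name__ == "__main__":
    for asil in ("ASIL B", "ASIL C", "ASIL D"):
        print(asil)
        for metric, (value, target, met) in check_targets(EXAMPLE, asil).items():
            print(f"  {metric:5s} {value:8.4f}  target {target:<7}  {'OK' if met else 'MISSED'}")
```

With the constructed rates the channel meets every ASIL B target, but its SPFM (about 96.5 %) falls short of the 97 % and 99 % thresholds of ASIL C and D even though LFM and PMHF pass, which is the usual reason architectures gain extra diagnostics on single-point and residual faults.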
  • 18. Questions and discussion
    Thanks for your attention!
  • 19. CISEC – Introduction to critical embedded systems engineering
    ISAE, Toulouse, December 16th, 2013
    Comparison of safety standards across several safety critical application domains
    Jean-Paul Blanquart, Astrium Satellites, Toulouse, jean-paul.blanquart@astrium.eads.net
  • 20. Multi-domain expertise working group
    Now with "Embedded France"
    • Aeronautics: ARP 4754, 4761; DO 178, 254, 330-3
    • Automation, Industry: IEC 61508, 61511
    • Automotive: ISO 26262
    • Defence: IEC 61508
    • Nuclear: IEC 61513, 60880, 62138
    • Railway: EN CENELEC 50126, 8, 9, 50155, 50159-1, 50159-2
    • Space: ECSS Q30, Q40, Q80
    • Technology providers
  • 21. Outline
    This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.
    • History and positioning of standards
    • Regulation regimes and certification
    • Technical comparison highlights
      • Integrated safety or external safety systems
      • Objectives versus Means prescription
      • Categorising severity and assurance levels
      • Fault tolerance or fault prevention
      • Probabilistic versus deterministic
    • Conclusion
    CISEC Series of lectures - Safety Standards - JP. Blanquart - Astrium Satellites
  • 22. History and positioning of standards – A complex picture
    Foundations: treaties, laws
    • United Nations: safe use of nuclear technology for peaceful applications, IAEA, 1957; peaceful use of outer space, COPUOS, 1958; …
    Norms and standards
    • Accepted means of compliance to higher level regulation
    • Self imposed in absence of regulation
    • Social and business needs: complexity of systems, industrial organisation, interoperability …
    A particular role played by IEC 61508
    • Generic but not general
    • Often preceded by sector specific standards
  • 23. History and positioning of standards – An Overview
    (Timeline figure, 1980 to 2015 in five-year columns, listing per domain the standards in order of appearance; exact column positions are not recoverable from the slide text.)
    • Aeronautics: DO178, DO178-B, ARP4754, ARP4761, DO254, ARP4754-A, DO178-C
    • Automation: IEC 61508, IEC 61511, IEC 62061, IEC 61508 Edition 2
    • Automotive: (IEC 61508), ISO 26262
    • Nuclear: IAEA 50-SG-D3, 50-SG-D8, IEC 60880, IAEA NS-G-1.3, IEC 61513, IEC 62138, IEC 60880 Edition 2, IAEA DS-431
    • Railway: EN 50155, EN 50126, EN 50128, EN 50129, EN 50128 Edition 2
    • Space: PSS, ECSS, ECSS "C Issues"
  • 24. Outline (repeated; next section: Regulation regimes and certification)
  • 25. Regulation regimes and certification – Assessment and Certification
    • Assessment: set of activities granting a confidence level to an entity (person, organisation or artefact). Context dependent validity: item, actors, usage, timeline.
    • Certification: an assessment body substantiates to an Authority that the engineering process of a manufacturer ensures regulatory safety objectives through conformance to safety standards.
  • 26. Regulation regimes and certification – A variety of regimes
    (Table reconstructed from the slide; columns: Domain, Applicant, Regulation, Authority, Assessment Body)
    • Aeronautics: Manufacturer; Yes; EASA-FAA; EASA-FAA
    • Automation: Product – Manufacturer, Process – Operator; Machinery directive (product), No (process); Labour Inspection, DREAL; Self-certification
    • Automotive: Manufacturer; No; No; No
    • Nuclear: Operator; Yes; Governments, ASN (France), IAEA; ASN, IRSN (France)
    • Railway: Manufacturer; Yes; ERA, EPSF/STRMTG; CERTIFER …
    • Space: Manufacturer; Yes; Governments, NASA/FAA/USAF; CNES
  • 27. Regulation regimes and certification – Simplified view (figure: Certification and Assessment)
  • 28. Outline (repeated; next section: Integrated safety or external safety systems)
  • 29. Technical comparison highlights – Integrated safety or external safety systems
    Design drivers: existence of fail-safe states + cost + validation
    • Industry, Automation, Railway, Nuclear, Space: external safety
      • Design of a dedicated safety system, distinct from the "process" system
      • Monitors and controls the "process" in safety critical situations
    • Aeronautics, Automotive: integrated safety
      • Systems monitor and control themselves internally
    • Automotive and Space: hybrid approach
  • 30. Integrated safety or external safety systems – A simplified view (figure: External Safety versus Integrated Safety)
  • 31. Outline (repeated; next section: Objectives versus Means prescription)
  • 32. Technical comparison highlights – Objectives versus Means prescription
    • OBJECTIVES prescriptive (ex: DO 178)
      • PROs: open; applicable to many contexts
      • CONs: needs to be interpreted
    • MEANS prescriptive (ex: IEC 61508)
      • PROs: easy conformance check; easy to apply when in the context considered by the standard's authors
      • CONs: closed; needs to be updated to introduce new methods and tools
  • 33. Prescription of means – Example: IEC 61508 (figure)
  • 34. Prescription of objectives – Example: DO 178C (figure)
  • 35. Objectives versus Means prescription – A simplified view (figure: Means versus Objectives)
  • 36. Outline (repeated; next section: Categorising severity and assurance levels)
  • 37. Technical comparison highlights – Categorising severity and assurance levels
    Risk analysis (potential failures): frequency and exposure of the failure, its severity and its control; consequences of potential failures, their occurrence, the needed trust.
    • Severity classes: Catastrophic, Critical, Major, Minor
    • Likelihood classes: Extremely remote, Remote, Probable, Frequent
    The "safety category" is related to the severity category of the most severe consequences of potential failures …
    "Trustability" of system functions and elements: integrity, Development Assurance Level (A, B, C, D), development and validation means …
    … so as to meet the required level of safety and dependability thanks to development and validation means appropriate with respect to the identified safety category.
  • 38. Technical comparison highlights – Categorising severity and assurance levels – Notion of HAZARD
    ASIL: characterizes a hazard.
    Chain: Use case → Vehicle / System → Hazardous event → Accident → Harm (to the person interacting with the vehicle)
    Hazard: system failure mode or unintended behaviour that may lead to harm.
  • 39. Technical comparison highlights – Categorising severity and assurance levels – Automotive (ISO 26262)
    Risk matrix: frequency of exposure to the driving situation where an accident can potentially happen (Always, Sometimes, Rarely, Very rarely, Extremely improbable) against severity of the possible accident (Minor, Major, Hazardous, Catastrophic). Regions: not acceptable; acceptable; lower than tolerable risk; residual risk.
    • Risk reduction external to the technical system: the driver controls the situation
    • Safety category (ASIL): "trustability" of the system
  • 40. Technical comparison highlights – Categorising severity and assurance levels – IEC 61508
    Risk matrix: frequency of failure of the EUC and control system (Always, Sometimes, Rarely, Very rarely, Extremely improbable) against severity of the possible accident (Minor, Major, Hazardous, Catastrophic). Regions: not acceptable; acceptable; lower than tolerable risk; residual risk.
    • Risk reduction by the protection system
    • Safety category (SIL)
  • 41. Technical comparison highlights – Categorising severity and assurance levels – Aerospace
    Risk matrix: frequency (Always, Sometimes, Rarely, Very rarely, Extremely improbable) against severity of the possible accident (Minor, Major, Hazardous, Catastrophic). Regions: not acceptable; acceptable; lower than tolerable risk; residual risk.
    • Safety category: "trustability" of the system
  • 42. Categorising severity and assurance levels – Common principles
    Principles common to all covered domains: the category defines the applicable requirements so as to cover
    • "Random" faults (hardware): probability objectives, minimum number of faults, …
    • "Systematic" faults (development): no quantitative probability target; confidence level through development and validation requirements
    Confirmed by decades of experience, e.g. in aeronautics or nuclear
    Need to enforce a strong isolation against fault propagation from "low level" to "high level" elements
  • 43. Categorising severity and assurance levels – Some differences
    • Definition and categories of consequences, severity
      • Generic and general (space, automotive)
      • Domain dependent (aeronautics)
    • Incorporation of exposure probability (automotive)
    • Incorporation of "controllability" (automotive) – similar to aeronautics' domain dependent consequences severity
    • "Syntactic" variations (number of levels, names, ordering …)
    • "Arithmetic of levels", combining low levels into a higher level: accepted in aeronautics and automotive, not in nuclear and space
    • Requirements for each level
  • 44. Outline (repeated; next section: Fault tolerance or fault prevention)
  • 45. Technical comparison highlights – Fault tolerance or fault prevention
    • Fault tolerance: principally hardware faults
      • Domain and application dependent
      • Continuity of service versus safety, mission needs
      • External versus internal safety system
    • Software, development faults: focus on fault prevention
      • Process, product
      • Residual faults: detection and degraded mode preserving safety
      • System level, functional diversification, independence
  • 46. Outline (repeated; next section: Probabilistic versus deterministic)
  • 47. Technical comparison highlights – Probabilistic versus deterministic
    A combination of probabilistic and deterministic approaches
    • Probabilistic approach
      • Top level risk assessment
      • Hardware faults and their impact on feared events (architecture based analysis of propagation)
    • Deterministic approach
      • Behaviour, correctness (functional, fault management)
      • In particular software – it does not mean that software is expected to be fault free (cf. severity/integrity levels, and fault prevention versus tolerance)
  • 48. Outline (repeated; next section: Conclusion)
  • 49. Conclusion
    Common view of the fundamental principles
    • Risk assessment, integrity levels
    • Combination of deterministic and probabilistic approaches, of fault prevention and fault tolerance
    • Focus on fault propagation, independence, single points of failure, common causes …
    Slight but numerous variations
    • On each topic a simple grouping exists, but it varies from one topic to another
    • Not all variations can be clearly justified by the specific characteristics of each domain
    • Strong impact on efficiency, cost (tools, products, processes …)
  • 50. Questions and discussion
    Thanks for your attention! from JP. Blanquart (Astrium Satellites) and JM. Astruc (Continental Automotive)