Most industrial safety-critical systems are developed and validated following safety standards. However, even though all safety standards address similar concerns with similar objectives, they are also domain-specific. The presentation results from the activity of a working group (formerly CG2E, now part of the recently set-up Embedded France) gathering industrial safety experts from aeronautics, automotive, industrial automation, nuclear, railway and space. The lecture combines a presentation focused on one industry-specific standard (the recent ISO 26262 for automotive) with a complementary perspective comparing it with the standards of the other five domains mentioned. After presenting the history and positioning of the standards and the various regulation regimes, we highlight some more technical topics, e.g. integrated or external safety systems, fault prevention vs. fault tolerance, objectives vs. means prescription, probabilistic vs. deterministic arguments, and the notion of criticality, integrity or assurance levels.
19. CISEC
Introduction to critical embedded systems engineering
ISAE, Toulouse, December 16th, 2013
Comparison of safety standards
across several safety critical application domains
Jean-Paul Blanquart
Astrium Satellites, Toulouse
jean-paul.blanquart@astrium.eads.net
20. Multi-domain expertise working group
Now with “Embedded France”
Aeronautics: ARP 4754, 4761; DO 178, 254, 330-3
Automation, Industry: IEC 61508, 61511
Automotive: ISO 26262
Defence: IEC 61508
Nuclear: IEC 61513, 60880, 62138
Railway: EN CENELEC 50126, 50128, 50129, 50155, 50159-1, 50159-2
Space: ECSS Q30, Q40, Q80
Technology providers
21. Outline
History and positioning of standards
Regulation regimes and certification
Technical comparison highlights
Integrated safety or external safety systems
Objectives versus Means prescription
Categorising severity and assurance levels
Fault tolerance or fault prevention
Probabilistic versus deterministic
Conclusion
This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.
CISEC Series of lectures - Safety Standards - JP. Blanquart - Astrium Satellites
Page 24
22. History and positioning of standards
A complex picture
Foundations: treaties, laws
United Nations
Safe use of nuclear technology for peaceful applications, IAEA, 1957
Peaceful use of outer space, COPUOS, 1958
…
Norms and standards
Accepted means of compliance to higher level regulation
Self-imposed in absence of regulation
Social and business needs
Complexity of systems, industrial organisation, interoperability …
A particular role played by IEC 61508
Generic but not general
Often preceded by sector specific standards
23. History and positioning of standards
An Overview
Timeline figure (1980 to 2015, in five-year periods) of the main standards per domain:
Aeronautics: DO 178, DO 178-B, ARP 4754, ARP 4761, DO 254, ARP 4754-A, DO 178-C
Automation: IEC 61508, IEC 61511, IEC 62061, IEC 61508 Edition 2
Automotive: (IEC 61508), ISO 26262
Nuclear: IAEA 50-SG-D3, 50-SG-D8, IEC 60880, IAEA NS-G-1.3, IEC 61513, IEC 62138, IEC 60880 Edition 2, IAEA DS-431
Railway: EN 50155, EN 50126, EN 50128, EN 50129, EN 50128 Edition 2
Space: PSS, ECSS, ECSS “C Issues”
25. Regulation regimes and certification
Assessment and Certification
Assessment: set of activities granting a confidence level to an entity (person, organisation or artefact). Context dependent validity: item, actors, usage, timeline.
Certification: an assessment body substantiates to an Authority that the engineering process of a manufacturer ensures regulatory safety objectives through conformance to safety standards.
26. Regulation regimes and certification
A variety of regimes
DOMAIN | Applicant | Regulation | Authority | Assessment Body
Aeronautics | Manufacturer | Yes | EASA-FAA | EASA-FAA
Automation (Product) | Manufacturer | Machinery directive | Labour Inspection | Self-certification
Automation (Process) | Operator | No | DREAL | No
Automotive | Manufacturer | No | No | No
Nuclear | Operator | Yes | Governments, ASN (France), IAEA | ASN, IRSN (France)
Railway | Manufacturer | Yes | ERA, EPSF/STRMTG | CERTIFER …
Space | Manufacturer | Yes | Governments, NASA/FAA/USAF, CNES |
27. Regulation regimes and certification
Simplified view (figure: Certification and Assessment)
29. Technical comparison highlights
Integrated safety or external safety systems
Design drivers: existence of fail-safe states + cost + validation
Industry, Automation, Railway, Nuclear, Space: external safety
Design of a dedicated safety system, distinct from the "process" system
Monitors and controls the "process" in safety critical situations
Aeronautics, Automotive: integrated safety
Systems monitor and control themselves internally
Automotive and Space: hybrid approach
30. Integrated safety or external safety systems
A simplified view (figure: External Safety versus Integrated Safety)
32. Technical comparison highlights
Objectives versus Means prescription
OBJECTIVES prescriptive (ex: DO 178)
PROs: Open; applicable to many contexts
CONs: Needs to be interpreted
MEANS prescriptive (ex: IEC 61508)
PROs: Easy conformance check; easy to apply when in the context considered by the standard's authors
CONs: Closed; needs to be updated to introduce new methods and tools
33. Prescription of means
Example: IEC 61508 (figure)
34. Prescription of objectives
Example: DO 178C (figure)
35. Objectives versus Means prescription
A simplified view (figure: Means versus Objectives)
37. Technical comparison highlights
Categorising severity and assurance levels
Figure: from the risk analysis of potential failures to development assurance
RISK ANALYSIS (potential failures): frequency, exposure, failure, control → consequences of potential failures (SEVERITY) and occurrence (LIKELIHOOD) → needed trust
SEVERITY: Catastrophic, Critical, Major, Minor
LIKELIHOOD: Extremely remote, Remote, Probable, Frequent
The “safety category” is related to the severity category of the most severe consequences of potential failures…
“Trustability” of the system, functions, elements …: INTEGRITY, Development Assurance Level A, B, C, D
MEANS: develop the system, functions and elements so as to meet the required level of safety and dependability thanks to development and validation means appropriate with respect to the identified safety category
38. Technical comparison highlights
Categorising severity and assurance levels – Notion of HAZARD
ASIL: characterizes a Hazard
Figure: Use case, Vehicle, System → Hazard → Hazardous event → Accident → Harm (to the person interacting with the vehicle)
Hazard: system failure mode or unintended behaviour that may lead to harm
39. Technical comparison highlights
Categorising severity and assurance levels – Automotive (ISO 26262)
Figure: risk matrix
Frequency axis (frequency of exposure to a driving situation where an accident can potentially happen): Always, Sometimes, Rarely, Very rarely, Extremely improbable
Severity axis (severity of possible accident): Minor, Major, Hazardous, Catastrophic
Regions: not acceptable / acceptable / lower than tolerable risk; the residual risk is what remains after risk reduction
Risk reduction external to the technical system: the driver controls the situation
Safety category (ASIL): “trustability” of the system
40. Technical comparison highlights
Categorising severity and assurance levels – IEC 61508
Figure: risk matrix
Frequency axis (frequency of failure of the EUC and its control system): Always, Sometimes, Rarely, Very rarely, Extremely improbable
Severity axis (severity of possible accident): Minor, Major, Hazardous, Catastrophic
Regions: not acceptable / acceptable / lower than tolerable risk; the residual risk is what remains after risk reduction
Risk reduction by the protection system
Safety category (SIL)
41. Technical comparison highlights
Categorising severity and assurance levels – Aerospace
Figure: risk matrix
Frequency axis: Always, Sometimes, Rarely, Very rarely, Extremely improbable
Severity axis (severity of possible accident): Minor, Major, Hazardous, Catastrophic
Regions: not acceptable / acceptable / lower than tolerable risk; residual risk
Safety category: “trustability” of the system
42. Categorising severity and assurance levels
Common principles
Principles common to all covered domains
The category defines the applicable requirements so as to cover:
“Random” faults (hardware): probability objectives, minimum number of tolerated faults, …
“Systematic” faults (development): no quantitative probability target
Confidence level through development and validation requirements
Confirmed by decades of experience, e.g. in aeronautics or nuclear
Need to enforce a strong isolation against fault propagation from “low level” to “high level” elements
43. Categorising severity and assurance levels
Some differences
Definition and categories of consequences, severity
Generic and general (space, automotive)
Domain dependent (aeronautics)
Incorporation of exposure probability (automotive)
Incorporation of “controllability” (automotive)
Similar to aeronautics domain dependent consequences severity
“Syntactic” variations (number of levels, names, ordering …)
“Arithmetic of levels”, combining low levels into a higher level
Accepted in aeronautics, automotive, not in nuclear, space
Requirements for each level
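The automotive classification of slides 37 to 39 and the “arithmetic of levels” of slide 43, carried through as a worked example. This is an added illustration written for this page, not code from the lecture or from any ISO 26262 tool: it reproduces the public ISO 26262-3 ASIL determination table (severity S, exposure E, controllability C) and the ISO 26262-9 decomposition schemes as the author of this example understands them. The function names (`asil`, `item_category`, `decompositions`, `is_valid_decomposition`), the `DECOMPOSITION` table encoding and the hazardous events classified at the bottom are constructed for the example.

```python
"""ISO 26262 hazard classification and ASIL decomposition.

Added illustration, not code from the lecture. It reproduces the public
ISO 26262-3 ASIL determination table and the ISO 26262-9 decomposition
schemes as the author of this example understands them; the hazardous
events classified at the bottom are constructed, not taken from any
real vehicle function.
"""

# Classification parameters of ISO 26262-3 (class 0 means "no effect"
# or "incredible" and needs no ASIL).
SEVERITY = {"S0": 0, "S1": 1, "S2": 2, "S3": 3}          # S3: life-threatening or fatal injuries
EXPOSURE = {"E0": 0, "E1": 1, "E2": 2, "E3": 3, "E4": 4}  # E4: high probability of the driving situation
CONTROLLABILITY = {"C0": 0, "C1": 1, "C2": 2, "C3": 3}   # C3: difficult to control or uncontrollable
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


def asil(s: str, e: str, c: str) -> str:
    """ASIL of one hazardous event from severity, exposure and controllability.

    The 36-cell lookup table of ISO 26262-3 is equivalent to a rule on the
    sum of the three class indices: 10 -> D, 9 -> C, 8 -> B, 7 -> A, and
    6 or less -> QM (quality management only, no ASIL requirements). A
    class of 0 on any parameter (S0, E0 or C0) also gives QM.
    """
    sv, ev, cv = SEVERITY[s], EXPOSURE[e], CONTROLLABILITY[c]
    if 0 in (sv, ev, cv):
        return "QM"
    return {10: "D", 9: "C", 8: "B", 7: "A"}.get(sv + ev + cv, "QM")


def determination_table() -> dict:
    """The full (S, E, C) -> ASIL table, useful to review a hazard analysis."""
    return {(s, e, c): asil(s, e, c)
            for s in ("S1", "S2", "S3")
            for e in ("E1", "E2", "E3", "E4")
            for c in ("C1", "C2", "C3")}


def item_category(hazards) -> str:
    """Safety category of an item: the highest ASIL over its hazardous
    events, i.e. the category follows the most severe consequence (slide 37)."""
    return max((asil(*h) for h in hazards), key=ASIL_RANK.__getitem__)


# ISO 26262-9 ASIL decomposition, the "arithmetic of levels" of slide 43:
# a safety requirement at ASIL X may be allocated to two sufficiently
# independent elements with the lower ASILs listed here. The original ASIL
# is kept in parentheses, e.g. "C(D)", because the independence of the two
# elements has to be shown at the original ASIL. The lecture notes this
# arithmetic is accepted in automotive and aeronautics, not in nuclear or space.
DECOMPOSITION = {
    "D": (("C", "A"), ("B", "B"), ("D", "QM")),
    "C": (("B", "A"), ("C", "QM")),
    "B": (("A", "A"), ("B", "QM")),
    "A": (("A", "QM"),),
}


def decompositions(level: str) -> list:
    """Allowed decompositions of an ASIL, in the X(Y) notation."""
    return [(f"{a}({level})", f"{b}({level})") for a, b in DECOMPOSITION.get(level, ())]


def is_valid_decomposition(level: str, first: str, second: str) -> bool:
    """True if a requirement at `level` may be split over two independent
    elements developed at ASIL `first` and `second` (order does not matter)."""
    options = DECOMPOSITION.get(level, ())
    return (first, second) in options or (second, first) in options


if __name__ == "__main__":
    # Constructed hazardous events: (severity, exposure, controllability).
    hazards = [("S3", "E4", "C3"), ("S1", "E2", "C1"), ("S2", "E3", "C2")]
    for h in hazards:
        print(h, "->", asil(*h))
    print("item category:", item_category(hazards))
    print("ASIL D may be decomposed as:", decompositions("D"))
```

Two points the table makes concrete: exposure and controllability are risk reduction external to the technical system (the driving situation and the driver), so the same failure consequence gets a lower ASIL when the situation is rare or the driver can cope; and decomposition lowers the ASIL of each element only if their independence is demonstrated, which is why the original level stays in the notation.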
45. Technical comparison highlights
Fault tolerance or fault prevention
Fault tolerance
Principally hardware faults
Domain and application dependent
Continuity of service versus safety, mission needs
External versus internal safety system
Software, development faults
Focus on fault prevention
Process, product
Residual faults: detection and degraded mode preserving safety
System level, functional diversification, independence
47. Technical comparison highlights
Probabilistic versus deterministic
A combination of probabilistic and deterministic approaches
Probabilistic approach
Top level risk assessment
Hardware faults and their impact on feared events (architecture based analysis of propagation)
Deterministic approach
Behaviour, correctness (functional, fault management)
In particular software
It does not mean that software is expected to be fault free
Cf. severity/integrity levels, and fault prevention versus tolerance
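The probabilistic side of slide 47 (hardware faults and their propagation to a feared event, analysed on the architecture) together with the two kinds of requirement slide 42 attaches to random faults (a probability objective and a minimum number of tolerated faults), as a worked example. This is an added illustration, not code or figures from the lecture: it builds a small fault tree for a single-channel architecture and for a 1oo2 redundant one with a beta-factor common-cause event, evaluates the probability of the feared event over a mission, and extracts the minimal cut sets to get the deterministic fault-tolerance count. Constant failure rates (exponential model), independence of basic events, and all numbers (`SENSOR_RATE`, `CPU_RATE`, `MISSION_HOURS`, `BETA`, `TARGET`) are assumptions constructed for the example, not values from any standard or real design.

```python
"""Architecture-based analysis of random hardware fault propagation.

Added illustration; not from the lecture. It assumes constant failure
rates (exponential model), independence of basic events and a beta-factor
model for common-cause failure. Failure rates, mission time and the
probability target are constructed numbers, not values from any standard
or real design.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Basic:
    """Basic event: one random hardware fault with a constant failure rate (per hour)."""
    name: str
    rate: float
    common_cause: bool = False  # True for the beta-factor common-cause event

    def prob(self, hours: float) -> float:
        return 1.0 - math.exp(-self.rate * hours)

    def cut_sets(self):
        return [frozenset([self.name])]


@dataclass(frozen=True)
class Gate:
    """AND: the feared event needs every input; OR: any input suffices.
    The formulas are exact only when no basic event feeds two inputs,
    which holds for the trees built below."""
    kind: str
    inputs: tuple

    def prob(self, hours: float) -> float:
        ps = [i.prob(hours) for i in self.inputs]
        if self.kind == "AND":
            return math.prod(ps)
        return 1.0 - math.prod(1.0 - p for p in ps)

    def cut_sets(self):
        if self.kind == "OR":
            sets = [cs for i in self.inputs for cs in i.cut_sets()]
        else:
            sets = [frozenset()]
            for i in self.inputs:
                sets = [a | b for a in sets for b in i.cut_sets()]
        return minimal(sets)


def minimal(sets):
    """Keep only minimal cut sets (drop any set containing another one)."""
    out = []
    for s in sorted(set(sets), key=len):
        if not any(m <= s for m in out):
            out.append(s)
    return out


def leaves(node):
    if isinstance(node, Basic):
        return [node]
    return [b for i in node.inputs for b in leaves(i)]


def fault_tolerance(tree) -> int:
    """Deterministic view: the number of independent faults the architecture
    survives, i.e. the size of its smallest minimal cut set of independent
    faults minus one. Common-cause events are left out here; they are
    handled probabilistically (and by independence requirements) instead."""
    cc = {b.name for b in leaves(tree) if b.common_cause}
    independent = [cs for cs in tree.cut_sets() if not (cs & cc)]
    return min(len(cs) for cs in independent) - 1


# Constructed figures for the example (per hour, per mission).
SENSOR_RATE = 1.0e-5
CPU_RATE = 2.0e-6
MISSION_HOURS = 1000.0
BETA = 0.05      # fraction of channel failures assumed to be common cause
TARGET = 1.0e-3  # tolerable probability of the feared event per mission


def channel(tag: str, scale: float = 1.0) -> Gate:
    """One acquisition/processing channel: it fails if its sensor OR its CPU fails."""
    return Gate("OR", (Basic(f"sensor_{tag}", SENSOR_RATE * scale),
                       Basic(f"cpu_{tag}", CPU_RATE * scale)))


def single_channel() -> Gate:
    return channel("A")


def redundant_1oo2() -> Gate:
    """Two channels: the feared event needs both to fail (AND), OR a
    common-cause failure taking both down at once (beta-factor model)."""
    cc_rate = BETA * (SENSOR_RATE + CPU_RATE)
    return Gate("OR", (Gate("AND", (channel("A", 1 - BETA), channel("B", 1 - BETA))),
                       Basic("common_cause", cc_rate, common_cause=True)))


def analyse(tree) -> dict:
    p = tree.prob(MISSION_HOURS)
    return {"probability": p, "meets_target": p < TARGET,
            "fault_tolerance": fault_tolerance(tree),
            "minimal_cut_sets": len(tree.cut_sets())}


if __name__ == "__main__":
    for name, tree in (("single channel", single_channel()), ("1oo2 + CCF", redundant_1oo2())):
        print(name, analyse(tree))
```

Run as is, the single channel fails both requirements (no fault tolerated, probability above the target) while the redundant architecture tolerates one fault and meets the target; but the common-cause event, not the product of the two independent channel failures, dominates its probability. That is the quantitative face of the lecture's recurring point about independence and common causes: adding a redundant channel buys little unless the design also keeps the channels independent.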
49. Conclusion
Common view of the fundamental principles
Risk assessment, integrity levels,
Combination of deterministic and probabilistic approach, of fault prevention and fault tolerance,
Focus on fault propagation, independence, single points of failures, common causes …
Slight but numerous variations
On each topic a simple grouping exists, but it varies from one topic to another
Not all variations can be clearly justified by the specific characteristics of each domain
Strong impact on efficiency, cost (tools, products, processes …)
50. Questions and discussion
Thanks for your attention!
from JP. Blanquart (Astrium Satellites) and JM. Astruc (Continental Automotive)
CISEC Series of lectures - Safety Standards