Functional Safety with ISO 26262 Webinar
Dr. Arnulf Braatz, February 19th 2019
V1.7 | 2019-02-19
Slide 3/30. Welcome and Introduction: Vector Group
Development: Vector provides tools for developing, testing, calibration and diagnostics as well as software components and development services.
Networking: Vector provides components and engineering services for the networking of electronic systems.
Optimization: Vector provides a comprehensive consulting portfolio as well as suitable tool support.
Locations (world map on the slide): USA (Detroit); France (Paris); Germany (Stuttgart, Brunswick, Hamburg, Karlsruhe, Munich, Regensburg); Great Britain (Birmingham); Sweden (Gothenburg); Japan (Tokyo, Nagoya); Italy (Milano); India (Pune); Korea (Seoul); Austria (Vienna); Brazil (São Paulo); China (Shanghai).
© 2018. Vector Consulting Services GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector.
Slide 4/30. Welcome and Introduction: Vector Client Survey 2019: The Fight of Two Forces
Chart: Vector Client Survey 2019 (details: www.vector.com/trends), item "Safety & Security". Horizontal axis shows short-term challenges, vertical axis shows mid-term challenges. Percentages sum to more than 300% because each question allowed five answers. The deck rates the survey as strongly valid: 4% response rate from 2000 recipients from different industries worldwide.
Vector provides tailored consulting solutions to keep OEMs and suppliers competitive: Efficiency – Quality – Competences
Slide 5/30. Agenda
1. Welcome and Introduction
2. Challenges and Concepts
3. Vector Safety Experiences
4. Conclusions and Outlook
Slide 6/30. Challenges and Concepts: Functional Safety Challenge: Complexity and Competences
Increasing complexity of functions
More and more distributed development
Rising liability risks, such as security and safety
Quantity: boost in number of systems
Maturity: inefficient processes and tools
Quality: lack of experts
Figure: timeline of E/E functions from 1975 to 2025. Early items: electronic fuel injection, anti-lock brakes, traction control, electronic stability control, electronic brake control, gearbox control, active body control, head-up display, CAN bus, FlexRay, AUTOSAR, remote/tele diagnostics, emergency call, electric power steering. Later items: adaptive cruise control, lane assistant, emergency brake assist, stop-/start automatic, hybrid and electric powertrain, 3D displays, gesture HMI, laser-sourced lighting, Ethernet/IP backbone, online software updates, fuel-cell technology, 5G mobile communication, connectivity and Vehicle2X, cloud computing, brake-by-wire, steer-by-wire, autonomous driving, mobility services.
Slide 7/30. Challenges and Concepts: Functional Safety – Broad Exposure
Example hazards:
ESP: unintended, single-sided brake effect on a straight lane
Electronic Park Brake: unintended activation in motion
Collision Avoidance: acceleration instead of deceleration in traffic
Airbag: delayed deployment after crash detection
Exposure of practically all E/E functions. Risk of liability.
Slide 8/30. Challenges and Concepts: Functional Safety – Wide Impact
Figure: V-model from Idea to Component Implementation. Left branch: System Req. Analysis, System Design, Component Req. Analysis, Component Design; right branch: Component Integration, Component Test, System Integration, System Test. Upper levels are OEM activities, lower levels supplier activities. Management activities (Project, Configuration, Requirements, Supplier and Quality Management) and engineering activities are all marked as affected by ISO 26262.
Wide impact on the entire life-cycle. Risk of gaps and inconsistencies.
Slide 9/30. Challenges and Concepts: Functional Safety – Many Methods
Fault-error-failure chain:
Fault: cause of the error, e.g. a code mistake
Error: incorrect state that may lead to a failure
Failure: inability to perform the required function as specified
Effect: hazard
Measures by system layer:
1. Fault prevention: guidelines, processes
2. Fault detection: code analysis, review, test
3. Fault tolerance: redundant design, memory protection
4. Robustness: redundant shut-off, fail-operational
Many methods and techniques. Risk of uninformed usage.
Slide 10/30. Challenges and Concepts: Parts of ISO 26262:2018 – 2nd Edition – Main Changes
Related: ISO/PRF PAS 21448 Road vehicles – Safety of the intended functionality
1. Vocabulary
2. Management of functional safety
3. Concept phase
4. Product development at the system level
5. Product development at the hardware level
6. Product development at the software level
7. Production and operation
8. Supporting processes (clauses 8-13 to 8-16 highlighted)
9. ASIL-oriented and safety-oriented analyses
10. Guideline on ISO 26262
11. Application of ISO 26262 to semiconductors (new in the 2nd edition)
12. Adaptation of ISO 26262 for motorcycles (new in the 2nd edition)
Slide 11/30. Challenges and Concepts: ISO 26262:2018 – 2nd Edition – Selected Changes
Part 2 (Safety Management): Chapter 5.4.2 (Safety culture): The organization shall institute and maintain effective communication channels between functional safety, cybersecurity, and other disciplines … Chapter 6.4.9 (Confirmation Measures): Additional confirmation review of impact analysis, Functional Safety Concept and Technical Safety Concept
Part 3 (Concept Phase): Chapter 6.5.4 (Hazard Analysis and Risk Assessment): Variances shall be considered when conducting a hazard analysis and risk assessment for a T&B (truck and bus) vehicle (type of base vehicle, vehicle configuration and vehicle operation).
Part 4 (Product Development at the System Level): Chapter 6.4.4.6 (Technical Safety Concept): Properties of a system architectural design to avoid systematic faults without ASIL-dependent recommendations.
Part 5 (Product Development at the Hardware Level): Chapter 7.4.4.3 (Hardware Design): Verification of the validity of assumptions when integrating a SEooC into the hardware.
Part 6 (Product Development at the Software Level): Chapter 7.4.12 (Software Architectural Design): Safety mechanisms for error detection and error handling shall be applied depending on the results of the safety-oriented analyses at the software architectural level …
Slide 12/30. Challenges and Concepts: Legal Liability: State of the art of science and technology
Sources that define the state of the art: laws and statutory provisions; nongovernmental standards (ISO 9001, ISO/TS 16949, etc.); maturity models (e.g. CMMI, SPICE); conferences, white papers, etc.
What ISO 26262 covers:
Process: safety management, project management, risk management, quality assurance, requirements management, configuration management, test management, ...
Technology: measures against random HW failures; measures against systematic failures (system, HW, SW); development of safety concepts; implementation of safety mechanisms; ...
Methods: FMEA, FTA, FMEDA, analysis of dependent failures, ASIL decomposition, ...
Slide 13/30. Challenges and Concepts: Basic Concept of ISO 26262: Risk Classification by "ASIL"
Risk = Severity x Probability, with S: Severity, E: Exposure, C: Controllability, I: necessary Integrity:
R = S x P_E x P_C x P_I
ASIL: Automotive Safety Integrity Level (= required integrity of a function)
Figure (source: IEC 61508:2010): risk level reduced from the risk of the E/E functions to the tolerated risk by additional functions and by safety functions, leaving a residual risk.
Slide 14/30. Challenges and Concepts: Approaches to Risk Reduction
The risk level (ASIL) drives both product measures and the development process:
Technical measures against random HW failures: redundancy, diagnostics, self-tests, ...
Technical measures against systematic system, HW and SW failures: redundancy, diagnostics, self-tests, modular HW/SW architecture, architecture patterns, defensive programming, ...
Methodological measures to ensure the application of a safety-conform development process: design methods, analysis techniques, test methods, safety case, configuration management, ...
ASIL = Automotive Safety Integrity Level. Goals: avoid failures; make unavoidable failures safe.
Slide 15/30. Challenges and Concepts: Development – HARA for deriving Safety Goals and ASIL
Failure mode               Vehicle state           Road condition  Environment  E   C   S   ASIL
No braking effect          > 100 km/h              Wet             Highway      E3  C3  S3  C
Unexpected braking effect  > 50 km/h, < 100 km/h   Dry             Main road    E4  C2  S3  C
Asymmetric braking effect  Parking, < 10 km/h      Dry             Side road    E4  C2  S1  A
Exposure: E3: 1-10% of average operating time; E4: > 10% of average operating time.
Controllability (average driver): C2: hazardous situation is usually controllable; C3: hazardous situation is usually not controllable.
Severity: S1: light to moderate injuries; S3: critical injuries.
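The ASIL in the last column follows from S, E and C through the classification table of ISO 26262-3. As an added example (not from the Vector deck), the table below encodes that lookup in C and applies it to the slide's three constructed braking hazards; the closed-form cross-check max(0, S+E+C-6), the function names and the struct are the example's own, not the standard's.

```c
/* ASIL determination per the S/E/C table of ISO 26262-3 (clause 6).
 * Added example, not from the Vector deck; the hazards in main() are the
 * slide's constructed braking-system rows. */
#include <stdio.h>
#include <string.h>

typedef enum { QM = 0, ASIL_A, ASIL_B, ASIL_C, ASIL_D, ASIL_INVALID } asil_t;

/* Index [S-1][E-1][C-1] for S1..S3, E1..E4, C1..C3 (S0/E0/C0 are handled first). */
static const asil_t asil_table[3][4][3] = {
    /* S1 */ { {QM, QM, QM},     {QM, QM, QM},         {QM, QM, ASIL_A},         {QM, ASIL_A, ASIL_B} },
    /* S2 */ { {QM, QM, QM},     {QM, QM, ASIL_A},     {QM, ASIL_A, ASIL_B},     {ASIL_A, ASIL_B, ASIL_C} },
    /* S3 */ { {QM, QM, ASIL_A}, {QM, ASIL_A, ASIL_B}, {ASIL_A, ASIL_B, ASIL_C}, {ASIL_B, ASIL_C, ASIL_D} },
};

asil_t asil_classify(int s, int e, int c)
{
    if (s < 0 || s > 3 || e < 0 || e > 4 || c < 0 || c > 3)
        return ASIL_INVALID;            /* outside the classes the standard defines */
    if (s == 0 || e == 0 || c == 0)
        return QM;                      /* no injuries, incredible exposure or controllable in general */
    return asil_table[s - 1][e - 1][c - 1];
}

const char *asil_name(asil_t a)
{
    static const char *const names[] = { "QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D", "invalid" };
    return names[a];
}

/* The table is equivalent to max(0, S + E + C - 6); checking the two against
 * each other guards against a transcription error in the table above. */
int asil_table_consistent(void)
{
    for (int s = 1; s <= 3; s++)
        for (int e = 1; e <= 4; e++)
            for (int c = 1; c <= 3; c++) {
                int f = s + e + c - 6;
                if (f < 0) f = 0;
                if ((int)asil_classify(s, e, c) != f) return 0;
            }
    return 1;
}

typedef struct { const char *failure_mode, *situation; int s, e, c; } hazard_t;

int main(void)
{
    /* Constructed rows, taken from the slide's braking example. */
    const hazard_t hazards[] = {
        { "No braking effect",         "> 100 km/h, wet highway",          3, 3, 3 },
        { "Unexpected braking effect", "50..100 km/h, dry main road",      3, 4, 2 },
        { "Asymmetric braking effect", "parking < 10 km/h, dry side road", 1, 4, 2 },
    };
    printf("table consistent with closed form: %s\n", asil_table_consistent() ? "yes" : "no");
    for (size_t i = 0; i < sizeof hazards / sizeof hazards[0]; i++) {
        const hazard_t *h = &hazards[i];
        printf("%-26s %-34s S%d E%d C%d -> %s\n", h->failure_mode, h->situation,
               h->s, h->e, h->c, asil_name(asil_classify(h->s, h->e, h->c)));
    }
    return 0;
}
```

Any S0, E0 or C0 rating yields QM, so a HARA tool should accept those values rather than reject them; the closed-form check is a guard for the engineer maintaining the table, not a substitute for citing the standard in the safety case.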
Slide 16/30. Challenges and Concepts: Fail-safe vs. Fail-operational
Figure: intended operation interrupted by a failure; paths 1 and 2a (failure detection and reaction) lead to fail-safe, path 2b to fail-operational.
Fail-safe: bring the system into the fail-safe state to avoid any hazard. Two approaches: 1. fail-safe by design (default); 2. failure mitigation and transition to the fail-safe state. Sufficient for most "classic" automotive systems, often with mechanical back-up.
Fail-operational: the system remains operational, e.g. in a degraded but safe operation mode. Requires availability of elements assuring the required safety, i.e. a diverse / redundant architecture. Required for continuous and automated safe operation.
The safety-related system always has to be in one safe state!
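The difference between the two reactions is easiest to see in the code of a safety mechanism. The following is an added example, not Vector's code: a constructed two-channel pedal-position sensor with range diagnosis per channel and a cross-channel plausibility check. A diagnosed single-channel fault leads to degraded, fail-operational use of the remaining channel; a persistent disagreement between two in-range channels cannot be attributed to either one (no majority), so the only safe reaction is the transition to the safe state, which is absorbing until a service reset. The thresholds, cycle counts and the signal sequence are assumptions for illustration.

```c
/* Fail-operational vs. fail-safe reaction for a two-channel sensor.
 * Added example, not Vector's code. Assumed: a pedal position sensor with two
 * independent channels (0..100 %); a fault is acted on only after it has
 * persisted for FAULT_QUALIFY_CYCLES consecutive cycles. */
#include <stdio.h>
#include <stdlib.h>

#define RANGE_MIN             0
#define RANGE_MAX             100
#define PLAUS_TOL             5    /* max. channel difference still considered plausible */
#define FAULT_QUALIFY_CYCLES  3    /* debounce: cycles a fault must persist before reaction */

typedef enum { ST_NORMAL, ST_DEGRADED, ST_SAFE } state_t;

typedef struct {
    state_t state;
    int ch_valid[2];        /* 0 once a channel fault is latched (fault memory) */
    int ch_fault_cnt[2];    /* consecutive out-of-range cycles per channel */
    int implaus_cnt;        /* consecutive cycles the two channels disagree */
    int output;             /* value passed to the actuator, 0 in the safe state */
} sensor_sm_t;

void sm_init(sensor_sm_t *sm)
{
    sm->state = ST_NORMAL;
    sm->ch_valid[0] = sm->ch_valid[1] = 1;
    sm->ch_fault_cnt[0] = sm->ch_fault_cnt[1] = 0;
    sm->implaus_cnt = 0;
    sm->output = 0;
}

/* One control cycle with the raw readings of both channels; returns the new state. */
state_t sm_step(sensor_sm_t *sm, int ch0, int ch1)
{
    const int raw[2] = { ch0, ch1 };
    int in_range[2];

    if (sm->state == ST_SAFE) {         /* the safe state is absorbing until a service reset */
        sm->output = 0;
        return ST_SAFE;
    }
    /* Per-channel range diagnosis; a latched channel is never trusted again. */
    for (int i = 0; i < 2; i++) {
        in_range[i] = (raw[i] >= RANGE_MIN && raw[i] <= RANGE_MAX);
        if (!sm->ch_valid[i]) continue;
        sm->ch_fault_cnt[i] = in_range[i] ? 0 : sm->ch_fault_cnt[i] + 1;
        if (sm->ch_fault_cnt[i] >= FAULT_QUALIFY_CYCLES) sm->ch_valid[i] = 0;
    }
    int n_valid = sm->ch_valid[0] + sm->ch_valid[1];
    if (n_valid == 0) {                 /* redundancy exhausted: fail-safe */
        sm->state = ST_SAFE;
        sm->output = 0;
        return ST_SAFE;
    }
    if (n_valid == 1) {                 /* one diagnosed fault: fail-operational on the other channel */
        int i = sm->ch_valid[0] ? 0 : 1;
        sm->state = ST_DEGRADED;
        if (in_range[i]) sm->output = raw[i];   /* otherwise hold the last good value */
        return ST_DEGRADED;
    }
    if (!in_range[0] || !in_range[1])   /* fault still qualifying: hold output, no reaction yet */
        return sm->state;
    /* Both channels in range: cross-check. A persistent disagreement cannot be
     * attributed to one channel with only two of them, so the only safe reaction
     * is the safe state (a third channel would allow a 2-out-of-3 vote instead). */
    if (abs(ch0 - ch1) > PLAUS_TOL) {
        if (++sm->implaus_cnt >= FAULT_QUALIFY_CYCLES) {
            sm->state = ST_SAFE;
            sm->output = 0;
            return ST_SAFE;
        }
        return sm->state;
    }
    sm->implaus_cnt = 0;
    sm->state = ST_NORMAL;
    sm->output = (ch0 + ch1) / 2;
    return ST_NORMAL;
}

int main(void)
{
    /* Constructed cycle sequence: healthy, one-cycle glitch, persistent open circuit
     * on channel 1 (reads 250), then loss of channel 0 as well. */
    const int seq[][2] = { {40,42}, {40,250}, {40,42}, {50,250}, {50,250}, {50,250},
                           {60,0}, {-1,0}, {-1,0}, {-1,0}, {40,42} };
    static const char *const names[] = { "NORMAL", "DEGRADED", "SAFE" };
    sensor_sm_t sm;
    sm_init(&sm);
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        state_t st = sm_step(&sm, seq[i][0], seq[i][1]);
        printf("cycle %2zu ch0=%4d ch1=%4d -> %-8s output=%d\n",
               i, seq[i][0], seq[i][1], names[st], sm.output);
    }
    return 0;
}
```

The fault qualification (debounce) is what keeps a single EMC glitch from taking the vehicle into the safe state, and the latched channel flags are what make the degraded mode a fault memory rather than a mode the system silently leaves again; both belong in the technical safety concept, not only in the code.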
Slide 17/30. Challenges and Concepts: Efficient Traceability and Consistency
Figure: chain of safety artefacts with IDs, ASIL and trace links.
Item Definition -> HARA -> Hazard list and risk assessment: HZ1 (ASIL B) Hazard 1; HZ2 (ASIL D) Hazard 2; ...
-> Safety goals: SG1 (ASIL B, from HZ1, HZ3) Safety Goal 1; SG2 (ASIL D, from HZ2) Safety Goal 2; ...
-> Functional Safety Concept: FSR 1 (ASIL B, from SG1) Funct. Safety Req. 1; FSR 2 (ASIL B, from SG1) Funct. Safety Req. 2; ...
-> Technical Safety Concept: TSR 1.1 (ASIL B, from FSR 1, allocated to Komp1 [component 1] and to HW/SW) Tech. Safety Req. 1.1; TSR 1.2 (ASIL B, from FSR 1, allocated to Komp1 and to HW/SW) Tech. Safety Req. 1.2; ...
-> Test specification: TC 1 Test description; TC 2 Test description; ...
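The gaps and inconsistencies the deck warns about (slide 8) are mechanically checkable once the chain above is data. The following is an added example, not Vector's or PREEvision's code: it walks a constructed artefact list built from the slide's IDs and reports dangling trace links, ASILs that change between parent and child without a decomposition, decompositions that are not among the pairs allowed by ISO 26262-9 (the "ASIL decomposition" method from the legal-liability slide), and technical safety requirements without a test case. Record layout, field names and the seeded defects are assumptions of the example.

```c
/* Consistency checks over a safety requirements trace (SG -> FSR -> TSR -> TC).
 * Added example, not Vector's or PREEvision's code. The artefact records mirror
 * the IDs on the slide; the ASIL decomposition rules are those of ISO 26262-9. */
#include <stdio.h>
#include <string.h>

typedef enum { QM = 0, ASIL_A, ASIL_B, ASIL_C, ASIL_D } asil_t;
typedef enum { K_SG, K_FSR, K_TSR, K_TC } kind_t;

typedef struct {
    const char *id;
    kind_t kind;
    asil_t asil;              /* ignored for test cases */
    const char *parent;       /* upstream artefact, "" for safety goals */
    const char *decomp_peer;  /* sibling in an ASIL decomposition pair, "" if none */
} artefact_t;

/* Allowed decomposition pairs (order independent), ISO 26262-9 clause 5. */
static int valid_decomposition(asil_t parent, asil_t a, asil_t b)
{
    static const asil_t rules[][3] = {
        { ASIL_D, ASIL_C, ASIL_A }, { ASIL_D, ASIL_B, ASIL_B }, { ASIL_D, ASIL_D, QM },
        { ASIL_C, ASIL_B, ASIL_A }, { ASIL_C, ASIL_C, QM },
        { ASIL_B, ASIL_A, ASIL_A }, { ASIL_B, ASIL_B, QM }, { ASIL_A, ASIL_A, QM },
    };
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rules[i][0] == parent && ((rules[i][1] == a && rules[i][2] == b) ||
                                      (rules[i][1] == b && rules[i][2] == a)))
            return 1;
    return 0;
}

static const artefact_t *find(const artefact_t *a, int n, const char *id)
{
    for (int i = 0; i < n; i++) if (strcmp(a[i].id, id) == 0) return &a[i];
    return NULL;
}

static void finding(char *report, size_t cap, int *count, const char *msg)
{
    size_t used = strlen(report);
    if (used < cap) snprintf(report + used, cap - used, "%s\n", msg);
    (*count)++;
}

/* Returns the number of findings; a human-readable list is written to report. */
int check_traceability(const artefact_t *a, int n, char *report, size_t cap)
{
    static const kind_t parent_kind[] = { K_SG, K_SG, K_FSR, K_TSR };  /* indexed by kind_t */
    char msg[160];
    int count = 0;
    report[0] = '\0';
    for (int i = 0; i < n; i++) {
        const artefact_t *x = &a[i];
        if (x->kind == K_SG) continue;
        const artefact_t *p = find(a, n, x->parent);
        if (!p || p->kind != parent_kind[x->kind]) {        /* gap: dangling or wrong-level link */
            snprintf(msg, sizeof msg, "%s: parent '%s' missing or of wrong kind", x->id, x->parent);
            finding(report, cap, &count, msg);
            continue;
        }
        if (x->kind == K_TC) continue;
        if (x->decomp_peer[0]) {                            /* ASIL inherited via decomposition */
            const artefact_t *peer = find(a, n, x->decomp_peer);
            if (!peer || strcmp(peer->parent, x->parent) != 0) {
                snprintf(msg, sizeof msg, "%s: decomposition peer '%s' missing or under another parent", x->id, x->decomp_peer);
                finding(report, cap, &count, msg);
            } else if (strcmp(x->id, peer->id) < 0 && !valid_decomposition(p->asil, x->asil, peer->asil)) {
                snprintf(msg, sizeof msg, "%s + %s: not a valid decomposition of the ASIL of %s", x->id, peer->id, p->id);
                finding(report, cap, &count, msg);          /* reported once per pair */
            }
        } else if (x->asil != p->asil) {                    /* ASIL must be inherited unchanged */
            snprintf(msg, sizeof msg, "%s: ASIL differs from parent %s without decomposition", x->id, p->id);
            finding(report, cap, &count, msg);
        }
        if (x->kind == K_TSR) {                             /* every TSR needs a test case */
            int tested = 0;
            for (int j = 0; j < n; j++)
                if (a[j].kind == K_TC && strcmp(a[j].parent, x->id) == 0) tested = 1;
            if (!tested) {
                snprintf(msg, sizeof msg, "%s: no test case traces to this requirement", x->id);
                finding(report, cap, &count, msg);
            }
        }
    }
    return count;
}

/* Constructed data following the slide's IDs, plus SG2 decomposed into B(D) + B(D). */
const artefact_t trace_ok[] = {
    { "SG1", K_SG, ASIL_B, "", "" }, { "SG2", K_SG, ASIL_D, "", "" },
    { "FSR 1", K_FSR, ASIL_B, "SG1", "" }, { "FSR 2", K_FSR, ASIL_B, "SG1", "" },
    { "FSR 3", K_FSR, ASIL_B, "SG2", "FSR 4" }, { "FSR 4", K_FSR, ASIL_B, "SG2", "FSR 3" },
    { "TSR 1.1", K_TSR, ASIL_B, "FSR 1", "" }, { "TSR 1.2", K_TSR, ASIL_B, "FSR 1", "" },
    { "TC 1", K_TC, QM, "TSR 1.1", "" }, { "TC 2", K_TC, QM, "TSR 1.2", "" },
};
const int trace_ok_n = sizeof trace_ok / sizeof trace_ok[0];

/* Same data with four seeded inconsistencies (see comments). */
const artefact_t trace_bad[] = {
    { "SG1", K_SG, ASIL_B, "", "" }, { "SG2", K_SG, ASIL_D, "", "" }, { "FSR 1", K_FSR, ASIL_B, "SG1", "" },
    { "FSR 3", K_FSR, ASIL_B, "SG2", "FSR 4" }, { "FSR 4", K_FSR, ASIL_A, "SG2", "FSR 3" }, /* B(D)+A(D) not allowed */
    { "TSR 1.1", K_TSR, ASIL_A, "FSR 1", "" },  /* lowered to A without decomposition */
    { "TSR 1.2", K_TSR, ASIL_B, "FSR 1", "" },  /* has no test case */
    { "TC 1", K_TC, QM, "TSR 1.1", "" }, { "TC 2", K_TC, QM, "TSR 9", "" }, /* dangling parent */
};
const int trace_bad_n = sizeof trace_bad / sizeof trace_bad[0];

int main(void)
{
    char report[1024];
    printf("slide data: %d findings\n", check_traceability(trace_ok, trace_ok_n, report, sizeof report));
    int n = check_traceability(trace_bad, trace_bad_n, report, sizeof report);
    printf("seeded data: %d findings\n%s", n, report);
    return 0;
}
```

The same walk extends naturally to hazards and safety goals (HZ -> SG) and to the supplier boundary: the DIA discussed later in the deck defines which of these artefacts cross between OEM and Tier-1, so the check can be run on the exchanged subset before every delivery.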
Slide 18/30. Challenges and Concepts: FMEA and FTA – Safety Analysis on System and HW level
Most common methods for safety-oriented analyses:
FMEA = Failure Mode and Effects Analysis. Inductive analysis method. Used to identify root causes of failures and the effects of failures in the system. Can only be applied to an existing design or implementation.
FTA = Fault Tree Analysis. Deductive analysis method. Used to identify root causes of failures and their correlation in the system. Supports the development of design alternatives and the discovery of unexpected scenarios.
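What "correlation of root causes" and "development of design alternatives" mean in FTA terms is shown by the added example below, which is not from the deck: a small fault tree for the slide's "unexpected braking effect" hazard is evaluated quantitatively (top-event probability under the independence assumption) and searched for order-1 cut sets, i.e. single-point faults. Two variants of the same tree contrast a single pedal sensor with a cross-checked second channel. The gate structure, event names and all probabilities are constructed for illustration, not measured or FMEDA-derived values.

```c
/* Quantitative fault tree evaluation and single-point-fault search.
 * Added example, not from the deck. The tree and all failure probabilities are
 * constructed for illustration around the slide's "unexpected braking effect"
 * hazard; they are not measured or FMEDA-derived figures. */
#include <stdio.h>
#include <string.h>

typedef enum { N_BASIC, N_AND, N_OR } node_kind_t;

typedef struct node {
    const char *name;
    node_kind_t kind;
    double p;                  /* basic event probability per drive cycle (constructed) */
    const struct node *in[4];  /* gate inputs, NULL-terminated; unused for basic events */
} node_t;

/* Top-event probability assuming independent basic events:
 * AND = product of inputs, OR = 1 - product of (1 - input). */
double fta_probability(const node_t *n)
{
    if (n->kind == N_BASIC) return n->p;
    double acc = 1.0;
    for (int i = 0; i < 4 && n->in[i]; i++) {
        double pi = fta_probability(n->in[i]);
        acc *= (n->kind == N_AND) ? pi : 1.0 - pi;
    }
    return (n->kind == N_AND) ? acc : 1.0 - acc;
}

/* Boolean evaluation with exactly one basic event `active` set to true. */
static int fires(const node_t *n, const node_t *active)
{
    if (n->kind == N_BASIC) return n == active;
    int any = 0, all = 1;
    for (int i = 0; i < 4 && n->in[i]; i++) {
        int v = fires(n->in[i], active);
        any |= v;
        all &= v;
    }
    return (n->kind == N_AND) ? all : any;
}

static void collect_basics(const node_t *n, const node_t **out, int *cnt, int cap)
{
    if (n->kind == N_BASIC) {
        for (int i = 0; i < *cnt; i++) if (out[i] == n) return;  /* shared event listed once */
        if (*cnt < cap) out[(*cnt)++] = n;
        return;
    }
    for (int i = 0; i < 4 && n->in[i]; i++) collect_basics(n->in[i], out, cnt, cap);
}

/* Order-1 minimal cut sets: basic events that alone cause the top event
 * (the single-point faults that the ISO 26262-5 hardware metrics look at). */
int single_point_faults(const node_t *top, const node_t **out, int cap)
{
    const node_t *basics[32];
    int nb = 0, k = 0;
    collect_basics(top, basics, &nb, 32);
    for (int i = 0; i < nb; i++)
        if (fires(top, basics[i]) && k < cap) out[k++] = basics[i];
    return k;
}

int prob_close(double a, double b, double tol) { double d = a - b; return (d < 0 ? -d : d) < tol; }

/* Constructed basic events and two design variants of the tree. */
static const node_t b_sensor  = { "pedal sensor stuck high",           N_BASIC, 1e-4, { 0 } };
static const node_t b_sensor2 = { "second sensor channel fails alike", N_BASIC, 1e-3, { 0 } };
static const node_t b_sw      = { "control SW issues spurious demand", N_BASIC, 1e-3, { 0 } };
static const node_t b_monitor = { "plausibility monitor fails",        N_BASIC, 1e-2, { 0 } };
static const node_t g_sw_undetected = { "spurious demand not caught", N_AND, 0, { &b_sw, &b_monitor, 0 } };
/* Design A: one sensor channel feeds the brake demand directly. */
const node_t top_single_sensor = { "unexpected braking effect", N_OR, 0, { &b_sensor, &g_sw_undetected, 0 } };
/* Design B (alternative): a second channel is cross-checked against the first. */
static const node_t g_sensor_pair = { "both channels agree on a wrong value", N_AND, 0, { &b_sensor, &b_sensor2, 0 } };
const node_t top_dual_sensor = { "unexpected braking effect", N_OR, 0, { &g_sensor_pair, &g_sw_undetected, 0 } };

int main(void)
{
    const node_t *tops[] = { &top_single_sensor, &top_dual_sensor };
    const node_t *spf[8];
    for (int t = 0; t < 2; t++) {
        int n = single_point_faults(tops[t], spf, 8);
        printf("design %c: P(top) = %.3e, single-point faults: %d\n", 'A' + t, fta_probability(tops[t]), n);
        for (int i = 0; i < n; i++) printf("  - %s\n", spf[i]->name);
    }
    return 0;
}
```

Design A has one single-point fault (the sensor), design B none; the numbers only hold under the independence assumption, so the dependent-failure analysis listed on the legal-liability slide is what justifies treating the two sensor channels as independent events in the first place.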
Slide 19/30. Challenges and Concepts: Safety of the intended functionality
Safety of the intended functionality (SOTIF): the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse by persons. (ISO/PAS 21448)
Figure: the scenario space split into known safe, known unsafe, unknown safe and unknown unsafe scenarios. Starting point: large unsafe areas; goal: shrink the known unsafe and, above all, the unknown unsafe scenarios to a minimum.
Slide 20/30. Agenda: Vector Safety Experiences
Slide 21/30. Vector Safety Experiences: Vector Experiences – Support Throughout the Life-Cycle
Figure: V-model (System Req. Analysis, System Design, Component Req. Analysis, Component Design, Component Implementation, Component Integration, Component Test, System Integration, System Test) annotated with the safety artefacts supported at each stage: Item Definition, Hazard and Risk Analysis, System Safety Concept, Safety Manual, Qualitative and Quantitative Safety Analyses, Verification, Validation, Safety Case, Company Processes, Project Schedule and DIA.
Consistently plan and systematically maintain safety artefacts.
Slide 22/30. Vector Safety Experiences: Vector Experiences – Systematic Analysis and Design
Support by Vector Consulting Services and the PREEvision tool:
Single source for the item definition, based on features, requirements, operating scenarios, dependencies
Model-based design of the functional and technical safety concept, including ASIL decomposition and requirements-based tests
Slide 23/30. Vector Safety Experiences: Vector Experiences – Including the Customer and Supplier
Often insufficient information is shared between OEM and Tier-1 supplier, and between Tier-1 and Tier-2 suppliers, concerning safety-critical functions and related hazards.
Risk that system and component design is not optimized to balance safety and costs.
Our experience shows that companies which tried more intense supplier collaboration continue to do so for all critical interfaces.
Figure: OEM / Tier-1 / Tier-2 supply chain.
Perform joint workshops on requirements & design and apply a DIA.
Slide 24/30. Vector Safety Experiences: Vector Experiences – Development Interface Agreement (DIA)
Figure: list of relevant artefacts exchanged between OEM and supplier (minimum scope: ~60 artefacts), with project-specific tailoring, application and tracking.
Use the DIA for a comprehensive definition of the customer/supplier interfaces. Extend its usage to artefacts that are not safety related.
Slide 25/30. Vector Safety Experiences: Vector Experiences – Performing Audits and Assessments
Safety Audit. Purpose: evaluate the implementation of the processes required for functional safety. Perform periodic audits in projects. Combine with SPICE assessments. Perform short supplier audits before nomination, and comprehensive audits in the B sample stage.
Safety Assessment. Purpose: evaluate the achieved functional safety within the defined item, for product and process. Continuously compile the safety case as the basis for the assessment. If the OEM requests an assessment by a third party, involve the third party early.
Demand audit and assessment results from suppliers; consider the independence requirements for auditors and assessors.
Slide 26/30. Vector Safety Experiences: Vector Experiences – Security Directly Impacts Safety
Figure: the functional safety life-cycle (IEC 61508, ISO 26262) side by side with a security life-cycle.
Safety: Functional Safety Management; Hazard analysis and risk assessment; Safety Goals and Requirements; Functional and Technical Safety Concept; Safety Implementation; Safety Verification; Safety Validation; Safety Case, Certification, Approval; Operational Safety Scenarios, Hazard and Risk Assessment after SOP in service. Security is not explicitly addressed by these standards.
Security: Security Management; Assets, Threats and Risk Assessment; Security Goals and Requirements; Functions and risk mitigation, Technical Security Concept; Security Implementation; Security Verification; Security Validation; Security Case, Audit, Compliance.
What security adds: security architecture (methods, data formats and functionality from ISO 15408, SAE J3061, ISO/SAE AWI 21434), threat and risk analysis, abuse, misuse and confuse cases, security engineering. Together with safety engineering this forms safety-security engineering.
Security and safety interact and demand holistic systems engineering. For a fast start, security engineering should be connected to the safety framework.
Slide 27/30. Agenda: Conclusions and Outlook
Slide 28/30. Conclusions and Outlook: ISO 26262 Experience
Increasing functional safety capabilities:
The majority of OEMs include ISO 26262 compliance in their contracts
Independent audits and assessments are performed
Methods for qualitative and quantitative analysis are available
ASIL D capable MCUs are available
But:
Many suppliers do not have full ISO 26262 compliance because they develop based on legacy systems
Suppliers and OEMs need to further improve field observation and their ability to efficiently maintain a safety case
New suppliers, e.g. for electric powertrain or ADAS, struggle with ramping up a safety process
Security risks increasingly hamper functional safety
Functional safety processes in many cases create overheads; the same result could be achieved at much lower cost
Functional safety can be efficiently achieved on the basis of mature development processes together with a competent partner.
Slide 29/30. Conclusions and Outlook: Vector: Comprehensive Portfolio for Security and Safety
Vector Cyber Security and Safety Solutions:
AUTOSAR Basic Software
Tools (PLM, Architecture, Test, Diagnosis etc.)
Security and Safety Consulting
HW based Security
Engineering Services for Safety and Security
www.vector.com/safety, www.vector.com/security, www.vector.com/consulting
Slide 30/30. Conclusions and Outlook: Vector Safety Solutions
Trainings and media:
Training "Functional Safety with ISO 26262", Stuttgart, continuously: www.vector.com/training-safety
In-house trainings tailored to your needs, available worldwide
Free white papers: www.vector.com/media-safety
Vector Forum – Agile Scaling, scaled Agile (27 June 2019): https://www.vector.com/int/en/events/global-de-en/2019/vector-forum-2019-agile-scaling-scaled-agile/
Vector PREEvision UserDay (20-21 March 2019): https://www.vector.com/int/en/events/global-de-en/2019/vpre19/
Free Webinar: Automotive Cyber Security—Challenges and Practical Guidance (19 March 2019)