Functional Safety with ISO 26262 Webinar

Dr. Arnulf Braatz, February 19th 2019

V1.7 | 2019-02-19

Welcome and Introduction: Vector Group

Development: Vector provides tools for developing, testing, calibration and diagnostics as well as software components and development services.

Networking: Vector provides components and engineering services for the networking of electronic systems.

Optimization: Vector provides a comprehensive consulting portfolio as well as suitable tools support.

Locations: USA (Detroit), France (Paris), Germany (Brunswick, Hamburg, Karlsruhe, Munich, Regensburg), Great Britain (Birmingham), Sweden (Gothenburg), Japan (Tokyo, Nagoya), Italy (Milano), India (Pune), Korea (Seoul), Austria (Vienna), Brazil (São Paulo), China (Shanghai).

© 2018. Vector Consulting Services GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector.

Welcome and Introduction: Vector Client Survey 2019: The Fight of Two Forces

[Figure: survey chart in which "Safety & Security" is one of the plotted challenges. Horizontal axis shows short-term challenges; vertical axis shows mid-term challenges.]

Vector Client Survey 2019. Details: www.vector.com/trends. Sum > 300% due to 5 answers per question. Strong validity with 4% response rate of 2000 recipients from different industries worldwide.

Vector provides tailored consulting solutions to keep OEMs and suppliers competitive: Efficiency – Quality – Competences

Agenda

- Welcome and Introduction
- Challenges and Concepts
- Vector Safety Experiences
- Conclusions and Outlook

Challenges and Concepts: Functional Safety Challenge: Complexity and Competences

- Increasing complexity of functions
- More and more distributed development
- Rising liability risks, such as security and safety

Three dimensions of the challenge:
- Quantity: Boost in number of systems
- Maturity: Inefficient processes and tools
- Quality: Lack of experts

[Figure: timeline 1975-2025 of automotive E/E functions, growing from electronic fuel injection, anti-lock brakes, traction control and the CAN bus, via electronic stability control, gearbox control, active body control, head-up display, adaptive cruise control, lane assistant, emergency brake assist, stop-/start automatic, hybrid and electric powertrain, emergency call, tele/remote diagnostics, FlexRay and AUTOSAR, to Ethernet/IP backbone, online software updates, gesture HMI, 3D displays, laser-sourced lighting, fuel-cell technology, 5G mobile communication, connectivity/Vehicle2X, cloud computing, steer-by-wire and other x-by-wire systems, autonomous driving and mobility services.]

Challenges and Concepts: Functional Safety – Broad Exposure

Examples of hazardous failures:
- ESP: Unintended, single-sided brake effect on straight lane motion
- Electronic Park Brake: Unintended activation in motion
- Collision Avoidance: Acceleration instead of deceleration in traffic
- Airbag: Delayed deployment after crash detection

Exposure of practically all E/E functions -> Risk of liability

Challenges and Concepts: Functional Safety – Wide Impact

[Figure: V-model in which every engineering activity is affected by ISO 26262. Left leg: Idea -> System Requirements Analysis -> System Design (OEM) -> Component Requirements Analysis -> Component Design -> Component Implementation (Supplier). Right leg: Component Integration -> Component Test -> System Integration -> System Test. Management activities spanning the whole model: Project Management, Configuration Management, Requirements Management, Supplier Management, Quality Management.]

Wide impact on entire life-cycle -> Risk of gaps and inconsistencies

Challenges and Concepts: Functional Safety – Many Methods

Fault -> Error -> Failure -> Effect / Hazard:
- Fault: cause of the error, e.g. code mistake
- Error: incorrect state that may lead to a failure
- Failure: inability to perform the required function as specified

Methods per system layer, numbered by the point in the chain at which they act (1 at the fault, 2 and 3 between fault and failure, 4 between failure and effect):
1. Fault prevention: guidelines, processes
2. Fault detection: code analysis, review, test
3. Fault tolerance: redundant design, memory protection
4. Robustness: redundant shut-off, fail-operational

Many methods and techniques -> Risk of uninformed usage

Challenges and Concepts: Parts of ISO 26262:2018 – 2nd Edition – Main Changes

1. Vocabulary
2. Management of functional safety
3. Concept phase
4. Product development at the system level
5. Product development at the hardware level
6. Product development at the software level
7. Production and operation
8. Supporting processes (clauses 8-13 to 8-16)
9. ASIL-oriented and safety-oriented analyses
10. Guideline on ISO 26262
11. Application of ISO 26262 to semiconductors
12. Adaptation of ISO 26262 for motorcycles

Related: ISO/PRF PAS 21448 Road vehicles -- Safety of the intended functionality

Challenges and Concepts: ISO 26262:2018 – 2nd Edition – Selected Changes

- Part 2 (Safety Management):
  - Chapter 5.4.2 (Safety culture): The organization shall institute and maintain effective communication channels between functional safety, cybersecurity, and other disciplines ...
  - Chapter 6.4.9 (Confirmation Measures): Additional confirmation review of impact analysis, Functional Safety Concept and Technical Safety Concept
- Part 3 (Concept Phase):
  - Chapter 6.5.4 (Hazard Analysis and Risk Assessment): Variances shall be considered when conducting a hazard analysis and risk assessment for a T&B (truck and bus) vehicle (type of base vehicle, vehicle configuration and vehicle operation).
- Part 4 (Product Development at the System Level):
  - Chapter 6.4.4.6 (Technical Safety Concept): Properties of a system architectural design to avoid systematic faults, without ASIL-dependent recommendations.
- Part 5 (Product Development at the Hardware Level):
  - Chapter 7.4.4.3 (Hardware Design): Verification of the validity of assumptions when integrating a SEooC (Safety Element out of Context) into the hardware.
- Part 6 (Product Development at the Software Level):
  - Chapter 7.4.12 (Software Architectural Design): Safety mechanisms for error detection and error handling shall be applied depending on the results of the safety-oriented analyses at the software architectural level ...

Challenges and Concepts: Legal Liability: State of the art of science and technology

State of the art of science and technology:
- Process: Safety Management, Project Management, Risk Management, Quality Assurance, Requirements Mgmt., Configuration Mgmt., Test Management, ...
- Technology: Measures against random HW failures; measures against systematic failures (System, HW, SW); development of safety concepts; implementation of safety mechanisms; ...
- Methods: FMEA, FTA; FMEDA; analysis of dependent failures; ASIL decomposition; ...

Sources that define the state of the art: ISO 26262; conferences, white papers, etc.; maturity models (e.g. CMMI, SPICE); standards: laws, statutory provisions, nongovernmental standards (ISO 9001, ISO/TS 16949, etc.)

Challenges and Concepts: Basic Concept of ISO 26262: Risk Classification by "ASIL"

Risk = Severity x Probability

R = S x P_E x P_C x P_I, where S: Severity, E: Exposure, C: Controllability, I: necessary Integrity

ASIL = Automotive Safety Integrity Level (= required integrity of a function)

[Figure: risk level scale for E/E functions: tolerated risk, residual risk, risk reduced by additional functions, risk reduced by safety functions. Source: IEC 61508:2010]

Challenges and Concepts: Approaches to Risk Reduction

Risk level (ASIL) determines the measures required.

Product measures – technical measures against random HW failures:
- Redundancy
- Diagnostics
- Self-tests
- ...

Product measures – technical measures against systematic system, HW and SW failures:
- Redundancy
- Diagnostics
- Self-tests
- Modular HW/SW architecture
- Architecture patterns
- Defensive programming
- ...

Development process – methodological measures to ensure the application of a safety-conform development process:
- Design methods
- Analysis techniques
- Test methods
- Safety case
- Configuration management
- ...

ASIL = Automotive Safety Integrity Level. Goals: Avoid failures – Make unavoidable failures safe

Challenges and Concepts: Development – HARA for deriving Safety Goals and ASIL

Failure Mode              | Vehicle State         | Road Condition | Environment | E  | C  | S  | ASIL
No braking effect         | > 100 km/h            | Wet            | Highway     | E3 | C3 | S3 | C
Unexpected braking effect | > 50 km/h, < 100 km/h | Dry            | Main road   | E4 | C2 | S3 | C
Asymmetric braking effect | Parking, < 10 km/h    | Dry            | Side road   | E4 | C2 | S1 | A

- Exposure:
  - E3: 1-10% of average operating time
  - E4: > 10% of average operating time
- Controllability (average driver):
  - C2: Hazardous situation is usually controllable
  - C3: Hazardous situation is usually not controllable
- Severity:
  - S1: Light to moderate injuries
  - S3: Critical injuries
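The S/E/C -> ASIL mapping behind the table above, as an added example that is not part of the slides: the three braking hazards are constructed from the slide's rows, while the full lookup table (including the S0/E0/C0 and QM cases the slide does not show) is ISO 26262-3 Table 4 as known from the standard. The `safety_goal_asil` helper applies the rule that a safety goal addressing several hazardous events inherits the highest of their ASILs.

```python
"""ASIL determination for a HARA as in ISO 26262-3 (added example).

The three hazardous events are the rows of the braking HARA on the slide; the
full S/E/C -> ASIL lookup is ISO 26262-3 Table 4, taken from the standard.
"""
from dataclasses import dataclass

# ISO 26262-3 Table 4. Key: (severity, exposure); value: ASIL for C1, C2, C3.
# "QM" means no ASIL is assigned and normal quality management suffices.
ASIL_TABLE = {
    ("S1", "E1"): ("QM", "QM", "QM"), ("S1", "E2"): ("QM", "QM", "QM"),
    ("S1", "E3"): ("QM", "QM", "A"),  ("S1", "E4"): ("QM", "A", "B"),
    ("S2", "E1"): ("QM", "QM", "QM"), ("S2", "E2"): ("QM", "QM", "A"),
    ("S2", "E3"): ("QM", "A", "B"),   ("S2", "E4"): ("A", "B", "C"),
    ("S3", "E1"): ("QM", "QM", "A"),  ("S3", "E2"): ("QM", "A", "B"),
    ("S3", "E3"): ("A", "B", "C"),    ("S3", "E4"): ("B", "C", "D"),
}
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


def determine_asil(s: str, e: str, c: str) -> str:
    """Return "QM" or "A".."D" for a severity/exposure/controllability triple."""
    # S0 (no injuries), E0 (incredible) and C0 (controllable in general) always give QM.
    if s == "S0" or e == "E0" or c == "C0":
        return "QM"
    try:
        return ASIL_TABLE[(s, e)][int(c[1]) - 1]
    except (KeyError, IndexError, ValueError):
        # Unknown class letters or out-of-range numbers are rejected, not silently rated.
        raise ValueError(f"invalid S/E/C classification: {s} {e} {c}") from None


@dataclass(frozen=True)
class HazardousEvent:
    failure_mode: str
    situation: str  # vehicle state, road condition, environment
    e: str
    c: str
    s: str


# Constructed from the three rows of the slide's HARA table.
BRAKING_HARA = [
    HazardousEvent("No braking effect", "> 100 km/h, wet, highway", "E3", "C3", "S3"),
    HazardousEvent("Unexpected braking effect", "50-100 km/h, dry, main road", "E4", "C2", "S3"),
    HazardousEvent("Asymmetric braking effect", "parking < 10 km/h, dry, side road", "E4", "C2", "S1"),
]


def rate_hara(events):
    """Map every hazardous event to its ASIL; returns [(failure_mode, ASIL), ...]."""
    return [(ev.failure_mode, determine_asil(ev.s, ev.e, ev.c)) for ev in events]


def safety_goal_asil(events):
    """A safety goal addressing several hazardous events inherits the highest of their ASILs."""
    asils = (determine_asil(ev.s, ev.e, ev.c) for ev in events)
    return max(asils, key=ASIL_RANK.__getitem__, default="QM")
```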

Challenges and Concepts: Fail-safe vs. Fail-operational

[Figure: Intended operation -> Failure -> 1: detection and reaction -> either 2a: fail-safe or 2b: fail-operational]

Fail-safe:
- Bring the system into the fail-safe state to avoid any hazard.
- Two approaches: 1. Fail-safe by design (default); 2. Failure mitigation and transition to fail-safe state
- Sufficient for most "classic" automotive systems, often with mechanical back-up

Fail-operational:
- System remains operational, e.g. in a degraded - but safe - operation mode.
- Availability of elements assuring the required safety
- Diverse / redundant architecture
- Required for continuous and automated safe operation

The safety-related system always has to be in one safe state!

Challenges and Concepts: Efficient Traceability and Consistency

[Figure: trace chain from Item Definition through HARA and the Functional and Technical Safety Concept to test specification, each artefact carrying its ASIL and a link to its parent.]

Hazard List and Risk Assessment (from Item Definition via HARA):
- HZ1, ASIL B, Hazard 1
- HZ2, ASIL D, Hazard 2
- ...

Safety Goals (determination of safety goals):
- SG1, addresses HZ1 and HZ3, ASIL B, Safety Goal 1
- SG2, addresses HZ2, ASIL D, Safety Goal 2
- ...

Functional Safety Requirements (Functional Safety Concept):
- FSR 1, derived from SG1, ASIL B, Funct. Safety Req. 1
- FSR 2, derived from SG1, ASIL B, Funct. Safety Req. 2
- ...

Technical Safety Requirements (Technical Safety Concept):
- TSR 1.1, derived from FSR 1, ASIL B, allocated to Komp1 (HW/SW), Tech. Safety Req. 1.1
- TSR 1.2, derived from FSR 1, ASIL B, allocated to Komp1 (HW/SW), Tech. Safety Req. 1.2
- ...

Test specification:
- TC 1, Test description
- TC 2, Test description
- ...
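A consistency check over such a trace chain, as an added example that is not part of the slides and not a Vector tool format: the sample model is constructed from the slide's identifiers (HZ1/HZ2, SG1/SG2, FSR 1/2, TSR 1.1/1.2, TC 1/2, Komp1) and deliberately leaves SG2 without a functional safety requirement, which is the kind of gap the slide warns about. ASIL decomposition is assumed not to be in use, so any requirement with a lower ASIL than its parent is reported.

```python
"""Consistency check of the safety requirements trace chain (added example).

Hazard -> Safety Goal -> Functional Safety Requirement (FSR) -> Technical Safety
Requirement (TSR) -> Test Case, as on the slide. The sample model is constructed
from the slide's identifiers; it is not a Vector artefact or tool format.
"""
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

# Constructed sample. SG2 (ASIL D) has no FSR yet: the kind of gap the slide warns about.
SLIDE_MODEL = {
    "hazards": {"HZ1": "B", "HZ2": "D", "HZ3": "B"},                        # id -> ASIL
    "safety_goals": {"SG1": ("B", ["HZ1", "HZ3"]), "SG2": ("D", ["HZ2"])},  # id -> (ASIL, hazards)
    "fsrs": {"FSR 1": ("B", "SG1"), "FSR 2": ("B", "SG1")},                 # id -> (ASIL, safety goal)
    "tsrs": {"TSR 1.1": ("B", "FSR 1", "Komp1"),                            # id -> (ASIL, FSR, allocation)
             "TSR 1.2": ("B", "FSR 1", "Komp1")},
    "test_cases": {"TC 1": ["TSR 1.1"], "TC 2": ["TSR 1.2"]},               # id -> verified TSRs
}


def _check_parent(findings, rid, asil, parent, parents):
    """A derived requirement must trace to an existing parent and keep its ASIL.
    ASIL decomposition (ISO 26262-9) is not modelled, so any lower ASIL is flagged."""
    if parent not in parents:
        findings.append(f"{rid}: traces to unknown requirement {parent}")
    elif ASIL_RANK[asil] < ASIL_RANK[parents[parent]]:
        findings.append(f"{rid}: ASIL {asil} lower than parent {parent} (ASIL {parents[parent]}) without decomposition")


def check_traceability(m):
    """Return a list of findings; an empty list means the chain is complete and ASIL-consistent."""
    findings = []
    hazards, sgs, fsrs, tsrs, tcs = (m[k] for k in ("hazards", "safety_goals", "fsrs", "tsrs", "test_cases"))

    # 1. Every hazard rated above QM must be addressed by at least one safety goal.
    covered = {hz for _, hzs in sgs.values() for hz in hzs}
    for hz, asil in hazards.items():
        if ASIL_RANK[asil] > 0 and hz not in covered:
            findings.append(f"{hz} (ASIL {asil}): not addressed by any safety goal")

    # 2. A safety goal carries the highest ASIL of its hazards and must be refined by an FSR.
    for sg, (asil, hzs) in sgs.items():
        unknown = [hz for hz in hzs if hz not in hazards]
        if unknown:
            findings.append(f"{sg}: references unknown hazards {unknown}")
        need = max((ASIL_RANK[hazards[hz]] for hz in hzs if hz in hazards), default=0)
        if ASIL_RANK[asil] < need:
            findings.append(f"{sg}: ASIL {asil} is below the ASIL of its hazards")
        if not any(parent == sg for _, parent in fsrs.values()):
            findings.append(f"{sg} (ASIL {asil}): no functional safety requirement traces to it")

    # 3. FSRs trace to safety goals; 4. TSRs trace to FSRs, are allocated and are tested.
    for rid, (asil, parent) in fsrs.items():
        _check_parent(findings, rid, asil, parent, {k: v[0] for k, v in sgs.items()})
    for rid, (asil, parent, alloc) in tsrs.items():
        _check_parent(findings, rid, asil, parent, {k: v[0] for k, v in fsrs.items()})
        if not alloc:
            findings.append(f"{rid}: not allocated to a HW/SW element")
        if not any(rid in verified for verified in tcs.values()):
            findings.append(f"{rid}: no test case verifies it")
    return findings
```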

Challenges and Concepts: FMEA and FTA – Safety Analysis on System and HW level

Most common methods for safety-oriented analyses

FMEA:
- = Failure Mode and Effect Analysis
- Inductive analysis method
- Used to identify root causes of failures and effects of failures in the system.
- Can only be applied to an existing design or implementation.

FTA:
- = Fault Tree Analysis
- Deductive analysis method
- Used to identify root causes of failures and their correlation in the system.
- Development of design alternatives
- Discovery of unexpected scenarios

Challenges and Concepts: Safety of the intended functionality

Safety of the intended functionality (SOTIF) – The absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or by reasonably foreseeable misuse by persons. (PAS 21448)

[Figure: the four scenario areas (known safe scenarios, known unsafe scenarios, unknown unsafe scenarios, unknown safe scenarios) shown at the starting point and at the goal of the SOTIF activities.]


Vector Safety Experiences: Vector Experiences – Support Throughout the Life-Cycle

[Figure: safety artefacts placed on the V-model (System Req. Analysis, System Design, Component Req. Analysis, Component Design, Component Implementation, Component Integration, Component Test, System Integration, System Test): Item Definition, Hazard and Risk Analysis, System Safety Concept, Qualitative Safety Analyses, Quantitative Safety Analyses, Verification, Validation, Safety Case; supported by Company Processes, Project Manual, DIA and Project Schedule.]

Consistently plan and systematically maintain safety artefacts

Vector Safety Experiences: Vector Experiences – Systematic Analysis and Design

Support by Vector Consulting Services and the PREEvision tool:
- Single source for item definition, based on features, requirements, operating scenarios, dependencies
- Model-based design of functional and technical safety concept, including ASIL decomposition and requirements-based tests

Vector Safety Experiences: Vector Experiences – Including the Customer and Supplier

- Often insufficient information is shared between OEM and Tier-1 supplier, and between Tier-1 and Tier-2 suppliers, concerning safety-critical functions and related hazards
- Risk that system and component design is not optimized to balance safety and costs
- Our experience shows that companies which tried more intense supplier collaboration continue to do so for all critical interfaces

[Figure: OEM / Tier-1 / Tier-2 chain shown twice, once with information handed down interface by interface and once with all three parties collaborating.]

Perform joint workshops on requirements & design and apply a DIA

Vector Safety Experiences: Vector Experiences – Development Interface Agreement (DIA)

[Figure: DIA between OEM and supplier: list of relevant artefacts (minimum scope: ~ 60 artefacts), project-specific tailoring, application and tracking.]

Use the DIA for a comprehensive definition of the customer/supplier interfaces. Extend its usage to non-safety-related artefacts.

Vector Safety Experiences: Vector Experiences – Performing Audits and Assessments

Safety Audit:
- Purpose: Evaluate implementation of the processes required for functional safety
- Perform periodic audits in projects
- Combine with SPICE assessments
- Perform short supplier audits before nomination, and comprehensive audits in B sample stage

Safety Assessment:
- Purpose: Evaluate achieved functional safety within the defined item, for product and process
- Continuously compile the safety case as basis for the assessment
- If the OEM requests assessment by a third party, involve the third party early

Demand audit and assessment results from suppliers; consider the independence requirements for auditors and assessors

Vector Safety Experiences: Vector Experiences – Security Directly Impacts Safety

[Figure: two parallel life-cycles under Functional Safety Management (IEC 61508, ISO 26262) and Safety/Security Management after SOP in Service.
Safety: Operating scenarios, hazard, risk assessment -> Safety Goals and Requirements -> Functional and Technical Safety Concept -> Safety Implementation -> Safety Verification -> Safety Validation -> Safety Case, Certification, Approval.
Security: Assets, threats and risk assessment -> Security Goals and Requirements -> Functional and Technical Security Concept -> Security Implementation -> Security Verification -> Security Validation -> Security Case, Audit, Compliance.
Note on the safety standards: security not explicitly addressed.]

Safety (IEC 61508, ISO 26262):
- Hazard analysis and risk assessment
- Functions and risk mitigation
- Safety engineering

+ Security (ISO 15408, J3061, ISO/SAE AWI 21434):
- Architecture methods
- Data formats & functionality
- Threat and risk analysis
- Abuse, misuse, confuse cases
- Security engineering

Security and safety interact and demand holistic systems engineering. For a fast start, security engineering should be connected to the safety framework.


Conclusions and Outlook: ISO 26262 Experience

- Increasing functional safety capabilities
  - Majority of OEMs include ISO 26262 compliance in their contracts
  - Independent audits and assessments are performed
  - Methods for qualitative and quantitative analysis are available
  - ASIL D capable MCUs are available
- But...
  - Many suppliers do not have full ISO 26262 compliance because they develop based on legacy systems
  - Suppliers and OEMs need to further improve field observation and their ability to efficiently maintain a safety case
  - New suppliers, e.g. for electric powertrain or ADAS, struggle with ramping up a safety process
  - Security risks increasingly hamper functional safety
  - Functional safety processes in many cases create overheads – which could be done at much lower cost

Functional safety can be efficiently achieved on the basis of mature development processes together with a competent partner.

Conclusions and Outlook: Vector: Comprehensive Portfolio for Security and Safety

Vector Cyber Security and Safety Solutions:
- AUTOSAR Basic Software
- Tools (PLM, Architecture, Test, Diagnosis etc.)
- Security and Safety Consulting
- HW-based Security
- Engineering Services for Safety and Security

www.vector.com/safety, www.vector.com/security, www.vector.com/consulting

Conclusions and Outlook: Vector Safety Solutions

Trainings and media:
- Training "Functional Safety with ISO 26262", Stuttgart, continuously: www.vector.com/training-safety
- In-house trainings tailored to your needs, available worldwide
- Free white papers: www.vector.com/media-safety

Events:
- Vector Forum – Agile Scaling, scaled Agile (27 June 2019): https://www.vector.com/int/en/events/global-de-en/2019/vector-forum-2019-agile-scaling-scaled-agile/
- Vector PREEvision UserDay (20-21 March 2019): https://www.vector.com/int/en/events/global-de-en/2019/vpre19/
- Free Webinar: Automotive Cyber Security—Challenges and Practical Guidance (19 March 2019)