Professional Documents
Culture Documents
Presentation On Standard ISO 26262
Presentation On Standard ISO 26262
Presentation On Standard ISO 26262
Christian Esposito
2010 Critical Software S.A.
Generalities
Vocabulary
Management of Functional Safety
Concept Phase
Product Development: System Level
Product Development: Hardware Level
Product Development: Software Level
Production and Operation
Supporting Processes
2010 Critical Software S.A.
3
::.. ISO 26262 (1/3)
10
::.. Terms (1/8)
occurrence of failures;
11. Development Interface Agreement (DIA): agreement between
customer and supplier in which reciprocal responsibilities
are specified;
::.. Terms (3/8)
44. Single Point Failure: failure that results from a single point
fault and leads to a safety violation;
45. Single Point Fault: fault in an element that is not covered by a
safety mechanism and that leads directly to a safety
violation;
46. Systematic Failure: failure of an element or item that is
caused in a deterministic way during development phases.
2010 Critical Software S.A.
Dependable
Technologies
For Critical
MANAGEMENT OF FUNCTIONAL
Systems SAFETY
2010 Critical Software S.A.
19
::.. Safety Lifecycle
The inputs are taken from the previous outcomes, plus the
overall project plan, and the dependencies on other activities.
performed by a
person from a
different depar-
tment or orga-
nization.
::.. Recommendations for the Safety Mana-
gement during Item Development (5/6)
The confirmation measures shall be performed as follows:
2010 Critical Software S.A.
The activities for ensuring the functional safety after the item
after release for production shall be planned, and shall be
initiated during system development. The organization shall
institute processes and appoint persons for maintaining the
functional safety of the item in the lifecycle phases after release.
2010 Critical Software S.A.
42
::.. Item Definition
The outcomes of this subphase are the hazard analysis and risk
assessment, safety goals, and verification review of the previous
2010 Critical Software S.A.
outcomes.
::.. Recommendations for the Hazard
Analysis and Risk Assessment (1/3)
The operational situations and operating modes where
malfunctioning behaviour is able to trigger hazards shall be
described, both for cases when the item is correctly used and
when it is incorrectly used.
51
::.. Initiation of Product Development at the
System Level
The objective of this subphase is to determine and plan the
functional safety activities during the subphases of the system
development, included in the safety plan.
2010 Critical Software S.A.
::.. Initiation of Product Development at the
System Level
The objective of this subphase is to determine and plan the
functional safety activities during the subphases of the system
development, included in the safety plan.
specification.
::.. Initiation of Product Development at the
System Level
The objective of this subphase is to determine and plan the
functional safety activities during the subphases of the system
development, included in the safety plan.
The system will be integrated within the vehicle, and proper tests
shall be performed during such integration phase.
2010 Critical Software S.A.
81
::.. Initiation of Product Development at the
Hardware Level
The scope is to determine and plan the functional safety
activities during the individual subphases of hardware
development, which is included in the safety plan.
" !F %
diagnostic coverage: $1! ' (100
# !&
" ( ! + ! ) "( ! + ! )
SPF RF MPF S
single point faults metric: 1! =
"! "!
The parts considered are electrical and electronic ones, while for
electromechanic parts, only electrical failure modes and failure
rate are considered.
::.. Evaluation of Violation of the Safety Goal
due to Random HW Failures (2/7)
Reference target values are derived from:
Quantitative analysis techniques applied on similar well-
trusted designs using well known failure rate databases;
Field data of similar well-trusted designs;
Following table:
103
::.. Initiation of Product Development at the
Software Level (1/3)
The scope is to plan and initiate the functional safety activities
for the following subphases of the software development.
Specifically, appropriate methods, and relative tools shall be
determine to achieve the requirements of the assigned ASIL.
2010 Critical Software S.A.
::.. Initiation of Product Development at the
Software Level (2/3)
To support correctness of the design and implementation,
guidelines for the modeling, or programming languages shall
address the following topics:
2010 Critical Software S.A.
::.. Initiation of Product Development at the
Software Level (3/3)
The criteria to be considered when selecting a suitable modeling
or programming language are:
An unambiguous definition;
Support for embedded real-time software and runtime
error handling;
Support for modularity, abstraction and structured
constructs.
guidelines.
::.. Specification of Software Safety
Requirements (1/2)
The goal is to specify the software safety requirements, derived
from the technical safety concept and system design
specification, to detail the HIS requirements, and to verify that
the software requirements are consistent with the technical
safety concept and the system design specification.
software components.
hensibility;
Robustness;
Change suitability;
Testability
::.. Software Unit Design and Implementation
(3/3)
Design and implementation shall be verified to demonstrate:
Compliance with HSI;
Completeness w.r.t.
requirements and
architecture though
traceability;
C o m p l i a n c e w i t h
specification and
guidelines;
Compatibility with
Target hardware.
2010 Critical Software S.A.
126
::.. Production
130
::.. Interfaces with Distributed Developments
(1/3)
The objective is to describe procedures and allocate
responsibilities within distributed developments for items and
elements. Just as the customers safety-related specifications
concerning planning, execution and documentation for in-house
development projects, similar procedures have to be agreed for
co-operation with the supplier on distributed developments.
In the case the supplier conducts the hazard analysis and risk
assessment, the customer shall be able to read it.
The functional safety requirements shall be agreed between
customer and supplier.
::.. Interfaces with Distributed Developments
(3/3)
The supplier shall notify the customer of increasing risk of not
conforming to any provisions of the DIA, and report each safety-
related event occurring within its area of responsibility.
agreement.
::.. Specification and Management of Safety
Requirements (1/2)
The scope is to provide the correct specification of safety
requirements, and a consistent management. During the safety
lifecycle, safety requirements are specified in a hierarchical
manner, with no duplication of information within any level.
To s u p p o r t t h e
management of safety
requirements, the use
of suitable tools is
recommended.
2010 Critical Software S.A.
::.. Specification and Management of Safety
Requirements (2/2)
Safety requirements shall be specified by an appropriate
combination of natural language and the following methods:
There are two classes of TI: TI0 shall be chosen when there is an
argument that it is not possible to have a safety violation, TI1 in
other cases.
There are four classes for TD: TD1 indicated there is an high
confidence for preventing or deleting the error, TD2 is chosen in
case of a medium confidence, TD3 is chosen in case of a low
confidence, and TD$ in all other cases.
TCL2
TCL3
2010 Critical Software S.A.
TCL4
::.. Qualification of Software Tools (4/4)
Plan.
::.. Qualification of Hardware Components
(1/2)
The scope is to show the suitability of intermediate level
hardware components and parts of their use as part of items or
elements, concerning their functional behaviour and their
operational limitations; and to provide relevant information
regarding their failure modes and their distribution, and their
diagnostic capability.
151
::.. Requirements Decomposition with
Respect to ASIL Tailoring (1/3)
The objective is to provide rules for decomposing safety
requirements with ASIL tailoring, which allows implementing
safety requirements redundantly by independent architectural
elements and potentially assigning lower ASILs to these
redundant safety requirements.
functionality and its related safety mechanism, then the last one
should be assigned the highest decomposed ASIL, and the
functionality shall become a safety requirement and implemented
using its decomposed ASIL.
::.. Requirements Decomposition with
Respect to ASIL Tailoring (2/3)
If the obtained decomposed functions do not result in a safe
state by switching them off, sufficient availability of the item shall
be shown. Decomposition is applied as follows:
2010 Critical Software S.A.
::.. Requirements Decomposition with
Respect to ASIL Tailoring (3/3)
The integration of the decomposed elements shall be applied at
the ASIL before decomposition.
FMEA
Qualitative Quantitative ETA;
FTA
Methods Methods Markov models;
ETA
Reliability block
Diagrams.
::.. Safety Analyses (2/2)
The associated safety goal is to not open the door while the
vehicle speed is higher than 15 Km/h: ASILC.
165
::.. IEC 61408 vs ISO 26262 (1/2)
Confirmation reviews.
179
::.. Acknowledgement
http://www.criticalstep.eu
Contacts
181