ISO 26262 Update on development of the standard - NMI

Page 1

© HORIBA MIRA Ltd. 2017

Dr David Ward
Senior Technical Manager, Functional Safety
January 2017

ISO 26262: Update on development of the standard

Page 2

Agenda

Why update ISO 26262?

What is the process for updating the standard?

Current status of Edition 2 draft and key changes

Wider standardization activities

Conclusion and outlook

Page 3

A frequently asked question …

ISO 26262 was officially published on 15 November 2011

Almost immediately on 16 November 2011 … "What's going to be in Edition 2 of the standard?"

Page 4

Why update ISO 26262?

Specific requirements to adapt ISO 26262 to
- Extend scope to other types of vehicles (motorcycles, trucks, buses)
  o Motorcycles: ISO/PAS 19695 and new Part 12 in Edition 2
- Give additional guidance on semiconductor devices
  o ISO/PAS 19451 and new Part 11 in Edition 2
- Address ADAS-related hazards caused by "normal operation" of the sensors
  o Currently will be developed as a separate PAS (ISO/PAS 21448)

Other challenges include

- Addressing highly distributed architectures

- Moves towards highly automated vehicles

- Cybersecurity

Page 5

ISO timescales

- Require at least 3 years from first publication before revision starts

- Likely timescale for full Edition 2 is ~ 2018 based on a 36 month project

- Specific needs will be addressed earlier in a PAS (Publicly Available Specification)

Timescales are approximate and may be subject to change!

Timescales for the revision (simplified):
Preparation → CD ballot → Comments processing → DIS ballot → Comments processing → FDIS ballot → Publication
Milestones marked on the timeline: January 2016, September 2016, September 2017, Q1/2018

We are here! The DIS comments are being processed …

Page 6

Key changes being considered for Edition 2

Disclaimer: The DIS, although publicly available, is still a draft and many of the concepts are still subject to discussion and change!

Key changes to be covered today include
- Structure of the standard
- Extensions to other types of vehicles
- Vocabulary – definition of FTTI
- Safety management – process aspects, confirmation measures, link to cybersecurity
- Concept phase – item definition, low probability situations, examples
- Product development at the hardware level
- Product development at the software level
- Supporting processes
- Semiconductors

Page 7

The structure of ISO 26262 Edition 2

Part 1 Vocabulary
Part 2 Management of functional safety
Part 3 Concept phase
Part 4 Product development: system level
Part 5 Product development: hardware level
Part 6 Product development: software level
Part 7 Production, operation, service and decommissioning
Part 8 Supporting processes
Part 9 ASIL-oriented and safety-oriented analyses
Part 10 Guideline on ISO 26262 (informative)
Part 11 Guideline on application of ISO 26262 to semiconductors (informative)
Part 12 Adaptation of ISO 26262 for motorcycles

Annotations on the structure diagram:
- Safety management aspects merged from Parts 3 to 6
- Safety assessment moved to Part 2
- New processes for T&B

Page 8

Summary of additions and modifications to ISO 26262 Edition 2 – as at DIS version

Scope update to include motorcycles and trucks and buses (T&B)
- New Part 12 for motorcycles (merge in of ISO/PAS 19695)
- T&B requirements integrated into existing parts

New Part 11 – guideline for semiconductors (merge in of ISO/PAS 19451)

All other Parts have been modified

Functional Safety Assessment now focused on achieving the "Objective" clauses
- "Objectives" clauses have been improved throughout

Functional safety management from Parts 3 – 6 merged into Part 2
- Reference to "refined" work products generally removed

Page 9

Summary of additions and modifications to ISO 26262 Edition 2 – as at DIS version

Cybersecurity remains out of scope
- High level informative guidance for the safety practitioner in Part 2
- New joint SAE/ISO WG11 will develop a new cybersecurity standard

Safety of the Intended Functionality (SOTIF), e.g. automated features, not explicitly included
- Though NWIP (new work item proposal) initiated to continue this activity and will be part of WG8 (ISO/PAS 21448)

Definition of ++ and + in tables of methods updated
- For consecutive entries, all listed highly recommended and recommended methods in accordance with the ASIL apply. It is allowed to substitute a highly recommended or recommended method by other one(s) not listed in the table, but a rationale shall be given that these comply with the corresponding requirement. A recommended method may be omitted, but a rationale why this method is omitted shall be given.
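As an added example (not code from the slides, from HORIBA MIRA, or from the standard), the Python below encodes the ++/+ rule quoted above as a checker that can be run over a project's method selection before a confirmation review. The table of methods, the method names and the project's choices are constructed sample data, and the checker treats every entry it is given as a "consecutive" entry of the table:

```python
"""Checker for the '++' / '+' rule in ISO 26262 tables of methods.

Rule modelled (as quoted on the slide): for the ASIL in question every listed
highly recommended (++) and recommended (+) method applies; either may be
replaced by an unlisted method if a rationale is given that the replacement
complies with the corresponding requirement; a recommended (+) method may be
omitted with a rationale, while a highly recommended (++) method may not
simply be dropped. Table contents below are constructed, not the standard's.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

HIGHLY_RECOMMENDED = "++"
RECOMMENDED = "+"
NO_RECOMMENDATION = "o"

ASILS = ("A", "B", "C", "D")


@dataclass
class MethodChoice:
    """What the project did about one table entry."""
    applied: bool = False               # the listed method is used as-is
    substitute: Optional[str] = None    # unlisted method used instead
    rationale: Optional[str] = None     # argument required for substitution/omission


def check_methods_table(
    table: Dict[str, Dict[str, str]],
    asil: str,
    choices: Dict[str, MethodChoice],
) -> List[str]:
    """Return one finding per table entry that does not satisfy the rule for `asil`."""
    if asil not in ASILS:
        raise ValueError(f"unknown ASIL {asil!r}")
    findings: List[str] = []
    for method, levels in table.items():
        level = levels[asil]
        choice = choices.get(method, MethodChoice())
        if level == NO_RECOMMENDATION or choice.applied:
            continue  # nothing required, or the listed method is in use
        if choice.substitute:
            # Substitution is allowed for ++ and + alike, but only with a rationale
            # that the replacement meets the corresponding requirement.
            if not choice.rationale:
                findings.append(
                    f"{method} ({level} at ASIL {asil}): substituted by "
                    f"'{choice.substitute}' without a rationale")
            continue
        if level == HIGHLY_RECOMMENDED:
            findings.append(
                f"{method} (++ at ASIL {asil}): highly recommended method "
                f"neither applied nor substituted")
        elif level == RECOMMENDED and not choice.rationale:
            findings.append(
                f"{method} (+ at ASIL {asil}): recommended method omitted "
                f"without a rationale")
    return findings


# Constructed sample table: recommendation level per ASIL for three methods
# (names and levels are illustrative and deliberately not copied from the standard).
SAMPLE_TABLE = {
    "1a Method alpha": {"A": "+", "B": "++", "C": "++", "D": "++"},
    "1b Method beta":  {"A": "+", "B": "+",  "C": "+",  "D": "++"},
    "1c Method gamma": {"A": "o", "B": "+",  "C": "++", "D": "++"},
}

# Constructed project choices for an element: one set missing a rationale, one complete.
SAMPLE_CHOICES_INCOMPLETE = {
    "1a Method alpha": MethodChoice(applied=True),
    "1b Method beta":  MethodChoice(rationale="covered by 1a on this element"),
    "1c Method gamma": MethodChoice(substitute="in-house method delta"),  # no rationale
}

SAMPLE_CHOICES_COMPLETE = {
    "1a Method alpha": MethodChoice(applied=True),
    "1b Method beta":  MethodChoice(rationale="covered by 1a on this element"),
    "1c Method gamma": MethodChoice(substitute="in-house method delta",
                                    rationale="delta meets the same requirement"),
}


if __name__ == "__main__":
    for finding in check_methods_table(SAMPLE_TABLE, "C", SAMPLE_CHOICES_INCOMPLETE):
        print("NON-COMPLIANT:", finding)
    # At ASIL D the same complete set fails, because 1b becomes ++ and was only omitted.
    for finding in check_methods_table(SAMPLE_TABLE, "D", SAMPLE_CHOICES_COMPLETE):
        print("NON-COMPLIANT at ASIL D:", finding)
```

Running the same choices against a higher ASIL is the useful part of the check: an omission that is acceptable where a method is only recommended becomes a non-compliance once the method is highly recommended, which is exactly what a reviewer looks for when an element's ASIL is raised.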

Page 10

What types of vehicles are in the future scope of ISO 26262?

Now proposed to replace "series production" with "production road vehicles"

Production road vehicles = a passenger car, T&B or motorcycle whose intended use is for public highways and is not a prototype

Class of vehicle   In scope?     Status
L1/L2              Excluded
L3/L4/L5           In scope      PAS; Part 12
L6/L7              Not defined
M1                 In scope      Edition 1
M2/M3              In scope      Integration into Edition 2
N1/N2/N3           In scope      Integration into Edition 2
O1/O2/O3           In scope      Integration into Edition 2
Other categories   Not defined

Page 11

Trucks and buses

Unlike motorcycles, truck and bus requirements are integrated into the main Parts of the standard, e.g.
- Some specific requirements for hazard analysis and risk assessment
  o Management of variants in performing the analysis
  o Integration of truck and bus examples in the tables of Annex B
- New supporting processes for
  o Development of a base vehicle for an application out of scope of ISO 26262
  o Integration of safety elements developed out of scope of ISO 26262

Page 12

Fault tolerant time interval

Figure (no safety mechanism implemented): normal operation → fault → hazardous event develops → hazardous event, along a time axis; the fault tolerant time interval runs from the fault to the hazardous event.

Page 13

Fault tolerant time interval

Figure (two timelines):
- No safety mechanism implemented: normal operation → fault → hazardous event develops → hazardous event; fault tolerant time interval from the fault to the hazardous event.
- Safety mechanism implemented: normal operation → fault (undetected fault) → fault detection → transition to safe state → safe state; fault detection time interval from the fault to its detection, fault reaction time interval from detection to the safe state, with the diagnostic test time intervals marked along the time axis.

Page 14

Fault tolerant time interval

Figure (two timelines):
- No safety mechanism implemented: normal operation → fault → hazardous event develops → hazardous event; fault tolerant time interval from the fault to the hazardous event.
- Safety mechanism implemented with emergency operation: normal operation → fault (undetected fault) → fault detection → transition to emergency operation → emergency operation → safe state; fault detection time interval from the fault to its detection, fault reaction time interval from detection to reaching emergency operation, emergency operation time interval until the safe state, with the diagnostic test time intervals marked along the time axis.

Page 15

FTTI – fundamentally the same as Edition 1

Modified definition
- Minimum time span from occurrence of a fault in an item to occurrence of a hazardous event could occur [typo!], if a safety mechanism is not activated

FTTI considered/defined without safety mechanisms of the item
- "Fault handling time interval" introduced to define time limits at element level

FTTI stated as an attribute of Safety Goal at item level
- See Notes in Part 1 Clause 3.58 and Part 3 Clause 6.4.4.2

Page 16

Fault detection time interval (FDTI) and Fault reaction time interval (FRTI)

Fault detection time interval (FDTI)
- Time-span from the occurrence of a fault to the detection of a fault
- Determined independently of diagnostics test interval

Fault reaction time interval (FRTI)
- Time-span from the detection of a fault to reaching the safe state or to reaching emergency operation

Figure: normal operation → fault (undetected fault) → fault detection → transition to safe state → safe state, with the diagnostic test time intervals marked along the time axis; fault detection time interval (FDTI) from the fault to its detection, fault reaction time interval (FRTI) from detection to the safe state, fault handling time interval = FDTI + FRTI.

Page 17

Partitioning of FTTI in requirements hierarchy

FTTI at item level

FDTI and FRTI specified as part of safety concept (FSC and/or TSC)

FDTI and FRTI partitioned and allocated to system, hardware or software elements
- Verified against the parent

Figure (requirements hierarchy): FTTI (SG) at the top; below it FDTI (FSC) + FRTI (FSC); FDTI (FSC) is partitioned into FDTI (TSC SW) + FDTI (TSC HW), and FRTI (FSC) into FRTI (TSC SW) + FRTI (TSC HW).

Page 18

Functional safety management

Many "planning" activities being moved into Part 2 so that most process-related requirements are in that Part

Key new requirement to create and maintain effective communication channels between functional safety and other disciplines that are related to functional safety
- Cybersecurity is the key activity but other disciplines can also be related

New Annex showing example interfaces between functional safety and cybersecurity
- Does not mention specific cybersecurity work products
- Some examples included in Part 4; comments on DIS to put similar content into Part 6

Revisions to confirmation reviews – now much more focussed on "assessment" style than simply a tick-box exercise

Safety case now explicitly required to be an argument

Page 19

Confirmation measures – independence requirements

Confirmation measure                              QM   ASIL A   ASIL B   ASIL C   ASIL D
Impact analysis                                   I3   I3       I3       I3       I3
Hazard analysis                                   I3   I3       I3       I3       I3
Safety plan                                       –    I1       I1       I2       I3
Functional safety concept                         –    I1       I1       I2       I3
Technical safety concept                          –    I1       I1       I2       I3
Item integration and verification specification  –    I0       I1       I2       I2
Safety validation specification                   –    I0       I1       I2       I2
Safety analyses (FMEA, FTA, etc.)                 –    I1       I1       I2       I3
Completeness of safety case                       –    I1       I1       I2       I3
Functional safety audit                           –    I0       I0       I2       I3
Functional safety assessment                      –    I0       I1       I2       I3
(– = no entry shown on the slide)

Source: ISO/DIS 26262:2018 Part 2 Table 1

Page 20

Requirements for T&B in Parts 2 and 8: interfaces and integration to other standards/domains

Integration of an item developed to ISO 26262 into a vehicle out of scope (Part 8 Clause 15)
- Safety goals of item/vehicle are not violated in another domain
- e.g. brake "item" developed to ISO 26262 used in agricultural equipment

Item integration with other systems/subsystems that are not developed to ISO 26262 (Part 8 Clause 16)
- e.g. subsystem supplier develops to ISO 13849

Application according to ISO 26262

Page 21

Concept phase

Still some debate over meaning of "item" definition vs "function" definition

Previous proposal to include a new class E0* for combination of rare events (e.g. an EV crashes into a lake and HV is exposed)
- E0* not included in DIS; instead, possibility to reduce {S3, C3, E1} from ASIL A to QM if an additional argument is provided

Annex B tables shortened to emphasize they are examples

Page 22

Product development at the hardware level

Evaluation of safety goal violations due to random hardware failures
- Probabilistic metric (PMHF / Method 1)
  o Possibility to increase target values by up to one order of magnitude for items composed of multiple systems
- Previous proposal for a new "residual risk assessment method" was withdrawn

Example architectures for fault tolerant implementations

Page 23

Example of PMHF budget assignment for item consisting of two systems (Annex G)

Provides an example procedure for budgeting PMHF across two systems which both contribute to the same safety goal

Considers an example item architecture with two systems

Provides an example PMHF target allocation

Page 24

ISO 26262 Part 6 reference phase model

Figure: V-model of the Part 6 reference phase model.
- Left (design) side: 4-7 System design; 6-5 Initiation of product development at the software level; 6-6 Specification of software safety requirements; 6-7 Software architectural design; 6-8 Software unit design and implementation (design phase verification at each step).
- Right (test) side: 6-9 Software unit verification; 6-10 Software integration and verification; 6-11 Testing of the embedded software; 4-8 Item integration and testing (test phase verification: software analysis and testing, software testing, item testing).

Page 25

Part 6 Annexes (expanded Annex B, new Annex E)

Annex B (informative) rewritten and expanded to cover wider aspects of model-based development approaches (not only code generation)

New Annex E (informative) "Application of safety analyses and analyses of dependent failures at the software architectural level" (Figure E.1 describes restructure of clause 6.4.1)

Page 26

Supporting processes – Part 8

Clause 11 – confidence in the use of software tools
- New proposals were introduced in the CD including a further TI level to apply to verification tools
- Agreement wasn't reached, so for the DIS this reverts to the Edition 1 scheme
- This may however be revisited in a future Edition …

Clause 13 – qualification of hardware components
- New approach to defining "complexity"
- This is likely to be further developed during the DIS/FDIS phase

Page 27

Confidence in the use of software tools (Clause 11)

Simplified overview of tool confidence activities

Page 28

Evaluation of hardware elements (Clause 13)

Clause 13 heading changed
- From "Qualification of hardware components" to "Evaluation of hardware elements"

The objective has been expanded to include COTS hardware components/parts or custom hardware components/parts that are not developed to ISO 26262 (or do not achieve compliance with ISO 26262)

New approach to defining "complexity" in terms of Class of element
- Class I – if element has no or a few states and can be tested; all safety-related failure modes can be evaluated without detailed knowledge of the element; has no internal safety mechanisms
- Class II – if element has manageable state space and can be analysed; documented systematic faults; no internal safety mechanisms
- Class III – if element has state space impossible to analyse; sources of systematic faults only understood with detailed knowledge of development/production; element has internal safety mechanisms

Page 29

Semiconductors

Common topics
• Intellectual property
• Base failure rate estimation
• Semiconductor dependent failures analysis
• Fault injection
• Production and operation
• Interfaces within distributed developments
• Confirmation measures and functional safety audit
• Clarification of hardware integration and testing

Specific semiconductor technologies and use cases
• Digital components and memories
• Analogue/mixed signal components
• Programmable logic devices
• Multi-core components
• Sensors and transducers

Page 30

Motorcycles

Part 12 contains requirements for
- Functional safety management (concept phase and product development)
  o Maximum I2 independence
  o Reference to cybersecurity removed; several national comments on the DIS object to this
- Hazard analysis and risk assessment
  o Use of MSILs
  o Example tables

Chapters from the PAS on vehicle integration and testing and safety validation have been re-included in Part 12 as at DIS version

UK has argued for deeper integration but this has been rejected by the motorcycle lobby

Page 31

What are the challenges we perceive?

Differing approaches to interpreting and applying the standard still exist globally

Discussions on cybersecurity highlight the narrow focus of ISO 26262 compared to system safety and wider issues of system dependability

Some issues associated with autonomous vehicles have been acknowledged but it is unlikely the standard will fully address autonomy in the timescales being discussed for their deployment
- Availability requirements and SOTIF are a start however …

Vision for 2025 (personal opinion!)
- Edition 3 of ISO 26262?
- Majority of cars on the road will have at least one SAE Level 1 (or above) application
- Level 3+ systems will become more prevalent along with new entrants / new modes

Page 32

Conclusions

ISO 26262 is already well established as the "state of the art" in development of automotive safety-related systems

Still some variance in actual practice

Edition 2 is under preparation addressing some of the issues in application of Edition 1 and future trends

Further work remains to be done, particularly addressing wider issues, for example
- System assurance
- Highly automated vehicles

Page 33

Contact details

HORIBA MIRA Ltd, Watling Street, Nuneaton, Warwickshire, CV10 0TU, UK

T: (024) 7635 5000

F: (024) 7635 8000

www.horiba-mira.com

Dr David Ward MA (Cantab), PhD, CEng, CPhys, MInstP, MIEEE, MSAE

Senior Technical Manager, Functional Safety

Direct T: (024) 7635 5430

E: [email protected]