ISO 26262 Functional Safety Management in the Autonomous Car industry and the overview of the required safety lifecycle
TÜV SÜD America
PSES San Diego Chapter Meeting, Sep. 12, 2017
TÜV SÜD AG Slide 1
Functional Safety Expert: Peter Spence
Peter Spence, "Functional Safety Expert" consultant with TÜV SÜD America since July 2014
Background:
• 9 years Weapon Eng. Office Nuclear Safety, Royal Navy
• 6 years Qualcomm/G* Inc, A-GPS, Software Processes, Tools + Config, Python, Perl
• 5 years Exxon-Mobil, PLC/Logic Controls Software, Safety shutdown systems
• 2 years Samsung Electronics, PLC/Instrumentation Logic controls/Safety shutdown systems, risk assessment/analysis
• 5 years Applied Materials, Semi design 300mm Projects
• International standardization (ISO 26262, ISO 13849 & IEC 62061, IEC 61800-5-2, IEC 61508, System Test and logic design, IEC 61010)
• Functional Safety BSc from University of London, England
150 years TÜV SÜD – 150 years of inspiring trust
Inspiring trust since 1866. The year 2016 marks the 150th anniversary of TÜV SÜD. Since 1866, the company has been partnering with businesses and inspiring people to trust in new technologies. Today, TÜV SÜD has grown into an international service company with global representation in over 800 locations, and with over 50 per cent of its employees working outside Germany. In the decades to come, it will continue to make the world a safer place as a future-oriented company shaping the "next practice" in safety, quality and sustainability.
TÜV SÜD Automotive Functional Safety
TÜV SÜD Auto Service GmbH:
• National and international Homologation
• Vehicle Emission Testing
• ECE 13 and ECE 79
TÜV SÜD Rail GmbH, Team Automotive (Head of Functional Safety):
• Evaluation of concepts, systems, components and processes regarding functional safety
• Automotive specific safety
• Trainings regarding functional safety
• ISO 26262 Audits and Assessments
• Electronic Annexes – ISO 26262
TÜV SÜD Rail GmbH:
• Evaluation of safety systems for railway, infrastructure and automation
• Analytical Expertise
• Evaluation of generic safety systems (µC, SW Tools)
• IEC 61508, ISO 25119, EN 50128, ...
Knowledge transfer between the teams.
TÜV SÜD Rail GmbH 25.09.2017 Folie 4 18.01.2017
ISO 26262 Services: CTCT (Certification, Training, Consulting, Testing)
Certification:
• Product Certification
• Generic SW Tool Certification
• Process Certification
Training:
• ISO 26262 Training: Basic – Advanced – Expert
• IEC 62443 Training
• Functional Safety Certification Program (FSCP)
Consulting:
• Assessments
• Workshops
• Supplier Audits
• Development accompanying support
Testing:
• Penetration Tests
Agenda
• What is functional safety?
• Principles and concepts
• Principles and concepts per ISO 26262
• Requirements management and traceability
• Tool qualification and certification
Functional Safety Standards - Overview
• International (generic): IEC 61508, Functional safety of electrical/electronic/programmable electronic safety related systems
• Medical: IEC 62304, Software for medical devices
• Process industry: IEC 61511, Safety instrumented systems for the process industry sector
• Avionics: ARP 4761, ARP 4754, RTCA/DO 178C, RTCA/DO 254, ...
• Machines: ISO 13849, IEC 62061, Safety of machines
• Railway: EN 50126, EN 50128, EN 50129
• Nuclear power: IEC 60880 (Nuclear power – control technology, software aspects), IEC 61513
• Gas measurement: EN 50271, EN 50402, Functional safety of gas warning systems
• Automotive: ISO 26262, Functional safety "road vehicles"
• Software lifecycle processes: ISO/IEC 15504 SPICE/Automotive SPICE, ISO/IEC 12207 Software lifecycle process techniques
What is functional Safety?
[Risk matrix figure: Probability axis (impossible, improbable, seldom, sporadic, always) plotted against Severity axis (nothing, low, medium, high, extreme). The upper region is marked "risk not acceptable", the lower region "risk acceptable", and "Functional Safety" is labelled at the boundary between the two.]
What is functional safety?
Functional Safety means:
• Something has to work in critical situations
Functional Safety is:
• Not visible to the user
• Only partly testable for hardware (wiring plan)
• For software, it has to be rooted in the development process
Functional Safety goal:
• Risk reduction according to ASIL
Definitions (ISO 26262)
• Safety: Absence of unreasonable risk
• Risk: Combination of the probability of occurrence of harm and the severity of that harm
• Harm: Physical injury or damage to the health of persons
The goal is to reduce the risk to a socially accepted level.
Legal situation
Due to the mostly mechatronic implementation and the increasing technological complexity of software and hardware, both systematic failures and random hardware failures have to be taken into account in the context of functional safety.
Topics to be investigated:
Legal requirements for homologation (process for certification):
• Legally binding
• Application of, e.g., EU directives and ECE regulations (Europe), FMVSS (USA)
Product liability:
• Recommended
• Application of IEC, ISO, EN or DIN standards ("state of the art")
Functional Safety: Risks caused by malfunctions in a vehicle
Potential failures:
• Functional failures: unintended acceleration, unintended deceleration, unintended loss of acceleration, unintended loss of deceleration, unintended vehicle movement
• Non-functional failures: high voltage, fire, explosion
Risk reduction measures:
• Functional measures: monitoring functions (safety functions, e.g., pinch protection), reliability of the target function
• Design measures, e.g., isolation
• Organizational measures, e.g., operation procedures, driver instruction
What is Functional Safety?
• What does it mean for a product, subsystem, or component?
– Example: Motor drives for electric vehicles (source: siemens.com)
- Developed and certified to IEC 61800-5-1 or UL 508C:
- You can touch it
- It doesn't start a fire
- No dangerous emissions or emanations
- => a safe product in terms of risks for fire, shock, and injury.
What is Functional Safety?
• Example: Motor drive in the powertrain of a hybrid electric vehicle (source: wikipedia.com)
- Still "safe"?
- Unintended acceleration!
- Safety beyond the single product: SYSTEM SAFETY!
- Depends on the correctness of the product's functions, implemented in electronics and software: FUNCTIONAL SAFETY
Today: Software-intensive automotive control systems
[Figure: a vehicle outline labelled with its electronic control functions: Event Data Recorder, Active Cabin Noise Suppression, Cabin Environment Controls, Night Vision, Driver Alertness Monitoring, Entertainment System, Wiper Control, Voice/Data Communications, Interior Lighting, Seat Position Control, Battery Management, Engine Control, Accident Recorder, DSRC, Lane Correction, Airbag Control, Instrument Cluster, Electronic Toll Collection, Adaptive Front Lighting, Digital Turn Signals, Navigation System, Adaptive Cruise Control, Security System, Active Exhaust Noise Suppression, Automatic Braking, Electric Power Steering, Active Suspension, Hill-Hold Control, Electronic Transmission Control, OBDII, Antilock Braking, Electronic Throttle Control, Stability Control, Idle Stop/Start, Regenerative Braking, Active Vibration Control, Remote Keyless Entry System, Parking Control, Electronic Valve Timing, Lane Departure Warning, Tire Pressure Monitoring, Active Yaw Control, Cylinder De-activation, Blindspot Detection.]
Immediate future: Connected car, autonomous driving
Functional safety challenges:
• Advanced sensing and intelligence
• Driver behaviour and responsibility
• System of systems, socio-technical system
• Cybersecurity as a safety risk
Scope of ISO 26262:2018, 2nd Ed.
ISO 26262 is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production road vehicles, excluding mopeds. ISO 26262 does not address unique E/E systems in special vehicles such as E/E systems designed for drivers with disabilities.
Scope of ISO 26262:2011 / 2018
ISO 26262 addresses possible hazards caused by malfunctioning behavior of safety-related E/E systems, including the interaction of these systems.
Note: It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behavior of safety-related E/E systems.
ISO 26262 does not address the nominal performance of E/E systems, even if functional performance standards exist for these systems (e.g. active and passive safety systems, brake systems, adaptive cruise control).