Functional Safety
Hazard & Risk Analysis
This presentation was prepared exclusively for the benefit and internal use of the customer and does not carry any right of publication or disclosure to any other party.
No right to publish or distribute this document is granted, either expressly or implicitly, to any third party.
The present original document was produced by CEFRIEL and no third party may claim any right or paternity on it.
No part of this document may be reproduced. The entire document or part of it may not be used for any personal interest without any previous written authorization from CEFRIEL.
CEFRIEL OVERVIEW
December 2011
Center of excellence for research, innovation and education in Information & Communication Technologies
Independent, super-partes and not-for-profit organization
Bridging the gap between industries and academia to boost innovation
[Figure: CEFRIEL Unique Value Proposition - CEFRIEL positioned between academic universities and industrial companies along the Research / Innovation / Market Delivery axis, each rated Low, Medium or High]
[Figure: Research, Education and Innovation, linked by Knowledge and IP Sharing and Knowledge and IP Application]
FUNCTIONAL SAFETY: (Brief) Introduction
What is Functional Safety? What is Functional Safety about?
• IEC 61508 definitions:
  • Safety is the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.
  • Risk is a combination of the probability of occurrence of harm and the severity of that harm.
  • Functional Safety is part of the overall safety that depends on a system or equipment operating correctly (i.e. performing a safety function) in response to its inputs.
• Functional Safety is thus about achieving "absence of unreasonable risk due to hazards (potential sources of harm) caused by malfunctioning behavior of the electrical/electronic/programmable electronic (E/E/PE) systems".
• Failures are the main impairment to safety:
  • Systematic Failures: failures related in a deterministic way to a certain cause that can only be eliminated by a change of the design or of the manufacturing process, operational procedures, documentation or other relevant factors → ROBUST PROCESS
  • Random HW Failures: failures that can occur unpredictably during the lifetime of the hardware
Functional Safety standards
• INDUSTRIAL AUTOMATION: IEC 61508
• MEDICAL: IEC 60601, IEC 62304
• PROCESS INDUSTRY: IEC 61511
• TRANSPORTATION: EN 50126, EN 50128, EN 50129
• MACHINERY: IEC 62061
• NUCLEAR: IEC 61513, IEC 60880, IEC 60987, IEC 61226
• AUTOMOTIVE: ISO 26262
Risk Reduction
• The risk emerging from the EUC (Equipment Under Control) is classified according to its tolerability
• A risk is at a tolerable level if the involved persons (the society) can accept it
• Standards and rules describe methods to determine the limits of acceptance
• If such a risk is not tolerable, it must be reduced by means of suitable measures (standards and rules describe measures to reduce risk to an accepted level):
  • E/E/PE measures
  • Other technology measures (e.g., mechanic, hydraulic, …)
  • External risk reduction measures or facilities (e.g., instructions, labels, safety fences, …)
[Figure: risk reduction diagram. Along a rising-risk axis: Tolerable risk, Residual risk, Non tolerable risk. The necessary risk reduction brings the risk down to the tolerable level; the actual risk reduction, achieved by all safety-related systems and external risk reduction facilities, is made up of the partial risk covered by E/E/PE measures, the partial risk covered by other technology and the partial risk covered by external measures.]
Risk Reduction - Example
[Figure: the risk reduction diagram (rising risk; Non tolerable risk / Residual risk / Tolerable risk; necessary vs actual risk reduction) drawn for three brake systems, showing for each the share of risk covered by other technology, by E/E/PE measures and by external measures:
• CONVENTIONAL BRAKE (mechanics, hydraulics)
• ELECTRO HYDRAULIC BRAKE (hydraulic backup)
• ELECTRO MECHANIC BRAKE]
Safety Function vs Safety Integrity
• Key concepts in the IEC 61508 standard are RISK and SAFETY FUNCTION
• Risk is a function of the frequency (or likelihood) of the hazardous event and of the severity of its consequences
• Risk is reduced to a tolerable level by applying safety functions.
• The SIL (Safety Integrity Level) is the measure of the "risk reduction level" of the Safety Function.
SAFETY FUNCTION
Function which is intended to achieve or maintain a safe state for the equipment under control (EUC) in respect to a specific hazardous event.
SAFETY INTEGRITY
• Probability of a safety-related system satisfactorily performing the required safety function under all stated conditions within a stated period of time (process safety time)
• Four levels of safety integrity (SIL 1 to 4)
• Consider all causes of failures (random HW faults and systematic failures) which lead to an unsafe state
SAFETY-RELATED SYSTEM
Designated system that both:
• Implements the required safety functions necessary to achieve and maintain a safe state for the EUC
• Is intended to achieve, on its own or with other E/E/PE safety-related systems, other technology safety-related systems or external risk reduction facilities, the necessary safety integrity for the required safety functions
Safety Integrity Level
• According to IEC 61508:
  • The Safety Integrity Level describes the level of the required risk reduction
  • Scale with 4 levels (SIL 1 to SIL 4): SIL 1 = low, SIL 4 = high
  • Identification by approved measures (risk analysis)
  • Derivation of requirements and measures for the risk reduction depending on the SIL
• According to ISO 26262:
  • The Automotive Safety Integrity Level describes the level of the required risk reduction
  • Scale with 4 levels (ASIL A to ASIL D): ASIL A = low, ASIL D = high
  • Identification by the method proposed in the standard
Correspondence between the two scales:
IEC 61508   ISO 26262
-           QM
SIL 1       ASIL A
SIL 2       ASIL B
SIL 3       ASIL C, ASIL D
SIL 4       -
Development of Safety Function
• The development of Safety Functions requires the following main steps:
  • Identify and analyze the risks
  • Determine the tolerability of each risk
  • Determine the risk reduction necessary for each intolerable risk
  • Specify the safety requirements for each risk reduction, including their Safety Integrity Level
  • Design the Safety Functions to meet the safety requirements
  • Implement the safety functions
  • Validate the safety functions
• The safety lifecycle specifies all aspects related to the development process of safety related systems:
  • Management of the process itself
  • Definition of the system
  • Specification of the system and sub-systems
  • Documentation and configuration management
  • Architectural design
  • Hardware & software design
  • Hardware & software development
  • Test & validation planning
Safety Lifecycle according to IEC 61508
[Figure: the overall safety lifecycle of IEC 61508, with phases numbered as in the standard]
1. Concept
2. Overall scope definition
3. Hazard and risk analysis
4. Overall safety requirements
5. Safety requirements allocation
Overall planning:
6. Overall operation and maintenance planning
7. Overall safety validation planning
8. Overall installation and commissioning planning
Realisation:
9. Safety related systems: E/E/PE - realisation (detailed in the E/E/PE safety lifecycle and the software safety lifecycle)
10. Safety related systems: other technology - realisation
11. External risk reduction facilities - realisation
12. Overall installation and commissioning
13. Overall safety validation
14. Overall operation, maintenance and repair
15. Overall modification and retrofit
Safety Lifecycle according to ISO 26262
[Figure: structure of ISO 26262, parts 1 to 10 with their main clauses]
1. Vocabulary
2. Management of functional safety
  2.5 Overall safety management
  2.6 Safety management during item development
  2.7 Safety management after release for production
3. Concept phase
  3.5 Item definition
  3.6 Initiation of the safety lifecycle
  3.7 Hazard analysis and risk assessment
  3.8 Functional safety concept
4. Product development: system level
  4.5 Initiation of product development at system level
  4.6 Specification of the technical safety requirements
  4.7 System design
  4.8 System integration and testing
  4.9 Safety validation
  4.10 Functional safety assessment
  4.11 Release for production
5. Product development: hardware level
  5.5 Initiation of product development at hardware level
  5.6 Specification of hardware safety requirements
  5.7 Hardware design
  5.8 Hardware architectural metrics
  5.9 Evaluation of violation of the safety goal due to random hardware failures
6. Product development: software level
  6.5 Initiation of product development at software level
  6.6 Specification of software safety requirements
  6.7 Software architectural design
  6.8 Software unit design and implementation
  6.9 Software unit testing
  6.10 Software integration and testing
  6.11 Verification of software safety requirements
7. Production and operation
  7.5 Production
  7.6 Operation, service and decommissioning
8. Supporting processes
  8.5 Interfaces within distributed developments
  8.6 Specification & management of safety requirements
  8.7 Configuration management
  8.9 Verification
  8.10 Documentation
  8.11 Qualification of software tools
  8.12 Qualification of software components
  8.13 Qualification of hardware components
  8.14 Proven in use argument
9. ASIL-oriented and safety-oriented analyses
  9.5 Requirement decomposition with respect to ASIL tailoring
  9.6 Criteria for coexistence of elements
  9.7 Analysis of dependent failures
  9.9 Safety analyses
10. Guidelines on ISO 26262 (Informative)
FUNCTIONAL SAFETY: Hazard & Risk Analysis
Hazard Analysis
• In order to perform a risk assessment:
  • The hazards (potential sources of harm) of the EUC shall be determined systematically, as well as the event sequences leading to them
  • Techniques that can be used for the extraction of hazards at system level:
    • Brainstorming
    • Checklists
    • Quality history
    • FMEA
    • Fault Tree Analysis (FTA)
    • Event Tree Analysis (ETA)
    • Product metrics
    • Field studies
  • For each identified hazard, risks shall be determined and assessed
  • If a risk is not tolerable, the necessary risk reduction must be evaluated.
Risk Assessment
• In order to determine the necessary level of risk reduction (expressed as SIL, ASIL, …), two reference risk levels must be estimated:
  • The EUC risk, associated with the Equipment Under Control
  • The level of risk considered tolerable
• Risk assessment is the procedure to evaluate the EUC risk
• Risk assessment can be summarized in answering the question: "How likely is the EUC to fail, and if it does fail, what is the outcome?" (Frequency x Consequence)
• The EUC risk must be assessed independently from the measures adopted to reduce it
• The EUC risk must be assessed separately for each determined hazardous event
• Risk assessment techniques can be:
  • Qualitative: provides a qualitative risk assessment (used mainly in the early risk assessment phase)
  • Semi-quantitative (semi-qualitative): provides discrete risk "levels"
  • Quantitative: provides quantitative risk estimates based on formal mathematical models
• Several techniques can be adopted:
  • ALARP Model
  • Risk Graph / Calibrated Risk Graph
  • Hazardous Event Severity Matrix
  • Layer of protection analysis (LOPA)
ALARP Model
• According to this model, risks can be classified into three classes:
  • The risk is so great that it cannot be justified in any ordinary circumstance
  • The risk is, or has been made, so small as to be insignificant
  • The risk falls between the two previous classes and has been reduced to the lowest practicable level
• When the risk falls in the last class, then it must be reduced to a level which is "ALARP", i.e. "As Low As Reasonably Practicable"
[Figure: ALARP triangle with three regions, rising risk towards the top]
• Intolerable region: risk cannot be accepted except in extraordinary circumstances
• ALARP region (risk is undertaken only if a benefit is desired): risk is tolerable only if further risk reduction is impracticable or disproportionate to the benefits obtained; the more the risk is reduced, the less must be spent to reduce it further to satisfy ALARP
• Broadly accepted region
ALARP Model - Example
As an example consider the following table, where the risk classes are I (lowest risk), II, III, IV (highest risk). The interpretation of the risk classes in terms of the ALARP model might be:

Frequency \ Consequence   Catastrophic   Critical   Marginal   Negligible
Frequent                  IV             IV         IV         III
Probable                  IV             IV         III        II
Occasional                IV             III        II         II
Remote                    III            II         II         I
Improbable                II             II         I          I
Incredible                I              I          I          I

Risk class   ALARP interpretation
I            Negligible risk
II           Tolerable risk if the cost of risk reduction would exceed the improvement gained
III          Undesirable risk. Tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained.
IV           Intolerable risk
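The matrix and its ALARP interpretation are easy to apply by hand for one hazard, but a hazard register has many, and the question the analysis has to answer for each is "how far must the frequency come down before the class is acceptable?". The following is an added example (not code from the slides or from CEFRIEL) that encodes the table above, ranks a constructed hazard register by class, and computes the necessary risk reduction as the number of steps down the frequency scale a safety function must achieve; the hazard names and their frequency/consequence ratings are constructed.

```python
"""Risk classification with the frequency x consequence matrix of the ALARP
example, followed by the ALARP interpretation of each class. Added example;
the matrix values are the slide's, the hazard register below is constructed."""

FREQUENCIES = ["Frequent", "Probable", "Occasional", "Remote", "Improbable", "Incredible"]
CONSEQUENCES = ["Catastrophic", "Critical", "Marginal", "Negligible"]

# Rows follow FREQUENCIES (most to least frequent), columns follow CONSEQUENCES
# (most to least severe); entries are the risk classes I (lowest) .. IV (highest).
RISK_CLASS_MATRIX = [
    ["IV", "IV", "IV", "III"],  # Frequent
    ["IV", "IV", "III", "II"],  # Probable
    ["IV", "III", "II", "II"],  # Occasional
    ["III", "II", "II", "I"],   # Remote
    ["II", "II", "I", "I"],     # Improbable
    ["I", "I", "I", "I"],       # Incredible
]

CLASS_RANK = {"I": 1, "II": 2, "III": 3, "IV": 4}

ALARP_INTERPRETATION = {
    "I": "Negligible risk",
    "II": "Tolerable risk if the cost of risk reduction would exceed the improvement gained",
    "III": "Undesirable risk: tolerable only if risk reduction is impracticable "
           "or the costs are grossly disproportionate to the improvement gained",
    "IV": "Intolerable risk",
}


def risk_class(frequency, consequence):
    """Risk class (I..IV) of a hazardous event with no safety function in place."""
    if frequency not in FREQUENCIES or consequence not in CONSEQUENCES:
        raise ValueError(f"unknown frequency/consequence: {frequency!r}/{consequence!r}")
    return RISK_CLASS_MATRIX[FREQUENCIES.index(frequency)][CONSEQUENCES.index(consequence)]


def frequency_reduction_steps(frequency, consequence, target_class):
    """Necessary risk reduction expressed as the number of steps down the
    frequency scale a safety function must achieve (consequence unchanged)
    so that the class is at or below target_class; None if reducing the
    frequency alone cannot get there."""
    start = FREQUENCIES.index(frequency)
    for steps in range(len(FREQUENCIES) - start):
        cls = risk_class(FREQUENCIES[start + steps], consequence)
        if CLASS_RANK[cls] <= CLASS_RANK[target_class]:
            return steps
    return None


def prioritise(hazards):
    """hazards: iterable of (name, frequency, consequence).
    Returns (name, class, ALARP interpretation) tuples, highest class first;
    hazards of equal class keep their input order (sorted() is stable)."""
    ranked = sorted(((name, risk_class(f, c)) for name, f, c in hazards),
                    key=lambda row: CLASS_RANK[row[1]], reverse=True)
    return [(name, cls, ALARP_INTERPRETATION[cls]) for name, cls in ranked]


# Constructed hazard register for a hypothetical EUC (not from the slides).
SAMPLE_HAZARDS = [
    ("Spurious warning lamp", "Frequent", "Negligible"),
    ("Unintended brake release on a slope", "Occasional", "Catastrophic"),
    ("Loss of cabin lighting", "Remote", "Marginal"),
]

if __name__ == "__main__":
    for name, cls, meaning in prioritise(SAMPLE_HAZARDS):
        print(f"{cls:>3}  {name}: {meaning}")
    for name, freq, cons in SAMPLE_HAZARDS:
        steps = frequency_reduction_steps(freq, cons, "II")
        print(f"{name}: {steps} frequency step(s) down to reach class II")
```

A class IV entry is the one the ALARP model says must be reduced before the EUC is acceptable at all; the step count makes the "necessary risk reduction" of the earlier slides concrete on the qualitative frequency scale, which is what a semi-quantitative assessment actually delivers.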
Risk Graph Method
• The risk graph method is based on the following equation: R = function of (f, C), where
  • R is the risk with no safety-related systems in place
  • f is the frequency of the hazardous event with no safety-related systems in place
  • C is the consequence of the hazardous event
• The frequency is in turn influenced by:
  • Frequency and exposure time in the hazardous zone
  • Possibility of avoiding the hazardous event
  • Probability of the hazardous event taking place with no safety-related measures in place but with other risk reduction facilities (probability of unwanted occurrence)
• This extends the number of parameters to be considered to four:
  • C = Consequence of the hazardous event (cf. S = Severity)
  • F = Frequency and exposure time in the hazardous zone (cf. E = Exposure)
  • P = Possibility of failing to avoid the hazardous event (cf. C = Controllability)
  • W = Probability of the unwanted occurrence
Risk Graph Method - Example
• The implementation of a risk graph requires:
  • Defining values / levels for each parameter
  • Defining the relations between parameters and their levels
• The values / levels of the parameters, expressed qualitatively or quantitatively as numbers, must be:
  • Justified on a rigorous and widely accepted basis
  • Agreed with all the parties involved
[Figure: example risk graph. Starting from Start, the path branches on the consequence (CA, CB, CC, CD), then on frequency/exposure (FA, FB), then on the possibility of avoidance (PA, PB), reaching one of the intermediate outputs X1 to X6; the required integrity is then read in the column of the applicable W class:]

Output   W3      W2      W1
X1       a       ---     ---
X2       SIL 1   a       ---
X3       SIL 2   SIL 1   a
X4       SIL 3   SIL 2   SIL 1
X5       SIL 4   SIL 3   SIL 2
X6       b       SIL 4   SIL 3

---: no safety requirements
a: no special safety requirements
b: a single E/E/PE system is not sufficient
Using different integrity scales, e.g. W1, W2 and W3:
• Allows accounting explicitly for other risk reduction measures
• From one scale to another there is an integrity level "shift"
C: CA < CB < CC < CD; F: FA < FB; P: PA < PB
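To show the method as an executable procedure rather than a picture, here is an added example (not the slides' own code) that evaluates the risk graph above. The W-column table is exactly the one on the slide; the branch topology leading to X1 to X6 is an assumption taken from the IEC 61508-5 example risk graph (CA goes straight to X1; from CB upwards each step up in C, F or P moves one output further along), and the CC/FB/PA parameter set at the bottom is constructed. The `integrity_shift` function reads the same hazard on all three W scales to make the one-level "shift" between scales visible.

```python
"""Risk graph evaluation. Added example, not code from the slides or CEFRIEL.
The output table comes from the slide; the branch topology is an ASSUMPTION
modelled on the IEC 61508-5 example risk graph (see the lead-in)."""

CONSEQUENCE = ["CA", "CB", "CC", "CD"]   # CA < CB < CC < CD
FREQUENCY = ["FA", "FB"]                 # FA < FB
AVOIDANCE = ["PA", "PB"]                 # PA < PB
DEMAND = ["W3", "W2", "W1"]              # column order of OUTPUT_TABLE

# Intermediate output -> required integrity under W3, W2, W1 (from the slide).
OUTPUT_TABLE = {
    "X1": ("a",     "---",   "---"),
    "X2": ("SIL 1", "a",     "---"),
    "X3": ("SIL 2", "SIL 1", "a"),
    "X4": ("SIL 3", "SIL 2", "SIL 1"),
    "X5": ("SIL 4", "SIL 3", "SIL 2"),
    "X6": ("b",     "SIL 4", "SIL 3"),
}

LEGEND = {
    "---": "no safety requirements",
    "a": "no special safety requirements",
    "b": "a single E/E/PE safety-related system is not sufficient",
}


def _index(value, scale, name):
    """Position of a parameter value on its ordered scale; rejects unknown values."""
    if value not in scale:
        raise ValueError(f"{name} must be one of {scale}, got {value!r}")
    return scale.index(value)


def intermediate_output(c, f, p):
    """Walk the branches and return X1..X6 (topology assumed, see above)."""
    ci = _index(c, CONSEQUENCE, "C")
    fi = _index(f, FREQUENCY, "F")
    ai = _index(p, AVOIDANCE, "P")
    if ci == 0:                 # CA: lowest consequence, no F/P branching
        return "X1"
    return f"X{1 + ci + fi + ai}"


def required_integrity(c, f, p, w):
    """Required SIL (or a / b / ---) for one hazardous event under demand class w."""
    column = _index(w, DEMAND, "W")
    return OUTPUT_TABLE[intermediate_output(c, f, p)][column]


def integrity_shift(c, f, p):
    """The same hazard read on all three W scales: moving from W1 to W2 to W3
    (fewer other risk reduction facilities) raises the result by one level each time."""
    return {w: required_integrity(c, f, p, w) for w in DEMAND}


def explain(result):
    """Human-readable meaning of a graph result."""
    return LEGEND.get(result, f"a safety function must be realised to {result}")


if __name__ == "__main__":
    # Constructed parameter set for a hypothetical hazardous event.
    for w, r in integrity_shift("CC", "FB", "PA").items():
        print(f"CC/FB/PA under {w}: {r} ({explain(r)})")
```

A result of `b` is the case the slide flags separately: the graph says that no single E/E/PE system can provide the required integrity, so the architecture, not just the SIL of one function, has to change.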
HRA acc. to ISO 26262 – SEVERITY
Class   Reference for single injuries (from AIS scale)
S0      Maximum AIS 0: damage that cannot be classified as safety-related, e.g. bumps with roadside infrastructure
S1      Maximum AIS 1-2: more than 10% probability of AIS 1-6 (and not S2 or S3)
S2      Maximum AIS 3-4: more than 10% probability of AIS 3-6 (and not S3)
S3      Maximum AIS 5-6: more than 10% probability of AIS 5-6
AIS (Abbreviated Injury Scale): the AIS is a classification of the severity of injuries, issued by the AAAM (Association for the Advancement of Automotive Medicine):
• AIS 0: no injuries.
• AIS 1: light injuries such as skin-deep wounds, muscle pains, whiplash, etc.
• AIS 2: moderate injuries such as deep flesh wounds, concussion with up to 15 minutes of unconsciousness, …
• AIS 3: severe but not life-threatening injuries such as skull fractures without brain injury, spinal dislocations below the fourth cervical vertebra without damage to the spinal cord, …
• AIS 4: severe injuries (life-threatening, survival probable) such as concussion with or without skull fractures with up to 12 hours of unconsciousness, paradoxical breathing.
• AIS 5: critical injuries (life-threatening, survival uncertain) such as spinal fractures below the fourth cervical vertebra with damage to the spinal cord, more than 12 hours of unconsciousness including intracranial bleeding, …
• AIS 6: extremely critical or fatal injuries such as fractures of the cervical vertebrae above the third cervical vertebra with damage to the spinal cord, extremely critical open wounds of body cavities (thoracic and abdominal cavities), …
HRA acc. to ISO 26262 – SEVERITY (Informative examples)
S0: pushing over roadside infrastructure; light collision; light grazing damage; damage while entering or leaving a parking space; leaving the road without collision or rollover
Side collision, e.g. crashing into a tree: S1 Δv < 15 km/h; S2 15 < Δv < 25 km/h; S3 Δv > 25 km/h
Side collision with a passenger car: S1 Δv < 15 km/h; S2 15 < Δv < 35 km/h; S3 Δv > 35 km/h
Rear/front collision between two passenger cars: S1 Δv < 20 km/h; S2 20 < Δv < 40 km/h; S3 Δv > 40 km/h
Other collisions (in increasing severity): scrape collision with little vehicle-to-vehicle overlap; roof or side collision with considerable deformation
Under-riding a truck (in increasing severity): without deformation of the passenger cell; with deformation of the passenger cell
Pedestrian/bicycle accident: e.g. during a turning manoeuvre inside a built-up area
HRA acc. to ISO 26262 – EXPOSURE (definition by duration / probability of exposure)
Class   Description              Definition of duration / probability of exposure
E0      Very low probability     Not specified
E1      Low probability          < 1% of average operating time
E2      Medium probability       1% - 10% of average operating time
E3      High probability         > 10% of average operating time
Informative examples:
E0: -
E1: pulling a trailer; driving with roof rack; driving on a mountain pass with unsecured steep slope
E2: snow and ice; driving backwards; fuelling; overtaking; car wash; tunnels; hill hold
E3: night driving on roads without streetlights; wet roads; congestion; accelerating; braking; steering; parking; driving on highways; driving on secondary roads; city driving
HRA acc. to ISO 26262 – EXPOSURE (definition by frequency of exposure)
Class   Description                  Definition of frequency of exposure
E0      Extremely low probability    Situations that occur less often than once a year for the great majority of drivers
E1      Low probability              Situations that occur a few times a year for the great majority of drivers
E2      Medium probability           Situations that occur once a month or more often for an average driver
E3      High probability             All situations that occur during almost every drive on average
Informative examples:
E0: stop at railway crossing, which requires a start of the engine; towing; jump start
E1: pulling a trailer, driving with roof rack; driving on a mountain pass with unsecured steep slope; driving situation with deviation from the desired path
E2: snow and ice; fuelling; overtaking; tunnels; hill hold; car wash; wet roads; congestion
E3: starting; shifting gears; accelerating; braking; steering; using indicators; parking; driving backwards
HRA acc. to ISO 26262 – CONTROLLABILITY
Class   Description                              Definition
C0      Controllable in general                  Controllable in general
C1      Simply controllable                      99% or more of all drivers or other traffic participants are usually able to avoid a specific harm
C2      Normally controllable                    90% or more of all drivers or other traffic participants are usually able to avoid a specific harm
C3      Difficult to control or uncontrollable   Less than 90% of all drivers or other traffic participants are usually able, or barely able, to avoid a specific harm
Informative examples:
C0:
• Unexpected increase in radio volume
• Situations that are considered distracting
• Unavailability of a driver assisting system
C1:
• When starting the vehicle with a locked steering column, the car can be brought to a stop by almost all drivers early enough to avoid a specific harm to persons nearby.
• Faulty adjustment of the seats while driving can be controlled by almost all drivers by bringing the vehicle to a stop.
C2:
• Avoid departing from the lane in case of a failure of ABS during emergency braking.
• Avoid departing from the lane in case of a motor failure at high lateral acceleration (motorway exit).
• Bring the vehicle to a stop in case of a total lighting failure at medium or high speed on an unlighted country road without departing from the lane in an uncontrolled manner.
• Avoid hitting an unlit vehicle on an unlit country road.
C3:
• Wrong steering with high angular speed at medium or high vehicle speed can hardly be controlled by the driver.
• Cannot avoid departing from the lane on snow or ice on a bend in case of a failure of ABS during emergency braking.
• Cannot bring the vehicle to a stop if a total loss of braking performance occurs.
• In the case of a faulty airbag release at high or moderate vehicle speed, the driver usually cannot prevent the vehicle from departing from the lane.
HRA acc. to ISO 26262 – RISK MATRIX
Note: If a hazard is assigned to a Severity class S0 or Controllability class C0, or
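The S, E and C definitions above are given as thresholds (a 10% probability of a given AIS range, a percentage of operating time, a percentage of drivers able to avoid the harm), so they can be applied mechanically once the underlying estimates exist. The following is an added example, not the slides' or CEFRIEL's code: the three classifiers implement the slides' definitions (C0 is a judgement rather than a percentage, so it is passed in explicitly), and the final lookup uses the ASIL determination table of ISO 26262-3:2011 (Table 4). Because the slides' own risk matrix did not survive extraction, that table is re-keyed here to the slides' exposure labels on the assumption that the slides' E0..E3 are the standard's E1..E4 (their duration definitions are identical); the AIS distribution, exposure and controllability figures of the sample hazard are constructed.

```python
"""ISO 26262 hazard classification (S/E/C per the slides' definitions) and ASIL
lookup. Added example. The ASIL table is ISO 26262-3:2011 Table 4 mapped onto
the slides' E0..E3 labels (ASSUMPTION: slide E0..E3 = standard E1..E4)."""


def severity_class(ais_probabilities):
    """ais_probabilities: {AIS level 0..6: probability that this is the maximum injury}.
    Slide rule: S3 if P(AIS 5-6) > 10%, else S2 if P(AIS 3-6) > 10%,
    else S1 if P(AIS 1-6) > 10%, else S0. Testing the highest class first
    implements the '(and not S3)' / '(and not S2 or S3)' exclusions."""
    for level, p in ais_probabilities.items():
        if level not in range(7) or not 0.0 <= p <= 1.0:
            raise ValueError(f"bad AIS entry {level!r}: {p!r}")

    def p_at_least(lvl):
        return sum(p for level, p in ais_probabilities.items() if level >= lvl)

    if p_at_least(5) > 0.10:
        return "S3"
    if p_at_least(3) > 0.10:
        return "S2"
    if p_at_least(1) > 0.10:
        return "S1"
    return "S0"


def exposure_class(percent_operating_time):
    """Duration-based exposure: unspecified -> E0, <1% -> E1, 1%-10% -> E2, >10% -> E3."""
    if percent_operating_time is None:
        return "E0"
    pct = float(percent_operating_time)
    if not 0.0 <= pct <= 100.0:
        raise ValueError("percentage of operating time out of range")
    if pct < 1.0:
        return "E1"
    if pct <= 10.0:
        return "E2"
    return "E3"


def controllability_class(percent_drivers_able_to_avoid, controllable_in_general=False):
    """C0 is a judgement, passed explicitly; otherwise >=99% -> C1, >=90% -> C2, else C3."""
    if controllable_in_general:
        return "C0"
    pct = float(percent_drivers_able_to_avoid)
    if not 0.0 <= pct <= 100.0:
        raise ValueError("percentage of drivers out of range")
    if pct >= 99.0:
        return "C1"
    if pct >= 90.0:
        return "C2"
    return "C3"


# (S, E) -> ASIL for (C1, C2, C3). Standard's table re-keyed to the slides'
# E0..E3 labels (assumed mapping, see module docstring).
ASIL_TABLE = {
    ("S1", "E0"): ("QM", "QM", "QM"), ("S1", "E1"): ("QM", "QM", "QM"),
    ("S1", "E2"): ("QM", "QM", "A"),  ("S1", "E3"): ("QM", "A", "B"),
    ("S2", "E0"): ("QM", "QM", "QM"), ("S2", "E1"): ("QM", "QM", "A"),
    ("S2", "E2"): ("QM", "A", "B"),   ("S2", "E3"): ("A", "B", "C"),
    ("S3", "E0"): ("QM", "QM", "A"),  ("S3", "E1"): ("QM", "A", "B"),
    ("S3", "E2"): ("A", "B", "C"),    ("S3", "E3"): ("B", "C", "D"),
}


def asil(s, e, c):
    """ASIL A..D, or QM when S0 or C0 is assigned or the table gives no ASIL."""
    if s == "S0" or c == "C0":
        return "QM"
    if (s, e) not in ASIL_TABLE or c not in ("C1", "C2", "C3"):
        raise ValueError(f"unknown classes {s}/{e}/{c}")
    return ASIL_TABLE[(s, e)][int(c[1]) - 1]


def assess_hazard(ais_probabilities, percent_exposure, percent_controllable):
    """Full classification of one hazardous event: (S, E, C, ASIL)."""
    s = severity_class(ais_probabilities)
    e = exposure_class(percent_exposure)
    c = controllability_class(percent_controllable)
    return s, e, c, asil(s, e, c)


# Constructed sample hazard (not from the standard or the slides): injury
# distribution if the event occurs, exposure 12% of operating time,
# 85% of drivers able to avoid the harm.
SAMPLE = ({0: 0.60, 1: 0.20, 3: 0.15, 5: 0.05}, 12.0, 85.0)

if __name__ == "__main__":
    print(assess_hazard(*SAMPLE))   # ('S2', 'E3', 'C3', 'C')
```

The sample shows the point of the 10% thresholds: a 5% chance of an AIS 5-6 injury is not enough for S3, but the 20% chance of AIS 3 or worse makes it S2, and with high exposure and poor controllability that still lands in ASIL C.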
Once the required SIL has been assessed
Based on the required Safety Integrity Level:
– Different requirements on the design and the process apply
– Different techniques and measures should be used
Requirements to the integrity of HW
Requirements to the integrity of SW
– Requirements to SW design and development (architecture, support tools, programming language, code implementation, testing, …)
– Requirements to SW diagnostics to achieve the required HW integrity

Target failure measures per SIL:
SIL   Low demand mode of operation               High demand mode of operation
      (PFD: probability of failure on demand)    (PFH: probability of failure per hour)
      e.g., airbag                               e.g., brake / steer by wire
1     10^-2 ≤ PFD < 10^-1                        10^-6 ≤ PFH < 10^-5  (1,000 ≤ FIT < 10,000)
2     10^-3 ≤ PFD < 10^-2                        10^-7 ≤ PFH < 10^-6  (100 ≤ FIT < 1,000)
3     10^-4 ≤ PFD < 10^-3                        10^-8 ≤ PFH < 10^-7  (10 ≤ FIT < 100)
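The Risk Assessment slides earlier say that the necessary risk reduction follows from two reference levels, the EUC risk and the tolerable risk, and the table above turns that reduction into a SIL band. The following added example (not the slides' or CEFRIEL's code) carries the quantitative version through: risk reduction factor RRF = F_EUC / F_tolerable, the PFD a low demand safety function must achieve (1/RRF), the SIL band it falls into, and the equivalent PFH-to-FIT conversion for high demand mode. Only the SIL 1 to SIL 3 bands listed on the slide are encoded; the event rates at the bottom are constructed. Values computed in floating point that land exactly on a decade boundary (1/1000 for a PFD of 10^-3, say) are snapped to the tabulated band, which is the one edge case worth handling in such a tool.

```python
"""From the EUC risk and the tolerable risk to the necessary risk reduction
and the SIL band it implies (IEC 61508 target failure measures as tabulated
on the slide, SIL 1 to SIL 3 only). Added example; rates below are constructed."""

# (label, lower bound inclusive, upper bound exclusive)
LOW_DEMAND_PFD_BANDS = [("SIL 1", 1e-2, 1e-1), ("SIL 2", 1e-3, 1e-2), ("SIL 3", 1e-4, 1e-3)]
HIGH_DEMAND_PFH_BANDS = [("SIL 1", 1e-6, 1e-5), ("SIL 2", 1e-7, 1e-6), ("SIL 3", 1e-8, 1e-7)]
FIT_PER_HOUR = 1e-9      # 1 FIT = one failure per 10^9 hours

_REL_TOL = 1e-9          # values this close to a decade boundary are put on the boundary


def _band(value, bands):
    """Classify a failure measure into a band; a value within _REL_TOL of a lower
    bound counts as being on that bound, so a computed 9.9999e-4 is SIL 2, as tabulated."""
    if value <= 0:
        raise ValueError("failure measure must be positive")
    if value >= bands[0][2] * (1 - _REL_TOL):
        return "below SIL 1"      # less than a factor 10 of reduction: no SIL band
    for label, lo, hi in bands:
        if lo * (1 - _REL_TOL) <= value < hi * (1 - _REL_TOL):
            return label
    return "above SIL 3 (outside the table)"


def necessary_risk_reduction(euc_event_rate, tolerable_rate):
    """Risk reduction factor RRF = F_EUC / F_tolerable; both rates in the same unit."""
    if euc_event_rate <= 0 or tolerable_rate <= 0:
        raise ValueError("rates must be positive")
    return euc_event_rate / tolerable_rate


def required_pfd(rrf):
    """Low demand mode: a safety function with PFD = 1/RRF achieves the reduction."""
    return 1.0 / rrf


def sil_for_pfd(pfd):
    """SIL band of a probability of failure on demand (low demand mode)."""
    return _band(pfd, LOW_DEMAND_PFD_BANDS)


def sil_for_pfh(pfh):
    """SIL band of a probability of failure per hour (high demand mode)."""
    return _band(pfh, HIGH_DEMAND_PFH_BANDS)


def fit_from_pfh(pfh):
    """Failures In Time for a per-hour failure probability."""
    return pfh / FIT_PER_HOUR


def plan_low_demand(euc_event_rate, tolerable_rate):
    """Tolerability check, necessary reduction, required PFD and its SIL band."""
    if euc_event_rate <= tolerable_rate:
        return {"tolerable": True, "rrf": 1.0, "pfd": None, "sil": None}
    rrf = necessary_risk_reduction(euc_event_rate, tolerable_rate)
    pfd = required_pfd(rrf)
    return {"tolerable": False, "rrf": rrf, "pfd": pfd, "sil": sil_for_pfd(pfd)}


if __name__ == "__main__":
    # Constructed: hazardous event 0.1 per year without safeguards, tolerable 2e-5 per year.
    print(plan_low_demand(0.1, 2e-5))
    # Constructed high demand figure: PFH 5e-7 per hour, i.e. 500 FIT.
    print(fit_from_pfh(5e-7), sil_for_pfh(5e-7))
```

The `"below SIL 1"` result is as informative as a band: a reduction of less than a factor 10 means the function is not a safety-related system in the IEC 61508 sense, and the risk can be left to other technology or external measures.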
• Basic course on Functional Safety (2 days)
• Info:
  • Web: www.cefriel.it
  • Mail: [email protected]
  • Tel: 02.239541
For any request related to the Functional Safety area:
• ENRICO SILANI