Impact of Safety Standards to Processes and Methodologies. Dr. Herbert Eichfeld

Academic year: 2021


(1) Impact of Safety Standards to Processes and Methodologies

(2) Impact to Processes, Methodologies, Products

Impact of the IEC 61508 / ISO 26262 requirements on:

Processes
+ New/changed role descriptions (e.g. safety manager)
+ Assignments to competent persons
+ Enrichment of process with safety plan
+ Enrichment of document flow with new documents
+ Process tailoring wrt SIL / ASIL ...

Methodologies
+ Documentation & configuration mgmt (safety case)
+ Change management with safety label
+ Failure Modes, Effects and Diagnostic coverage Analysis
+ Common Cause Analysis
+ Requirement traceability for safety requirements ...

Products
+ Safety concept with safety product requirements
+ Safety manual as user manual
+ Element safety function: product architecture
+ Additional / changed IP on µC or power IC
+ Monitor software, watchdog IC, ...

(3) Impact to processes and methodologies

- IEC 61508 and ISO 26262 require certain processes and methodologies to prevent systematic faults.
- ISO explicitly requires an audit of functional safety processes for ASIL B, C, D (see ISO 26262-2.6.4.6, Table 1).
- ISO proposes to check the safety management, including the functional safety audit, within the framework of the functional safety assessment of the item (see ISO 26262-2 Annex E).

1. Set up a safety audit project to prepare your processes and methodologies according to the safety requirements.
2. Roll it out for product development projects.
3. Pass the external safety audit.
4. Product assessments refer to the safety audit.

(4) Example of a Safety audit project (1 of 2)

Scope of process audit (draft), milestones I1 and I2:
- Selection of stakeholders
- Stakeholder requirements
- Methodologies to cope with 2 standards and to avoid overengineering for < SIL3, < ASIL D
- Selection of lead customers
- Selection of auditor
- Interface to other process adaptations
- Align on Tier1 - Tier2 process interface
- Align scope of audit
- Scope of process audit
- Project setup, contract with auditor

(5) Example of a Safety audit project (2 of 2)

- Gap analysis: company process vs standards (I4)
- 1. Internal review
- Improvement plan to close gaps
- 1. Audit by auditor
- Enrich improvement plan by audit findings and changes in standards (I5)
- 2. Internal review
- 2. Audit by auditor: Compliant! Rollout release (I6)
- Implement improvements, rollout to projects (I7)
- CR against ISO 26262 till 08.12.09

(6) Example: Scope of process audit

ISO part | ISO topic | Scope | Arguments
26262-1 | Vocabulary | No | No work product defined
26262-2 | Management of functional safety | Yes * | All companies in the automotive safety market have to do it.
26262-3 | Concept phase | No | OEM & Tier1 topic
26262-4 | Product dev.: system level | No | Tier1 & OEM topic
26262-5 | Product dev.: hardware level | Yes * | Tier1 (board) & Tier2 (µC)
26262-6 | Product dev.: software level | Yes * | Tier1 (appl. SW) & Tier 2 (FW, drivers, monitors, ..)
26262-7 | Production & operation | Yes * | OEM (car), Tier1 (ECU), Tier2 (µC)
26262-8 | Supporting processes | Yes * | All companies affected.
26262-9 | ASIL- & safety-oriented analysis | Yes * | All companies affected.
26262-10 | Guideline on ISO 26262 | No | Informative overview

(7) Example: How to cope with 2 standards

Differences | ISO 26262 | IEC 61508 | Evaluation
Information structure | FSM in one part: ISO 26262-2 | FSM in IEC 61508-1.6 and other parts | Risk not to find all relevant IEC information
FSM structure | 1. Overall FSM, 2. During development, 3. After release for production | ISO structure does not exist, but most ISO requirements covered | ISO structure clearer; no contradiction to IEC found
Concepts | Safety culture | Does not exist | ISO asks for more
Terminology | Safety plan, Safety case, Item, Work product, Confirmation measure | Terms not defined, but content implicitly available | ISO more precise
Roles | 1. Organization, 2. PJM, 3. Safety Mgr | 1. Organization, 2. Responsible persons | ISO more detailed

(8) Example: How to avoid overengineering

- Non-safety projects shall not be affected.
- Today's process for automotive projects fulfills ASIL A & B.
- For ASIL C & D, enrichments of today's process are necessary.
- Apply the tailoring possibilities the standards offer along the safety integrity levels.
- On FSM, ISO 26262 offers one tailoring possibility, the certification plan according to 26262-2 Annex D, Table D.1:
- Which SIL or ASIL levels are relevant for the company?

ASIL | # of obligatory certification measures
D, C | 14 (including B and A)
B | 9 (including A)

(9) Impact to methodologies: Example on Requirement Traceability (1 of 2)

[Figure: "DocFlow / project" diagram. Legacy product requirements and a delta SIL database feed the documents PRD, ITS, FMEA, SoW, Safety Manual, UM, RTR and SAR, arranged along the project milestones 1, 3, 7 and 9.]

(10) Requirement Traceability (2 of 2)

[Figure: the same "DocFlow / project" diagram as on the previous slide, with the documents (PRD, ITS, FMEA, SoW, Safety Manual, UM, RTR, SAR) shown as Reqtify-tagged documents.]

(11) Requirement Tag

- The image shows a tagged requirement within a Word document.
- [req ...] and [/req] are the opening and closing tags.
- id is this requirement's identifier.
- parent is the link to an upper requirement, following the V-model.
- The text between the tags is the requirement description.
- The text format is not mandatory (parsing is ASCII based), but

(12) Coverage Tag

- The image shows a tagged test case within a Word document.
- [cover ...] and [/cover] are the opening and closing tags.
- refid is the identifier of the requirement which is covered.
- The text between the tags is the test case name and description.
- The text format is not mandatory (parsing is ASCII based), but
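The two tag formats above are enough to build the requirement-traceability check that slide 2 lists as a methodology impact: every safety requirement needs a covering test case, every parent link needs to resolve, and every refid needs to point at a real requirement. The following parser is an added example, not Reqtify's code and not part of the presentation; it assumes the Word documents have been exported to plain text and that attributes inside a tag are written as whitespace-separated key=value pairs (the slides name the attributes id, parent and refid but do not show their exact spelling). The sample documents are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed tag syntax: attributes inside the opening tag are key=value pairs
# separated by whitespace, e.g. [req id=SR-2 parent=SR-1]. The slides only say
# that [req ...]/[/req] carry "id" and "parent" and that [cover ...]/[/cover]
# carry "refid"; the attribute spelling is an assumption of this example.
# Input is assumed to be the plain-text (ASCII) export of the Word document.
REQ_RE = re.compile(r"\[req\s+([^\]]*)\](.*?)\[/req\]", re.DOTALL | re.IGNORECASE)
COVER_RE = re.compile(r"\[cover\s+([^\]]*)\](.*?)\[/cover\]", re.DOTALL | re.IGNORECASE)
ATTR_RE = re.compile(r"(\w+)\s*=\s*([^\s\]]+)")


@dataclass
class Requirement:
    id: str
    parent: Optional[str]   # upper requirement in the V-model, None for a top-level one
    text: str


@dataclass
class TestCase:
    refid: str              # identifier of the requirement this test case covers
    text: str


@dataclass
class TraceReport:
    uncovered: List[str]             # requirements with no [cover] tag pointing at them
    missing_parents: Dict[str, str]  # child id -> parent id that does not exist
    dangling_refs: List[str]         # refids in [cover] tags that match no requirement
    duplicate_ids: List[str]         # requirement ids tagged more than once


def _attrs(raw: str) -> Dict[str, str]:
    return dict(ATTR_RE.findall(raw))


def parse_requirements(doc: str) -> List[Requirement]:
    """Extract every [req ...]...[/req] block; tags without an id are ignored."""
    reqs = []
    for raw_attrs, body in REQ_RE.findall(doc):
        a = _attrs(raw_attrs)
        if "id" in a:
            reqs.append(Requirement(a["id"], a.get("parent"), " ".join(body.split())))
    return reqs


def parse_coverage(doc: str) -> List[TestCase]:
    """Extract every [cover ...]...[/cover] block; tags without a refid are ignored."""
    cases = []
    for raw_attrs, body in COVER_RE.findall(doc):
        a = _attrs(raw_attrs)
        if "refid" in a:
            cases.append(TestCase(a["refid"], " ".join(body.split())))
    return cases


def trace(req_docs: List[str], test_docs: List[str]) -> TraceReport:
    """Cross-check requirement tags against coverage tags across all documents."""
    reqs = [r for d in req_docs for r in parse_requirements(d)]
    cases = [c for d in test_docs for c in parse_coverage(d)]
    ids = [r.id for r in reqs]
    known = set(ids)
    covered = {c.refid for c in cases}
    return TraceReport(
        uncovered=sorted(known - covered),
        missing_parents={r.id: r.parent for r in reqs
                         if r.parent is not None and r.parent not in known},
        dangling_refs=sorted(covered - known),
        duplicate_ids=sorted({i for i in ids if ids.count(i) > 1}),
    )


# Constructed sample documents (not taken from the presentation).
SAMPLE_REQ_DOC = """
[req id=SR-1]The watchdog shall reset the MCU if not serviced within 50 ms.[/req]
[req id=SR-2 parent=SR-1]The monitor software shall service the watchdog
only after all plausibility checks pass.[/req]
[req id=SR-3 parent=SR-9]The safety manual shall document the watchdog timeout.[/req]
[req id=SR-2 parent=SR-1]Duplicate tag left behind by a copy-paste edit.[/req]
"""

SAMPLE_TEST_DOC = """
[cover refid=SR-1]TC-01: Stop servicing the watchdog and verify a reset within 50 ms.[/cover]
[cover refid=SR-2]TC-02: Inject a failed plausibility check and verify no service.[/cover]
[cover refid=SR-7]TC-03: Refers to a requirement that was renamed and no longer exists.[/cover]
"""


if __name__ == "__main__":
    # Each non-empty field of the report is a finding the safety audit would raise.
    print(trace([SAMPLE_REQ_DOC], [SAMPLE_TEST_DOC]))
```

The report distinguishes the four defects a reviewer actually has to act on differently: an uncovered requirement is missing verification, a missing parent breaks the V-model chain upward, a dangling refid is a test case whose requirement was renamed or deleted, and a duplicate id makes the other three checks ambiguous, so it is reported rather than silently merged.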

(13) Summary

- High safety integrity levels (SIL 3, ASIL C/D) require additional measures for products and for processes & methodologies.
- Assumption: A company that has delivered automotive quality successfully for many years should already have all measures in place to comply with low safety integrity levels (ASIL A/B, SIL 1, SIL 2).
