Iso 26262tutorial 2010 Final

ISO 26262
Functional Safety Draft International Standard for Road Vehicles:

Background, Status, and Overview
Barbara J. Czerny, Joseph DAmbrosio, Rami Debouk,

General Motors Research and Development
Kelly Stashko, General Motors Powertrain
ISO 26262 Road Vehicles - Functional Safety

Draft International Standard Tutorial
ISSC 2010 Minneapolis, Minnesota
This tutorial presents an overview of the Draft International Standard (DIS) version of
the proposed ISO 26262 Functional Safety standard for road vehicles
It conveys the content of the standard as it is currently drafted

Since the release of the DIS, additional technical and editorial changes to the text have been made, but
these will not be covered in the tutorial slides
Permission was received from ISO to use content taken directly from the ISO/DIS and
contained in this presentation
The process presented in this tutorial, represents the ISO/DIS 26262 process and is not
intended to reflect or discuss the processes of any specific individual manufacturer

Roadmap
e
r
v
i
e
w

Background
Status
Part 1: Vocabulary and Part 10: Guideline
Part 2: Management of Functional Safety
Part 3: Concept Phase
Part 4: Product Development: System Level
Part 5: Product Development: Hardware Level
Break
Part 6: Product Development: Software Level
Part 7: Production and Operation
Part 8: Supporting Processes
Part 9: ASIL-oriented and Safety-oriented Analyses
Key aspects that have evolved over time
Summary
Q&A
Background
Barbara J. Czerny

What is ISO 26262?

Adaptation of IEC 61508 to comply with
the specific needs of E/E systems
within road vehicles
Specifies a functional safety life-cycle for
automotive products
Applies to all activities during the safety lifecycle of

safety-related systems comprised of electrical,
electronic, and software components
Scope
Series production passenger cars
Maximum gross weight up to 3500 kg
Does not apply to E/E systems in special purpose vehicles

e.g., vehicles designed for drivers with disabilities

Origins of ISO 26262 (Automotive IEC 61508)

MISRA
BNA
FAKRA
OEMs
Suppliers
Technical Services
IEC
61508
Initial work
of individual
companies
2002
other
Safety Standards
Quality Standards
Engineering Standards
2003
Initiatives
within
national
standardization
bodies
First drafts
of
requirement
specifications
1.2004
RESPONSE
Autom otive SPICE
HIS
9.2005
ISO
TC22
SC3
WG16
11.2005
First WG16 Meeting
ISO
TC22 (Automotive)
SC3 (E/E)
WG16 (Functional Safety)

ISO 26262 Working Group 16

Convenor
Ch. Jung, Independent Consultant
Secretary
E. Fritzsche, VDA
Germany
BMW, Daimler , VW, Bosch, Continental
France
PSA, Renault, Continental, Valeo
UK
Landrover, MIRA, Renesas
Sweden
Delphi, Volvo Cars, AB Volvo, Mecel
Italy
Centro Ricerche Fiat, Fiat Auto, TRW
Japan
Denso, Hitachi, Honda, Nissan, Toyota
USA
GM, IBM, TRW,
Belgium
Nissan, Toyota Motor Europe
Active membership as of 10/2007

Whats the Difference Between IEC 61508 and ISO 26262?
ISO 26262:
IEC 61508:
1. Framework standard
2. Implied context of Process/Automation
industries (where validation is done after install)
3. Safety Integrity Levels, SIL
SIL 1 SIL 4
Measure of the reliability of safety functions
Includes a quantitative target for the probability of a

dangerous failure
No exact mapping between SILs and ASILs

Loose mapping
SILs 1, 2, 3
Between SIL 2 and SIL 3
4. Focus on safety functions
1. IEC 61508 Automotive Sector adaptation

2. Applies to vehicles with 4 wheels (carrying
passengers, goods)
3. Automotive SIL, ASIL
ASIL A-D
Based on the violation of a safety goal
Provides requirements to achieve acceptable level of risk
No exact mapping between SILs and ASILs
Loose mapping
ASILs A, B, and D
ASIL C
4. Focus on safety goals

5. Adds required work products

Prescriptive (IEC 61508) vs. Goal-Oriented (ISO 26262)

Tables
Example of Part 4 Table 2 System design verification

Goal requirement: System design shall be verified for compliance and completeness with regard to the
technical safety concept. In this aim, the methods and measures in Table 2 shall be considered.
Methods
ASIL
A
1a
System design inspectiona
++
++
++
1b
System design walkthrougha
++
2a
Simulationb
++
++
2b
System prototyping and vehicle tests b
++
++
Safety analysesc
see Table 1
Methods 1a and 1b serve as check of complete and correct detailing and implementation of the technical safety requirements
into system design.
b
Methods 2a and 2b can be used advantageously as a fault injection technique.
For conducting safety analyses, see ISO 26262-9: , Clause 8.
Source: ISO/DIS 26262

More Facts About ISO/DIS 26262
Focus is on possible hazards caused by malfunctioning behavior of E/E safety-related systems
Bidirectional traceability
Safety lifecycle
Validation, verification and independent assessment
Development, validation, release for production vs. development, installation and commissioning, validation in IEC 61508
Supports distributed development
Safety plan & safety goals

Safety case & documentation
Corresponds to automotive product lifecycle
Includes interactions between E/E safety-related systems
Process Framework includes the following process steps/deliverables:
failures or unintended behaviours of an item with respect to its design intent
e.g., division of work between OEMs/suppliers
Hazard analysis corresponds to automotive use cases

Includes Controllability in Risk Assessment

10
Overview of ISO/DIS 26262
Source ISO/DIS 26262

11
Flow and Organization of ISO 26262
ASIL-O riented and Safety-Oriented Analysis

12
Status of Development
ISO Draft International Standard made available for review by all SC 3 countries July
2009
First time a version of the standard was made publically available
DIS ballot held in November 2009 and ballot passed

Preparing Final Draft International Standard (FDIS)
Working on resolving comments received with DIS Ballot
FDIS version will be handed over to ISO for publication in late 2010
Review of FDIS will only be for editorial changes
Part 10 will have a second DIS ballot
Expect publication as a full International Standard in mid-2011

13
Checkpoint Questions Background and Status

1.
On what standard is ISO 26262 based?
2.
Is there a top Level probability associated with an ASIL
3.
A.
B.
C.
D.
ISO/IEC 12207 Systems Software engineering Software life cycle processes

ISO/IEC 15504 AutoSpice
IEC 61508 -- Functional safety of electrical/electronic/programmable electronic safety-related systems
None ISO 26262 is completely new and developed for Automotive Safety
A.
B.
Yes
No
A.
Safety plan & safety goals, Safety case & documentation, Bidirectional traceability, Safety lifecycle, Validation, verification and
independent assessment
Safety plan & potential hazards, Safety cases & documentation, Bidirectional traceability, Safety lifecycle, Validation, verification
and independent assessment
external assessment
Name the fundamental steps/deliverables of the ISO26262 Process Framework.

B.
C.
4.
Is Controllability included in the Risk Assessment

A.
B.
Yes
No

14

1.
2.
3.
A.
B.
C.
D.

A.
B.
Yes
No
A.
external assessment

B.
C.
4.

A.
B.
Yes
No

15

1.
2.
3.
A.
B.
C.
D.

A.
B.
Yes
No
A.
external assessment

B.
C.
4.

A.
B.
Yes
No

16

1.
2.
3.
A.
B.
C.
D.

A.
B.
Yes
No
A.
external assessment

B.
C.
4.

A.
B.
Yes
No

17

1.
2.
3.
A.
B.
C.
D.

A.
B.
Yes
No
A.
external assessment

B.
C.
4.

A.
B.
Yes
No

18
Part 1: Vocabulary
&
Part 10: Guideline on ISO 26262 (Informative)
Rami Debouk


20
ISO/DIS 26262 Terms

Safety
Absence of unreasonable risk
Risk
Combination of the probability of occurrence of
harm and the severity of that harm
Exposure
Severity
State of being in an operational

situation that can be hazardous
if coincident with the failure mode
under analysis
measure of the extent of harm

to an individual
in a specific situation
Harm
Physical injury or damage

to the health of people
Controllability
avoidance of the specified harm or damage

through the timely reactions of the persons
involved
21
ISO/DIS 26262 Terms

Item, system, element, & component
System Array
Item
System
E/E Components
Sensor
Communication
Controller
Other technology
Components
Actuator
Hardware
Software
Hardware
Software
Hardware
Software
Hardware
Components
Software
Components
Hardware
Components
Software Components
Hardware
Components
Software
Components
Hardware Parts
Software Units
Hardware Parts
Software Units
Hardware Parts
Software Units
Element
Component
A software component consists of one or more software components, or software units, or both
22
ISO/DIS 26262 Terms

Failure Types
Random Hardware Failures
failure that may occur unpredictably during the lifetime of a hardware element and
that follows a probability distribution
Systematic Failures
failure of an element or item that is caused in a deterministic way during

development, manufacturing, or maintenance
all software faults and a subset of hardware faults are systematic

23
ISO 26262 Terms

Safety Mechanism
Safety Mechanism
Activity or technical solution to detect / avoid / control failures or mitigate
their harmful effects
Implemented by an E/E function or element or in other technologies
The safety mechanism is either
able to switch to or maintain the item in a safe state or
able to alert the driver such that the driver is expected to control the effect of the
failure

24
ISO 26262 Terms

Work Products
Work product
Information or data
The result of one or more system safety process activities
Format appropriate to the work products content
Data files, models, source code, etc.
May include currently existing documents
Several work products may be in one document

25
ISO 26262 Terms

Confirmation Measures
Confirmation measures
Ensure the sufficient completion of work products and proper execution of
the safety lifecycle.
Provide for the evaluation of the system safety activities and work products
as a whole
Used to determine the adequacy of achievement of the functional safety
goals

26
ISO 26262 Terms

Safety Case
Safety case
Communicates a clear, comprehensive and defensible argument (supported by
evidence) that a system is acceptably safe to operate in a particular context.
Includes references to safety requirements and supporting evidence
AND a safety argument that describes how the safety requirements have been
interpreted, allocated, decomposed, etc., and fulfilled as shown by the supporting
evidence.

27
Rami Debouk


29

2.4 2.6
concept phase
Management of Functional Safety
3.4
Item Definition
3.5
Initiation of the
Safety Lifecycle
3.7
Hazard Analysis and

Risk Assessment
3.8
Functional Safety
Concept
7.5
7.6
Operation
Planning
after SOP
product dev elopment
8.4 8.13
Production
Planning
Mgmt & Quality

Advanced Engg
Product Engg
Production
Service
Product Development
System level
H/W
Level
S/W
Level
Other
Technologies
Controllability
External
Measures
4.11 Release for production
7.5
Production
7.6
Operation, Service &

Decommissioning
Back to appropriate
lif ecycle phase
Supporting Processes

30
Overview
Functional Safety Management requires:
Planning, coordinating, and documenting activities related to functional safety
Implementing management plan for all phases of the safety lifecycle, including:
Overall project-independent functional safety management activities
Safety management during development
Safety management after Start of Production (SOP)

31
Overall Project Independent Safety Management

Objectives
Define responsibilities of persons, departments and organisations in charge of each phase during the overall safety
lifecycle
Define management activities during the complete safety lifecycle
Management plan to incorporate:
Safety culture
Quality management
Continuous improvement
Training and qualification
Application of the lifecycle

32
Safety Management during Development

Objectives
To define responsibilities of the persons, departments and organisations in charge of functional safety for each
phase during development
Includes activities to ensure functional safety of the item
Includes activities for confirmation of functional safety measures
Define management activities during the development phases
Management plan to incorporate:
Allocation of safety responsibilities and duties

All safety management activities during development
Safety case
Confirmation measures for assessment of functional safety

33
Safety Management during Development

Confirmation Measures
Confirmation review
Purpose: Evaluate the safety activity work products for compliance with the requirements of ISO 26262
How: Work products are evaluated for compliance after completion of select safety activities, and a subsequent review of this
compliance evidence is conducted, resulting in confirmation review reports
Functional safety audit
Purpose: Evaluate the development process applied (as defined by the products safety plan)
How: Phased reviews during the development process, resulting in audit reports
Functional safety assessment
Purpose: Evaluate the achieved functional safety of the item

How: Progressive review of processes and safety measures applied during development to achieve functional safety of the item

34
Confirmation Measures Requirements

Depending on the work product and the ASIL assigned to safety goals, confirmation
measures are either recommended or required
In the case of required confirmation measures:
There are no requirements on the person performing the confirmation measure

The confirmation measure shall be performed by a person from a different team, not reporting to
the same direct superior
The confirmation measure shall be performed, by a person from a different department or
organization, i.e., independent from the relevant department, regarding management, resources, and
responsibility for release for production

35
Safety Management after Start of Production (SOP)

Objectives
To define responsibilities of persons, departments and organisations in charge of functional safety after SOP
Relates to general activities necessary to ensure the required functional safety of the item
Requirements
Organizational measures to achieve functional safety

Management of functional safety after SOP
Field monitoring and collection of data
Malfunction survey
Malfunction analysis
Malfunction solution

36
Part 2 Work Products
Company-specific standard for functional safety

Training and qualification program
Quality management system
Safety plan
Overall project plan
Safety case
Results of the Confirmation measures
Confirmation plan
Functional safety assessment plan
Evidence of a field monitoring process
37
Checkpoint Questions
1. What are the requirements for Project Independent Safety Management?
A.
B.
C.
D.
Safety culture and Quality management

Continuous improvement, Training, and qualification
All of the above
2. Are a Safety Plan, Confirmation Plan, and a Safety Case required Work products
A. Yes
B. No

38
A.
B.
C.
D.

All of the above
A. Yes
B. No

39
A.
B.
C.
D.

All of the above
A. Yes
B. No

40
Part 3: Concept Phase
Rami Debouk


42
Functional Safety during Concept Phase

For a given Product Item:
2) Perform a Hazard Analysis

Determine ASIL
ASIL
A, B, C, D
3) Identify Safety Goals

1) Identify relevant safety
lifecycle steps
SAFETY
GOALS
4) Identify Functional
Safety Concept
System
Requirements
System
Requirement

Functional Safety
Concept
Functional
Safety
Requirement
43
Identify relevant safety lifecycle steps

Safety Lifecycle for given item is adapted based on:
New development
Consider all safety lifecycle steps relevant
Modification of an existing component/system
Tailor safety lifecycle following an impact analysis of the modifications
Impact analysis considers the proven in use argument if original component/system was not
developed based on ISO 26262

44
Perform a Hazard Analysis

Determine ASIL
Situation Analysis & Hazard Identification
Identify potential unintended behaviors of the item that could lead to a
hazardous event.
Vehicle Usage
Environmental Conditions
Foreseeable driver use and misuse
Interaction between vehicle systems

45

Determine ASIL
RISK ASSESSMENT
Risk = Severity x Frequency x Controllability
S
ASIL
ASIL: Automotive Safety Integrity Level

46

Determine ASIL
For each identified hazardous scenario, evaluate
S0
S1
S2
S3
No injuries
Light and moderate injuries
Severe and life-threatening injuries

(survival probable)
Life-threatening injuries (survival

uncertain), fatal injuries
E0
E1
E2
E3
E4
Incredible
Very low probability
Low probability
Medium probability
High probability
C0
C1
C2
C3
Controllable in
general
Simply controllable
Normally controllable
Difficult to control or uncontrollable

47
Perform a Hazard Analysis,

Determine ASIL
Use Severity, Exposure, Controllability to set ASIL
S1
S2
S3
C1
C2
C3
E1
QM
QM
QM
E2
QM
QM
QM
E3
QM
QM
ASIL A
E4
QM
ASIL A
ASIL B
E1
QM
QM
QM
E2
QM
QM
ASIL A
E3
QM
ASIL A
ASIL B
E4
ASIL A
ASIL B
ASIL C
E1
QM
QM
ASIL A
E2
QM
ASIL A
ASIL B
E3
ASIL A
ASIL B
ASIL C
E4
ASIL B
ASIL C
ASIL D

48
Identify Safety Goals
Safety Goals are top-level safety requirement as a result of the hazard analysis and risk assessment
A safety goal is to be determined for each hazardous event evaluated in the hazard analysis
ASIL determined for the hazardous event is to be assigned to the corresponding safety goal.
Potential hazard may have more than one safety goal
If similar safety goals are determined, they can be combined into one safety goal that will be
assigned the highest ASIL of the similar goals

49
Identify Safety Goals - Combination

Hazard A
Safety Goal M
ASIL B
Fault X
Fault Y
Hazard B
Safety Goal N
ASIL C
Fault Y
Fault Z
Per analysis results, Fault Y is implicated for both

Goals M and N but since Goal N is associated with a
higher ASIL (C), safety mechanisms to cover for Fault
Y must satisfy ASIL C requirements.

50
Identify Functional Safety Concept
Functional Safety Concept

is composed of the
Functional Safety Requirements.

51
Item definition
Impact Analysis
Hazard analysis and risk assessment
Safety goals
Review of hazard analysis, risk assessment and the safety goals
Functional safety concept
Review of the functional safety requirements

52
Checkpoint Questions - Part 3: Concept Phase

1.
What determines the activities needed for a modification of a previous product?
2.
What 3 factors determine an ASIL?
3.
A.
B.
C.
D.
ASIL
Item Definition
Impact Analysis
Hazard and Risk Analysis
A.
B.
C.
Severity, Occurrence, and Detection.

Risk, Controllability and Severity.
Severity, Controllability, and Exposure
A.
B.
C.
A, B, C, D
1,2,3,4
Critical, Severe, serious, and moderate
What are the 4 ASILs

53

1.
2.
3.
A.
B.
C.
D.
ASIL
Item Definition
Impact Analysis
A.
B.
C.

A.
B.
C.
A, B, C, D
1,2,3,4

54

1.
2.
3.
A.
B.
C.
D.
ASIL
Item Definition
Impact Analysis
A.
B.
C.

A.
B.
C.
A, B, C, D
1,2,3,4

55

1.
2.
3.
A.
B.
C.
D.
ASIL
Item Definition
Impact Analysis
A.
B.
C.

A.
B.
C.
A, B, C, D
1,2,3,4

56
Part 4: Product Development: System Level
Barbara J. Czerny


58
Overview
Safety Plan
Part 4: Product development: system level
Identify and plan the functional safety activities

for each sub-phase of system development
Includes supporting processes activities
Includes methods to be used
Tailoring of the lifecycle
4-5
4-6
4-7
Initiation of Product development at the system

level
Specification of the technical safety requirements
System Design
Part 5: Product development: hardware

level
Part 6: Product development: software

level
Applies to both systems and subsystems

4-8
4-9
Item Integration and testing
Safety Validation
4-10
Functional safety assessment
4-11
Release for production

59
Example Product Development at the System Level

System
Initiation of Product development at the system

level
4-5
4-6
4-7
System Design
Sub-system B
Sub-system A
4-6
4-7
Part 5: Product
development: hardware
level
4-8.4.2
4-6
4-7
System Design
Part 6: Product
development: software
level
Part 5: Product
level
Hardware-software integration and testing
4-8.4.2
4-8.4.3
System integration and testing
4-8.4.4
Vehicle integration and testing

System Design
Part 6: Product
level
60
Specification of the Technical Safety Requirements

Objectives
Develop the technical safety requirements
Refinement of the functional safety requirements considering the preliminary architectural

assumptions
SAFETY
GOALS
Verify the technical safety

requirements comply with
the functional safety
requirements
Functional
Safety
Requirement
Verify
Describe how to implement the

Prelim. Arch.
Assumptions
Refine
Technical
Safety
Requirement
61
Specification of the Technical Safety Requirements Contd.
Specification includes
Safety-related functional and safety-related non-functional dependencies

Between systems or elements of the item and between the item and other systems
System/element response to stimuli
Safety mechanisms
Related to detection, indication and control of faults, that enable the system to achieve and
maintain a safe state,
Safety-related requirements for production, operation, maintenance and decommissioning
Define system properties
External interfaces, constraints, system configuration requirements
Specify other functional and non-functional requirements

62
System Design and Technical Safety Concept

Objectives
Develop the system design and the technical safety concept

Verify that the system design and technical safety concept comply with the technical safety
requirements specification
SAFETY
GOALS
Specify the system design based on

Functional safety concept
Preliminary architectural
assumptions
Technical safety requirements
specification
Functional
Safety
Requirement
Implementation of
Technical Safety
Requirements
Prelim. Arch.
Assumptions
Technical Safety Concept

Verify

Technical
Safety
Requirement
System
Design
Verify
63
System Design and Technical Safety Concept Contd

Requirements for avoiding systematic failures
e.g., deductive and inductive analysis to identify causes and effects of systematic failures, use well-trusted
design principles, apply properties to modular design, etc.
Overall requirements for the control of random hardware failures during operation
e.g., specify measures for detection and control, set target values for metrics in part 5 for final evaluation
at the item level, etc.
Allocate each technical safety requirement to hardware, software, or both

Allocate
Hardware
Refine
Technical
Safety
Requirement
Refine
Allocate

Software
64
System Design and Technical Safety Concept Contd.

Specify the hardware software interface (HSI)
Specify requirements for production, operation, service, and decommissioning
e.g., measures to support field monitoring, specification of diagnostic features to allow fault identification
by service personnel, etc.
Continue development at the hardware and software levels
4-6
4-7
System Design
Part 5: Product
level
Part 6: Product
level

65
Item Integration and Testing
Part 5: Product
level
Objectives
Integrate the elements of an item
4-8
Part 6: Product
level
If applicable, systems or elements of other

technologies and external measures or systems
Test the integrated item for compliance with
each safety requirement
Verify that the system design is correctly implemented by the entire item
Process
4-8.4.2
4-8
4-8.4.3
System integration and testing
4-8.4.4
Vehicle integration and testing

66
Part 5: Product
level
Safety Validation
Objectives
4-8
Evidence of compliance with the
functional safety goals
Evidence that the safety concepts are
4-9
appropriate for the functional safety of the item
Evidence that the safety goals are correct, complete, and fully achieved at the vehicle level
Part 6: Product
level
Safety Validation
Validation of safety goals is applied to the item integrated at the vehicle level
Includes: E/E system, software (if applicable), hardware, elements of other technologies, external measures
Validation plan includes
Validation test procedures for each safety goal with pass/fail criteria
Scope of the application
e.g., configuration, environmental conditions, driving situations, etc.

67
Functional Safety Assessment

Objective
Part 5: Product
level
4-8
Assess the functional safety achieved

by the item
Part 6: Product
level
4-9
4-10
Safety Validation
Functional safety
assessment
Initiated by the entity with responsibility for functional safety

e.g., the vehicle manufacturer

68
Functional Safety Assessment Contd.

Identify topics to be addressed by the
FSA for each step of the safety
lifecycle (Part 2)
Conduct Assessment
according to Part 2
Confirmation Plan
Recommendations from
previous Functional Safety
Assessments
Considering
By
Results from functional safety

audits and confirmation
reviews
Review processes & safety measures applied

during development to achieve functional
safety of the item
Acceptance
Conditional
Acceptance
Functional Safety Considered Evident
Rejection
Perform corrective actions and
reassess

69
Release for Production
Part 5: Product
level
Objective
Specify the criteria for the release for

production at the completion of item development
Confirmation that the item complies with

the requirements for functional safety
at the vehicle level
4-8
Part 6: Product
level
4-9
Functional safety
assessment
4-10
Ready for series-production and operation
Safety Validation
4-11
Release for
production
Only approved if the required work products are available and provide confidence of
functional safety
Functional safety assessment report, safety case
Requires appropriate documentation of functional safety for release for production

Name and signature of person in charge of release, Version of released item, etc.

70
Overall project plan (refined)

Safety plan (refined)
Validation plan
Functional safety assessment plan
Technical safety requirements specification
System level verification report
Technical safety concept
System design specification
Item integration and testing plan
Requirements for production, operation,

service, and decommissioning
HW/SW interface specification (HSI)
Integration testing specification
Integration testing report
Validation report
Functional safety assessment report
Release for production report

71
Checkpoint Questions - Part 4: Product Development System Level

1. Where are the safety mechanisms specified and where are they allocated to hardware and
software?
A.
B.
C.
D.
Item Definition and Hazard Analysis and Risk Assessment

Hazard Analysis and Risk Assessment
Functional Safety Concept and Functional Safety Requirements
Technical Safety Requirements and System Design
2. Which of the following is true concerning Safety Validation?

A.
B.
C.
D.
Item tested as integrated at vehicle level

Test procedures for each safety goal (pass/fail)
Within scope of driving situations, environmental conditions, configuration, etc.
All of the above

72

software?
A.
B.
C.
D.


A.
B.
C.
D.

All of the above

73

software?
A.
B.
C.
D.


A.
B.
C.
D.

All of the above

74
Part 5: Product Development: Hardware Level
Rami Debouk


76
Overview
Identify relevant safety lifecycle steps for item
hardware engineering
Identify Hardware safety requirements
Design hardware, protecting for safety concerns
Assess architectural constraints
Evaluate probability of violation of a safety goal
Hardware safety integration and test
Technical Safety
Concept (Part 4)
Hardware Safety
Requirements
Hardware Design
& Verification
Architectural
Constraints
Probability
of Safety Goal
Violation
Hardware Integration
& Testing

77
Establish Target Safety Goal Metrics

Single Point
Fault metric
Single Point
& Residual
Faults
All
Faults
Latent Multiple
Point Fault metric
Single Point Fault: fault leads directly to the violation of the safety goal
Residual Fault: portion of a fault, not covered by a safety mechanism, that by itself leads to
the violation of a safety goal
Dual/Multiple Point Fault: combination of two/multiple independent faults that leads
directly to the violation of a safety goal
Latent Fault: multiple point fault whose presence is not detected by a safety mechanism nor
perceived by the driver
Safe Faults: fault whose occurrence will not significantly increase the probability of violation
of a safety goal

Undetected
Dual Point
Faults
Single Point
& Residual
Faults
ASIL
Single Point
Fault Metric
Latent
Multiple Point
Fault Metric
> 90%
> 60%
>97%
>80%
>99%
>90%
78
Evaluating violation of Safety Goal target metrics due to random

hardware failures
to provide criteria to demonstrate that the risk of safety goal violation
due to random hardware failures of the item is sufficiently low.
Method 1: Probabilistic Method for Random Hardware

Failure
Quantitative analysis to evaluate
probability of violation of safety goal.
Latent fault metric targets
Metrics are compared to target goals to demonstrate
achievement of safety goal
Method 2: Residual Risk

Assessment Method
Evaluation of residual risks due to

random hardware failures of the item,
to show that the residual risk is
sufficiently low.

79
Method 1:
Probabilistic Method for Random Hardware Failure

Compute probability of violation of each safety goal due to random hardware failures and then
compare it to a target value
Quantitative target values for maximum probability of violation of each safety goal due to random
hardware failures are defined from sources such as:
1. Quantitative analysis on similar well-trusted designs, using well known failure rate databases.
2. Derived from field data of similar well-trusted designs
3. Derived from Table G-1
ASIL Level
D
Random hardware failure target

values
< 10-8 per hour
< 10-7 per hour
< 10-7 per hour
< 10-6 per hour

80
Method 1:
Probabilistic Method for Random Hardware Failure

Quantitative Analysis considers:
a)
b)
c)
d)
e)
f)
g)
Single point faults, residual faults, dual point faults

Item architecture
Estimated hardware part failure rates (all modes) for single point faults
Estimated hardware part failure rates for dual point faults
Diagnostic coverage (Tables B.1-B.12 may be used)
Exposure duration (in case of multiple point faults)
Remaining dependent faults due to random hardware faults

81
Method 2 Residual Risk Evaluation Method

Individually evaluate each single point fault, residual fault and dual point failure
of the hardware parts which violate the considered safety goal.
Defines Failure Rate Classes based on random hardware failure targets :
Failure Rate Class 1 < 10-10

82
Method 2 Evaluation Method Single Point Faults

A single point fault occurring in a hardware part shall be considered as acceptable, if the
corresponding hardware part failure rate is:
ASIL of
Safety Goal
Failure Rate Class
Class 1 (10-10) +
dedicated measures to ensure Class 1
Class 2 (10-9) +
dedicated measures to ensure Class 2
OR Class 1 (10-10)
Class 2 (10-9)
OR Class 1 (10-10)

83
Hardware Integration & Testing
To ensure, by testing, the compliance of the integrated hardware elements with the hardware safety
requirements

84
Overall project plan (refined)

Hardware safety requirements specification
(including test and qualification criteria)
Hardware architectural metrics requirements
Random hardware failure requirements
Hardware-software interface specification (refined)
Hardware safety requirements verification report
Hardware design specification
Hardware safety analysis report
Hardware design verification report
Requirements for production and operation

Assessment of the effectiveness of the system architecture to
cope with the hardware random failures
Review report of assessment of the effectiveness of the
system architecture to cope with the hardware random
failures
Evaluation of random hardware failures
Specification of dedicated measures
Review report of evaluation of violation of the safety goal
due to random HW failures
Hardware integration and verification report

85
Checkpoint Questions - Part 5: Product Development Hardware Level

1. What is the Single Point Fault Metric requirement for ASIL D?
A.
B.
C.
D.
>99%
>97%
>90%
None of the above
2. What is the Latent Fault Metric requirement for ASIL C?

A.
B.
C.
D.
>90%
>80%
>60%
None of the above

86

A.
B.
C.
D.
>99%
>97%
>90%
None of the above
2. What is the Latent Fault Metric requirement for ASIL D?

A.
B.
C.
D.
>90%
>80%
>60%
None of the above

87

A.
B.
C.
D.
>99%
>97%
>90%
None of the above
2. What is the Latent Fault Metric requirement for ASIL D?

A.
B.
C.
D.
>90%
>80%
>60%
None of the above

88
Break

Part 6: Product Development: Software Level
Barbara J. Czerny


91
Part 6 Overview
Part 6: Product development: Software level
Planning
6-5
Software development activities wrt functional safety

Supporting processes
Methods to achieve requirements of assigned ASIL
Guidelines and tools
Coordination with product development at hardware level
Lists requirements to be satisfied for each phase of

the software development lifecycle
Dependent on ASIL
6-6
6-7
6-8
6-9
Initiation of Product development at the software

level
Specification of software safety requirements
System Architectural Design
Software unit design and implementation
Software unit testing
6-10
Software integration and testing
6-11
Verification of software safety requirements

92
Part 6 Overview Contd.
ASIL of software safety requirements flows down

Requires qualification of software tools used for
software development (Part 8 Clause 11)
Requirements Flow Down

ASIL
Identifies criteria to be addressed in design and

coding guidelines
e.g., use of language subsets, support for abstraction and

modularity,
strong typing,

Allocation to HW/SW
93
Tailoring of the lifecycle at the software level based on:
Evaluate work products to ensure they

meet previously established requirements
Reference Phase Model for the Software Development

Ensure that the item developed, or

parts of it, comply with the
requirements
94
Specification of Software Safety Requirements

Objectives
6-6 Spec. of SW
Safety Reqs.
Specify the SW safety requirements

from the technical safety requirements
(including their ASIL) and the system design specification
6-11 Verif. of
SW Safety Reqs
6-7 SW Arch.
Design
6-10 SW
Integration Tstg.
Detail the hardware-software interface requirements
Verify that the SW safety requirements are consistent with the

technical safety requirements and the system design
specification
6-9 SW Unit
Testing
6-8 SW Unit
Des. & Imp.
SAFETY
GOALS
Functional Safety
Concept
Functional
Safety
Requirement
Technical Safety
Concept
System Design
6-5 Spec. of SW
Safety Reqs.
Compliant with technical safety requirements and

system design, and consistent with relevant
hardware safety requirements

Technical
Safety
Requirement
Verify
Refine /
Allocate
Software Safety
Requirements
System
Design
Verify
95
Software Architectural Design
6-6 Spec. of SW
Safety Reqs.
Objectives
Develop a SW architectural design that
Realizes the software safety requirements
Verify the SW architectural design
6-11 Verif. of
SW Safety Reqs
6-7 SW Arch.
Design
6-10 SW
Integration Tstg.
6-9 SW Unit
Testing
6-8 SW Unit
Des. & Imp.
Gives requirements for notations for SW architectural design

Goal appropriate levels of abstraction
Includes design principles to apply to achieve modularity, encapsulation, minimum complexity

e.g., hierarchical structure, restricted size of SW components/interfaces
Allocates SW safety requirements to the SW components

SW components of different ASILs
SW Safety Reqs
Treat as belonging to the highest ASIL

Exception: adequate freedom from
interference between SW components
ASIL A
SW
Comp1 SW
Comp1 SW
Comp 1
ASILs A,C,D
ASIL D
SW
Comp 3
SW
Comp 2
ASIL B
96
Software Architectural Design Contd.
Safety analysis (Part 9-8) applied to the software architecture to

Help identify and confirm safety-related characteristics
Support specification of the safety mechanisms
Requirements for addressing error detection
e.g., plausibility checks, detection of data errors, control flow monitoring,
Requirements for addressing error handling
e.g., static recovery mechanisms, graceful degradation, correcting codes for data,
Specifies verification requirements
Includes control flow analysis, data flow analysis, inspections, etc.

6-6 Spec. of SW
Safety Reqs.
Design
Guidelines
Compliant
Adherent
6-7 SW Arch.
Design

Target
Hardware
Compatible
97
Software Unit Design and Implementation

6-6 Spec. of SW
Safety Reqs.
Objectives
Specify the software units in accordance

6-7 SW Arch.
Design
with the software architectural design
and the associated software safety
6-8 SW Unit
Des. & Imp.
requirements
Implement the software units as specified
Verify the design of the software units and their implementation
6-11 Verif. of
SW Safety Reqs
6-10 SW
Integration Tstg.
6-9 SW Unit
Testing
Notation requirements based on ASIL
To allow subsequent development activities to be performed correctly and effectively
Specifies design principles to apply to achieve robustness, testability, simplicity,

e.g., one entry and one exit point in subprograms and functions, limited use of pointers,

98
Software Unit Design and Implementation Contd.

Specifies verification requirements
Control flow analysis, data flow analysis, static code analysis, walkthroughs,
inspections,
6-6 Spec. of SW
Safety Reqs.
Completeness
Coding
Guidelines
6-7 SW Arch.
Design
Compliant
Source
Code Spec.
Completeness
Compliant

6-8 SW Unit
Des. & Imp.
HardwareSoftware
Interface
Compliant
Target
Hardware
Compatible
99
Software Unit Testing
Objective
Demonstrate that the software units satisfy their

specification and do not contain undesired functionality
6-7 SW Arch.
Design
Addresses
6-6 Spec. of SW
Safety Reqs.
6-8 SW Unit
Des. & Imp.
6-11 Verif. of
SW Safety Reqs
6-10 SW
Integration Tstg.
6-9 SW Unit
Testing
SW unit test planning

Selection of test methods
Interface test, resource usage test,
Methods for deriving test cases to demonstrate appropriate specification of test cases
Analysis of requirements, boundary value analysis,
Test environment requirements
As close as possible to the target environment
Evaluation criteria
Compliance with expected results, & pass or fail criteria
Demonstrates
Compliance with the SW unit design specification and the HW/SW interface
Correct implementation of the functionality
Absence of unintended functionality
robustness
100
Software Integration and Testing
6-5 Spec. of SW
Safety Reqs.
Objectives
Integrate the software components

Demonstrate that the software architectural
design is correctly realized by the embedded
software
6-6 SW Arch.
Design
6-7 SW Unit
Des. & Imp.
6-10 Verif. of
SW Safety Reqs
6-9 SW
Integration Tstg.
6-8 SW Unit
Testing
Addresses
Planning
Selection of test methods to demonstrate that the SW components and embedded SW achieve
Compliance with the architectural design and the HW/SW interface

Correct implementation of the functionality
Robustness
Sufficiency of the resources to support the functionality
Example test methods - Fault injection, resource usage tests,
Methods for deriving test cases
Analysis of requirements, boundary value analysis,
Requirements on the test environment

101
Verification of Software Safety

Requirements
6-6 Spec. of SW
Safety Reqs.
Objective
6-7 SW Arch.
Design
Demonstrate that the embedded

software fulfills the software safety
requirements in the target environment
6-8 SW Unit
Des. & Imp.
6-11 Verif. of
SW Safety Reqs
6-10 SW
Integration Tstg.
6-9 SW Unit
Testing
Addresses
Planning
Selection of test environments
Hardware-in-the-loop, vehicles,
Execution on the target hardware

Evaluation criteria
Compliance with expected results, coverage of the software safety requirements, pass/fail criteria

102

Software verification plan
Design and coding guidelines for modelling
and programming languages
Software tool application guidelines
Software safety requirements specification
Hardware-software interface specification
(refined)
Software verification plan (refined)
Software verification report

Software architectural design specification
Safety analysis report
Dependent failures analysis report
Software unit design specification
Software unit implementation
Software verification specification (refined)
Embedded software

103
Checkpoint Questions - Part 6: Product Development Software Level

1. Do software requirements inherit an ASIL?
A. Yes
B. No
2. Do Software components always inherit the highest ASIL?

A. Yes
B. No
3. Where is the verification of software safety requirements executed?

A.
B.
C.
D.
On the target system

In the system model
In the software to software integration phase
None of the above

104

A. Yes
B. No

A. Yes
B. No

A.
B.
C.
D.

In the system model
None of the above

105

A. Yes
B. No

A. Yes
B. No

A.
B.
C.
D.

In the system model
None of the above

106

A. Yes
B. No

A. Yes
B. No

A.
B.
C.
D.

In the system model
None of the above

107
Barbara J. Czerny


109
Production and Operation
Specifies requirements on production, operation, service, and decommissioning
Production objectives
Develop a production plan for safety-related products

Ensure that the required functional safety is achieved during the production process
Planning
Includes planning for safety-related special characteristics
e.g., temp. range for specific processes, material characteristics, configuration
Considers requirements for production, conditions for storage, transport, and handling of hardware elements,
approved configurations,
Describes, as applicable production process flow and instructions, production tools and means,
Requirements for production
Implementation of the planned production process, Analysis of process failures and monitoring of corrective
measures,

110
Production and Operation Contd.
Operation, service (maintenance and repair), and decommissioning objectives
Define the scope of customer information, and maintenance and repair instructions regarding the safety-related
products in order to maintain the required functional safety during operation of the vehicle
Provide the requirements concerning activities addressing safety issues before disassembly
Planning
Considers requirements for operation, the warning and degradation concept, measures for field data collection and
analysis,
Maintenance plan describes methods required for maintenance including steps, intervals, means of maintenance,
and tools
User manual requirements
Relevant functions and operating modes, how to use them in the intended way, required maintenance activities,
warnings regarding known hazards resulting from interactions with third party products,

111
Production and Operation Contd.

Operation
Field monitoring process for functional safety events related to the item needs to be implemented as
planned
Requirements for decommissioning activities need to be developed

Measures to be taken before disassembling the vehicle
Emphasis on deactivating the systems or elements that would lead to violation of a safety goal if activated
during disassembly or decommissioning

112

Production plan (refined)
Production Control plan (refined)

Documentation of performed control
measures
If applicable, requirements on
producibility at system, hardware or
software development level
Assessment report for capability of the
production process
Maintenance plan (refined)

Repair instructions
User manual
Instructions regarding field observations
Instructions for decommissioning
If applicable, requirements concerning
operation, maintenance and decommissioning
at system, hardware or software development
level

113
1. What requirements are specified in the clause on Production and Operation?
A.
B.
C.
D.
Production
Operation
Service and decommissioning
All of the above

114
1. What requirements are specified in the clause on Production and Operation?
A.
B.
C.
D.
Production
Operation
Service and decommissioning
All of the above

115
Part 8: Supporting Processes
Barbara J. Czerny


117
Requirements for Supporting Processes

Objective
Consolidate common requirements to maintain consistency
Supporting Processes
Interfaces within distributed developments

Specification and management of safety requirements
Configuration management
Change management
Verification
Documentation
Qualification of software tools
Qualification of software components
Qualification of hardware components
Proven in use argument

118
Clause 5: Interfaces Within Distributed Developments

Objective
Describe procedures and allocate responsibilities within distributed developments ( e.g.,

vehicle manufacturer and supplier) for items and elements
Supplier selection criteria
Evaluate the suppliers capability to develop and produce items of comparable

complexity and ASIL according to ISO 26262
Suppliers quality management system, experience, capability in developing products of

comparable complexity and ASIL,

119
Clause 5: Interfaces Within Distributed Developments Contd.
Development Interface Agreement (DIA) specifying:
Coordination of supporting processes and tools
Safety managers at the customer's and supplier's

Joint tailoring of the safety lifecycle, with identification of activities and processes to be performed by the customer and by the
supplier;
The information required; work products to be exchanged; persons responsible
Communication of target values (derived from system level targets) specified to fulfil the targets for single point faults metric
and latent faults metric, and evaluation of violation of the safety goal due to random hardware failures
Including interfaces assuring compatibility between the customer and the supplier
Adequate customer access to supplier work products to allow completion of safety case
Information related to execution of DIA, including Safety Assessment at the suppliers facility, and postproduction support

120
Clause 5: Interfaces within distributed environments

Work Products
Supplier selection report

Development Interface Agreement
Suppliers project plan
Suppliers safety plan
Safety Assessment Report
Supply agreement

121
Clauses 6 through 10: Existing engineering processes

Include requirements for existing engineering processes
Accommodate the functional system safety activities defined in other parts of the standard
Engineering process capabilities addressed include:
Clause 6: Specification and Management of safety requirements

Clause 7: Configuration Management
Clause 8: Change management
Clause 9: Verification
Clause 10: Documentation

122
Clause 6 Specification and Management of Safety Requirements

Objectives
Ensure correct specification of safety requirements with respect to attributes and

characteristics
Support consistent management of safety requirements throughout the safety lifecycle
Clause includes requirements for
Notations for the specification of safety requirements

Attributes and characteristics of safety requirements
Unambiguous and comprehensible, atomic, internally consistent
Properties for the collection of safety requirements
Hierarchical, complete, externally consistent, maintainable,
Management of safety requirements
Traceability, configuration management, verification
Work Product Safety Plan (refined)

123
Clause 7 Configuration Management

Objective
Ensure unique identification and reproducibility of work products at any time

Ensure traceability of relationships and differences between earlier and current versions
Compliance with the requirements of ISO TS 16949, 4.2.3 and ISO 12207, 6.2
Work products listed in ISO 26262 are subject to configuration management
Tools subject to configuration management
Software tools and software development environments
Test tools and test environments
Work product configuration management plan

124
Clause 8 Change Management
Objective
The analysis and management of changes to safety-related work products occurring throughout the safety
lifecycle
Involves
Systematically planning, controlling, monitoring, implementing, and documenting changes, while maintaining
consistency of all work products
Planning and initiating change management

Change requests
Unambiguously identified, author, reason for change, exact description,
Impact analysis of the change requests
Type of change, affected work products, impact on functional safety ...
Deciding on a change request

Carrying out and documenting the change

125
Clause 8 Change Management Work Products
Change management plan

Change request
Impact analysis
Change request plan
Change report

126
Clause 9 Verification
Objective
Ensure that all work products

are correct, complete, and consistent
meet the requirements of ISO 26262
Planning of verification
Specification of verification
Selection and specification of verification methods, specification of test cases,
Execution of verification
Verification shall be executed as planned and specified
Evaluation of verification
Requirements on the evaluation of the verification results
Work products verification plan, specification of verification, verification report

127
Clause 10 Documentation
Objectives
Develop a documentation management strategy so that every phase of the entire safety lifecycle
can be executed effectively and can be reproduced

Availability of documentation
Content of documentation
e.g., precise and concise, structured in a straightforward manner, easy to understand, maintainable, etc.
Work Products document management plan, documentation requirements

128
Clause 11 Qualification of Software Tools

Objective
Provide evidence of SW tool suitability for use in developing a safety-related item or element
Confidence in correct execution of activities and tasks required by ISO 26262
Clause includes
Planning of qualification of a software tool

Classification of a software tool
Tool impact
Possible violation of safety requirement if tool is malfunctioning or producing erroneous output (TI0 no
possibility, TI1 possibility)
Tool detection
Possibility of preventing or detecting that the software tool is malfunctioning or producing erroneous output
(TD1 TD4)
Tool confidence level
Based on tool impact and tool detection determinations (TCL1 TCL4)

129
Clause 11 Qualification of software tools

Methods for qualifying software tools
For TCL2, TCL3, and TCL4

Increased confidence from use
Evaluation of the development process
Validation of the software tool
Development in compliance with a safety standard
Dependent on Tool
Confidence Level
and ASIL
Description of each method for qualification

Verification requirements of the qualification of software tools
Work Products software tool classification analysis, software tool qualification
plan, software tool documentation, software tool qualification report

130
Clause 12 Qualification of Software Components

Objectives
To enable the re-use of existing software components as part of items, systems, or elements developed in
compliance with ISO 26262 without completely re-engineering the software components
To show their suitability for re-use
Required information to treat a software component as qualified

Specification of the software component
Evidence that the software component complies with its requirements
Evidence that the software component is suitable for its intended use
Requirements on the verification of the qualification of a software component
Work Products software component documentation, software component qualification

report

131
Clause 13 Qualification of Hardware Components

Objectives
To show the suitability of intermediate level hardware components and parts for their use as part
of items, systems, or elements, developed in compliance with ISO 26262
Concerning their functional behavior and their operational limitations
Provide relevant information regarding

Failure modes and their distribution
Diagnostic capability with regard to the safety concept for the item

132
Clause 13 Qualification of Hardware Components Contd.

Qualification using analysis and/or testing
Ensure that the functional performance of components is adequate for the purposes of the safety concept
Identify failure modes and models by using appropriate tests or analyses
Ensure sufficient robustness and evaluate limitations of component use
Requirements on qualification by analysis and testing

Requirements on qualification report
Pass/fail with respect to the operating envelope
Verification of the qualification report
Work Products
Qualification plan
Hardware component testing plan, if applicable
Qualification report

133
Clause 14 Proven in use

Objective
Provide guidance for proven in use argument
Alternate means of compliance with ISO 26262 requirements

May be used in case of reuse of existing items or elements
when field data is available
Proven in use credit does not eliminate need for

integration safety lifecycle activities
Considers:
Service period for the item/element
Changes to the candidate for a future
application

134
Clause 14 Proven in use

Requirements on analysis of field data
Configuration management and change control applied to candidate
Target values for proven in use
Observable incident rate must not exceed targets for the ASIL of the
candidate
Observable incident is a failure that is reported to the
Table 7 Targets for minimum
manufacturer and caused by the candidate with the
service period for candidate
potential to lead to the violation of a safety goal
Mi nimum service
Field problems need to be recorded and retrievable
Work Products
Proven in use credit

Definition of candidate for proven in use argument
Proven in use analysis reports
ASIL
period without
observable incident
(hours)
1.2 109
1.2 108
1.2 108
1.2 107
135
Checkpoint Questions - Part 8: Supporting Processes

1.
What specifies the interfaces between a manufacturer and supplier in a distributed development?
2.
What tools are subject to configuration management?
3.
4.
A.
B.
C.
The system specification

The purchase order
The Development Interface Agreement (DIA)
A.
B.
C.

All of the above
A.
B.
C.
Ensure that all work products are correct, complete, and consistent
Ensure that all work products meet ISO 26262 requirements
All of the above
A.
B.
C.
D.
Definition of the candidate for proven in use argument

Analysis of changes to the candidate
Analysis of field data
All of the above
What is the objective of verification?
What is required for a Proven in Use Argument?

136

1.
2.
3.
4.
A.
B.
C.

The purchase order
A.
B.
C.

All of the above
A.
B.
C.
All of the above
A.
B.
C.
D.

All of the above

137

1.
2.
3.
4.
A.
B.
C.

The purchase order
A.
B.
C.

All of the above
A.
B.
C.
All of the above
A.
B.
C.
D.

All of the above

138

1.
2.
3.
4.
A.
B.
C.

The purchase order
A.
B.
C.

All of the above
A.
B.
C.
All of the above
A.
B.
C.
D.

All of the above

139

1.
2.
3.
4.
A.
B.
C.

The purchase order
A.
B.
C.

All of the above
A.
B.
C.
All of the above
A.
B.
C.
D.

All of the above

140
Part 9: ASIL-oriented and Safety-oriented Analyses
Rami Debouk


142
ASIL-oriented and safety-oriented analyses
Requirements decomposition with respect to ASIL tailoring

Criteria for coexistence of elements
Analysis of Dependent Failures
Safety Analyses

143

Objectives
Decomposing safety requirements into redundant safety requirements (not necessarily identical) to allow
ASIL tailoring at the next level of detail
In this decomposition, the relevant safety goal is only violated if both elements fail simultaneously
Some Requirements
ASIL decomposition is performed considering each allocated safety requirement of the element
Initial safety requirements are implemented by sufficiently independent elements and redundant safety
requirements are derived for each of these elements

144

Updated architectural
information
Update of ASIL as attribute of
safety requirements and elements
ASIL D Safety Reqt (e.g., no RAM

errors for safety-critical variables)
ASIL A (D) Element

(e.g., Dual store of safetycritical variables)
ASIL C (D) Element

(e.g., Main C)
ASIL B (D) Element

(e.g. ECC)

ASIL A (D) Element

(e.g., Software
RAM tests)
ASIL A (D) Element

(e.g., Verify safetycritical variable against
copy before use)
145

Objectives
Provide criteria for coexistence within the same element of
safety-related sub-elements with non-safety-related ones

safety-related sub-elements assigned different ASILs
Can be beneficial to avoid raising the ASIL of sub-elements

146

Requirements
A non-safety-related sub-element coexisting in the same element with safety-related sub-element(s) shall only
be treated as a QM sub-element, if it has no functional dependency with any of the safety requirements allocated
to the element and it does not interfere with any other safety-related sub-elements of the element
In the case of coexistence in the same element of safety-related sub-elements with different ASILs, a subelement shall only be treated as a lower ASIL sub-element if it is shown that it does not interfere with any other
sub-element assigned a higher ASIL, for each of the safety requirements allocated to the element

147

Objective
Identify any single event or single cause that could bypass or invalidate the independence or freedom
from interference between elements of an item required to comply with its safety goals
Requirements
Identification of potential for dependent failures from safety analyses

Evaluation for dependent failures in order to determine if a reasonably foreseeable cause exists which
will cause the dependent failures to occur and violate a safety goal
Resolution of dependent failures in change requests to mitigate the root cause in the sub-phases of the
safety lifecycle for which analysis of dependent failure is applied

148

Results of analyses of dependent failures

Change requests for confirmed dependent failures

149
Safety Analyses
Objectives
To examine the influence of faults and failures on items or elements regarding their
architecture, functions and behaviour
Provide information on conditions and causes that could lead to violation of a safety
goal or safety requirement
Contribute to the identification of new functional or non-functional hazards not
previously considered during hazard analysis and risk assessment

150
Safety Analyses
Requirements
Carried out according to the ASIL assigned to the item or element
Performed according to national, international or other appropriate standards or guidelines
Provide measures and apply them to faults or failures that could potentially violate the safety goals
or safety requirements
Implement the above measures as part of the product development
The results of the safety analyses is used to determine the need for additional safety-related test
cases
The results of the safety analyses are documented and reviewed

151
Checkpoint Questions - Part 9: ASIL-oriented and

Safety-oriented Analyses
1.
ASIL Decomposition is about decomposing safety requirements into identical redundant requirements
2.
Why perform dependent failure analysis?
A.
B.
True
False
A.
B.
To reduce the ASIL requirement of a component

To identify any single event or single cause that could bypass or invalidate the independence required to satisfy the safety goals
of a system.
To analyze field data
All of the above
C.
D.

152

1.
2.
A.
B.
True
False
A.
B.

of a system.
All of the above
C.
D.

153

1.
2.
A.
B.
True
False
A.
B.

of a system.
All of the above
C.
D.

154
Key Aspects that Have Evolved Over Time During ISO/DIS 26262
Development
What is meant by malfunctioning behavior?
Includes more than just failures of an item
Also includes unintended behaviours of an item with respect to its design intent and interactions between
E/E safety-related systems
Requirement for manufacturers to ensure proper decommissioning of systems

Changed to a should
Not possible in all cases for manufacturers to ensure this
From prescriptive to goal-based
Methods listed in tables are now related to satisfying a specific goal

Change required a restructuring and reinterpretation of tables and introduction of a goals clause related
to methods in the tables

155
Summary
Background of ISO 26262
What is it?
What are the origins of ISO 26262?
Differences between IEC 61508 and ISO 26262
Status of ISO 26262

Overview of each part of the standard
Objectives, requirements, and work products
Overview of key aspects that have evolved over time

156
Q&A

BACKGROUND

158
ISO 26262 Terms

Safety Element out of Context (SEooC)
Item Development
3 - 7 Hazard analysis and risk
Hazard
analysis
and risk
assessment
Hazard
analysis and
risk assessment
Hazard
analysis
and risk
SEooC Development
Hazard analysis
and risk assessment
assessment
Assumptions
on safetyon
goals
( ASIL
Assumptions
safety goals
Safety Element out of Context
(ASIL
of per
Safety
out of Context)
Capability
systemElement
failure
)
8- 6 Over all manage ment of saf et y r equi r e ment s
Over all manage ment of saf et y r equi r e ment s
Concept phase
Pr oduct devel op ment
assessment
3 - 7 Hazard analysis and risk
ASIL
Capability
ASIL
Capability
Subsystem,
Hardware or
Software developed
with assumed
requirements (e.g.,
ASIL), confirmed
when used in an
Item
assessment
Specification
Specification
of safety goals
of safety
Assumptions on functional safety
3 - 8 Functional
safety
concept concept
Functional
safety
Assum ptions onconcept

functional safety concept
Assumptions on functional safety
Assumptions on
functional safety requirements
requirements
4 - 6 Specification of technical safety

Specification ofconcept
technical
goals
Specification of functional safety
Specification ofrequirements
functional safety requirements
safety concept
Specification ofof
technical
safety safety requirements
Specification
technical
requirements
4 - 7 System
design
System
design
System
designdesign
specification
System
specification
5 -6
Specification of HW safety
Specificationrequirements
of HW safety requirements
Hardware
safety
Hardw
arerequirements
safety requirements
6 - 6 Specification of SW safety
Specification
of SW safety requirements
requirements
Software
safety
Softw
arerequirements
safety requirements

159

160

Iso 26262tutorial 2010 Final

Uploaded by

Copyright:

Available Formats

Iso 26262tutorial 2010 Final

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Iso 26262tutorial 2010 Final

Uploaded by

Copyright:

Available Formats

What is the scope of ISO 26262?

What is the scope of ISO 26262?

What are the main parts of ISO 26262?

What are the main parts of ISO 26262?

ISO 26262

Functional Safety Draft International Standard for Road Vehicles:

Barbara J. Czerny, Joseph DAmbrosio, Rami Debouk,

ISO 26262 Road Vehicles - Functional Safety

It conveys the content of the standard as it is currently drafted

ISO 26262 Road Vehicles - Functional Safety

ISO 26262 Road Vehicles - Functional Safety

ISO 26262 Road Vehicles - Functional Safety

What is ISO 26262?

Applies to all activities during the safety lifecycle of

Does not apply to E/E systems in special purpose vehicles

ISO 26262 Road Vehicles - Functional Safety

Origins of ISO 26262 (Automotive IEC 61508)

ISO 26262 Road Vehicles - Functional Safety

ISO 26262 Working Group 16

Ch. Jung, Independent Consultant

BMW, Daimler , VW, Bosch, Continental

PSA, Renault, Continental, Valeo

Landrover, MIRA, Renesas

Delphi, Volvo Cars, AB Volvo, Mecel

Centro Ricerche Fiat, Fiat Auto, TRW

Denso, Hitachi, Honda, Nissan, Toyota

GM, IBM, TRW,

Nissan, Toyota Motor Europe

Active membership as of 10/2007

Whats the Difference Between IEC 61508 and ISO 26262?

Includes a quantitative target for the probability of a

No exact mapping between SILs and ASILs

4. Focus on safety functions

1. IEC 61508 Automotive Sector adaptation

Provides requirements to achieve acceptable level of risk

No exact mapping between SILs and ASILs

4. Focus on safety goals

ISO 26262 Road Vehicles - Functional Safety

Prescriptive (IEC 61508) vs. Goal-Oriented (ISO 26262)

Example of Part 4 Table 2 System design verification

System design inspectiona

System design walkthrougha

System prototyping and vehicle tests b

Methods 2a and 2b can be used advantageously as a fault injection technique.

For conducting safety analyses, see ISO 26262-9: , Clause 8.

Source: ISO/DIS 26262

More Facts About ISO/DIS 26262

Focus is on possible hazards caused by malfunctioning behavior of E/E safety-related systems

Supports distributed development

Safety plan & safety goals

Corresponds to automotive product lifecycle

Includes interactions between E/E safety-related systems

Process Framework includes the following process steps/deliverables:

failures or unintended behaviours of an item with respect to its design intent

e.g., division of work between OEMs/suppliers

Hazard analysis corresponds to automotive use cases

ISO 26262 Road Vehicles - Functional Safety

Overview of ISO/DIS 26262

Source ISO/DIS 26262