iso 26262 update on development of the standard - nmi · 2017. 12. 1. · o iso/pas 19451 and new...
TRANSCRIPT
© HORIBA MIRA Ltd. 2016
© HORIBA MIRA Ltd. 2016
Click to edit Master title
style
Dr David Ward
Senior Technical Manager
Functional Safety
June 2016
ISO 26262
Update on development of
the standard
© HORIBA MIRA Ltd. 2016
Agenda
Why update ISO 26262?
What is the process for updating the standard?
Current status of Edition 2 draft and key changes
Wider standardization activities
Conclusion and outlook
June 2016 2
© HORIBA MIRA Ltd. 2016
A frequently asked question …
ISO 26262 was officially published on 15 November 2011
Almost immediately on 16 November 2011 …
June 2016 3
What’s going to
be in Edition 2 of
the standard?
© HORIBA MIRA Ltd. 2016
Why update ISO 26262?
Specific requirements to adapt ISO 26262 to
- Extend scope to other types of vehicles (motorcycles, trucks, buses)
o Motorcycles ISO/PAS 19695 and new Part 12 in Edition 2
- Give additional guidance on semiconductor devices
o ISO/PAS 19451 and new Part 11 in Edition 2
- Address ADAS-related hazards caused by “normal operation” of the
sensors
o Currently will be developed as a separate PAS (ISO/PAS 21448)
Other challenges include
- Addressing highly distributed architectures
- Moves towards highly automated vehicles
- Cybersecurity
June 2016 4
© HORIBA MIRA Ltd. 2016
ISO timescales
- Require at least 3 years from first publication before revision starts
- Likely timescale for full Edition 2 is ~ 2018 based on a 36 month project
- Specific needs will be addressed earlier in a PAS (Publicly Available Specification)
Timescales are approximate and may be subject to change!
Preparation CD
ballot Comments processing
DIS ballot
Comments processing
FDIS ballot
Publication
Timescales for the revision (simplified)
June 2016 5
January 2016 September 2016 September 2017 January 2018
We are here! The DIS version is being prepared …
© HORIBA MIRA Ltd. 2016
Key changes being considered for Edition 2
Disclaimer: The DIS candidate is an internal committee document and many
of the concepts are still subject to discussion and change!
Key changes to be covered today include
- Structure of the standard
- Vocabulary – definition of FTTI
- Safety management – process aspects, confirmation measures, link to
cybersecurity
- Concept phase – item definition, E0*, examples
- Product development at the hardware level
- Product development at the software level
- Supporting processes
- Semiconductors
- Extensions to other types of vehicles
June 2016 6
© HORIBA MIRA Ltd. 2016
The structure of ISO 26262 Edition 2
June 2016 7
Part 1 Vocabulary
Part 2 Management of functional safety
Part 8 Supporting processes
Part 3 Concept
phase
Part 10 Guideline on ISO 26262 (informative)
Part 7
Production,
operation,
service and
decommission-
ing
Part 4 Product development: system level
Part 5 Product
development:
hardware level
Part 6 Product
development:
software level
Part 9 ASIL-oriented and safety-oriented analyses
Part 12
Adaption of
ISO 26262 for
motorcycles
Part 11 Guideline on application of ISO 26262 to semiconductors (informative)
© HORIBA MIRA Ltd. 2016
Fault tolerant time interval
June 2016 8
Fault Hazardous event
Normal
operation Hazardous event develops
Fault tolerant time interval
Time
© HORIBA MIRA Ltd. 2016
Fault tolerant time interval
June 2016 9
Fault Hazardous event
Normal
operation Hazardous event develops
Fault tolerant time interval
Time
Fault Fault detection
Normal
operation
Transition to safe
state Safe state
Undetected
fault
Diagnostic test intervals Fault reaction time
Time
Fault detection interval
© HORIBA MIRA Ltd. 2016
Functional safety management
Many “planning” activities being moved into Part 2 so that most process-
related requirements are in that Part
Key new requirement to create and maintain effective communication
channels between functional safety and other disciplines that are related to
functional safety
- Cybersecurity is the key activity in mind here but other disciplines can also
be related
New Annex showing example interfaces between functional safety and
cybersecurity
- Will not mention specific cybersecurity work products
Revisions to confirmation reviews – now much more focussed on
“assessment” style than simply a tick-box exercise
June 2016 10
© HORIBA MIRA Ltd. 2016
Concept phase
Still some debate over meaning of “item” definition vs “function” definition
Previous proposal to include a new class E0* for combination of rare events
(e.g. EV crashes and it’s into a lake and HV is exposed)
- Will not be included currently, but considering possibility to reduce { S3,
C3 , E1 } from ASIL A to QM if an additional argument is provided
Annex B tables likely to be shortened to emphasize they are examples
June 2016 11
© HORIBA MIRA Ltd. 2016
Product development at the hardware level
Evaluation of safety goal violations due to random hardware failures
- Probabilistic metric (PMHF / Method 1)
o Possibility to increase target values by up to one order of magnitude for items
composed of multiple systems
- Previous proposal for a new “residual risk assessment method” proposed
to be withdrawn
Example architectures for fault tolerant implementations
June 2016 12
© HORIBA MIRA Ltd. 2016
ISO 26262 Part 6 reference phase model
June 2016 13
Item testing
Software analysis and testing
Design phase verification
4-7 System design
6-5
In
itia
tio
n o
f p
rod
uct d
eve
lop
me
nt
at th
e s
oft
wa
re le
ve
l
Design phase verification
Test phase verification
Test phase verification
Test phase verification
4-8 Item integration and
testing
6-6 Specification of
software safety
requirements
6-7 Software
architectural design
6-8 Software unit
design and
implementation
6-9 Software unit
verification
6-10 Software
integration and
verification
6-11 Testing of the
embedded software
Test phase verification
Software analysis and
testing
Software testing
Design phase verification
© HORIBA MIRA Ltd. 2016
Supporting processes – Part 8
Clause 11 – confidence in the use of software tools
- New proposals were introduced in the CD including a further TI level to
apply to verification tools
- Agreement wasn’t reached so for DIS are reverting to Edition 1 scheme
- This may however be revisited in a future Edition …
Clause 13 – qualification of hardware components
- New approach to defining “complexity”
June 2016 14
© HORIBA MIRA Ltd. 2016
Semiconductors
• Intellectual property
• Base failure rate estimation
• Semiconductor dependent failures analysis
• Fault injection
• Production and operation
• Interfaces within distributed developments
• Confirmation measures and functional safety audit
• Clarification of hardware integration and testing
Common topics
• Digital components and memories
• Analogue/mixed signal components
• Programmable logic devices
• Multi-core components
• Sensors and transducers
Specific semiconductor technologies and use cases
June 2016 15
© HORIBA MIRA Ltd. 2016
What types of vehicles are in the future scope of ISO 26262?
June 2016 16
Now proposed to replace “series production” with “production road vehicles”
Production road vehicles = a passenger car, T&B or motorcycle whose intended use is
for public highways and is not a prototype
Class of vehicle In scope? Status
L1/L2 Excluded
L3/L4/L5 In scope PAS; Part 12
L6/L7 Not defined
M1 In scope Edition 1
M2/M3 In scope Integration into Edition 2
N1/N2/N3 In scope Integration into Edition 2
O1/O2/O3 In scope Integration into Edition 2
Other categories Not defined
© HORIBA MIRA Ltd. 2016
Motorcycles
Part 12 contains requirements for
- Functional safety management (concept phase and product development)
o Maximum I2 independence
- Hazard analysis and risk assessment
o Use of MSILs
o Example tables
Chapters from PAS on vehicle integration and testing and safety validation
appear not to be included in Part 12
UK has argued for deeper integration but this has been rejected by the
motorcycle lobby
June 2016 17
© HORIBA MIRA Ltd. 2016
Trucks and buses
Unlike motorcycles, truck and bus requirements are integrated into the main
Parts of the standard e.g.
- Some specific requirements for hazard analysis and risk assessment
o Management of variants in performing the analysis
o Integration of truck and bus examples in the tables of Annex B
- New supporting processes for
o Development of a base vehicle for an application out of scope of ISO 26262
o Integration of safety elements developed out of scope of ISO 26262
June 2016 18
© HORIBA MIRA Ltd. 2016
What are the challenges we perceive?
Differing approaches to interpreting and applying the standard still exist
globally
Discussions on cybersecurity highlight the narrow focus of ISO 26262
compared to system safety and wider issues of system dependability
Some issues associated with autonomous vehicles have been acknowledged
but it is unlikely the standard will fully address autonomy in the timescales
being discussed for their deployment
- Fault tolerance and SOTIF are a start however …
Vision for 2025 (personal opinion!)
- Edition 3 of ISO 26262?
- Majority of cars on the road will have at least one SAE Level 1 (or above)
application
- Level 3+ systems will become more prevalent along with new entrants /
new modes
June 2016 19
© HORIBA MIRA Ltd. 2016
Conclusions
ISO 26262 is already well established as the “state of the art” in development
of automotive safety-related systems
Still some variance in actual practice
Edition 2 is under preparation addressing some of the issues in application of
Edition 1 and future trends
Further work remains to be done, particularly addressing wider issues for
example
- System assurance
- Highly automated vehicles
June 2016 20
© HORIBA MIRA Ltd. 2016
Contact details
June 2016 21
HORIBA MIRA Ltd
Watling Street,
Nuneaton, Warwickshire,
CV10 0TU, UK
T: (024) 7635 5000
F: (024) 7635 8000
www.horiba-mira.com
Dr David Ward MA (Cantab), PhD, CEng, CPhys, MInstP, MIEEE, MSAE
Senior Technical Manager, Functional Safety
Direct T: (024) 7635 5430