Functional Safety Hazard & Risk Analysis

1 Embedded - IC & Automation, Fortronic. Functional Safety Hazard & Risk Analysis. Milano, April 23rd 2013. CEFRIEL 2013; FOR DISCUSSION PURPOSES ONLY: ANY OTHER USE OF THIS PRESENTATION - INCLUDING REPRODUCTION FOR PURPOSES OTHER THAN NOTED ABOVE, MODIFICATION OR DISTRIBUTION - WITHOUT THE PRIOR WRITTEN PERMISSION OF CEFRIEL IS PROHIBITED

2 Disclaimer. This presentation was prepared exclusively for the benefit and internal use of the customer and does not carry any right of publication or disclosure to any other party. No right to publish or distribute this document is expressly or implicitly granted to any third party. The present original document was produced by CEFRIEL and no third party may claim any right or paternity on it. No part of this document may be reproduced. The entire document or part of it may not be used for any personal interest without previous written authorization from CEFRIEL. Copyright CEFRIEL - Milan, Italy. All rights reserved in accordance with the rule of law and international agreements.

3 CEFRIEL OVERVIEW December 2011

4 What is CEFRIEL? Center of excellence for research, innovation and education in Information & Communication Technologies. Established in 1988. Independent, super-partes and not-for-profit organization.

5 Our mission: bridging the gap between industries and academia to boost innovation. [Figure: CEFRIEL Unique Value Proposition, placing CEFRIEL between industrial companies and academic universities along the Research / Innovation / Market Delivery axes, on a Low - Medium - High scale.]

6 Our activities: Innovation (knowledge and IP application); Research (knowledge and IP creation); Education (knowledge and IP sharing).

7 FUNCTIONAL SAFETY: (Brief) Introduction December 2011

8 Introduction to Functional Safety - What is Functional Safety? What is Functional Safety about?
IEC 61508 definitions:
- Safety is the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.
- Risk is a combination of the probability of occurrence of harm and the severity of that harm.
- Functional Safety is the part of the overall safety that depends on a system or equipment operating correctly (i.e. performing a safety function) in response to its inputs.
Functional Safety is thus about achieving absence of unreasonable risk due to hazards (potential sources of harm) caused by malfunctioning behavior of electrical/electronic/programmable electronic (E/E/PE) systems.
Failures are the main impairment to safety:
- Systematic failures: failures related in a deterministic way to a certain cause that can only be eliminated by a change of the design or of the manufacturing process, operational procedures, documentation or other relevant factors. Countermeasure: a ROBUST PROCESS.
- Random HW failures: failures that can occur unpredictably during the lifetime of a hardware element and that follow a probability distribution. Countermeasure: a ROBUST DESIGN.

9 Introduction to Functional Safety - Functional Safety standards: Medical [IEC 60601, IEC 62304]; Automotive [ISO 26262]; Process industry [IEC 61511]; Industrial automation [IEC 61508]; Nuclear [IEC 61513, IEC 60880, IEC 60987, IEC 61226]; Transportation [EN 50128, EN 50129]; Machinery [IEC 62061].

10 Introduction to Functional Safety - Risk Reduction
The risk emerging from the EUC (Equipment Under Control) is classified according to its tolerability:
- A risk is at a tolerable level if the involved persons (the society) can accept it.
- Standards and rules describe methods to determine the limits of acceptance.
If such a risk is not tolerable, it must be reduced by means of suitable measures (standards and rules describe measures to reduce risk to an accepted level):
- E/E/PE measures
- Other technology measures (e.g., mechanic, hydraulic, ...)
- External risk reduction measures or facilities (e.g., instructions, labels, safety fences, ...)
[Figure: risk reduction diagram. Along a rising-risk axis: residual risk, tolerable risk, non-tolerable risk. The necessary risk reduction is compared with the actual risk reduction, i.e. the risk reduction achieved by all safety-related systems and external risk reduction facilities, made up of the partial risk covered by other technology, the partial risk covered by E/E/PE measures and the partial risk covered by external measures.]

11 Introduction to Functional Safety - Risk Reduction - Example
[Figure: the risk reduction diagram (residual risk, tolerable risk, non-tolerable risk, necessary versus actual risk reduction on a rising-risk axis) applied to three brake systems:]
- Conventional brake (mechanics, hydraulics): partial risk covered by other technology; partial risk covered by external measures.
- Electro-hydraulic brake (hydraulic backup): partial risk covered by other technology; partial risk covered by E/E/PE measures; partial risk covered by external measures.
- Electro-mechanic brake (no hydraulic backup): partial risk covered by E/E/PE measures; partial risk covered by external measures.

12 Introduction to Functional Safety - Safety Function vs Safety Integrity
Key concepts in the IEC 61508 standard are RISK and SAFETY FUNCTION:
- Risk is a function of the frequency (or likelihood) of the hazardous event and of the severity of its consequences.
- Risk is reduced to a tolerable level by applying a safety function. The SIL (Safety Integrity Level) is the measure of the risk reduction level of the safety function.
SAFETY FUNCTION: function which is intended to achieve or maintain a safe state for the equipment under control (EUC) in respect to a specific hazardous event.
SAFETY INTEGRITY: probability of a safety-related system satisfactorily performing the required safety function under all stated conditions within a stated period of time (process safety time). Four levels of safety integrity (SIL 1 to 4). Considers all causes of failures (random HW faults and systematic failures) which lead to an unsafe state.
SAFETY-RELATED SYSTEM: designated system that both (a) implements the required safety functions necessary to achieve and maintain a safe state for the EUC, and (b) is intended to achieve, on its own or with other E/E/PE safety-related systems, other technology safety-related systems or external risk reduction facilities, the necessary safety integrity for the required safety functions.

13 Introduction to Functional Safety - Safety Integrity Level
According to IEC 61508: the Safety Integrity Level describes the level of the required risk reduction. Scale with 4 levels (SIL 1 to SIL 4): SIL 1 = low, SIL 4 = high. Identification by approved measures (risk analysis). Derivation of requirements and measures for the risk reduction depending on the SIL.
According to ISO 26262: the Automotive Safety Integrity Level describes the level of the required risk reduction. Scale with 4 levels (ASIL A to ASIL D): ASIL A = low, ASIL D = high. Identification by the method proposed in the standard.
[Figure: the two scales side by side. IEC 61508: SIL 1, SIL 2, SIL 3, SIL 4. ISO 26262: QM, ASIL A, ASIL B, ASIL C, ASIL D.]

14 Introduction to Functional Safety - Development of Safety Functions
The development of safety functions requires the following main steps:
1. Identify and analyze the risks
2. Determine the tolerability of each risk
3. Determine the risk reduction necessary for each intolerable risk
4. Specify the safety requirements for each risk reduction, including their Safety Integrity Level
5. Design the safety functions to meet the safety requirements
6. Implement the safety functions
7. Validate the safety functions
The safety lifecycle specifies all aspects related to the development process of safety-related systems: management of the process itself; definition of the system; specification of the system and sub-systems; documentation and configuration management; architectural design; hardware & software design; hardware & software development; test & validation planning; operation, maintenance and decommissioning planning.

15 Introduction to Functional Safety - Safety Lifecycle according to IEC 61508 (overall safety lifecycle phases)
1 Concept
2 Overall scope definition
3 Hazard and risk analysis
4 Overall safety requirements
5 Safety requirements allocation
Overall planning: 6 Overall operation and maintenance planning; 7 Overall safety validation planning; 8 Overall installation and commissioning planning
9 Safety-related systems, E/E/PE: realisation (E/E/PE safety lifecycle, software safety lifecycle)
10 Safety-related systems, other technology: realisation
11 External risk reduction facilities: realisation
12 Overall installation and commissioning
13 Overall safety validation
14 Overall operation, maintenance and repair
15 Overall modification and retrofit
16 Decommissioning or disposal

16 Introduction to Functional Safety - Safety Lifecycle according to ISO 26262
1. Vocabulary
2. Management of functional safety: 2.5 Overall safety management; 2.6 Safety management during item development; 2.6 Safety management after release for production
3. Concept phase: 3.5 Item definition; 3.6 Initiation of the safety lifecycle; 3.7 Hazard analysis and risk assessment; 3.8 Functional safety concept
4. Product development: system level: 4.5 Initiation of product development at system level; 4.6 Specification of the technical safety requirements; 4.7 System design; 4.8 System integration and testing; 4.9 Safety validation; 4.10 Functional safety assessment; 4.11 Release for production
5. Product development: hardware level: 5.5 Initiation of product development at hardware level; 5.6 Specification of hardware safety requirements; 5.7 Hardware design; 5.8 Hardware architectural metrics; 5.9 Evaluation of violation of the safety goal due to hardware random failures
6. Product development: software level: 6.5 Initiation of product development at software level; 6.6 Specification of software safety requirements; 6.7 Software architectural design; 6.8 Software unit design and implementation; 6.9 Software unit testing; 6.10 Software integration and testing; 6.11 Verification of software safety requirements
7. Production and operation: 7.5 Production; 7.6 Operation, service and decommissioning
8. Supporting processes: 8.5 Interfaces within distributed developments; 8.6 Specification & management of safety requirements; 8.7 Configuration management; 8.8 Change management; 8.9 Verification; 8.10 Documentation; 8.11 Qualification of software tools; 8.12 Qualification of software components; 8.13 Qualification of hardware components; 8.14 Proven in use argument
9. ASIL-oriented and safety-oriented analyses: 9.5 Requirement decomposition with respect to ASIL tailoring; 9.6 Criteria for coexistence of elements; 9.7 Analysis of dependent failures; 9.9 Safety analyses
10. Guidelines on ISO 26262 (informative)
(April 29, 2013)

17 FUNCTIONAL SAFETY: Hazard & Risk Analysis December 2011

18 Hazard & Risk Analysis - Hazard Analysis
In order to perform a risk assessment, the hazards (potential sources of harm) of the EUC shall be determined systematically, as well as the event sequences leading to them.
Techniques that can be used for the extraction of hazards at system level: brainstorming; checklists; quality history; FMEA; Fault Tree Analysis (FTA); Event Tree Analysis (ETA); product metrics; field studies.
For each identified hazard, risks shall be determined and assessed. If a risk is not tolerable, the necessary risk reduction must be evaluated.

19 Hazard & Risk Analysis - Risk Assessment
In order to determine the necessary level of risk reduction (expressed as SIL, ASIL, ...), two reference risk levels must be estimated:
- the EUC risk, associated with the Equipment Under Control;
- the level of risk considered tolerable.
Risk assessment is the procedure to evaluate the EUC risk. It can be summarized as answering the question: how likely is the EUC to fail and, if it does fail, what is the outcome? (Frequency x Consequence.)
- The EUC risk must be assessed independently of the measures adopted to reduce it.
- The EUC risk must be assessed separately for each determined hazardous event.
Risk assessment techniques can be:
- Qualitative: provides a qualitative risk assessment (used mainly in the early risk assessment phase)
- Semi-quantitative (semi-qualitative): provides discrete risk "levels"
- Quantitative: provides quantitative risk estimates based on formal mathematical models
Several techniques can be adopted: ALARP model; risk graph / calibrated risk graph; hazardous event severity matrix; layer of protection analysis (LOPA).

20 Hazard & Risk Analysis - ALARP Model
According to this model, risks can be classified into three classes:
- The risk is so great that it cannot be justified in any ordinary circumstance.
- The risk is, or has been made, so small as to be insignificant.
- The risk falls between the two previous classes and has been reduced to the lowest practicable level.
When the risk falls in the last class, it must be reduced to a level which is "ALARP", i.e. "As Low As Reasonably Practicable".
[Figure: three regions on a rising-risk axis.]
- Intolerable region: risk cannot be accepted except in extraordinary circumstances.
- ALARP region (risk is undertaken only if a benefit is desired): risk is tolerable only if further risk reduction is impracticable or disproportionate to the benefits obtained. The more the risk is reduced, the less must be spent to reduce it further to satisfy ALARP.
- Broadly accepted region: negligible risk.

22 Hazard & Risk Analysis - ALARP Model - Example
As an example consider the following table, where the risk classes are I (lowest risk), II, III and IV (highest risk):

Frequency \ Consequence   Catastrophic   Critical   Marginal   Negligible
Frequent                  IV             IV         IV         III
Probable                  IV             IV         III        II
Occasional                IV             III        II         II
Remote                    III            II         II         I
Improbable                II             II         I          I
Incredible                I              I          I          I

The interpretation of the risk classes in terms of the ALARP model might be:
- Risk class I: negligible risk.
- Risk class II: tolerable risk if the cost of risk reduction would exceed the improvement gained.
- Risk class III: undesirable risk; tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained.
- Risk class IV: intolerable risk.

23 Hazard & Risk Analysis - Risk Graph Method
The risk graph method is based on the following equation: R = function(f, C), where R is the risk with no safety-related systems in place, f is the frequency of the hazardous event with no safety-related systems in place, and C is the consequence of the hazardous event.
The frequency f is in turn influenced by:
- the frequency of, and exposure time in, the hazardous zone;
- the possibility of avoiding the hazardous event;
- the probability of the hazardous event taking place with no safety-related measures in place but with other risk reduction facilities (probability of unwanted occurrence).
This extends the number of parameters to be considered to four (with the corresponding ISO 26262 parameter in brackets):
- C = Consequence of the hazardous event [ISO 26262: S = Severity]
- F = Frequency and exposure time in the hazardous zone [ISO 26262: E = Exposure]
- P = Possibility of failing to avoid the hazardous event [ISO 26262: C = Controllability]
- W = Probability of the unwanted occurrence

24 Hazard & Risk Analysis - Risk Graph Method - Example
The implementation of a risk graph requires:
- defining values / levels for each parameter;
- defining the relations between parameters and their levels.
The values / levels of the parameters, expressed qualitatively or quantitatively as numbers, must be justified on a rigorous and widely accepted basis and agreed with all the parties involved.
[Figure: example risk graph. Parameter levels: C: CA < CB < CC < CD; F: FA < FB; P: PA < PB; W: WA < WB < WC (columns W1, W2, W3). Start -> C -> F -> P -> intermediate nodes X1 to X6; each X node is then read against the W3, W2 and W1 columns, which assign ---, a, SIL 1, SIL 2, SIL 3, SIL 4 or b, with a one-level shift from one column to the next.]
Using different integrity scales (e.g. W1, W2 and W3) allows accounting explicitly for other risk reduction measures: from one scale to another there is an integrity level "shift".
Legend: --- No safety requirements; a No special safety requirements; b Single E/E/PE system not sufficient.
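The four-parameter risk graph of the two slides above, worked through in code. This is an added example, not code from the slides or from CEFRIEL; the C -> F -> P -> X1..X6 branching and the outcomes of the three W columns are taken from the IEC 61508-5 Annex E risk graph (an assumption, since the transcription of the slide's graph is garbled), and the sample hazards are constructed.

```python
"""Risk graph SIL determination in the style of IEC 61508-5 Annex E.

Added example, not code from the CEFRIEL slides. Parameters C, F, P, W
and the outcomes "---", "a", "b", SIL 1..4 are those on the slide; the
node layout below is assumed to follow IEC 61508-5 Figure E.1.
"""
from enum import Enum


class C(Enum):
    """Consequence of the hazardous event (ISO 26262: S, severity); CA < CB < CC < CD."""
    CA = 0
    CB = 1
    CC = 2
    CD = 3


class F(Enum):
    """Frequency of, and exposure time in, the hazardous zone (ISO 26262: E); FA < FB."""
    FA = 0
    FB = 1


class P(Enum):
    """Possibility of failing to avoid the hazardous event (ISO 26262: C); PA < PB."""
    PA = 0
    PB = 1


class W(Enum):
    """Probability of the unwanted occurrence; W1 lowest, W3 highest."""
    W1 = 1
    W2 = 2
    W3 = 3


# Outcome labels used in the slide's legend.
NO_REQ = "---"  # no safety requirements
A = "a"         # no special safety requirements
B = "b"         # a single E/E/PE safety-related system is not sufficient

# Outcome per intermediate node X1..X6 (list index 0..5) for each W column.
# Each step from W1 to W2 to W3 moves every outcome up one level: this is
# the "integrity level shift" between scales that the slide describes.
OUTCOME = {
    W.W3: [A, "SIL 1", "SIL 2", "SIL 3", "SIL 4", B],
    W.W2: [NO_REQ, A, "SIL 1", "SIL 2", "SIL 3", "SIL 4"],
    W.W1: [NO_REQ, NO_REQ, A, "SIL 1", "SIL 2", "SIL 3"],
}
# Ordered scale so that outcomes can be compared numerically.
LEVELS = [NO_REQ, A, "SIL 1", "SIL 2", "SIL 3", "SIL 4", B]


def x_node(c: C, f: F, p: P) -> int:
    """Return the intermediate node X1..X6 reached for (C, F, P).

    CA leads straight to X1 whatever F and P are; from CB onwards every
    step to a worse consequence, a longer exposure or a lower possibility
    of avoidance moves one node further (assumed Figure E.1 layout).
    """
    if c is C.CA:
        return 1
    return 1 + c.value + f.value + p.value


def required_sil(c: C, f: F, p: P, w: W) -> str:
    """Read the required integrity off the graph for the chosen W column."""
    return OUTCOME[w][x_node(c, f, p) - 1]


def level_shift(c: C, f: F, p: P, w_from: W, w_to: W) -> int:
    """Number of levels the outcome moves when the W scale changes.

    Positive means a more demanding outcome under w_to. The shift is one
    level per W step, except that "---" cannot be lowered any further.
    """
    before = LEVELS.index(required_sil(c, f, p, w_from))
    after = LEVELS.index(required_sil(c, f, p, w_to))
    return after - before


def assess(hazards):
    """Apply the graph to (name, C, F, P, W) records; returns {name: outcome}.

    A "b" outcome means one E/E/PE safety-related system is not enough
    and the hazard needs an additional, independent risk reduction.
    """
    return {name: required_sil(c, f, p, w) for name, c, f, p, w in hazards}


if __name__ == "__main__":
    # Constructed sample hazards, not taken from the slides.
    sample = [
        ("conveyor nip point", C.CB, F.FB, P.PA, W.W2),
        ("pressure vessel rupture", C.CD, F.FB, P.PB, W.W3),
        ("unlit walkway", C.CA, F.FB, P.PB, W.W1),
    ]
    for name, outcome in assess(sample).items():
        print(f"{name:25s} -> {outcome}")
```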

25 Hazard & Risk Analysis - HRA acc. to ISO 26262: SEVERITY
Class and reference for single injuries (from the AIS scale):
- S0: maximum AIS 0; damage that cannot be classified as safety-related, e.g. bumps with roadside infrastructure.
- S1: maximum AIS 1-2; more than 10% probability of AIS 1-6 (and not S2 or S3).
- S2: maximum AIS 3-4; more than 10% probability of AIS 3-6 (and not S3).
- S3: maximum AIS 5-6; more than 10% probability of AIS 5-6.
AIS (Abbreviated Injury Scale): the AIS is a classification of the severity of injuries issued by the AAAM (Association for the Advancement of Automotive Medicine):
- AIS 0: no injuries.
- AIS 1: light injuries such as skin-deep wounds, muscle pains, whiplash etc.
- AIS 2: moderate injuries such as deep flesh wounds, concussion with up to 15 minutes of unconsciousness.
- AIS 3: severe but not life-threatening injuries such as skull fractures without brain injury, spinal dislocations below the fourth cervical vertebra without damage to the spinal cord.
- AIS 4: severe injuries (life-threatening, survival probable) such as concussion with or without skull fractures with up to 12 hours of unconsciousness, paradoxical breathing.
- AIS 5: critical injuries (life-threatening, survival uncertain) such as spinal fractures below the fourth cervical vertebra with damage to the spinal cord, more than 12 hours of unconsciousness including intracranial bleeding.
- AIS 6: extremely critical or fatal injuries such as fractures of the cervical vertebrae above the third cervical vertebra with damage to the spinal cord, extremely critical open wounds of body cavities (thoracic and abdominal cavities).

26 Hazard & Risk Analysis - HRA acc. to ISO 26262: SEVERITY (informative examples)
[Table: informative examples by collision type and severity class S0 to S3.]
- S0 examples: light collision; light grazing damage; damage while entering or leaving a parking space; leaving the road without collision or rollover.
- Side collision, e.g. crashing into a tree: S1 Δv < 15 km/h; S2 15 < Δv < 25 km/h; S3 Δv > 25 km/h.
- Side collision with a passenger car: S1 Δv < 15 km/h; S2 15 < Δv < 35 km/h; S3 Δv > 35 km/h.
- Rear/front collision between two passenger cars: S1 Δv < 20 km/h; S2 20 < Δv < 40 km/h; S3 Δv > 40 km/h.
- Other collisions (under-riding a truck; pedestrian/bicycle accident; pushing over roadside infrastructure): the examples range from the lower classes (scrape collision with little vehicle-to-vehicle overlap; without deformation of the passenger cell; e.g. during a turning manoeuvre inside a built-up area) to the higher classes (roof or side collision with considerable deformation; with deformation of the passenger cell; outside a built-up area).

27 Hazard & Risk Analysis - HRA acc. to ISO 26262: EXPOSURE (classes of probability of exposure regarding duration / probability of exposure in initial situations)
- E0, very low probability: duration not specified.
- E1, low probability: < 1% of average operating time.
- E2, medium probability: 1% - 10% of average operating time.
- E3, high probability: > 10% of average operating time.
Informative examples, listed in order of increasing exposure class (none given for E0): pulling a trailer; driving with roof rack; driving on a mountain pass with unsecured steep slope; snow and ice; driving backwards; fuelling; overtaking; car wash; tunnels; hill hold; night driving on roads without streetlights; wet roads; congestion; accelerating; braking; steering; parking; driving on highways; driving on secondary roads; city driving.

28 Hazard & Risk Analysis - HRA acc. to ISO 26262: EXPOSURE (classes of probability of exposure regarding frequency in initial situations)
- E0, extremely low probability: situations that occur less often than once a year for the great majority of drivers.
- E1, low probability: situations that occur a few times a year for the great majority of drivers.
- E2, medium probability: situations that occur once a month or more often for an average driver.
- E3, high probability: all situations that occur during almost every drive on average.
Informative examples, listed in order of increasing exposure class: stop at a railway crossing which requires a start of the engine; towing; jump start; pulling a trailer, driving with roof rack; driving on a mountain pass with unsecured steep slope; driving situation with deviation from the desired path; snow and ice; fuelling; overtaking; tunnels; hill hold; car wash; wet roads; congestion; starting; shifting gears; accelerating; braking; steering; using indicators; parking; driving backwards.

29 Hazard & Risk Analysis - HRA acc. to ISO 26262: CONTROLLABILITY
- C0, controllable in general. Informative examples: unexpected increase in radio volume; situations that are considered distracting; unavailability of a driver assisting system.
- C1, simply controllable: 99% or more of all drivers or other traffic participants are usually able to avoid a specific harm. Informative examples: when starting the vehicle with a locked steering column, the car can be brought to a stop by almost all drivers early enough to avoid a specific harm to persons nearby; faulty adjustment of seats while driving can be controlled by almost all drivers by bringing the vehicle to a stop.
- C2, normally controllable: 90% or more of all drivers or other traffic participants are usually able to avoid a specific harm. Informative examples: avoid departing from the lane in case of a failure of ABS during emergency braking; avoid departing from the lane in case of a motor failure at high lateral acceleration (motorway exit); bring the vehicle to a stop in case of a total lighting failure at medium or high speed on an unlighted country road without departing from the lane in an uncontrolled manner; avoid hitting an unlit vehicle on an unlit country road.
- C3, difficult to control or uncontrollable: less than 90% of all drivers or other traffic participants are usually able, or barely able, to avoid a specific harm. Informative examples: wrong steering with high angular speed at medium or high vehicle speed can hardly be controlled by the driver; cannot avoid departing from the lane on snow or ice on a bend in case of a failure of ABS during emergency braking; cannot bring the vehicle to a stop if a total loss of braking performance occurs; in the case of faulty airbag release at high or moderate vehicle speed, the driver usually cannot prevent the vehicle from departing from the lane.

30 Hazard & Risk Analysis - HRA acc. to ISO 26262: RISK MATRIX
[Figure: ASIL determination matrix from the severity (S), exposure (E) and controllability (C) classes.]
Note: if a hazard is assigned to severity class S0, controllability class C0 or exposure class E0, no ASIL (SIL) assignment is required.

31 Hazard & Risk Analysis - Once the required SIL has been assessed
Based on the required Safety Integrity Level, different requirements on the design and on the process apply, and different techniques and measures should be used.
Requirements on the integrity of HW: for each SIL, a limit on the PFD (probability of failure on demand) in low demand mode of operation (e.g., airbag) and a limit on the PFH (probability of failure per hour), also expressed in FIT, in high demand mode of operation (e.g., brake / steer by wire). [Table: SIL 1 to SIL 4 versus PFD, PFH and FIT limits.]
Requirements on the integrity of SW: requirements on SW design and development (architecture, support tools, programming language, code implementation, testing, ...); requirements on SW diagnostics to achieve the required HW integrity.

32 Training Course: An introduction to Functional Safety. Basic course on Functional Safety (2 days). Info: Web: Mail: Tel: For any request related to the Functional Safety area: ENRICO SILANI, Mail:


SIL manual. Structure. Structure With regard to the supply of products, the current issue of the following document is applicable: The General Terms of Delivery for Products and Services of the Electrical Industry, published by the Central

More information

Reduce Medical Device Compliance Costs with Best Practices. mark.pitchford@ldra.com

Reduce Medical Device Compliance Costs with Best Practices. mark.pitchford@ldra.com Reduce Medical Device Compliance Costs with Best Practices mark.pitchford@ldra.com 1 Agenda Medical Software Certification How new is Critical Software Certification? What do we need to do? What Best Practises

More information

An introduction to Functional Safety and IEC 61508

An introduction to Functional Safety and IEC 61508 An introduction to Functional Safety and IEC 61508 Application Note AN9025 Contents Page 1 INTRODUCTION........................................................... 1 2 FUNCTIONAL SAFETY.......................................................

More information

Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons

Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons Methods of Determining Safety Integrity Level (SIL) Requirements - Pros and Cons 1 Introduction by W G Gulland (4-sight Consulting) The concept of safety integrity levels (SILs) was introduced during the

More information

Safety Lifecycle illustrated with exemplified EPS

Safety Lifecycle illustrated with exemplified EPS September 2012 Freescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C-Ware, the Energy Efficient Solutions logo, Kinetis, mobilegt, PowerQUICC, Processor Expert, QorIQ,

More information

Safety Certification of Software-Intensive Systems with Reusable Components

Safety Certification of Software-Intensive Systems with Reusable Components Safety Certification of Software-Intensive Systems with Reusable Components Report type Report name Deliverable D4.4.1 Guidelines for tools and methodology integration for reusability of component in other

More information

A Risk Management Standard

A Risk Management Standard A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management

More information

IEC 61508 Functional Safety Assessment. Project: K-TEK Corporation AT100, AT100S, AT200 Magnetostrictive Level Transmitter.

IEC 61508 Functional Safety Assessment. Project: K-TEK Corporation AT100, AT100S, AT200 Magnetostrictive Level Transmitter. 61508 SIL 3 CAPABLE IEC 61508 Functional Safety Assessment Project: K-TEK Corporation AT100, AT100S, AT200 Magnetostrictive Level Transmitter Customer: K-TEK Corporation Prairieville, LA USA Contract No.:

More information

How To Understand The Safety Of A Motorcycle

How To Understand The Safety Of A Motorcycle Disclaimer All reasonable endeavours are made to ensure the accuracy of the information in this report. However, the information is provided without warranties of any kind including accuracy, completeness,

More information

ISO 26262:2011 Functional Safety Assessment Report. Texas Instruments Richardson, TX USA. Project: TDA2X ADAS SoC. Customer:

ISO 26262:2011 Functional Safety Assessment Report. Texas Instruments Richardson, TX USA. Project: TDA2X ADAS SoC. Customer: ISO 26262:2011 Functional Safety Report Project: TDA2X ADAS SoC Customer: Texas Instruments Richardson, TX USA Contract No.: Q13/09-037 Report No.: TI 13-09-037 R002 Version V1, Revision R1, January 23,

More information

Software in safety critical systems

Software in safety critical systems Software in safety critical systems Software safety requirements Software safety integrity Budapest University of Technology and Economics Department of Measurement and Information Systems Definitions

More information

TÜV Rheinland Functional Safety Engineer Certificate (Process Hazard & Risk Analysis)

TÜV Rheinland Functional Safety Engineer Certificate (Process Hazard & Risk Analysis) TÜV Rheinland Functional Safety Engineer Certificate (Process Hazard & Risk Analysis) Controlling risks within major hazard enterprises requires a robust process safety management (PSM) system and the

More information

Digges 1 INJURIES TO RESTRAINED OCCUPANTS IN FAR-SIDE CRASHES. Kennerly Digges The Automotive Safety Research Institute Charlottesville, Virginia, USA

Digges 1 INJURIES TO RESTRAINED OCCUPANTS IN FAR-SIDE CRASHES. Kennerly Digges The Automotive Safety Research Institute Charlottesville, Virginia, USA INJURIES TO RESTRAINED OCCUPANTS IN FAR-SIDE CRASHES Kennerly Digges The Automotive Safety Research Institute Charlottesville, Virginia, USA Dainius Dalmotas Transport Canada Ottawa, Canada Paper Number

More information

Version: 1.0 Latest Edition: 2006-08-24. Guideline

Version: 1.0 Latest Edition: 2006-08-24. Guideline Management of Comments on this report are gratefully received by Johan Hedberg at SP Swedish National Testing and Research Institute mailto:johan.hedberg@sp.se Quoting of this report is allowed but please

More information

ELECTROTECHNIQUE IEC INTERNATIONALE 61508-3 INTERNATIONAL ELECTROTECHNICAL

ELECTROTECHNIQUE IEC INTERNATIONALE 61508-3 INTERNATIONAL ELECTROTECHNICAL 61508-3 ª IEC: 1997 1 Version 12.0 05/12/97 COMMISSION CEI ELECTROTECHNIQUE IEC INTERNATIONALE 61508-3 INTERNATIONAL ELECTROTECHNICAL COMMISSION Functional safety of electrical/electronic/ programmable

More information

Ein einheitliches Risikoakzeptanzkriterium für Technische Systeme

Ein einheitliches Risikoakzeptanzkriterium für Technische Systeme ETCS Prüfcenter Wildenrath Interoperabilität auf dem Korridor A Ein einheitliches Risikoakzeptanzkriterium für Technische Systeme Siemens Braunschweig, Oktober 2007 Prof. Dr. Jens Braband Page 1 2007 TS

More information

How To Know If A Motorcyclist Is Safe

How To Know If A Motorcyclist Is Safe Motorcyclists CRASH FACTSHEET November 2013 CRASH STATISTICS FOR THE YEAR ENDED 31 DECEMBER 2012 Prepared by the Ministry of Transport In 2012, 50 motorcyclists 1 died and a further 1,138 were injured

More information

Edwin Lindsay Principal Consultant. Compliance Solutions (Life Sciences) Ltd, Tel: + 44 (0) 7917134922 E-Mail: elindsay@blueyonder.co.

Edwin Lindsay Principal Consultant. Compliance Solutions (Life Sciences) Ltd, Tel: + 44 (0) 7917134922 E-Mail: elindsay@blueyonder.co. Edwin Lindsay Principal Consultant, Tel: + 44 (0) 7917134922 E-Mail: elindsay@blueyonder.co.uk There were no guidelines/ regulations There was no training No Procedures No Inspectors Inform All staff of

More information

Reducing Steps to Achieve Safety Certification

Reducing Steps to Achieve Safety Certification Reducing Steps to Achieve Safety Certification WP-01174-1.0 White Paper This white paper describes the successful steps in achieving certification for an FPGA implementation of an application certified

More information

SAFETY LIFE-CYCLE HOW TO IMPLEMENT A

SAFETY LIFE-CYCLE HOW TO IMPLEMENT A AS SEEN IN THE SUMMER 2007 ISSUE OF... HOW TO IMPLEMENT A SAFETY LIFE-CYCLE A SAFER PLANT, DECREASED ENGINEERING, OPERATION AND MAINTENANCE COSTS, AND INCREASED PROCESS UP-TIME ARE ALL ACHIEVABLE WITH

More information

Defensive Driving While Towing a Trailer By Elizabeth Koncki, Maryland Department of Agriculture

Defensive Driving While Towing a Trailer By Elizabeth Koncki, Maryland Department of Agriculture Defensive Driving While Towing a Trailer By Elizabeth Koncki, Maryland Department of Agriculture Many of you have heard the term defensive driving, but maybe you may have not been taught the method or

More information

Overview of IEC 61508 - Design of electrical / electronic / programmable electronic safety-related systems

Overview of IEC 61508 - Design of electrical / electronic / programmable electronic safety-related systems Overview of IEC 61508 - Design of electrical / electronic / programmable electronic safety-related systems Simon Brown The author is with the Health & Safety Executive, Magdalen House, Bootle, Merseyside,

More information

Safety Analysis based on IEC 61508: Lessons Learned and the Way Forward

Safety Analysis based on IEC 61508: Lessons Learned and the Way Forward Safety Analysis based on IEC 61508: Lessons Learned and the Way Forward Jens Braband SAFECOMP 2006 Empfohlen Gdansk, September wird auf dem 2006Titel der Einsatz eines vollflächigen Hintergrundbildes (Format:

More information

State of Minnesota Model Fleet Safety Management Standards

State of Minnesota Model Fleet Safety Management Standards State of Minnesota Model Fleet Safety Management Standards Anyone who has ever been involved in even a minor fender bender is aware of the resulting fallout which involves time, money and effort. Accidents

More information

Safety controls, alarms, and interlocks as IPLs

Safety controls, alarms, and interlocks as IPLs Safety controls, alarms, and interlocks as IPLs Angela E. Summers, Ph.D., P.E. SIS-TECH Solutions 12621 Featherwood Dr. Suite 120, Houston, TX 77034 Keywords: safety controls, alarms, interlocks, SIS,

More information

Role of the systems engineer in safety critical systems. Dr. Cecilia Haskins, CSEP Keynote address WOCS 27. September 2012

Role of the systems engineer in safety critical systems. Dr. Cecilia Haskins, CSEP Keynote address WOCS 27. September 2012 Role of the systems engineer in safety critical systems Dr. Cecilia Haskins, CSEP Keynote address WOCS 27. September 2012 Roadmap About safety critical systems Relevant standards, including ISO/IEC 15288:

More information

New York Car Accident Lawyers

New York Car Accident Lawyers New York Car Accident Lawyers What you need to know when you are hurt in a car accident An ebook by Stuart DiMartini, Esq. 1325 Sixth Avenue, 27 th Floor New York, NY 10019 212-5181532 dimartinilaw.com

More information

Design of automatic testing tool for railway signalling systems software safety assessment

Design of automatic testing tool for railway signalling systems software safety assessment Risk Analysis VI 513 Design of automatic testing tool for railway signalling systems software safety assessment J.-G. Hwang 1, H.-J. Jo 1 & H.-S. Kim 2 1 Train Control Research Team, Korea Railroad Research

More information

Risk Assessment / Risk Management Protocol

Risk Assessment / Risk Management Protocol 1 Canadian Pacific Railway Risk Assessment / Risk Management Protocol Overview / Outline At Canadian Pacific Railway, we conduct risk assessments of our activities and operations for a number of different

More information

System Safety Process Applied to Automotive High Voltage Propulsion Systems

System Safety Process Applied to Automotive High Voltage Propulsion Systems System Safety Process Applied to Automotive High Voltage Propulsion Systems ISSC Tutorial Mark Vernacchia, Galen Ressler, Padma Sundaram August 2015 Tutorial Overview Objectives Safety Process Overview

More information

Safety Issues in Automotive Software

Safety Issues in Automotive Software Safety Issues in Automotive Software Paolo Panaroni, Giovanni Sartori INTECS S.p.A. SAFEWARE 1 INTECS & Safety A very large number of safety software development, V&V activities and research project on

More information

Identifying Factors Underlying Injury

Identifying Factors Underlying Injury Moving Towards Competency in Injury Prevention Identifying Factors Underlying Injury Thomas Songer, PhD University of Pittsburgh Center for Injury Research & Control Lecture Objectives On completion of

More information

PABIAC Safety-related Control Systems Workshop

PABIAC Safety-related Control Systems Workshop Health and and Safety Executive PABIAC Safety-related Control Systems Workshop KEY STANDARDS FOR ELECTRICAL & FUNCTIONAL SAFETY OF PAPERMAKING MACHINES: APPLICATION & USE Steve Frost HM Principal Electrical

More information

DEFENSIVE DRIVING. It s an Attitude

DEFENSIVE DRIVING. It s an Attitude DEFENSIVE DRIVING It s an Attitude RLI Design Professionals Design Professionals Learning Event DPLE 155 July 15, 2015 RLI Design Professionals RLI Design Professionals is a Registered Provider with The

More information

A System-Safety Process For By-Wire Automotive Systems

A System-Safety Process For By-Wire Automotive Systems SAE TECHNICAL PAPER SERIES 2000-01-1056 A System-Safety Process For By-Wire Automotive Systems Sanket Amberkar, Joseph G. D Ambrosio and Brian T. Murray Delphi Automotive Systems Joseph Wysocki HRL Laboratories

More information

Identifying and Understanding Relevant System Safety Standards for use in the Automotive Industry

Identifying and Understanding Relevant System Safety Standards for use in the Automotive Industry SAE TECHNICAL PAPER SERIES 2003-01-1293 Identifying and Understanding Relevant System Standards for use in the Automotive Industry Barbara J. Czerny, Joseph G. D Ambrosio, Paravila O. Jacob and Brian T.

More information

Risk Assessment and Management. Allen L. Burgenson Manager, Regulatory Affairs Lonza Walkersville Inc.

Risk Assessment and Management. Allen L. Burgenson Manager, Regulatory Affairs Lonza Walkersville Inc. Risk Assessment and Management Allen L. Burgenson Manager, Regulatory Affairs Lonza Walkersville Inc. Standard Disclaimer Standard Disclaimer: This presentation is the opinion of the presenter, and does

More information

Speeding. Probability of death at different impact speeds

Speeding. Probability of death at different impact speeds Speeding CRASH FACTSHEET 2012 CRASH STATISTICS FOR THE YEAR ENDED 31 DECEMBER 2011 Prepared by the Ministry of Transport In this fact sheet speeding is defined as driving too fast for the conditions. The

More information

OREGON TRAFFIC ACCIDENT AND INSURANCE REPORT

OREGON TRAFFIC ACCIDENT AND INSURANCE REPORT DMV OREGON TRAFFIC ACCIDENT AND INSURANCE REPORT Tear this sheet off your report, read and carefully follow the directions. ONLY drivers involved in an accident resulting in any of the following MUST file

More information

15-Passenger Van Safety Frequently Asked Questions & Recommendations for Safe Operation

15-Passenger Van Safety Frequently Asked Questions & Recommendations for Safe Operation 15-Passenger Van Safety Frequently Asked Questions & Recommendations for Safe Operation Mississippi Institutions of Higher Learning Safety and Loss Control FY 20 0 6 Page 1 of 7 15-Passenger Van Safety

More information

Frequently Asked Questions

Frequently Asked Questions Frequently Asked Questions The exida 61508 Certification Program V1 R8 October 19, 2007 exida Geneva, Switzerland Sellersville, PA 18960, USA, +1-215-453-1720 Munich, Germany, +49 89 4900 0547 1 Exida

More information

Funktionale Sicherheit IEC 61508 & IEC 62443

Funktionale Sicherheit IEC 61508 & IEC 62443 Funktionale Sicherheit IEC 61508 & IEC 62443 Seite 1 PROFIsafe trifft New York PROFIsafe Senior Safety Expert Siemens AG, DF FA AS E&C-PRM3 bernard.mysliwiec@siemens.com Seite 2 Roosevelt Island Picture

More information

Title: Basic Principles of Risk Management for Medical Device Design

Title: Basic Principles of Risk Management for Medical Device Design Title: Basic Principles of Risk Management for Medical Device Design WHITE PAPER Author: Ganeshkumar Palanichamy Abstract Medical devices developed for human application are used for diagnostic or treatment

More information

Version: 1.0 Last Edited: 2005-10-27. Guideline

Version: 1.0 Last Edited: 2005-10-27. Guideline Process hazard and risk Comments on this report are gratefully received by Johan Hedberg at SP Swedish National Testing and Research Institute mailto:johan.hedberg@sp.se -1- Summary This report will try

More information

Does the Federal government require them? No, the Federal government does not require manufacturers to install EDRs.

Does the Federal government require them? No, the Federal government does not require manufacturers to install EDRs. EDR Q&As THE BASICS What is an EDR? What is its purpose? An Event Data Recorder (EDR) is a function or device installed in a motor vehicle to record technical vehicle and occupant information for a brief

More information

The Concepts of IEC 61508

The Concepts of IEC 61508 The Concepts of IEC 61508 An Overview and Analysis Sommersemester 2001 Prof. Peter B. Ladkin PhD ladkin@rvs.uni-bielefeld.de Motivation: Clear Concepts Concepts must be clear in order to enable easy and

More information

Frequently Asked Questions

Frequently Asked Questions Frequently Asked Questions The exida Certification Program Functional Safety (SIL) Cyber-Security V2 R3 June 14, 2012 exida Sellersville, PA 18960, USA, +1-215-453-1720 Munich, Germany, +49 89 4900 0547

More information

Level 2 Award in Safe Driving at Work

Level 2 Award in Safe Driving at Work Level 2 Award in Safe Driving at Work Student notes (sample) www.britsafe.org Membership Training Qualifications Audit and Consultancy Audit and Policy Consultancy and Opinion Policy Awards and Opinion

More information

DRIVING TEST POSSIBLE QUESTIONS & ANSWERS.

DRIVING TEST POSSIBLE QUESTIONS & ANSWERS. DRIVING TEST POSSIBLE QUESTIONS & ANSWERS. Question 1. What shape and colour is a warning sign? Diamond Shape - Yellow and Black Question 2. When should you not drive? While under the influence of alcohol,

More information

DMV. OREGON TRAFFIC ACCIDENT AND INSURANCE REPORT Tear this sheet off your report, read and carefully follow the directions.

DMV. OREGON TRAFFIC ACCIDENT AND INSURANCE REPORT Tear this sheet off your report, read and carefully follow the directions. OREGON TRAFFIC ACCIDENT AND INSURANCE REPORT Tear this sheet off your report, read and carefully follow the directions. ONLY drivers involved in an accident resulting in any of the following MUST file

More information

Designing an Effective Risk Matrix

Designing an Effective Risk Matrix Designing an Effective Risk Matrix HENRY OZOG INTRODUCTION Risk assessment is an effective means of identifying process safety risks and determining the most cost-effective means to reduce risk. Many organizations

More information

the Ministry of Transport is attributed as the source of the material

the Ministry of Transport is attributed as the source of the material Disclaimer All reasonable endeavours are made to ensure the accuracy of the information in this report. However, the information is provided without warranties of any kind including accuracy, completeness,

More information

Accident configurations and injuries for bicyclists based on the German In-Depth Accident Study. Chiara Orsi

Accident configurations and injuries for bicyclists based on the German In-Depth Accident Study. Chiara Orsi Accident configurations and injuries for bicyclists based on the German In-Depth Accident Study Chiara Orsi Centre of Study and Research on Road Safety University of Pavia State of the art Vulnerable road

More information

Clinical Risk Management: Agile Development Implementation Guidance

Clinical Risk Management: Agile Development Implementation Guidance Document filename: Directorate / Programme Document Reference NPFIT-FNT-TO-TOCLNSA-1306.02 CRM Agile Development Implementation Guidance v1.0 Solution Design Standards and Assurance Project Clinical Risk

More information

Developing software for Autonomous Vehicle Applications; a Look Into the Software Development Process

Developing software for Autonomous Vehicle Applications; a Look Into the Software Development Process Developing software for Autonomous Vehicle Applications; a Look Into the Software Development Process By Andreas Lindenthal and Franz Walkembach, Wind River The concept of autonomous vehicles or unmanned

More information

Mary Ann Lundteigen. Doctoral theses at NTNU, 2009:9 Mary Ann Lundteigen. Doctoral theses at NTNU, 2009:9

Mary Ann Lundteigen. Doctoral theses at NTNU, 2009:9 Mary Ann Lundteigen. Doctoral theses at NTNU, 2009:9 Mary Ann Lundteigen Doctoral theses at NTNU, 2009:9 Mary Ann Lundteigen Safety instrumented systems in the oil and gas industry: Concepts and methods for safety and reliability assessments in design and

More information

Software-based medical devices from defibrillators

Software-based medical devices from defibrillators C O V E R F E A T U R E Coping with Defective Software in Medical Devices Steven R. Rakitin Software Quality Consulting Inc. Embedding defective software in medical devices increases safety risks. Given

More information

the Ministry of Transport is attributed as the source of the material

the Ministry of Transport is attributed as the source of the material Disclaimer All reasonable endeavours are made to ensure the accuracy of the information in this report. However, the information is provided without warranties of any kind including accuracy, completeness,

More information

Commercial Auto Claims Services

Commercial Auto Claims Services Commercial Auto Claims Services Getting Businesses Back on the Road Commercial Auto Capabilities Collision and Glass Repair Networks Reporting an Auto Claim www.thehartford.com/losscontrol COMMERCIAL CLAIMS

More information

SOFTWARE VERIFICATION RESEARCH CENTRE SCHOOL OF INFORMATION TECHNOLOGY THE UNIVERSITY OF QUEENSLAND. Queensland 4072 Australia TECHNICAL REPORT

SOFTWARE VERIFICATION RESEARCH CENTRE SCHOOL OF INFORMATION TECHNOLOGY THE UNIVERSITY OF QUEENSLAND. Queensland 4072 Australia TECHNICAL REPORT SOFTWARE VERIFICATION RESEARCH CENTRE SCHOOL OF INFORMATION TECHNOLOGY THE UNIVERSITY OF QUEENSLAND Queensland 4072 Australia TECHNICAL REPORT No. 99-30 A Survey of International Safety Standards Axel

More information

The Impact Of Measuring Driver And Vehicle Behavior

The Impact Of Measuring Driver And Vehicle Behavior The Impact Of Measuring Driver And Vehicle Behavior Why Businesses are Investing in Fleet Data A Teletrac Whitepaper The Impact Of Measuring Driver And Vehicle Behavior Data has many meanings. Virtually

More information

Guidance note. Risk Assessment. Core concepts. N-04300-GN0165 Revision 4 December 2012

Guidance note. Risk Assessment. Core concepts. N-04300-GN0165 Revision 4 December 2012 Guidance note N-04300-GN0165 Revision 4 December 2012 Risk Assessment Core concepts The operator of an offshore facility must conduct a detailed and systematic formal safety assessment, which includes

More information

Occupational safety risk management in Australian mining

Occupational safety risk management in Australian mining IN-DEPTH REVIEW Occupational Medicine 2004;54:311 315 doi:10.1093/occmed/kqh074 Occupational safety risk management in Australian mining J. Joy Abstract Key words In the past 15 years, there has been a

More information

Understanding Safety. Why SIL is important and how SIL compliance benefits you.

Understanding Safety. Why SIL is important and how SIL compliance benefits you. Understanding Safety Integrity Levels (SIL) Why SIL is important and how SIL compliance benefits you. By Byron McLendon, P.E. 6/13/2013 Understanding Safety Integrity Levels (SIL) Defining Safety and Risk

More information

Requirements-driven Verification Methodology for Standards Compliance

Requirements-driven Verification Methodology for Standards Compliance Requirements-driven Verification Methodology for Standards Compliance Serrie-justine Chapman (TVS) serrie@testandverification.com Mike Bartley (TVS) mike@testandverification.com Darren Galpin (Infineon)

More information

Improving Driving Safety Through Automation

Improving Driving Safety Through Automation Improving Driving Safety Through Automation Congressional Robotics Caucus John Maddox National Highway Traffic Safety Administration July 25, 2012 NHTSA s Missions Safety Save lives, prevent injuries and

More information

Platoon illustration Source: VOLVO

Platoon illustration Source: VOLVO SARTRE: SAfe Road TRains for the Environment Arturo Dávila Mario Nombela IDIADA Automotive Technology SA 1. Introduction The SARTRE project aims at encouraging an evolutional change in the use of personal

More information

Change Impact analysis

Change Impact analysis 1 Change Impact analysis and the safety standard IEC 61508:2010 series Author and presenter: Thor Myklebust SINTEF ICT Authors: Tor Stålhane, IDI NTNU Geir Hanssen, SINTEF ICT Børge Haugset, SINTEF ICT

More information

Deaths/injuries in motor vehicle crashes per million hours spent travelling, July 2008 June 2012 (All ages) Mode of travel

Deaths/injuries in motor vehicle crashes per million hours spent travelling, July 2008 June 2012 (All ages) Mode of travel Cyclists CRASH STATISTICS FOR THE YEAR ENDED 31 DECEMBER 212 Prepared by the Ministry of Transport CRASH FACTSHEET November 213 Cyclists have a number of risk factors that do not affect car drivers. The

More information

PFSE Premier Functional Safety Engineering Safety Instrumented Systems Course Outline

PFSE Premier Functional Safety Engineering Safety Instrumented Systems Course Outline in cooperation with TÜV Industrie Service GmbH Automation, Software and Information Technology - ASI PCS is TÜV Industrie Service GmbH, ASI accepted course provider for the TÜV Functional Safety Program

More information

Safety and security related features in AUTOSAR

Safety and security related features in AUTOSAR Safety and security related features in Dr. Stefan Bunzel Spokesperson (Continental) Co-Authors: S. Fürst, Dr. J. Wagenhuber (BMW), Dr. F. Stappert (Continental) Automotive - Safety & Security 2010 22

More information