Impact of Safety Standards on Processes and Methodologies
Dr. Herbert Eichfeld
Impact on Processes, Methodologies, Products

IEC 61508 / ISO 26262 requirements drive changes in all three areas:

Processes
+ New/changed role descriptions (e.g. safety manager)
+ Assignments to competent persons
+ Enrichment of process with safety plan
+ Enrichment of document flow with new documents
+ Process tailoring wrt SIL / ASIL

Methodologies
+ Documentation & configuration mgmt (safety case)
+ Change management with safety label
+ Failure Modes, Effects and Diagnostic Coverage Analysis
+ Common Cause Analysis
+ Requirement traceability for safety requirements

Products
+ Safety concept with safety product requirements
+ Safety manual as user manual
+ Element safety function: product architecture
+ Additional / changed IP on µC or power IC
+ Monitor software, watchdog IC, ...
Impact on processes and methodologies

IEC 61508 and ISO 26262 require certain processes and methodologies to prevent systematic faults. ISO explicitly requires an audit of functional safety processes for ASIL B, C, D (see ISO 26262-2.6.4.6, Table 1). ISO proposes to check the safety management, including the functional safety audit, within the functional safety assessment of the item (see ISO 26262-2 Annex E).

1. Set up a safety audit project to prepare your processes and methodologies according to the safety requirements.
2. Roll it out for product development projects.
3. Pass the external safety audit.
4. Product assessments refer to the safety audit for all process- and methodology-related requirements.
Example of a safety audit project (1 of 2)

I1 Scope of process audit (draft)
+ Selection of stakeholders
+ Stakeholder requirements
+ Methodologies to
  + cope with 2 standards
  + avoid overengineering for < SIL3, < ASIL D
+ Selection of lead customers
+ Selection of auditor
+ Interface to other process adaptations
+ Align on Tier1 - Tier2 process interface
+ Align scope of audit
I2 Scope of process audit
I3 Project setup, contract with auditor
Example of a safety audit project (2 of 2)

+ Gap analysis: company process vs. standards
I4
+ 1. Internal review
I5
+ Improvement plan to close gaps
+ 1. Audit by auditor
+ Enrich improvement plan by
  + audit findings
  + changes in standards (CR against ISO 26262 till 08.12.09)
+ Implement improvements
+ Rollout to projects
+ 2. Internal review
I6
+ 2. Audit by auditor: Compliant!
I7 Rollout release
Example: Scope of process audit

ISO part  | ISO topic                          | Scope  | Arguments
26262-1   | Vocabulary                         | No     | No work product defined
26262-2   | Management of functional safety    | Yes *  | All companies in the automotive safety market have to do it.
26262-3   | Concept phase                      | No     | OEM & Tier1 topic
26262-4   | Product dev.: system level         | No     | Tier1 & OEM topic
26262-5   | Product dev.: hardware level       | Yes *  | Tier1 (board) & Tier2 (µC)
26262-6   | Product dev.: software level       | Yes *  | Tier1 (appl. SW) & Tier2 (FW, drivers, monitors, ...)
26262-7   | Production & operation             | Yes *  | OEM (car), Tier1 (ECU), Tier2 (µC)
26262-8   | Supporting processes               | Yes *  | All companies affected.
26262-9   | ASIL- & safety-oriented analysis   | Yes *  | All companies affected.
26262-10  | Guideline on ISO 26262             | No     | Informative overview

* Equivalent contents of IEC 61508 are in scope as well.
Example: How to cope with 2 standards

Differences                         | ISO 26262                                   | IEC 61508                                                     | Evaluation
Information structure: FSM structure | FSM in one part: ISO 26262-2 (1. Overall FSM, 2. During development, 3. After release for production) | FSM in IEC 61508-1.6 and other parts; ISO structure does not exist but most ISO requirements covered | Risk not to find all relevant IEC information; ISO structure clearer; no contradiction to IEC found
Concepts                            | Safety culture                              | Does not exist                                                | ISO asks for more
Terminology                         | Safety plan, safety case, item, work product, confirmation measure | Terms not defined but content implicitly available | ISO more precise
Roles                               | 1. Organization, 2. PJM, 3. Safety Mgr      | 1. Organization, 2. Responsible persons                       | ISO more detailed

Result: ISO 26262 covers IEC 61508 for FSM.
Example: How to avoid overengineering

Non-safety projects shall not be affected. Today's process for automotive projects fulfills ASIL A & B. For ASIL C & D, enrichments of today's process are necessary. Apply the tailoring possibilities the standards offer along the safety integrity levels. On FSM, ISO 26262 offers one tailoring possibility, the certification plan according to 26262-2 Annex D, Table D.1:

ASIL  | # of obligatory certification measures
D, C  | 14 (including B and A)
B     | 9 (including A)
A     | 4

Which SIL or ASIL levels are relevant for the company?
Impact on methodologies: Example on requirement traceability (1 of 2)

[Figure: requirement database fed by Delta SIL, PRD, ITS, RTR, FMEA, UM, SAR, legacy product requirements, SoW and Safety Manual; DocFlow per project with milestones 1, 3, 7, 9.]

Requirement traceability (2 of 2)

[Figure: the same document flow with Reqtify as the requirement database; the documents (Delta SIL, PRD, ITS, RTR, legacy product requirements, FMEA, SoW, UM, Safety Manual, SAR) are tagged documents feeding Reqtify across the project milestones 1, 3, 7, 9.]
Requirement tag

The image shows a tagged requirement within a Word document. [req ...] and [/req] are the opening and closing tags. id is this requirement's identifier. parent is the link to an upper requirement, following the V-model. The text between the tags is the requirement description. The text format is not mandatory (parsing is ASCII based), but helps to differentiate.
Coverage tag

The image shows a tagged test case within a Word document. [cover ...] and [/cover] are the opening and closing tags. refid is the identifier of the requirement which is covered. The text between the tags is the test case name and description. The text format is not mandatory (parsing is ASCII based), but helps to differentiate.
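As an added example that is not part of the slides or of the Reqtify tool, a small Python parser for the [req]/[cover] tag scheme described above, with a traceability check that reports uncovered requirements, cover tags pointing at unknown ids, and parent links to unknown requirements. The attribute syntax `[req id=... parent=...]` and `[cover refid=...]`, and the sample documents, are assumptions constructed for this example.

```python
"""Requirement/coverage tag parser and traceability check (added example).
The exact attribute syntax is an assumption; the slides only name the tags
and their fields (id, parent, refid). Parsing is plain text, as the slides state."""
import re

# Assumed tag grammar: [req id=X parent=Y] ... [/req] and [cover refid=X] ... [/cover]
REQ_RE = re.compile(
    r"\[req\s+id=(?P<id>[\w.-]+)(?:\s+parent=(?P<parent>[\w.-]+))?\s*\]"
    r"(?P<text>.*?)\[/req\]", re.S)
COVER_RE = re.compile(
    r"\[cover\s+refid=(?P<refid>[\w.-]+)\s*\](?P<text>.*?)\[/cover\]", re.S)

# Constructed sample documents standing in for the tagged Word files.
SAFETY_REQS = """
[req id=SR-1]The watchdog shall reset the MCU if not served within 50 ms.[/req]
[req id=SR-2 parent=SR-1]The watchdog window shall be configured before main loop start.[/req]
[req id=SR-3 parent=SR-1]A watchdog reset shall be logged in non-volatile memory.[/req]
"""
TEST_SPEC = """
[cover refid=SR-1]TC-10 Stop serving the watchdog and verify an MCU reset occurs.[/cover]
[cover refid=SR-2]TC-11 Check window configuration before main loop start.[/cover]
[cover refid=SR-9]TC-99 Refers to a requirement id that does not exist.[/cover]
"""

def parse_reqs(text):
    """Map requirement id -> {parent, text} for every [req] tag in the document."""
    return {m["id"]: {"parent": m["parent"], "text": m["text"].strip()}
            for m in REQ_RE.finditer(text)}

def parse_covers(text):
    """List of (refid, test case text) for every [cover] tag in the document."""
    return [(m["refid"], m["text"].strip()) for m in COVER_RE.finditer(text)]

def trace(reqs, covers):
    """Traceability report: gaps a safety audit would want flagged."""
    covered = {refid for refid, _ in covers}
    return {
        "uncovered": sorted(r for r in reqs if r not in covered),
        "dangling_covers": sorted({refid for refid, _ in covers if refid not in reqs}),
        "orphan_parents": sorted(r for r, v in reqs.items()
                                 if v["parent"] and v["parent"] not in reqs),
    }

if __name__ == "__main__":
    print(trace(parse_reqs(SAFETY_REQS), parse_covers(TEST_SPEC)))
```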
Summary

High safety integrity levels (SIL 3, ASIL C/D) require additional measures for products and for processes & methodologies. Assumption: a company that has delivered automotive quality successfully for many years should have all measures in place to comply with low safety integrity levels (ASIL A/B, SIL 1, SIL 2).