Software development for safetyrelated automotive systems the MISRA guidelines and ISO 26262



Similar documents
Dr. Brian Murray March 4, 2011

Introduction of ISO/DIS (ISO 26262) Parts of ISO ASIL Levels Part 6 : Product Development Software Level

ISO Introduction

ASSESSMENT OF THE ISO STANDARD, ROAD VEHICLES FUNCTIONAL SAFETY

TÜ V Rheinland Industrie Service

Controlling Risks Safety Lifecycle

Performance Study based on Matlab Modeling for Hybrid Electric Vehicles

Hardware in the Loop (HIL) Testing VU 2.0, , WS 2008/09

Intelligent development tools Design methods and tools Functional safety

IBM Rational Rhapsody

Making model-based development a reality: The development of NEC Electronics' automotive system development environment in conjunction with MATLAB

Efficient and Faster PLC Software Development Process for Automotive industry. Demetrio Cortese IVECO Embedded Software Design

FEV Parallel Mode Strategy

Effective Application of Software Safety Techniques for Automotive Embedded Control Systems SAE TECHNICAL PAPER SERIES

Testing for the Unexpected: An Automated Method of Injecting Faults for Engine Management Development

ISO Functional Safety Draft International Standard for Road Vehicles: Background, Status, and Overview

Building a Safety Case in Compliance with ISO for Fuel Level Estimation and Display System

Model-based Testing of Automotive Systems

SUCCESSFUL INTERFACE RISK MANAGEMENT FROM BLAME CULTURE TO JOINT ACTION

Introduction CHAPTER 1

Reduce Medical Device Compliance Costs with Best Practices.

Developing software for Autonomous Vehicle Applications; a Look Into the Software Development Process

Software Production. Industrialized integration and validation of TargetLink models for series production

How to Upgrade SPICE-Compliant Processes for Functional Safety

Security risk analysis approach for on-board vehicle networks

Virtual Integration and Consistent Testing of Advanced Driver Assistance Functions

Functional Safety and Automotive SW - Engineering Introduction ISO Daimler

IEC Functional Safety Assessment. Project: K-TEK Corporation AT100, AT100S, AT200 Magnetostrictive Level Transmitter.

Impact of Safety Standards to Processes and Methodologies. Dr. Herbert Eichfeld

Automotive System and Software Architecture

Safety and security related features in AUTOSAR

Software in safety critical systems

Advanced Electronic Platform Technologies Supporting Development of Complicated Vehicle Control Software

Wiederverwendung von Testfällen bei der modellbasierten SW-Entwicklung

Automotive Software Development Challenges Virtualisation and Embedded Security

Functional Safety with ISO Principles and Practice Dr. Christof Ebert, Dr. Arnulf Braatz Vector Consulting Services

Safety Issues in Automotive Software

Rigorous Methods for Software Engineering (F21RS1) High Integrity Software Development

Introduction into IEC Software life cycle for medical devices

ACHIEVING FUNCTIONAL SAFETY OF AUDI DYNAMIC STEERING USING A STRUCTURED DEVELOPMENT PROCESS

Functional Safety Hazard & Risk Analysis

Medical Device Software Standards for Safety and Regulatory Compliance

Vehicle Electronics. Services and Solutions to Manage the Complexity

Value Paper Author: Edgar C. Ramirez. Diverse redundancy used in SIS technology to achieve higher safety integrity

Version: 1.0 Latest Edition: Guideline

Overview of IEC Design of electrical / electronic / programmable electronic safety-related systems

Safe-E. Safe-E Introduction. Coordination: Andreas ECKEL TTTech Computertechnik AG

Logic solver application software and operator interface

E/ECE/324/Rev.1/Add.12/Rev.7/Amend.4 E/ECE/TRANS/505/Rev.1/Add.12/Rev.7/Amend.4

ANSYS SCADE Model-Based Development Solutions for AUTOMOTIVE. Critical Systems & Software Development Solutions

ID# BLACKBOX - PROJEKT V&V MD ČR

Model Based System Engineering (MBSE) For Accelerating Software Development Cycle

ELECTRICAL & POWER DISTRIBUTION

Hardware safety integrity Guideline

ELECTROTECHNIQUE IEC INTERNATIONALE INTERNATIONAL ELECTROTECHNICAL

Russian Automotive Industry: Governmental Policies and Priorities

A STUDY OF THE APPLICABILITY OF ISO/IEC AND THE GERMAN BASELINE PROTECTION MANUAL TO THE NEEDS OF SAFETY CRITICAL SYSTEMS

ISO/IEC Part 10 Safety Extension. Giuseppe Lami Istituto di Scienza e Tecnologie dell Informazione Consiglio Nezionale delle Ricerche Pisa

Change Impact analysis

Blue Ocean Equities Technology Conference

Professional Truck Driver Training Course Syllabus

Testing of safety-critical software some principles

Design of automatic testing tool for railway signalling systems software safety assessment

University of Paderborn Software Engineering Group II-25. Dr. Holger Giese. University of Paderborn Software Engineering Group. External facilities

Application Functional Safety IEC 61511

Electronics & Electrification

GE Capital. Fleet Policy. A step-by-step guide to writing your fleet policy. Key Solutions Thought Leadership

JEREMY SALINGER Innovation Program Manager Electrical & Control Systems Research Lab GM Global Research & Development

THEME Competence Matrix - Electrical Engineering/Electronics with Partial competences/ Learning outcomes

Reducing Steps to Achieve Safety Certification

Selecting Sensors for Safety Instrumented Systems per IEC (ISA )

With an Eye for Details For the Commercial Vehicles of Tomorrow

INTEGRATED OPEN DEVELOPMENT PLATTFORM FÜR TEIL- UND VOLLAUTOMATISIERTE FAHRZEUGANTRIEBE

Frequently Asked Questions

PABIAC Safety-related Control Systems Workshop

Technical Bulletin. Understanding Servo Safety Functionality and SIL ratings

TÜV Rheinland Functional Safety Program Functional Safety Engineer Certification

TÜV FS Engineer Certification Course Being able to demonstrate competency is now an IEC requirement:

System Safety Process Applied to Automotive High Voltage Propulsion Systems

Improving Fuel economy and CO 2 Through The Application of V2I and V2V Communications

Herstellerinitiative Software (OEM Initiative Software)

Certification of a Scade 6 compiler

WHITEPAPER: SOFTWARE APPS AS MEDICAL DEVICES THE REGULATORY LANDSCAPE

Identifying and Understanding Relevant System Safety Standards for use in the Automotive Industry

TOP 3 STRATEGIES TO REDUCE RISK IN AUTOMOTIVE/IN-VEHICLE SOFTWARE DEVELOPMENT

IEC Overview Report

Safe Automotive software architecture (SAFE) WP 6, WT Deliverable D Methods for Assessment Activity Architecture Model (AAM)

VELOCITY LAB TM Embedded Development Ecosystem

How cloud-based systems and machine-driven big data can contribute to the development of autonomous vehicles

Systems Engineering: Development of Mechatronics and Software Need to be Integrated Closely

Elektrobit (EB) Automotive Consulting Manage challenging automotive software projects

FMEDA and Proven-in-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

A System-safety process for by-wire automotive systems

Lecture 3 - Model-based Control Engineering

AS9100 B to C Revision

Topics. Relation System and Software Engineering Why (automotive) software engineering? Process models V-model Standards.

Driveability Simulation in the continuous development process. Dr. Josef Zehetner, DI Matthias Dank, Dr. Peter Schöggl, AVL List GmbH, Graz

Public trainings, In-house seminars, webinars Personal qualification on ISO 26262

INTERNATIONAL STANDARD

Transcription:

Software development for safetyrelated automotive systems the MISRA guidelines and ISO 26262 Dr David Ward General Manager Functional Safety MIRA Ltd 2010 Agenda Motivations and challenges for system safety in the automotive industry What is the automotive industry doing? What are some of the future directions? How might these relate to other sectors? MIRA Ltd 2010. All rights reserved. 1

MIRA delivers world class and independent vehicle engineering consultancy to the global automotive and transport industries Diverse global customer base from automotive, defence, aerospace and rail sectors Full vehicle systems design, test and integration engineering expertise a one-stop-shop Discrete system engineering projects through to turnkey vehicle development programmes Advanced concept through to post-production support Unrivalled experience applied through a flexible, high-quality approach utilizing the latest tools and techniques Providers of advanced research and development, cutting edge technology to leaders in industry The MISRA project Started in 1990 Mission: to provide assistance to the automotive industry in the creation and application of safe and reliable software in vehicle systems The original project was part of the UK Government s SafeIT programme Now self-supported MIRA Ltd 2010. All rights reserved. 2

MISRA interests MISRA aims to Promote best practice in automotive safety-related systems engineering Develop guidance in specific technical areas in an engineer-friendly manner MISRA does not Run certification schemes Promote or endorse specific products MISRA activities General engineering issues MISRA Guidelines (1994) Software readiness for production MISRA Safety Analysis Language-specific issues MISRA C MISRA C++ MISRA AC family MISRA Languages (planned) MIRA Ltd 2010. All rights reserved. 3

Key MISRA publications November 1994: Development guidelines for vehicle based software (The MISRA Guidelines) April 1998: Guidelines for the use of the C language in vehicle based software (MISRA C) October 2004: MISRA-C:2004 Guidelines for the use of the C language in critical systems (MISRA C2) November 2007: Guidelines for safety analysis of vehicle based programmable systems (MISRA SA) November 2007 onwards: MISRA AC family (model-based development/ autocode) Automotive system safety Safety has long been an important part of automotive engineering But traditionally focused on specific areas e.g. in crashworthiness active and passive safety The increased technical sophistication of vehicles means a system-led approach to their safety is needed Particularly, but not limited to, hybrid and electric vehicles MIRA Ltd 2010. All rights reserved. 4

Hybrid vehicle safety Unique automotive safety issues Mass-market consumer product We all have a view! Any perceived issues can lead to widespread adverse publicity Driver is part of control loop but receives little formal training in operating safety-related systems Long product lifetimes with maintenance difficult to assure outside warranty MIRA Ltd 2010. All rights reserved. 5

Driver in the loop model Physical environment Tyre contact patch forces Driver goals Vehicle Driver strategy Driver control Vehicle control systems Vehicle system behavior X Complete vehicle behavior Traffic environment Vehicle maneuver Specific automotive challenges Distributed control systems with high dependence on complex software Hybrid and electric vehicles new systems with new potential failure modes Drive by wire systems Working assumption that off is a safe state i.e. it is acceptable for systems to fail safe MIRA Ltd 2010. All rights reserved. 6

The future Further integration, higher feature content Drive-by-wire systems that must be fault-tolerant Brakes, steering Vehicle-to-X communications Co-operative driving Input to vehicle objectives from outside e.g. emissions control in sensitive areas The future continued Autonomy e.g. unmanned ground vehicles (UGVs) Vienna Convention: Every vehicle must have a driver However autonomy has many applications in defense, aerospace May be based on technology from mass-market products MIRA Ltd 2010. All rights reserved. 7

Distributed control systems Traditional vehicle UGVs Driver Operator Speed up Change gear Slow down Torque Direction Deceleration ABS/TCS/DSC Vehicle manager EMS ETC EMS ETC Steering ECU BECU Engine Brakes Engine Transmission Transmission Steering Brakes Automotive system safety standards Early 1990s work on functional safety in IEC SC 65A Generic aspects of functional safety Software 1994 MISRA Development Guidelines for Vehicle Based Software 1998 2000 IEC 61508 published Now in 7 parts MIRA Ltd 2010. All rights reserved. 8

Automotive system safety standards 2004 German and French national initiatives November 2005 Official start of work on ISO 26262 Road vehicles Functional safety at international level November 2007 MISRA Guidelines for Safety Analysis of Vehicle Based Programmable Systems (MISRA SA) July 2009 ISO 26262 published as DIS (draft international standard) Mid-2011 (latest) full international standard IEC 61508 Functional safety of electrical, electronic and programmable electronic safety-related systems The benchmark standard for developing and validating safety-related electronic systems Main principles are Identify system risk and required risk mitigation (expressed as a Safety Integrity Level, SIL) Perform the development and validation with a rigor matching the SIL Demonstrate that the required risk reduction has been achieved Note that the risk reduction is usually achieved through a separate protection system or safety function MIRA Ltd 2010. All rights reserved. 9

Basis of IEC 61508 There is Equipment Under Control (EUC) which poses a threat to its environment EUC Risk of misdirected energy Control System Protection System Safety functions (continuous) Safety functions (on demand) Safety functions are performed by E/E/PE systems Steps need to be taken to understand the risks involved and reduce them to an acceptable level Some issues with applying IEC 61508 to automotive Developed for low-volume not mass-market products Methods for risk analysis are informative and industry interpretation is always needed Subcontracting of work not addressed Human factors issues only briefly addressed Does not address the driver in the loop Does not reflect state-of-the art automotive development processes e.g. use of embedded systems and model-based development MIRA Ltd 2010. All rights reserved. 10

MISRA Safety Analysis Guidelines for safety analysis of vehicle based programmable systems Provides guidance on safety management Useful for establishing processes e.g. in accordance with IEC 61508 or ISO 26262 Provides process for automotive hazard and risk analysis Explains this from first principles Risk graph for hazard classification Permits adaptation or calibration for different application requirements e.g. UGVs Takes account of designated safety systems ISO 26262 Road vehicles Functional safety A functional safety standard specifically for passenger cars Claims to be the automotive version of IEC 61508 Timetable DIS (first public version) July 2009 FDIS (second public version) February 2011* Full standard July 2011* Excluded from scope Trucks and buses Specialist adaptations of cars * Guideline dates MIRA Ltd 2010. All rights reserved. 11

Objectives of ISO 26262 Maintain comparability with IEC 61508 for product liability reasons Adapt the safety lifecycle to the typical automotive development and operation phases Include requirements for relationships between manufacturers and suppliers, and for distributed development processes Adapt the hazard analysis and risk assessment for typical automotive use cases Allow for application of typical automotive validation tests Hardware-in-the-loop, whole vehicle simulation environments, fleet tests and user-oriented tests Overview of an automotive functional safety process System definition Description of system or function and its boundaries Supporting processes e.g. Configuration Management, documentation, reviews Management processes e.g. planning, qualification, responsibilities, guidelines Hazard analysis and risk assessment Safety requirements Design and realization Collection of driving situations Safety class (e.g. ASIL D) Safety integrity requirement (How good) - e.g. <10 -x dangerous failures/h - process requirements Design and implementation Malfunction of technical system Safety goals (e.g. no de-stabilization) Safety function (What) (e.g. do not send wrong signal) Verification and Validation Source: ISO 26262 introductory presentation Safety Case Safety Analysis FMEA, FTA, Markov,... MIRA Ltd 2010. All rights reserved. 12

Automotive V Model Requirements specification Safety goals and Functional Safety Concept Validation e.g. vehicle driving tests Vehicle integration e.g. System FMEA RBD, FTA, State transition diagrams Architecture and system design Technical Safety concept Verification e.g. HIL test System integration e.g. Component FMEA Detailed FTA Safety analysis HW and SW component design Measures for fault avoidance and mitigation Verification e.g. module testing Module / component integration Implementation Source: ISO 26262 introductory presentation Some issues with ISO 26262 ISO ASILs do not align with IEC SILs Difficult to read across components between different sectors e.g. electric motor controller and battery management may be reused in different applications No provision for emerging technology e.g. Vehicle-to-X communication Autonomy Some systems in hybrid/electric vehicles more like the safety/protection systems of IEC 61508 MIRA Ltd 2010. All rights reserved. 13

Relationships between standards Generic Functional Safety IEC 61508 Automotive Functional Safety Overall Guidance Specific requirements ISO 26262 Parts 1 9 MISRA 1994 MISRA SA Techniques to fulfill requirements MISRA C Guidance on the specific requirements ISO 26262 Part 10 Future: UGVs So what about software? So far this presentation has (intentionally) focused on system approaches to system safety A key strength of IEC 61508 and ISO 26262 is that design for safety is system-led Top-level safety requirements lead to requirements for system, hardware and software development Development lifecycle Specific requirements for process and product Specific techniques (IEC) or methods (ISO) MIRA Ltd 2010. All rights reserved. 14

So where does MISRA C fit? Coding guidelines and subsets are required by many safety-related standards Not only for C C is popular for embedded systems because It is specified in an International Standard It is widely implemented Compiles into efficient code It provides access to low-level machine features Its drawbacks include Many aspects of program behavior not specified Implementations vary widely It provides access to low-level machine features MISRA C aims to reduce the uncertainties associated with these drawbacks MISRA C history First ISO C standard, C90, published in 1990 with corrections and amendments in 1995 and 1996 First version of MISRA C published in 1998 Second version published in 2004 with Technical Corrigendum in 2007 More specific and definitive guidance Based on C90 as support for C99 by embedded compiler vendors was limited at the time Originally intended for automotive use but has become widely accepted in many industries MIRA Ltd 2010. All rights reserved. 15

In conclusion The automotive industry has some specific challenges in safety-related systems and their software, but many of the general principles are the same MISRA C is a good example of how guidance developed for an automotive need has benefited other sectors Going forward we look forward to ongoing cooperation David Ward + 44 24 7635 5430 For further details david (dot) ward (at) mira (dot) co (dot) uk www.mira.co.uk MISRA information www.misra.org.uk MIRA Ltd 2010. All rights reserved. 16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information