
Introduction to Requirement Management

for Safety-Critical Embedded Vehicle Systems



SARE-vst, May 2013


Urban Ingelsson
Safety-Critical Systems Competence Center
urban.ingelsson@semcon.com
What is functional safety?
Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems
Brakes, steering, electronics and software could cause an accident
Certifiably safe embedded systems in an automotive context
ISO 26262 Functional Safety - Road Vehicles
Introduction to Requirement Management for Safety-Critical Embedded Vehicle Systems,
May 2013

ISO 26262
Structured way of working
Scope
Specification and management of requirements
Hazard analysis and risk assessment
Automotive Safety Integrity Levels (ASIL)

ASIL D
ASIL C
ASIL B
ASIL A
Quality Management (QM)
[Figure: ASIL scale from QM up to ASIL D; axes labelled Criticality and Effort]

Case study
Windshield Wiper
Is it a safety-related function?
[Block diagram: a single Windshield controller with the signals Washer Liquid Spray Activate, Wiper Activate, Wiper Angle, Washer Liquid Spray Enable and Wiper Enable]
Hazard Analysis and Risk Assessment
[Figure: ASIL scale from QM up to ASIL D]
Failure mode: Continuous spray of washer liquid
Driving situation: High speed, curvy road, medium traffic
Hazard: The driver's view might be obscured
Exposure: High
Controllability: Medium
Severity: High
Safety goal: A malfunction shall not lead to the driver's view being obscured
Hazard Analysis
Inputs: Functions, Driving situations
Analysis of functions and safety goals (HAZOP, etc.)
Outputs: Hazards, Safety goal violations
Risk Assessment
Exposure, Controllability, Severity
Outputs: Safety goals with ASIL classification, Fault tolerant time interval
Analysis to choose safety measures to mitigate safety goal violations (FTA, etc.)
Outputs: Safety measures
Design space exploration: compare design patterns
Formulate functional safety requirements (quality attributes, notation, etc.)
Output: Functional safety requirements
ASIL C? It takes much effort!
Reduce effort by requirement decomposition!
A divide-and-conquer approach
Encourages use of safe architectures
2 independent modules
freedom from interference

lower ASIL --- typically less effort
Decomposition schemes shown:
  A       = A1         + A2
  ASIL C  = ASIL B(C)  + ASIL A(C)
  ASIL D  = ASIL B(D)  + ASIL B(D)
  ASIL D  = ASIL D(D)  + QM(D)
Example: Req A (ASIL C) is decomposed into Req A1 (ASIL B(C)) and Req A2 (ASIL A(C))
FSR1: The washer liquid spray shall not be enabled for >5s

FSR2: The washer liquid spray shall not be enabled for >1s if the wiper is inoperative

FSR3: The washer liquid spray controller shall disable the washer liquid spray, if the windshield wiper angle is constant for >1s

FSR4: The wiper controller shall disable the washer liquid spray, if the washer liquid spray is enabled for >5s

Decomposition
[Block diagram: the ASIL C Windshield controller (signals Washer Liquid Spray Activate, Wiper Activate, Wiper Angle, Washer Liquid Spray Enable, Wiper Enable) is split into a Washer liquid spray controller at ASIL A(C) and a Wiper controller at ASIL B(C), with an Override signal between the two controllers]
Quality attributes for requirements
Each requirement
Uniquely identified
Allocated in the design
Unambiguous
Comprehensible
Atomic
Internally consistent
Feasible
Verifiable
High ASIL: spec. in semi-formal notation
Traceable
Up and down the hierarchy
Verification activities, operating modes and system states
The set of requirements
Organized in a hierarchy
Complete
Grouped
Consistent
Maintainable
Free from duplicated information
Requirement hierarchy: Safety goal, Functional safety, Technical safety, HW, SW
SG1: A malfunction shall not lead to the driver's view being obscured
FSR3: The washer liquid spray controller shall disable the washer liquid spray, if the windshield wiper angle is constant for >1s
FSR4: The wiper controller shall disable the washer liquid spray, if the washer liquid spray is enabled for >5s
TSR42: Counter1 shall be reset within 20ms when Comparator3 indicates that PreviousAnglePWM anglePWM
HWSR71: Register anglePWM shall connect on the same bus as inputA of Comparator3
SWSR50: Control loop L1 shall reset Counter1 if Comparator3.output == false
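As an added illustration that is not part of the deck, the two decomposed monitors behind FSR3 and FSR4 simulated in C over a constructed input trace of the "continuous spray" failure mode. The 20 ms tick, the Sample fields and the angle values are assumptions; the counter-reset behaviour follows SWSR50.

```c
#include <stdbool.h>
#include <stddef.h>

#define TICK_MS       20    /* control-loop period, assumed (TSR42 speaks of 20 ms) */
#define FSR4_LIMIT_MS 5000  /* FSR4: spray must not stay enabled for > 5 s */
#define FSR3_LIMIT_MS 1000  /* FSR3: cut spray if wiper angle constant for > 1 s */

/* One control-loop tick: spray as commanded by the (possibly faulty) windshield
 * controller, and a hypothetical wiper-angle sensor reading. */
typedef struct { bool spray_enable; int wiper_angle; } Sample;

/* Time at which each monitor cut the spray, -1 if it never did. */
typedef struct { int fsr3_trip_ms; int fsr4_trip_ms; } Verdict;

/* Run both monitors over a trace of n samples. Each keeps its own counter and
 * reads only its own inputs: the independence the B(C) + A(C) split relies on. */
Verdict simulate(const Sample *trace, size_t n)
{
    Verdict v = { -1, -1 };
    int enabled_ms = 0, constant_ms = 0;   /* FSR4 timer; FSR3 "Counter1" */
    int prev_angle = trace[0].wiper_angle;
    for (size_t i = 0; i < n; i++) {
        int now_ms = (int)(i + 1) * TICK_MS;
        /* FSR4 monitor in the wiper controller (ASIL B(C)) */
        enabled_ms = trace[i].spray_enable ? enabled_ms + TICK_MS : 0;
        if (v.fsr4_trip_ms < 0 && enabled_ms > FSR4_LIMIT_MS)
            v.fsr4_trip_ms = now_ms;
        /* FSR3 monitor in the spray controller (ASIL A(C)); per SWSR50 the
         * counter is reset whenever the angle differs from the previous reading */
        constant_ms = (trace[i].wiper_angle == prev_angle) ? constant_ms + TICK_MS : 0;
        prev_angle = trace[i].wiper_angle;
        if (v.fsr3_trip_ms < 0 && trace[i].spray_enable && constant_ms > FSR3_LIMIT_MS)
            v.fsr3_trip_ms = now_ms;
    }
    return v;
}

/* Constructed 8 s trace of the deck's failure mode (spray stuck on);
 * wiper_moves selects whether the wiper still sweeps or is stuck too. */
Verdict run_stuck_spray(bool wiper_moves)
{
    Sample trace[400];
    for (size_t i = 0; i < 400; i++) {
        trace[i].spray_enable = true;
        trace[i].wiper_angle = wiper_moves ? (int)(i % 50) : 0;
    }
    return simulate(trace, 400);
}
```

With the wiper stuck, the ASIL A(C) monitor cuts the spray after 1.02 s and the ASIL B(C) monitor independently after 5.02 s; with the wiper still sweeping only FSR4 trips, which is why both are needed to cover SG1.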
Conclusion
The impact of ISO 26262
Requirement-heavy
ASIL
Quality attributes, traceability and semi-formal notation

Effort

Architecture