Functional safety in the automotive field: a reference approach for the development of smart products. Introduction to the ISO 26262 standard


Slide 1: Functional safety in the automotive field: a reference approach for the development of smart products. Introduction to the ISO 26262 standard
Renato Librino
Seminar "La necessità di sicurezza per i prodotti Smart" (The need for safety in smart products), 16 May 2016, Centro Congressi Unione Industriale di Torino

Slide 2: ISO 26262 Framework
- Road safety. EC target: to reduce the death rate due to road accidents by 75% (vs. 2001) before 2020.
- Environmental protection. EC target: to reduce greenhouse gas emissions by at least 20% below 1990 levels before 2020.
- New functionalities for active safety: vehicle dynamic control; ADAS (Advanced Driver Assistance Systems).
- Alternative propulsion vehicles: electric, hybrid.
=> New electric/electronic systems

Slide 3: ISO 26262 Framework: new electric/electronic systems
- Safety-related systems: systems which interact closely with the vehicle dynamics and which, in case of failure, may cause unwanted effects on the control of the vehicle, resulting in harm to persons.
- Safety-critical systems: if measures to avoid those unwanted effects are not adopted, the systems shall also be considered "safety-critical".

Slide 4: ISO 26262 Framework: safety-critical systems
Characteristics of the new E/E systems that imply they must be considered "safety-critical":
- Complexity of the control systems, distributed over various electronic control units.
- Interaction between the functions performed by the various systems, which may result in fault propagation that is difficult to control.
- Advanced sensor technology that acquires information until now processed by the driver.
- Actions on the vehicle dynamic control.
- Complexity of managing different suppliers of the various systems (consistency of specifications, difficulties of integration, intellectual property constraints, etc.).

Slide 5: ISO 26262 Framework: Safety and Functional Safety
- Safety: freedom from unacceptable risk of physical injury or of damage to the health of people, either directly or indirectly as a result of damage to property or to the environment.
- Functional Safety: absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E systems.

Slide 6: The possible sources of hazards
- Hazards indirectly addressed by ISO 26262: explosion, radiation, electric shock, fire, smoke, toxicity, corrosion.
- Hazard addressed by ISO 26262: malfunctioning behaviour of E/E systems.

Slide 7: ISO 26262 Framework: Functional Safety
The functional safety concept involves the management of risks by means of:
- identification of the hazards related to a specific scenario (hazardous event);
- application of appropriate measures (safety requirements, safety functions) at the level of system architecture and/or hardware or software components, or of the vehicle, aimed at mitigating the effects of the hazards themselves.
Example:
- Malfunction: a malfunction of the VDC system (Vehicle Dynamic Control), which manifests itself as a lack of yaw correction action.
- Operational situation: driving on a road with low grip at low speed.
- Hazard: loss of control of the vehicle.
- Harm: serious accident.

Slide 8: ISO 26262 Contents
Safety lifecycle structure of the standard:
1. Vocabulary
2. Management of functional safety
3. Concept phase
4. Product development: system level
5. Product development: hardware level
6. Product development: software level
7. Production and operation
8. Supporting processes
9. ASIL-oriented and safety-oriented analyses
10. (Informative) Guidelines on ISO 26262
- Part 1: Vocabulary. Terms, definitions and acronyms.
- Part 2: Management of functional safety. Requirements for functional safety management: overall safety management and project-specific requirements regarding the management activities in the safety lifecycle; management of confirmation measures.

Slide 9: ISO 26262 Contents
- Part 3: Concept phase. Requirements for the concept phase, including: item definition; initiation of the safety lifecycle; hazard analysis & risk assessment; functional safety concept definition.
- Part 4: Product development: system level. Methods and processes during product development at the system level up to the product release. In particular, definition of the methods for the integration, verification and validation of the system.

Slide 10: ISO 26262 Contents
- Part 5: Product development: hardware level. Methods and processes to be applied during the hardware development. Particularly relevant are the metrics for diagnostic coverage.
- Part 6: Product development: software level. Methods and processes to be applied during the software development. Especially, definition of the requirements for software integration & testing.

Slide 11: ISO 26262 Contents
- Part 7: Production and operation. Requirements for production, operation, service and decommissioning.
- Part 8: Supporting processes. Requirements for the management of supporting processes, including: interfaces within distributed developments (DIA); configuration management; change management; verification to ensure that the work products comply with their requirements; documentation management; qualification of software tools and of software and hardware components; proven-in-use argument.
- Part 9: ASIL-oriented and safety-oriented analyses. Methods and criteria for: ASIL decomposition; coexistence within the same element of sub-elements with different ASILs; safety analyses to be performed during the concept and product development phases (FMEA, FTA, Markov models, RBD, etc.).
- Part 10: Guideline on ISO 26262. Informative part, with additional explanation and application examples.

Slide 12: Hazard Analysis & Risk Assessment
- Hazard analysis: Malfunction -> Hazard; Hazard + Scenario -> Hazardous event -> Harm.
- Risk classification of each hazardous event by: exposure time, controllability, severity -> ASIL.
- Risk assessment: assessment of the risk related to every hazard, referred to each scenario, by classification according to the Automotive Safety Integrity Level (ASIL). ASIL determination by: exposure time, controllability, severity.
- ASIL scale: ASIL D (most severe), ASIL C, ASIL B, ASIL A, QM (Quality Management: not safety-critical functions).

Slide 13: ASIL criteria: Severity, Exposure, Controllability

Severity of damage:
- S0: No injuries. Damage that cannot be classified as safety related, e.g. bumps with the infrastructure (reference: AIS 0).
- S1: Light and moderate injuries. More than 10% probability of AIS 1-6 (and not S2 or S3).
- S2: Severe injuries, possibly life-threatening, survival probable. More than 10% probability of AIS 3-6 (and not S3).
- S3: Life-threatening injuries (survival uncertain) or fatal injuries. More than 10% probability of AIS 5 and 6.

Probability of exposure (definition of duration/operating time; definition of frequency of situations):
- E1: Very low probability. Not specified. Situations that occur less often than once a year for the great majority of drivers.
- E2: Low probability. < 1% of average operating time. Situations that occur a few times a year for the great majority of drivers.
- E3: Medium probability. 1% - 10% of average operating time. Situations that occur once a month or more often for an average driver.
- E4: High probability. > 10% of average operating time. All situations that occur during almost every drive on average.

Controllability:
- C0: Controllable in general (e.g. distracting).
- C1: Simply controllable. More than 99% of average drivers or other traffic participants are usually able to control the damage.
- C2: Normally controllable. More than 90% of average drivers or other traffic participants are usually able to control the damage.
- C3: Difficult to control or uncontrollable. The average driver or other traffic participant is usually unable, or barely able, to control the damage.

ASIL determination (rows: severity and exposure; columns: controllability):

          C1   C2   C3
S1  E1    QM   QM   QM
    E2    QM   QM   QM
    E3    QM   QM   A
    E4    QM   A    B
S2  E1    QM   QM   QM
    E2    QM   QM   A
    E3    QM   A    B
    E4    A    B    C
S3  E1    QM   QM   A
    E2    QM   A    B
    E3    A    B    C
    E4    B    C    D

Slide 14: Safety requirements
Flow: Malfunction -> Hazard; Hazard + Scenario -> Hazardous event (ASIL X) -> Harm; then Safety goal -> Safe state -> Functional safety requirements.
- Hazard analysis & risk assessment: to identify and categorize hazardous events and to specify ASILs and safety goals related to the prevention or mitigation of the associated hazards, in order to avoid unreasonable risk.
- Safety requirements: safety goal; possible safe state; functional safety requirements.
- Functional safety requirements: functional requirements that enable the achievement of the safety goals associated with the hazards and their ASILs.

Slide 15: Safety requirements
Diagram: Functional safety requirements (ASIL D) -> partitioning -> Functional requirements A (ASIL D) allocated to Subsystem A; Functional requirements B (ASIL D) allocated to Subsystems B and C. ASIL decomposition of Subsystem A: Subsystem A1 (ASIL C, functional requirements A1) and Subsystem A2 (ASIL A, functional requirements A2), plus additional requirements 1-2. From these, technical specifications.
- Functional safety concept: allocation of the functional safety requirements to the subsystems; ASIL decomposition and assignment to the components according to the rules of ASIL decomposition; assignment of additional requirements (plausibility check, no single mode of failure, etc.).
- Technical safety requirements: architecture, HW and SW components.
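The ASIL determination table of slide 13 and the decomposition rule mentioned on slide 15 can be turned into a small checking tool. The following is an added example written for this page (not code from the presentation or from ISO 26262): it encodes the S/E/C table as shown on the slide, derives a safety goal's ASIL as the highest ASIL of the hazardous events it covers, and validates a proposed ASIL decomposition against the pairs allowed by ISO 26262-9. The VDC classification values in the usage section are constructed assumptions, not figures from the presentation.

```python
from typing import Iterable

# ISO 26262-3 ASIL determination table as reproduced on slide 13.
# Rows: S1..S3, then E1..E4; the three entries per cell are for C1, C2, C3.
# S0 (no injuries) and C0 (controllable in general) always give QM.
ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

# Decomposition pairs allowed per initial ASIL (ISO 26262-9, clause 5),
# valid only when the two elements are sufficiently independent.
DECOMPOSITION_PAIRS = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}

def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Classify one hazardous event (S0-S3, E1-E4, C0-C3) as QM or ASIL A-D."""
    if not (0 <= severity <= 3 and 1 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("S must be 0-3, E 1-4, C 0-3")
    if severity == 0 or controllability == 0:
        return "QM"
    return ASIL_TABLE[severity][exposure].split()[controllability - 1]

def safety_goal_asil(events: Iterable[tuple[int, int, int]]) -> str:
    """A safety goal covering several hazardous events takes the highest ASIL."""
    return max((determine_asil(*e) for e in events), key=ASIL_RANK.__getitem__)

def is_valid_decomposition(initial: str, asil_a: str, asil_b: str) -> bool:
    """True if the initial ASIL may be split into asil_a + asil_b (order-insensitive)."""
    pairs = DECOMPOSITION_PAIRS.get(initial, set())
    return (asil_a, asil_b) in pairs or (asil_b, asil_a) in pairs

def decompose(initial: str, asil_a: str, asil_b: str) -> tuple[str, str]:
    """Return the annotated ASILs, e.g. ('C(D)', 'A(D)'); the '(D)' records the
    initial ASIL, which still applies to the safety goal at item level."""
    if not is_valid_decomposition(initial, asil_a, asil_b):
        raise ValueError(f"ASIL {initial} cannot be decomposed into {asil_a}+{asil_b}")
    return (f"{asil_a}({initial})", f"{asil_b}({initial})")

if __name__ == "__main__":
    # Constructed (S, E, C) values for the slide-7 VDC example: loss of yaw
    # correction on a low-grip road (assumed S3/E3/C3) and a second scenario.
    vdc_events = [(3, 3, 3), (3, 2, 3)]
    print(safety_goal_asil(vdc_events))    # C
    print(decompose("C", "B", "A"))        # ('B(C)', 'A(C)')
```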

Slide 16: Basic concepts: Verification & Validation
Safety lifecycle (clause references of ISO 26262), starting from the safety goal and safe state and the functional safety requirements:
- Part 4, Product development: system level: 4-5 Initiation of product development at the system level; 4-6 Specification of the technical safety requirements; 4-7 System design; 4-8 Item integration and testing; 4-9 Safety validation; 4-10 Functional safety assessment; 4-11 Release for production.
- Part 5, Product development: hardware level: 5-5 Initiation of product development at the hardware level; 5-6 Specification of hardware safety requirements; 5-7 Hardware design; 5-8 Hardware architectural metrics.
- Part 6, Product development: software level: 6-5 Initiation of product development at the software level; 6-6 Specification of software safety requirements; 6-7 Software architectural design; 6-8 Software unit design and implementation.
Verification and validation of the safety requirements are mandatory:
- The safety requirements are verified by ensuring their coverage in the implementation.
- The safety requirements are validated by examination and testing using various methods, to ensure the achievement of the safe state and of the safety goals against failures (e.g. fault injection).

Slide 17: Key points
Lifecycle: Concept phase (Hazard Analysis & Risk Assessment, Safety Goal, Safe State, Functional Safety requirements) -> Product development (Technical Safety requirements, SW Safety requirements, HW Safety requirements, Testing & Validation) -> Production & operation (production, maintenance, decommissioning).
- ASIL determination: identification and classification of the hazards.
- Safety Goal: top-level safety requirement resulting from the hazard analysis and risk assessment.
- Safe State: operating mode of an item without an unreasonable level of risk.
- Functional safety requirements: specification of implementation-independent safety behaviour, or implementation-independent safety measure, including its safety-related attributes.
- Technical safety requirement: requirement derived for the implementation of the associated functional safety requirements.
- Safety Validation: assurance, based on examination and tests, that the safety goals are sufficient and have been achieved.
- Safety requirements for manufacturing, serviceability and decommissioning.

Slide 18: Fault categories and countermeasures
- Systematic failures: safety mechanisms; mitigation measures via proper design; heterogeneous redundancy (diversity); design criteria; development methods; for SW faults: SW development methodologies and proper testing; manufacturing and servicing processes.
- Random hardware failures: safety mechanisms (diagnosis, redundancy, fault controls); proper components (low λ components).

Slide 19: Confirmation measures
Means of demonstrating the proper execution of the management processes and the achievement of functional safety:
- Confirmation Reviews
- Functional Safety Audits
- Functional Safety Assessments
They demonstrate the compliance of the processes and of the outcomes (work products) against the ISO 26262 requirements, and ensure the functional safety of the system or network of systems (item) that performs the functions at the vehicle level. These activities are to be performed by the vehicle manufacturers and their suppliers.

Slide 20: ISO 26262 application to the product lifecycle

Slide 21: ISO 26262 integration in the company processes
Integrated Company Management System: the company management processes are integrated to include in them all the applicable requirements.
- Q-E-S management system: Quality (ISO 9001, ISO/TS), Environment (ISO), H&S (OHSAS).
- Functional Safety requirements: ISO 26262.
- Process Improvement Models: CMMI, A-SPICE, ISO/IEC, ISO/IEC.
Goals: synergy, simplification, effectiveness, efficiency.

Slide 22: Possible sources of malfunctioning: new issues to be covered?
- Addressed by ISO 26262: systematic failures (design, manufacturing, incorrect specification, maintenance, technology limitation).
- Not addressed (yet) by ISO 26262: security (malicious attacks); critical environment conditions; safety of the intended functionality (SIF); operational safety.

Slide 23: ISO 26262 implications: Functional Safety and Product Liability
The ISO 26262 standard:
- is intended to minimize the risks that can arise in all operating conditions;
- represents the state of the art in safety in the automotive sector.
Applying this standard, even if voluntary, is essential for the purposes of Product Liability, because it protects companies from lawsuits in case of an accident caused by malfunctions of E/E safety-critical systems.

Slide 24: ISO 26262 implications: main actions required at company level
All companies involved in the development of automotive E/E systems shall:
- increase their know-how on functional safety;
- define their own functional safety development process;
- consistently adapt the organizational structure, creating new professional roles such as Safety Manager, Safety Specialist, internal/external Assessors;
- develop new products by applying ISO 26262;
- perform independent Assessments;
- provide testing tools for validation, e.g. including test benches for fault injection.

Slide 25: Conclusions
- The automotive sector is rich in smart systems.
- The ISO 26262 standard pursues automotive criteria (high integration, low cost, safety) that are also characteristic of smart systems.
- The search for technical solutions relies on decomposition opportunities that allow compatibility with any technological and cost constraints.
- Applying the standard nevertheless has a significant impact on the company, both in organizational terms and in terms of culture.
- Applying the standard is in any case an unavoidable path, even if not imposed by legislation.