20131216 cisec-standards-jp blanquart-jmastruc
Post on 12-Sep-2014
885 views
DESCRIPTION
Most industrial safety-critical systems are developed and validated following safety standards. However, even though all safety standards address similar concerns with similar objectives, they are also domain-specific standards. The presentation results from the activity of a working group (formerly CG2E, now part of the recently set-up Embedded France) gathering industrial safety experts from aeronautics, automotive, industrial automation, nuclear, railway and space. The lecture combines a presentation focused on one industry-specific standard (the recent ISO 26262 for automotive) and a complementary perspective comparing it with the standards of the other five mentioned domains. After the presentation of the history and positioning of the standards and of the various regulation regimes, we highlight some more technical topics, e.g. integrated or external safety systems, fault prevention vs. fault tolerance, objectives vs. means prescription, probabilistic vs. deterministic arguments, and the notion of criticality, integrity or assurance levels.
TRANSCRIPT
Introduction to ISO 26262
CISEC – 2013 Dec 16th
JM Astruc, Continental Automotive SAS
It's a long way to ISO 26262…
Timeline: 2005 – 2011 (Nov 15th)
PWI (Preliminary Work Item) → NWI (New Work Item) → ISO/CD 26262 (Committee Draft) → ISO/DIS 26262 (Draft International Standard) → ISO/FDIS 26262 (Final Draft International Standard)
Inadequacy of the generic standard IEC 61508:
• Not for mass production
• Validation after installation
• No customer / supplier relationships
• No scheme for hazard classification
• Safety functions separate from EUC
German – French joint initiative for PWI started in 2004
3 / Introduction to ISO 26262 / CISEC - Dec 2013 / JM Astruc / © Continental AG
ISO 26262 all around the world…
General legal obligation
Conformance of the product to the regulatory requirements
Adequacy of the product to its intended use
General product safety:
• Only "safe products" on the market
• Survey of the product, once put on the market
• Reaction when the product is not or no longer safe
Applicable regulations:
• International conventions, UN ECE, when adopted by the country
• European Union directives and regulations, immediately applicable when transposed into national law
• National regulations and laws (incl. contract law), mandatory in the country of commercialization
• Mandatory standards, optional standards, state of the art
• Contractual specs
(Figure: UN-ECE Regulations; Directives, Regulations; Laws, Regulations; Professional frame of reference; Contractual specifications, customer's process, …)
Legal status of ISO 26262
Functional Safety Standard ISO 26262 provides technical clauses that are:
• considered to be correct by the technical community
• suitable for practical applications
• generally accessible and regularly applied
This standard is not legally binding. Applying it is voluntary as a matter of principle, but
doing so does make it easier to demonstrate compliance with generally acknowledged
rules of technology whenever needed.
Compliance induces the presumption that a product is not defective and / or that the
manufacturer has observed the necessary duty of care.
EC directives applicable to vehicles, grouped on the slide under Environment, Active Safety, Passive Safety, Lighting Equipment and Other Directives:
01. Sound Levels EC 1999/101
02. Emissions EC 2003/76
11. Diesel Smoke EC 2005/21
39. Fuel Consumption EC 2004/3
40. Engine Power EC1999/99
41. Diesel Emissions 2006/81/EC
05. Steering Equipment EC 1999/7
07. Audible Warning EC 70/388
35. / Wipe. EC 94/68
13. Antitheft EC 95/56
32. Forward Vision EC 90/630
17. Speedometer and Reverse Gear EC 97/39
08. Rear Visibility EC 2005/27
46. Tyres EC 2005/11
34. Defrost / Demist EC 78/317
09. Braking EC 2002/78
20. Lighting Installation EC 97/28
33. Identification of Controls EC 94/53
37. Wheel Guards EC 94/78
19. Safety Belt EC 2005/41
16. Exterior Projections EC 79/488
15. Seat Strength EC 2005/39
14. Protective Steering EC 91/662
03. Fuel Tank EC 2006/20
12. Interior Fittings EC 2000/4
31. Safety Belts EC 2005/40
06. Door Latches and hinges EC 2001/31
38. Head restraints EC 78/932
45. Safety glazing EC 2001/92
53. Frontal impact EC 1999/98
54. Side impact EC 96/27
21. Reflex Reflectors EC 97/29
22. Side, Rear and Stop lamps EC 97/30
23. Direction indicator lamps EC 1999/15
24. Rear registration plate lamp EC 97/31
25. Headlamps (including bulbs) EC 1999/17
26. Front fog lamps EC 1999/18
28. Rear fog lamps EC 1999/14
29. Reversing Lamps EC 97/32
30. Parking Lamps EC 1999/16
27. Towing Hooks EC 96/64
10. Radio Interference Suppression EC 2006/28
04. Rear Registration Plate EC 70/222
18. Statutory Plates EC 78/507
36. Heating systems 2004/78
44. Masses and Dimensions EC 95/48
50. Mechanical Couplings EC 94/20
EC directives
ISO 26262 confirmation measures
What is functional safety for road vehicles?
Functional safety for road vehicles is the part of safety which relates to hazards caused by
malfunctioning behavior of E/E-based systems embedded in road vehicles.
Avoid & control hazardous failures of in-vehicle E/E-based systems
(including those related to foreseeable operational misuse)
= Avoid systematic faults: inadequate design, gaps in requirements, wrong implementation, missing testing
+ Control of systematic faults during operation
+ Control of random hardware failures during operation (including failures of components of other technologies that are not in the scope of ISO 26262)
Attributes of faults and failures
Fault: abnormal condition that can cause an element or system to fail (it is a state)
Failure: termination of the ability of an element or a system to perform a function as required
(it is an event)
Systematic failure: failure of an element or system that is caused in a deterministic way during
development, manufacturing or maintenance
Random hardware failure: failure that occurs unpredictably during the lifetime of a hardware element
and that follows a probability distribution
Example of an accident scenario
Overview of ASIL classification method
Hazardous event → S + E + C → ASIL → Safety goal
SEVERITY (S): estimation of the extent of harm to the person(s) at risk
EXPOSURE (E): likelihood of exposure of the vehicle to the operational situation
CONTROLLABILITY (C): ability to avoid a specified harm through timely reaction of the person(s) at risk
Risk estimation and ASIL classification
Classes of probability of exposure (initial operational situation where the system failure occurs):
E0 Incredible
E1 Very low probability
E2 Low probability
E3 Medium probability
E4 High probability
Classes of controllability (ability of traffic participants to avoid an accident):
C0 Controllable in general
C1 Simply controllable
C2 Normally controllable
C3 Difficult to control or uncontrollable
Classes of severity (potential harm to traffic participants if the accident occurs):
S0 No injuries
S1 Light and moderate injuries
S2 Severe and life-threatening injuries (survival probable)
S3 Life-threatening injuries (survival uncertain), fatal injuries
ASIL determination (rows: controllability and exposure class; columns: severity class):
            S1       S2       S3
C1  E1      QM       QM       QM
    E2      QM       QM       QM
    E3      QM       QM       ASIL A
    E4      QM       ASIL A   ASIL B
C2  E1      QM       QM       QM
    E2      QM       QM       ASIL A
    E3      QM       ASIL A   ASIL B
    E4      ASIL A   ASIL B   ASIL C
C3  E1      QM       QM       ASIL A
    E2      QM       ASIL A   ASIL B
    E3      ASIL A   ASIL B   ASIL C
    E4      ASIL B   ASIL C   ASIL D
ASIL as risk reduction measures
ASILs are used for specifying risk reduction measures to address
• systematic failures of system, hardware, and software, with
measures and techniques for fault avoidance and fault tolerance
• random failures of hardware, with
quantitative targets for safety critical failures and diagnostic coverage of the architecture
Functional safety concept
Safety goal: a top level safety requirement as a result of the hazard analysis and risk assessment
Functional safety requirement: specification of implementation-independent safety behavior, or
implementation-independent safety measure, including its safety-related attributes
• operating modes
• fault tolerant time interval
• degradation, safe states, warning
• emergency operation time interval
• functional redundancies
Functional safety concept: specification of the functional safety requirements, with associated
information, their allocation to preliminary architectural elements and the interactions between them
necessary to achieve the safety goals
Technical Safety Concept
Technical safety requirement: requirement derived from the associated functional safety requirements
to provide their technical implementation – the safety mechanisms are specified by technical safety
requirements
Safety mechanism: measure implemented by an E/E function or element, or in other technologies, to
detect or control failures in order to achieve a safe state of the item, or maintain a safe state of the
item, or both
• measures to detect, indicate and control faults in the system itself
• measures to detect, indicate and control faults in external devices interacting with the system
• measures that enable the system to achieve or maintain a safe state
• measures to detail and implement the warning and degradation concept
• measures which prevent faults from being latent
Technical safety concept: specification of the technical safety requirements to be implemented, with
associated information, and their allocation to hardware and software
Default rules for ASIL assignment
Inheritance: Each safety requirement inherits the ASIL of the safety requirement it is derived from –
starting from the ASIL of the safety goal
ASIL allocation drives development: When a safety requirement is allocated to an architectural
element, this element and its sub-elements are developed in compliance with the ASIL assigned to
the safety requirement
Highest ASIL predominance: When safety requirements with different ASILs are allocated to the
same architectural element, this element is developed in compliance with the highest ASIL – unless
the criteria for coexistence are met
Safety relevance by default: Any architectural element is safety related unless
• this element is independent from the safety related elements of the item, or
• the criteria for coexistence are met
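As an added worked example (not from either presentation; the hazards, requirement identifiers and element names are constructed), the following Python code implements the S/E/C to ASIL table of the "Risk estimation and ASIL classification" slide and then applies the four default rules above to a small requirement tree, so that the ASIL each architectural element has to be developed to follows from the safety goals, the derivations and the allocations rather than being assigned by hand.

```python
"""ASIL determination and the default ASIL-assignment rules (added example).

The S/E/C table is the one on the "Risk estimation and ASIL classification"
slide; the requirement tree, element names and hazards below are constructed
for illustration and are not from the presentation.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

ASIL_ORDER = ["QM", "A", "B", "C", "D"]

# (controllability, exposure) -> ASIL for severity S1, S2, S3
ASIL_TABLE = {
    ("C1", "E1"): ("QM", "QM", "QM"), ("C1", "E2"): ("QM", "QM", "QM"),
    ("C1", "E3"): ("QM", "QM", "A"),  ("C1", "E4"): ("QM", "A", "B"),
    ("C2", "E1"): ("QM", "QM", "QM"), ("C2", "E2"): ("QM", "QM", "A"),
    ("C2", "E3"): ("QM", "A", "B"),   ("C2", "E4"): ("A", "B", "C"),
    ("C3", "E1"): ("QM", "QM", "A"),  ("C3", "E2"): ("QM", "A", "B"),
    ("C3", "E3"): ("A", "B", "C"),    ("C3", "E4"): ("B", "C", "D"),
}


def determine_asil(severity: str, exposure: str, controllability: str) -> str:
    """Map the S/E/C classes of a hazardous event to an ASIL.

    S0, E0 and C0 are listed on the slide but lie outside the table: no ASIL
    is assigned, which is represented here as QM.
    """
    if "0" in (severity[-1], exposure[-1], controllability[-1]):
        return "QM"
    return ASIL_TABLE[(controllability, exposure)][int(severity[-1]) - 1]


def highest(asils: Iterable[str]) -> str:
    """Highest ASIL predominance helper (QM < A < B < C < D)."""
    return max(asils, key=ASIL_ORDER.index, default="QM")


@dataclass
class Requirement:
    rid: str
    asil: str
    allocated_to: List[str] = field(default_factory=list)
    children: List["Requirement"] = field(default_factory=list)

    def derive(self, rid: str, allocated_to: Iterable[str] = ()) -> "Requirement":
        """Inheritance rule: a derived requirement carries its parent's ASIL."""
        child = Requirement(rid, self.asil, list(allocated_to))
        self.children.append(child)
        return child

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()


def safety_goal(gid: str, severity: str, exposure: str, controllability: str) -> Requirement:
    """A safety goal is the top-level requirement; its ASIL is the hazard's ASIL."""
    return Requirement(gid, determine_asil(severity, exposure, controllability))


def element_asils(goals: List[Requirement], elements: List[str],
                  coexistence_met: Iterable[str] = (),
                  independent: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Development ASIL(s) per architectural element, per the default rules:
    allocation drives development; highest ASIL predominance unless the
    coexistence criteria are met (then every allocated ASIL is listed and
    handled separately); an element with nothing allocated is safety related
    by default and inherits the item's highest ASIL unless it is independent.
    """
    coexistence_met, independent = set(coexistence_met), set(independent)
    allocated: Dict[str, List[str]] = {e: [] for e in elements}
    for goal in goals:
        for req in goal.walk():
            for element in req.allocated_to:
                allocated.setdefault(element, []).append(req.asil)
    item_asil = highest(goal.asil for goal in goals)
    result: Dict[str, List[str]] = {}
    for element, asils in allocated.items():
        if not asils:
            result[element] = ["QM"] if element in independent else [item_asil]
        elif element in coexistence_met:
            result[element] = sorted(set(asils), key=ASIL_ORDER.index, reverse=True)
        else:
            result[element] = [highest(asils)]
    return result


def build_example():
    """Constructed item: two hazards, their safety goals and derived requirements."""
    sg1 = safety_goal("SG1 avoid unintended acceleration", "S3", "E4", "C3")  # ASIL D
    sg2 = safety_goal("SG2 avoid loss of speed limiter", "S2", "E3", "C2")    # ASIL A
    fsr1 = sg1.derive("FSR1 monitor requested torque", ["torque_monitor"])
    fsr1.derive("TSR1.1 plausibility check in MCU", ["mcu"])
    fsr2 = sg2.derive("FSR2 detect limiter dropout", ["limiter_sw"])
    fsr2.derive("TSR2.1 limiter watchdog in MCU", ["mcu"])
    elements = ["mcu", "torque_monitor", "limiter_sw", "power_supply", "infotainment"]
    return [sg1, sg2], elements


if __name__ == "__main__":
    goals, elements = build_example()
    print(element_asils(goals, elements, independent={"infotainment"}))
    print(element_asils(goals, elements, coexistence_met={"mcu"}, independent={"infotainment"}))
```

In the constructed item the MCU receives an ASIL D and an ASIL A requirement: without a coexistence argument it is developed to ASIL D as a whole; with one, the two ASILs are kept apart. The power supply has no requirement allocated and is not declared independent, so it is safety related by default and carries the item's ASIL D.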
One page summary about quantitative analyses on HW
Taxonomy of random HW faults (failure rate of the safety-related HW components):
SPF (single-point faults)
RF (residual faults)
MPF (multiple-point faults), split into MPF DP (MPF detected / perceived) and MPF L (MPF latent)
S (safe faults)
SPFM is computed over the safety-related HW components from the SPF and RF share, LFM from the MPF L share; PMHF combines the SPF and RF contributions (proportional to the operating time t) and the dual-point failure contribution (proportional to t²).
Target values per ASIL:
ASIL    | Analysis of random HW failures | SPFM  | LFM   | PMHF
ASIL D  | required                       | 99 %  | 90 %  | 10^-8 per hour (10 FIT)
ASIL C  | required                       | 97 %  | 80 %  | 10^-7 per hour (100 FIT)
ASIL B  | recommended                    | 90 %  | 60 %  | 10^-7 per hour (100 FIT)
ASIL A  | not required nor recommended   | –     | –     | –
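The following Python code is an added example, not part of the presentation: it splits the failure rate of each safety-related HW part into the fault classes of the taxonomy above (single-point or residual faults, multiple-point faults that are detected/perceived or latent, safe faults), computes SPFM and LFM with the ratio definitions of ISO 26262-5 Annex C, bounds PMHF from below by the SPF and RF contribution, and compares the results with the target values per ASIL. The part list, its FIT values and coverage figures are constructed, and describing a part by one "dangerous share" and two coverage figures is a modelling simplification of this example, not something the slide prescribes.

```python
"""SPFM, LFM and a PMHF lower bound from the random-HW fault taxonomy (added example).

The fault classes (SPF, RF, MPF detected/perceived, MPF latent, safe) and the
ASIL target values are those of the slide; the split of each part's failure
rate into those classes, the metric formulas (as in ISO 26262-5 Annex C) and
the part list are this example's own modelling assumptions, not the slide's.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class HwPart:
    name: str
    fit: float        # failure rate in FIT (failures per 1e9 h)
    dangerous: float  # share of failures able to violate the safety goal if unhandled
    dc_rf: float      # diagnostic coverage against residual faults (0 = no safety mechanism)
    dc_latent: float  # coverage of the mechanism that reveals latent multiple-point faults

    def spf_rf(self) -> float:
        """Single-point faults (no mechanism) or residual faults (mechanism misses them)."""
        return self.fit * self.dangerous * (1.0 - self.dc_rf)

    def mpf(self) -> float:
        """Multiple-point faults: dangerous faults the safety mechanism covers."""
        return self.fit * self.dangerous * self.dc_rf

    def mpf_latent(self) -> float:
        """Multiple-point faults neither detected nor perceived (MPF L)."""
        return self.mpf() * (1.0 - self.dc_latent)

    def safe(self) -> float:
        """Failures that cannot violate the safety goal (S)."""
        return self.fit * (1.0 - self.dangerous)


def spfm(parts: List[HwPart]) -> float:
    """Single-point fault metric: share of the total failure rate that is not SPF/RF."""
    total = sum(p.fit for p in parts)
    return 1.0 - sum(p.spf_rf() for p in parts) / total


def lfm(parts: List[HwPart]) -> float:
    """Latent fault metric: share of the non-SPF/RF failure rate that is not latent."""
    denominator = sum(p.fit - p.spf_rf() for p in parts)
    return 1.0 - sum(p.mpf_latent() for p in parts) / denominator


def pmhf_lower_bound_fit(parts: List[HwPart]) -> float:
    """SPF + RF contribution in FIT. The dual-point contribution over the
    exposure time is left out, so this is a lower bound that can only rule an
    ASIL out, never demonstrate it."""
    return sum(p.spf_rf() for p in parts)


# Target values from the slide: (SPFM, LFM, PMHF in FIT); ASIL A has none.
TARGETS = {"D": (0.99, 0.90, 10.0), "C": (0.97, 0.80, 100.0), "B": (0.90, 0.60, 100.0)}


def metrics_asil(parts: List[HwPart]) -> str:
    """Highest ASIL whose SPFM and LFM targets hold and whose PMHF target is
    not already excluded by the lower bound; "none" if ASIL B is not reached."""
    s, l, p = spfm(parts), lfm(parts), pmhf_lower_bound_fit(parts)
    for asil in ("D", "C", "B"):
        t_spfm, t_lfm, t_pmhf = TARGETS[asil]
        if s >= t_spfm and l >= t_lfm and p < t_pmhf:
            return asil
    return "none"


def example_parts() -> List[HwPart]:
    """Constructed safety-related HW components (values are illustrative only)."""
    return [
        HwPart("mcu_core", fit=50.0, dangerous=0.5, dc_rf=0.99, dc_latent=0.90),  # lockstep + self-test
        HwPart("voltage_monitor", fit=10.0, dangerous=0.2, dc_rf=0.0, dc_latent=0.0),  # no mechanism
        HwPart("flash", fit=20.0, dangerous=0.8, dc_rf=0.90, dc_latent=0.60),  # ECC
        HwPart("connector", fit=5.0, dangerous=0.0, dc_rf=0.0, dc_latent=0.0),  # safe faults only
    ]


if __name__ == "__main__":
    parts = example_parts()
    print(f"SPFM={spfm(parts):.4f} LFM={lfm(parts):.4f} "
          f"PMHF>={pmhf_lower_bound_fit(parts):.2f} FIT -> ASIL {metrics_asil(parts)}")
```

With the constructed parts the unmonitored voltage monitor alone contributes 2 FIT of single-point faults, which is what pins SPFM below the ASIL C target although LFM would already satisfy ASIL C; the classification therefore stops at ASIL B. Adding a safety mechanism to that part is the change that would move the metrics, which is the kind of trade-off the table on the slide is meant to drive.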
Questions and discussion
Thanks for your attention!
CISEC – Introduction to critical embedded systems engineering
ISAE, Toulouse, December 16th, 2013
Comparison of safety standards across several safety critical application domains
Jean-Paul Blanquart
Astrium Satellites, Toulouse
Multi-domain expertise working group
Now with “Embedded France”
Aeronautics: ARP 4754, 4761; DO 178, 254, 330-3
Automation, Industry: IEC 61508, 61511
Automotive: ISO 26262
Defence: IEC 61508
Nuclear: IEC 61513, 60880, 62138
Railway: EN CENELEC 50126, 8, 9, 50155, 50159-1, 50159-2
Space: ECSS Q30, Q40, Q80
Technology providers
This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.
Page 24
Outline
History and positioning of standards
Regulation regimes and certification
Technical comparison highlights
Integrated safety or external safety systems
Objectives versus Means prescription
Categorising severity and assurance levels
Fault tolerance or fault prevention
Probabilistic versus deterministic
Conclusion
CISEC Series of lectures - Safety Standards - JP. Blanquart - Astrium Satellites
History and positioning of standards – A complex picture
Foundations: treaties, laws
United Nations
Safe use of nuclear technology for peaceful applications, IAEA, 1957
Peaceful use of outer space, COPUOS, 1958
…
Norms and standards
Accepted means of compliance to higher level regulation
Self imposed in absence of regulation
Social and business needs
Complexity of systems, industrial organisation, interoperability …
A particular role played by IEC 61508
Generic but not general
Often preceded by sector specific standards
History and positioning of standards – An overview
(Timeline from 1980 to 2015 in five-year bins; standards listed per domain in the order shown on the slide)
Aeronautics: DO178, DO178-B, ARP4754, ARP4761, DO254, ARP4754-A, DO178-C
Automation: IEC 61508, IEC 61511, IEC 62061, IEC 61508 Edition 2
Automotive: (IEC 61508), ISO 26262
Nuclear: IAEA 50-SG-D3, IAEA 50-SG-D8, IEC 60880, IAEA NS-G-1.3, IEC 61513, IEC 62138, IEC 60880 Edition 2, IAEA DS-431
Railway: EN 50155, IEC 61508, EN 50126, EN 50128, EN 50129, EN 50128 Edition 2
Space: PSS, ECSS, ECSS “C Issues”
Regulation regimes and certification – Assessment and Certification
Assessment
Set of activities granting a confidence level to an entity (person, organisation or artefact).
Context dependent validity: item, actors, usage, timeline.
Certification
An assessment body substantiates to an Authority that the engineering process of a manufacturer ensures regulatory safety objectives through conformance to safety standards.
Regulation regimes and certification – A variety of regimes
DOMAIN       | Applicant             | Regulation          | Authority                        | Assessment Body
Aeronautics  | Manufacturer          | Yes                 | EASA-FAA                         | EASA-FAA
Automation   | Product: Manufacturer | Machinery directive | Labour Inspection                | Self-certification
             | Process: Operator     | No                  | DREAL                            | No
Automotive   | Manufacturer          | No                  | No                               | No
Nuclear      | Operator              | Yes                 | Governments, ASN (France), IAEA  | ASN, IRSN (France)
Railway      | Manufacturer          | Yes                 | ERA, EPSF/STRMTG                 | CERTIFER …
Space        | Manufacturer          | Yes                 | Governments                      | CNES, NASA/FAA/USAF
Regulation regimes and certification – Simplified view
(Figure: Assessment and Certification)
Technical comparison highlights – Integrated safety or external safety systems
Design drivers: existence of fail-safe states + cost + validation
Industry, Automation, Railway, Nuclear, Space: external safety
  Design of a dedicated safety system, distinct from the "process" system
  Monitors and controls the "process" in safety critical situations
Aeronautics, Automotive: integrated safety
  Systems monitor and control themselves internally
Automotive and Space: hybrid approach
Integrated safety or external safety systems – A simplified view
(Figure: Integrated Safety versus External Safety)
Technical comparison highlights – Objectives versus Means prescription
OBJECTIVES prescriptive (ex: DO 178)
  PROs: Open; applicable to many contexts
  CONs: Needs to be interpreted
MEANS prescriptive (ex: IEC 61508)
  PROs: Easy conformance check; easy to apply when in the context considered by the standard's authors
  CONs: Closed; needs to be updated to introduce new methods and tools
Prescription of means – Example: IEC 61508
Prescription of objectives – Example: DO 178C
Objectives versus Means prescription – A simplified view
(Figure: Means versus Objectives)
Technical comparison highlights – Categorising severity and assurance levels
(Figure: RISK ANALYSIS of the potential failures of the system, its functions and elements, considering exposure, control, failure occurrence frequency and severity. SEVERITY, the “safety category” of the consequences of potential failures (Catastrophic, Critical, Major, Minor), together with LIKELIHOOD (Frequent, Probable, Remote, Extremely remote), yields the needed trust, “trustability”, in development: the INTEGRITY or Development Assurance Level (A, B, C, D) and the MEANS to apply.)
The “safety category” is related to the severity category of the most severe consequences of potential failures…
… so as to meet the required level of safety and dependability thanks to development and validation means appropriate with respect to the identified safety category
Technical comparison highlights – Categorising severity and assurance levels – Notion of HAZARD
Hazard: system failure mode or unintended behaviour that may lead to harm
(Figure: Vehicle / System → Hazard → in a Use Case → Hazardous event → Accident → Harm to the person interacting with the vehicle)
ASIL: characterizes a Hazard
Technical comparison highlights – Categorising severity and assurance levels – Automotive (ISO 26262)
(Figure: risk diagram with the Severity of the possible accident on one axis (Minor, Major, Hazardous, Catastrophic) and its Frequency on the other (Extremely improbable, Very rarely, Rarely, Sometimes, Always), divided into “acceptable” and “not acceptable” regions; the residual risk must be lower than the tolerable risk. Risk reduction external to the technical system: the driver controls the situation. Frequency of exposure to the driving situation where an accident can potentially happen. “Trustability” of the system: safety category (ASIL).)
Technical comparison highlights – Categorising severity and assurance levels – IEC 61508
(Figure: same risk diagram, Severity of the possible accident (Minor, Major, Hazardous, Catastrophic) versus Frequency (Extremely improbable, Very rarely, Rarely, Sometimes, Always), with “acceptable” and “not acceptable” regions; the residual risk must be lower than the tolerable risk. Frequency of failure of the EUC and control system. Risk reduction by the protection system: safety category (SIL).)
Technical comparison highlights – Categorising severity and assurance levels – Aerospace
(Figure: same risk diagram, Severity of the possible accident (Minor, Major, Hazardous, Catastrophic) versus Frequency (Extremely improbable, Very rarely, Rarely, Sometimes, Always), with “acceptable” and “not acceptable” regions; the residual risk must be lower than the tolerable risk. “Trustability” of the system: safety category.)
Categorising severity and assurance levels – Common principles
Principles common to all covered domains
The category defines the applicable requirements so as to cover:
  “Random” faults (hardware): probability objectives, minimum number of faults, …
  “Systematic” faults (development): no quantitative probability target
    Confidence level through development and validation requirements
    Confirmed by decades of experience, e.g. in aeronautics or nuclear
Need to enforce a strong isolation against fault propagation from “low level” to “high level” elements
Categorising severity and assurance levels – Some differences
Definition and categories of consequences, severity
  Generic and general (space, automotive)
  Domain dependent (aeronautics)
Incorporation of exposure probability (automotive)
Incorporation of “controllability” (automotive)
  Similar to aeronautics domain dependent consequences severity
“Syntactic” variations (number of levels, names, ordering …)
“Arithmetic of levels”, combining low levels into a higher level
  Accepted in aeronautics, automotive, not in nuclear, space
Requirements for each level
Technical comparison highlights – Fault tolerance or fault prevention
Fault tolerance
  Principally hardware faults
  Domain and application dependent
    Continuity of service versus safety, mission needs
    External versus internal safety system
Software, development faults
  Focus on fault prevention
    Process, product
  Residual faults: detection and degraded mode preserving safety
    System level, functional diversification, independence
Technical comparison highlights – Probabilistic versus deterministic
A combination of probabilistic and deterministic approaches
Probabilistic approach
  Top level risk assessment
  Hardware faults and their impact on feared events (architecture based analysis of propagation)
Deterministic approach
  Behaviour, correctness (functional, fault management)
  In particular software
    It does not mean that software is expected to be fault free
    Cf. severity/integrity levels, and fault prevention versus tolerance
Conclusion
Common view of the fundamental principles
Risk assessment, integrity levels,
Combination of deterministic and probabilistic approach, of fault prevention and fault tolerance,
Focus on fault propagation, independence, single points of failures, common causes …
Slight but numerous variations
On each topic a simple grouping exists, but it varies from one topic to another
Not all variations can be clearly justified by the specific characteristics of each domain
Strong impact on efficiency, cost (tools, products, processes …)
Questions and discussion
Thanks for your attention!
CISEC Series of lectures - Safety Standards - JP. Blanquart (Astrium Satellites) and JM. Astruc (Continental Automotive)