20131216 cisec-standards-jp blanquart-jmastruc

Introduction to ISO 26262, CISEC – 2013 Dec 16th, JM Astruc, Continental Automotive SAS

Post on 12-Sep-2014


DESCRIPTION

Most industrial safety-critical systems are developed and validated following safety standards. However, even though all safety standards address similar concerns with similar objectives, they are also domain-specific. The presentation results from the activity of a working group (formerly CG2E, now part of the recently set-up Embedded France) gathering industrial safety experts from aeronautics, automotive, industrial automation, nuclear, railway and space. The lecture combines a presentation focused on one industry-specific standard (the recent ISO 26262 for automotive) with a complementary perspective comparing it with the standards of the other five domains. After presenting the history and positioning of the standards and the various regulation regimes, we highlight some more technical topics, e.g. integrated or external safety systems, fault prevention vs. fault tolerance, objectives vs. means prescription, probabilistic vs. deterministic arguments, and the notion of criticality, integrity or assurance levels.

TRANSCRIPT

Page 1: 20131216 cisec-standards-jp blanquart-jmastruc

Introduction to ISO 26262

CISEC – 2013 Dec 16th

JM Astruc, Continental Automotive SAS

Page 2: 20131216 cisec-standards-jp blanquart-jmastruc

It's a long way to ISO 26262…

Timeline 2005 to 2011: PWI (Preliminary Work Item), NWI (New Work Item), ISO/CD 26262 (Committee Draft), ISO/DIS 26262 (Draft International Standard), ISO/FDIS 26262 (Final Draft International Standard), publication on Nov 15th, 2011

Inadequacy of the generic standard IEC 61508:

• Not for mass production

• Validation after installation

• No customer / supplier relationships

• No scheme for hazard classification

• Safety functions separate from EUC

German – French joint initiative for PWI started in 2004

3 / Introduction to ISO 26262 / CISEC - Dec 2013 / JM Astruc / © Continental AG

Page 3: 20131216 cisec-standards-jp blanquart-jmastruc

ISO 26262 all around the world…


Page 4: 20131216 cisec-standards-jp blanquart-jmastruc

General legal obligation

Conformance of the product to the regulatory requirements

Adequacy of the product to its intended use

General product safety:

• Only "safe products" on the market

• Survey of the product, once put on the market

• Reaction when the product is not or no longer safe

Applicable regulations:

• International conventions, UN ECE, when adopted by the country

• European Union directives and regulations, immediately applicable when transposed into national law

• National regulations and laws (incl. contract law), mandatory in the country of commercialization

• Mandatory standards, optional standards, state of the art

• Contractual specs

UN-ECE Regulations

Directives, Regulations

Laws, Regulations

Professional frame of reference

Contractual specifications, customer’s process,…


Page 5: 20131216 cisec-standards-jp blanquart-jmastruc

Legal status of ISO 26262

Functional Safety Standard ISO 26262 provides technical clauses that are:

• considered to be correct by the technical community

• suitable for practical applications

• generally accessible and regularly applied

This standard is not legally binding. Applying it is voluntary as a matter of principle, but doing so does make it easier to demonstrate compliance with generally acknowledged rules of technology whenever needed.

Compliance induces the presumption that a product is not defective and / or the manufacturer has observed the necessary duty of care.


Page 6: 20131216 cisec-standards-jp blanquart-jmastruc

EC directives (grouped by category as on the slide)

Environment

01. Sound Levels EC 1999/101
02. Emissions EC 2003/76
11. Diesel Smoke EC 2005/21
39. Fuel Consumption EC 2004/3
40. Engine Power EC 1999/99
41. Diesel Emissions 2006/81/EC

Active Safety

05. Steering Equipment EC 1999/7
07. Audible Warning EC 70/388
35. / Wipe EC 94/68
13. Antitheft EC 95/56
32. Forward Vision EC 90/630
17. Speedometer and Reverse Gear EC 97/39
08. Rear Visibility EC 2005/27
46. Tyres EC 2005/11
34. Defrost / Demist EC 78/317
09. Braking EC 2002/78
20. Lighting Installation EC 97/28
33. Identification of Controls EC 94/53
37. Wheel Guards EC 94/78

Passive Safety

19. Safety Belt EC 2005/41
16. Exterior Projections EC 79/488
15. Seat Strength EC 2005/39
14. Protective Steering EC 91/662
03. Fuel Tank EC 2006/20
12. Interior Fittings EC 2000/4
31. Safety Belts EC 2005/40
06. Door Latches and hinges EC 2001/31
38. Head restraints EC 78/932
45. Safety glazing EC 2001/92
53. Frontal impact EC 1999/98
54. Side impact EC 96/27

Lighting Equipment

21. Reflex Reflectors EC 97/29
22. Side, Rear and Stop lamps EC 97/30
23. Direction indicator lamps EC 1999/15
24. Rear registration plate lamp EC 97/31
25. Headlamps (including bulbs) EC 1999/17
26. Front fog lamps EC 1999/18
28. Rear fog lamps EC 1999/14
29. Reversing Lamps EC 97/32
30. Parking Lamps EC 1999/16

Other Directives

27. Towing Hooks EC 96/64
10. Radio Interference Suppression EC 2006/28
04. Rear Registration Plate EC 70/222
18. Statutory Plates EC 78/507
36. Heating systems 2004/78
44. Masses and Dimensions EC 95/48
50. Mechanical Couplings EC 94/20


Page 7: 20131216 cisec-standards-jp blanquart-jmastruc

ISO 26262 confirmation measures


Page 8: 20131216 cisec-standards-jp blanquart-jmastruc

What is functional safety for road vehicle?

Functional safety for road vehicles is the part of safety which relates to hazards caused by malfunctioning behavior of E/E-based systems embedded in road vehicles.

Avoid & control hazardous failures of in-vehicle E/E-based systems (including those related to foreseeable operational misuse)

= Avoid systematic faults (inadequate design, gaps in requirements, wrong implementation, missing testing)

+ Control of systematic faults during operation

+ Control of random hardware failures during operation (including failures of components of other technologies that are not in the scope of ISO 26262)


Page 9: 20131216 cisec-standards-jp blanquart-jmastruc

Attributes of faults and failures

Fault: abnormal condition that can cause an element or system to fail (it is a state)

Failure: termination of the ability of an element or a system to perform a function as required (it is an event)

Systematic failure: failure of an element or system that is caused in a deterministic way during development, manufacturing or maintenance

Random hardware failure: failure that occurs unpredictably during the lifetime of a hardware element and that follows a probability distribution


Page 10: 20131216 cisec-standards-jp blanquart-jmastruc

Example of an accident scenario


Page 11: 20131216 cisec-standards-jp blanquart-jmastruc

Overview of ASIL classification method

EXPOSURE (E): likelihood of exposure of the vehicle to the operational situation

CONTROLLABILITY (C): ability to avoid a specified harm through timely reaction of the person(s) at risk

SEVERITY (S): estimation of the extent of harm to the person(s) at risk

Diagram: Hazardous event -> rated S, E, C -> ASIL + Safety goal


Page 12: 20131216 cisec-standards-jp blanquart-jmastruc

Risk estimation and ASIL classification

Classes of probability of exposure (initial operational situation where the system failure occurs)

E0 Incredible
E1 Very low probability
E2 Low probability
E3 Medium probability
E4 High probability

Classes of controllability (ability of traffic participants to avoid an accident)

C0 Controllable in general
C1 Simply controllable
C2 Normally controllable
C3 Difficult to control or uncontrollable

Classes of severity (potential harm to traffic participants if the accident occurs)

S0 No injuries
S1 Light and moderate injuries
S2 Severe and life-threatening injuries (survival probable)
S3 Life-threatening injuries (survival uncertain), fatal injuries

ASIL determination table (rows: controllability and exposure; columns: severity)

           S1       S2       S3
C1  E1     QM       QM       QM
    E2     QM       QM       QM
    E3     QM       QM       ASIL A
    E4     QM       ASIL A   ASIL B
C2  E1     QM       QM       QM
    E2     QM       QM       ASIL A
    E3     QM       ASIL A   ASIL B
    E4     ASIL A   ASIL B   ASIL C
C3  E1     QM       QM       ASIL A
    E2     QM       ASIL A   ASIL B
    E3     ASIL A   ASIL B   ASIL C
    E4     ASIL B   ASIL C   ASIL D
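As an added example (not code from the slides or from Continental), the following Python transcribes the S/E/C table above into a lookup and checks it against the closed form S+E+C-6 indexing QM, A, B, C, D, which is the pattern behind the table and a quick way to spot a mis-transcribed cell. The rule that an S0, E0 or C0 rating yields QM is taken from ISO 26262-3 and is not shown on the slide; the hazardous-event ratings in the demo are constructed.

```python
"""ASIL determination from severity (S), exposure (E) and controllability (C).

Added example for the table on the slide above; not code from the
presentation. The zero-class rule is an assumption taken from ISO 26262-3.
"""

ASIL_ORDER = ("QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D")

SEVERITY = ("S0", "S1", "S2", "S3")
EXPOSURE = ("E0", "E1", "E2", "E3", "E4")
CONTROLLABILITY = ("C0", "C1", "C2", "C3")

# Transcription of the slide's table: row key (C, E), columns S1, S2, S3.
ASIL_TABLE = {
    ("C1", "E1"): ("QM", "QM", "QM"),
    ("C1", "E2"): ("QM", "QM", "QM"),
    ("C1", "E3"): ("QM", "QM", "ASIL A"),
    ("C1", "E4"): ("QM", "ASIL A", "ASIL B"),
    ("C2", "E1"): ("QM", "QM", "QM"),
    ("C2", "E2"): ("QM", "QM", "ASIL A"),
    ("C2", "E3"): ("QM", "ASIL A", "ASIL B"),
    ("C2", "E4"): ("ASIL A", "ASIL B", "ASIL C"),
    ("C3", "E1"): ("QM", "QM", "ASIL A"),
    ("C3", "E2"): ("QM", "ASIL A", "ASIL B"),
    ("C3", "E3"): ("ASIL A", "ASIL B", "ASIL C"),
    ("C3", "E4"): ("ASIL B", "ASIL C", "ASIL D"),
}


def _level(cls: str) -> int:
    """'S2' -> 2, 'E4' -> 4: the digit is the class index."""
    return int(cls[1])


def determine_asil(s: str, e: str, c: str) -> str:
    """ASIL (or QM) of one hazardous event rated (s, e, c)."""
    if s not in SEVERITY or e not in EXPOSURE or c not in CONTROLLABILITY:
        raise ValueError(f"unknown class in ({s}, {e}, {c})")
    # Assumption (ISO 26262-3, not on the slide): with S0, E0 or C0 no ASIL
    # is assigned, so the hazardous event stays QM.
    if 0 in (_level(s), _level(e), _level(c)):
        return "QM"
    return ASIL_TABLE[(c, e)][_level(s) - 1]


def closed_form_asil(s: str, e: str, c: str) -> str:
    """For non-zero classes the table is S+E+C-6 as an index into ASIL_ORDER
    (a sum of 6 or less is QM, a sum of 10 is ASIL D)."""
    return ASIL_ORDER[max(0, _level(s) + _level(e) + _level(c) - 6)]


def table_matches_closed_form() -> bool:
    """Cross-check every transcribed cell against the closed form."""
    return all(
        determine_asil(s, e, c) == closed_form_asil(s, e, c)
        for s in SEVERITY[1:] for e in EXPOSURE[1:] for c in CONTROLLABILITY[1:]
    )


def safety_goal_asil(ratings) -> str:
    """A safety goal covering several hazardous events carries the highest
    ASIL among them."""
    return max((determine_asil(*r) for r in ratings), key=ASIL_ORDER.index)


if __name__ == "__main__":
    # Constructed ratings of one hazard ("unintended braking") in two situations.
    situations = [("S3", "E4", "C3"), ("S2", "E2", "C1")]
    for rating in situations:
        print(rating, "->", determine_asil(*rating))
    print("safety goal:", safety_goal_asil(situations))
    print("table consistent with closed form:", table_matches_closed_form())
```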


Page 13: 20131216 cisec-standards-jp blanquart-jmastruc

ASIL as risk reduction measures

ASILs are used for specifying risk reduction measures to address

• systematic failures of system, hardware and software, with measures and techniques for fault avoidance and fault tolerance

• random failures of hardware, with quantitative targets for safety-critical failures and diagnostic coverage of the architecture


Page 14: 20131216 cisec-standards-jp blanquart-jmastruc

Functional safety concept

Safety goal: a top-level safety requirement resulting from the hazard analysis and risk assessment

Functional safety requirement: specification of implementation-independent safety behavior, or of an implementation-independent safety measure, including its safety-related attributes:

• operating modes

• fault tolerant time interval

• degradation, safe states, warning

• emergency operation time interval

• functional redundancies

Functional safety concept: specification of the functional safety requirements, with associated information, their allocation to preliminary architectural elements and their interactions necessary to achieve the safety goals


Page 15: 20131216 cisec-standards-jp blanquart-jmastruc

Technical Safety Concept

Technical safety requirement: requirement derived from the associated functional safety requirements to provide their technical implementation; the safety mechanisms are specified by technical safety requirements

Safety mechanism: measure implemented by an E/E function or element, or in other technologies, to detect or control failures in order to achieve a safe state of the item, or maintain a safe state of the item, or both:

• measures to detect, indicate and control faults in the system itself

• measures to detect, indicate and control faults in external devices interacting with the system

• measures that enable the system to achieve or maintain a safe state

• measures to detail and implement the warning and degradation concept

• measures which prevent faults from being latent

Technical safety concept: specification of the technical safety requirements to be implemented, with associated information, and their allocation to hardware and software


Page 16: 20131216 cisec-standards-jp blanquart-jmastruc

Default rules for ASIL assignment

Inheritance: each safety requirement inherits the ASIL of the safety requirement it is derived from, starting from the ASIL of the safety goal

ASIL allocation drives development: when a safety requirement is allocated to an architectural element, this element and its sub-elements are developed in compliance with the ASIL assigned to the safety requirement

Highest ASIL predominance: when safety requirements with different ASILs are allocated to the same architectural element, this element is developed in compliance with the highest ASIL, unless the criteria for coexistence are met

Safety relevance by default: any architectural element is safety-related unless

• this element is independent from the safety-related elements of the item, or

• the criteria for coexistence are met
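The four default rules above, applied to a small requirement tree and element hierarchy, as an added example (not code from the presentation). The brake-ECU scenario, its element names and the two safety goals are constructed; the `coexistence_met` and `independent` sets stand for the evidence (freedom from interference, independence) that would be produced by analysis, which this snippet does not model.

```python
"""ASIL assignment to architectural elements by the slide's default rules:
inheritance, allocation drives development, highest-ASIL predominance and
safety relevance by default.

Added example, not from the presentation; the scenario at the bottom is
constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

ASIL_ORDER = ("QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D")


def highest(asils: Iterable[str]) -> str:
    """Highest ASIL in a collection, QM when it is empty."""
    return max(asils, key=ASIL_ORDER.index, default="QM")


@dataclass
class SafetyRequirement:
    rid: str
    derived_from: Optional["SafetyRequirement"] = None
    asil: Optional[str] = None            # given explicitly only on safety goals
    allocated_to: List[str] = field(default_factory=list)

    def effective_asil(self) -> str:
        """Inheritance: a derived requirement carries the ASIL of the
        requirement it is derived from, back up to the safety goal."""
        if self.asil is not None:
            return self.asil
        if self.derived_from is None:
            raise ValueError(f"{self.rid} has neither an ASIL nor a parent")
        return self.derived_from.effective_asil()


def assign_element_asils(parent_of: Dict[str, Optional[str]],
                         requirements: List[SafetyRequirement],
                         independent: Set[str],
                         coexistence_met: Set[str]) -> Dict[str, str]:
    """ASIL each element has to be developed to.

    parent_of        element -> containing element (None at the top)
    independent      elements shown to be independent from the safety-related ones
    coexistence_met  containers whose sub-elements satisfy the criteria for coexistence
    """
    def ancestors(element):
        while element is not None:
            yield element
            element = parent_of[element]

    # ASIL allocation drives development: an allocation to a sub-element binds
    # every element containing it, so collect ASILs per element over its subtree.
    collected: Dict[str, List[str]] = {e: [] for e in parent_of}
    for req in requirements:
        for target in req.allocated_to:
            for element in ancestors(target):
                collected[element].append(req.effective_asil())

    result: Dict[str, str] = {}

    def resolve(element: str) -> str:
        if element in result:
            return result[element]
        own = highest(collected[element])     # highest-ASIL predominance
        parent = parent_of[element]
        if parent is None or element in independent or parent in coexistence_met:
            # Independent elements, and sub-elements of a container where the
            # coexistence criteria are met, keep only what is allocated to them.
            result[element] = own
        else:
            # Safety relevance by default: a sub-element with nothing allocated
            # to it is still developed to its container's ASIL.
            result[element] = highest([own, resolve(parent)])
        return result[element]

    for element in parent_of:
        resolve(element)
    return result


def brake_ecu_example(coexistence_demonstrated: bool) -> Dict[str, str]:
    """Constructed scenario: an ASIL D and an ASIL A safety goal land in one ECU."""
    sg1 = SafetyRequirement("SG1 avoid unintended braking", asil="ASIL D")
    sg2 = SafetyRequirement("SG2 warn the driver when assist is degraded", asil="ASIL A")
    fsr1 = SafetyRequirement("FSR1 monitor the actuator command", sg1, allocated_to=["monitor"])
    tsr1 = SafetyRequirement("TSR1 plausibility check on the command", fsr1, allocated_to=["monitor"])
    fsr2 = SafetyRequirement("FSR2 drive the warning lamp", sg2, allocated_to=["comfort_fn"])
    parent_of = {
        "vehicle_item": None,
        "brake_ecu": "vehicle_item",
        "monitor": "brake_ecu",
        "comfort_fn": "brake_ecu",
        "logger": "brake_ecu",            # nothing allocated to it
        "infotainment": "vehicle_item",   # independent from the brake function
    }
    return assign_element_asils(
        parent_of, [sg1, sg2, fsr1, tsr1, fsr2],
        independent={"infotainment"},
        coexistence_met={"brake_ecu"} if coexistence_demonstrated else set(),
    )


if __name__ == "__main__":
    for flag in (False, True):
        print("coexistence criteria met:", flag, brake_ecu_example(flag))
```

Without coexistence evidence the ASIL A lamp function and the unallocated logger are pulled up to ASIL D by predominance and safety relevance by default; with it, each keeps only what is allocated to it.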


Page 17: 20131216 cisec-standards-jp blanquart-jmastruc

One page summary about quantitative analyses on HW

Taxonomy of random HW faults (safety-related HW components):

SPF (single-point faults)
RF (residual faults)
MPF (multiple-point faults), split into MPF DP (MPF detected / perceived) and MPF L (MPF latent)
S (safe faults)

Metrics:

SPFM (single-point fault metric): SPF and RF, relative to all faults of the safety-related HW components
LFM (latent fault metric): MPF L, relative to the faults of the safety-related HW components that are neither SPF nor RF
PMHF (probabilistic metric for random hardware failures): SPF, RF and dual-point failures over the operating time

Target values per ASIL:

ASIL | Analysis of random HW failures | SPFM target | LFM target | PMHF target
ASIL D | required | 99 % | 90 % | 10^-8 per hour (10 FIT)
ASIL C | required | 97 % | 80 % | 10^-7 per hour (100 FIT)
ASIL B | recommended | 90 % | 60 % | 10^-7 per hour (100 FIT)
ASIL A | not required nor recommended | - | - | -
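The metrics and targets summarised above, computed from a fault-class split of a few components, as an added example (not code from the presentation). The component failure rates are constructed; the PMHF here keeps only the single-point and residual contributions and omits the dual-point term (an assumption, stated in the code).

```python
"""SPFM, LFM and a first-order PMHF from the slide's fault taxonomy, checked
against the per-ASIL targets on the slide.

Added example, not from the presentation. Component failure rates are
constructed; the dual-point contribution to PMHF is left out (assumption).
"""
from dataclasses import dataclass
from typing import Dict, List

# Target values transcribed from the slide (ASIL A: no metric targets).
TARGETS = {
    "ASIL B": {"status": "recommended", "spfm": 0.90, "lfm": 0.60, "pmhf_fit": 100.0},
    "ASIL C": {"status": "required", "spfm": 0.97, "lfm": 0.80, "pmhf_fit": 100.0},
    "ASIL D": {"status": "required", "spfm": 0.99, "lfm": 0.90, "pmhf_fit": 10.0},
}


@dataclass
class HwElement:
    """Failure rate of one safety-related HW component, in FIT, split by the
    slide's fault classes."""
    name: str
    spf: float = 0.0          # SPF: single-point faults
    rf: float = 0.0           # RF: residual faults
    mpf_latent: float = 0.0   # MPF L: multiple-point faults left latent
    mpf_dp: float = 0.0       # MPF DP: multiple-point faults detected / perceived
    safe: float = 0.0         # S: safe faults

    @property
    def total(self) -> float:
        return self.spf + self.rf + self.mpf_latent + self.mpf_dp + self.safe


def spfm(elements: List[HwElement]) -> float:
    """1 - (SPF + RF) / all faults of the safety-related components."""
    total = sum(e.total for e in elements)
    if total <= 0:
        raise ValueError("no failure rate given")
    return 1.0 - sum(e.spf + e.rf for e in elements) / total


def lfm(elements: List[HwElement]) -> float:
    """1 - MPF L / (all faults that are neither SPF nor RF)."""
    remaining = sum(e.total - e.spf - e.rf for e in elements)
    if remaining <= 0:
        raise ValueError("no multiple-point or safe faults to rate")
    return 1.0 - sum(e.mpf_latent for e in elements) / remaining


def pmhf_fit(elements: List[HwElement]) -> float:
    """First-order PMHF in FIT: single-point plus residual faults; the
    dual-point failure term is omitted (assumption stated above)."""
    return sum(e.spf + e.rf for e in elements)


def evaluate(elements: List[HwElement], asil: str) -> Dict[str, object]:
    """Metrics plus a pass/fail per target for the given ASIL. For ASIL A the
    slide marks the analysis as not required nor recommended, so no verdict."""
    metrics = {"spfm": spfm(elements), "lfm": lfm(elements), "pmhf_fit": pmhf_fit(elements)}
    target = TARGETS.get(asil)
    if target is None:
        return {**metrics, "status": "not required nor recommended", "meets": {}, "meets_all": None}
    meets = {
        "spfm": metrics["spfm"] >= target["spfm"],
        "lfm": metrics["lfm"] >= target["lfm"],
        "pmhf": metrics["pmhf_fit"] < target["pmhf_fit"],
    }
    return {**metrics, "status": target["status"], "meets": meets, "meets_all": all(meets.values())}


def sample_elements(sensor_rf: float = 1.0) -> List[HwElement]:
    """Constructed failure-rate split for a small braking-control channel."""
    return [
        HwElement("mcu", rf=2.0, mpf_latent=10.0, mpf_dp=142.0, safe=50.0),
        HwElement("pedal_sensor", spf=1.0, rf=sensor_rf, mpf_latent=5.0, mpf_dp=33.0, safe=60.0),
        HwElement("watchdog", mpf_latent=5.0, mpf_dp=15.0, safe=80.0),
    ]


if __name__ == "__main__":
    for asil in ("ASIL A", "ASIL B", "ASIL C", "ASIL D"):
        print(asil, evaluate(sample_elements(), asil))
    # Raising the sensor's residual faults to 8 FIT breaks the ASIL D targets.
    print("ASIL D with 8 FIT residual:", evaluate(sample_elements(sensor_rf=8.0), "ASIL D"))
```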


Page 18: 20131216 cisec-standards-jp blanquart-jmastruc

Questions and discussion

Thanks for your attention!


Page 19: 20131216 cisec-standards-jp blanquart-jmastruc

CISEC: Introduction to critical embedded systems engineering

ISAE, Toulouse, December 16th, 2013

Comparison of safety standards

across several safety critical application domains

Jean-Paul Blanquart

Astrium Satellites, Toulouse


Page 20: 20131216 cisec-standards-jp blanquart-jmastruc


Multi-domain expertise working group

Now with "Embedded France"

Aeronautics: ARP 4754, 4761; DO 178, 254, 330-3
Automation, Industry: IEC 61508, 61511
Automotive: ISO 26262
Defence: IEC 61508
Nuclear: IEC 61513, 60880, 62138
Railway: EN CENELEC 50126, 8, 9, 50155, 50159-1, 50159-2
Space: ECSS Q30, Q40, Q80
Technology providers

Page 21: 20131216 cisec-standards-jp blanquart-jmastruc

This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.

Outline

History and positioning of standards

Regulation regimes and certification

Technical comparison highlights

Integrated safety or external safety systems

Objectives versus Means prescription

Categorising severity and assurance levels

Fault tolerance or fault prevention

Probabilistic versus deterministic

Conclusion

CISEC Series of lectures - Safety Standards - JP. Blanquart - Astrium Satellites

Page 22: 20131216 cisec-standards-jp blanquart-jmastruc


History and positioning of standards: A complex picture

Foundations: treaties, laws

United Nations

Safe use of nuclear technology for peaceful applications, IAEA, 1957

Peaceful use of outer space, COPUOS, 1958

Norms and standards

Accepted means of compliance to higher level regulation

Self imposed in absence of regulation

Social and business needs

Complexity of systems, industrial organisation, interoperability …

A particular role played by IEC 61508

Generic but not general

Often preceded by sector specific standards


Page 23: 20131216 cisec-standards-jp blanquart-jmastruc


History and positioning of standards: An overview

Timeline by domain over the periods 80-85, 85-90, 90-95, 95-00, 00-05, 05-10, 10-15 (standards listed in order of appearance):

Aeronautics: DO178, DO178-B, ARP4754, ARP4761, DO254, ARP4754-A, DO178-C
Automation: IEC 61508, IEC 61511, IEC 62061, IEC 61508 Edition 2
Automotive: (IEC 61508), ISO 26262
Nuclear: IAEA 50-SG-D3, IAEA 50-SG-D8, IEC 60880, IAEA NS-G-1.3, IEC 61513, IEC 62138, IEC 60880 Edition 2, IAEA DS-431
Railway: EN 50155, IEC 61508, EN 50126, EN 50128, EN 50129, EN 50128 Edition 2
Space: PSS, ECSS, ECSS "C Issues"



Page 25: 20131216 cisec-standards-jp blanquart-jmastruc


Regulation regimes and certification: Assessment and certification

Assessment

Set of activities granting a confidence level to an entity (person, organisation or artefact).

Context dependent validity: item, actors, usage, timeline.

Certification

An assessment body substantiates to an Authority that the engineering process of a manufacturer ensures regulatory safety objectives through conformance to safety standards.


Page 26: 20131216 cisec-standards-jp blanquart-jmastruc


Regulation regimes and certification: A variety of regimes

Domain | Applicant | Regulation | Authority | Assessment body
Aeronautics | Manufacturer | Yes | EASA-FAA | EASA-FAA
Automation (product) | Manufacturer | Machinery directive | Labour Inspection | Self-certification
Automation (process) | Operator | No | DREAL | No
Automotive | Manufacturer | No | No | No
Nuclear | Operator | Yes | Governments, ASN (France), IAEA | ASN, IRSN (France)
Railway | Manufacturer | Yes | ERA, EPSF/STRMTG | CERTIFER …
Space | Manufacturer | Yes | Governments; CNES, NASA/FAA/USAF (authority and assessment body)


Page 27: 20131216 cisec-standards-jp blanquart-jmastruc


Regulation regimes and certification: Simplified view

(diagram: Assessment, Certification)



Page 29: 20131216 cisec-standards-jp blanquart-jmastruc


Technical comparison highlights: Integrated safety or external safety systems

Design drivers: existence of fail-safe states + cost + validation

Industry, Automation, Railway, Nuclear, Space: external safety

Design of a dedicated safety system, distinct from the "process" system

Monitors and controls the "process" in safety critical situations

Aeronautics, Automotive: integrated safety

Systems monitor and control themselves internally

Automotive and Space: hybrid approach


Page 30: 20131216 cisec-standards-jp blanquart-jmastruc


Integrated safety or external safety systems: A simplified view

(diagram: Integrated Safety, External Safety)



Page 32: 20131216 cisec-standards-jp blanquart-jmastruc


Technical comparison highlights: Objectives versus Means prescription

OBJECTIVES prescriptive (ex: DO 178)
PROs: Open; Applicable to many contexts
CONs: Needs to be interpreted

MEANS prescriptive (ex: IEC 61508)
PROs: Easy conformance check; Easy to apply when in the context considered by the standard's authors
CONs: Closed; Needs to be updated to introduce new methods and tools


Page 33: 20131216 cisec-standards-jp blanquart-jmastruc

Prescription of means. Example: IEC 61508

Page 34: 20131216 cisec-standards-jp blanquart-jmastruc

Prescription of objectives. Example: DO 178C

Page 35: 20131216 cisec-standards-jp blanquart-jmastruc

Objectives versus Means prescription: A simplified view

(diagram: Means, Objectives)


Page 37: 20131216 cisec-standards-jp blanquart-jmastruc


Technical comparison highlights: Categorising severity and assurance levels

RISK ANALYSIS (potential failures) of the system, its functions and elements: exposure, control, failure occurrence frequency, severity

SEVERITY ("Safety Category"): consequences of potential failures: Catastrophic, Critical, Major, Minor

LIKELIHOOD: Frequent, Probable, Remote, Ext. remote

INTEGRITY (Development Assurance Level): A, B, C, D; the needed trust ("Trustability")

MEANS: develop

The "safety category" is related to the severity category of the most severe consequences of potential failures… so as to meet the required level of safety and dependability thanks to development and validation means appropriate with respect to the identified safety category


Page 38: 20131216 cisec-standards-jp blanquart-jmastruc


Technical comparison highlights: Categorising severity and assurance levels – Notion of HAZARD

Hazard: system failure mode or unintended behaviour that may lead to harm

(diagram labels: System, Vehicle, Hazard, Use Case, Hazardous event, Accident, Harm, Person interacting with the vehicle)

ASIL: characterizes a Hazard


Page 39: 20131216 cisec-standards-jp blanquart-jmastruc


Technical comparison highlights: Categorising severity and assurance levels – Automotive (ISO 26262)

Risk graph (diagram): severity of the possible accident (Minor, Major, Hazardous, Catastrophic) against frequency (Always, Sometimes, Rarely, Very rarely, Extremely improbable); the region lower than the tolerable risk is acceptable, the rest is not acceptable

Frequency: frequency of exposure to the driving situation where an accident can potentially happen

Risk reduction external to the technical system: the driver controls the situation

"Trustability" of the system: residual risk lower than the tolerable risk

Safety category: ASIL


Page 40: 20131216 cisec-standards-jp blanquart-jmastruc


Technical comparison highlights: Categorising severity and assurance levels – IEC 61508

Risk graph (diagram): severity of the possible accident (Minor, Major, Hazardous, Catastrophic) against frequency (Always, Sometimes, Rarely, Very rarely, Extremely improbable); the region lower than the tolerable risk is acceptable, the rest is not acceptable

Frequency: frequency of failure of the EUC and control system

Risk reduction by the protection system: residual risk lower than the tolerable risk

Safety category: SIL


Page 41: 20131216 cisec-standards-jp blanquart-jmastruc


Technical comparison highlights: Categorising severity and assurance levels – Aerospace

Risk graph (diagram): severity of the possible accident (Minor, Major, Hazardous, Catastrophic) against frequency (Always, Sometimes, Rarely, Very rarely, Extremely improbable); the region lower than the tolerable risk is acceptable, the rest is not acceptable

"Trustability" of the system: residual risk lower than the tolerable risk

Safety category


Page 42: 20131216 cisec-standards-jp blanquart-jmastruc


Categorising severity and assurance levels: Common principles

Principles common to all covered domains

The category defines the applicable requirements so as to cover:

“Random” faults (hardware): probability objectives, minimum number of faults…

“Systematic” faults (development): no quantitative probability target

Confidence level through development and validation requirements

Confirmed by decades of experience, e.g. in aeronautics or nuclear

Need to enforce a strong isolation against fault propagation from “low level” to “high level” elements


Page 43: 20131216 cisec-standards-jp blanquart-jmastruc


Categorising severity and assurance levels: Some differences

Definition and categories of consequences, severity

Generic and general (space, automotive)

Domain dependent (aeronautics)

Incorporation of exposure probability (automotive)

Incorporation of “controllability” (automotive)

Similar to aeronautics domain dependent consequences severity

“Syntactic” variations (number of levels, names, ordering …)

“Arithmetic of levels”, combining low levels into a higher level

Accepted in aeronautics, automotive, not in nuclear, space

Requirements for each level



Page 45: 20131216 cisec-standards-jp blanquart-jmastruc


Technical comparison highlights: Fault tolerance or fault prevention

Fault tolerance

Principally hardware faults

Domain and application dependent

Continuity of service versus safety, mission needs

External versus internal safety system

Software, development faults

Focus on fault prevention

Process, product

Residual faults: detection and degraded mode preserving safety

System level, functional diversification, independence


Page 49

Outline

History and positioning of standards

Regulation regimes and certification

Technical comparison highlights

Integrated safety or external safety systems

Objectives versus Means prescription

Categorising severity and assurance levels

Fault tolerance or fault prevention

Probabilistic versus deterministic

Conclusion


Page 50

Technical comparison highlights: Probabilistic versus deterministic

A combination of probabilistic and deterministic approaches

Probabilistic approach

Top level risk assessment

Hardware faults and their impact on feared events (architecture based analysis of propagation)

Deterministic approach

Behaviour, correctness (functional, fault management)

In particular software

It does not mean that software is expected to be fault free

Cf. severity/integrity levels, and fault prevention versus tolerance
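The "architecture based analysis of propagation" of hardware faults named on this slide, shown as an added example that is not part of the lecture: a minimal fault-tree evaluator for a two-channel redundant architecture, with an optional common-cause failure that defeats the redundancy (the single point of failure the conclusion slide warns about). All failure rates and mission times are constructed for illustration and are not taken from any standard.

```python
import math
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Basic:
    """A basic event: one hardware part failing (constructed rate, per hour)."""
    name: str
    rate: float          # failure rate lambda, per hour (constructed value)
    mission_h: float     # exposure time over which the failure matters

    def prob(self) -> float:
        # Constant-rate (exponential) model: P(fail within t) = 1 - exp(-lambda t)
        return 1.0 - math.exp(-self.rate * self.mission_h)


@dataclass
class Gate:
    """AND: all inputs must fail; OR: any input failing propagates upward.
    Inputs are treated as statistically independent, which is exactly the
    assumption that a common cause breaks."""
    kind: str
    inputs: List[Union[Basic, "Gate"]]

    def prob(self) -> float:
        ps = [i.prob() for i in self.inputs]
        if self.kind == "AND":
            return math.prod(ps)
        if self.kind == "OR":
            return 1.0 - math.prod(1.0 - p for p in ps)
        raise ValueError(f"unknown gate kind {self.kind!r}")


def feared_event_prob(common_cause_rate: float, mission_h: float = 10.0) -> float:
    """Probability of the feared event (loss of the safety function).

    Architecture: two independent channels A and B; the function is lost only
    if both fail (AND) OR a shared cause (power, clock, shared software) takes
    both down at once.  common_cause_rate = 0 models perfect isolation."""
    channel_a = Basic("channel A", 1e-4, mission_h)   # constructed value
    channel_b = Basic("channel B", 1e-4, mission_h)   # constructed value
    both_lost = Gate("AND", [channel_a, channel_b])
    common_cause = Basic("common cause", common_cause_rate, mission_h)
    return Gate("OR", [both_lost, common_cause]).prob()


def meets_target(prob: float, target: float) -> bool:
    """Compare the computed probability against a quantitative target."""
    return prob <= target
```

With perfect isolation the feared event is about 1e-6 over the mission; a common-cause rate only one tenth of a single channel's rate raises it by two orders of magnitude, which is why the standards insist on independence and isolation rather than on redundancy alone.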


Page 51

Outline

History and positioning of standards

Regulation regimes and certification

Technical comparison highlights

Integrated safety or external safety systems

Objectives versus Means prescription

Categorising severity and assurance levels

Fault tolerance or fault prevention

Probabilistic versus deterministic

Conclusion


Page 52

Conclusion

Common view of the fundamental principles

Risk assessment, integrity levels,

Combination of deterministic and probabilistic approach, of fault prevention and fault tolerance,

Focus on fault propagation, independence, single points of failures, common causes …

Slight but numerous variations

On each topic a simple grouping exists, but it varies from one topic to another

Not all variations can be clearly justified by the specific characteristics of each domain

Strong impact on efficiency, cost (tools, products, processes …)


Questions and discussion

Thanks for your attention!

CISEC Series of lectures - Safety Standards - JP. Blanquart (Astrium Satellites) and JM. Astruc (Continental Automotive)