introduction to functional safety kdg seminar 20130424 handout

8/12/2019 Introduction to Functional Safety KdG Seminar 20130424 Handout

1/73

Introduction to functional safet

Marc Van VlimmerenFlanders DRIVE

April 24 th, 2013


2/73

Agenda

Introduction to Flanders DRIVE

Introduction to functional safety

Overview of functional safety standards and regulations

ISO 26262 for safety-related automotive E/E development Scope

Parts of t e standard

Safety lifecycle

2012 Flanders DRIVE all rights reserved

!ore sa ety engineering processes #-model System and environment description %a&ard analysis and ris' assessment (unctional safety concept %ardware )evelopment Software )evelopment

*uestions


3/73

(landers+ ),I#E

,esearc institute for t e ve icle and mo ility industry developing andpresenting tec nological solutions in t e following ,.) domains


Open innovation approac driven y t e industry

%ig -tec Infrastructure for ve icle0 system and component testing

1ide international networ' of 34 partners

Page 5


4/73

ocated in an inspiring environment

2012 Flanders DRIVE all rights reserved Page 7


5/73

8road partners ip wit in t e ve icle and mo ility industry



6/73

Safety related ,.) pro:ects



7/73

Agenda

Introduction to (landers; ),I#E





Safety lifecycle



*uestions


8/73


9/73


10/73

,ecalls at ig level

2000: Accidents due to detachment of Bridgestone tyre treadWorldwide 700 injured and 203 dead

Recall more than 14 million tyres

Costs 1.3 billion USD

In addition: actions for damages

Toyota recently had to recall nine millioncars back to the garage because of problems


w e acce era or an ra e. n more o en,this kind of problems have a root cause inmechatronic and software components.

Break by wire example: 30 million USD(American Auto press, June 1, 2004)

Possible damage to companies: invaluable!


11/73

Overview of functional safety

Systemfailure

Software error ,andom ardware

failure

E/Esystems

%arm


)evelopment Production


12/73

)efinition of functional safety

Safety is the freedom from unreasonable risk of physical injury or of damage to the healthof people, either directly, or indirectly as a result of hazards caused by damage to propertyor to the environment.

Functional safety is part of the overall safetythat depends on electric, electronic orprogrammable electronic systems ( E/Esystems ) operating correctly in response to itsinputs.E/E/PE

!ommunications

E tent of E!E "ystem


Unreasonable risk: unacceptable adverse effects on humans or to the environment taking into accountits economic, environmental, medical and social benefits and costs.

Hazard: potential source of harm. The term includes danger to persons arising within ashort time scale (eg. fire, explosion) and also those that have a long term effect(eg. release of toxic substance).

E/E systems include power supplies, sensorsand other input devices, communicationnetworks, actuators and other output devices.

deviceInput

devices"e>g> sensors$

Outputdevices

"e>g> actuators$


13/73

)ifferent types of safety

#assive "afetyfeatures t at elp reduce t e effects of an accident

Active "afety


systems t at use an understanding oft e state of t e ve icle to ot avoid

and minimise t$e effects of anaccident >

Functional "afetyEnsures correct functioning of t e E/E systems

"including active safety related systems$


14/73

Possi le causes for incorrect functioning of E/E systems

Incorrect specifications of t e system0 ardware and/or software

Omissions in t e safety re?uirements specification

,andom ardware failure mec anisms "tin w is'er$

Systematic ardware failure mec anisms

Software errors

!ommon cause failures

Environmental influences

Failure AElement A

Fault %


temperature mec anical p enomena

Supply system voltage distur ances loss of supply

reduced voltages

re-connection of supply

oot

cause Failure &Element &

Fault '

Common cause failures


15/73

A fault in an active suspension leading to asafety critical situation.



16/73

8ut it+s not all a out tec nology@

(alse assumption

Safety is a ?uestion of tec nologyB

,eality

C e greater t e comple=ity of a tec nical system0 t e more stringent t ere?uirements to e met y management@

Prof> %artwi Sa et en ineerin Univ. Wu ertal



17/73

E=amples of poor safety management

D 6 e=plosion of t e c allenger0 3 fatalities

!ause was a sealing ring of a fuel tan'

Pro lem was 'nown since D years and an engineer ad warned for t e possi ilityof suc a catastrop e

(ypical causes of accidents Organi&ational deficits 8ad communication Poor ris' management


Poor management of safetyconcerns


18/73

Agenda



)verview of functional safety standards and regulations



Safety lifecycle


!ore sa ety engineering processes #-model System and environment description %a&ard analysis and ris' assessment (unctional safety concept

*uestions


19/73


*eneric

IE! 6 94 )n+,ig$wayISO 26262

AgricultureISO 29 D

Functional safety standards Quality standardsISO D44 244

ISO CS 6D7D

Basis forQuality

Management

(QM)

Systems engineering


Mac$ineryIE! 6246

Mac$ineryISO 5 7D

Eart$ movingmac$inesISO 9DD

Process improvement& assessment models

++SAFE v1.2


20/73


21/73

,e?uired standards to follow y manufacturer

SOCA

SSC I n c r e a s i n g d e g

State of Scienceand Cec nology

State of Practice

enerally Accepted

!onsiderednecessary

I") '-'-'

State of t e Art


A,C

,egulations

aws / directives

e e o f o - l i g a t i o n

,ules of Cec nology

e>g> E!E , 5

e>g>


22/73

Agenda




I") '-'-' for safety+related automotive E!E development Scope


Safety lifecycle



*uestions


23/73

Scope of ISO 26262

This International Standard is applicable to safety-related systems that include one ormore E/E systems and that are installed in series production passenger cars with amaximum gross weight up to 3500 kg.

ISO 26262 does not address unique E/E systems in special purpose vehiclessuch as vehicles designed for drivers with disabilities;

It does not address hazards related to electric shock, fire, smoke, heat,radiation, toxicity, flammability, reactivity, corrosion, release of energy, andsimilar hazards unless directly caused by malfunctioning behaviour of E/Esafety-related systems.



24/73

Parts of t e ISO 26262 standard


Source: ISO 26262 standard


25/73

E=planation of t e #-model

Fser re?uirements

System re?uirements

Arc itectural design

)etailed

Fser acceptancetesting

System integration andtesting

%1/S1 integration andtesting

Fnit and integrationtestin

#alidationtracea ility


)evelopment andcoding

tracea ility

The purpose of Verification is toensure that selected work products

meet their specified requirements.

The purpose of Validation is to demonstrate that aproduct or product component fulfills its intended use

when placed in its intended environment.


26/73

Safety lifecycle according to ISO 26262



27/73

1ays of ac ieving ris' reduction

E/E facilities

Ot er tec nologies "eg> safety valves$

According to ISO 26262


E=ternal measures "eg> p ysical containment$

Out of scope ISO 26262

Out of scope ISO 26262


28/73

#-model from ve icle to component perspective



29/73

,esponsi ilities of t e OE

AgPL a


SIL 1SIL 2SIL 3SIL 3

ASIL AASIL BASIL CASIL D

PL aPL bPL cPL d

AgPL bAgPL cAgPL dAgPL e


32/73

Safety integrity level "2/7$



33/73

Safety integrity level "5/7$

C e ASI level defines t e re?uirements0 met ods0 tec ni?ues and measures tomanage systematic failures "system0 %1 and S1$ and random failures "%1$


Source for tables: ISO 26262 standardparts 4 and 5


34/73

(irst steps in t e process

Organi&ational processes

Closer look


!ore systems and safetyengineering processes

Supporting processes

Safety-oriented analysesSource: Flanders DRIVE FLAME methodology

F l i i


35/73

Fse-case electric powertrain


! t t d i t d i ti "Jit d fi iti $


36/73

!reate system and environment description "Jitem definition$

Fnderstanding of t e system0 its environment and actors to facilitatet e a&ard analysis and ris' assessment

The boundaries of the system


The elements of the system

The systems interfaces Requirements received from other

systems and the environment

Requirements on other systemsand the environment

The allocation and distribution offunctions among the systems

E t & d l i d i ' t " /2$


37/73

E=ecute a&ard analysis and ris' assessment " /2$

!onte=t for t e a&ard analysis and ris' assessment

Definition of safetygoals to prevent

$azardous eventsleading to $arm2


E=ecute a&ard analysis and ris' assessment "2/2$


38/73

E=ecute a&ard analysis and ris assessment "2/2$

System and environment description Functional behaviour of the system at vehicle level

Operating modes, operational situations, vehicle states Already known hazards

Systematic determination of system hazardsBrainstorming, checklists, quality history, FMEA,


)perating modes %ill descent control mode

Agility control mode Craction !ontrol mode

H

)perational situations !ity driving

Snow and ice


39/73

!lassification of Severity S$

The risk assessment of

hazardous eventsfocuses on the harm to

each endangered person including the

driver or the


passengers of the

vehicle causing thehazardous event, andother endangeredpersons such as

cyclists ,pedestrians or

occupants of othervehicles .


!lasses of pro a ility of e=posure "E$


40/73

!lasses of pro a ility of e=posure E$



)efining t e controlla ility "!$


41/73

)efining t e controlla ility !$

Vehicle no longer controllable 10

System reaction dangerous

9

8

7

System reaction disturbing

6

5

S stem reaction noticeable

!

"

Neukum andKrger method


Analysis of dynamic driving data.Determination of error limits: via statistical analysis of subjective

scores of malfunctions

Analysis of dynamic driving data.Determination of error limits: via statistical analysis of subjective

scores of malfunctions

Safety CriteriaSafety Criteria

Creation of error functions withdifferent error amplitudes and

error durations in different drivingmanoeuvres

Creation of error functions withdifferent error amplitudes and

error durations in different drivingmanoeuvres

1

#othing noticed 0

)etermine safety goals and ASI levels


42/73

)etermine safety goals and ASI levels

Risk graph from ISO 26262

A safety goal is a top-level safety requirementfor the system. Failure of the safety goal will


Severity (S)Exposure (E)

Controllability (C)

resu n an mme a e ncrease o e r s .

ASIL D = highest safety requirementsASIL A = lowest safety requirementsQM = Quality Management (no safety requirements)


et+s Practice


43/73

et s Practice


8uild t e %A,A for an electric ve iclewit one electric motor providingtor?ue to t e front w eel via an

automatic transmission o=>

Page 75

E=ample functional safety goals


44/73

a p e u ct o a sa ety goa s

The magnitude and sign of the torque delivered to each front wheel shallnot destabilize the vehicle in all driving situations. The sign shall be correct.

The magnitude shall be within +/-5% of the required value.

No torque shall be delivered by the system when the vehicle is connectedto a charging spot.

Functional Safety Goal = toplevel functional safety requirement


The time and phase lag of the torque transfer shall not destabilize thevehicle in all driving situations. Time lag shall be less than 100 ms. Phaselag shall be less than 20 ms.

)erive functional safety re?uirements


45/73

) y

Derive the functional safety requirements (FSR),

from the safety goals, and allocate them topreliminary architectural elements of the system inorder to ensure the required functional safety.,esults of a&ardanalysis and ris'

assessment

Safety goal AASI !

(unctional safety (unctional safety

Safety goal 8ASI )

(unctional safety

Safety goal K

Criteria for FSRs:

Techniques to define FSRs:FMEA, FTA,

brainstorming, HAZOP,


re?uirement

ASI !

re?uirement

ASI !

re?uirement

ASI )

At least onefunctional safetyrequirement shallbe specified for

each safety goal.

- Unique label.- Unambiguous

- Comprehensible- Atomic

- Consistent

- Feasible- Verifiable

System arc itecture for Electric Powertrain


46/73

y


E=ample functional safety re?uirements


47/73

y



48/73

(CA "(ault Cree Analysis$


49/73

Deductive a roach


Main Question: what is the reason?Can also be called TOP-DOWN

What led to the top event?

Sherlock Holmesian approach

Deductive system analysis:Fault Tree Analysis (FTA)

(urt er system design0 integration . testing and validation


50/73

The technical safety conceptis a statement of how the safety

functions are implemented inhardware or software. This isstated in the technical safety

requirements.

Hardware and software safetyrequirements state the specificsafety requirements that will be


mp emen e as par o e

software and hardware design

Agenda


51/73

Introduction to (landers; ),I#E Introduction to functional safety




Safety lifecycle


!ore sa ety engineering processes #-model

System and environment description %a&ard analysis and ris' assessment (unctional safety concept ,ardware Development Software )evelopment

*uestions

%ardware development


52/73

%ardware implementation of t e tec nical safety concept

Analysis of potential ardware faults and t eir effects

!oordination wit Software development

Re3uired activities and processes



53/73



54/73

)etected (ault fault w ose presence is detected wit in a prescri ed time y a safety mec anism

t at prevents t e fault from eing latent>

Perceived (ault (ault w ose presence is deduced y t e driver wit in a prescri ed time interval>

atent (ault

,ardware faults 4continued5


mu t p e-po nt au t w ose presence s not etecte y a sa ety mec an sm nor

perceived y t e driver wit in t e multiple-point fault detection interval>

Page 97



55/73

C e single point faults metric reflects t e ro ustness of t e item to singlepoint faults>

C e latent faults metric reflects t e ro ustness of t e item to latent faults>

#ro6a6ilistic Metric for random ,ardware Failures "P

,ardware metrics




56/73

"ingle point faults metric




57/73

7atent faults metric




58/73

E ample



59/73


60/73



61/73

E ample 4continued58 demo (9V :or;6enc$


Agenda


62/73

Introduction to (landers; ),I#E Introduction to functional safety


ISO 26262 for safety-related automotive E/E development Scope Parts of t e standard

Safety lifecycle


!ore sa ety engineering processes #-model

System and environment description %a&ard analysis and ris' assessment (unctional safety concept %ardware )evelopment "oftware Development

*uestions

Software development


63/73

Reference #$ase Model




64/73

S1 as neit er potential to wear out nor produce random failures> S1?uality is determined y its development process> C e more rigorous andsystematic t e development process0 t e ig er t e ASI rating can e

ac ieved> Programming language selection

rd

Is a6out


> >

Cool selection and ?ualification S1 !onfiguration

Integration in ardware

And muc more H>

Page 67



65/73

C e safety state s all e activated y a switc off of driver 5>

C e ogic Solver "!PF$ s all run self tests of t e internal registers>

C e input cloc' s all e tested to detect faults> )uring t en operating p ase0 plausi ility c ec's of specific varia les

according to t e appropriate range s all e performed>

"oftware "afety Re3uirements< some e amples


C e ma=imum start-up tome is 2 seconds>

C e reaction time to a normal input c ange is ma=imum millisecond>

HH

Page 69



66/73

E=ample CI+s %erculesC< A,>

"demo$

Page 66

C an's for your attendance@


67/73



68/73

For more information, please contact

Marc Van VlimmerenFunctional safety engineer

tel. +32 11 790 [email protected]


Bert DextersProject leader Automotive Safety Integrity Leveltel. +32 11 790 545

[email protected]

www.flandersdrive.be

lossary " /5$


69/73

Active safetySystems assisting in the prevention of a crash

Error(1) Mistake in engineering, requirement specification, or design.(2) Mistake in design, implementation or operation which could cause a failure.

FailureThe inability of a system or component to perform its required functions within specifiedperformance requirements.

FaultAny change in state of an item that is considered to be anomalous and may warrant some type of


corrective action. Examples of faults included device errors reported by Built-In Test (BIT)/Built-In

Test Equipment (BITE), out-of-limits conditions on sensor values, loss of communication withdevices, loss of power to a device, communication error on bus transaction, software exceptions(e.g., divide by zero, file not found), rejected commands, measured performance values outside ofcommanded or expected values, an incorrect step, process, or data definition in a computerprogram, etc. Faults are preliminary indications that a failure may have occurred.

Fault Injection Process

The process of deliberately inserting faults into a system (by manual or automatic methods) to testthe ability of the system to safely handle the fault or to fail to a safe state. Usually, fault injectioncriteria is defined by system safety and is implemented by the software test engineeringgroup to measure the systems ability to mitigate potential mishaps to anacceptable level of risk.

Page 6D


70/73

lossary "5/5$


71/73

Safety Freedom from those conditions that can cause death, injury, occupational illness, damage to orloss of equipment or property, or damage to the environment.

Safety AnalysisA systematic examination to determine system functionality, to identify potential hazards, andanalyze the adequacy of measures taken to eliminate, control, or mitigate identified hazards; and

analyze and evaluate potential accidents and their associated risksSafety Critical Function

A function whose failure to operate, or incorrect operation, will directly result in a high risk mishap(i.e., death, serious injury, system loss, environmental damage).


Safety IntegrityThe ability of a control system to work safely (this includes shutting down safely if a fault occurs),which depends on the entire system, not just the computer

Automotive Safety Integrity Level (ASIL)

One of four levels to specify the item's or element's necessary requirements of ISO 26262 andsafety measures to apply for avoiding an unreasonable residual risk , with D representing the most

stringent and A the least stringent level .

Page 3

A reviations " /2$


72/73

ASI Automotive Safety Integrity evel

8


73/73

OE< Original E?uipment

introduction to functional safety kdg seminar 20130424 handout

Documents