upgrade spice for safety 100518 - itq · model automotive spice ® safety standard iec...
TRANSCRIPT
How to Upgrade SPICE-Compliant Processes for Functional Safety
Dr. Erwin Petry
KUGLER MAAG CIE GmbHLeibnizstraße 11 · 70806 Kornwestheim · GermanyMobile: +49 173 67 87 337 · Tel: +49 7154-1796-222 · Fax: +49 7154-1796-480Email: [email protected] · Internet: www.kuglermaag.com
May 18, 2010
Tenth International SPICE Conference, Pisa, Italy, May 18th to 20th, 2010
© Copyright 2010 KUGLER MAAG CIE GmbHPage 2 – SPICE Upgrade for Functional Safety
Abstract
• Companies developing safety-related E/E products may have SPICE-compliant processes. However, this is not enough to fulfill the requirements specified by functional safety standards like the new ISO 26262. These processes definitely need an update, and the way the organization works needs a change. But how is this change best implemented in practice, at lowest possible cost, and with the highest possible success rate?
• This tutorial presents the essential steps to be taken to achieve processes and projects capable of functional safety, covering questions like:• How can we systematically identify what to change in which element of which process?
• Where is there little to do, and where is a lot of work ahead?
• What are the success factors to be considered?
• How is the change to be organized?
• What needs to be planned?
• How long will it take, and what are the costs to be expected?
© Copyright 2010 KUGLER MAAG CIE GmbHPage 3 – SPICE Upgrade for Functional Safety
Contents
• Maturity models and functional safety standards• Relationship between ISO/DIS 26262 and Automotive SPICE• How to implement ISO/DIS 26262 requirements/clauses?• How to implement ISO/DIS 26262 work products?• How to achieve compliance with ISO/DIS 26262• Timeline for functional safety compliance• Selected elements of the program to achieve compliance• Confirmation measures• Success factors for achieving functional safety capability• Cost considerations
© Copyright 2010 KUGLER MAAG CIE GmbHPage 4 – SPICE Upgrade for Functional Safety
• Customers expect safe products
• Highly complex safety-related electronic products endanger life
• Safe products are legally required
• Need to avoid liability claims and be compliant to safety standards
• For Automotive E/E products ISO 26262 will be considered state-of-the-art
technique in 2011
• Not all organizations are already set up to fully comply with safety
standards and able to achieve safety goals
• Processes
• Product architecture (hardware, software)
• Skilled staff
Initial SituationWhat are the challenges?
Maturity Models andFunctional Safety Standards
© Copyright 2010 KUGLER MAAG CIE GmbHPage 6 – SPICE Upgrade for Functional Safety
Functional Safety and Maturity ModelsThey support each other
Management of Functional Safety
Architecture
Integrity(SIL/ASIL)
CMMI /SPICE
e.g. ProjectManagement,Configuration Management
RiskAnalysis
SafetyRequirements
Requirements fromIEC 61508 / ISO/DIS 26262
SIL = Safety Integrity LevelASIL = Automotive SIL
Requirements fromCMMI / SPICE
Processes (What)Processes (What)
Methods (How)
© Copyright 2010 KUGLER MAAG CIE GmbHPage 7 – SPICE Upgrade for Functional Safety
Maturity Models & Functional Safety StandardsHow they differ
Maturity Models• Focus on software development,
including systems• Change management approach
(capability levels)• Approach to harmonize rating criteria,
assessment method and to achieve comparability
• Result is a certificate for process maturity
• Objective is efficient and repeatable development of any product or service
• Motivation for compliance is benefit• Target level depends on business goals• Give notation, requirements, guidance,
best practice• Do not require certain methods (“what”)
Functional Safety Standards• Focus on development of safety-related
systems, especially hardware characteristics
• Capability for development of safety-related systems
• Context dependent assessment method and criteria are dominating
• Result is an expertise for a product• Objective is capability to develop certain
products with calculable risk• Motivation is product liability• Target level depends on hazard
analysis• Give notation, requirements and some
examples• Require certain methods (“how”) and
characteristics (e.g. SFF)
© Copyright 2010 KUGLER MAAG CIE GmbHPage 8 – SPICE Upgrade for Functional Safety
Process Assessments and Safety AssessmentsComparisonAttribute Process Assessment Safety Assessment
Trigger Before a project starts (supplier selection), early in a project, milestone or severe problems
Incremental after project start and at product release
Purpose Capability determination or process improvement
Judge functional safety achieved
Qualification of the assessor
Automotive SPICE® PAM, assessment process
All elements of the safety standard
Model Automotive SPICE® Safety Standard IEC 61508/ISO/DIS 26262
Criteria Process attributes, capability levels Requirements of the standard
Rating scale N, P, L, F Not defined. Overall: Accepted/Rejected
Assess what? Defined or implemented processes. Work products produced.
Implemented project safety activities. Work products produced. Product itself.
Frequency Often at most once per project At least once before product release. Typically incrementally.
Scope split Typically only HIS scope in Automotive. Individual processes possible. Only up to capability level x.
Phases, work products, subsystems, technology (system, hardware, software)
Information Process capability, maturity of development processes
Assessor judgment whether the residual risk is low enough
© Copyright 2010 KUGLER MAAG CIE GmbHPage 9 – SPICE Upgrade for Functional Safety
Which Model and which Safety Standard?Assumptions and context for this presentation
• Application context is primarily embedded E/E Automotive systems
• Typically: ECU (Electronic Control Unit) with connected sensors and actuators
Maturity Model:
• Automotive SPICE® PAM 2.5
Functional Safety Standard:
• ISO/DIS 26262
� Clearly identify model(s) and standard(s) according to business needs
Sensor
Control Actuator
System
© Copyright 2010 KUGLER MAAG CIE GmbHPage 10 – SPICE Upgrade for Functional Safety
ISO/IEC 15504Processes
Supply Process Group (SPL)SPL.1 Supplier tenderingSPL.2 Product releaseSPL.3 Product acceptance support
Management Process Group (MAN)MAN.1 Organizational alignment MAN.2 Organization managementMAN.3 Project managementMAN.4 Quality managementMAN.5 Risk managementMAN.6 Measurement
Resource & Infrastructure Process Group (RIN)
RIN.1 Human resource managementRIN.2 TrainingRIN.3 Knowledge managementRIN.4 Infrastructure
Supporting Process Group (SUP)SUP.1 Quality assuranceSUP.2 VerificationSUP.3 ValidationSUP.4 Joint reviewSUP.5 AuditSUP.6 Product evaluationSUP.7 DocumentationSUP.8 Configuration management SUP.9 Problem resolution managementSUP.10 Change request management
Operation Process Group (OPE)OPE.1 Operational useOPE.2 Customer support
Process Improvement Process Group (PIM)PIM.1 Process establishmentPIM.2 Process assessmentPIM.3 Process improvement
Reuse Process Group (REU)REU.1 Asset management REU.2 Reuse program management REU.3 Domain engineering
The Acquisition Process Group (ACQ)ACQ.1 Acquisition preparationACQ.2 Supplier selectionACQ.3 Contract agreementACQ.4 Supplier monitoringACQ.5 Customer acceptance
ISO/IEC 15504-5Engineering Process Group (ENG)
ENG.1 Requirements elicitationENG.2 System requirements analysisENG.3 System architectural designENG.4 Software requirements analysisENG.5 Software designENG.6 Software constructionENG.7 Software integrationENG.8 Software testingENG.9 System integrationENG.10 System testingENG.11 Software installationENG.12 Software and system maintenance
A modified in Automotive SPICE®
Automotive SPICE ®
AAAAAAAAAA
AA
A
AAAA
A
AA
AA
A
AA
not included in IS0 /IEC 15504-5
A ACQ.11 Technical requirementsA ACQ.12 Legal and administrative requirementsA ACQ.13 Project requirementsA ACQ.14 Request for proposalsA ACQ.15 Supplier qualification
HIS-Scope
&
A
Automotive SPICE® is a registered trademark of the Verband der Automobilindustrie e.V. (VDA).
© Copyright 2010 KUGLER MAAG CIE GmbHPage 11 – SPICE Upgrade for Functional Safety
ISO/DIS 26262 Overview
4. Product development: system level
5. Product development:hardware level
6. Product development:software level
8. Supporting processes
9. ASIL-oriented and safety-oriented analyses
2. Management of functional safety
4-5 Initiation of product development at the system level
4-6 Specification of the technical safety requirements
4-7 System design 4-8 Item integration & testing
4-9 Safety validation
4-10 Safety assessment
4-11 Release for production
5-5 Initiation of product development at the hardware level
5-6 Specification of hardware safety requirements
6-5 Initiation of product development at the software level
5-9 Evaluation of violation of the safety goals
5-7 Hardware design
5-8 Hardware arch. metrics
5-10 HW integration& testing
6-6 Spec. of SW safety requirem.
6-7 Software architectural design
6-8 SW unit design&implementation
6-9 Software unit testing
6-10 Software integration& testing
6-11 Verification of software safety requirements
7-5 Production
7- 6 Operation, service (maintenance and repair), and decommissioning
3-5 Item definition
3- 8 Functional safety concept
3-6 Initiation of the safety lifecycle
3-7 Hazard analysis and risk assessment
2-5 Overall safety management 2-7 Safety management after release for production2-6 Safety management during item development
8- 5 Interfaces within distributed development s
8- 7 Configuration management 8- 10 Documentation 8- 13 Qualific. Of HW components
8- 6 Specification & management of safety requirements
8- 8 Change management 8-11 Qualification of SW tools 8- 14 Proven in use argument
8- 9 Verification 8-12 Qualific. of SW components
9- 5 Requirements decomposition with respect to ASIL tailoring
9- 6 Criteria for coexistence of elements
9-7 Analysis of dependent failures 9-8 Safety analyses
1. Vocabulary
10. Guideline (informative)
3. Concept phase 7. Production and operation
© Copyright 2010 KUGLER MAAG CIE GmbHPage 12 – SPICE Upgrade for Functional Safety
Standards related to Functional SafetyDerived from the generic standard
IEC 61508
IEC 61513Nuclear Power
EN 5012xRailway
DO-178BAviation
IEC 60601Medical
IEC 61511Process Industry
IEC 62061Machinery
IEC 50156Furnaces
ISO/DIS 26262Automobile
IEC 60335Houshold
Appliances
Relationship betweenISO/DIS 26262andAutomotive SPICE
© Copyright 2010 KUGLER MAAG CIE GmbHPage 14 – SPICE Upgrade for Functional Safety
What means „SPICE-Compliance“?For the purpose of this presentation
• Maturity (typically) is different for different processes• Maturity/capability may vary from project to project and
may vary on organizational level• Maturity may be unknown
� What needs to be changed/added/improved for functional safety depends on the maturity
• Do we need to know the Automotive SPICE maturity/capability?→ Discussion
© Copyright 2010 KUGLER MAAG CIE GmbHPage 15 – SPICE Upgrade for Functional Safety
Relationship Automotive SPICE - ISO/DIS 26262What is supported?
SPICE
ISO 26262
� If compliant
?� What is supported?
Suppose we have a CMMI or SPICE compliant process landscape. Which phases of the safety lifecycle and which clauses of the safety standard ISO/DIS 26262 then already have a good support? Expressed in a different way: Which requirements of the safety standards ask for little process changes or extension in order to become compliant?
© Copyright 2010 KUGLER MAAG CIE GmbHPage 16 – SPICE Upgrade for Functional Safety
Relationship Automotive SPICE - ISO/DIS 26262What is missing?
SPICE
ISO 26262
� If compliant
?– What is missing?
Suppose we have a CMMI or SPICE compliant process landscape. Which phases of the safety lifecycle and which clauses of the safety standard ISO/DIS 26262 then will not be fulfilled? Expressed in a different way: Which requirements of the safety standards are missing and need explicit addition in the process landscape in order to become compliant?
© Copyright 2010 KUGLER MAAG CIE GmbHPage 17 – SPICE Upgrade for Functional Safety
Notation
Within the following slides the phases and requirements of ISO/DIS 26262 are marked as follows:
� Strong support of this requirement by using processes designed to fulfill Automotive SPICE® Level 2/3 requirements
� Medium support by Automotive SPICE® Level 2/3 processes
� No or very weak support by Automotive SPICE® Level 2/3 processes
© Copyright 2010 KUGLER MAAG CIE GmbHPage 18 – SPICE Upgrade for Functional Safety
SPICE and CMMI Support for ISO/DIS 26262
4. Product development: system level
5. Product development:hardware level
6. Product development:software level
8. Supporting processes
9. ASIL-oriented and safety-oriented analyses
2. Management of functional safety
4-5 Initiation of product development at the system level
4-6 Specification of the technical safety requirements
4-7 System design 4-8 Item integration & testing
4-9 Safety validation
4-10 Safety assessment
4-11 Release for production
5-5 Initiation of product development at the hardware level
5-6 Specification of hardware safety requirements
6-5 Initiation of product development at the software level
5-9 Evaluation of violation of the safety goals
5-7 Hardware design
5-8 Hardware arch. metrics
5-10 HW integration& testing
6-6 Spec. of SW safety requirem.
6-7 Software architectural design
6-8 SW unit design&implementation
6-9 Software unit testing
6-10 Software integration& testing
6-11 Verification of software safety requirements
7-5 Production
7- 6 Operation, service (maintenance and repair), and decommissioning
3-5 Item definition
3- 8 Functional safety concept
3-6 Initiation of the safety lifecycle
3-7 Hazard analysis and risk assessment
2-5 Overall safety management 2-7 Safety management after release for production2-6 Safety management during item development
8- 5 Interfaces within distributed development s
8- 7 Configuration management 8- 10 Documentation 8- 13 Qualific. Of HW components
8- 6 Specification & management of safety requirements
8- 8 Change management 8-11 Qualification of SW tools 8- 14 Proven in use argument
8- 9 Verification 8-12 Qualific. of SW components
9- 5 Requirements decomposition with respect to ASIL tailoring
9- 6 Criteria for coexistence of elements
9-7 Analysis of dependent failures 9-8 Safety analyses
1. Vocabulary
10. Guideline (informative)
3. Concept phase 7. Production and operation
����
����
���� ���� ����
����
����
������������ ����
������������
����������������
����
��������
��������
��������
����
��������
����������������
���� ����
��������
����
���� ��������
����
���� Strong support Medium Support Weak support��������
����
����
© Copyright 2010 KUGLER MAAG CIE GmbHPage 19 – SPICE Upgrade for Functional Safety
ISO/DIS 26262 Safety Lifecycle
4 Product development:system level
Release for production4-11
Production7-5
Operation, serviceand decommissioning
7-6
Item definition3-5
Initiation safety lifecycle3-6
Hazard analysis andrisk assessment
3-7
Functional safety concept3-8
Operation
7-6 Production
7-5Planning
SWlevel
6
HWlevel
5
Afte
r S
OP
Pro
duct
de
velo
pmen
tC
once
pt
phas
e
Othertechnologies,controllability,externalmeasures
����
����
����
����
����
������������
����
����
���� ����
© Copyright 2010 KUGLER MAAG CIE GmbHPage 20 – SPICE Upgrade for Functional Safety
How much work to become compliant?Areas with a lot of effort
? Where there is little support by Automotive SPICE there is more to do than where there is strong support.
• This statement does not help a lot. Typical areas with much additional effort:� Process improvement to achieve capability of developing safety-related
products, including training/qualification� Functional and technical safety concept (design for safety)� Safety analyses (H&R, FTA, quantitative FMEA, hardware metrics,
dependent failures)� Additional hardware components (sensors, processor, …)� Additional software for fault detection and control (3-level SW architecture)� Applying necessary test methods in a controlled way (fault injection,
coverage, repetition after change, traceability of tests, …)� Qualification of tools and of components� Safety case including all the argumentation� Field monitoring process
© Copyright 2010 KUGLER MAAG CIE GmbHPage 21 – SPICE Upgrade for Functional Safety
How much work to become compliant?Areas with limited additional effort for a mature organization
� Project management: Add activities, roles, work products, project effort and duration, assessment
� Configuration management: Add work products. Strict application.� Quality management and verification: Add reviews/inspections/audits/
assessment for safety work products and processes. Update checklists.� Change management: Strict application necessary� Requirements analysis: Some additional safety requirements and attributes� Software construction: More peer reviews and use of analysis tools
© Copyright 2010 KUGLER MAAG CIE GmbHPage 22 – SPICE Upgrade for Functional Safety
Relationship Automotive SPICE - ISO/DIS 26262What is necessary?
SPICE
ISO 26262 �
What is necessary??
If required
In case compliance with ISO/DIS 26262 is required which processes, which practices and which work products are specifically necessary? Expressed in a different way: Which elements of SPICE or CMMI should specifically be emphasized? Which elements are important and which ones are not?
© Copyright 2010 KUGLER MAAG CIE GmbHPage 23 – SPICE Upgrade for Functional Safety
Automotive SPICE ® Necessity for Functional Safety
A modified in Automotive SPICE®
not included in IS0/IEC 15504-5
HIS-Scope
Supply Process Group (SPL)SPL.1 Supplier tenderingSPL.2 Product releaseSPL.3 Product acceptance support
Management Process Group (MAN)MAN.1 Organizational alignment MAN.2 Organization managementMAN.3 Project managementMAN.4 Quality managementMAN.5 Risk managementMAN.6 Measurement
Resource & Infrastructure Process Group (RIN)
RIN.1 Human resource managementRIN.2 TrainingRIN.3 Knowledge managementRIN.4 Infrastructure
Supporting Process Group (SUP)SUP.1 Quality assuranceSUP.2 VerificationSUP.3 ValidationSUP.4 Joint reviewSUP.5 AuditSUP.6 Product evaluationSUP.7 DocumentationSUP.8 Configuration management SUP.9 Problem resolution managementSUP.10 Change request management
Operation Process Group (OPE)OPE.1 Operational useOPE.2 Customer support
Process Improvement Process Group (PIM)PIM.1 Process establishmentPIM.2 Process assessmentPIM.3 Process improvement
Reuse Process Group (REU)REU.1 Asset management REU.2 Reuse program management REU.3 Domain engineering
The Acquisition Process Group (ACQ)ACQ.1 Acquisition preparationACQ.2 Supplier selectionACQ.3 Contract agreementACQ.4 Supplier monitoringACQ.5 Customer acceptance
Engineering Process Group (ENG)ENG.1 Requirements elicitationENG.2 System requirements analysisENG.3 System architectural designENG.4 Software requirements analysisENG.5 Software designENG.6 Software constructionENG.7 Software integrationENG.8 Software testingENG.9 System integrationENG.10 System testingENG.11 Software installationENG.12 Software and system maintenance
AAAAAAAAAA
AA
A
AAAA
A
AA
AA
A
AA
A ACQ.11 Technical requirementsA ACQ.12 Legal and administrative requirementsA ACQ.13 Project requirementsA ACQ.14 Request for proposalsA ACQ.15 Supplier qualification
A
Necessary Automotive SPICE® Capability Levels vary from 0 to 3.Formally no Capability Level necessary for Functional Safety.Recommendation from Functional Safety point of view only.
333333333323
1123233211
3312323323
013220
230
010
1212
20
211
Capability Level
© Copyright 2010 KUGLER MAAG CIE GmbHPage 24 – SPICE Upgrade for Functional Safety
How to systematically identify what to change?
• Unidirectional mapping from Automotive SPICE to the (organization’s) standard process assumed
Standard Process
A-SPICEISO/DIS26262
• Bidirectional mapping between ISO/DIS 26262 and Automotive SPICE useful for transparency of overlapping
• Gap analysis/conformity check of the standard process against the requirements of ISO/DIS 26262
• Maintain (at least) a unidirectional mapping from Automotive SPICE AND ISO/DIS 26262 to the standard process
© Copyright 2010 KUGLER MAAG CIE GmbHPage 25 – SPICE Upgrade for Functional Safety
Gap AnalysisExample / Extract / Tool
ISO/DIS 26262 Evidence Notes Findings Charact.
ClauseNo. Topic Work Prod. Table Question Explanation
6.4.5.4 The work products referenced in the
safety case:
⎯ shall be subject to configuration and change
management, in accordance with ISO°26262-8,
Clause°7
and Clause°8, starting from the phase: product
development at system level (see ISO°26262-
4); and
⎯ shall be documented, in accordance with
ISO°26262-8, Clause°10.
Must be reviews, audits, assessment according
to table 1. Observe independence. Planning
may be included the safety plan. Evidence for
performance of confirmation measures
planned for the past must be available.
6.4.6.1 The confirmation measures shall be
planned.
6.4.6.2 The confirmation measures, as
specified in Table°1, shall be performed during
the item
development, including the following:
a) the confirmation reviews;
b) applies to ASIL (B), C, and D: Audit of
functional safety processes; and
c) applies to ASIL (B), C, and D: Assessment of
functional safety, in accordance with 6.4.6.7.
2-6 6.4.5 Safety case Safety case Explain the safety
case.
2-6 6.4.6 Confirmation
measures
Results of the
confirmation
measures
-2, table 1 Which confirmation
measures were
already performed?
© Copyright 2010 KUGLER MAAG CIE GmbHPage 26 – SPICE Upgrade for Functional Safety
How to systematically address findings?
• Group the findings of the gap analysis
• Define measures to address them
• Assign the implementation to responsible action teams of a compliance program
Findings
Measures
Action
How to Implement ISO/DIS 26262 Requirements/Clauses?
How to Implement ISO/DIS 26262 Work Products?
© Copyright 2010 KUGLER MAAG CIE GmbHPage 28 – SPICE Upgrade for Functional Safety
Work Products of ISO/DIS 26262How to implement in Automotive SPICE context (1/10)
ISO/DIS 26262 Clause Work Product How to implement it? Where?(Proposals, ideas)
Association with Automotive SPICE process
Association with Automotive SPICE work products
5.5.1 Organization specific rules and processes for functional safety
Change policy. Update processes. mission statement, vision statement, goals, process description, process repository
5.5.2 Evidence that the persons assigned to carry out activities provided by ISO°26262 have a sufficient level of skills, competences and qualification
Extend organizational training program personnel policy, training material, training plan
5.5.3 Evidence of an operational E/E quality management system, conforming to the requirements of this part of ISO°26262
Include functional safety criteria in QM activities. Update checklists. Maintain QM system certification.
quality policy, quality manual, quality plan, quality criteria, review plan, quality record, review record
6.5.1 Safety plan Maintain separate plan or include in project plan6.5.2 Overall project plan (refined) Maintain project plan project plan, work breakdown
structure, schedule, risk management plan, risk mitigation plan, quality plan
6.5.3 Safety case Collect references to evidence. Separate document with references and argumentation.
6.5.4.Results of confirmation measures Collect reports of confirmation measures. Part of the safety case.
verification results, quality record, audit report, assessment report
6.5.5 Confirmation plan Maintain separate plan or include in safety plan verification strategy6.5.6 Functional safety assessment plan Maintain separate plan or include in confirmation plan
7: Safety management after release for production
7.5 Evidence of a field monitoring process Collect evidence until decommissiong according to separate monitoring process requirements
(OPE.1 Operational use / BP5)
field measure
PIM.1 Process establishmentRIN.1 Human resource managementRIN.2 TrainingMAN.4 Quality management
MAN.3 Project managementRIN.2 TrainingPIM.2 Process assessmentSUP.1 Quality assuranceSUP.5 Audit
5: Overall safety management
6: Safety management during development of the item
2: Management of functional safety
© Copyright 2010 KUGLER MAAG CIE GmbHPage 29 – SPICE Upgrade for Functional Safety
Management of Functional SafetyRequirements from ISO/DIS 26262 part 2
• Overall project independent safety management• Definition of a safety policy and a safety strategy
• Quality management system shall be in place
• Company specific rules to be established
• Tools, templates, data bases etc. to be provided
• Lessons Learned passed on to subsequent projects
• Safety training for involved persons
• Decision on which phases of the safety lifecycle are to be carried out
• Allocation of safety responsibility and duties for all safety related activities
© Copyright 2010 KUGLER MAAG CIE GmbHPage 30 – SPICE Upgrade for Functional Safety
Management of Functional SafetyRequirements from ISO/DIS 26262 part 2
• Project specific safety management• Create and maintain safety plan
• Report safety findings to relevant management
• Results of all activities to be documented
• Planning of verification and validation activities
• Determine level of independence for confirmation activities
• Maintain a safety case
• Define rules for safety management after start of production (SOP)
© Copyright 2010 KUGLER MAAG CIE GmbHPage 31 – SPICE Upgrade for Functional Safety
Development of Safety-related SystemsThe Role of the Manager
• To be aware of its own responsibility and the risk
• Responsibility to establish a safety culture
• To establish requirements
• To clarify the integration of the functional safety process into the development process
• To allocate responsibility
• To establish positions and provide resources
• To take care of employees‘ training
• To request reports
• To actively observe the implementation
© Copyright 2010 KUGLER MAAG CIE GmbHPage 32 – SPICE Upgrade for Functional Safety
Work Products of ISO/DIS 26262How to implement in Automotive SPICE context (2/10)
ISO/DIS 26262 Clause Work Product How to implement it? Where?(Proposals, ideas)
Association with Automotive SPICE process
Association with Automotive SPICE work products
5: Item definition5.5 Item definition Included in the product description, statement of work, or
requirements specificationproject plan, customer requirements
6: Initiation of the safety lifecycle
6.5 Impact analysis Include in project setup. Tailored processes.MAN.3 Project management
analysis report
7.5.1 Hazard analysis and risk assessment Separate additional activity with specific method and tooling. Additional work product H&R.
analysis report
7.5.2 Safety goals Include in H&R and in customer and system requirements. Specific attributes for safety requirements.
system requirements
7.5.3 Verification review of hazard analysis and risk assessment and safety goals
Perform confirmation activity as planned in the confirmation plan and provide review report
8.5.1 Functional safety concept Separate additional activity. Additional work product eventually together with technical safety requirements and/or technical safety concept.
system requirements, interface requirements, system architecture design
8.5.2 Review of functional safety requirements Perform formal review and provide review report
(ENG.1 Requirements elicitation)
3: Concept phase
7: Hazard analysis and risk assessment
8: Functional safety concept
© Copyright 2010 KUGLER MAAG CIE GmbHPage 33 – SPICE Upgrade for Functional Safety
ISO/DIS 26262 Clause Work Product How to implement it? Where?(Proposals, ideas)
Association with Automotive SPICE process
Association with Automotive SPICE work products
5.5.1 Overall project plan (refined) Update plan release plan5.5.2 Safety plan (refined) Update plan5.5.3 Validation plan Maintain separate plan or include in verification plan and/or
test plan and/or confirmation plan5.5.4 Functional safety assessment plan (refined) Update plan5.5.5 Item integration and testing plan Maintain separate plan or multiple plans for different
integration and test levels6.5.1 Technical safety requirements specification Separate additional activity. Include in requirements
management of system requirements. Specific attributes for safety requirements.
system requirements specification
6.5.2 Validation plan (refined) Update plan6.5.3 System-level verification report Perform formal review and provide review report7.5.1 Technical safety concept Separate additional activity. Additional work product eventually
together with technical safety requirements and/or functional safety concept.
7.5.2 System design specification Maintain a system design system architectural design7.5.3 Requirements for production, operation, service and decommissioning
Dedicated elicitation. Eventually managed with system requirements. Allocated to non development departments.
7.5.4 Item integration and testing plan (refined) Update plan7.5.5 System-level verification report (refined) Perform formal review and provide review report verification results7.5.6 Hardware Software Interface Specification (HSI)
Maintain separate specification or include in system design and in software requirements
interface requirements specification
8.5.1 Integration testing specification Maintain integration and testing strategy, test plan, test specifications and test implementations
test specification, verification criteria
8.5.2 Integration testing report(s) Perform tests according to plan and document performance carefully
test result
9.5.1 Validation plan (refined) Update plan validation strategy, validation test plan
9.5.2 Validation report Perform validation according to plan and document performance carefully
validation results
10: Functional safety assessment
10.5 Functional safety assessment report Perform confirmation activity as planned in the function safety assessment plan and provide review report
11: Product release
11.5 Release for production report Include specific functional safety activities in the release procedure and report
(ENG.10 System testing)product release information, product release package
(MAN.2 Organization management)MAN.3 Project management
(ENG.2 System requirements analysis)
ENG.3 System architectural design(OPE.1 Operational use / BP4)
ENG.9 System integration testENG.10 System testing
5: Initiation of product development at the system level
6: Specification of the technical safety requirements
7: System design
8: Item integration and testing
9: Safety validation
4: Product development: system level
Work Products of ISO/DIS 26262How to implement in Automotive SPICE context (3/10)
© Copyright 2010 KUGLER MAAG CIE GmbHPage 34 – SPICE Upgrade for Functional Safety
Work Products of ISO/DIS 26262How to implement in Automotive SPICE context (4/10)
ISO/DIS 26262 Clause Work Product How to implement it? Where?(Proposals, ideas)
Association with Automotive SPICE process
Association with Automotive SPICE work products
5.5.1 Overall project plan (refined) Maintain project plan5.5.2 Safety plan (refined) Update plan
6.5.1 Hardware safety requirements specification Separate additional activity. Include in requirements management of hardware requirements. Specific attributes for safety requirements.
6.5.2 Hardware architectural metric requirements Separate additional activity. Include in functional or technical safety concept.
6.5.3 Random hardware failure requirements Separate additional activity. Include in functional or technical safety concept.
6.5.4 Hardware-software interface specification (refined)
Maintain separate specification or include in system design and in software requirements
6.5.5 Hardware safety requirements verification report
Perform formal review and provide review report
7.5.1 Hardware design specification Maintain a hardware design7.5.2 Hardware safety analysis report Perform dedicated safety analyses (e.g. FTA, FMEA) and
provide report(s)7.5.3 Hardware design verification report Perform formal review and provide review report7.5.4 Requirements for production and operation Update requirements for production and operation8.5.1 Assessment of the effectiveness of the system architecture to cope with the hardware random failures
Perform dedicated assessment of hardware architectural metrics and provide report
8.5.2 Review report of assessment of the effectiveness of the system architecture to cope with the hardware random failures
Perform formal review and provide review report
9.5.1 Evaluation of random hardware failures Perform dedicated evaluation of random hardware failures and provide report
9.5.2 Specification of dedicated measures Specification of dedicated measures to be included in suited documents, depending on the measure
9.5.3 Review report of evaluation of violation of the safety goal due to random hardware failures
Perform formal review and provide review report
10: Hardware integration and testing
10.5.1 Hardware integration and verification report.
Perform hardware integration and testing including the methods and tests required and document performance carefully
MAN.3 Project management
5: Initiation of product development at the hardware level
5: Product development: hardware level
6: Specification of hardware safety requirements
7: Hardware design
8: Hardware architectural metrics
9: Evaluation of violation of the safety goal due to random HW failures
© Copyright 2010 KUGLER MAAG CIE GmbHPage 35 – SPICE Upgrade for Functional Safety
Work Products of ISO/DIS 26262How to implement in Automotive SPICE context (5/10)
6. Product development software level to be continued next page ►
ISO/DIS 26262 Clause Work Product How to implement it? Where?(Proposals, ideas)
Association with Automotive SPICE process
Association with Automotive SPICE work products
5.5.1 Safety plan (refined) Update plan5.5.2 Software verification plan Maintain separate plan or multiple plans for different
integration and test levelstest plan
5.5.3 Design and coding guidelines for modelling and programming language
Maintain rules for software design. Eventually maintain rules for model based development. Maintain rules for each coding language and environment.
coding standard, software development methodology
5.5.4 Software tool application guidelines Maintain a tool guideline. software assets register6.5.1 Software safety requirements specification Separate additional activity. Include in requirements
management of software requirements. Specific attributes for safety requirements.
software requirements specification, analysis report
6.5.2 Hardware-software interface specification (refined)
Maintain separate specification or include in system design and in software requirements
interface requirements specification
6.5.3 Software verification plan (refined) Update plan test plan6.5.4 Software verification report Perform formal review of software (safety) requirements and
provide review reportverification results
7.5.1 Software architectural design specification Maintain a software architectural design software architectural design7.5.2 Safety plan (refined) Update plan7.5.3 Software safety requirements specification (refined)
Update specification
7.5.4 Safety analysis report Perform dedicated safety analysis and provide report. Method needs decision.
7.5.5 Dependent failures analysis report Perform dedicated safety analysis and provide report.7.5.6 Software verification report (refined) Perform formal review of software architectural design and
provide review reportverification results
(MAN.2 Organization management)MAN.3 Project management
(ENG.4 Software requirements analysis)
ENG.5 Software design
6: Product development: software level
5: Initiation of product development at the software level
6: Specification of software safety requirements
7: Software architectural design
© Copyright 2010 KUGLER MAAG CIE GmbHPage 36 – SPICE Upgrade for Functional Safety
Work Products of ISO/DIS 26262How to implement in Automotive SPICE context (6/10)
► continued from previous page: 6. Product development software level
ISO/DIS 26262 Clause Work Product How to implement it? Where?(Proposals, ideas)
Association with Automotive SPICE process
Association with Automotive SPICE work products
8.5.1 Software unit design specification Maintain a software unit design software detailed design
8.5.2 Software unit implementation Implement software units according to coding rules software unit8.5.3 Software verification report (refined) Perform formal review and/or static analysis of software
implementation and provide report(s)verification results, review record
9.5.1 Software verification plan (refined) Update plan test plan9.5.2 Software verification specification Maintain integration and testing strategy, test plan, test
specifications and test implementations.test specification, verification criteria
9.5.3 Software verification report (refined) Perform dynamic analyses, achieve test coverage, and provide report(s)
test result
10.5.1 Software verification plan (refined) Update plan test plan, regression test plan10.5.2 Software verification specification (refined) Maintain testing strategy, test plan, test specifications and test
implementations.test specification, verification criteria
10.5.3 Embedded software Integrate software units and components to embedded software
software item, integrated software
10.5.4 Software verification report (refined) Perform tests and provide report(s) test result11.5.1 Software verification plan (refined) No separate activity or result. See clause 10. test plan11.5.2 Software verification specification (refined) No separate activity or result. See clause 10. test specification, verification
criteria11.5.3 Software verification report (refined) No separate activity or result. See clause 10. test result
ENG.5 Software design / BP6ff.ENG.6 Software construction / BP4
ENG.6 Software construction / BP6ff.
ENG.7 Software integration test
(ENG.8 Software testing)
6: Product development: software level
8: Software unit design and implementation
9: Software unit testing
10: Software integration and testing
11: Verification of software safety requirements
© Copyright 2010 KUGLER MAAG CIE GmbHPage 37 – SPICE Upgrade for Functional Safety
Work Products of ISO/DIS 26262How to implement in Automotive SPICE context (7/10)
ISO/DIS 26262 Clause Work Product How to implement it? Where?(Proposals, ideas)
Association with Automotive SPICE process
Association with Automotive SPICE work products
5.5.1 Production plan (refined) TBD5.5.2 Production control plan (refined) including test plan
TBD installation and maintenance plan
5.5.3 Documentation of performed control measures
TBD
5.5.4 If applicable, requirements on the producibility at system-, hardware or software development level
TBD
5.5.5 Assessment report for capability of the production process
TBD
6.5.1 Maintenance plan (refined) TBD installation and maintenance plan
6.5.2 Repair instructions TBD6.5.3 User manual TBD6.5.4 Instructions regarding field observations TBD6.5.5 Instructions for decommissioning TBD6.5.6 If applicable, requirements concerning operation, maintenance and decommissioning at system-, hardware or software development level
TBD product operation guide
(ENG.11 Software installation)
ENG.12 Software and system maintenance(OPE.1 Operational use / BP5)
7: Production and operation
5: Production
6: Operation, service (maintenance and repair), and decommissioning
© Copyright 2010 KUGLER MAAG CIE GmbHPage 38 – SPICE Upgrade for Functional Safety
Work Products of ISO/DIS 26262How to implement in Automotive SPICE context (8/10)
8. Supporting processes to be continued next page ►
ISO/DIS 26262 Clause Work Product How to implement it? Where?(Proposals, ideas)
Association with Automotive SPICE process
Association with Automotive SPICE work products
5.5.1 Supplier selection report Perform systematic supplier selection including safety criteria and document decisions
supplier selection policy
5.5.2 Development Interface Agreement (DIA) Develop, agree upon and maintain a DIA as appendix to the contract. See also ISO/DIS 26262-8, Annex B: DIA example
commitment/agreement
5.5.3 Supplier's project plan Supplier maintains separate but consistent plan release plan5.5.4 Supplier's safety plan Supplier maintains separate but consistent plan5.5.5 Safety assessment report Include safety assessments at supplier side in DIA, perform
assessments and provide a report for each assessmentsupplier evaluation report, review record
6: Specification and management of safety requirements
6.5.1 Safety plan (refined) Include requirements concerning safety requirements in requirements analyses processes
ENG.1 Requirements elicitationENG.2 System requirements analysisENG.4 Software requirements analysis
7: Configuration management
7.5.1 Configuration management plan Update configuration management process and plan with work products specific for functional safety
SUP.8 Configuration management
configuration management plan
8.5.1 Change management plan Apply change management to work products specific for functional safety
change management plan, problem management plan
8.5.2 Change request Nothing specific for functional safety change request8.5.3 Impact analysis and the change request plan Take care to include criteria specific to functional safety.
Involve persons in charge of functional safety.analysis report
8.5.4 Change report Carefully document changes to baselines configuration management record, change control record
9.5.1 Verification plan Maintain separate plan or multiple plans. May be integrated with confirmation plan. May be integrated with test plans.
verification plan, review plan
9.5.2 Specification of verification Separate specifications for reviews (checklists, …) and for tests (test specification, …). Include safety criteria.
quality criteria
9.5.4 Verification report Separate results depending on the kind of verification verification result, review record
10.5.1 Document management plan Include documents and information specific to functional safety in the documentation plan
documentation plan
10.5.2 Documentation requirements Assure that specific requirements for the safety standard are fulfilled
documentation requirementsSUP.7 Documentation
ACQ.x The Acquisition Process GroupSPL.x The Supply Process Group
(SUP.9 Problem resolution management)SUP.10 Change request management
SUP.2 Verification(SUP.3 Validation)SUP.4 Joint review(SUP.6 Product evaluation)
8: Supporting processes
10: Documentation
9: Verification
8: Change management
5: Interfaces within distributed developments
© Copyright 2010 KUGLER MAAG CIE GmbHPage 39 – SPICE Upgrade for Functional Safety
Work Products of ISO/DIS 26262How to implement in Automotive SPICE context (9/10)
► continued from previous page: 8. Supporting processes
ISO/DIS 26262 Clause Work Product How to implement it? Where?(Proposals, ideas)
Association with Automotive SPICE process
Association with Automotive SPICE work products
11.5.1 Software tool classification analysis On an organizational level collect and classify all tools used. Maintain a tool concept.
11.5.2 Software tool qualification plan Assign responsibility and resources to assure availability of tools and of qualification reports in time for the projects
11.5.3 Software tool documentation Maintain a documentation for each tool classified TCL 2 to 411.5.4 Software tool qualification report Provide evidence of successful qualification. Report for each
tool. Take care of timely availability for the project.12.5.1 Software component documentation Maintain a documentation for each qualified software
component or a set of software componentscustomer manual
12.5.2 Software component qualification report Provide evidence of successful qualification. Report for each component or for a set of components. Take care of timely availability for the project.
reuse evaluation report
12.5.3 Safety plan (refined) Update plan reuse strategy, reuse plan13.5.1 Qualification plan Establish a qualification plan for one component or for a set of
components13.5.2 Hardware component testing plan Establish a testing plan or integrate the plan with the
qualification plan or the project plan or the hardware testing/verification plan
13.5.3 Qualification report Provide evidence of successful qualification. Report for each component or for a set of components. Take care of timely availability for the project.
14.5.1 Proven in use credit Maintain a proven in use argument including necessary attachments for each candidate mentioned in the safety plan
14.5.2 Definition of a candidate for proven in use argument
Identify candidates early in the project or even better independent from projects on an organizational level. Maintain a proven in use argument including necessary attachments for each candidate mentioned in the safety plan.
reuse proposal
14.5.3 Proven in use analysis reports Provide the argument early in the project in order to know whether it substantive. Maintain a proven in use argument including necessary attachments for each candidate mentioned in the safety plan.
(RIN.4 Infrastructure)
(REU.2 Reuse program management)
(REU.2 Reuse program management)
(REU.2 Reuse program management)
8: Supporting processes
14: Proven in use argument
13: Qualification of hardware components
12: Qualification of software components
11: Qualification of software tools
© Copyright 2010 KUGLER MAAG CIE GmbHPage 40 – SPICE Upgrade for Functional Safety
Work Products of ISO/DIS 26262How to implement in Automotive SPICE context (10/10)
ISO/DIS 26262 Clause Work Product How to implement it? Where?(Proposals, ideas)
Association with Automotive SPICE process
Association with Automotive SPICE work products
5.5.1 Update of architectural information Do consider this clause in all design activities for safety requirements. Include this information in existing work products system safety specification, hardware design specification, an/or software architectural design specification
system architectural design, software architectural design
5.5.2 Update of ASIL as attribute of safety requirements and elements
Update necessary attributes of safety requirements requirements specification
6: Criteria for coexistence of elements
6.5.1 Results of application of coexistence criteria Do consider this clause each time breaking down a safety-related element into sub-elements. Include this information in the technical safety concept and/or design documents
7.5.1 Results of analyses of dependent failures Perform analyses of dependent failures in combination with safety analyses according to clause 8. Include this information in the results of safety analyses.
7.5.2 Change requests for confirmed dependent failures
In cases where dependent failures are detected later than releasing the documents and components which need a change: Post a formal change request
change request
8: Safety analyses
8.5.1 Results of safety analyses Perform safety analyses during concept and product development phase. Great variety in methods, scope and time points possible. For each safety analysis planned in the safety plan provide the analysis itself, change requests as far as necessary, and additional test cases.
9: ASIL-oriented and safety-oriented analyses
5: Requirements decomposition with respect to ASIL tailoring
7: Analysis of dependent failures
© Copyright 2010 KUGLER MAAG CIE GmbHPage 41 – SPICE Upgrade for Functional Safety
Necessary Measures to Provide a Safe Product
Process-
To Avoid
Process-
To detect and to control
Product-
To Avoid
Product-
To detect and to control
Pro
cess
Pro
duct
To avoid To detect and to control
Process-oriented measures to avoid, detect and control systematic faults
Product-oriented measures to avoid, detect and control systematic faults
Measures to avoid failures in work
products and in the product itself
Measures to detect and control failures in work products and in
the product itself
• Management awareness• Mature processes, customer and supplier, e.g.
• Process management, Project management,• Change management, Configuration management• Documentation• Quality management
• Managed safety lifecycle• Safety analyses• Qualified staff members• Qualified tools• Organizational safety management• Project specific safety management, e.g. safety case• Management of distributed development
• Verification
• Tests
• Audits
• Validation
• Assessment of functional
safety
• Qualified components• Proven-in-use components• Safety requirements• Safety architecture• Redundancy• Metrics (HW, …)
• Safety mechanisms
• Fault detection
How to Achieve Compliance with ISO/DIS 26262
© Copyright 2010 KUGLER MAAG CIE GmbHPage 43 – SPICE Upgrade for Functional Safety
Achieve Compliance with ISO/DIS 26262Perform a process improvement program
• What is a typical standard way for complying with ISO/DIS 26262 and Automotive SPICE in a development organization?• Steps, phases• Milestones, outcomes• Sequence, duration• Organization
� Standard Process for Compliance
© Copyright 2010 KUGLER MAAG CIE GmbHPage 44 – SPICE Upgrade for Functional Safety
Program InterrelationshipProcess Improvement and Safety Compliance
• Do not consider this as two isolated activities !• There is only one standard process in the organization and one
defined process in each project
• The same people are concerned
• The same projects are concerned
• Maturity models and standards for functional safety overlap
• Actively manage both “sources for change and improvement”• Change management is similar
• Program organization should highly overlap at least
• Programs can be sequential or overlapping
© Copyright 2010 KUGLER MAAG CIE GmbHPage 45 – SPICE Upgrade for Functional Safety
Standard Process for ComplianceOverview
Year
X X+1 X+3
Initiali-zation
Delta Phase RolloutInstitutiona-
lization
X+2
• Definition of objectives
• Gap analysis
• Action planning
• Project organization
• Commit-ments for plans and organization
• Process Definition• Piloting• Transition• Intermediate Assessments
• Rollout to projects according to plan
• Quality assurance• Feedback loop• Change management• Confirmation assessment
• Continuous changes to processes
• Improve further processes due to business needs and customer requirements
• Periodic re-assessments
© Copyright 2010 KUGLER MAAG CIE GmbHPage 46 – SPICE Upgrade for Functional Safety
Standard Process for ComplianceInitialization
• Activities• Vision: Definition of objectives• Gap analysis. Combined: Related to functional safety and Automotive SPICE• Action planning• Establish improvement project organization• Intelligent selection of pilot projects and process groups to pilot• Achieve commitments for plans and organization
• Duration• 1 - 4 months, before any further specific activities
• Outcomes• Project plan committed• Steering committee working, process owner committed, project core team
established, process action teams initialized
© Copyright 2010 KUGLER MAAG CIE GmbHPage 47 – SPICE Upgrade for Functional Safety
Standard Process for ComplianceDelta Phase
• Activities• Process Definition
• Includes process elements like templates and checklists, ready for piloting
• Piloting• Improvement and completion of processes including process elements• Intensive coaching of pilot projects
• Transition• Plan the rollout phase, including training concept• Train the trainer• Rules for transition to changed processes
• Intermediate assessments
• Duration• 6 to 12 months depending of target maturity level and size of the organization
• Duration of process definition shorter than piloting
• Activities may overlap and may be performed e.g. per process group
• Outcomes• Organizational standard process for the development organization
• Training and coaching package for the organization
© Copyright 2010 KUGLER MAAG CIE GmbHPage 48 – SPICE Upgrade for Functional Safety
Standard Process for ComplianceRollout
• Activities• Rollout of the processes to projects according to plan• Rollout not only to new projects. Rollout of relevant processes according to project
phase.• Incremental rollout of parts of the process landscape usually• Quality assurance, feedback loop and change management for processes are
active• Confirmation assessment
• Duration• 6 to 18 months• Overlap with delta phase for some processes
• Outcomes• Organization works according to improved processes
© Copyright 2010 KUGLER MAAG CIE GmbHPage 49 – SPICE Upgrade for Functional Safety
Standard Process for ComplianceInstitutionalization
• Activities• Have a team active for managing continuous changes to processes• Improve further processes due to business needs and customer requirements• Periodic re-assessments of maturity
• Duration• Continuously
• Outcomes• Organization continuously monitors process performance and improves processes
© Copyright 2010 KUGLER MAAG CIE GmbHPage 50 – SPICE Upgrade for Functional Safety
Steps of a Compliance Program
• Inventory of existing processes, tools and practices (initial assessment, gap analysis)
• Definition and prioritization of measures to fill the gaps
• Planning
• Definition of revised processes
• Pilot projects incl. coaching
• Performance reviews, intermediate assessments, lessons learned
• Process definition rework, definition of tailoring guidelines
• Rollout incl. coaching, training, monitoring
• Confirmation assessment
• Institutionalizing phase: Continuous improvement
© Copyright 2010 KUGLER MAAG CIE GmbHPage 51 – SPICE Upgrade for Functional Safety
The Roadmap to Change
Official AppraisalIntermediate AppraisalLevel 2 Level 3
2006 03/2008 09/200903/200709/2005
Level 3Level 3Pilots
Level 2Pilots
Level 2
Pilot Project 1
Pilot Project 2
Pilot Project 3
Pilot Project 4
Roll-Out Project x
Initialization
Planning &Contracting
Start-Up Phase Piloting Phase05/2005
Roll-Out Phase (~ 60% - 80% coverage)
Roll-Out Project kRoll-Out Project j
Roll-Out Project y
© Copyright 2010 KUGLER MAAG CIE GmbHPage 52 – SPICE Upgrade for Functional Safety
Standard Process for ComplianceOrganization
ProductMarketing
Sales
AdvancedProductConcepts
ProductDevelop-ment
Manufac-turing
Delivery
Business Units Core Processes
ManagementControl Board
(Engineering)ProcessGroup Results
Successes &Failures
PerformanceTargets &Objectives
QualityAssurance
ImprovementObjectives
ComplianceVerification
AbilitySupport
ComplianceAnalysis
© Copyright 2010 KUGLER MAAG CIE GmbHPage 53 – SPICE Upgrade for Functional Safety
Example: Organization Principle BoschPublished on Safetronic 2009, Munich
© Copyright 2010 KUGLER MAAG CIE GmbHPage 54 – SPICE Upgrade for Functional Safety
Abs
timm
ung
BU1
BU-Resp.
BU2
BU-Resp.
BU3
BU-Resp.
BU4
BU-Resp.
BUx
BU-Resp.
Part 1Topic-Resp.
Part 2Topic-Resp.
Part 3Topic-Resp.
…Topic-Resp.
Topic-Resp. in
BUResponsibility
Possible ISO 26262 Master Plan set-up
Res
pons
ibili
ty
Safety Control Board:Focus: Strategy & Policy
Project„Functional Safety ISO 26262“
Safety TeamFocus: Cross BU’s
Team
ISO
262
62F
ocus
: Sta
ndar
d
PM
Expert Workshops
© Copyright 2010 KUGLER MAAG CIE GmbHPage 55 – SPICE Upgrade for Functional Safety
Process Improvement and Safety ComplianceList of Process Action Teams (Proposal)
• Project Management• Requirements Elicitation and Management• Safety Analyses and Assessment• System Architecture• System Integration, Test, and Validation• Software Architecture• Software Implementation• Software Test• Hardware Architecture• Quality Management• Build Management and Configuration Management• Problem and Change Request Management• Tool Concept and Tool QualificationNote: This is not a blueprint for all organizations.
Case to case decision necessary depending on many factors.
© Copyright 2010 KUGLER MAAG CIE GmbHPage 56 – SPICE Upgrade for Functional Safety
Organizational units providing know-how and resources
Functional Safety Service Center in the Organization
FSSC
Project 1
Project 2
Project 3
Softwaredesign Test Quality
Development and safety activities
Development and safety activities
Development and safety activities
Pla
nnin
g &
pro
ject
man
agem
ent
Hardwaredesign
FSSC: Functional Safety Service Center
© Copyright 2010 KUGLER MAAG CIE GmbHPage 57 – SPICE Upgrade for Functional Safety
• It is an organizational entity to systematically establish and manage
functional safety
• It provides guidance, know-how and internal/external resources for getting
started with safety activities (jump start with external know-how and
resources)
• It provides training and qualification of project staff with respect to
functional safety knowledge required to perform safety-related analysis,
design and test activities
• It enables improving of standard processes on the organizational level to
become compliant with safety standards
• It facilitates the transfer of external know-how into the organization
• It is an efficient job-aid for all safety-related activities throughout the
complete lifecycle
What is a Functional Safety Service Center?FSSC
© Copyright 2010 KUGLER MAAG CIE GmbHPage 58 – SPICE Upgrade for Functional Safety
• Culture of safe work
• Safe products
• Customer satisfaction
• Reduced rework
• Calculable product risk
• Optimized effort for process maturity (multi-model compliance)
• Process maturity with defined results
• Full compliance with safety-related standards such as IEC 61508 and
ISO/DIS 26262
FSSC Benefits
© Copyright 2010 KUGLER MAAG CIE GmbHPage 59 – SPICE Upgrade for Functional Safety
FSSC ServicesThe project side: Develop safe products
The organizational side: Achieve functional safety capability
FSSCStrategy and Control
Planning functional safety in projects
• Sales support• Supplier management• Functional safety plan including
• Analyses, design, and test for safety• Confirmation measures• Project safety process
• Safety know-how
Establish functional safety competence
• Safety training• Safety job aid workshop• Design for functional safety• Safety analyses training (H&A, FTA, FMEDA)• Testing safety-related products• Functional safety networking• Qualified Project Safety Engineer (QFSE)
Managing functional safety in projects
• Hazard and risk analysis• Functional and technical safety concept• Safety architecture• Safety analyses (FTA, FMEDA, …)• Test support• Reviews, audits, assessments• Safety case
Managing functional safety for theOrganization
• Safety process compliance check• Provide organizational processes for safety• Qualification of hard- and software components• Qualification of software tools
© Copyright 2010 KUGLER MAAG CIE GmbHPage 60 – SPICE Upgrade for Functional Safety
RolesAffected by the FSSC
Roles Responsibilities
Exi
stin
g
Project Manager Managing the project including safety aspects
Hardware Architect Designing the hardware architecture for safety requirements
Software Architect Designing the software architecture for safety requirements
Reviewer Reviewing work products (e.g. safety concept, test plan)
Tester Testing hardware/software systems with specific methods
Auditor Checking implementation of functional safety processes
New
Functional Safety Manager Managing functional safety on organization level
Project Safety Engineer Planning and implementing safety activities in the project
Trainer Training of project staff on safety standards & methods
Safety Assessor Checking the achievement of safety goals
© Copyright 2010 KUGLER MAAG CIE GmbHPage 61 – SPICE Upgrade for Functional Safety
Management of Functional SafetyRecommendations from practice (1)
Implement the role „Functional Safety Manager“• Overall across projects
• Responsible for the definition of the functional safety process
• Definition of tools and resources
• Qualification of the development tools and libraries
• Coordination of audits across projects
• Safety management during the offer phase (up to the project kick-off)
• Safety management after development project closure (SOP)
• Provision of persons specifically qualified (e.g. auditors, assessors and for safety analyses)
• Leader of the Project Safety Engineers/Managers
• Reports to senior management
© Copyright 2010 KUGLER MAAG CIE GmbHPage 62 – SPICE Upgrade for Functional Safety
Management of Functional SafetyRecommendations from practice (2)
Implement the role „Project Safety Engineer / Manager“• Project specific role
• Drives the safety related processes in the project
• Creates the safety plan
• Responsible for all functional safety work products
• Steers the safety related activities in the project
• Moderates analysis sessions or performs safety analyses
• Organizes reviews, audits and safety assessments
• Interface to the customer and to the suppliers for functional safety
• Maintains the safety case
• Reports to the Functional Safety Manager and to the Project Manager
© Copyright 2010 KUGLER MAAG CIE GmbHPage 63 – SPICE Upgrade for Functional Safety
FSSC ImplementationActivities and timeline
1. Functional safety introduction for management
2. Safety process gap analysis and action plan proposal
3. Define functional safety strategy for the organization
4. Set up a FSSC steering board
5. Approve functional safety strategy for the organization
6. Assign Functional Safety Manager
7. Define process tailoring guidelines
8. Train staff
9. Assign Project Safety Engineer
10.Set up safety planning for a customer project
11.Perform and support safety activities in the project as planned
1. - 3.
4. - 6.
7. - 8.
9. - 10.
11.
Week0 2 4 6
FSSC Set-up &
Execution
© Copyright 2010 KUGLER MAAG CIE GmbHPage 64 – SPICE Upgrade for Functional Safety
• Functional safety training modules
• Safety assessment workbench
• Safety analysis workbench
• Sample safe architectures
• Job aid for confirmation measures
• Functional safety process templates (process additions, work product
templates, roles, glossary, …)
FSSC Instruments
© Copyright 2010 KUGLER MAAG CIE GmbHPage 65 – SPICE Upgrade for Functional Safety
Example: Hazard and Risk Analysis
What Performing hazard and risk analysis
• Scheduling the workshop
• Preparing the input documents
• Performing the workshop
• Documenting the results
Who / Roles • Hardware Architect
• Software Architect
• Functional Safety Manager (moderating)
• Project Safety Engineer (preparing, documenting)
When Once in the concept phase of the customer project and at any change of the safety-related
system as part of impact analysis
Input • H&R templates
• Scope definition (vehicle class, countries, customer requirements)
• List of operating modes (e.g. power up, shut down, normal operation)
• List of operating situations (weather, traffic situation etc.)
• Catalogue of potential operating errors
Result • Safety goals
• Top level safety requirements
• ASIL (Automotive Safety Integrity Level)
Effort /
Duration
• 4 Person Days for preparing and documenting
• 2 Days workshop (4 participants)
Timeline for Functional Safety Compliance
© Copyright 2010 KUGLER MAAG CIE GmbHPage 67 – SPICE Upgrade for Functional Safety
Temporal ConsiderationsCompliance with Safety Standard(s)
• Necessary period for achieving compliance with ISO/DIS 26262 is comparable with improving by one maturity level:• A few years. It depends on …
• No one does it in one step. Always in increments.• Important to begin! Make a plan with what to begin.• Beginning is urgent
• Apply state-of-the-art techniques at the time of product release
• ISO 26262 is continuously replacing IEC 61508 as state-of-the-art techniques for Automotive until 2011
• Compliance is recommended/required for products sold
• Development time is typically 3 years in Automotive
© Copyright 2010 KUGLER MAAG CIE GmbHPage 68 – SPICE Upgrade for Functional Safety
When to Begin? Example.Introduction of ISO 26262 at a German OEM
Selected Elements of the Program to Achieve Compliance
© Copyright 2010 KUGLER MAAG CIE GmbHPage 70 – SPICE Upgrade for Functional Safety
Gap Analysis and Planning for a ProjectExample: Proposal for work package
• Activities• Perform functional safety gap analysis for one project• Leading standard for the gap analysis is ISO/DIS 26262.• Expectations of Automotive SPICE (HIS scope) will be considered up to maturity
level 2.• Define improvement infrastructure• Plan process improvement activities for the project
• Duration• Two consecutive weeks onsite: 1 week gap analysis, 1 week planning
• Outcomes• Analysis report and project plan• Plan for continuous consulting and intermediate performance checks
© Copyright 2010 KUGLER MAAG CIE GmbHPage 71 – SPICE Upgrade for Functional Safety
Gap Analysis and Planning for a ProjectEffort indication
• Team• Consulting
• 12 days effort for functional safety and A-SPICE expert
• Organization’s team member• 10 days effort for the team member• Development organization member with good standing
© Copyright 2010 KUGLER MAAG CIE GmbHPage 72 – SPICE Upgrade for Functional Safety
Perform ISO/DIS 26262 Gap AnalysisWith Automotive SPICE considerationsObjectives• To identify the gaps between the requirements of the safety standard ISO/DIS 26262 and actual planning and application of processes,
methods, and techniques in a project. To identify the gaps with respect to infrastructure, organizational structures for safety and established safety culture. The main focus of the analysis is placed on ISO/DIS 26262 part 2, 4, 5, 6, and the supporting processes from part 8 and 9.
• Consider Automotive SPICE standard requirements for gap analysis and definition of improvement measures
Content1. Short introduction into relevant project’s documents such as process descriptions and project handbook
• Product architecture and specification• Functional and technical safety concepts• Safety plan and project plan• Quality plan• Test- and verification plans, test specifications• Verification and test results
2. Get familiar with the documents and plan the systematic gap analysis (planning of joint working sessions for the analysis)3. Analyze documents and check if processes, methods, infrastructure, and organizational structures are adequate to fulfill the general
requirements (planning, configuration management, documentation etc.)• to fulfill specific requirements according to the required ASIL• regarding the system and SW architecture and the diagnostics.
4. Check whether tools in use reflect the state of practice, with particular attention to collecting evidences for the safety case5. Perform interviews with process and product experts to clarify questions regarding the analyzed documents and to obtain additional
information not contained in the documentation6. Derive measures to close the gaps; some measures address Automotive SPICE-related issues7. Review the organizational set-up suitable for maintaining a functional safety culture; perform short (1h) interviews with key stakeholders, like
upper management8. Compile the analysis report including proposed measures and suggestions for tools and their integration9. Results presentation & discussion of measures and next steps
Customer Obligations• The organization provides relevant documents as specified in “Content”• Safety Manager and Safety Engineer, Project Manager and Quality Engineers (System and SW), Requirements Manager, Architects,
Developers, Testers, are available for interviews and to provide information on the project’s safety concept
© Copyright 2010 KUGLER MAAG CIE GmbHPage 73 – SPICE Upgrade for Functional Safety
SPICE Work Product 10-00 Process DescriptionSmall differences for functional safety
Automotive SPICE:• A detailed description of the process/procedure which
includes:• tailoring of the standard process (if applicable)
• purpose of the process
• outcomes of the process
• task and activities to be performed and ordering of tasks
• critical dependencies between task activities
• expected time required to execute task
• input/output work products
• links between input and outputs work products
• Identifies process entry and exit criteria• Identifies internal and external interfaces to the process• Identifies process measures• Identifies quality expectations• Identifies functional roles and responsibilities• Approved by authorised personnel
Functional Safety:• Additionally:
• Methods how to do it
• Dependence from ASIL
• Tool to be used (qualified)
• Independence for confirmation measures
• Mandatory activities (e.g. H&R, confirmation measures)
• Mandatory work product attributes (e.g. for functional safety requirements)
• Not all SPICE characteristics are required for functional safety, e.g.• expected time required to
execute task
• process measures
© Copyright 2010 KUGLER MAAG CIE GmbHPage 74 – SPICE Upgrade for Functional Safety
What to Change in Standard Process?Implement change in all kinds of elements of processes
• Changed, additional, deleted elements
• Variants according to ASIL
• Lifecycle
• Process
• Activity in a process
• Work product
• Template
• Checklist
• Method
• Tool
• Attribute
• Role
Confirmation Measures
© Copyright 2010 KUGLER MAAG CIE GmbHPage 76 – SPICE Upgrade for Functional Safety
Confirmation MeasuresReviews, Audits and Assessments in the Lifecycle
Safety analyses
Integration and test planSafety plan
Hazard analysis, risk assessment, safety goals
t
Safety Lifecycle Concept phase Product Development Production, Operation
Reviews
Audits
Assessments of functional safety
Project Start SOPSampleSampleStart Product
DevelopmentEnd of
Decommissioning
Validation planSafety analyses
V&V test cases V&V test cases V&V test cases
V&V tests V&V tests V&V tests
Qualification of components
Qualification of software toolsSafety case
Proven in use argument
Project independent After initiation of product development
After initiation of product development at hardware level
After initiation of product development at software level
After a major sample After a major sample
At product release
During production and operation
At product release( ) Intermediate( ) Intermediate
© Copyright 2010 KUGLER MAAG CIE GmbHPage 77 – SPICE Upgrade for Functional Safety
Evaluations in the Safety Lifecycle
Verifi-
cation
Walkthrough
Review
Inspection
t
Safety Lifecycle
Concept phase Product Development Production,Operation
Project Start
SOPSampleSampleStart Product Development
End of Decommissioning
Activity specific for functional safetyActivity specific for A-SPICE Joint activity
Validation
Testing
Safety Validation
Analysis
Optional activity
Safety analysis
Audit
Process assessment
Safety assessment
Quality management
Project independent
© Copyright 2010 KUGLER MAAG CIE GmbHPage 78 – SPICE Upgrade for Functional Safety
ISO/DIS 26262-2 Confirmation Measures
© Copyright 2010 KUGLER MAAG CIE GmbHPage 79 – SPICE Upgrade for Functional Safety
Two Interesting NotesISO/DIS 26262-2, clause 6.4.6.3
NOTE 1 on combining a SPICE assessment with a functional safety assessment
• If the functional safety assessment is performed by a qualified SPICE assessor, then the functional safety audit and a SPICE assessment can be performed simultaneously. There is sufficient commonality in content between ISO°26262 and SPICE to allow synchronizatio n of the planning, and execution of, for some supporting processes. Otherwise, if synchronized, the certified SPICE assessor can provide feedback to the safety assessor.
NOTE 2 on compliance of process definitions with SPICE and ISO 26262• An organization’s process definitions can address multiple standards at the
same time, e.g., functional safety requirements of ISO°26262 and SPICE. This might help to avoid duplication of work or process inconsistencies. In those cases, organization specific reference lists of process references to ISO°26262 requirements and to SPICE base practices can be provided.
© Copyright 2010 KUGLER MAAG CIE GmbHPage 80 – SPICE Upgrade for Functional Safety
Example: Confirmation Measures BoschPublished on SPICE Days 2009, Stuttgart
© Copyright 2010 KUGLER MAAG CIE GmbHPage 81 – SPICE Upgrade for Functional Safety
Example: Assessement Methods BoschPublished on SPICE Days 2009, Stuttgart
Success Factors for Achieving Functional Safety Capability
Comparable with Process Improvement Success Factors
© Copyright 2010 KUGLER MAAG CIE GmbHPage 83 – SPICE Upgrade for Functional Safety
Success is a Question of Culture
Safety culture• There needs to be a culture for providing safe products
• Safety Culture (ISO/DIS 26262-1, 1.104): Policy and strategy used within an organization to support the development, production, and operation of safety related systems
Process culture• There needs to be a culture to work in a systematic way according to
constantly improving procedures
Some definitions of “culture”• Culture is a collective programming of the mind that distinguishes the members of one
group or category of people from another. (www.tamu.edu)• Culture is a shared, learned, symbolic system of values, beliefs and attitudes that
shapes and influences perception and behavior -- an abstract "mental blueprint" or "mental code.“ (www2.eou.edu)
© Copyright 2010 KUGLER MAAG CIE GmbHPage 84 – SPICE Upgrade for Functional Safety
ResourcesSkills
Incentives
VisionImprove-
mentCommitment
Communication/Change Mgmt.
PI Program Management
Culture
Success Factors for Process Improvement
© Copyright 2010 KUGLER MAAG CIE GmbHPage 85 – SPICE Upgrade for Functional Safety
ResourcesSkillsActionPlan
IncentivesVision Change
ResourcesSkillsActionPlan
Incentives Confusion
ResourcesActionPlan
IncentivesVision Anxiety
ResourcesSkillsActionPlan
VisionSlow
Change
SkillsActionPlan
IncentivesVision Frustration
ResourcesSkills IncentivesVision FalseStarts
Consequences of missing Success Factors They all are important
Management, Communication, and Culture
© Copyright 2010 KUGLER MAAG CIE GmbHPage 86 – SPICE Upgrade for Functional Safety
Health Check
Make a Health Check to determine whether your organization is likely to succeed
0
1
2
3
4Vision
Commitment
Skills
Incentives
Resources
PI Project Management
Communication / Change Management
Culture
green 4,00 5,00Process improvement (PI) project to achieve functional safety (FS) compliance yellow 3,00 3,99
orange 2,00 2,99red 0,00 1,99
Success Factor
Question Answers Overall Result
Weighting (1=low, 4=high)
Functional Safety Control Board
Functional Safety Team
Quality Assurance
Development Department
Number of Participants
To what extend does management understand FS compliance as strategically important / as a strategic tool to achieve business goals?
2 4 1
How are FS processes linked to business goals? 3 1 1How are process and FS objectives deployed into the organization, e.g., is FS part of a systematic policy deployment? Are policies and objectives deployed and communicated adequately?
3 3 1
How is the implementation of company objectives and FS compliance and objectives tracked systematically and consistently?
2 1 1
How does management support the PI project, visible to its staff / employees? 3 3 1How does management take an active role in the PI project, e.g. by removing organizational barriers or by participating in a Control Board?
2 2 1
To what extend does management provide adequate resources, and does it establish corresponding priorities in relation to other initiatives as well?
3 2 1
How does management challenge the objectives and requirements in relation to the deployment progress in the organization?
2 2 1
How would you rate know-how and experience with respect to organizational change and impact within the organization?
2 2 1
How would you rate the degree of experience in the planning and management of change / improvement programs?
2 2 1
How much know-how exists regarding the required FS standard and approach?
2 3 1
How is the PI project actively supported by the goal and reward system of the organization?
4 1 1
How are conflicts of interests or goals between individuals mitigated by incentives and the organization's goal system?
3 1 1
Which further incentives (praise, management attention, …) are there? 2 1 1
To what extend are there sufficient resources for full-time staff in the PI project (e.g. EPG, PI-PL)?
2 4 1
Which resources for process experts in the improvement project (e.g. process owner, PAT members) are there?
2 3 1
To what extend are there sufficient resources for key functions (trainers, auditors, coaches, consultants)?
2 2 1
To what extend are there sufficient resources available for the process users to learn about the new processes?
2 2 1
Are sufficient resources available for the process users to execute the processes?
2 4 1
To what extend is the PI project executed as a project with clear responsibilities, realistic planning, and good tracking?
4 4 1
To what extend does the PI project have good management attention or does it allow for escalation (high-ranking sponsor, Control Board)?
3 3 1
How does the PI project maintain close cooperation with Quality Assurance to be able to utilize their observations regarding process compliance and product quality as well?
2 2 1
Which awareness of a problem and that there is a need for change management is within the organization?
2 2 1
How is change management established as an integral part of the improvement project (time, capacities, …)?
2 3 1
How does management use Quality Assurance as an independent observer of the change?
2 2 1
To what extend is the volume of communication adequate, and do people communicate?
3 3 1
To what extend does the communication clearly and demonstrabely reach all necessary target groups (management, customer, line, projects, staff, ...)? 3 3 1
How is process compliance rewarded (or are successful fire fighters rewarded)?
3 2 1
To what extend is the culture solution-oriented (or does one look for somebody to blame)?
2 5 1
How does a preoccupation with processes tend to advance or hinder one's career?
2 3 1
To what extend are long-term measures sacrificed for result improvements in the short-term?
2 3 1
On the whole, are process application and improvement running smoothly or are there barriers to be taken seriously?
3 3 1
Cul
ture
3,1
Score (0-5); 0=low, 5=high
Com
mun
icat
ion
/ C
hang
e M
anag
emen
tIn
cent
ives
1,0
Ski
lls 2,3
2,7
PI P
roje
ct
Man
agem
ent
3,2
Res
ourc
es
Legend for overall result
Com
mitm
ent
2,3
Vis
ion
2,2
Health Check
3,0
How does management support the PI project, visible to its staff / employees?
How does management take an active role in the PI project, e.g. by removing organizational barriers or by participating in a Control Board?To what extend does management provide adequate resources, and does it establish corresponding priorities in relation to other initiatives as well?How does management challenge the objectives and requirements in relation to the deployment progress in the organization?C
omm
itmen
t
Cost Considerations
© Copyright 2010 KUGLER MAAG CIE GmbHPage 88 – SPICE Upgrade for Functional Safety
Functional Safety Capability Effort / Cost on the Organizational Level
Extension of documented processes for functional safety (organizational level).Assumed: CMMI/SPICE maturity „nearly“ 2; medium size organization200 person days (process descriptions, utilities, piloting, …)
Maintaining functional safety capability on an organizational level.Depends on the size of the organization.For 50 – 100 developers in safety related development projects one person in full time (e.g. Functional Safety Manager)
• Additional roles, additional process elements, new and changed templates, tools, training, …
• Definition, piloting, rollout• Much less effort for a mature organization• KUGLER MAAG CIE experiences
© Copyright 2010 KUGLER MAAG CIE GmbHPage 89 – SPICE Upgrade for Functional Safety
Management of Functional SafetyEffort / Cost for a Project
• Effort for SIL / ASIL projects will increase when compared to non safety-related projects of the same complexity
Note:• Estimation, not measured data
• Many factors heavily influence actual effort
• Clarify assumptions and requirements before making estimations
IEC 61508 ISO/DIS 26262 Effort Increase
1 A 15 - 25 %
2 B 20 - 40 %
3 C 30 – 60 %
3 D 50 – 100 %
© Copyright 2010 KUGLER MAAG CIE GmbHPage 90 – SPICE Upgrade for Functional Safety
Summary
• Maturity models and standards for functional safety overlap• Some supporting, some missing, some required elements in Automotive SPICE• A process assessment is not an assessment of functional safety• Maintain a mapping from the maturity model and the functional safety standard to
the standard process
• Safety measures need to be implemented• Product and process• To avoid, to detect and to control faults
• A program must be performed to achieve safety compliance• A gap analysis identifies what to do to achieve safety compliance• Change management is key for a success of this program• Cost of functional safety heavily vary depending on circumstances• An organizational unit is recommended to manage functional safety across
projects (Functional Safety Service Center)
• It is urgent to achieve safety compliance because of product liability
© Copyright 2010 KUGLER MAAG CIE GmbHPage 91 – SPICE Upgrade for Functional Safety
Thank you for your participation!
Should you have any questions please do not hesitat e to contact us …
KUGLER MAAG CIE GmbHLeibnizstraße 11D-70806 KornwestheimInternet: www.kuglermaag.comTel. Office : +49 7154 - 807 210Email: [email protected]
Dr. Erwin PetryEmail: [email protected]: +49 (0) 173-678 7337
© Copyright 2010 KUGLER MAAG CIE GmbHPage 92 – SPICE Upgrade for Functional Safety
Our Book aboutFunctional Safety(in German)
Can be ordered here:http://www.kuglermaag.de/webshop.html