
Introduction to Functional Safety



Transcription of Introduction to Functional Safety

Introduction to Functional Safety
Hurley Davis, Director of Engineering, Elektrobit
November 8, 2018
(Every slide carries the footer "Elektrobit (EB) 2018, Introduction to Functional Safety".)

What is Functional Safety? ISO 26262 definitions

- Safety: absence of unreasonable risk.
- Risk: combination of probability and severity.
- Functional safety: absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems.
- E/E system: system of electrical and electronic components, including software.

ISO 26262 Functional Safety Standard

- Introduced in 2011; second edition expected late 2018.
- Automotive safety lifecycle.
- Automotive risk-based approach.
- Requirements for validation and confirmation measures.

ISO 26262 consists of ten parts

The slide shows the safety lifecycle as a diagram of the ten parts and their clauses:

1) Vocabulary
2) Management of Functional Safety: overall safety management; safety management during item development; safety management after SOP (start of production)
3) Concept Phase: item definition; initiation of the safety lifecycle; hazard & risk analysis; functional safety concept
4) System Development: initiation; system requirements; system design; item integration and test; validation & safety assessment; release
5) Hardware Development: initiation; HW safety requirements; HW design; HW architectural metrics; HW failure rate; HW integration and testing
6) Software Development: initiation; SW safety requirements; SW design; SW unit design & implementation; SW unit testing; SW integration and testing; verification of SW safety requirements (the HSI, the hardware-software interface, sits between parts 5 and 6)
7) Production and Operation: production; service; observation
8) Supporting Processes: distributed development; management of safety requirements; configuration management; change management; verification; documentation; qualification of SW tools; qualification of SW; qualification of HW; in-use argumentation
9) ASIL-Oriented and Safety-Oriented Analysis: requirement decomposition; coexistence of elements; analysis of dependent failures; safety analysis
10) Guideline

ISO 26262 has 10 parts, 500 pages, 43 chapters, 600 requirements, 100 work products and 180 methods.

Automotive Safety Integrity Level (ASIL)

Defined in ISO 26262:2011, Part 3.

Hazard Analysis and Risk Assessment (HARA)

HARA workflow: function definition; hazard identification (situation analysis, hazardous event identification); hazard classification; derivation of safety goals. The resulting risk potential is expressed as QM, A, B, C or D.

Step 1: Define the function to be analyzed
Example: Adaptive Cruise Control (ACC) with emergency braking.
[Figure: ACC software architecture used in the example, with blocks for Safety and Error Management, Situative Behavior, Arbitration, HD Positioning, Object Fusion, Grid Fusion, Road & Lane Fusion, Vehicle Database, Function Specific Views, Sensor Data Fusion, Situation Analysis, Behavior, Path Planning, Trajectory Control, Longitudinal Control, Lateral Control, Motion Management, HMI Management, and Vehicle Abstraction (Sensors / Actuators); the ACC path through the architecture is highlighted on each step slide.]

Step 2: Define a possible malfunction
Example: braking force too high (above ACC norm). The slide records the malfunction details and the hazard description for this possible malfunction.

Step 3: Define a critical situation
Example: normal highway driving in fog (degraded view) at high speed (rear traffic near). The situation is described by operating mode, operational situation, environmental condition and speed (details).

Step 4: Evaluate consequences of the malfunction
Example: rear-end collision with speed difference > 25 mph. The slide records the hazardous event details, i.e. the effect of the malfunction.

Step 5: Classify the hazardous event

Severity, exposure and controllability
- Severity (S), the degree of potential harm to persons: S0 no injuries; S1 light or moderate injuries; S2 severe and life-threatening injuries; S3 life-threatening or fatal injuries.
- Exposure (E), the probability of being in the situation: E0 incredible; E1 very low probability; E2 low probability; E3 medium probability; E4 high probability.
- Controllability (C), the ability to avoid harm through the reaction of the persons involved: C0 controllable in general; C1 simply controllable; C2 normally controllable; C3 difficult to control or uncontrollable.

ASIL level derived from S, E and C

        C1  C2  C3
S1  E1  QM  QM  QM
    E2  QM  QM  QM
    E3  QM  QM  A
    E4  QM  A   B
S2  E1  QM  QM  QM
    E2  QM  QM  A
    E3  QM  A   B
    E4  A   B   C
S3  E1  QM  QM  A
    E2  QM  A   B
    E3  A   B   C
    E4  B   C   D

ASIL determination example (the ACC hazardous event above):
- Severity of potential harm: S3, life-threatening or fatal injuries.
- Exposure of situation: E3, medium probability.
- Controllability of hazardous event: C3, difficult to control or uncontrollable.
- Result: ASIL C.
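The S/E/C classification carried through to an ASIL, as an added example that is not the deck's own code: it encodes the table from the slide, runs the deck's ACC hazardous event through it, and sanity-checks that the transcribed table never lowers the ASIL when a class is raised. The class-0 handling (S0, E0 or C0 gives QM) is an assumption taken from the standard, not from the slides.

```python
"""Added example (not from the deck): ASIL determination for one HARA record."""
from dataclasses import dataclass

# ASIL_TABLE[S][E] holds the C1, C2, C3 cells, transcribed from the "ASIL Level derived from" slide.
ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}
ORDER = ["QM", "A", "B", "C", "D"]  # ascending integrity level

def determine_asil(s: int, e: int, c: int) -> str:
    """Return QM/A/B/C/D for severity S0-S3, exposure E0-E4, controllability C0-C3."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"S{s}/E{e}/C{c} is outside the ISO 26262 classes")
    if 0 in (s, e, c):  # assumption from the standard, not on the slides: class 0 means no ASIL (QM)
        return "QM"
    return ASIL_TABLE[s][e].split()[c - 1]

@dataclass
class HazardousEvent:
    """One HARA row: steps 1-4 of the deck's workflow plus the step-5 S/E/C classification."""
    function: str
    malfunction: str
    situation: str
    effect: str
    s: int
    e: int
    c: int
    def asil(self) -> str:
        return determine_asil(self.s, self.e, self.c)

def table_is_monotonic() -> bool:
    """Sanity check on the transcription: raising S, E or C by one class never lowers the ASIL."""
    rank = {a: i for i, a in enumerate(ORDER)}
    cells = [(s, e, c) for s in range(1, 4) for e in range(1, 5) for c in range(1, 4)]
    for s, e, c in cells:
        here = rank[determine_asil(s, e, c)]
        for nb in ((s + 1, e, c), (s, e + 1, c), (s, e, c + 1)):
            if nb in cells and rank[determine_asil(*nb)] < here:
                return False
    return True

# The deck's ACC example carried through the five HARA steps; the ASIL falls out of the table.
ACC_EXAMPLE = HazardousEvent(
    function="Adaptive Cruise Control (ACC) with emergency braking",
    malfunction="Braking force too high (above ACC norm)",
    situation="Normal highway driving in fog (degraded view) at high speed, rear traffic near",
    effect="Rear-end collision with speed difference > 25 mph",
    s=3, e=3, c=3,
)
```

`ACC_EXAMPLE.asil()` returns "C", matching the slide; changing only the exposure to E4 would raise it to D, which is the kind of sensitivity a review of the HARA should look at.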

Development methods dependent on ASIL levels

The method tables in ISO 26262 rate each method per ASIL:
- ++ The method is highly recommended for this ASIL.
- + The method is recommended for this ASIL.
- o The method has no recommendation for or against its usage for this ASIL.

(The slide repeats the ten-part lifecycle diagram shown earlier.)

Functional safety alone is not sufficient

- Functional safety protects from hardware or software not working according to the specification.
- Security* protects from unauthorized access or attack.
- Safety of the Intended Functionality (SOTIF) protects from hazardous situations due to unspecified behavior.
- Usage safety protects from poor usability inducing risks.
- Active / passive safety protects from accidents and accident impacts.
* Issues can lead to safety hazards.

Security impacts safety

OTA/wireless capabilities can give unintended access to safety functions, which creates hazards to passengers; the slide's example is hacking vehicle steering. Security and safety go hand-in-hand.

Safety of the Intended Functionality (SOTIF)

Issue, as given on the slide:
- First F-14 Tomcats: the variable for altitude was level = 0 meters, and areas below sea level were not considered.
- The surface of the Dead Sea is 400 m below sea level.
- The plane descended below sea level with autopilot engaged. Airplane autopilot systems use the measured altitude to regulate horizontal.
- Altitudes below sea level were reported incorrectly.
- The plane crashed into the Dead Sea.

Functional safety and nominal performance: bad weather conditions; hidden speed signs; assignment of traffic lights to lanes. Sensors can be functionally safe, but is the performance sufficient?

Closing remarks

- Technology benefits and risks.
- Laws are put into place to protect people.
- State-of-the-art methods, processes and tools.
- Internal competence development programs.
- Professional functional safety consulting.
We are committed to staying ahead of the technology curve and helping our customers, suppliers and partners do the same!

Hurley Davis, Director of Engineering

