7/27/2019 Autosar Karlsson-fritzson Iso26262 Iesf2013
1/20
ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety
September 2013
Kristoffer Karlsson, Safety Manager, Automotive Embedded Systems Division, Mentor Graphics
Mathias Fritzson, Product Line Manager Picea, Mecel
ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety
Agenda
- Background
- ISO 26262-Compliant AUTOSAR Development
  - Distributed development
  - Automotive Safety Integrity Level (ASIL)
  - Tier-1 and Tier-2 responsibilities
  - Integration of the BSW Safety Element out of Context (SEooC)
- Experiences, Lessons Learnt from AUTOSAR 4.0.x ECU projects
KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013
BACKGROUND
Background
- The number of complex safety-related electronic/electrical systems in today's automobiles continues to grow
- Hazardous events due to incorrect behavior in these systems have to be prevented or properly mitigated
- Standardization efforts address these issues
  - Reduce the risk of hazardous events by ensuring the integrity of safety systems
  - Use of appropriate development processes and safety mechanisms within the architectural design
ISO 26262 and AUTOSAR
AUTOSAR ECU development process
- BSW requirements, some of which may be safety related
- BSW architecture design, including safety mechanisms for prevention or detection of faults
ISO 26262
- Safety analysis, safety management
- System, HW and SW development process
- System, HW and SW architectural requirements
Overlap
- AUTOSAR provides some of the work products that are part of the initial stages of an ISO 26262 development process
- AUTOSAR safety mechanisms support fulfillment of the Technical Safety Concept on system level in ISO 26262
ISO 26262-COMPLIANT AUTOSAR DEVELOPMENT
ISO 26262-Compliant AUTOSAR Development
- ISO 26262 compliance required in case a Technical Safety Requirement may be violated due to a fault in the SW
- AUTOSAR BSW, or individual modules, developed as Safety Element out of Context (SEooC)
  - BSW developed based on assumptions; context not known
- BSW shall have the same or higher ASIL than the SW-C
  - For higher ASILs architectural redundancy and/or partitioning of the BSW may be needed
- Freedom from interference partly ensured by BSW safety mechanisms in mixed ASIL architectures
- Tool confidence needs to be considered, e.g. for AUTOSAR configuration
ISO 26262 Requirements to Consider
- Distributed development
- Automotive Safety Integrity Level (ASIL)
- Tier-1 and Tier-2 responsibilities
  - Development Interface Agreement (DIA)
- Integration of the BSW Safety Element out of Context (SEooC)
Distributed Development - Subcontracting
- RFQ shall define if ASIL compliance is required
  - If not, QM level is assumed (ISO 26262 is not applicable)
- When ASIL is required by RFQ a Development Interface Agreement (DIA) shall be set up between Tier-2 and Tier-1
  - Part of the contractual agreement detailing responsibilities for activities, evidence and work products to fulfill the ASIL
- Tier-2 and Tier-1 need to work together to fulfill the ASIL
Automotive Safety Integrity Level (ASIL)
- ASIL tailoring to Tier-1 needs
  - Validation of assumed BSW safety requirements against the Technical Safety Concept
  - May result in additional safety requirements for BSW
- ASIL determines the evidence required for the BSW SEooC
  - Work products the same, different scope and content
- ISO 26262 Work Products provided as optional deliverable with BSW to build the Safety Case by Tier-1:
  - BSW Safety Plan
  - Safety Manual
  - Safety Requirements Specification/Assumptions
  - Verification Plan/Specification/Report
Tier-1 and Tier-2 Responsibilities - for BSW SEooC Development
SW Development Subphase                           | Responsible
--------------------------------------------------|------------------
Initiation of SW development, methods, tools used | Tier-2
Specification of SW Safety Requirements           | Tier-2 + AUTOSAR
SW architectural design                           | AUTOSAR
SW unit design and implementation                 | Tier-2
SW unit testing                                   | Tier-2
SW integration and testing                        | Tier-1 + Tier-2
Verification of SW Safety Requirements            | Tier-1 + Tier-2
Development Interface Agreement
- Definition of Safety Managers, and contact details, at both Tier-2 and Tier-1
- Responsibilities for activities, evidence and work products by Tier-2 and by Tier-1
- Which Work Products shall be exchanged
  - Input from Tier-1 for tailoring of SEooC and evidence
  - Evidence from Tier-2
- When Work Products are needed by Tier-2 and Tier-1
- How data shall be exchanged: submitted or made available?
- Internal/external assessment, onsite audits etc.
Integration of the BSW SEooC
EXPERIENCES/LESSONS LEARNT
Experiences from AUTOSAR/ISO 26262 Projects, 1 of 2
- ASIL compliant COTS not possible in practice
  - As COTS: SEooC assumptions accepted as is -> requires unfeasible detail in assumptions for system/SW architecture, performance, timing etc. to match with customer system
  - Not COTS: safety mechanisms and BSW verification to ensure enough system resources
- Important to work together to achieve ASIL
  - Ensure that the SEooC and ASIL you use provides a safe architecture
  - Consider use of ASIL decomposition where possible
- A tailored SEooC may be the most cost effective solution
  - Evidence to the ASIL needed, not more
  - Tailoring to customer specific safety mechanisms
  - Ensure that compliance evidence can be provided
Experiences from AUTOSAR/ISO 26262 Projects, 2 of 2
- Tests need to be performed on the configured BSW
  - SEooC can only be tested on a general configuration
  - Responsibility for these tests should be detailed in the DIA
  - Not likely that a qualification of the configuration tool would give sufficient confidence to get around this
  - For higher ASILs (C and D) the SEooC verification has to be tailored to the particular configuration
- ASIL C or D on the BSW may not be enough to fulfill ASIL C/D for the ECU
  - Architectural redundancy recommended/highly recommended for ASIL C/D
- Production volume decides on how to manage ASIL
  - A volume dependent tradeoff between BOM and SW development decides ASIL decomposition
Lessons Learnt
- Start in time
  - With time plan
  - With safety requirements
- Ensure that everybody has a good understanding of what shall be delivered, by whom and when
  - DIA
  - Delivery plan (e.g. as part of DIA)
- Establish the right processes from the start
  - Standard industry methods, documented and performed as planned
- Important to have a knowledgeable partner
  - Easy to become overambitious or overwhelmed
- Safety considered in all parts of development