
TRANSCRIPT

Page 1: Efficient approach to manage ISO 26262 lifecycle Principles and … · 2015. 12. 31. · – Examples: ISO 26262, IEC 61508, ... are performed based on architecture models • 在结构模型的基础上进行安全分析(例如特殊的架构指标)

Dr. Eckhardt Holz & Deng Wei (邓伟)

2/27/2014 (the Chinese version of the slide is dated 24 February 2014)

Efficient approach to manage ISO 26262 lifecycle

Principles and Practice

 

Page 2: ikv++ technologies ag – A KPIT Company

© KPIT Technologies Limited

– German shareholder company that recently became a member of the KPIT family (Functional Safety Practice)
– focus on products and solutions for automotive safety, reliability and quality
– efficient team of experienced safety engineers, safety managers and software and hardware specialists
– global service, consulting and support capabilities
– 10+ years in the market
– 120+ customers worldwide
– AUTOSAR Development Member
– partner of IBM Rational and The MathWorks
– sales partnership with HIRAIN Technologies in China

 

Page 3: our product lines – software and services for automotive safety and reliability

– medini™ analyze: the integrated solution for the analysis of functional safety, reliability and quality according to standards such as IEC 61508 and ISO 26262, VDA and SAE
– medini™ unite: the product for change and configuration management support for model-based software engineering

 

Page 4: functional safety: importance and definition

• the provision of any technical system may cause harm to humans
  • directly – burns, electrical shock, physical damage etc.
  • indirectly – pollution of the environment
• it is an important development goal to deliver safe products
• safety
  – absence of unacceptable risk
• functional safety
  – absence of unacceptable risk due to hazards caused by malfunctioning behavior of the system
• the risk of the system has to be reduced to a tolerable level
  – a risk evaluation becomes necessary
  – a definition of "tolerable" is necessary
• strong regulations are required and in place
  – safety standards and legal requirements emphasize safety aspects during systems engineering
  – Examples: ISO 26262, IEC 61508, DO-178C, …

(caption fragment of a picture on the slide:) caused by malfunction of the electronic gas pedal?

 

Page 5: safety related activities in systems engineering processes

hazard analysis
driving situation analysis
risk assessment
controllability analysis
safety goals
safety requirements
fault tree analysis
hardware metrics
failure mode and effects analysis (FMEA)
argumentation of freedom from interference
safety validation
configuration management
change management
safety architecture
functional safety concept

safety standards like ISO 26262 require multiple activities to be performed and additional work products to be produced

 

Page 6: safety and engineering lifecycle

ISO 26262: safety related activities have to go hand in hand with engineering activities

(diagram: the engineering V-model (Dev / Val) side by side with the safety lifecycle, linked by import/export and generate steps, all under configuration management. Engineering artifacts: item description, preliminary architecture, HW models, SW models, coding, unit tests, unit test reports, integration tests, coverage analysis, validation plan, validation results. Safety artifacts: item definition, hazard & risk analysis, HAZOP, architecture (functional/structural), safety requirements, FMEA, FME(D)A, FTA.)

 

Page 7: role of system design models

– the system design models are a key artifact for the integration of engineering and safety activities
  • many safety activities require (at least preliminary) architectural information
  • safety requirements need to be realized by specific design choices that need to be reflected in the system models
  • architectural elements obtain their Safety Integrity Levels (SIL/ASIL) by allocation of safety requirements to them
  • safety analyses (e.g. specific architecture metrics) are performed on the basis of architecture models
– model-based approaches are gaining increasing popularity in the automotive industry
  • EAST-ADL, SysML, …

 

Page 8: hierarchies in automotive system development

(diagram: three development levels and the models exchanged between them)

OEM: Item, modeled in SysML with messages; functions and malfunctions; <<refined>> into the Tier 1 subsystems
Tier 1: Subsystems, modeled in SysML with signals and failure modes (FM); functions and malfunctions; <<uses>> FR/FM catalogs (or a database); <<refined>> into components
Tier 1/2 / semiconductors: Components and HW parts, modeled in SysML with signals/electrics, HW failure modes and BOM, and SysML with sub-part failures; <<uses>> a part library (SysML) and FR databases (or FR catalogs)
Relations drawn between the levels: <<refined>>, <<uses>>, <<contributes>>, <<alloc>>

FM: Failure Mode; FR: Failure Rate; BOM: Bill Of Materials

 

Page 9: architecture V.x – workflow

(diagram: round trip between System Designer and Safety Engineer on an airbag example)

System Designer: creates the initial architecture (SysML block diagram with the parts ACU:Controller1, Bumper Sensor:Crash sensor1, Inflator D:Inflator1, Inflator P:Inflator1 and Power:Battery1, connected through outgoing/incoming ports)
Safety Engineer: adds safety data, analyzes and derives requirements; the requirements go to the RMS (requirements management system)
System Designer: updates the architecture (enhanced architecture)
Safety Engineer: updates the safety data, re-analysis, potential new requirements

 

Page 10: (1) SysML model import into medini analyze

(screenshot: the airbag SysML block diagram with the parts ACU:Controller1, Bumper Sensor:Crash sensor1, Inflator D:Inflator1, Inflator P:Inflator1 and Power:Battery1)

development of a SysML model with Rhapsody
– the model is produced as a result of the ordinary development process
– the model contains parts, blocks, ports and connectors
SysML model is imported into medini analyze
– model elements are derived according to the Rhapsody information
– the Rhapsody API is applied

 

Page 11: (2) establishing relations between model elements

(screenshot: functional safety requirements traced to the imported preliminary architecture)

the imported model is traced to other model elements
an example is the allocation of functional safety requirements
such semantic links are used to relate or compute safety information for an architecture element, e.g. its ASIL

 

Page 12: (3) specification of safety properties

extension of the architecture by safety properties
– failure modes and failure rates must be specified for the elements of the safety architecture
– such data can be calculated or taken from common catalogs such as SN 29500, IEC 62380 or the Birolini Safety Handbook
– the quantitative verification of the architecture is based on these data

 

Page 13: (3) specification of safety properties

step-by-step guidance through the catalog to determine the failure rates for all elements

 

Page 14: (3) specification of safety properties

parameter values which may influence the failure rate can be defined at element level or be derived from parent components

 

Page 15: (3) specification of safety properties

(screenshot: element library)
– imported from BOM or ECL Excel
– failure data derived from the library: each element refers to an entry in the library
– all entries with the same part number have the same failure information

 

Page 16: (4) verification of the technical safety architecture

the system architecture is analyzed concerning violations of the safety goal
– failure modes and rates of the architectural elements are used as the source for probability values
– drag & drop from architecture to FTA
– FTA trees are constructed and analyzed
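The slide describes the step in words only. The following is an added example (not code from the slides or from medini analyze) of what "constructed and analyzed" means for such a tree: basic events carry the failure rates taken from the architecture elements, AND/OR gates describe how they combine into a violation of the safety goal, and the tree is evaluated both exactly (bottom-up, which is only valid when no basic event appears in two branches) and through minimal cut sets (which handle shared events and show which single failures dominate). The airbag events, the failure rates in FIT and the 8000 h mission time are constructed for illustration; the element names follow the block diagram on the earlier slides.

```python
"""Fault tree evaluation from architecture failure modes and rates.

Added example for this page, not code from the slides or from medini analyze.
The airbag events, their failure rates (in FIT) and the mission time are
constructed for illustration; the names follow the block diagram above.
"""
import math
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple, Union

FIT = 1e-9  # one FIT = one failure per 1e9 operating hours


@dataclass(frozen=True)
class BasicEvent:
    """A failure mode of an architecture element with a constant failure rate."""
    name: str
    fit: float


@dataclass(frozen=True)
class Gate:
    """AND/OR gate over sub-gates or basic events."""
    name: str
    kind: str  # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[BasicEvent, Gate]


def event_probability(event: BasicEvent, hours: float) -> float:
    """Probability that the failure occurs within the mission time (exponential model)."""
    return 1.0 - math.exp(-event.fit * FIT * hours)


def gate_probability(node: Node, hours: float) -> float:
    """Bottom-up evaluation; exact only if no basic event appears in more than one branch."""
    if isinstance(node, BasicEvent):
        return event_probability(node, hours)
    ps = [gate_probability(child, hours) for child in node.inputs]
    if node.kind == "AND":
        return math.prod(ps)
    if node.kind == "OR":
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Minimal combinations of basic events that cause the top event (handles shared events)."""
    if isinstance(node, BasicEvent):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = set().union(*child_sets)
    elif node.kind == "AND":
        sets = child_sets[0]
        for other in child_sets[1:]:
            sets = {a | b for a in sets for b in other}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    # a cut set that contains a smaller cut set is not minimal
    return {s for s in sets if not any(o < s for o in sets)}


def basic_events(node: Node) -> Dict[str, BasicEvent]:
    """All basic events of the tree, by name."""
    if isinstance(node, BasicEvent):
        return {node.name: node}
    found: Dict[str, BasicEvent] = {}
    for child in node.inputs:
        found.update(basic_events(child))
    return found


def cut_set_probabilities(node: Node, hours: float) -> Dict[FrozenSet[str], float]:
    """Probability of each minimal cut set; their sum is the rare-event approximation of the top event."""
    events = basic_events(node)
    return {cs: math.prod(event_probability(events[n], hours) for n in cs)
            for cs in minimal_cut_sets(node)}


# Constructed airbag fault tree for the safety goal "no unintended deployment".
sensor_spurious = BasicEvent("sensor_spurious_crash_signal", 10.0)
plausibility_fail = BasicEvent("acu_plausibility_check_fails", 5.0)
acu_cpu_fault = BasicEvent("acu_cpu_fault", 50.0)
watchdog_stuck = BasicEvent("watchdog_stuck", 5.0)
squib_short = BasicEvent("squib_driver_short_to_battery", 15.0)

UNINTENDED_DEPLOYMENT = Gate("unintended_airbag_deployment", "OR", (
    Gate("spurious_signal_accepted", "AND", (sensor_spurious, plausibility_fail)),
    Gate("acu_spurious_fire_command", "AND", (acu_cpu_fault, watchdog_stuck)),
    squib_short,
))
MISSION_HOURS = 8000.0  # assumed operating time over which the probability is evaluated


def analyze(tree: Node = UNINTENDED_DEPLOYMENT, hours: float = MISSION_HOURS) -> dict:
    """Top-event probability, minimal cut sets and the dominant cut set of the tree."""
    per_cut = cut_set_probabilities(tree, hours)
    return {
        "top_probability": gate_probability(tree, hours),
        "rare_event_approx": sum(per_cut.values()),
        "cut_sets": set(per_cut),
        "dominant_cut_set": max(per_cut, key=per_cut.get),
    }


if __name__ == "__main__":
    result = analyze()
    print(f"P(top event) over {MISSION_HOURS:.0f} h: {result['top_probability']:.3e}")
    print("dominant cut set:", sorted(result["dominant_cut_set"]))
```

With these constructed rates the single-point cut set (the squib driver short) accounts for almost the whole top-event probability, which is exactly the kind of result that sends a new safety requirement (a safety mechanism for that failure mode) back into the architecture, as the later slides describe.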

 

Page 17: (4) verification of the technical safety architecture

required by ISO 26262 part 5:
– evaluation of diagnostic coverage for all single-point faults of components which have the potential to directly violate a safety goal
– evaluation of diagnostic coverage of all latent faults, which together with another fault have the potential to violate a safety goal

 

Page 18: (4) verification of the technical safety architecture

(screenshot) shows whether all FRC metrics (SPF/RF/LF) are fulfilled for the element
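The two evaluations on the previous slide and the SPF/RF/LF result shown here are the single-point fault metric (SPFM) and the latent fault metric (LFM) of ISO 26262-5. The following added example (not code from the slides or from medini analyze) carries out that bookkeeping for an FMEDA-style table: each failure mode's rate is split into a single-point/residual share (the part not covered by a safety mechanism), a multiple-point share, and the latent part of that share (not covered by latent-fault detection), and the two metrics are compared with the ASIL B/C/D targets of ISO 26262-5. The failure modes, FIT values and diagnostic coverages are constructed for one safety goal (no unintended deployment) and are not real part data; a real FMEDA would take the rates from the catalogs mentioned on page 12.

```python
"""Hardware architectural metrics (SPFM, LFM) from an FMEDA-style failure-mode table.

Added example for this page, not code from the slides or from medini analyze.
The failure modes, rates (FIT) and diagnostic coverages are constructed to show
the bookkeeping of ISO 26262-5 Annex C for one safety goal (no unintended
deployment); they are not real part data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# ISO 26262-5 targets for the metrics; no quantitative target is set for ASIL A.
SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}
LFM_TARGET = {"B": 0.60, "C": 0.80, "D": 0.90}


@dataclass(frozen=True)
class FailureMode:
    element: str
    mode: str
    fit: float          # failure rate of this mode, in FIT
    effect: str         # "direct": can violate the safety goal on its own
                        # "mpf":    violates it only together with another fault
                        # "safe":   cannot contribute to a violation
    dc_sm: float = 0.0  # diagnostic coverage of the safety mechanism against the violation
    dc_lf: float = 0.0  # coverage of latent-fault detection (e.g. start-up self-test)


def split_rate(fm: FailureMode) -> Dict[str, float]:
    """Split one failure mode's rate into the ISO 26262-5 fault classes."""
    if fm.effect == "safe":
        return {"spf_rf": 0.0, "mpf_latent": 0.0, "mpf_detected": 0.0, "safe": fm.fit}
    if fm.effect == "direct":
        spf_rf = fm.fit * (1.0 - fm.dc_sm)   # single-point (dc_sm == 0) or residual share
        mpf = fm.fit - spf_rf                # covered share: the mechanism must fail as well
    elif fm.effect == "mpf":
        spf_rf, mpf = 0.0, fm.fit
    else:
        raise ValueError(f"unknown effect {fm.effect!r}")
    latent = mpf * (1.0 - fm.dc_lf)
    return {"spf_rf": spf_rf, "mpf_latent": latent, "mpf_detected": mpf - latent, "safe": 0.0}


def architectural_metrics(table: Iterable[FailureMode]) -> Dict[str, float]:
    """SPFM and LFM over all safety-related hardware failure modes in the table."""
    total = spf_rf = latent = 0.0
    for fm in table:
        parts = split_rate(fm)
        total += fm.fit
        spf_rf += parts["spf_rf"]
        latent += parts["mpf_latent"]
    if total == 0.0:
        raise ValueError("no failure modes: metrics are undefined")
    spfm = 1.0 - spf_rf / total                # ISO 26262-5 Annex C
    lfm = 1.0 - latent / (total - spf_rf)      # ISO 26262-5 Annex C
    return {"total_fit": total, "spf_rf_fit": spf_rf, "latent_fit": latent,
            "spfm": spfm, "lfm": lfm}


def meets_targets(metrics: Dict[str, float], asil: str) -> Dict[str, bool]:
    """Compare the computed metrics with the targets of the safety goal's ASIL."""
    if asil not in SPFM_TARGET:
        raise ValueError("quantitative targets exist for ASIL B, C and D only")
    return {"spfm": metrics["spfm"] >= SPFM_TARGET[asil],
            "lfm": metrics["lfm"] >= LFM_TARGET[asil]}


# Constructed FMEDA rows for the airbag elements shown on the slides.
FMEDA = [
    FailureMode("ACU:Controller1", "CPU computes a wrong fire decision", 50.0, "direct", dc_sm=0.90, dc_lf=0.99),
    FailureMode("ACU:Controller1", "RAM bit error", 20.0, "direct", dc_sm=0.99, dc_lf=0.99),
    FailureMode("Bumper Sensor:Crash sensor1", "open circuit, no signal", 30.0, "safe"),
    FailureMode("Bumper Sensor:Crash sensor1", "spurious crash signal", 2.0, "direct"),  # no mechanism: SPF
    FailureMode("Inflator D:Inflator1", "squib driver short to battery", 15.0, "direct", dc_sm=0.95, dc_lf=0.90),
    FailureMode("ACU:Controller1", "watchdog stuck, never fires", 5.0, "mpf", dc_lf=0.50),
]

if __name__ == "__main__":
    m = architectural_metrics(FMEDA)
    print(f"SPFM = {m['spfm']:.2%}, LFM = {m['lfm']:.2%}")
    for asil in ("B", "C", "D"):
        print(asil, meets_targets(m, asil))
```

Note the denominators: SPFM divides by the total rate of all safety-related failure modes (safe faults included), while LFM divides by what remains after the single-point and residual share is removed, so an uncovered single-point fault such as the spurious sensor signal above hurts SPFM but not LFM. In this constructed table SPFM passes ASIL B but not C or D, which is the "metric not fulfilled" result the tool view on this slide would flag for the element.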

 

Page 19: (4) verification of the technical safety architecture

• as a result of the different safety analyses
  – ASILs are allocated to requirements and subsequently to architecture components
  – new safety requirements are derived
  – safety requirements are decomposed
  – requirements are pushed back into DOORS
changes in the architecture may be necessary to fulfill the new or updated requirements
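Pages 7 and 11 state that an architecture element obtains its ASIL through the requirements allocated to it, and this page adds that requirements are decomposed. The following added example (not code from the slides or from medini analyze) shows how those trace links are used: an element's ASIL is the highest ASIL of any requirement allocated to it or to anything it contains, a decomposed part keeps the parent ASIL in brackets (B(D)), and the decomposition is checked against the schemes of ISO 26262-9 and against the rule that the two parts must be realised by sufficiently independent elements. The elements, requirements and <<alloc>> links are constructed around the airbag block diagram; the ASIL values are illustrative.

```python
"""Derive ASILs of architecture elements from traced safety requirements and check decompositions.

Added example for this page, not code from the slides or from medini analyze.
Elements, requirements and <<alloc>> links are constructed around the airbag
block diagram on the slides; the ASIL assignments are illustrative.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

# ISO 26262-9 decomposition schemes (higher part listed first).
DECOMPOSITIONS = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}


@dataclass
class Element:
    name: str
    parent: Optional[str] = None  # containment: Item > Subsystem > Component


@dataclass
class Requirement:
    rid: str
    asil: str
    decomposed_from: Optional[str] = None                 # parent requirement if this is one decomposed part
    allocated_to: Set[str] = field(default_factory=set)   # <<alloc>> links to element names


def is_within(name: str, ancestor: str, elements: Dict[str, Element]) -> bool:
    """True if `name` is `ancestor` or is (transitively) contained in it."""
    while name is not None:
        if name == ancestor:
            return True
        name = elements[name].parent
    return False


def element_asil(name: str, elements: Dict[str, Element], reqs: Dict[str, Requirement]) -> str:
    """Highest ASIL of any requirement allocated to the element or to something it contains."""
    inside = {e for e in elements if is_within(e, name, elements)}
    asils = [r.asil for r in reqs.values() if r.allocated_to & inside]
    return max(asils, key=ASIL_RANK.__getitem__, default="QM")


def asil_label(r: Requirement, reqs: Dict[str, Requirement]) -> str:
    """ISO 26262-9 notation: a decomposed part keeps the parent ASIL in brackets, e.g. B(D)."""
    return f"{r.asil}({reqs[r.decomposed_from].asil})" if r.decomposed_from else r.asil


def check_decompositions(elements: Dict[str, Element], reqs: Dict[str, Requirement]) -> List[str]:
    """Flag decomposed pairs that ISO 26262-9 does not allow or that are not realised independently."""
    findings: List[str] = []
    parts_of: Dict[str, List[Requirement]] = {}
    for r in reqs.values():
        if r.decomposed_from:
            parts_of.setdefault(r.decomposed_from, []).append(r)
    for parent_id, parts in parts_of.items():
        parent_asil = reqs[parent_id].asil
        if len(parts) != 2:
            findings.append(f"{parent_id}: decomposition needs exactly two parts, found {len(parts)}")
            continue
        pair = tuple(sorted((parts[0].asil, parts[1].asil), key=ASIL_RANK.__getitem__, reverse=True))
        if pair not in DECOMPOSITIONS.get(parent_asil, set()):
            findings.append(f"{parent_id}: ASIL {parent_asil} cannot be decomposed into {pair[0]} + {pair[1]}")
        # the same element, or one element containing the other, realising both parts
        # defeats the independence the decomposition relies on (siblings inside one
        # subsystem still need a freedom-from-interference argument, not checked here)
        for a in parts[0].allocated_to:
            for b in parts[1].allocated_to:
                if is_within(a, b, elements) or is_within(b, a, elements):
                    outer = a if is_within(b, a, elements) else b
                    findings.append(f"{parent_id}: {parts[0].rid} and {parts[1].rid} both realised in {outer}")
    return findings


def unallocated(reqs: Dict[str, Requirement]) -> List[str]:
    """Requirements no element realises (a parent realised through its decomposed parts is fine)."""
    parents = {r.decomposed_from for r in reqs.values() if r.decomposed_from}
    return sorted(r.rid for r in reqs.values() if not r.allocated_to and r.rid not in parents)


# Constructed architecture and requirements.
ELEMENTS = {e.name: e for e in [
    Element("AirbagSystem"),
    Element("ACU:Controller1", "AirbagSystem"),
    Element("ACU.MCU", "ACU:Controller1"),
    Element("ACU.Watchdog", "ACU:Controller1"),
    Element("Bumper Sensor:Crash sensor1", "AirbagSystem"),
    Element("Inflator D:Inflator1", "AirbagSystem"),
    Element("Inflator P:Inflator1", "AirbagSystem"),
    Element("Power:Battery1", "AirbagSystem"),
]}
REQUIREMENTS = {r.rid: r for r in [
    Requirement("FSR-1", "D"),                                   # no unintended deployment, realised via 1a/1b
    Requirement("FSR-1a", "B", "FSR-1", {"ACU.MCU"}),            # fire only on a validated crash signal
    Requirement("FSR-1b", "B", "FSR-1", {"ACU.Watchdog"}),       # independent watchdog blocks the fire line
    Requirement("FSR-2", "C", allocated_to={"Bumper Sensor:Crash sensor1"}),
    Requirement("FSR-3", "D", allocated_to={"Inflator D:Inflator1", "Inflator P:Inflator1"}),
    Requirement("FSR-4", "A"),                                   # not allocated yet: must show up as a gap
    Requirement("FSR-5", "C"),
    Requirement("FSR-5a", "B", "FSR-5", {"ACU.MCU"}),            # C -> B + B is not a valid scheme ...
    Requirement("FSR-5b", "B", "FSR-5", {"ACU.MCU"}),            # ... and both parts sit in the same element
]}

if __name__ == "__main__":
    for name in ELEMENTS:
        print(f"{name}: ASIL {element_asil(name, ELEMENTS, REQUIREMENTS)}")
    print("unallocated:", unallocated(REQUIREMENTS))
    print("\n".join(check_decompositions(ELEMENTS, REQUIREMENTS)))
```

Two things the output makes visible that a spreadsheet hides: the ACU subsystem comes out as ASIL B only because its D requirement was decomposed into two B(D) parts on separate components, so the (D) in the label is what keeps the confirmation-measure and independence obligations attached; and a requirement with no allocation at all (FSR-4) is a requirement nothing in the architecture realises, which is exactly the kind of gap the round trip back into DOORS is meant to catch.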

 

Page 20: (5) model update in case of design change

(screenshot: the changed airbag block diagram in Rhapsody)

design changes may lead to a changed Rhapsody model
– the safety analysis needs to be repeated
the new model can be re-imported into medini analyze
– the SysML model is updated
– the update includes a model compare algorithm
– all traces and safety properties previously added will be preserved
– the safety analysis for the re-imported model can be re-done with minimum effort
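The slide names a model compare algorithm that preserves traces and safety properties across a re-import but does not describe it. The following added example (not code from the slides or from medini analyze, whose algorithm is not documented here) shows the shape such a merge has to take for the preservation claim to hold: blocks are matched by a stable tool identifier rather than by name, so a rename is not mistaken for a delete plus an add; unchanged blocks keep their data silently, changed blocks keep it but are flagged for re-analysis, added blocks are flagged as lacking safety data, and removed blocks report the requirements that lost their allocation. The two model versions and the safety data are constructed.

```python
"""Re-import of a changed architecture model while preserving safety annotations.

Added example for this page, not code from the slides or from medini analyze,
whose compare algorithm is not described in detail. It assumes each block carries
a stable identifier (as modeling tools assign) so a rename is not mistaken for a
delete plus an add. The two model versions and the safety data are constructed.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Block:
    uid: str            # stable tool identifier, survives renaming
    name: str
    ports: frozenset    # port names: the interface the safety analysis relied on


@dataclass
class SafetyData:
    failure_modes: List[str] = field(default_factory=list)
    traces: Set[str] = field(default_factory=set)   # requirement ids allocated to the block
    needs_reanalysis: bool = False


def compare(old: Dict[str, Block], new: Dict[str, Block]) -> Dict[str, Set[str]]:
    """Classify block uids as added, removed, changed (name or interface) or unchanged."""
    common = set(old) & set(new)
    changed = {u for u in common if old[u] != new[u]}
    return {"added": set(new) - set(old), "removed": set(old) - set(new),
            "changed": changed, "unchanged": common - changed}


def merge_safety_data(old: Dict[str, Block], new: Dict[str, Block],
                      data: Dict[str, SafetyData]) -> Tuple[Dict[str, SafetyData], List[str]]:
    """Carry safety data over to the new model version; returns (merged data, findings)."""
    diff = compare(old, new)
    merged: Dict[str, SafetyData] = {}
    findings: List[str] = []
    for uid in diff["unchanged"]:
        merged[uid] = data.get(uid, SafetyData())
    for uid in diff["changed"]:
        kept = data.get(uid, SafetyData())
        # traces and failure modes are kept, but the analysis must be confirmed for the new interface
        merged[uid] = replace(kept, needs_reanalysis=True)
        findings.append(f"{old[uid].name} -> {new[uid].name}: re-analyse "
                        f"({len(kept.failure_modes)} failure modes kept)")
    for uid in diff["added"]:
        merged[uid] = SafetyData(needs_reanalysis=True)
        findings.append(f"{new[uid].name}: new element without safety data")
    for uid in diff["removed"]:
        orphaned = data.get(uid)
        if orphaned and orphaned.traces:
            findings.append(f"{old[uid].name}: removed, requirements "
                            f"{sorted(orphaned.traces)} lost their allocation")
    return merged, sorted(findings)


# Constructed model versions: the sensor is renamed and gains a diagnostic port,
# the battery block is dropped and a third inflator is added.
OLD = {b.uid: b for b in [
    Block("u1", "ACU:Controller1", frozenset({"incoming", "outgoing"})),
    Block("u2", "Bumper Sensor:Crash sensor1", frozenset({"outgoing"})),
    Block("u3", "Inflator D:Inflator1", frozenset({"incoming"})),
    Block("u4", "Inflator P:Inflator1", frozenset({"incoming"})),
    Block("u5", "Power:Battery1", frozenset()),
]}
NEW = {b.uid: b for b in [
    OLD["u1"],
    Block("u2", "Bumper Sensor:Crash sensor2", frozenset({"outgoing", "diag"})),
    OLD["u3"],
    OLD["u4"],
    Block("u6", "Inflator S:Inflator1", frozenset({"incoming"})),
]}
DATA = {
    "u1": SafetyData(["CPU wrong fire decision", "RAM bit error"], {"FSR-1"}),
    "u2": SafetyData(["spurious crash signal"], {"FSR-2"}),
    "u3": SafetyData(["squib driver short to battery"], {"FSR-3"}),
    "u5": SafetyData([], {"FSR-4"}),
}

if __name__ == "__main__":
    merged, findings = merge_safety_data(OLD, NEW, DATA)
    for line in findings:
        print(line)
```

The findings list is the "minimum effort" part of the slide made concrete: the safety engineer re-analyses the three flagged elements instead of the whole model, and the orphaned-requirement finding prevents a removed block from silently taking an allocated requirement with it.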

 

Page 21: consistency among design and safety analysis

(diagram: the nodes SysML Models, Fault Tree Analysis, FMEA & FMEDA, ISO 26262 SPF & LF metrics / diagnostic coverage, and Review/Assessment Checklists, connected by Update, Derive and Review relations)

 

Page 22: benefits

– increased awareness of the engineering team for functional safety
– significant reduction of the work effort for the safety analyses in round-trip engineering
– easier comparison of different architecture variants
– consistency and traceability among the different work products as required by ISO 26262
– clear allocation of responsibilities for system design and functional safety analysis
– avoidance of error-prone manual information duplication
– improved provision of the necessary safety documentation

 

Page 23: Thank You

www.kpit.com
www.ikv.de

 

Page 24: Functional Safety (ISO 26262) Service Offerings

(table of service areas and their activities)

Safety Process Consulting: process & need analysis; Safety Management Plan; define methods & techniques
Safety Process Tailoring: review existing process; tailor safety process; tailor safety process e.g. for AUTOSAR
Safety Concept Engineering: perform HARA; determine ASIL; develop safety goals & safety concepts
Functional Safety Engineering & Analysis: system/SW development; FMEA/FTA, verification & validation; hardware architectural metrics (FMEDA)
medini analyze implementation: pilot project; tools training & workshop; deployment support
medini analyze customization: adoption of medini analyze; customization on a per-need basis; integration with the existing tool landscape
Safety Assessment & Qualification: independent confirmation review; safety reviews & safety audits; SW component qualification

FUNCTIONAL SAFETY MANAGEMENT: ISO 26262 workflow kit; tool – medini analyze; training using medini analyze; knowledge repository