Dr. Eckhardt Holz & 邓伟
2/27/2014 (the Chinese-language slides give the date as 24 February 2014)

Efficient approach to manage ISO 26262 lifecycle – Principles and Practice

© KPIT Technologies Limited
ikv++ technologies ag – A KPIT Company

– German shareholder company, recently became a KPIT family member (Functional Safety Practice)
– focus on products and solutions for automotive safety, reliability and quality
– efficient team of experienced safety engineers, safety managers and software and hardware specialists
– global service, consulting and support capabilities
– 10+ years in the market
– 120+ customers worldwide
– AUTOSAR Development Member
– partner of IBM Rational and The MathWorks
– sales partnership with HIRAIN Technologies in China
our product lines – software and services for automotive safety and reliability

– medini™ analyze: the integrated solution for the analysis of functional safety, reliability and quality according to standards such as IEC 61508 and ISO 26262, VDA and SAE
– medini™ unite: the product for change and configuration management support for model-based software engineering
functional safety: importance and definition

• the provision of any technical system may cause harm to humans
  • directly – burning, electrical shock, physical damage etc.
  • indirectly – pollution of the environment
• it is an important development goal to deliver safe products
• safety
  – absence of unacceptable risks
• functional safety
  – absence of unacceptable risks due to hazards caused by malfunctioning behavior of the system
• the risk of the system has to be reduced to a tolerable level
  – a risk evaluation becomes necessary
  – a definition of "tolerable" is necessary
• strong regulations are required and in place
  – safety standards and legal requirements emphasize safety aspects during systems engineering
  – Examples: ISO 26262, IEC 61508, DO-178C, ….

(picture caption fragment:) … caused by malfunction of the electronic gas pedal?
safety related activities in systems engineering processes

hazard analysis, driving situation analysis, risk assessment, controllability analysis, safety goals, safety requirements, fault tree analysis, hardware metrics, failure mode and effects analysis (FMEA), argumentation of freedom from interference, safety validation, configuration management, change management, safety architecture, functional safety concept

safety standards like ISO 26262 require performing multiple activities and producing additional work products
safety and engineering lifecycle

ISO 26262: safety related activities have to go hand in hand with engineering activities

(figure: development (Dev) and validation (Val) under common configuration management, with import/generate links between the engineering artifacts and the safety work products. Engineering artifacts shown: item description, preliminary architecture, HW models, SW models, coding, unit tests, unit test reports, integration tests, coverage analysis, validation plan, validation results. Safety work products shown: item definition, HAZOP, hazard & risk analysis, safety requirements, architecture (functional/structural), FMEA, FME(D)A, FTA.)
role of system design models

– the system design models are a key artifact for the integration of engineering and safety activities
  • many safety activities require (at least preliminary) architectural information
  • safety requirements need to be realized by specific design choices, which need to be reflected in the system models
  • architectural elements obtain their Safety Integrity Levels (SIL/ASIL) by allocation of safety requirements to them
  • safety analyses (e.g. special architecture metrics) are performed based on architecture models
– model-based approaches are gaining increasing popularity in the automotive industry
  • EAST-ADL, SysML, ….
hierarchies in automotive system development

(figure: model hierarchy across the supply chain)
– levels: OEM (Item) → Tier 1 (Subsystems) → Tier 1/2 / Semiconductors (Components, HW Parts)
– model artifacts exchanged: SysML with messages; functions and malfunctions; SysML with signals and FM; SysML with signals/electrics, HW-FM and BOM; part library (SysML); FR/FM catalogs (or database); SysML with subpart failures; FR databases (or FR catalogs)
– relations between the levels: <<refined>>, <<uses>>, <<contributes>>, <<alloc>>

FM: Failure Mode; FR: Failure Rate; BOM: Bill Of Materials
architecture V.x – workflow between System Designer and Safety Engineer

(figure: round trip on the example model with parts ACU:Controler1, Bumper Sensor:Crash sensor1, Inflator D:Inflator1, Inflator P:Inflator1 and Power:Battery1, each with attributes, operations and incoming/outgoing int ports)
– System Designer creates the initial architecture
– Safety Engineer adds safety data, analyzes and derives requirements; the RMS (requirements management system) is updated
– System Designer updates the enhanced architecture
– Safety Engineer updates safety data, performs re-analysis, potential new requirements
(1) SysML model import into medini analyze

(figure: the example SysML model with parts ACU:Controler1, Bumper Sensor:Crash sensor1, Inflator D:Inflator1, Inflator P:Inflator1 and Power:Battery1)

– development of a SysML model with Rhapsody
– the model is produced as a result of the ordinary development process
– the model contains parts, blocks, ports and connectors
– the SysML model is imported into medini analyze
– model elements are derived according to the Rhapsody information
– the Rhapsody API is applied
(2) establishing relations between model elements

(figure: Functional Safety Requirements allocated to the imported preliminary architecture)

– the imported model is traced to other model elements
– an example is the allocation of functional safety requirements
– such semantic links are used to relate or compute safety information for an architecture element – e.g. ASIL
(3) specification of safety properties

extension of the architecture by safety properties
– failure modes and failure rates must be specified for the elements of the safety architecture
– such data can be calculated or taken from common catalogs such as SN 29500, IEC 62380 or the Birolini Safety Handbook
– the quantitative verification of the architecture is based on these data
(3) specification of safety properties

step-by-step guidance through the catalog to determine the failure rates for all elements
(3) specification of safety properties

parameter values which may influence the failure rate can be defined at element level or derived from parent components
(3) specification of safety properties

– Element Library: imported from BOM or ECL excel
– failure data derived from library; an element refers to an entry in the library
– all entries with the same part number have the same failure information
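The three slides above describe how failure rates reach the architecture elements: a catalog lookup keyed by part number, with parameters that influence the rate (here: ambient temperature) either set on the element or inherited from a parent component. The following is an added illustration of that resolution logic, not code from the deck or from medini analyze; the library entries, temperature scaling rule and the `ACU board` hierarchy are constructed stand-ins and are not values from SN 29500 or IEC 62380.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LibraryEntry:
    """One row of a failure-rate library (constructed values, not SN 29500 or
    IEC 62380 data). lambda_ref_fit is the reference failure rate in FIT
    (failures per 1e9 h) at ref_temp_c; temp_factor is applied once per 10 degC
    of ambient temperature above (or below) that reference."""
    part_number: str
    lambda_ref_fit: float
    ref_temp_c: float
    temp_factor: float


# Constructed element library keyed by part number, as if imported from a BOM.
LIBRARY: Dict[str, LibraryEntry] = {
    "RES-10K-0603": LibraryEntry("RES-10K-0603", 0.2, 40.0, 1.3),
    "CAP-100N-0603": LibraryEntry("CAP-100N-0603", 0.5, 40.0, 1.5),
    "MCU-AB12": LibraryEntry("MCU-AB12", 50.0, 40.0, 1.4),
}


@dataclass
class Element:
    """Architecture element. Leaves carry a part number; any element may carry
    parameter values that its children inherit unless they override them."""
    name: str
    part_number: Optional[str] = None
    params: Dict[str, float] = field(default_factory=dict)
    parent: Optional["Element"] = None
    children: List["Element"] = field(default_factory=list)

    def add(self, child: "Element") -> "Element":
        child.parent = self
        self.children.append(child)
        return child

    def param(self, key: str) -> float:
        """Element-level value wins; otherwise walk up through the parent components."""
        node = self
        while node is not None:
            if key in node.params:
                return node.params[key]
            node = node.parent
        raise KeyError(f"parameter {key!r} is not defined for {self.name} or any parent")


def failure_rate_fit(elem: Element) -> float:
    """Failure rate of one part in FIT: the library entry for its part number,
    scaled by the ambient temperature resolved through the hierarchy. Parts with
    the same part number and the same resolved parameters get the same value."""
    if elem.part_number is None:
        raise ValueError(f"{elem.name} has no part number, so no failure data can be looked up")
    entry = LIBRARY[elem.part_number]
    steps = (elem.param("ambient_temp_c") - entry.ref_temp_c) / 10.0
    return entry.lambda_ref_fit * entry.temp_factor ** steps


def total_failure_rate_fit(root: Element) -> float:
    """Sum of all leaf failure rates below root (every part failure counted,
    the usual conservative starting point before failure-mode splitting)."""
    if root.part_number is not None:
        return failure_rate_fit(root)
    return sum(total_failure_rate_fit(c) for c in root.children)


def find(root: Element, name: str) -> Element:
    """Depth-first lookup of an element by name."""
    if root.name == name:
        return root
    for c in root.children:
        try:
            return find(c, name)
        except KeyError:
            continue
    raise KeyError(name)


def build_example() -> Element:
    """Constructed controller board: 60 degC ambient is set once at board level,
    and one sub-zone overrides it."""
    board = Element("ACU board", params={"ambient_temp_c": 60.0})
    board.add(Element("R1", "RES-10K-0603"))
    board.add(Element("R2", "RES-10K-0603"))      # same part number as R1
    board.add(Element("U1", "MCU-AB12"))
    zone = board.add(Element("cooled zone", params={"ambient_temp_c": 40.0}))
    zone.add(Element("R3", "RES-10K-0603"))       # inherits 40 degC, not the board's 60 degC
    return board


if __name__ == "__main__":
    board = build_example()
    for part in ("R1", "R2", "R3", "U1"):
        print(f"{part}: {failure_rate_fit(find(board, part)):.3f} FIT")
    print(f"board total: {total_failure_rate_fit(board):.3f} FIT")
```

R1 and R2 share a part number and resolve to the same temperature, so they get identical failure information, which is the library property the slide states; R3 has the same part number but sits in a zone with its own parameter value, so its rate differs, which is why the parameter has to be resolved per element rather than copied once from the library.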
(4) verification of the technical safety architecture

the system architecture is analyzed concerning violations of the safety goal
– failure modes and rates of the architectural elements are used as source for probability values
– Drag&Drop from architecture to FTA
– FTA trees are constructed and analyzed
(4) verification of the technical safety architecture

required by ISO 26262 part 5:
– evaluation of diagnostic coverage for all single point faults of components which have the potential to directly violate a safety goal
– evaluation of diagnostic coverage of all latent faults which, together with another fault, have the potential to violate a safety goal
(4) verification of the technical safety architecture

(figure: per-element result view) shows if all FRC metrics (SPF/RF/LF) are fulfilled for the element
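The three verification slides above name two computations that run on the same element failure data: the fault tree for the safety-goal violation (basic-event probabilities from failure rates, dragged in from the architecture) and the ISO 26262 part 5 evaluation of single-point and latent faults. The block below is an added illustration of both, not code from the deck or from medini analyze. The failure-mode table for the crash sensor / ACU elements, its diagnostic-coverage values and the classification flags are constructed; the metric formulas are the SPFM and LFM definitions of ISO 26262-5, and the fault-tree evaluation assumes constant failure rates and independent basic events.

```python
import math
from dataclasses import dataclass
from typing import List, Union


@dataclass
class FailureMode:
    """One failure mode of an architecture element with its safety classification
    (all values constructed for the example)."""
    element: str
    name: str
    lambda_fit: float          # failure rate in FIT (1e-9 per hour)
    safety_related: bool = True
    direct: bool = False       # can violate the safety goal on its own
    dc_rf: float = 0.0         # diagnostic coverage of the safety mechanism w.r.t. residual faults
    multi_point: bool = False  # violates the safety goal only together with another fault
    dc_latent: float = 0.0     # diagnostic coverage w.r.t. latent faults


def split(fm: FailureMode) -> dict:
    """Split the failure rate into the classes used by the ISO 26262-5 metrics."""
    lam = fm.lambda_fit
    if fm.direct:
        spf_rf = lam * (1.0 - fm.dc_rf)   # share not covered by a safety mechanism
        mpf = lam * fm.dc_rf              # covered share: only dangerous with a second fault
    elif fm.multi_point:
        spf_rf, mpf = 0.0, lam
    else:
        spf_rf, mpf = 0.0, 0.0            # safe fault
    latent = mpf * (1.0 - fm.dc_latent)   # multi-point faults neither detected nor perceived
    return {"lambda": lam, "spf_rf": spf_rf, "mpf": mpf, "latent": latent}


def hardware_metrics(modes: List[FailureMode]) -> dict:
    """Single-point fault metric and latent fault metric over the safety-related elements:
    SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
    LFM  = 1 - sum(lambda_MPF,latent) / sum(lambda - lambda_SPF - lambda_RF)"""
    parts = [split(fm) for fm in modes if fm.safety_related]
    total = sum(p["lambda"] for p in parts)
    spf_rf = sum(p["spf_rf"] for p in parts)
    latent = sum(p["latent"] for p in parts)
    return {
        "SPFM": 1.0 - spf_rf / total,
        "LFM": 1.0 - latent / (total - spf_rf),
        "lambda_spf_rf_fit": spf_rf,
        "lambda_latent_fit": latent,
    }


@dataclass
class BasicEvent:
    name: str
    lambda_fit: float


@dataclass
class Gate:
    kind: str                 # "OR" or "AND"
    children: List["Node"]


Node = Union[BasicEvent, Gate]


def probability(node: Node, t_hours: float) -> float:
    """Top-event probability for a mission time, assuming constant failure rates
    (P = 1 - exp(-lambda t)) and independent basic events."""
    if isinstance(node, BasicEvent):
        return 1.0 - math.exp(-node.lambda_fit * 1e-9 * t_hours)
    ps = [probability(c, t_hours) for c in node.children]
    if node.kind == "AND":
        return math.prod(ps)
    if node.kind == "OR":
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def residual_fault_tree(modes: List[FailureMode]) -> Gate:
    """The drag-and-drop step from architecture to FTA: the uncovered share of each
    failure mode that can directly violate the safety goal becomes a basic event
    under the top-level OR gate."""
    return Gate("OR", [BasicEvent(f"{fm.element}: {fm.name} (residual)", split(fm)["spf_rf"])
                       for fm in modes if fm.safety_related and fm.direct])


# Constructed failure-mode table for the crash-sensor / ACU example.
EXAMPLE_MODES = [
    FailureMode("Crash sensor", "wrong output value", 100.0, direct=True, dc_rf=0.9, dc_latent=0.9),
    FailureMode("ACU", "spurious fire command", 200.0, direct=True, dc_rf=0.99, dc_latent=0.9),
    FailureMode("Power monitor", "stuck at OK", 50.0, multi_point=True, dc_latent=0.6),
    FailureMode("ACU", "status LED driver open", 30.0),             # safe fault
    FailureMode("Housing", "heater short", 30.0, safety_related=False),
]


if __name__ == "__main__":
    m = hardware_metrics(EXAMPLE_MODES)
    print(f"SPFM = {m['SPFM']:.4f}  LFM = {m['LFM']:.4f}")
    top = residual_fault_tree(EXAMPLE_MODES)
    print(f"P(safety goal violation, 10000 h) = {probability(top, 10000.0):.3e}")
```

Two points worth noticing when reading the numbers: the non-safety-related housing heater is excluded from both metrics entirely, whereas the safe ACU fault still counts in the denominators, and the latent share is taken only from the covered (multi-point) part of each rate, so raising `dc_rf` on the sensor improves SPFM but moves rate into the latent bucket unless `dc_latent` keeps up.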
(4) verification of the technical safety architecture

• as a result of the different safety analyses
  – ASILs are allocated to requirements and subsequently to architecture components
  – new safety requirements are derived
  – safety requirements are decomposed
  – requirements are pushed back into DOORS

changes in the architecture may be necessary to fulfill the new or updated requirements
(5) model update in case of design change

(figure: the example model with parts ACU:Controler1, Bumper Sensor:Crash sensor1, Inflator D:Inflator1, Inflator P:Inflator1 and Power:Battery1)

– design changes may lead to a changed Rhapsody model
– safety analysis needs to be repeated
– the new model can be re-imported into medini analyze
– the SysML model is updated
– the update includes a model compare algorithm
– all traces and safety properties previously added will be preserved
– safety analysis for the re-imported model can be re-done with minimum effort
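The slide above states that re-import runs a model compare and preserves previously added traces and safety properties. The block below is an added illustration of what such a compare-and-merge has to do for that promise to hold, not medini analyze's own algorithm. It assumes every model element carries a stable identifier that the modelling tool keeps across edits (a Rhapsody-style GUID; the `g-…` strings here are constructed) and that annotations are keyed by that identifier rather than by element name, so renames and re-wiring do not lose the attached data; the before/after models and requirement IDs are constructed.

```python
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ModelElement:
    """Imported design element. guid is assumed to be a stable identifier that
    the modelling tool keeps across edits (constructed strings here)."""
    guid: str
    name: str
    ports: Tuple[Tuple[str, str], ...] = ()   # (port name, direction)


@dataclass
class SafetyAnnotation:
    """Safety data attached to an element in the analysis tool."""
    asil: str = ""
    failure_modes: List[str] = field(default_factory=list)
    traces: List[str] = field(default_factory=list)   # linked requirement IDs
    needs_review: bool = False
    note: str = ""


@dataclass
class MergeReport:
    added: List[str] = field(default_factory=list)
    removed: List[str] = field(default_factory=list)
    changed: List[str] = field(default_factory=list)
    unchanged: List[str] = field(default_factory=list)


def reimport(old_model, new_model, annotations):
    """Compare old and new model by GUID, carry the existing annotations across and
    mark everything that needs re-analysis. Returns (merged annotations keyed by
    GUID, annotations orphaned by deleted elements, report). Inputs are not mutated."""
    old = {e.guid: e for e in old_model}
    new = {e.guid: e for e in new_model}
    merged: Dict[str, SafetyAnnotation] = {}
    orphaned: Dict[str, SafetyAnnotation] = {}
    report = MergeReport()
    for guid, elem in new.items():
        ann = copy.deepcopy(annotations[guid]) if guid in annotations else SafetyAnnotation()
        if guid not in old:
            report.added.append(elem.name)
            ann.needs_review = True
            ann.note = "new element: safety properties and traces missing"
        elif old[guid] != elem:
            # element survived but its name or interface changed: keep the data,
            # but the analysis that relied on the old interface must be re-checked
            report.changed.append(elem.name)
            ann.needs_review = True
            ann.note = f"changed since last import (was {old[guid].name!r} {old[guid].ports}); re-check analysis"
        else:
            report.unchanged.append(elem.name)
        merged[guid] = ann
    for guid, elem in old.items():
        if guid not in new:
            report.removed.append(elem.name)
            if guid in annotations:
                # traces to requirements must not vanish silently: those
                # requirements now lack an allocation and need re-allocation
                orphaned[guid] = copy.deepcopy(annotations[guid])
    return merged, orphaned, report


def example_models():
    """Constructed before/after versions of the example model plus the safety
    annotations that existed before the design change."""
    old = [
        ModelElement("g-acu", "ACU:Controler1", (("incoming", "in"), ("outgoing", "out"))),
        ModelElement("g-sens", "Bumper Sensor:Crash sensor1", (("outgoing", "out"),)),
        ModelElement("g-pwr", "Power:Battery1"),
    ]
    new = [
        ModelElement("g-acu", "ACU:Controler1", (("incoming", "in"), ("outgoing", "out"))),
        ModelElement("g-sens", "Bumper Sensor:Crash sensor1", (("outgoing", "out"), ("diag", "out"))),
        ModelElement("g-sens2", "Bumper Sensor 2:Crash sensor1", (("outgoing", "out"),)),
    ]
    annotations = {
        "g-acu": SafetyAnnotation("D", ["spurious fire command"], ["FSR-12"]),
        "g-sens": SafetyAnnotation("B", ["wrong output value"], ["FSR-07"]),
        "g-pwr": SafetyAnnotation("QM", [], ["FSR-03"]),
    }
    return old, new, annotations


if __name__ == "__main__":
    old, new, annotations = example_models()
    merged, orphaned, report = reimport(old, new, annotations)
    print(report)
    for guid, ann in merged.items():
        print(guid, ann.asil or "-", ann.traces, "REVIEW" if ann.needs_review else "ok")
    print("orphaned traces:", {g: a.traces for g, a in orphaned.items()})
```

The design choice that makes "minimum effort" achievable is the separation of the three outcomes: unchanged elements keep their analysis untouched, changed and new elements are flagged for review rather than reset, and annotations of deleted elements are returned separately so the requirement allocations they carried are visibly lost rather than silently dropped.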
Consistency among design and safety analysis

(figure: SysML models at the center, connected by Update, Derive and Review relations to Fault Tree Analysis, FMEA & FMEDA, ISO 26262 SPF & LF metrics / diagnostic coverage, and Review/Assessment checklists)
Benefits

– increased awareness of the engineering team for functional safety
– significant reduction of the work effort for the safety analyses in round-trip engineering
– easier comparison of different architecture variants
– consistency and traceability among the different work products as required by ISO 26262
– clear allocation of responsibilities for system design and functional safety analysis
– avoidance of error-prone manual information duplication
– improved provision of necessary safety documentation
Thank You

www.kpit.com
www.ikv.de
Functional Safety (ISO 26262) Service Offerings

– Safety Process Consulting: process & need analysis; Safety Management Plan; define methods & techniques
– Safety Process Tailoring: review existing process; tailor safety process; tailor safety process e.g. for AUTOSAR
– Safety Concept Engineering: perform HARA; determine ASIL; develop Safety Goals & Safety Concepts
– Functional Safety Engineering & Analysis: system/SW development; FMEA/FTA, verification & validation; hardware architectural metrics (FMEDA)
– medini analyze implementation: pilot project; tools training & workshop; deployment support
– medini analyze customization: adoption of medini analyze; customization on a per-need basis; integration with existing tool landscape
– Safety Assessment & Qualification: independent confirmation review; safety reviews & safety audits; SW component qualification

FUNCTIONAL SAFETY MANAGEMENT: ISO 26262 workflow kit; tool – medini analyze; training using medini analyze; knowledge repository