Kristoffer Karlsson
Safety Manager Automotive Embedded Systems Division, Mentor Graphics
September 2013
Mathias Fritzson
Product Line Manager Picea Mecel
Distributed development
Automotive Safety Integrity Level (ASIL)
Tier-1 and Tier-2 responsibilities
Integration of the BSW Safety Element out of Context (SEooC)
KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013
BACKGROUND
Background
The number of complex safety-related electronic/electrical systems in today's automobiles continues to grow.
Hazardous events due to incorrect behavior in these systems have to be prevented or properly mitigated.
Reduces the risk of hazardous events by ensuring the integrity of safety systems
Use of appropriate development processes and safety mechanisms within the architectural design
AUTOSAR
Some of which may be safety related
Including safety mechanisms for prevention or detection of faults
ISO 26262
Safety analysis, safety management
System, HW and SW development process
System, HW and SW architectural requirements
AUTOSAR provides some of the work products that are part of the initial stages of an ISO 26262 development process
AUTOSAR safety mechanisms support fulfillment of the Technical Safety Concept on system level in ISO 26262
Overlap
ISO 26262 compliance required in case a Technical Safety Requirement may be violated due to a fault in the SW
AUTOSAR BSW, or individual modules, developed as Safety Element out of Context (SEooC)
BSW developed based on assumptions - context not known
For higher ASILs architectural redundancy and/or partitioning of the BSW may be needed
BSW shall have the same or higher ASIL than the SW-C
Freedom from interference partly ensured by BSW safety mechanisms in mixed ASIL architectures
Tool confidence needs to be considered, e.g. for AUTOSAR configuration
Distributed development
Automotive Safety Integrity Level (ASIL)
Tier-1 and Tier-2 responsibilities
Development Interface Agreement (DIA)
When ASIL is required by RFQ, a Development Interface Agreement (DIA) shall be set up between Tier-2 and Tier-1
Part of the contractual agreement detailing responsibilities for activities, evidence and work products to fulfill the ASIL
ISO 26262 Work Products provided as optional deliverable with BSW to build Safety Case by Tier-1:
BSW Safety Plan
Safety Manual
Safety Requirements Specification/Assumptions
Verification Plan/Specification/Report
Definition of Safety Managers, and contact details, at both Tier-2 and Tier-1
Responsibilities for activities, evidence and work products by Tier-2 and by Tier-1
What Work Products shall be exchanged
Input from Tier-1 for tailoring of SEooC and evidence
Evidence from Tier-2
When Work Products are needed by Tier-2 and Tier-1
How data shall be exchanged
Submitted or made available?
EXPERIENCES/LESSONS LEARNT
Requires infeasible detail in assumptions for system/SW architecture, performance, timing etc. to match the customer system
Ensure that the SEooC and ASIL you use provide a safe architecture
Consider use of ASIL decomposition where possible
A tailored SEooC may be the most cost-effective solution
Ensure that compliance evidence can be provided
Evidence to the ASIL needed, not more
Tailoring to customer-specific safety mechanisms
SEooC can only be tested on a general configuration
Responsibility for these tests should be detailed in the DIA
Not likely that a qualification of the configuration tool would give sufficient confidence to get around this
For higher ASILs (C and D) the SEooC verification has to be tailored to the particular configuration
ASIL C or D on the BSW may not be enough to fulfill ASIL C/D for the ECU
Architectural redundancy recommended/highly recommended for ASIL C/D
A volume-dependent tradeoff between BOM and SW development decides ASIL decomposition
Lessons Learnt
Start in time
Ensure that everybody has a good understanding of what shall be delivered, by whom and when
DIA
Delivery plan (e.g. as part of DIA)
Standard industry methods, documented and performed as planned
Easy to become overambitious or overwhelmed