ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety

Kristoffer Karlsson
Safety Manager Automotive Embedded Systems Division, Mentor Graphics
September 2013

Mathias Fritzson
Product Line Manager Picea Mecel

ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety

Agenda

Background ISO 26262-Compliant AUTOSAR Development

Distributed development Automotive Safety Integrity Level (ASIL) Tier-1 and Tier-2 responsibilities Integration of the BSW Safety Element out of Context (SEooC)

Experiences, Lessons Learnt

from AUTOSAR 4.0.x ECU projects

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

BACKGROUND

Background

The number of complex safety related electronic/electrical systems in todays automobiles continue to grow Hazardous events due to incorrect behavior in these systems have to be prevented or properly mitigated

Standardization efforts to address these issues

Reduces the risk of hazardous events by ensuring the integrity of safety systems

Use of appropriate development processes and safety mechanisms within the architectural design

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

ISO 26262 and AUTOSAR

AUTOSAR

ECU development process BSW requirements BSW architecture design

Some of which may be safety related Including safety mechanisms for prevention or detection of faults

ISO 26262

Safety analysis, safety management System, HW and SW development process System, HW and SW architectural requirements AUTOSAR provides some of the work products that are part of the initial stages of an ISO 26262 development process AUTOSAR safety mechanisms support fulfillment Technical Safety Concept on system level in ISO 26262

Overlap

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

ISO 26262-COMPLIANT AUTOSAR DEVELOPMENT

ISO 26262-Compliant AUTOSAR Development

ISO 26262 compliance required in case a Technical Safety Requirement may be violated due to a fault in the SW AUTOSAR BSW, or individual modules, developed as Safety Element out of Context (SEooC)

BSW developed based on assumptions - context not known For higher ASILs architectural redundancy and/or partitioning of the BSW may be needed

BSW shall have the same or higher ASIL than the SW-C

Freedom from interference partly ensured by BSW safety mechanisms in mixed ASIL architectures Tool confidence needs to be considered, e.g. for AUTOSAR configuration

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

ISO 26262 Requirements to Consider

Distributed development Automotive Safety Integrity Level (ASIL) Tier-1 and Tier-2 responsibilities
Development Interface Agreement (DIA)

Integration of the BSW Safety Element out of Context (SEooC)

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

Distributed Development Subcontracting

RFQ shall define if ASIL compliance is required

If not, QM-level is assumed (ISO 26262 is not applicable)

When ASIL is required by RFQ a Development Interface Agreement (DIA) shall be setup between Tier-2 and Tier-1
Part of the contractual agreement detailing responsibilities for activities, evidence and work products to fulfill the ASIL

Tier-2 and Tier-1 need to work together to fulfill ASIL

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

Automotive Safety Integrity Level (ASIL)

ASIL tailoring to Tier-1 needs

Validation of assumed BSW safety requirements to Technical Safety Concept

May result in additional safety requirements for BSW

ASIL determines the evidence required for the BSW SEooC

Work products the same, different scope and content

ISO 26262 Work Products provided as optional deliverable with BSW to build Safety Case by Tier-1:
BSW Safety Plan Safety Manual Safety Requirements Specification/Assumptions Verification Plan/Specification/Report

10

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

Tier-1 and Tier-2 Responsibilities

- for BSW SEooC Development
SW Development Subphase Initiation of SW development, methods, tools used Specification of SW Safety Requirements SW architectural design SW unit design and implementation SW unit testing SW integration and testing Verification of SW Safety Requirements Responsible Tier-2 Tier-2 + AUTOSAR AUTOSAR Tier-2 Tier-2 Tier-1 + Tier-2 Tier-1 + Tier-2

11

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

Development Interface Agreement

Definition of Safety Managers, and contact details, at both Tier-2 and Tier-1 Responsibilities for activities, evidence and work products by Tier-2 and by Tier-1 What Work Products that shall be exchanged
Input from Tier-1 for tailoring of SEooC and evidence Evidence from Tier-2

When Work Products are needed by Tier-2 and Tier-1 How data shall be exchanged
Submitted or made available?

Internal/external assessment, onsite audits etc.

12

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

Integration of the BSW SEooC

13

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

Integration of the BSW SEooC

14

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

Integration of the BSW SEooC

15

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

EXPERIENCES/LESSONS LEARNT

Experiences from AUTOSAR/ISO 26262 Projects, 1 of 2

ASIL compliant COTS not possible in practice

As COTS Not COTS
SEooC assumptions accepted as is -> Safety mechanisms and BSW Verification to ensure enough system resources

Important to work together to achieve ASIL

Requires unfeasible detail in assumptions for system/SW architecture, performance, timing etc. to match with customer system

Ensure that the SEooC and ASIL you use provides a safe architecture
Consider use of ASIL decomposition where possible A tailored SEooC may be the most cost effective solution Ensure that compliance evidence can be provided
Evidence to the ASIL needed, not more Tailoring to customer specific safety mechanisms

17

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

Experiences from AUTOSAR/ISO 26262 Projects, 2 of 2

Tests need to be performed on the configured BSW

SEooC can only be tested on a general configuration Responsibility for these tests should be detailed in the DIA Not likely that a qualification of the configuration tool would give sufficient confidence to get around this For higher ASILs (C and D) the SEooC verification has to be tailored to the particular configuration

ASIL C or D on the BSW may not be enough to fulfill ASIL C/D for the ECU
Architectural redundancy recommended/highly-recommended for ASIL C/D

Production volume decides on how to manage ASIL

A volume dependent tradeoff between BOM and SW development decide ASIL decomposition

18

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013

Lessons Learnt

Start in time

With time plan With safety requirements

Ensure that everybody has a good understanding of what shall be delivered, by whom and when
DIA Delivery plan (e.g. as part of DIA)

Establish the right processes from the start

Standard industry methods, documented and performed as planned Easy to become overambitious or overwhelmed

19

Important to have a knowledgeable partner

Safety considered in all parts of development

KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013