什么是功能安全iso26262简介

„WhatisFunctionalSafety?“-ShortIntroductionofISO26262-25June2015YujiITOTÜVSÜD(Thailand).YujiITOIntroductionofaspeakerAutomotiveHomologationManager(ASEAN)TÜVSÜD(Thailand).fromJan.2014.History1981–1999WorkedforvehiclemanufacturerinR&DDiv.,inchargeofEngineDevelopment.1999–2013WorkedforTÜVSÜDJapan..Contactaddress:yuji.ito@tuv-sud.co.th-FoundedAutomotivegroupin1999.TEL:(Ext.-AppointedasrecognizedHomologationExpert.527)-LedhomologationbusinessandFSbusinessaswellasmanyengineeringsupporttoOEMs.TUVSUD(Thailand)2015-6-251WhatsFunctionalSafety??2OverviewofISO26262Part2:FunctionalSafetyManagement.3(Whoshoulddowhat?)Part3:ConceptPhase4(howtohandleRisks?)5Part7:ProductionProcess2015-6-25TUVSUD(Thailand)CarandElectronicsTrendofCarElectronicsNo.ofECUinstalledinacar1980’s:average102010’s:50-60CarElectronicscomponentmarketintheworld(extractfromJARI,2011)TrendofaCARNowaday,driver’ionisconvertedIntheconventionalvehicle,driver’sintoasignal,andisprocessed.Andactionwastransferredmechanically,thenit’stransferredtothedevicesandthebasicfunction(drive,stop,throughharness.Thesignalisagainturn)wasexecuted.convertedintoaforceandusedtocontrolthevehicle.ConventiorecentnalstructuresimplecomplicatedSafetyfunctionnormalupgradedProbabilityofnormallessnormalfailureUnpredictabilitylesshighoffailureTUVSUD(Thailand)HowSAFETYisimportant?OfcourseSafetyisthemostimportant.But100%safetyseemsnotpossibleduetotechnology,costetc.ThereremainsariskofDanger.Wehavetothink“AcceptableRisk”.(FSPoint1)WhatisFunctionalSafety?Exampleofrailroadcrossing.Howmuchistheprobabilityofcollision?IntrinsicSafetyFunctionalSafetyRootcausesofdangerareByaddingfunctionalmeasures,completelyremoved.acceptablelevelofsafetyisensured.Assessmentofthe“functionalmeasures”(safetyfunctions)anditsnumericalevaluationisthebasisofFunctionalSafety.(FSPoint2)FunctionalSafetyinISO26262Inthisstandard(ISO26262),FunctionalSafetymeans,incase“safetyrelatedsystem”iscomposedwith“electric/electronic/programmableelectronicsystems”,awayofthinkingconcerningareductionofrisktoanacceptablelevel.ISO26262onlyconcernsariskofdanderwhichiscausedbye/e/pesystem.RiskcausedbymechanicalsystemisoutofthescopeofISO26262.(FSPoint3)Whatisthestandard“ISO26262”?2ndeditionofISO26262willmostpossiblybeISO26262isaAutomotiveFunctionalSafetystandardpublishedinJan.2018,focusedonseries-productionpassengercarsupto3.5t.andmotorcycleandcommercialvehiclewillbeMajorcontentsare;includedinthescope.①Inordertoreducerisksoccurredfromelectroniccontrolsystemtoacceptablelevel,whatshouldbeconsideredintheeachstepofdevelopmentstage?②cleardefinitionoftherisksandmeasurestoreduceit
Riskanalysisandcountableevaluationofthemeasuresetc.③Wholecompanyorganizationandmanagementsystemtorealizeit
FSorganization,V-Vmdevelopmentetc.(FSPoint4)Regulation&StandardTopicstobeinvestigatedLegalrequirementsforhomologationProductLiability(mandatory)(voluntary)LegallybindingRecommendedApplicationof,e.g.,EUApplicationofIEC,ISO,ENordirectivesandUNECEDINstandardsregulations(Europe)(“Stateoftheart”)ISO26262belongstohere(FSPoint5)RequiredObligationstobefollowedExamplecase:Onedriversteppedontheaccel.pedalandbrakepedalatthesametimebymistake.Asaresult,vehicledidn’tstopandaccidentoccurred.Adriverwasinjured.Legallythereisnoregulation.(*)(exceptforsomecountries)Butifmostofthepeoplethinksbrakingfunctionmustbeprioritizedinsuchcase,whathappensinlawsuit?StateoftheArt.Theterm"stateoftheart"referstothehighestlevelofgeneraldevelopment,asofadevice,technique,orscientificfieldachievedataparticulartime.Italsoreferstothelevelofdevelopment(asofadevice,procedure,process,technique,orscience)reachedatanyparticulartimeasaresultofthecommonmethodologiesemployed(ExtractfromWikipedia)StructureofManagementISO26262SystemdevelopmentConceptProductionphase&operationHardwareSoftwareSupportingprocessSafetyanalysisPart2.FunctionalsafetymanagementandprocessesFunctionalSafetyManagement1.ConstructFunctionalSafetyManagement(FSM)
FSmanual,FSPlan,Workrule,Trainingetc.Documentation2.ConstructFSOrganizationresponsibleforrealization
appointFSmanagerappointFSassessorsTheseshouldcoverwholecompanyaswellaseachDept.samelikeQMSbutfocusingonFSDocumentsWorkProduct:Allkindsofdocumentsandevidenceswhicharerelatedwiththedecisiontaken.SafetyCase:•isthecompilationofalldocumentsanddatathatexplainstheproductisfunctionallysafe.•Thesafetycasecanbederivedfromtheworkproductsofthedevelopmentphases.•Thesafetyplanformsthebasisforthesafetycase.•Thesafetycaseisthekeyrequirementforthereleaseforproduction.ISO26262requeststostoreallkindsofdocumentssothatthehistorycanbetracedtoprovethesafety.Part3.ConceptphaseHowtohandlerisksAnalyzedrivingsituationandinvestigaterisks•（HAZOPetc.）Classificationofrisks•Severity,exposureandcontrollabilityDefineASILlevel•FromriskmatrixDefinesafetygoalHazardanalysisandriskassessmentreviewRiskParameters:Severity,Probability&ControllabilityProbabilityofdamageNotacceptedInacceptablealwaysriskareasporadicallyControllabilityCofadangerousdrivingsituationlowAcceptedverylowresidualriskExposureEtothedangerousAcceptabledrivingsituationextremelyareaunlikelySeveritySlowSeverityhighHazardandriskanalysis:parameterS(severity)ClassS0S1S2S3Severeinjuries,Life-threateninglightandpossiblylife-injuries(survivalDescriptionNoinjuriesmoderatethreatening,uncertain)orinjuriessurvivalfatalinjuriesprobableAIS0DamagethatReferencemorethancannotbemorethan10%forsingle10%morethan10%classifiedprobabilityofinjuriesprobabilityofprobabilityofsafety-related,AIS3-6(and(fromAISAIS1-6(andAIS5-6e.g.bumpsnotS3)scale)notS2orS3)withroadsideinfrastructureAIS:AbbreviatedInjuryScaleHazardandriskanalysis:parameterE(exposure)EstimationofexposureprobabilityClassE1E2E3E4DescriptionVerylowprobabilityLowprobabilityMediumprobabilityHighprobabilitySituationsthatoccurSituationsthatSituationsthatAllsituationsthatlessoftenthanoccuronceaDefinitionofoccurafewtimesoccurduringonceayearforthemonthormorefrequencyayearforthegreatalmosteverydrivegreatmajorityofoftenforanmajorityofdriversoagedriversaveragedriverHazardandriskanalysis:parameterC(controllability)ClassC0C1C2C3ControllableinDifficulttocontrolorDescriptionSimplycontrollableNormallycontrollablegeneraluncontrollable99%ormoreofallLessthan90%ofall90%ormoreofalldriversorotherdriversorothertrafficdriversorothertrafficControllableintrafficparticipantsparticipantsareDefinitionparticipantsaregeneralareusuallyabletousuallyable,orbarelyusuallyabletoavoidaavoidaspecificable,toavoidaspecificharm.harm.specificharm.Hazardandriskanalysis:riskmatrixControllabilityCSeveritySProbabilityEC1C2C3AssignanAutomotiveE1QMQMQMSafetyIntegrityLevelE2QMQMQMS1(ASIL)toeachE3QMQMASILAhazardouseventE4QMASILAASILBE1QMQMQMIncaseofQM,ISOE2QMQMASILA26262requirementsS2E3QMASILAASILBdonotapplyE4ASILAASILBASILCASILDisthehighestE1QMQMASILAE2QMASILAASILBlevelS3E3ASILAASILBASILCE4ASILBASILCASILDASILlevelRiskmustbeariskofvehicle.So.ASILlevelmustbedefinedbyvehiclemanufacturer.IncaseASILlevelbecomeshigh,probabilityofrisk(injury/death)becomeshigh.Severeandthoroughcountermeasuresarerequired.Oneexample:InfluenceofASILlevelHardwarearchitecturemetrics:Probabilityofdetectingthefollowingfailurewhichviolatesachievingsafetygoal・SinglePointFaultMetrics(SPFM）・LatentFaultMetrics(LFM）Belowpercentageoffailuastobedetected.HardwareArchitecturemetricsSPFM:ASILBASILCASILDProbabilityofdetectingfailurewhichsingleoccurrenceviolatesSPFM≥90%≥97%≥99%achievingsafetygoalLFM:LFM≥60%≥80%≥90%ProbabilityofdetectingfailurewhichviolatesachievingsafetygoalISO26262-5,Table4&Table5latentlyTUVSUD(Thailand)2015-6-25Part7.ProductionandoperationWhatshouldbedoneinProduction?•PlanningoftheproductionprocessProduction•DevelopmentofproductioncontrolplanplanningPre•Productionofitems,systemsorelementsbeforereleaseforproductionproductionseriesproduction•Productionofitems,systemsorelementsafterreleaseforProductionproductionRequirementsonproduction•SpecifytherequirementsofproductionfromtheFSpointofview.•Developaproductionplanforsafety-relatedproducts.•Ensurethattherequiredfunctionalsafetyisachievedduringtheproductionprocess.ProductionPlanningForproductionprocessplanningevaluateitemandconsiderRequirementsConditionsforstorage,ApprovedLessonsCompetenceforproductiontransportandhandlingconfigurationslearnedofnelcreatee.g.calibrationande.g.allowedstoragesetupofsensortimeforelementProductionplanincludingProductionprocessProductionTraceabilitySpecialflowandtoolsmeasuresmeasuresinstructionse.g.labellingofe.g.burn-intestelementOtherimportantpointsInterfaceofdiversedevelopment•Chooser–Confirmthedevelopmentcapabilityofracc.toISO26262–ClearrequesttocomplythestandardbyRFQDevelopmentscope,safetyplan,ASILetc.•「DevelopmentInterfaceAgreement」ISO26262Part8AnnexB–Confirmsafetymanagerofbothparties–Sharethesafetylifecycle–Actualactivity,processandresponsibilityofeachside–SharedinformationandworkproductTUVSUD(Thailand)2015-6-25KeyISO26262servicesprovidedbyTÜVSÜDISO26262servicesTÜVSÜDprovidesthefollowingfunctionalsafetyservicesfortheautomotiveindustry:CertificationTestingConsultingTrainingProductcertificationAssessmentsWorkshopsStandardBasicProcesscertificationrauditsProject-relatedTrainingsGenericToolQualificationsupportAdvancedTrainingsFSCP2015-6-25TUVSUD(Thailand)TÜVSÜDforyourattention.Pleaseletmeknowifyouhaveanyquestion.2015-6-25TUVSUD(Thailand)