autosar karlsson-fritzson iso26262 iesf2013


  • 7/27/2019 Autosar Karlsson-fritzson Iso26262 Iesf2013


    ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety

    Kristoffer Karlsson
    Safety Manager
    Automotive Embedded Systems Division, Mentor Graphics

    Mathias Fritzson
    Product Line Manager Picea
    Mecel

    September 2013


    ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety

    Agenda

    • Background
    • ISO 26262-Compliant AUTOSAR Development
       – Distributed development
       – Automotive Safety Integrity Level (ASIL)
       – Tier-1 and Tier-2 responsibilities
       – Integration of the BSW Safety Element out of Context (SEooC)
    • Experiences, Lessons Learnt from AUTOSAR 4.0.x ECU projects

    KK MF, ISO 26262 & AUTOSAR - Achieving a New Level in Vehicle Safety, September 2013


    BACKGROUND


    Background


    • The number of complex safety-related electronic/electrical systems in today's automobiles continues to grow
    • Hazardous events due to incorrect behavior in these systems have to be prevented or properly mitigated
    • Standardization efforts address these issues
       – Reduce the risk of hazardous events by ensuring the integrity of safety systems
       – Use of appropriate development processes and safety mechanisms within the architectural design


    ISO 26262 and AUTOSAR


    AUTOSAR ECU development process
    • BSW requirements
       – Some of which may be safety related
    • BSW architecture design
       – Including safety mechanisms for prevention or detection of faults

    ISO 26262
    • Safety analysis, safety management
    • System, HW and SW development process
    • System, HW and SW architectural requirements

    Overlap
    • AUTOSAR provides some of the work products that are part of the initial stages of an ISO 26262 development process
    • AUTOSAR safety mechanisms support fulfillment of the Technical Safety Concept on system level in ISO 26262


    ISO 26262-COMPLIANT AUTOSAR DEVELOPMENT


    ISO 26262-Compliant AUTOSAR Development

    • ISO 26262 compliance is required if a Technical Safety Requirement may be violated due to a fault in the SW
    • AUTOSAR BSW, or individual modules, developed as a Safety Element out of Context (SEooC)
       – BSW developed based on assumptions; the context is not known
    • BSW shall have the same or higher ASIL than the SW-C
       – For higher ASILs, architectural redundancy and/or partitioning of the BSW may be needed
    • Freedom from interference partly ensured by BSW safety mechanisms in mixed-ASIL architectures
    • Tool confidence needs to be considered, e.g. for AUTOSAR configuration


    ISO 26262 Requirements to Consider


    • Distributed development
    • Automotive Safety Integrity Level (ASIL)
    • Tier-1 and Tier-2 responsibilities
       – Development Interface Agreement (DIA)
    • Integration of the BSW Safety Element out of Context (SEooC)


    Distributed Development - Subcontracting

    • The RFQ shall define whether ASIL compliance is required
       – If not, QM level is assumed (ISO 26262 is not applicable)
    • When an ASIL is required by the RFQ, a Development Interface Agreement (DIA) shall be set up between Tier-2 and Tier-1
       – Part of the contractual agreement, detailing responsibilities for activities, evidence and work products to fulfill the ASIL
    • Tier-2 and Tier-1 need to work together to fulfill the ASIL


    Automotive Safety Integrity Level (ASIL)

    • ASIL tailoring to Tier-1 needs
       – Validation of the assumed BSW safety requirements against the Technical Safety Concept
       – May result in additional safety requirements for the BSW
    • The ASIL determines the evidence required for the BSW SEooC
       – The work products are the same; their scope and content differ
    • ISO 26262 work products provided as optional deliverables with the BSW, for the Tier-1 to build the Safety Case:
       – BSW Safety Plan
       – Safety Manual
       – Safety Requirements Specification/Assumptions
       – Verification Plan/Specification/Report


    Tier-1 and Tier-2 Responsibilities - for BSW SEooC Development

    SW Development Subphase                              Responsible
    ---------------------------------------------------  -----------------
    Initiation of SW development, methods, tools used    Tier-2
    Specification of SW Safety Requirements              Tier-2 + AUTOSAR
    SW architectural design                              AUTOSAR
    SW unit design and implementation                    Tier-2
    SW unit testing                                      Tier-2
    SW integration and testing                           Tier-1 + Tier-2
    Verification of SW Safety Requirements               Tier-1 + Tier-2


    Development Interface Agreement

    • Definition of Safety Managers, and contact details, at both Tier-2 and Tier-1
    • Responsibilities for activities, evidence and work products, by Tier-2 and by Tier-1
    • Which work products shall be exchanged
       – Input from Tier-1 for tailoring of the SEooC and its evidence
       – Evidence from Tier-2
    • When work products are needed by Tier-2 and by Tier-1
    • How data shall be exchanged
       – Submitted or made available?
    • Internal/external assessment, on-site audits etc.

    Integration of the BSW SEooC

    (Slides 13 to 15: integration diagrams, not reproduced in the transcript)


    EXPERIENCES/LESSONS LEARNT


    Experiences from AUTOSAR/ISO 26262 Projects, 1 of 2

    • ASIL-compliant COTS is not possible in practice
       – As COTS: SEooC assumptions accepted as is -> safety mechanisms and BSW
       – Not COTS: verification to ensure enough system resources
       – Requires unfeasible detail in the assumptions for system/SW architecture, performance, timing etc. to match the customer's system
    • Important to work together to achieve the ASIL
       – Ensure that the SEooC and the ASIL you use provide a safe architecture
       – Consider use of ASIL decomposition where possible
    • A tailored SEooC may be the most cost-effective solution
       – Evidence to the ASIL needed, not more
       – Tailoring to customer-specific safety mechanisms
       – Ensure that compliance evidence can be provided


    Experiences from AUTOSAR/ISO 26262 Projects, 2 of 2

    • Tests need to be performed on the configured BSW
       – A SEooC can only be tested on a general configuration
       – Responsibility for these tests should be detailed in the DIA
       – Not likely that a qualification of the configuration tool would give sufficient confidence to get around this
       – For higher ASILs (C and D) the SEooC verification has to be tailored to the particular configuration
    • ASIL C or D on the BSW may not be enough to fulfill ASIL C/D for the ECU
       – Architectural redundancy is recommended/highly recommended for ASIL C/D
    • Production volume decides how to manage the ASIL
       – A volume-dependent tradeoff between BOM and SW development decides the ASIL decomposition


    Lessons Learnt


    • Start in time
       – With a time plan
       – With safety requirements
    • Ensure that everybody has a good understanding of what shall be delivered, by whom and when
       – DIA
       – Delivery plan (e.g. as part of the DIA)
    • Establish the right processes from the start
       – Standard industry methods, documented and performed as planned
    • Important to have a knowledgeable partner
       – Easy to become overambitious or overwhelmed
    • Safety considered in all parts of development
