
A Critical View on “Independence” in ISO 26262-2

4th EUROFORUM conference “ISO 26262”, Sept 12th–14th 2012, Leinfelden-Echterdingen, Germany

Peter Grabs, Ph.D.
intedis GmbH & Co. KG, Germany

Pierre Metz, Ph.D.
Brose Fahrzeugteile GmbH & Co. KG, Hallstadt, Germany

© Intedis GmbH & Co. KG, Brose Fahrzeugteile GmbH & Co. KG. All rights reserved.
Copyright: Peter Grabs; Pierre Metz. Version: 12.09.2012. Copy for conference participants.

Content

1. What ISO 26262-2 Says
2. Different Views on Independence
3. Our Considerations
4. Change Request to ISO 26262-2
5. Scenarios


“Independence” for confirmation measures

Apparently, independence is defined in terms of organizational structure:

ISO 26262-2, clause 6.4.7


Different Views on Independence (1/3)

Some third-party service providers claim
• certification of individuals would be necessary for satisfying I1 and I2 [1]
• it would be state of the art to have safety assessments performed by accredited third parties [2,3]
• I3 would require purely external services being free of economical or any other kind of dependency to the organization assessed [2]

1) As perceived by the authors from 2009 to 2012 based on personal community communications, EUROFORUM ISO 26262 conference publications & debates, IQPC ISO 26262 conference publications & debates, VDA Sys Conference debates, public advertisements & service offers, the “Functional Safety Executive Summary” publication of the ZVEI working group on functional safety, internet articles, white papers, journal articles.

2) Schmidt M., Rau M., Helmig E., Bauer B., SGS TÜV Saar, “Funktionale Sicherheit – Umgang mit Unabhängigkeit, rechtlichen Rahmenbedingungen und Haftungsfragen” (http://www.sgs-tuev-saar.com/pdf/Fachartikel-ISO-26262-Jura-08-2011.pdf) and “Rechtliche Folgen der ISO26262”, Hanser Automotive, Germany, Nov. 2011. Quotation (translated from German): “With regard to the duty of care, it is to be regarded as the state of science and technology that the ‘assessment’ part of product assurance for functional safety is carried out by test bodies accredited for this purpose according to ISO/IEC 17025 or ISO/IEC 17020 and not belonging to the company’s own corporate group.” Quotation (translated from German): “True independence is only given if there is no economic or employment-law dependency of the analysing body on the manufacturing company.”

3) Molle E., Rau M. “Bestätigungsmaßnahmen der ISO 26262 und organisatorische Umsetzungsbeispiele”, Safetronic conference, Nov. 2011, Munich, Germany. Quotation (translated from German): “For the highest possible risk reduction in the context of product liability it is recommended … to make use of independent test bodies accredited according to ISO/IEC 17025.”


Different Views on Independence (2/3)

Helmig [4]
• Even an external service provider is not entirely independent as he might seek follow-up contracts

Kriso/Unruh [5]
• Certification of processes, products, or individuals is required neither by ISO 26262 nor from a legal point of view
• “Organizational independency does not necessarily mean external” [5,6]
• Competence is necessary for functional safety audits and assessments. However, “…the more independent a person is, the less is its specific knowledge – and vice versa”

4) Helmig E. “Funktionale Sicherheit nach ISO 26262 und Produkthaftung für No-trouble-found-Fälle”, journal “Haftpflicht International – Recht & Versicherung”, No. 1/2012, http://www.fb.tmg-web.de/genre/HI_recht_versicherung_2012_01/index.html, also available on http://www.notar-helmig.de/de/publikationen.html. Quotation (translated from German): “Even an external consultant is hardly independent if he has to fear for the next contract in this very limited environment of his business opportunities with only a few customers.”

5) Kriso S., Unruh J. “Implementation of Functional Safety Audits and Assessments at Bosch”, IQPC conference ‘Experiences with ISO 26262’, Munich, Germany, 28th–30th March 2012

6) FAQ Ed. 2 on the IEC internet page, answered by the IEC 61508 standardization board (IEC/SC65A/WG14), http://www.iec.ch/functionalsafety/faq-ed2/page4.htm


Different Views on Independence (3/3)

Molle/Rau [7]
• It is considered necessary to have confirmation measures done by company-internal parties.

Technical pros and cons for external safety assessment services [8]
• independence can be argued more easily
• different assessors may have different opinions

Technical pros and cons for independent internal depts. [8]
• more internal competence
• arguing independence is more difficult
• less know-how/skill at the present stage of ISO 26262 experience (a temporary issue only)
• establishing central depts. next to the product lines leads to bigger organizations

7) Molle E., Rau M. “Bestätigungsmaßnahmen der ISO 26262 und organisatorische Umsetzungsbeispiele”, Safetronic conference, Nov. 2011, Munich, Germany. Quotation (translated from German): “… Therefore it is indispensable to fulfil the required confirmation measures for functional safety practicably and efficiently through company-internal organizational solutions.”

8) Taken from the reported results of the workshop “Process Experience With ISO 26262 Audits and What Can Be Concluded From These” led by Richard Krüger, BMW AG, at IQPC conference ‘Experiences with ISO 26262’, Munich, Germany, 28th–30th March 2012


Step 1 – Realizing the problem

The apparent definition of “independence” in 26262-2…
• creates confusion (e.g. whether external services are required or not, see above)
• does not prevent economical bias (e.g. external service providers might strive for follow-up contracts, see above)
• does not prevent “selective hiring” (e.g. a customer might choose the external service provider/assessor being “most beneficial”)
• neither addresses nor guarantees competence (see above)
• can lead to arbitrary organizational changes (e.g. establishing new depts. “just” because of ISO 26262-2)
• does not reflect psychology (e.g. in small companies, employees being located closely to each other and having personal interrelationships affects “independence”)


Step 2 – Drawing the conclusion

Conclusion: “Independence” merely is a method but not a goal!

In contrast [9,10,11]: The ISO 26262 philosophy is to provide objectives and requirements instead of “hard-coded” solutions

Therefore: The true goal needs to be identified!

9) Statements of VDA AK 16 members and delegates to ISO/TC22/SC3/WG16, e.g. during debates at EUROFORUM ISO 26262 conferences 2010, 2011 and VDA AK 16 board meetings

10) E.g. the ‘ASIL method tables’ are recommendations and guidance only; the actual requirements to fulfill are the goals stated in the corresponding paragraphs above. Generally, the requirements in chapters x.4 are designed to be refinements of the objectives in chapters x.1 (indirectly by means of grouping those requirements in terms of logical work products)

11) Personal opinion, and experiences with international standards, of the authors


Step 3 – Identifying the true goal

Our proposal: the goals for confirmation measures are to be
1. Objectivity of judgement [12,13], i.e. free of conflict of interests, unbiased people
2. Competence [13,14,15] wrt. technical product details, internal processes, ISO 26262 comprehension, …

12) This goal is also explicitly required by ISO/IEC TR 15504-7 (SPICE assessment types A to D)

13) This goal is also explicitly required by ISO/IEC 15504-2

14) This goal is also explicitly required by ISO/IEC TR 15504-7 (SPICE assessment types A to D)

11) This goal is also required by Standard CMMI® Appraisal Method for Process Improvement (SCAMPI℠) A, Version 1.3, Method Definition Document, SCAMPI Upgrade Team, March 2011, HANDBOOK CMU/SEI-2011-HB-001, process step “Select and Prepare Appraisal Team”

15) Guidelines for auditing management systems (ISO 19011:2011); German and English version EN ISO 19011:2011


Step 4 – Identifying adequate methods for the identified goals

Possible methods

Already mentioned:
1. Different person, same team
2. Person from different team
3. External service providers
4. Independent depts.

Our new suggestions (do not require additional headcount/resources):
5. Internal heterogeneous teams
   • internal representatives
   • approval is upon the entire team
   • therefore requires group consensus (no majority vote or overruling)
6. Mixed heterogeneous teams
   • internal representatives
   • external party representatives
   • approval is upon the entire team
   • therefore requires group consensus (no majority vote or overruling)


Our change request to 26262-2 (1/3)

Table 1 – Evaluation of methods wrt. the proposed goals. Columns: competence wrt. (T)echnical product, competence wrt. internal (P)rocesses, (O)bjectivity.

Different person, same team: T High, P High, O Low
Person from different team: T Medium(a)/High, P Medium/High(b), O Medium
Independent dept.: T Low/Medium(d), P Medium/High(b), O Medium(e)/High
Purely external services: T Low/Medium, P None/Low(g)/Medium(g), O Medium(c)/High
Internal heterogeneous teams: T High, P High, O Medium(f)/High(f)
Mixed heterogeneous teams: T High, P High, O High

a) Depending on product variants, different customers/product lines etc.
b) Depends on process maturity, e.g. High only in presence of standard processes (e.g. CMMI Maturity Level 3, SPICE Maturity Level 3, or Automotive SPICE HIS scope Capability Level 3, respectively)
c) Potential economical bias, see Helmig above
d) See Kriso/Unruh, above
e) “Psychology not reflected”, see above
f) Group consensus, but still depending on team selection
g) Depending on how familiar the particular external individual is with the company


Our change request to 26262-2 (2/3)

Table 2 – Required levels per confirmation measure for columns A, B, C, D (T = competence wrt. technical product, P = competence wrt. internal processes, O = objectivity; “–” = not required)

Hazard & Risk Analysis: A–D: T High, P Low, O High
Safety plan: A: –; B: T Low, P Medium, O Low; C: T Low, P Medium, O Medium; D: T Low, P Medium, O High
Item Integration & Testing Plan: A: T Medium, P Low, O Low; B: T Medium, P Low, O Low; C: T Medium, P Low, O Medium; D: T Medium, P Low, O Medium
Validation Plan: A: –; B: T Medium, P Low, O Low; C: T Medium, P Low, O Medium; D: T Medium, P Low, O Medium
Safety Analyses: A: T High, P Low, O Low; B: T High, P Low, O Low; C: T High, P Low, O Medium; D: T High, P Low, O High
Tool Qualification Report: A: –; B: T Low, P Low, O Low; C: T Low, P Low, O Low; D: T Low, P Low, O Low
Proven-In-Use Arguments: A: T Medium, P Low, O Low; B: T Medium, P Low, O Low; C: T Medium, P Low, O Medium; D: T Medium, P Low, O High
Safety Case: A: T Medium, P Medium, O Low; B: T Medium, P Medium, O Low; C: T Medium, P Medium, O Medium; D: T Medium, P Medium, O High
Safety Audit: A: –; B: T Low, P High, O Low; C: T Low, P High, O Medium; D: T Low, P High, O High
Safety Assessment: A: –; B: T High, P Medium, O Low; C: T High, P Medium, O Medium; D: T High, P Medium, O High


Our change request to 26262-2 (3/3)

6.4.7 Confirmation measures: types, authority, competence and objectivity

6.4.7.1 The confirmation measures specified in table 2 shall be performed in accordance with the requirements in tables 1 and 2 to ensure a competent and objective evaluation.

Conflicts of interest shall be identified, documented, and justified.


Scenario 1 – Generic HRA for mechatronical product lines [16]

Brose Hazards & Risk Analyses

Internal heterogeneous team comprising
• Independent central dept. “Process Quality”
• HW Engineer
• Basis SW Engineer
• Basis SW Engineer
• Application SW Engineer
• Mechatronic test engineer
• SW system test engineer

Implicit review of the above

Project-specific documents derived from standard

Internal heterogeneous team comprising
• HW Engineer
• Basis SW Engineer
• Application SW Engineer

5) Metz P. “Experience report - Functional safety standard conformance via process monitoring using a product line approach”, IQPC conference ‘Experiences with ISO 26262’, Munich, Germany, 28th–30th March 2012


Scenario 2 – Intedis HRA Review

Creation of the HRA together with OEM engineering team

Review of the HRA by external heterogeneous team comprising
• OEM development
• OEM functional safety (Intedis)
• OEM functional safety (Intedis)
• Supplier development
• Supplier functional safety

Alignment to industries best practices

Deep understanding of use cases


Scenario 3 – Safety Assessment Tier 1

Safety assessment for a component contributing to an ASIL D safety goal.

Safety Assessment to be conducted by an internal heterogeneous team comprising
• Development Management
• Quality Management
• Testing
• Functional safety management


Conclusion (1/2)

We revealed the notion of “independence” in ISO 26262-2 as being a method instead of a goal

As a change request for the upcoming ISO 26262 revision we suggested
• replacing it with the goal of “ensure a competent & objective evaluation”
• mapping the approaches
  1. Different person, same team
  2. Person from different team
  3. Independent depts.
  4. Purely external services
  5. Internal heterogeneous teams (our new suggestion)
  6. Mixed heterogeneous teams (our new suggestion)
• a corresponding redefinition of 26262-2 clauses and tables


Conclusion (2/2)

Our 2 new methods
• solve the problem of “knowledge vs. independence” (see Kriso/Unruh)
• can be used in organizations of any size
• can be mixed with the known four, i.e. heterogeneous teams can involve representatives of independent depts. or external parties
• do not require more headcount / resource demands compared to designated independent depts.

At the present stage of ISO 26262 our suggestions would have to be agreed on with the customer


Thank you for your attention.

Questions?

[email protected]

[email protected]
