A Critical View on “Independence“ in ISO 26262-2
4th EUROFORUM conference “ISO 26262”, Sept 12th–14th 2012, Leinfelden-Echterdingen, Germany
Peter Grabs, Ph.D., intedis GmbH & Co. KG, Germany
Pierre Metz, Ph.D., Brose Fahrzeugteile GmbH & Co. KG, Hallstadt, Germany
© Intedis GmbH & Co. KG, Brose Fahrzeugteile GmbH & Co. KG.
All rights reserved.
Copyright: Peter Grabs; Pierre Metz. Version: 12.09.2012. Copy for conference participants.
Content
1. What ISO 26262-2 Says
2. Different Views on Independence
3. Our Considerations
4. Change Request to ISO 26262-2
5. Scenarios
“Independence“ for confirmation measures
Apparently, independence is defined in terms of organizational structure:
ISO 26262-2, clause 6.4.7
2. Different Views on Independence
Different Views on Independence (1/3)
Some third-party service providers claim:
• certification of individuals would be necessary for satisfying I1 and I2 [1]
• it would be state of the art to have safety assessments performed by accredited third parties [2,3]
• I3 would require purely external services being free of economical or any other kind of dependency to the organization assessed [2]

1) as perceived by the authors from 2009 to 2012 based on personal community communications, EUROFORUM ISO 26262 conference publications & debates, IQPC ISO 26262 conference publications & debates, VDA Sys Conference debates, public advertisements & service offers, “Functional Safety Executive Summary“ publication of the ZVEI working group on functional safety, internet articles, white papers, journal articles
2) Schmidt M., Rau M., Helmig E., Bauer B., SGS TÜV Saar, “Funktionale Sicherheit – Umgang mit Unabhängigkeit, rechtlichen Rahmenbedingungen und Haftungsfragen“ (http://www.sgs-tuev-saar.com/pdf/Fachartikel-ISO-26262-Jura-08-2011.pdf) and “Rechtliche Folgen der ISO26262“, Hanser Automotive, Germany, Nov. 2011. Quotation: “With regard to the duty of care, it is to be regarded as the state of science and technology that the ‘assessment’ part of product validation for functional safety is performed by test bodies accredited for this purpose according to ISO/IEC 17025 or ISO/IEC 17020 and not belonging to the company's own group.“ Quotation: “Real independence is only given if there is no economic or employment-law dependency of the analysing body on the manufacturing company.“
3) Molle E., Rau M. “Bestätigungsmaßnahmen der ISO 26262 und organisatorische Umsetzungsbeispiele”, Safetronic conference, Nov. 2011, Munich, Germany. Quotation: “For the highest possible risk reduction in the context of product liability it is recommended … to rely on independent test bodies accredited according to ISO/IEC 17025.”
Different Views on Independence (2/3)
Helmig [4]:
• Even an external service provider is not entirely independent as he might seek follow-up contracts
Kriso/Unruh [5]:
• Certification of processes, products, or individuals is required neither by ISO 26262 nor from a legal point of view
• “Organizational independency does not necessarily mean external“ [5,6]
• Competence is necessary for functional safety audits and assessments. However, “…the more independent a person is, the less is its specific knowledge – and vice versa“

4) Helmig E. “Funktionale Sicherheit nach ISO 26262 und Produkthaftung für No-trouble-found-Fälle“, journal „Haftpflicht International – Recht & Versicherung“, No. 1/2012, http://www.fb.tmg-web.de/genre/HI_recht_versicherung_2012_01/index.html, also available on http://www.notar-helmig.de/de/publikationen.html. Quotation: “Even an external consultant is hardly independent if, in this very limited environment of his business opportunities with only a few customers, he has to fear for the next contract.“
5) Kriso S./Unruh J. “Implementation of Functional Safety Audits and Assessments at Bosch“, IQPC conference ‘Experiences with ISO 26262‘, Munich, Germany, 28th–30th March 2012
6) FAQ Ed. 2 on the IEC internet page, answered by the IEC 61508 standardization board (IEC/SC65A/WG14), http://www.iec.ch/functionalsafety/faq-ed2/page4.htm
Different Views on Independence (3/3)
Molle/Rau [7]:
• It is considered necessary to have confirmation measures done by company-internal parties.
Technical pros and cons for external safety assessment services [8]:
• Pro: independence can be argued more easily
• Con: different assessors may have different opinions
Technical pros and cons for independent internal depts. [8]:
• Pro: more internal competence
• Con: arguing independence is more difficult
• Con: less know-how/skill at the present stage of ISO 26262 experience (a temporary issue only)
• Con: establishing central depts. next to the product lines leads to bigger organizations

7) Molle E., Rau M. “Bestätigungsmaßnahmen der ISO 26262 und organisatorische Umsetzungsbeispiele”, Safetronic conference, Nov. 2011, Munich, Germany. Quotation: “… Therefore it is unavoidable to fulfil the required confirmation measures for functional safety practicably and efficiently through company-internal organizational solutions.”
8) Taken from the reported results of the workshop “Process Experience With ISO 26262 Audits and What Can Be Concluded From These“ led by Richard Krüger, BMW AG, at IQPC conference ‘Experiences with ISO 26262‘, Munich, Germany, 28th–30th March 2012
3. Our Considerations
Step 1 – Realizing the problem
The apparent definition of “independence“ in 26262-2…
• creates confusion (e.g. whether external services are required or not, see above)
• does not prevent economical bias (e.g. external service providers might strive for follow-up contracts, see above)
• does not prevent “selective hiring“ (e.g. a customer might choose the external service provider/assessor that is “most beneficial“)
• neither addresses nor guarantees competence (see above)
• can lead to arbitrary organizational changes (e.g. establishing new depts. “just” because of ISO 26262-2)
• does not reflect psychology (e.g. in small companies, employees located close to each other and having personal interrelationships affects “independence”)
Step 2 – Drawing the conclusion
Conclusion: “Independence“ merely is a method but not a goal!
In contrast [9,10,11]: the ISO 26262 philosophy is to provide objectives and requirements instead of “hard-coded“ solutions.
Therefore: the true goal needs to be identified!

9) Statements of VDA AK 16 members and delegates to ISO/TC22/SC3/WG16, e.g. during debates at EUROFORUM ISO 26262 conferences 2010, 2011 and VDA AK 16 board meetings
10) e.g. the ‘ASIL method tables‘ are recommendations and guidance only; the actual requirements to fulfill are the goals stated in the corresponding paragraphs above. Generally, the requirements in chapters x.4 are designed to be refinements of the objectives in chapters x.1 (indirectly by means of grouping those requirements in terms of logical work products)
11) Personal opinion, and experiences with international standards, of the authors
Step 3 – Identifying the true goal
Our proposal: the goals for confirmation measures are to be
1. Objectivity of judgement [12,13], i.e. free of conflicts of interest, unbiased people
2. Competence [13,14,15] wrt. technical product details, internal processes, ISO 26262 comprehension, …

12) This goal is also explicitly required by ISO/IEC TR 15504-7 (SPICE assessment types A to D)
13) This goal is also explicitly required by ISO/IEC 15504-2
14) This goal is also explicitly required by ISO/IEC TR 15504-7 (SPICE assessment types A to D)
11) This goal is also required by Standard CMMI® Appraisal Method for Process Improvement (SCAMPI SM) A, Version 1.3, Method Definition Document, SCAMPI Upgrade Team, March 2011, HANDBOOK CMU/SEI-2011-HB-001, process step “Select and Prepare Appraisal Team”
15) Guidelines for auditing management systems (ISO 19011:2011); German and English version EN ISO 19011:2011
Step 4 – Identifying adequate methods for the identified goals
Possible methods
Already mentioned:
1. Different person, same team
2. Person from different team
3. External service providers
4. Independent depts.
Our new suggestions (do not require additional headcount/resources):
5. Internal heterogeneous teams
• internal representatives
• approval is upon the entire team
• therefore requires group consensus (no majority vote or overruling)
6. Mixed heterogeneous teams
• internal representatives
• external party representatives
• approval is upon the entire team
• therefore requires group consensus (no majority vote or overruling)
4. Change Request to ISO 26262-2
Our change request to 26262-2 (1/3)
Table 1 – Evaluation of methods wrt. the proposed goals
Columns: (O)bjectivity; Competence regarding the (T)echnical product; Competence regarding internal (P)rocesses

Method                       | Objectivity (O) | Technical product (T)  | Internal processes (P)
Different person, same team  | High            | High                   | Low
Person from different team   | Medium(a)/High  | Medium/High(b)         | Medium
Independent dept.            | Low/Medium(d)   | Medium/High(b)         | Medium(e)/High
Purely external services     | Low/Medium      | None/Low(g)/Medium(g)  | Medium(c)/High
Internal heterogeneous teams | High            | High                   | Medium(f)/High(f)
Mixed heterogeneous teams    | High            | High                   | High

a) Depending on product variants, different customers/product lines etc.
b) Depends on process maturity, e.g. High only in presence of standard processes (e.g. CMMI Maturity Level 3, SPICE Maturity Level 3, or Automotive SPICE HIS scope Capability Level 3, respectively)
c) Potential economical bias, see Helmig above
d) See Kriso/Unruh, above
e) “Psychology not reflected“, see above
f) Group consensus, but still depending on team selection
g) Depending on how familiar the particular external individual is with the company
Our change request to 26262-2 (2/3)
Table 2 – Required competence and objectivity per confirmation measure (columns A to D = ASIL A to D; T = technical product competence, P = internal process competence, O = objectivity, levels as in Table 1; “–” = no requirement)

Confirmation measure            | A                          | B                          | C                             | D
Hazard & Risk Analysis          | T High, P Low, O High (single entry for all ASILs)
Safety plan                     | –                          | T Low, P Medium, O Low     | T Low, P Medium, O Medium     | T Low, P Medium, O High
Item Integration & Testing Plan | T Medium, P Low, O Low     | T Medium, P Low, O Low     | T Medium, P Low, O Medium     | T Medium, P Low, O Medium
Validation Plan                 | –                          | T Medium, P Low, O Low     | T Medium, P Low, O Medium     | T Medium, P Low, O Medium
Safety Analyses                 | T High, P Low, O Low       | T High, P Low, O Low       | T High, P Low, O Medium       | T High, P Low, O High
Tool Qualification Report       | –                          | T Low, P Low, O Low        | T Low, P Low, O Low           | T Low, P Low, O Low
Proven-In-Use Arguments         | T Medium, P Low, O Low     | T Medium, P Low, O Low     | T Medium, P Low, O Medium     | T Medium, P Low, O High
Safety Case                     | T Medium, P Medium, O Low  | T Medium, P Medium, O Low  | T Medium, P Medium, O Medium  | T Medium, P Medium, O High
Safety Audit                    | –                          | T Low, P High, O Low       | T Low, P High, O Medium       | T Low, P High, O High
Safety Assessment               | –                          | T High, P Medium, O Low    | T High, P Medium, O Medium    | T High, P Medium, O High
Our change request to 26262-2 (3/3)
6.4.7 Confirmation measures: types, authority, competence and objectivity
6.4.7.1 The confirmation measures specified in table 2 shall be performed in accordance with the requirements in tables 1 and 2 to ensure a competent and objective evaluation.
Conflicts of interest shall be identified, documented, and justified.
5. Scenarios
Scenario 1 – Generic HRA for mechatronical product lines [16]
Brose Hazards & Risk Analyses
Generic (standard) HRA: internal heterogeneous team comprising
• Independent central dept. “Process Quality“
• HW engineer
• Basis SW engineer
• Application SW engineer
• Mechatronic test engineer
• SW system test engineer
Project-specific documents derived from the standard (implicit review of the above): internal heterogeneous team comprising
• HW engineer
• Basis SW engineer
• Application SW engineer

16) Metz P. “Experience report – Functional safety standard conformance via process monitoring using a product line approach“, IQPC conference ‘Experiences with ISO 26262‘, Munich, Germany, 28th–30th March 2012
Scenario 2 – Intedis HRA Review
• Creation of the HRA together with the OEM engineering team
• Review of the HRA by an external heterogeneous team comprising OEM development, OEM functional safety (Intedis), supplier development, supplier functional safety
• Alignment to industry best practices
• Deep understanding of use cases
Scenario 3 – Safety Assessment Tier 1
Safety assessment for a component contributing to an ASIL D safety goal.
Safety assessment to be conducted by an internal heterogeneous team comprising
• Development management
• Quality management
• Testing
• Functional safety management
Conclusion (1/2)
• We revealed the notion of “independence“ in ISO 26262-2 as being a method instead of a goal
• As a change request for the upcoming ISO 26262 revision we suggested replacing it with the goal of “ensure a competent & objective evaluation“, mapping the approaches
  1. Different person, same team
  2. Person from different team
  3. Independent depts.
  4. Purely external services
  5. Internal heterogeneous teams (our new suggestion)
  6. Mixed heterogeneous teams (our new suggestion)
  and a corresponding redefinition of 26262-2 clauses and tables
Conclusion (2/2)
Our 2 new methods
• solve the problem of “knowledge vs. independence“ (see Kriso/Unruh)
• can be used in organizations of any size
• can be mixed with the known four, i.e. heterogeneous teams can involve representatives of independent depts. or external parties
• do not require more headcount / resource demands compared to designated independent depts.
At the present stage of ISO 26262 our suggestions would have to be agreed on with the customer.
Thank you for your attention.
Questions?