Be ingenious

Challenges Implementing Functional Safety for Commercial Vehicles
Functional Safety Competence Cluster
BRACE Automotive
Bart Oosthoek

Posted 03-Nov-2019

Content

o Short introduction BRACE Automotive FSM cluster
o Functional Safety and the SE approach
o Challenges? Why not just use the new ISO 26262?
o The breakdown approach
o Raised Questions

Passionate about technology

o BRACE Automotive is active in the specialized domains powertrain, interior and chassis systems.
o Our services incorporate mechanical, mechatronics and software aspects in automotive system development and integration.
o As a service provider we tailor our services around the heartbeat of our customers’ projects to deliver practical, agile and smart solutions.
o We typically distinguish different service levels: from resource staffing for client teams to our own knowledge products offered in our consultancy services.
o Partnerships:

Competence Functional Safety

o The FSM services include implementation of development processes, methodologies and tools according to ISO 26262, INCOSE and other standards, aiming to demonstrate their appropriateness on application projects.
o We do not impose a fixed process. Starting with a gap analysis, from which our functional safety experts derive the changes that need to be implemented, we deliver appropriate tools, version management systems, requirements management systems and methods such as HARA and FSM concepts.
o In addition, technical activities in functional safety can also be offered. Not only do we know how to make the processes; we also know how to use them.

Functional Safety? What and How.

o Ensuring the safe execution of the design intent under all conditions
o Safe execution has the objective of removing unacceptable risk of injury and damage to health and environment
o Capability to reduce risk can be indicated with an Integrity Level (e.g. PL, AgPL, SIL or ASIL)
o End-to-end scope, but (most) industry standards only address E/E systems

Functional Safety? What and How.

o Meticulous engineering can be achieved using primary process areas
o Risk identification
o Use of accepted FuSy Standard
o Various Safety lifecycles based on primary process areas


Functional Safety? What and How.

To summarize and some terminology

Functional Safety? What and How.

Diagram on the slide (reconstructed from figure residue):
  Failure: non-fulfilled function
  Hazard: severity and controllability
  Trigger: exposure, presence of actor
  Harm

Functional Safety? What and How.

o SIL = Safety Integrity Level as a general statement (AgPL, PL, SIL and ASIL)
o Risk = Harm
o Feature = System function
o Safety Function = Function to mitigate risk
o Safety Goal = High level Safety Function on vehicle or machine level
o User = Interactor with the system; can be the operator, driver, bystanders or other systems (out of scope)
o Other terminology will be explained on the way.

System Engineering? What and How.

o Engineering methodology
o Focus on complex systems over their life cycle
o Holistic view
o Interdisciplinary field
  • Requirements engineering
  • Controls engineering
  • Industrial engineering
  • Project management
  • Etc.

System Engineering? What and How.

o What is a system and what is a sub-system?

System Engineering? What and How.

o Problem vs Solution Domain


Challenges? Why not just use the new ISO 26262?

o ISO 26262 is intended to be applied to safety-related E/E systems installed in series produced passenger cars.
o Why not just use this? Developing commercial vehicles or machines brings some additional challenges:
  • Broad application with one base product
  • Modular construction/configuration
  • Shared responsibility with bodybuilder
  • Additional standards and legislation corresponding to commercial use

Challenges? Why not just use the new ISO 26262?

o Broad application across different fields with one base product

Challenges? Why not just use the new ISO 26262?

o Modular construction/configuration


Challenges? Why not just use the new ISO 26262?

o Shared responsibility with bodybuilder


Challenges? Why not just use the new ISO 26262?

o Standards, rules and legislation corresponding to commercial use and functional safety
  • State of the art, like ISO 26262 and ISO 25119
  • Generally accepted standards like IEC 61508
  • Machinery Directive legislation and ECE R79 regulations
o But also those not related to FSM, but to safety in a general way
  • ADR 2009, transport of dangerous goods
  • Directive 91/628/EEC 1991, protection of animals during transport
  • And more…

The breakdown approach

How to handle the challenges?

Combine SE and FSM by breaking down the:
1. The system framework
2. The functions and solutions
3. Identify the risk
4. The use of the item (application, environment and users)
5. The standards, legislation and process

The breakdown approach

1. The system framework

The breakdown approach

2. Define the main system functions (problem domain), but how?

Requirement diagram req [Package] FR (reconstructed from the slide):
  PF01: The system shall generate power and deliver it to the road surface and vice versa
  VF01: The system shall transport material from departure to destination point
  CF01: The system shall support the load and vehicle subsystems in an effective, safe and comfortable manner
  IF01: The system shall provide a comfortable and safe environment for the operator who controls the vehicle
  Three «deriveReqt» relationships on the diagram connect these requirements.

The breakdown approach

Now the framework comes in handy….

Requirement diagram req [Package] FR (reconstructed from the slide; PF01 now reads differently):
  PF01: The system shall accelerate or decelerate the vehicle
  VF01: The system shall transport material from departure to destination point
  CF01: The system shall support the load and vehicle subsystems in an effective, safe and comfortable manner
  IF01: The system shall provide a comfortable and safe environment for the operator who controls the vehicle
  Three «deriveReqt» relationships on the diagram connect these requirements.


The breakdown approach

Now that the main functions are defined, the solutions can be picked…

Requirement diagram req [Package] FR (excerpt):
  PF01: The system shall accelerate or decelerate the vehicle

The breakdown approach

Like…

The breakdown approach

3. Identify the risk

o Use the framework to define the generic vehicle functions top down.
o Use these “generic vehicle functions” within the risk assessment to create “generic hazards”
o Let’s pick the example of the powertrain function

Requirement diagram req [Package] FR (excerpt):
  PF01: The system shall accelerate or decelerate the vehicle

The breakdown approach

This approach defines “generic” hazards per main vehicle function, but also “generic” Safety Goals (e.g. for Powertrain):

o The vehicle shall prevent unintended acceleration
o The vehicle shall prevent unintended deceleration
o The vehicle shall prevent unintended loss of engine brake

The height of the risk is not defined yet……

The breakdown approach

4. The use of the item

Consists of:
o The application
o The environment
o And the users

The application

The environment

Present actors

The breakdown approach

To create the “generic Safety Goal” we need to add the following to the “generic defined hazards”:
o The use of the item
o The contribution of the features to the hazard

The breakdown approach

Use the breakdown approach to create item use cases:
o First the generic cases
o Then the application specific
o Feature specific

The breakdown approach

Requirement diagram req [Package] Overview (reconstructed from figure residue):
  Vehicle
  Main Vehicle Function
  Safety Goal
  Safety Function
  Feature
  Generic use (from UC)
  Application use (from UC)
  Feature specific use (from UC)
  Four «deriveReqt» relationships on the diagram connect these elements.

The breakdown approach

By creating the “generic” sets with the breakdown approach:
o You only need to check if a feature contributes to a generic hazard (is the hazard applicable)
o The height of the risk can be found by assessing the basic sets of use cases
o The SIL level of the “generic Safety goals” will be determined by combining the above.
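As an added example (not code from the BRACE deck), a small Python model of the breakdown approach described above: generic hazards hang off main vehicle functions, use cases carry exposure and the actors present, and a generic Safety Goal's integrity level is the worst case over the use cases in which a contributing feature is active. The S/E/C-to-ASIL mapping is the ISO 26262-3 table; the hazard, feature and use-case data are constructed assumptions.

```python
from dataclasses import dataclass
# ISO 26262-3 ASIL determination table indexed [S-1][E-1][C-1]
# (the standard's own table, not reproduced on the slides).
ASIL_TABLE = [
    [["QM", "QM", "QM"], ["QM", "QM", "QM"], ["QM", "QM", "A"], ["QM", "A", "B"]],  # S1
    [["QM", "QM", "QM"], ["QM", "QM", "A"], ["QM", "A", "B"], ["A", "B", "C"]],     # S2
    [["QM", "QM", "A"], ["QM", "A", "B"], ["A", "B", "C"], ["B", "C", "D"]],        # S3
]
RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

@dataclass(frozen=True)
class GenericHazard:          # one "generic hazard" of a main vehicle function
    function: str             # main vehicle function, e.g. PF01
    safety_goal: str          # the "generic Safety Goal" that mitigates it
    severity: int             # S1..S3, property of the hazard (slide: Hazard -> severity)
    controllability: int      # C1..C3, property of the hazard
    harmed: frozenset         # actors that can come to harm

@dataclass(frozen=True)
class UseCase:                # one item use case
    name: str
    level: str                # "generic", "application" or "feature"
    exposure: int             # E1..E4, property of the trigger (slide: Trigger -> exposure)
    actors: frozenset         # actors present (slide: Trigger -> presence of actor)
    features: frozenset       # features active in this use case

def hazard_applicable(hazard, contributing, uc):
    """Applicable only if a contributing feature is active and a harmable actor is present."""
    return bool(uc.features & contributing) and bool(uc.actors & hazard.harmed)

def safety_goal_asil(hazard, contributing, use_cases):
    """Worst-case ASIL of a generic Safety Goal over all applicable use cases."""
    worst = "QM"
    for uc in use_cases:
        if not hazard_applicable(hazard, contributing, uc):
            continue  # hazard not applicable in this use case
        level = ASIL_TABLE[hazard.severity - 1][uc.exposure - 1][hazard.controllability - 1]
        if RANK[level] > RANK[worst]:
            worst = level
    return worst

# Constructed sample data for the deck's powertrain example (PF01); feature and actor names are assumed.
UNINTENDED_ACCEL = GenericHazard("PF01", "The vehicle shall prevent unintended acceleration",
                                 severity=3, controllability=2, harmed=frozenset({"driver", "bystander"}))
CONTRIBUTING = frozenset({"cruise_control", "power_take_off"})
USE_CASES = [
    UseCase("highway driving", "generic", 4, frozenset({"driver"}), frozenset({"cruise_control"})),
    UseCase("loading at depot", "application", 2, frozenset({"driver", "bystander"}), frozenset({"power_take_off"})),
    UseCase("parked, engine off", "generic", 3, frozenset({"bystander"}), frozenset()),
]
```

Adding an application-specific or feature-specific use case only changes the result if it makes the hazard applicable with a higher exposure; the generic hazard and Safety Goal themselves stay untouched.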

The breakdown approach

A clearly defined functional framework also allows:
o Linking technical solutions to these functions (validation and verification)
o Ensuring technical solutions to Safety functions do not violate the SG
o Identifying interfaces between subsystems and handing over to suppliers without losing traceability, with clear sharing of responsibility
o Note: the framework is company specific

The breakdown approach

5. The standards, legislation and process

Requirement diagram req [Package] PR (reconstructed from the slide):
  PR-ISO26262-001: The organization shall create, foster, and sustain a safety culture that supports and encourages the effective achievement of functional safety.

Challenges? Why not just use the new ISO 26262?

5. And support in providing evidence and following standards and legislation
o The amount of risk is linked to the use cases and features
o Coverage of safety standards and legislation
o Conclusion: The use of one standard or SIL type is not fully feasible; perhaps create a company specific one.

Diagram labels (figure residue): Dangerous Goods, Off-highway, Distribution; IEC 61508, ISO 26262, IEC 61508 + ADR

Our vision on how to take on these challenges

In short:
o Decomposition of vehicle functions to tackle shared responsibility and different configurations
o Creating vehicle and system use cases to serve the broad applications of the vehicle types
o Create a generic set of vehicle Safety Goals with the vehicle functions and use cases as parameters
o Decompose and connect the system features to create the framework for the risk assessment
o Decomposition of all relevant standard/legislation requirements
o Link the applicable standard/legislation requirements to the identified needed risk reduction and ensure design intent (OEM specific SIL)

Our vision on how to take on these challenges

Functional breakdown
Use breakdown
Compliance to standards/legislation

Raised Questions

o Overlap standard/legislation requirements with each other and with the existing OEM development process
o Is a specific company SIL a wise and feasible decision?
o Optimal choice of use cases and main vehicle functions/features
o What will be the exact responsibility of the suppliers and body/utility builders (legal possibilities etc.)?
o What if the vehicle/machine gets a second life with another application/environment? Is the OEM still responsible?
o Who is the end responsible/overall system integrator?
o ……

OBD4HDD® Special Interest Group (SIG)
(Weber / Subke, 27.02.2015, © Conti / Softing)

Who we are:
International non-profit network with individual members who are involved in the development of automotive electronics for heavy-duty applications and the respective diagnostic functions.
Vehicle manufacturers: trucks, buses, non-road mobile machinery and their suppliers. Tool suppliers, service providers and associations.

Objectives:
Identify those aspects of diagnostic systems that have particular relevance and require specific solutions for HDD.
Assist and impact legislating, normative and administrative organizations.

OBD4HDD® Special Interest Group (SIG): Focus Groups

We defined seven main subjects related to HDD diagnostics which we are pushing forward within so-called Focus Groups. Each Focus Group is led by a chairman who coordinates the participants and the communication.

FG1: Diagnostic Communication (VCI technology, communication protocols, bus systems, …)
FG2: On-Board Emission Monitoring (detection algorithms, sensor technology, anti-tampering, …)
FG3: Diagnostic Strategy (remote diagnostics, integrated tools, cloud, standards, …)
FG4: Off-Board Diagnostic Tester Architecture and Technology (MVCI, ODX, OTX, …)
FG5: Legislation and Harmonization (trends in terms of the emission limits, monitoring requirements, …)
FG6: On-Board Diagnostic Infrastructure (distributed diagnostic system architecture, cloud based diagnostics, AUTOSAR)
FG7: Functional Safety and OBD (functional safety for NRMM, trucks and buses)

This presentation has used images of the following commercial websites:
o Caterpillar, www.cat.com
o Komatsu, www.komatsu.eu
o DANA, www.dana.com
o Scania, www.scania.com
o DAF Trucks, www.daf.com
o ISO, www.iso.org
o Carraro, www.carrarodrivetech.com
o Leidraad SE (IVW Netherlands), www.leidraadse.nl

Q & A