Be ingenious
Challenges Implementing Functional Safety for Commercial Vehicles
Functional Safety Competence Cluster, BRACE Automotive
Bart Oosthoek
Content
o Short introduction BRACE Automotive FSM cluster
o Functional Safety and the SE approach
o Challenges? Why not just use the new ISO 26262?
o The breakdown approach
o Raised Questions
o BRACE Automotive is active in the specialized domains powertrain, interior and chassis systems.
o Our services incorporate mechanical, mechatronics and software aspects in automotive system development and integration.
o As a service provider we tailor our services around the heartbeat of our customers’ projects to deliver practical, agile and smart solutions.
o We typically distinguish different service levels: from resource staffing for client teams to our own knowledge products offered in our consultancy services.
o Partnerships:
Competence Functional Safety
o The FSM services include implementation of development processes, methodologies and tools according to ISO 26262, INCOSE and other standards, aiming to demonstrate their appropriateness on application projects.
o We do not impose a fixed process. Starting with a gap analysis, from which our functional safety experts derive the changes that need to be implemented, we deliver appropriate tools, version management systems, requirements management systems and methods such as HARA and FSM concepts.
o In addition, technical activities in functional safety can also be offered. Not only do we know how to make the processes; we also know how to use them.
Functional Safety? What and How.
o Ensuring the safe execution of the design intent under all conditions
o Safe execution has the objective of removing unacceptable risk of injury and damage to health and environment
o Capability to reduce risk can be indicated with an Integrity Level (e.g. PL, AgPL, SIL or ASIL)
o End-to-end scope, but (most) industry standards only address E/E systems
Functional Safety? What and How.
o Meticulous engineering can be achieved using primary process areas
o Risk identification
o Use of accepted FuSy Standard
o Various Safety lifecycles based on primary process areas
Functional Safety? What and How.
[Figure: risk chain] Failure (non-fulfilled function) → Hazard (severity and controllability) → Trigger (exposure, presence of actor) → Harm
Functional Safety? What and How.
o SIL = Safety Integrity Level as a general statement (AgPL, PL, SIL and ASIL)
o Risk = Harm
o Feature = System function
o Safety Function = Function to mitigate risk
o Safety Goal = High level Safety Function on vehicle or machine level
o User = Interactor with the system; can be the operator, driver, bystanders or other systems (out of scope)
o Other terminology will be explained on the way.
System Engineering? What and How.
o Engineering methodology
o Focus on complex systems over their life cycle
o Holistic view
o Interdisciplinary field
• Requirements engineering
• Controls engineering
• Industrial engineering
• Project management
• Etc.
Challenges? Why not just use the new ISO 26262?
o ISO 26262 is intended to be applied to safety-related E/E systems installed in series produced passenger cars.
o Why not just use this? Developing commercial vehicles or machines brings some additional challenges:
• Broad application with one base product
• Modular construction/configuration
• Shared responsibility with bodybuilder
• Additional standards and legislation corresponding to commercial use
Challenges? Why not just use the new ISO 26262?
o Broad application across different fields with one base product
Challenges? Why not just use the new ISO 26262?
o Shared responsibility with bodybuilder
Challenges? Why not just use the new ISO 26262?
o Standards, rules and legislation corresponding to commercial use and functional safety
• State of the art, like ISO 26262 and ISO 25119
• Generally accepted standards like IEC 61508
• Machinery Directive legislation and ECE R79 regulations
o But also standards not related to FSM that address safety in a general way
• ADR 2009, transport of dangerous goods
• Directive 91/628/EEC 1991, protection of animals during transport
• And more…
The breakdown approach
How to handle the challenges? Combine SE and FSM by breaking down:
1. The system framework
2. The functions and solutions
3. Identify the risk
4. The use of the item (application, environment and users)
5. The standards, legislation and process
The breakdown approach
2. Define the main system functions (problem domain), but how?
[Requirement diagram FR: the main vehicle functions, connected by «deriveReqt» relations]
PF01: The system shall generate power and deliver it to the road surface and vice versa
VF01: The system shall transport material from departure to destination point
CF01: The system shall support the load and vehicle subsystems in an effective, safe and comfortable manner
IF01: The system shall provide a comfortable and safe environment for the operator who controls the vehicle
The breakdown approach
Now the framework comes in handy…
[Requirement diagram FR: the main vehicle functions, connected by «deriveReqt» relations]
PF01: The system shall accelerate or decelerate the vehicle
VF01: The system shall transport material from departure to destination point
CF01: The system shall support the load and vehicle subsystems in an effective, safe and comfortable manner
IF01: The system shall provide a comfortable and safe environment for the operator who controls the vehicle
The breakdown approach
Now the main functions are defined, the solutions can be picked…
[Requirement diagram FR]
PF01: The system shall accelerate or decelerate the vehicle
The breakdown approach
3. Identify the risk
o Use the framework to define the generic vehicle functions top down.
o Use these “generic vehicle functions” within the risk assessment to create “generic hazards”
o Let’s pick the example of the powertrain function
[Requirement diagram FR]
PF01: The system shall accelerate or decelerate the vehicle
The breakdown approach
This approach defines “generic” hazards per main vehicle function, but also “generic” Safety Goals (e.g. for Powertrain):
o The vehicle shall prevent unintended acceleration
o The vehicle shall prevent unintended deceleration
o The vehicle shall prevent unintended loss of engine brake
The level of the risk is not defined yet…
The breakdown approach
4. The use of the item
Consists of:
o The application
o The environment
o And the users
The breakdown approach
To create the “generic Safety Goal” we need to add the following to the “generic defined hazards”:
o The use of the item
o The contribution of the features to the hazard
The breakdown approach
Use the breakdown approach to create item use cases:
o First the generic cases
o Then the application specific cases
o Then the feature specific cases
The breakdown approach
[Requirement diagram Overview: Vehicle → Main Vehicle Function → Safety Goal → Safety Function → Feature, with Generic use, Application use and Feature specific use (from UC) feeding in via «deriveReqt» relations]
The breakdown approach
By creating the “generic” sets with the breakdown approach:
o You only need to check whether a feature contributes to a generic hazard (is the hazard applicable)
o The level of the risk can be found by assessing the basic sets of use cases
o The SIL level of the “generic Safety Goals” is determined by combining the above.
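An added illustration of this combination step (not code from the deck or from BRACE Automotive): it rates the deck’s generic powertrain safety goals by first checking which features contribute to each generic hazard and then taking the worst rating over the assessed use cases, using the ISO 26262-3 severity/exposure/controllability table as one concrete SIL scheme. The features, use cases and their S/E/C classes are constructed assumptions.

```python
from dataclasses import dataclass

# ISO 26262-3 ASIL from S (1-3), E (1-4), C (1-3); the sum of the class ranks reproduces the table.
ASIL_BY_SUM = {7: "A", 8: "B", 9: "C", 10: "D"}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]

def asil(s: int, e: int, c: int) -> str:
    """Map S, E and C classes to QM or ASIL A-D."""
    if not (1 <= s <= 3 and 1 <= e <= 4 and 1 <= c <= 3):
        raise ValueError("S must be 1-3, E 1-4, C 1-3")
    return ASIL_BY_SUM.get(s + e + c, "QM")

@dataclass(frozen=True)
class UseCase:
    name: str             # generic, application or feature-specific use of the item
    hazard: str           # generic hazard this use case was assessed for
    severity: int         # S: severity of the harm in this use
    exposure: int         # E: how often the triggering situation occurs
    controllability: int  # C: ability of operator or bystanders to avert the harm

def rate_goal(hazard: str, features: dict, use_cases: list) -> tuple:
    """A generic goal applies only if some feature contributes to its hazard; its level is the worst rating."""
    contributors = sorted(f for f, hazards in features.items() if hazard in hazards)
    if not contributors:
        return contributors, "n/a"
    ratings = (asil(u.severity, u.exposure, u.controllability)
               for u in use_cases if u.hazard == hazard)
    return contributors, max(ratings, key=ASIL_ORDER.index, default="QM")

# Constructed sample: generic hazards of powertrain function PF01 and the deck's generic safety goals.
GENERIC_GOALS = {
    "unintended acceleration": "The vehicle shall prevent unintended acceleration",
    "unintended deceleration": "The vehicle shall prevent unintended deceleration",
    "loss of engine brake": "The vehicle shall prevent unintended loss of engine brake",
}
# Constructed features of one base product and the generic hazards they contribute to.
FEATURES = {
    "cruise control": {"unintended acceleration"},
    "retarder": {"unintended deceleration"},
    "tipper body PTO": set(),  # bodybuilder feature; touches none of these hazards
}
# Constructed use-case sets per hazard (the S/E/C classes are assumptions).
USE_CASES = [
    UseCase("generic: driving on public road", "unintended acceleration", 3, 4, 2),
    UseCase("application: reversing to loading dock", "unintended acceleration", 2, 3, 3),
    UseCase("generic: driving on public road", "unintended deceleration", 2, 4, 2),
    UseCase("feature: retarder on off-highway descent", "unintended deceleration", 3, 2, 3),
]

def assess(goals=GENERIC_GOALS, features=FEATURES, use_cases=USE_CASES) -> dict:
    """Return {safety goal text: (contributing features, level)} for every generic goal."""
    return {text: rate_goal(hazard, features, use_cases) for hazard, text in goals.items()}
```

A goal with no contributing feature comes back as "n/a" (not applicable) rather than QM, which keeps "hazard not applicable" distinct from "hazard applicable but low risk".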
The breakdown approach
A clearly defined functional framework also allows:
o Linking technical solutions to these functions (validation and verification)
o Ensuring technical solutions to Safety Functions do not violate the Safety Goal
o Identifying interfaces between subsystems and handing over to suppliers without losing traceability, with clear sharing of responsibility
o Note: the framework is company specific
The breakdown approach
5. The standards, legislation and process
[Requirement diagram PR]
PR-ISO26262-001: The organization shall create, foster, and sustain a safety culture that supports and encourages the effective achievement of functional safety.
5. Support in providing evidence and following standards and legislation
o The amount of risk is linked to the use cases and features
o Coverage of safety standards and legislation
o Conclusion: the use of one standard or SIL type is not fully feasible; perhaps create a company specific one.
[Figure, captioned “Challenges? Why not just use the new ISO 26262?”: the application types Dangerous Goods, Off-highway and Distribution mapped against IEC 61508 + ADR, IEC 61508 and ISO 26262]
Our vision on how to take on these challenges
o In short:
• Decomposition of vehicle functions to tackle shared responsibility and different configurations
• Creating vehicle and system use cases to serve the broad applications of the vehicle types
• Create a generic set of vehicle Safety Goals with the vehicle functions and use cases as parameters
• Decompose and connect the system features to create the framework for the risk assessment
• Decomposition of all relevant standard/legislation requirements
• Link the applicable standard/legislation requirements to the identified needed risk reduction and ensure the design intent (OEM specific SIL)
Our vision on how to take on these challenges
[Figure: Functional breakdown, Use breakdown, Compliance to standards/legislation]
Raised Questions
o Overlap of standard/legislation requirements with each other and with the existing OEM development process
o Is a company specific SIL a wise and feasible decision?
o Optimal choice of use cases and main vehicle functions/features
o What will be the exact responsibility of the suppliers and body/utility builders (legal possibilities etc.)?
o What if the vehicle/machine gets a second life with another application/environment? Is the OEM still responsible?
o Who is the end responsible/overall system integrator?
o …
Weber / Subke, 27.02.2015, © Conti / Softing
OBD4HDD® Special Interest Group (SIG)
Who we are:
International non-profit network with individual members who are involved in the development of automotive electronics for heavy-duty applications and the respective diagnostic functions.
Vehicle manufacturers: trucks, buses, non-road mobile machinery and their suppliers. Tool suppliers, service providers and associations.
Objectives:
Identify those aspects of diagnostic systems that have particular relevance and require specific solutions for HDD.
Assist and impact legislating, normative and administrative organizations.
OBD4HDD® Special Interest Group (SIG): Focus Groups
We defined seven main subjects related to HDD diagnostics that we are pushing forward within so-called Focus Groups. Each Focus Group is led by a chairman who coordinates the participants and the communication.
FG1: Diagnostic Communication (VCI technology, communication protocols, bus systems, …)
FG2: On-Board Emission Monitoring (detection algorithms, sensor technology, anti-tampering, …)
FG3: Diagnostic Strategy (remote diagnostics, integrated tools, cloud, standards, …)
FG4: Off-Board Diagnostic Tester Architecture and Technology (MVCI, ODX, OTX, …)
FG5: Legislation and Harmonization (trends in terms of the emission limits, monitoring requirements, …)
FG6: On-Board Diagnostic Infrastructure (distributed diagnostic system architecture, cloud-based diagnostics, AUTOSAR)
FG7: Functional Safety and OBD (functional safety for NRMM, trucks and buses)
This presentation has used images of the following commercial websites:
o Caterpillar, www.cat.com
o Komatsu, www.komatsu.eu
o DANA, www.dana.com
o Scania, www.scania.com
o DAF Trucks, www.daf.com
o ISO, www.iso.org
o Carraro, www.carrarodrivetech.com
o Leidraad SE (IVW Netherlands), www.leidraadse.nl
Q & A