Joint Approach of Automotive SPICE & Functional Safety
Presentation in the following Gate4SPICE event: 2020-01-11 Gate4SPICE Event "Quality of Software"

Contents
- Differences between Automotive SPICE and ISO 26262
- Integrated introduction of Automotive SPICE and ISO 26262
- Joint assessment of Automotive SPICE and ISO 26262

Part 1: Differences between Automotive SPICE and ISO 26262

Introduction: quality and safety
Each hazard is classified either as QM or with an ASIL (ASIL = Automotive Safety Integrity Level). Acceptable? How to measure?

For each hazardous event, three factors are rated:
- Severity (S1 to S3): the severity of potential harm to persons
- Exposure (E1 to E4): the probability of exposure regarding operational situations
- Controllability (C1 to C3): the controllability of the driver or other persons

ASIL determination table (rows: severity and exposure; columns: controllability):

    S   E     C1       C2       C3
    S1  E1    QM       QM       QM
        E2    QM       QM       QM
        E3    QM       QM       ASIL A
        E4    QM       ASIL A   ASIL B
    S2  E1    QM       QM       QM
        E2    QM       QM       ASIL A
        E3    QM       ASIL A   ASIL B
        E4    ASIL A   ASIL B   ASIL C
    S3  E1    QM       QM       ASIL A
        E2    QM       ASIL A   ASIL B
        E3    ASIL A   ASIL B   ASIL C
        E4    ASIL B   ASIL C   ASIL D

Fault classification:
- Systematic failure
- Random failure: transient or permanent

How to ensure "Quality" + "Safety"
- Safety mechanism: safety measure for the technical solution
- Safety measure related to process (product design process, product production process, product maintenance process, etc.)
- Safety / quality measures: prevent, detect, control

Content of Automotive SPICE
- HIS scope (HIS: Audi AG, BMW, DaimlerChrysler, Porsche, Volkswagen)
- VDA scope
- Ford & Volvo scope

Content of ISO 26262
- Company-level functional safety process
- Project functional safety management
- Concept and hardware phases
- Technical methods for functional safety
- Supporting processes: software tools and software components
- Safety analysis

Safety mechanism: watchdog (figure: MCU, watchdog, reset line)
- Watchdog with separate time base, without time window: the watchdog runs on its own time base. No later triggering, otherwise the fault condition is invoked. Diagnostic coverage: low.
- Watchdog with separate time base, with time window: the watchdog runs on its own time base. No later and no earlier triggering, otherwise the fault condition is invoked. Diagnostic coverage: medium.
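To make the difference in diagnostic coverage between the two watchdog variants concrete, here is an added simulation in C (example code, not part of the slide deck). The watchdog counts ticks of its own time base; a trigger later than the timeout is a fault in both variants, while only the windowed variant also treats a trigger earlier than the window opening as a fault. The window bounds, the `wd_*` function names and the task periods are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not from the slides: a watchdog driven by a separate
 * time base. win_open == 0 models the variant without a time window. */
typedef struct {
    uint32_t ticks;      /* ticks elapsed since the last valid trigger   */
    uint32_t win_open;   /* earliest allowed trigger (0 = no window)     */
    uint32_t win_close;  /* latest allowed trigger, i.e. the timeout     */
    bool     fault;      /* latched: the fault condition was invoked     */
} watchdog_t;

void wd_init(watchdog_t *wd, uint32_t win_open, uint32_t win_close) {
    wd->ticks = 0;
    wd->win_open = win_open;
    wd->win_close = win_close;
    wd->fault = false;
}

/* One tick of the watchdog's own time base. Exceeding win_close without a
 * trigger is the "no later triggering" rule shared by both variants. */
void wd_tick(watchdog_t *wd) {
    if (wd->fault) return;
    if (++wd->ticks > wd->win_close) wd->fault = true;
}

/* The monitored software triggers the watchdog. Only the windowed variant
 * rejects a trigger that arrives before win_open ("no earlier triggering"). */
void wd_trigger(watchdog_t *wd) {
    if (wd->fault) return;
    if (wd->ticks < wd->win_open) { wd->fault = true; return; }
    wd->ticks = 0;
}

/* Simulate a task that triggers the watchdog every `period` ticks
 * (0 = never) for `duration` ticks; returns true if a fault was detected.
 * Window bounds and periods are constructed values for the simulation. */
bool wd_simulate(uint32_t win_open, uint32_t win_close,
                 uint32_t period, uint32_t duration) {
    watchdog_t wd;
    wd_init(&wd, win_open, win_close);
    for (uint32_t t = 1; t <= duration; t++) {
        wd_tick(&wd);
        if (period != 0 && t % period == 0) wd_trigger(&wd);
    }
    return wd.fault;
}
```

A task that triggers on every tick (for example a runaway loop that still happens to service the watchdog) is caught only by the windowed variant, which is the gap behind the "low" versus "medium" diagnostic coverage on the slides.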
Part 2: Integrated introduction of Automotive SPICE and ISO 26262

Why is an integrated introduction needed? At the organization level, both ISO 26262 and Automotive SPICE map onto the same set of organizational processes (Process No. 1, Process No. 2, ..., Process No. n).

Example: SW architecture design. ISO 26262 asks for more in SW architecture design than Automotive SPICE does (Reference: ISO 26262-6:2018):
- 7.4.1 The description of the software architectural design shall address the following characteristics, supported by notations for software architectural design as listed.
- 7.4.3 In order to avoid systematic faults, the software architectural design shall exhibit the following characteristics by use of the principles.
- The software safety requirements shall be hierarchically allocated to the software components down to software units. As a result, each software component shall be developed in compliance with the highest ASIL of any of the requirements allocated to it.
- If a pre-existing software architectural element is used without modifications in order to meet the assigned safety requirements without being developed according to the ISO 26262 series of standards, then it shall be qualified in accordance with ISO 26262-8:2018, Clause 12.
- If the embedded software has to implement software components of different ASILs, or safety-related and non-safety-related software components, then all of the embedded software shall be treated in accordance with the highest ASIL, unless the software components meet the criteria for coexistence.
- If software partitioning (see Annex D) is used to implement freedom from interference between software components, it shall be ensured that
- Safety-oriented analysis shall be carried out at the software architectural level.
- If the implementation of software safety requirements relies on freedom from interference or sufficient independence between software components, dependent failures and their effects shall be analysed in accordance with ISO 26262-9:2018, Clause 7.
- Depending on the results of the safety-oriented analyses at the software architectural level in accordance with 7.4.10 or 7.4.11, safety mechanisms for error detection and error handling shall be applied.
- 7.4.14 The software architectural design shall be verified in accordance with ISO 26262-8:2018, Clause 9 and by using the software architectural design verification methods listed in Table 4 to provide evidence that the following objectives are achieved:

How to implement: development lifecycle

How to implement: templates + checklist
- Automotive SPICE base practices (BP1, BP2, BP3 interface, BP4 resource, BP5 resource, BP6) alongside ISO 26262-6 requirement 7.4.3
- ISO 26262-6 requirements 7.4.6 and 7.4.7, plus templates for safety analysis (SW-FMEA + SW-DFA)

How to implement: workflow (procedure): SW-FMEA, SW-DFA, SW-FFI

Overall process definition

ISO 26262 project roadmap (ISO 26262 + ASPICE CL 2), milestones as they appear on the slide:
- ASPICE round 4
- ASPICE round 3: safety case
- ASPICE round 2: qualification of software tools and of software/hardware components; technical methods for functional safety; hardware phase + safety analysis (FMEA/FTA/DFA)
- ASPICE round 1: functional safety plan; functional safety templates
- ISO 26262 process certification
- ASPICE CL 2

Part 3: Joint assessment of Automotive SPICE and ISO 26262

Confirmation measures (Reference: ISO 26262-2:2018)
The project process produces work products, which are delivered as the product. Three confirmation measures apply:
- Functional safety audit: evaluates the implementation of the processes required for the functional safety activities
- Confirmation review: checks the compliance of critical work products to the corresponding requirements of ISO 26262
- Functional safety assessment: evaluates the functional safety achieved by the item

Required independence for the confirmation measures
The confirmation measures, as a matter of principle, need to be performed by independent professionals. Further requirements are:
- "-": no requirements
- I0: the confirmation measure should be performed by a different person (recommendation)
- I1: the confirmation measure shall be performed by a different person (mandatory)
- I2: the confirmation measure shall be performed by a member of a different team (different direct supervisor)
- I3: the confirmation measure shall be performed by a person from a different department or organisation (independence in terms of management, resources and responsibility for production approval)

Exercise: organizational chart
- CEO
  - Head of Development: three project teams, each with PM1/SM1/SW1/HW1/SYS1, PM2/SM2/SW2/HW2/SYS2, PM3/SM3/SW3/HW3/SYS3
  - Head of Quality: Safety Leader, Internal Auditor, Internal Assessor, Internal Experts, QAs
- 3rd party (e.g. IQI, SGS)
- Legend: PM = Project Manager, SM = Safety Manager, SW = Software Engineer, HW = HW Engineer, SYS = System Engineer
The safety plan was produced by SM3. The confirmation review of the completeness of the safety plan should be performed. Which levels of independence can be realized in this organizational chart?
Answer marked on the slide: I1 (SW3), I2 (SW1), I3.

Independence for the ASPICE assessment

An independent professional shall be authorized and competent:
- 5.4.2.8 The organization shall ensure that the persons performing or supporting the safety activities are given sufficient authority to fulfil their responsibilities.
- 5.4.4.1 The organization shall ensure that the persons involved in the execution of the safety lifecycle have a sufficient level of skills, competence and qualification corresponding to their responsibilities.
Levels of competence, for example: supervised practitioner, practitioner, expert.
Competence demonstration can be based on:
- Participation in similar development projects
- Participation in seminars and trainings
- Professional certificates and accreditations (e.g. the AFSP qualification of SGS-TÜV Saar)

Confirmation review: check the compliance of critical work products to the corresponding requirements of ISO 26262.

Steps of the confirmation review
- Step 1: Map the project work product to the ISO 26262 work product. E.g. project work product "Project plan (including safety activities planning)" maps to the ISO 26262 work product "Safety plan".
- Step 2: Get the specific requirements of ISO 26262. E.g. for the safety plan:
  - Part 2: 6.5.1 Safety plan, resulting from requirements 6.4.3 to 6.4.5
  - Part 3: 6.5.2 Safety plan (refined), resulting from requirements 6.4.2.5 to 6.4.2.9
  - Part 4: 5.5.2 Safety plan (refined), resulting from requirements 5.4.1 to 5.4.4
  - Part 5: 5.5.1 Safety plan (refined), resulting from requirements 5.4.1 to 5.4.4
  - Part 6: 5.5.1 Safety plan (refined), resulting from requirements 5.4.1 to 5.4.7
  - Part 8: 10.5.2 Documentation guideline requirements, resulting from requirements 10.4.3 to 10.4.6
- Step 3: Conduct the confirmation review and record the result and the open issues. The specific requirements of ISO 26262 are the review criteria.
- Step 4: Manage the open issues to closure and formulate the confirmation review report.

Functional safety audit: evaluates the implementation of the processes required for the functional safety activities. The project implementation is checked for compliance with:
- the activities defined in the safety plan
- organization-specific rules and processes
- ISO 26262 requirements

Functional safety audit & Automotive SPICE assessment
Both focus on process and measure the effectiveness of the process implementation. ISO 26262-2 states: "A functional safety audit can be performed together, or synchronized, with an Automotive Software Process Improvement and Capability determination assessment (see also the ISO/IEC 33000 series of standards). However, an Automotive SPICE assessment is not sufficient to perform the functional safety assessment in accordance." (Reference: ISO 26262-2)

The functional safety audit method has not been defined in ISO 26262; the SPICE assessment method (ISO/IEC 15504-2 or ISO/IEC 33002) can be adopted (Reference: ISO/IEC 15504-2:2003, Figure 1):
- Evidence collection from documents and affirmations
- Rating criteria: N, P, L, F

Process attribute (PA) rating
Process Attributes (PA) ar