1 Introduction
In recent years, components within vehicles have increasingly been displaced
by electronic components that take over additional control, monitoring and
diagnostic functions. The consequence is an increased complexity of the safety
requirements, of the preventive actions needed to avoid faulty states and
failures of those components, and of the documentation in the form of safety
confirmations or certificates.
The European Standard DIN EN 61508 [1] has applied since August 2004 as a master
standard for the functional safety of electrical, electronic and programmable
electronic safety-related systems (E/E/EPS) and components. It contains a generic
solution for all activities during the safety life cycle of E/E/EPS that perform
safety functions. Based on the various fields of application of E/E/EPS, tailored
standards were established, e. g. IEC 61513 [2] for nuclear power stations or
ISO EN 12100 [3] for work machines. An adapted standard for functional safety
within the automotive sector [4] is in preparation.
Although methods exist for specifying the safety requirements necessary to
obtain the required functional safety level of the E/E/EPS, the treatment of
functional safety is still not an integral element within the automotive
industry.
In the following, a brief survey of standards related to safety projects is
given, and the way from the meta safety standard IEC 61508 to a tailored ISO
safety standard for the automotive industry is explained. The safety life cycle
according to the new standard and the activities necessary to achieve functional
safety during the development phase are shown, and methods such as hazard
analysis and risk assessment are explained. Additional methods applicable during
the safety life cycle are then presented briefly.
The basis for all safety activities and developments is the installation,
implementation and application of the common quality standards, such as
ISO/TS 16949 [5], which states particular requirements for the application of
ISO 9001:2000 for automotive production and relevant service part organizations,
or the guidelines for dependability management [6], as well as neighbouring
engineering standards such as the so-called V-Modell or ISO/IEC 12207 for
software life cycle processes [7].
Specific design instructions, such as the standardised E-Gas safety concept or
equivalent type approval regulations, help in collecting safety requirements.
Additionally, the assessment models provided assist in checking the quality of
the development and safety process.
According to the ISO draft, functional safety is given if and only if “… a vehicle
function does not cause any intolerable endangering states, which are resulting
from specification, implementation or realisation errors, failure during operation
period, reasonably foreseeable operational errors [and/or] reasonably foreseeable
misuse.”
In this context the term “risk” is defined as the combination of the probability of a
harm/damage occurring and the severity of the evolving harm or damage.
3 The functional safety process within the automotive safety life cycle
Like IEC 61508, the automotive safety standard is based on a safety life cycle
approach. The description, the allocated activities and the requirements are
therefore based on this automotive safety life cycle. It encompasses the
principal safety activities during the concept phase, product development and
product release. The planning, coordination and documentation of these
activities for all phases of the life cycle is a central management task.
As can be seen in figure 2, the safety life cycle can be separated into three
phases, i. e. the concept phase, the product development phase, and the phase
after start of production (SOP). The management of functional safety and the
supporting processes apply to all activities during the safety life cycle. The
first step is to install a management of functional safety: the responsibilities
of the persons, departments and organisations in charge of each phase of the
overall safety life cycle, or of activities within the various phases, have to
be defined. This relates both to the activities necessary to ensure the required
functional safety of the item and to the confirmation of the functional safety
measures.
The concept phase can again be separated into three sub-phases, which are
described in detail in the new ISO standard. Firstly, the item under
consideration has to be defined; then the safety life cycle of this item has to
be installed, a hazard analysis and risk assessment has to be performed, and a
functional safety concept has to be set up. During the product development
phase, system analysis and the allocation of functional safety requirements are
separated for hardware and software. The detailed planning of operation, service
and decommissioning is also described within the new standard. The driver
controllability assumed during hazard analysis and risk assessment has to be
verified during this phase. External measures for risk reduction that are
independent of the system under consideration, such as a tunnel ventilation
system, are to be considered, too. Purely mechanical risk-reducing measures fall
into the category of “other technology”.
It must be emphasized that the management of functional safety, as well as
supporting processes such as a document management system, requirements
management system, configuration management system, change management system
and supplier management system, together with employee training and project
planning, are applicable to the whole life cycle.
Figure 3 shows the elements of the automotive safety process in more detail.
Depending on the ASIL, safety requirements result from the new standard
regarding safety integrity attributes (how good), e. g. 10^-x dangerous failures
per hour, and functional requirements (what), e. g. avoiding undesirable events
such as wrong signals. With the safety requirements in mind, the realization of
the function, i. e. the development, can be started. Safety analyses verify and
validate the safety requirements. Such analyses are, for example, Failure Mode
and Effect Analysis, Fault or Event Tree Analysis, Reliability Block Diagrams,
Markov Analysis etc.
The Failure Mode and Effect Analysis (FMEA) (see e. g. [9], [10]) is a method
used for the identification of potential failure/error types in order to define
their effect on the examined object (system, segment, SW/HW unit) and to
classify the failure/error types with regard to criticality or persistency. This
is to prevent failures/errors, and thus weak points in the design, which might
result in an endangering or loss of the system/software and/or in an endangering
of the persons connected with the system/software. The FMEA is also to state
results for corrective measures, for the definition of test cases and for the
determination of the operating and application conditions of the system/software.
The Failure Mode, Effect and Diagnostic Analysis (FMEDA) is an extended FMEA in
which the diagnostic coverage of occurring failures or errors can be
quantitatively classified.
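The quantitative side of an FMEDA is simple bookkeeping over the failure modes of a component, which the following added example carries out. It is not code from the paper: each failure mode is given a constant failure rate in FIT, a safe/dangerous classification and a flag saying whether a diagnostic detects it, and from these the dangerous-undetected rate, the diagnostic coverage and the safe failure fraction (the latter as defined in IEC 61508) are derived. The pedal-input component, its failure modes and all rates are constructed sample data.

```python
"""FMEDA bookkeeping for one component.

Added example, not from the paper: a small FMEDA calculator. Each failure
mode carries a constant failure rate in FIT (failures per 10^9 hours), a
safe/dangerous classification and a flag saying whether an on-board
diagnostic detects it. The component, its failure modes and all rates are
constructed sample data, not figures from the paper.
"""
from dataclasses import dataclass
from typing import Dict, List

FIT = 1e-9  # one FIT = one failure per 10^9 hours


@dataclass(frozen=True)
class FailureMode:
    name: str
    rate_fit: float   # constant failure rate of this mode, in FIT
    dangerous: bool   # True if the mode can violate the safety function
    detected: bool    # True if a diagnostic measure reveals the mode


def classify(modes: List[FailureMode]) -> Dict[str, float]:
    """Sum the rates into the four FMEDA classes lambda_SD, lambda_SU,
    lambda_DD and lambda_DU (safe/dangerous x detected/undetected)."""
    totals = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0}
    for m in modes:
        key = ("D" if m.dangerous else "S") + ("D" if m.detected else "U")
        totals[key] += m.rate_fit
    return totals


def diagnostic_coverage(modes: List[FailureMode]) -> float:
    """Share of the dangerous failure rate that diagnostics detect."""
    t = classify(modes)
    dangerous = t["DD"] + t["DU"]
    return t["DD"] / dangerous if dangerous else 1.0


def safe_failure_fraction(modes: List[FailureMode]) -> float:
    """SFF = (lambda_S + lambda_DD) / lambda_total, as defined in IEC 61508."""
    t = classify(modes)
    total = sum(t.values())
    return (t["SD"] + t["SU"] + t["DD"]) / total if total else 1.0


def dangerous_undetected_per_hour(modes: List[FailureMode]) -> float:
    """lambda_DU in failures per hour: the residual no diagnostic catches."""
    return classify(modes)["DU"] * FIT


# Constructed sample: an analogue pedal-position input channel whose
# diagnostics are a plausibility check and a watchdog.
PEDAL_INPUT = [
    FailureMode("open circuit", 20, dangerous=False, detected=True),
    FailureMode("short to ground", 15, dangerous=True, detected=True),
    FailureMode("short to supply", 10, dangerous=True, detected=True),
    FailureMode("drift beyond tolerance", 5, dangerous=True, detected=False),
    FailureMode("stuck at last value", 10, dangerous=True, detected=True),
    FailureMode("intermittent contact", 4, dangerous=False, detected=False),
]

if __name__ == "__main__":
    for k, v in classify(PEDAL_INPUT).items():
        print(f"lambda_{k} = {v:5.1f} FIT")
    print(f"DC  = {diagnostic_coverage(PEDAL_INPUT):.3f}")
    print(f"SFF = {safe_failure_fraction(PEDAL_INPUT):.3f}")
    print(f"lambda_DU = {dangerous_undetected_per_hour(PEDAL_INPUT):.2e} /h")
```

The dangerous-undetected rate is the figure that feeds the "10^-x dangerous failures per hour" attribute mentioned above; raising the diagnostic coverage moves rate out of lambda_DU into lambda_DD without changing the total.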
Reliability Block Diagrams (RBDs) (see e. g. [11], [12]) establish system
reliability on a modular or block-oriented basis rather than on a component
basis, using a block diagram approach. The objective is to develop a reliability
model using blocks or modules to make the model easier to understand and to
change. As a quantitative reliability parameter can be allocated to each block
or module, the system design, i. e. whether the blocks/modules are arranged in
series and/or in parallel, redundancies etc., is strongly taken into account,
and the overall system reliability can be calculated quite easily. For complex
systems, RBDs make the reliability of a system much easier to understand, expose
weaknesses much more quickly, and make what-if analyses much easier.
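The series/parallel evaluation and the what-if analysis described above can be carried out by a few lines of code; the following added example (not from the paper) does so. Each block carries a constant failure rate, blocks compose in series, in parallel or as k-out-of-n voting groups, and block failures are assumed independent, which is the usual RBD assumption. The sensor/ECU/actuator architecture, block names and failure rates are constructed for illustration.

```python
"""Reliability block diagram (RBD) evaluation.

Added example, not from the paper: blocks with constant failure rates
(exponential lifetime model) composed in series, in parallel (active
redundancy) or as k-out-of-n groups, assuming independent block failures.
The sample architecture, names and rates are constructed.
"""
import math
from itertools import combinations


class Block:
    """One component with constant failure rate lam (per hour)."""

    def __init__(self, name: str, lam: float) -> None:
        self.name, self.lam = name, lam

    def reliability(self, t: float) -> float:
        return math.exp(-self.lam * t)


class Series:
    """Every child must survive: R = product of the child reliabilities."""

    def __init__(self, *children) -> None:
        self.children = children

    def reliability(self, t: float) -> float:
        return math.prod(c.reliability(t) for c in self.children)


class KOutOfN:
    """At least k of the n children must survive; k=1 is plain parallel."""

    def __init__(self, k: int, *children) -> None:
        if not 1 <= k <= len(children):
            raise ValueError("k must be between 1 and the number of children")
        self.k, self.children = k, children

    def reliability(self, t: float) -> float:
        rs = [c.reliability(t) for c in self.children]
        n = len(rs)
        total = 0.0
        # Sum the probability of every survivor set with at least k members.
        for m in range(self.k, n + 1):
            for alive in combinations(range(n), m):
                p = 1.0
                for i in range(n):
                    p *= rs[i] if i in alive else 1.0 - rs[i]
                total += p
        return total


def Parallel(*children) -> KOutOfN:
    """1-out-of-n active redundancy."""
    return KOutOfN(1, *children)


# Constructed sample architecture: sensor -> redundant ECU pair -> actuator.
SENSOR = Block("sensor", 1e-5)
ECU_A, ECU_B = Block("ecu_a", 2e-5), Block("ecu_b", 2e-5)
ACTUATOR = Block("actuator", 5e-6)
SYSTEM = Series(SENSOR, Parallel(ECU_A, ECU_B), ACTUATOR)


def what_if_single_ecu(t: float) -> float:
    """What-if: drop the redundant ECU; returns the reliability lost."""
    single = Series(SENSOR, ECU_A, ACTUATOR)
    return SYSTEM.reliability(t) - single.reliability(t)


if __name__ == "__main__":
    t = 10_000.0  # hours
    print(f"R_system({t:.0f} h) = {SYSTEM.reliability(t):.4f}")
    print(f"redundant ECU adds {what_if_single_ecu(t):.4f}")
```

Because every composite exposes the same reliability(t) method, a what-if analysis is just a second model built from the same blocks, exactly the kind of quick comparison the text credits RBDs with.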
The Fault Tree Analysis (FTA) (see e. g. [13], [15]) is a method to identify
potential design weaknesses using a highly detailed logic diagram depicting basic
faults and events that can lead to system failure and/or a safety hazard. As a
top-down approach to failure analysis, the FTA starts with an undesirable event
(top event) such as a failure or malfunction and determines all the ways in
which it may happen. The analysis proceeds by determining how these top events
can be caused by individual or combined lower-level failures or events.
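The "all the ways it may happen" of a fault tree are its minimal cut sets, and the top-event probability follows from the gate logic. The added example below (not code from the paper) evaluates a small tree both ways: the gate formulas give the exact probability when basic events are independent and appear once, and the cut-set enumeration gives the combinations of basic events that are each sufficient for the top event. The brake-assist tree, event names and probabilities are constructed for illustration.

```python
"""Fault tree analysis (FTA): top-event probability and minimal cut sets.

Added example, not from the paper: basic events carry a probability of
being in the failed state and are assumed independent; AND/OR gates combine
them. The tree, event names and probabilities are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Event:
    name: str
    prob: float


@dataclass(frozen=True)
class Gate:
    kind: str                  # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[Event, Gate]
CutSet = FrozenSet[str]


def probability(node: Node) -> float:
    """Top-event probability from the gate formulas. Exact only if each basic
    event appears once; a repeated event breaks the independence assumed."""
    if isinstance(node, Event):
        return node.prob
    ps = [probability(c) for c in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimize(sets: List[CutSet]) -> List[CutSet]:
    """Keep only minimal cut sets: drop any set having a proper subset present."""
    unique = set(sets)
    minimal = [s for s in unique if not any(o < s for o in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def cut_sets(node: Node) -> List[CutSet]:
    """Enumerate minimal cut sets top-down: OR unites the inputs' cut sets,
    AND combines one cut set from every input."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    per_input = [cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        combined = [s for sets in per_input for s in sets]
    else:
        combined = [frozenset()]
        for sets in per_input:
            combined = [a | b for a in combined for b in sets]
    return minimize(combined)


def rare_event_approximation(sets: List[CutSet], probs: Dict[str, float]) -> float:
    """Sum over cut sets of the product of their event probabilities: an upper
    bound on the top-event probability, tight when probabilities are small."""
    total = 0.0
    for s in sets:
        p = 1.0
        for name in s:
            p *= probs[name]
        total += p
    return total


# Constructed sample tree: loss of a brake-assist function.
SENSOR_A = Event("pressure_sensor_a", 1e-3)
SENSOR_B = Event("pressure_sensor_b", 1e-3)
POWER = Event("ecu_power_loss", 1e-5)
SW = Event("sw_fault", 1e-4)
WATCHDOG = Event("watchdog_fail", 1e-2)
BASIC_EVENTS = {e.name: e.prob for e in (SENSOR_A, SENSOR_B, POWER, SW, WATCHDOG)}

BRAKE_ASSIST_LOSS = Gate("OR", (
    Gate("AND", (SENSOR_A, SENSOR_B)),  # both sensors fail
    POWER,                              # single-point failure
    Gate("AND", (SW, WATCHDOG)),        # software fault the watchdog misses
))

if __name__ == "__main__":
    print(f"P(top) = {probability(BRAKE_ASSIST_LOSS):.3e}")
    for s in cut_sets(BRAKE_ASSIST_LOSS):
        print("minimal cut set:", sorted(s))
```

A single-event cut set such as ecu_power_loss is the design weakness the method is meant to expose: it is a single point of failure regardless of how small its probability is.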
The Markov Analysis (for an overview see [14]) provides a means of analysing the
reliability and availability of systems whose components exhibit strong
dependencies. Other system analysis methods such as FTA often assume component
independence, which may lead to optimistic predictions for the system
availability and reliability parameters. Some typical dependencies which can be
handled using Markov models are cold or warm standby redundancies, maintenance
etc. The major drawback of Markov methods is that Markov diagrams for large
systems are generally exceedingly large and complicated and difficult to
construct. However, Markov models may be used to analyse smaller systems with
strong dependencies that require accurate evaluation.
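The two dependencies the text names, standby redundancy and maintenance, are small enough to work through by hand, and the following added example (not from the paper) does so with a minimal continuous-time Markov chain solver that integrates the Kolmogorov forward equations dP/dt = P Q. It shows a cold standby pair against the active-parallel model an RBD would use, and a repairable pair with one shared repair crew against independent repair, which is where the independence assumption turns out optimistic. All rates, state numberings and function names are constructed choices of this example.

```python
"""Continuous-time Markov chain (CTMC) analysis of dependent components.

Added example, not from the paper: RK4 integration of dP/dt = P Q applied
to standby redundancy and shared maintenance, compared with the figures an
independence-based RBD gives. Rates and state numberings are constructed.
"""
import math
from typing import Dict, List, Tuple

Rates = Dict[Tuple[int, int], float]  # {(from_state, to_state): rate per hour}


def generator(n: int, rates: Rates) -> List[List[float]]:
    """Build the n x n generator matrix Q; each row sums to zero."""
    q = [[0.0] * n for _ in range(n)]
    for (i, j), r in rates.items():
        q[i][j] += r
        q[i][i] -= r
    return q


def solve_ctmc(q: List[List[float]], p0: List[float], t: float,
               steps: int = 4000) -> List[float]:
    """State probabilities at time t, classical RK4 on dP/dt = P Q."""
    n = len(q)
    h = t / steps

    def deriv(p: List[float]) -> List[float]:
        return [sum(p[i] * q[i][j] for i in range(n)) for j in range(n)]

    p = list(p0)
    for _ in range(steps):
        k1 = deriv(p)
        k2 = deriv([p[i] + 0.5 * h * k1[i] for i in range(n)])
        k3 = deriv([p[i] + 0.5 * h * k2[i] for i in range(n)])
        k4 = deriv([p[i] + h * k3[i] for i in range(n)])
        p = [p[i] + h / 6.0 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i])
             for i in range(n)]
    return p


# Dependency 1: cold standby. Only one unit runs, so only one can fail.
# States: 0 = primary running, standby idle; 1 = standby running; 2 = both failed.
def cold_standby_reliability(lam: float, t: float) -> float:
    q = generator(3, {(0, 1): lam, (1, 2): lam})
    p = solve_ctmc(q, [1.0, 0.0, 0.0], t)
    return p[0] + p[1]


def active_parallel_reliability(lam: float, t: float) -> float:
    """Both units running from the start: what an independent 1-out-of-2
    RBD models, i.e. 1 - (1 - e^{-lam t})^2."""
    q = generator(3, {(0, 1): 2 * lam, (1, 2): lam})
    p = solve_ctmc(q, [1.0, 0.0, 0.0], t)
    return p[0] + p[1]


# Dependency 2: shared maintenance, one repair crew for two units.
# States: 0 = both up, 1 = one down, 2 = both down (system unavailable).
def steady_state_unavailability(lam: float, mu: float, crews: int) -> float:
    """1-out-of-2 repairable pair. crews=1: a failed unit may wait for the
    crew; crews=2: independent repair, equal to the RBD figure
    (lam/(lam+mu))^2. Integrates long enough to reach steady state."""
    q = generator(3, {(0, 1): 2 * lam, (1, 0): mu,
                      (1, 2): lam, (2, 1): crews * mu})
    return solve_ctmc(q, [1.0, 0.0, 0.0], t=30.0 / mu)[2]


if __name__ == "__main__":
    lam, mu, t = 1e-3, 1e-2, 1000.0
    print(f"cold standby    R({t:.0f} h) = {cold_standby_reliability(lam, t):.4f}"
          f"  (closed form {math.exp(-lam * t) * (1 + lam * t):.4f})")
    print(f"active parallel R({t:.0f} h) = {active_parallel_reliability(lam, t):.4f}")
    print(f"unavailability, 1 crew : {steady_state_unavailability(lam, mu, 1):.5f}")
    print(f"unavailability, 2 crews: {steady_state_unavailability(lam, mu, 2):.5f}"
          f"  (RBD independence {(lam / (lam + mu)) ** 2:.5f})")
```

With one repair crew the unavailability is roughly twice the independent-repair value for these rates, which is the optimistic-prediction effect the text warns about; the chain has three states here, and the drawback of the method becomes visible as soon as several such dependencies are modelled together, since the state count multiplies.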
The V-model describes the general development steps. Starting with the
requirement specification at the top of the left side, the specific safety
activities here are to define the top safety goals and the functional safety
concept. During architecture and system design, the technical safety concept has
to be defined. During HW and SW component design, measures for fault avoidance
and mitigation have to be described before implementation. All safety
requirements are covered backwards by appropriate safety analyses. On the right
side of the V-model, requirements are covered by testing.
At the end of the safety process, the safety concept covers any credible failure.
The correct implementation of the system is validated by tests where the test
coverage is constrained by the corresponding ASIL (compare figure 5).
4 Summary
Safety turns out to be one of the key issues of (future) automobile development
as new functionalities such as driver assistance, dynamics control and
additional safety systems increasingly emerge.
Vehicles shall be constructed and equipped such that under normal operating
conditions no one is inevitably harmed or endangered, hampered or harassed, that
the passengers are protected as far as possible against accidental injuries, and
that the extent and the consequences of injuries are as small as possible.
The basic idea behind reducing the risk emanating from vehicle systems is that,
based on the severity of possible accidents, the probability of exposure to
certain driving situations and the risk reduction due to external measures,
i. e. the controllability by the driver, a safety class (ASIL) is defined which,
provided that all requirements are satisfied, reduces the intolerable risk to a
tolerable residual risk, see also figure 6.
It is therefore the aim of the new automotive standard to support and facilitate
the development of safe products in the automotive industry. This standard sets
out an approach for all safety life cycle activities for safety-related systems
comprised of electrical and/or electronic and/or programmable electronic
components.
In this paper, based on the automotive safety life cycle, a brief overview has
been given of the safety process elements, ASIL determination, management and
supporting processes, and the safety methods needed to verify and validate the
safety requirements set by the corresponding ASIL according to the new
automotive safety standard.
5 References