Efficient approach to manage ISO 26262 lifecycle: Principles and Practice
Dr Eckhardt Holz, 邓伟, 27 Feb 2014 (the Chinese version of the title slide is dated 24 Feb 2014)
KPIT Technologies Limited

Slide 2: ikv technologies ag, a KPIT company
- German shareholder company, recently became a KPIT family member
- Functional Safety Practice: focus on products and solutions for automotive safety, reliability and quality
- efficient team of experienced safety engineers, safety managers and software and hardware specialists
- global service, consulting and support capabilities
- 10 years in the market, 120 customers worldwide
- AUTOSAR Development Member; partner of IBM Rational and The MathWorks; sales partnership with HIRAIN Technologies in China
Our product lines: software and services for automotive safety and reliability
- medini analyze: the integrated solution for the analysis of functional safety, reliability and quality according to standards such as IEC 61508 and ISO 26262, VDA and SAE
- medini unite: the product for change and configuration management, with support for model-based software engineering

Slide 3: Functional safety: importance and definition
- the provision of any technical system may cause harm to humans: directly (burning, electrical shock, physical damage, etc.) or indirectly (pollution of the environment)
- delivering safe products is therefore an important development goal
- safety: absence of unacceptable risks
- functional safety: absence of unacceptable risks due to hazards caused by malfunctioning behaviour of the system
- the risk of the system has to be reduced to a tolerable level: a risk evaluation becomes necessary, and a definition of "tolerable" is necessary
- strong regulations are required and in place: safety standards and legal requirements emphasize safety aspects during systems engineering, e.g. ISO 26262, IEC 61508, DO-178C
- [Figure caption fragment: "... caused by malfunction of the electronic gas pedal"]

Slide 4: Safety-related activities in systems engineering processes
- hazard analysis, driving situation analysis, risk assessment, controllability analysis
- safety goals, safety requirements, functional safety concept, safety architecture
- fault tree analysis (FTA), hardware metrics, failure mode and effects analysis (FMEA), argumentation of freedom from interference
- safety validation, configuration management, change management
- safety standards like ISO 26262 require performing multiple activities and producing additional work products

Slide 5: Safety and engineering lifecycle
- ISO 26262 safety-related activities have to go hand in hand with engineering activities
- [Diagram: development (Dev) and validation (Val) lanes under configuration management, linked by import/export/generate relations between work products: item description, preliminary architecture, HAZOP, hazard and risk analysis, safety requirements, architecture (functional/structural), FMEA, FMEDA, FTA, HW models, SW models, coding, coverage analysis, unit tests and unit test reports, integration tests and reports, validation plan, validation results]

Slide 6: Role of system design models
- the system design models are a key artifact for the integration of engineering and safety activities
- many safety activities require (at least preliminary) architectural information
- safety requirements need to be realized by specific design choices, which need to be reflected in the system models
- architectural elements obtain their Safety Integrity Levels (SIL, ASIL) by allocation of safety requirements to them
- safety analyses (e.g. special architecture metrics) are performed based on architecture models
- model-based approaches are gaining increasing popularity in the automotive industry (EAST-ADL, SysML)

Slide 7: Hierarchies in automotive system development
- [Diagram: OEM, Tier 1 and Tier 1/2 semiconductor levels, decomposing Item into Subsystems, Components and HW Parts; model content per level ranges from SysML with messages and functions/malfunctions, through SysML with signals, FM, electrics, HW FM and BOM, down to SysML with subpart failures; failure data come from a SysML part library and FR/FM catalogs or databases]
- FM: Failure Mode; FR: Failure Rate; BOM: Bill Of Materials

Slide 8: Architecture (zoomed in): workflow between System Designer and Safety Engineer
- [Diagram, repeated on later slides: SysML block diagram of an airbag system with ACU (Controller), Bumper Sensor (Crash sensor), Inflator D and Inflator P (Inflator) and Power (Battery), connected through incoming/outgoing int ports]
- System Designer creates the initial architecture
- Safety Engineer adds safety data, analyzes and derives requirements (into the RMS, requirements management system)
- System Designer updates the model (enhanced architecture)
- Safety Engineer updates safety data, re-analyzes, and derives potential new requirements

Slide 9: Step 1, SysML model import into medini analyze
- development of a SysML model with Rhapsody; the model is produced as result of the ordinary development process
- the model contains parts, blocks, ports and connectors
- the SysML model is imported into medini analyze; model elements are derived according to the Rhapsody information; the Rhapsody API is applied

Slide 10: Step 2, establishing relations between model elements
- functional safety requirements are related to the imported preliminary architecture
- the imported model is traced to other model elements; an example is the allocation of functional safety requirements
- such semantic links are used to relate or compute safety information for an architecture element, e.g. ASIL

Slides 11 to 14: Step 3, specification of safety properties
- extension of the architecture by safety properties
- failure modes and failure rates must be specified for the elements of the safety architecture
- such data can be calculated or taken from common catalogs such as SN 29500, IEC 62380 or the Birolini Safety Handbook
- the quantitative verification of the architecture is based on these data
- step-by-step guidance through the catalog to determine the failure rates for all elements
- parameter values which may influence the failure rate can be defined at element level or derived from parent components
- element library imported from BOM or ECL (Excel); failure data are derived from the library and refer to the library entry; all entries with the same part number have the same failure information

Slides 15 to 18: Step 4, verification of the technical safety architecture
- the system architecture is analyzed concerning violations of the safety goal
- failure modes and rates of the architectural elements are used as source for probability values
- drag and drop from architecture to FTA; FTA trees are constructed and analyzed
- evaluation of diagnostic coverage for all Single Point Faults of components which have the potential to directly violate a safety goal
- evaluation of diagnostic coverage of all Latent Faults which, together with another fault, have the potential to violate a safety goal (required by ISO 26262 part 5)
- the tool shows whether all FRC metrics (SPF, RF, LF) are fulfilled for an element
- as result of the different safety analyses, ASILs are allocated to requirements and subsequently to architecture components; new safety requirements are derived; safety requirements are decomposed; requirements are pushed back into DOORS
- changes in the architecture may be necessary to fulfill the new or updated requirements

Slide 19: Step 5, model update in case of design change
- design changes may lead to a changed Rhapsody model, and the safety analysis needs to be repeated
- the new model can be re-imported into medini analyze and the SysML model is updated; the update includes a model compare algorithm
- all traces and safety properties previously added are preserved
- the safety analysis for the re-imported model can be redone with minimum effort

Slide 20: Consistency among design and safety analysis
- [Diagram: SysML models, Fault Tree Analysis, FMEA and FMEDA, ISO 26262 SPF and LF metrics and diagnostic coverage, and Review/Assessment Checklists, connected by Update, Derive and Review relations]

Slide 21: Benefits
- increased awareness of the engineering team for functional safety
- significant reduction of the work effort for the safety analyses in round-trip engineering
- easier comparison of different architecture variants
- consistency and traceability among the different work products, as required by ISO 26262
- clear allocation of responsibilities for system design and functional safety analysis
- avoidance of error-prone manual information duplication
- improved provision of necessary safety documentation