Safety Cases and their role in ISO 26262 Functional Safety Assessment (PDF)

Uploaded by: nanchangxurui | Document ID: 7094224 | Uploaded: 2022-09-01 | Format: PDF | Pages: 12 | Size: 551.95 KB
Safety Cases and their role in ISO 26262 Functional Safety Assessment

John Birch (1), Roger Rivett (2), Ibrahim Habli (3), Ben Bradshaw (4), John Botham (5), Dave Higham (6), Peter Jesty (7), Helen Monkhouse (8), Robert Palin (9)

1 AVL Powertrain UK Ltd, Basildon, UK
2 Jaguar Land Rover, Coventry, UK
3 University of York, York, UK
4 TRW Conekt, Solihull, UK
5 Ricardo UK Ltd, Cambridge, UK
6 Delphi Diesel Systems
7 Peter Jesty Consulting Ltd, Tadcaster, UK
8 Protean Electric Ltd, Surrey, UK
9 MIRA Ltd, Nuneaton, UK

Abstract. Compliance with the automotive standard ISO 26262 requires the development of a safety case for electrical and/or electronic (E/E) systems whose malfunction has the potential to lead to an unreasonable level of risk. In order to justify freedom from unreasonable risk, a safety argument should be developed in which the safety requirements are shown to be complete and satisfied by the evidence generated from the ISO 26262 work products. However, the standard does not provide practical guidelines for how it should be developed and reviewed. More importantly, the standard does not describe how the safety argument should be evaluated in the functional safety assessment process. In this paper, we categorise and analyse the main argument structures required of a safety case and specify the relationships that exist between these structures. Particular emphasis is placed on the importance of the product-based safety rationale within the argument and the role this rationale should play in assessing functional safety. The approach is evaluated in an industrial case study. The paper concludes with a discussion of the potential benefits and challenges of structured safety arguments for evaluating the rationale, assumptions and evidence put forward when claiming compliance with ISO 26262.

Keywords. Safety cases, safety arguments, ISO 26262, automotive safety.

1 Introduction

Critical functions in road vehicles are increasingly being implemented using electrical and/or electronic (E/E) systems. The malfunctioning behaviour of these systems can contribute to the safety risk to the vehicle occupants and/or other road users. As such, it is necessary to provide assurance that any unreasonable residual risks have been avoided. The safety standard ISO 26262 has been developed to address this necessity by providing guidance, in the form of requirements and processes, for avoiding unreasonable residual risk caused by the malfunctioning behaviour of E/E systems [1]. Like many safety standards that cover complex software-based systems, ISO 26262 defines requirements for the creation of work products, i.e. outputs from the safety lifecycle, and leaves it to the developers to interpret these requirements in the context of their products [2].

In order to provide a product-specific justification, compliance with the ISO 26262 standard requires the development and evaluation of a safety case for the safety-related items. The standard defines an item as a "system or array of systems to implement a function at the vehicle level" [1]. In order to justify freedom from unreasonable risk, a safety case argument should be developed in which the safety requirements are shown to be complete and satisfied by the evidence generated from the ISO 26262 work products. However, the standard does not provide practical guidance on the development and review of the safety argument, nor does it describe how the safety argument should be evaluated in the functional safety assessment process.

In this paper, we build on the experience of the authors in developing and evaluating safety cases in the context of ISO 26262. We examine the significance and nature of the product-based safety rationale within the argument and the role this rationale should play in assessing functional safety. The paper also builds on existing work on safety cases across different domains [3-5], and in the automotive industry in particular [6, 7], taking into account issues related to product-based and process-based assurance [8], the process of compliance [9] and assessment of confidence [10, 11].

The paper is organised as follows. In Section 2, we categorise and analyse the main argument structures of a safety case and the relationships that exist between the safety case and the ISO 26262 functional safety assessment. The approach is evaluated in an industrial case study in Section 3. In Section 4, we discuss the potential benefits and challenges of structured safety arguments for evaluating the rationale, assumptions and evidence put forward when claiming compliance with the ISO 26262 standard.

2 Safety Argument Categories in ISO 26262

ISO 26262 defines a safety case as an "argument that the safety requirements for an item are complete and satisfied by evidence compiled from work products of the safety activities during development" [1]. That is, the argument should play a central role in justifying why the available evidence, in the form of work products (e.g. design and analysis artefacts), has achieved a set of safety requirements and, therefore, why an acceptable level of safety has been achieved. Compliance with ISO 26262, based on the normative parts of the standard, mandates the satisfaction of a specific set of objectives by the generation of a concrete set of work products. As a result, all E/E systems that are compliant with the standard share a common safety argument structure linking the top-level safety requirements to the available evidence. Unfortunately, this common argument structure is implicit and is not documented in the standard.

2.1 Implicit Safety Argument in ISO 26262

The implicit safety argument in ISO 26262 is centred on the following chain of reasoning (Fig. 1). A sufficient and an acceptable level of safety of an E/E system is achieved by demonstrating absence of unreasonable risk associated with each hazardous event caused by the malfunctioning behaviour of the item (other hazard causes are outside the scope of the standard). This is achieved by defining safety goals to avoid unreasonable risk through the prevention or mitigation of the identified hazardous events. A hazardous event is the occurrence of a hazard in particular operational situations. Each hazardous event is assigned an Automotive Safety Integrity Level (ASIL), based on the combination of three parameters: severity (extent of human harm), probability of exposure (to operational situations) and controllability (ability for persons at risk to take action to avoid harm). Claims are then asserted that each safety goal is satisfied by the development of a functional safety concept. The functional safety concept specifies safety measures within the context of the vehicle architecture, including fault detection and failure mitigation mechanisms, to satisfy the safety goals. Two further hierarchies of claim are defined for asserting how the functional safety concept is adequately refined and satisfied by a technical safety concept and hardware and software components (again to the required ASIL). As a result, the implicit argument follows a hierarchy of claims that can be grouped as follows:

- Safety Goals (hierarchy 1): the vehicle in its environment;
- Functional Safety Requirements (hierarchy 2): the vehicle and its systems;
- Technical Safety Requirements (hierarchy 3): the E/E system; and
- Hardware and software requirements (hierarchy 4): component and part level.

For each hierarchy, ISO 26262 prescribes evidence, in the form of work products, for substantiating these claims. Additionally, the standard identifies methods for generating these work products in accordance with the required ASIL. For example, in order to substantiate a claim that the technical safety requirements have been correctly implemented at the hardware-software level, evidence should be provided through methods such as a requirements-based test, fault injection test or back-to-back test (Table 1, Part 4). This evidence should be captured in an Integration Testing Report (Work Product 8.5.3, Part 4).

The implicit safety argument in ISO 26262 has two main categories of claim: product claims and process claims. Based on the hazard analysis and risk assessment, the product claims focus primarily on the safety goals and safety requirements (i.e. specifying and demonstrating behaviour which is free from unreasonable risk). The process claims focus on the adequacy of the organisations, people, lifecycles, methods and tools involved in the generation of the work products. The nature of these process claims and the rigour of the evidence needed to support them vary with the ASIL assigned to the safety goals and their corresponding safety requirements (i.e. high levels of risk require high levels of process rigour).

Compliance with ISO 26262 and the evaluation of the above implicit argument is demonstrated, in part, using two types of confirmation measures: functional safety audit and functional safety assessment. The requirements for both, and the necessary independence, are specified in Part 2 of the standard. The functional safety audit is concerned with reviewing the implementation of the processes required for functional safety. Functional safety assessment is concerned with making a judgement on the functional safety achieved by the item and hence is concerned with the characteristics of the product. The assessment includes evaluating the work products specified in the item's safety plan, the required processes (i.e. the functional safety audit) and the appropriateness and effectiveness of the safety measures that are implemented.

Fig. 1. Implicit ISO 26262 Safety Argument Structure
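The implicit argument described in Section 2.1, with its four claim hierarchies and ASIL-dependent evidence, can be made explicit and checked mechanically. The following Python is an added example, not code from the paper or its authors: it models a claim tree and reports the gaps a functional safety assessment would look for (undeveloped claims, missing product-specific rationale for an inference, evidence generated to a lower ASIL than the claim it supports). The argument contents, the `rigour` attribute on evidence, the function names and the assumption that sub-claims simply inherit their parent's ASIL (ASIL decomposition is not modelled) are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Claim hierarchies of the implicit ISO 26262 argument (Fig. 1 of the paper),
# ordered from the vehicle level down to component/part level.
HIERARCHY = ("safety_goal", "functional_safety_requirement",
             "technical_safety_requirement", "hw_sw_requirement")
ASIL_ORDER = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


@dataclass
class Evidence:
    work_product: str  # ISO 26262 work product the evidence is captured in
    method: str        # method used to generate it
    rigour: str        # highest ASIL the method/process rigour is claimed to support (assumed attribute)


@dataclass
class Claim:
    cid: str
    level: str                   # one of HIERARCHY
    asil: str
    text: str
    rationale: str = ""          # product-specific justification for the inference to sub-claims
    children: list = field(default_factory=list)
    evidence: list = field(default_factory=list)


def check_argument(root: Claim) -> list:
    """Walk the claim tree and report structural gaps; [] means no findings."""
    findings = []

    def visit(claim, parent):
        if parent is not None:
            if HIERARCHY.index(claim.level) != HIERARCHY.index(parent.level) + 1:
                findings.append(f"{claim.cid}: level '{claim.level}' does not refine '{parent.level}'")
            # Safety requirements inherit the ASIL of the safety goal they refine;
            # ASIL decomposition is deliberately not modelled in this example.
            if ASIL_ORDER[claim.asil] < ASIL_ORDER[parent.asil]:
                findings.append(f"{claim.cid}: ASIL {claim.asil} is lower than parent {parent.cid} (ASIL {parent.asil})")
        if claim.children and not claim.rationale:
            findings.append(f"{claim.cid}: no product-specific rationale for the inference to its sub-claims")
        if not claim.children and not claim.evidence:
            findings.append(f"{claim.cid}: undeveloped claim (neither sub-claims nor evidence)")
        for ev in claim.evidence:
            if ASIL_ORDER[ev.rigour] < ASIL_ORDER[claim.asil]:
                findings.append(f"{claim.cid}: '{ev.work_product}' via {ev.method} was generated to "
                                f"ASIL {ev.rigour} rigour but the claim is ASIL {claim.asil}")
        for child in claim.children:
            visit(child, claim)

    visit(root, None)
    return findings


def build_example_argument(complete: bool = False) -> Claim:
    """Constructed (hypothetical) argument for one safety goal. With complete=False
    it contains two defects an assessor should find: an evidence item generated
    to insufficient rigour and an undeveloped technical safety requirement."""
    hsr_rigour = "C" if complete else "B"
    hsr1 = Claim("HSR-1", "hw_sw_requirement", "C",
                 "Torque command is range-checked before the inverter stage",
                 evidence=[Evidence("Integration Testing Report (WP 8.5.3, Part 4)",
                                    "requirements-based test", "C")])
    hsr2 = Claim("HSR-2", "hw_sw_requirement", "C",
                 "Detected plausibility fault forces torque demand to zero",
                 evidence=[Evidence("Integration Testing Report (WP 8.5.3, Part 4)",
                                    "fault injection test", hsr_rigour)])
    tsr1 = Claim("TSR-1", "technical_safety_requirement", "C",
                 "Motor controller applies zero torque within the fault tolerant time interval",
                 rationale="Zero torque leaves the vehicle coasting, a reaction the driver can control",
                 children=[hsr1, hsr2])
    tsr2 = Claim("TSR-2", "technical_safety_requirement", "C",
                 "Driver is warned when the degraded state is entered")
    if complete:
        tsr2.evidence.append(Evidence("Integration Testing Report (WP 8.5.3, Part 4)",
                                      "requirements-based test", "C"))
    fsr1 = Claim("FSR-1", "functional_safety_requirement", "C",
                 "Implausible accelerator pedal input shall lead to a safe state with zero drive torque",
                 rationale="Pedal plausibility check plus degradation to zero torque removes the undemanded torque",
                 children=[tsr1, tsr2])
    return Claim("SG-1", "safety_goal", "C",
                 "Undemanded positive drive torque shall be prevented",
                 rationale="Hazardous event classified S3/E4/C2; safety goal prevents the malfunction",
                 children=[fsr1])


if __name__ == "__main__":
    for finding in check_argument(build_example_argument()):
        print(finding)
```

The point of the check is the one the paper makes: the tree shape is the same for every compliant item, so the value lies in the `rationale` strings and the evidence-to-ASIL match, which is exactly what `check_argument` flags when they are missing.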

2.2 Product-Specific Safety Rationale

A legitimate question at this point should be: why is it necessary to document the above safety argument if it is common to all items compliant with ISO 26262? What is the added value of developing, reviewing and maintaining this common safety argument? In this paper, we contend that the challenge does not lie in merely capturing this common, implicit, argument. Instead, most of the effort should focus on justifying, through an explicit argument structure, how one hierarchy of claims, e.g. concerning absence of unreasonable risk, is supported by another hierarchy of claims, e.g. safety goals that address any unreasonable risk (Fig. 1). These sub-arguments should capture the product-specific safety rationale which typically varies from one item to another. That is, although the overall structure of the argument is stable (i.e. assessment of hazardous events and specification, development and assessment of safety goals and safety requirements), the assurance challenge lies in providing product-specific rationale, assumptions and justifications for why, given an operational environment, a vehicle configuration and the condition of other vehicle systems, the available evidence is sufficient to support the asserted claims. Typically, these claims, and their corresponding arguments and evidence, are the focus of the functional safety assessment process as they address the product-specific safety rationale that is often associated with unique characteristics of the system and its environment.

A claim is typically made that the absence of unreasonable risk of a hazardous event has been addressed by conforming to a safety goal. However, it would be naïve to define a safety goal as simply a negation of a hazardous event and simply to assign an ASIL to that safety goal. Although this approach is arguably valid from the perspective of literal ISO 26262 compliance, it is simplistic as it limits risk mitigation to reducing the probability of the hazardous malfunction. Other risk reduction strategies related to reducing severity, improving controllability and/or reducing exposure (typically through a measure "external" to the item, which can be another E/E system) can be taken into account. For example, if a safety goal stipulates that the system shall transition to a safe state in the presence of faults that could otherwise cause the corresponding hazardous event, then an argument and evidence for why the specified safe state is considered to be adequately safe should be provided. This can be achieved by justifying that, were the vehicle behaviour in the safe state to be subject to ISO 26262 hazard classification criteria, then it would be classified QM (Quality Management). QM in ISO 26262 denotes a risk that does not require the satisfaction of any specific safety requirements, thereby implying that the level of risk is reasonable and no further risk reduction is necessary. The main claim here would be that the residual risk associated with the hazardous event, after achieving the safety goal, has been reduced to a level that is reasonable. The subsequent argument used to support such a claim would then need to explicitly assert which risk parameters (controllability, severity or exposure) would be reduced if the residual risk were classified in this way. A typical approach may be to provide an argument that some reconfiguration or degradation scheme is capable of placing a system into a safe state such that the controllability of any reaction, e.g. to an undemanded drive torque, is effectively C0 (controllable in general) whereas the hazardous event itself will have been classified with the controllability parameter taking a value of C1, C2 or C3. Another approach may be to place a system in a safe state by preventing a vehicle exceeding a speed threshold upon detection of a fault that can cause the hazardous event such that the exposure parameter that could be associated with the safe state is effectively E0 (incredible). Such reasoning is product-specific and the implicit safety argument in ISO 26262 does not prescribe any product-specific safety rationale.

The safety argument structure in Fig. 1 includes references to five product-specific safety rationale sub-arguments. These sub-arguments should provide justification for the inferential transition from one hierarchy of safety claims to another. For instance, the functional safety concept rationale argument should include a justification for why the deployment of safety measures such as fault detection, failure mitigation and/or driver warnings should lead to the satisfaction of the corresponding safety goals.
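To make the residual-risk reasoning of Section 2.2 concrete, here is an added Python example (not from the paper or its authors) that classifies a hazardous event from its severity, exposure and controllability using the ISO 26262-3 ASIL determination table, and then re-classifies the vehicle behaviour in the safe state after the claimed parameter reduction, reporting whether the residual risk comes out as QM. The hazardous event values, the safe-state claims and the helper names are constructed for illustration; the S/E/C to ASIL mapping is the standard's table, with S0, E0 or C0 yielding QM.

```python
from dataclasses import dataclass

# ISO 26262-3 ASIL determination table, indexed by severity S1..S3 and
# exposure E1..E4; each string gives the ASIL for C1, C2, C3 in turn
# (Q = QM). S0, E0 (incredible) and C0 (controllable in general) are
# handled in asil() and always yield QM.
_ASIL_TABLE = {
    1: {1: "QQQ", 2: "QQQ", 3: "QQA", 4: "QAB"},
    2: {1: "QQQ", 2: "QQA", 3: "QAB", 4: "ABC"},
    3: {1: "QQA", 2: "QAB", 3: "ABC", 4: "BCD"},
}


def asil(severity: int, exposure: int, controllability: int) -> str:
    """Return 'QM', 'A', 'B', 'C' or 'D' for an (S, E, C) classification."""
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("S must be 0..3, E 0..4, C 0..3")
    if 0 in (severity, exposure, controllability):
        return "QM"
    code = _ASIL_TABLE[severity][exposure][controllability - 1]
    return "QM" if code == "Q" else code


@dataclass(frozen=True)
class HazardousEvent:
    name: str
    severity: int
    exposure: int
    controllability: int

    @property
    def asil(self) -> str:
        return asil(self.severity, self.exposure, self.controllability)


def residual_risk_argument(event: HazardousEvent, safe_state: dict) -> dict:
    """Re-classify the behaviour in the safe state reached once the safety goal
    is achieved. `safe_state` names the risk parameter(s) the safety measure is
    claimed to reduce, e.g. {"controllability": 0} for a degradation scheme whose
    reaction is controllable in general, or {"exposure": 0} for a speed limit that
    makes the hazardous situation incredible. The result records the parameters
    the argument must explicitly assert and whether the residual risk is QM."""
    params = {"severity": event.severity, "exposure": event.exposure,
              "controllability": event.controllability}
    for key, value in safe_state.items():
        if key not in params:
            raise ValueError(f"unknown risk parameter {key!r}")
        if value > params[key]:
            raise ValueError(f"a residual-risk claim must reduce {key}, not raise it")
        params[key] = value
    residual = asil(**params)
    return {
        "hazardous_event_asil": event.asil,
        "residual_asil": residual,
        "adequately_safe": residual == "QM",
        "parameters_reduced": {k: (getattr(event, k), v) for k, v in safe_state.items()},
    }


if __name__ == "__main__":
    # Constructed hazardous event for the undemanded drive torque discussed above.
    event = HazardousEvent("undemanded drive torque", severity=3, exposure=4, controllability=2)
    print(event.asil)                                                   # C
    print(residual_risk_argument(event, {"controllability": 0}))        # degraded state, QM
    print(residual_risk_argument(event, {"exposure": 0}))               # speed limit, QM
    print(residual_risk_argument(event, {"controllability": 1}))        # only C2->C1: ASIL B, not QM
```

The last call is the case an assessor should push back on: a safe state that merely improves controllability from C2 to C1 still classifies as ASIL B for an S3/E4 event, so the "adequately safe" claim is not supported and the safety goal or the safe-state definition needs to be revisited rather than the ASIL simply re-asserted.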

3 Industrial Case Study

This case study is based on a typical electric vehicle architecture (technology-specific details have been abstracted for reasons of commercial sensitivity), in which a basic Item Definition and hazardous event are considered. The purpose of the case study is to examine the product-based safety rationale arguments, discussed in Section 2, for the corresponding Safety Goal and Functional Safety Concept.

3.1 Item Definition

The Item Definition is shown in Fig. 2. The pertinent nominal operation is as follows:

- Driver requests positive longitudinal vehicle acceleration by depressing accelerator pedal
- Accelerator pedal provides a low voltage electrical
