Category Archives: ISO 26262

How can the results of an advanced development project be reused in a production development project when executing an ISO 26262 project?


Can a production development project achieve its functional safety requirements when the preceding advanced development project did not consider functional safety?

It is not easy to satisfy functional safety requirements in a production project unless the groundwork was laid in the advanced development project.

Otherwise it will take longer than a normal production project.

How to improve this situation?

We can get a hint from the SEooC (Safety Element out of Context) section in ISO 26262-10, Clause 9.

The picture below depicts the SEooC development process and the item development process.

In general, an advanced development project starts without a customer, so its situation is similar to SEooC development: during the project many assumptions are made about the item the element will be used in and about the safety requirements allocated to it.

If the advanced development project follows the SEooC development process, i.e. records its assumptions and develops against them, production development projects can reuse its results. The additional tasks are to compare the assumptions against the actual requirements of the item and to bridge any gaps.

[Picture. SEooC development and item development process]


What does it mean to make plans in a project that requires functional safety?


I've seen many projects that were initiated without an in-depth plan. They acted as if they were ready. But they were not.

They almost always run into various kinds of trouble as time passes.

They are apt to go out of control and fall behind schedule.

The people involved in the project fight each other over responsibility.

They recognize that they should have done some activities several months ago.

They always regret it.

I hope that a project will begin only when the conditions are ready.

Otherwise the outcome is as easy to anticipate as what happens ten seconds after a person jumps forward off a bridge.

That is why I emphasize that process is very important.

To show that our safety engineering is good, compliance with the functional safety process is the basis. It won't work without it.

 

ASIL decomposition


I read an interesting discussion about ASIL decomposition. He questioned why, when ASIL C is decomposed, ASIL B(C) + ASIL B(C) is missing.

ASIL decomposition – what about the "missing" ones?
[Picture 1. ASIL decomposition. Reference 1]

To explain this, let me refer to the paper "Understanding the Use, Misuse and Abuse of Safety Integrity Levels":

"There is a move from the belief that a system can be either safe or unsafe, i.e. that safety is a binary attribute, to the acceptance that there is a continuum between absolute safety and certain catastrophe and that this continuum is a scale of risk."

In this sense, a SIL is the result of artificially dividing the continuum between absolute safety and certain catastrophe into discrete bands.

[Picture 3. ALARP: the risk continuum divided into tolerability regions. Reference 3]

Many standards adopt the SIL concept, and their SIL decomposition concepts are similar. So I'd like to explain using IEC 61508, the parent standard of functional safety, because it defines each SIL as a range of target failure measures, which is the concept needed for the explanation.

Table 1. Safety Integrity Levels and the target failure measures that have to be achieved for safety certification of a system according to IEC 61508 (with the corresponding ISO 26262 ASILs).
[Picture 2. Target level of safety for SILs. Reference 2]

For a product that has SIL 3 in low demand mode, the average probability of dangerous failure on demand (PFDavg) shall be at least 1.0E-4 and less than 1.0E-3. (The original wording "continuous mode (low demand rate)" mixes two modes: in high demand or continuous mode IEC 61508 uses the probability of dangerous failure per hour, PFH, and the SIL 3 band there is at least 1.0E-8 and less than 1.0E-7 per hour.)

If we assume that the product has two independent sub-systems with no common cause failures or dependent failures between them, both sub-systems must fail for the product to fail, so their failure probabilities multiply and we can decompose the target level of safety into two pieces.

 

Decomposition

5.0E-4 = 5.0E-1 * 1.0E-3

SIL(5.0E-4) = SIL(5.0E-1) + SIL(1.0E-3)

ASIL C = ASIL A(C) + ASIL B(C)

(The numbers are illustrative: 5.0E-4 lies in the SIL 3 band, while 1.0E-3 sits on the SIL 2 boundary and 5.0E-1 is below any SIL band. The point is that it is the product of the two sub-systems' failure probabilities, not their "sum", that has to meet the original target, and the standard's "+" notation is a shorthand for that.)

 

In this sense, the generalized decomposition rules defined in the standards are a coarse, banded version of this multiplication.

 

Then why doesn't ISO 26262 have a quantitative safety target concept? In fact it has one, but not at the system level. Similar target-based rules are defined in the proven-in-use part, the hardware component qualification part and the hardware development part (ISO 26262-5 sets target values for the probabilistic metric for random hardware failures). They are not defined in the system part or the software part, because there is no accepted reliability model for systematic software faults, and a system consists of software as well as hardware.

Why is ASIL B(C) + ASIL B(C) missing from the decomposition of ASIL C? Because the composition of the two decomposed levels is not equal to the original one. The decomposition table only lists pairs whose levels "add up" to the original ASIL (ASIL C(C) + QM(C), ASIL B(C) + ASIL A(C)); two ASIL B elements add up to the level required for ASIL D decomposition (where ASIL B(D) + ASIL B(D) does appear), so allocating them to an ASIL C requirement would over-allocate rather than decompose it.
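The two ideas above, the product of independent sub-system failure probabilities against the IEC 61508 low-demand bands, and the "levels must add up" rule behind the ISO 26262-9 decomposition table, as an added Python example. This is not code from the original post; the PFDavg bands are IEC 61508-1 Table 2, while modelling ASILs as ordinal ranks (QM=0 ... D=4) whose ranks must sum to the original rank is this example's own reading of the decomposition table, not the standard's wording.

```python
"""Added example: IEC 61508 low-demand SIL bands and ISO 26262 ASIL decomposition.

Assumptions (not from the original post):
  * PFDavg bands per IEC 61508-1 Table 2, lower bound inclusive, upper exclusive.
  * ASIL decomposition modelled as an ordinal rank sum (QM=0, A=1, B=2, C=3, D=4);
    this reproduces the pairs in ISO 26262-9 Figure 2 but is an interpretation.
"""
from itertools import combinations_with_replacement

# Ordinal ranks; QM carries no ASIL requirement.
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

# IEC 61508-1 Table 2: average probability of dangerous failure on demand per SIL.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def sil_low_demand(pfd):
    """Return the SIL (1..4) whose low-demand band contains pfd, or 0 if none."""
    for sil, (lo, hi) in PFD_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 0


def combined_pfd(pfd_a, pfd_b):
    """Product of two independent sub-systems' failure probabilities.

    Only valid when both must fail for the function to fail and there are no
    common-cause or dependent failures between them; any coupling makes the
    real figure larger than this product.
    """
    return pfd_a * pfd_b


def label(asil, original):
    """ISO 26262 notation: decomposed level with the original ASIL in brackets."""
    prefix = "QM" if asil == "QM" else "ASIL " + asil
    return f"{prefix}({original})"


def is_valid_decomposition(original, part_x, part_y):
    """The 'levels add up' rule: ranks of the two parts must sum to the original."""
    return ASIL_RANK[part_x] + ASIL_RANK[part_y] == ASIL_RANK[original]


def decompositions(original):
    """All unordered pairs satisfying the rule, lowest level first."""
    levels = sorted(ASIL_RANK, key=ASIL_RANK.get)
    return [
        (label(x, original), label(y, original))
        for x, y in combinations_with_replacement(levels, 2)
        if is_valid_decomposition(original, x, y)
    ]


def explain_rejection(original, part_x, part_y):
    """Why a pair is not in the table: it adds up to a different ASIL."""
    total = ASIL_RANK[part_x] + ASIL_RANK[part_y]
    by_rank = {v: k for k, v in ASIL_RANK.items()}
    reached = by_rank.get(total, ">D")
    return f"{part_x}+{part_y} adds up to {reached}, not {original}"


if __name__ == "__main__":
    # The post's illustration: 5.0E-1 * 1.0E-3 = 5.0E-4, which sits in SIL 3.
    product = combined_pfd(5e-1, 1e-3)
    print(f"5.0E-1 -> SIL {sil_low_demand(5e-1)}, 1.0E-3 -> SIL {sil_low_demand(1e-3)}, "
          f"product {product:.1E} -> SIL {sil_low_demand(product)}")
    for asil in ("A", "B", "C", "D"):
        pairs = ", ".join(f"{x} + {y}" for x, y in decompositions(asil))
        print(f"ASIL {asil}: {pairs}")
    print(explain_rejection("C", "B", "B"))
```

Running it prints the four decomposition rows of the ISO 26262-9 table and reports that B+B adds up to D, not C, which is the answer to the "missing" ASIL B(C) + ASIL B(C) question. The product check also makes the caveat in `combined_pfd` visible: only the product, never a "sum", of independent failure probabilities reaches the SIL 3 band.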

Reference 1. LinkedIn community, ISO 26262 Functional Safety group: "ASIL decomposition – what about the 'missing' ones?"
Reference 2. http://www.dataweek.co.za/43184n
Reference 3. https://www.graphicproducts.com/media/70398/alarp-floating.jpg