An Analysis of the Functional Safety Standard ISO 26262 (Parts 1-6)
0. Scope of application of ISO 26262:
ISO26262 is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production passenger cars with a maximum gross vehicle mass up to 3500kg.
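(1) ISO 26262 applies to safety-related automotive electrical/electronic systems;
(2) ISO 26262 applies to passenger cars up to 3.5 t; special-purpose vehicles are not covered.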
ISO26262 addresses possible hazards caused by malfunctioning behaviour of E/E safety-related systems, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of E/E safety-related systems.
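ISO 26262 addresses only hazards caused by faults in E/E systems; it does not cover hazards caused by vibration, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, heat transfer and the like.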
a) provides an automotive safety lifecycle(management, development, production, operation, service, decommissioning) and supports tailoring the necessary activities during these lifecycle phases;
b) provides an automotive-specific risk-based approach to determine integrity levels[Automotive Safety Integrity Levels(ASIL)];
c) uses ASILs to specify applicable requirements of ISO26262 so as to avoid unreasonable residual risk;
d) provides requirements for validation and confirmation measures to ensure a sufficient and acceptable level of safety being achieved;
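e) provides requirements for relations with suppliers.
2. Overall structure diagram of ISO 26262
As the figure above shows, ISO 26262 covers every aspect of product design, including system design, software design and hardware design, and runs through the whole product lifecycle, from the concept phase to decommissioning.
Analysis of the Functional Safety Standard ISO 26262 (2): Requirements
1. Requirements on the requirements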
When claiming compliance with ISO26262, each requirement shall be complied with.
The requirements or recommendations of each subclause shall be complied with for ASIL A, B, C and D, if not stated otherwise. These requirements and recommendations refer to the ASIL of the safety goal. If ASIL decomposition has been performed at an earlier stage of development, in accordance with ISO26262-9, the ASIL resulting from the decomposition shall be complied with.
(1) Decompose the requirements in accordance with ISO 26262-9;
(2) Based on the result of the decomposition, determine the ASIL required of each requirement.
Analysis of the Functional Safety Standard ISO 26262 (3): Hardware
1. The necessary activities and processes for the product development at the hardware level include:
(1) the hardware implementation of the technical safety concept;
(2) the analysis of potential hardware faults and their effects;
(3) the coordination with software development.
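To comply with ISO 26262, the work required on the hardware side includes:
(1) hardware implementation of the functional safety concept;
(2) analysis of potential hardware failures and their consequences;
(3) coordination with software development.
2. Hardware functional safety work:
The work related to hardware functional safety includes:
(1) 5.5 initiation of product development at the hardware level: starting the hardware design
The goal is to decide on and plan the functional safety activities for each phase of the hardware design.
Inputs: refined project plan, safety plan before refinement, refined integration test plan
Output: refined safety plan
(2) 5.6 specification of hardware safety requirements: defining the hardware functional safety requirements
Inputs: safety plan, safety concept, system design specification, hardware-software interface specification
Outputs: hardware safety requirements (including test and verification criteria), refined hardware-software interface specification, hardware safety requirements verification report
How are hardware functional safety requirements defined, with which software tools, and what does the template look like?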
They are derived from the technical safety concept and system design specification.
The hardware functional safety requirements are derived from the system safety concept and the system design documents.
The hardware safety requirements specification shall include each hardware requirement that relates to safety, including the following:
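The hardware functional safety requirements document includes all safety-related hardware requirements, covering the following aspects: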
i. the hardware safety requirements and relevant attributes of safety mechanisms to control internal failures of the hardware of the element, this includes internal safety mechanisms to cover transient faults when shown to be relevant due, for instance, to the technology used;
EXAMPLE 1 Attributes can include the timing and detection abilities of a watchdog.
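Requirements on safety mechanisms that control internal faults of hardware elements, for example the timing and detection abilities of a watchdog.
ii. the hardware safety requirements and relevant attributes of safety mechanisms to ensure the element is tolerant to failures external to the element.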
EXAMPLE 2 The functional behaviour required for an ECU in the event of an external failure, such as an open-circuit on an input of the ECU.
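Requirements on safety mechanisms that ensure the hardware element tolerates failures external to it; for example, when an input pin is open-circuit, the functional behaviour of the whole controller product should conform to the safety requirements.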
iii. the hardware safety requirements and relevant attributes of safety mechanisms to comply with the safety requirements of other elements.
EXAMPLE 3 Diagnosis of sensors or actuators.
Safety requirements of other hardware elements, for example diagnostic functions for sensors or actuators.
iv. the hardware safety requirements and relevant attributes of safety mechanisms to detect and signal internal or external failures;
EXAMPLE 4 The specified fault reaction time for the hardware part of a safety mechanism, so as to be consistent with the fault tolerant time interval.
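Safety mechanisms for detecting internal or external failures, for example the fault reaction time specified so as to meet the fault tolerant time interval.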
v. the hardware safety requirements not specifying safety mechanisms.
EXAMPLE 5
---requirements on the hardware elements to meet the target values for random hardware failures as described in 6.4.3 and 6.4.4
---requirements for the avoidance of a specific behaviour(for instance, "a particular sensor shall not produce an unstable output");
---requirements allocated to hardware elements implementing the intended functionality;
---requirements specifying design measures on harnesses or connectors.
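Other hardware safety requirements that are unrelated to safety mechanisms. For example:
---requirements placed on hardware elements during FMEDA, FMEA and FTA analysis in order to reach the required safety goal level;
---requirements for the avoidance of a specific behaviour, for example, a particular sensor must not produce an unstable output;
---requirements on hardware elements that implement the intended functionality;
---specified design measures for harnesses and connectors.
(3) 5.7 hardware design
The first objective of this clause is to design the hardware in accordance with the system design specification and the hardware safety requirements.
The second objective of this clause is to verify the hardware design against the system design specification and the hardware safety requirements.
The first purpose of hardware design is to design the hardware according to the system design documents and the hardware functional safety requirements; the second is to verify that the hardware design conforms to the system design documents and the hardware functional safety requirements.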
Hardware design includes hardware architectural design and hardware detailed design.
Hardware design comprises hardware architectural design and hardware detailed design.
i. Hardware architectural design:
Each hardware component shall inherit the highest ASIL from the hardware safety requirements it implements. If ASIL decomposition is applied to the hardware safety requirements during hardware architectural design, it shall be applied in accordance with ISO 26262-9:2011, Clause 5.
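Each hardware component should inherit the highest ASIL from the hardware safety requirements. If ASIL decomposition is needed, see Clause 5 of ISO 26262-9:2011 for the detailed decomposition method.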
Non-functional causes for failure of a safety-related hardware component shall be considered during hardware architectural design , including the following influences, if applicable: temperature, vibrations, water, dust, EMI, cross-talk originating either from other hardware components of the hardware architecture or from its environment.
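Non-functional causes of failure of hardware components must be considered during hardware architectural design, including temperature, vibration, water, dust, EMI and cross-talk.
ii. Hardware detailed design: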
In order to avoid common design faults, relevant lessons learned shall be applied in accordance with ISO 26262-2:2011, 5.4.2.7.
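To avoid common design errors, the relevant lessons learned shall be applied. For the description of and provisions on lessons learned, see ISO 26262-2:2011, 5.4.2.7.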
Non-functional causes for failure of a safety-related hardware part shall be considered during hardware detailed design, including the following influences, if applicable: temperature, vibrations, water, dust, EMI, noise factor, cross-talk originating either from other hardware parts of the hardware component or from its environment.
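Non-functional causes of failure of hardware parts must be considered during hardware detailed design, including temperature, vibration, water, dust, EMI and cross-talk.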
The operating conditions of the hardware parts used in the hardware detailed design shall comply with the specification of their environmental and operational limits.
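In the hardware detailed design, the operating conditions of hardware parts must meet the environmental specifications and operating limits.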
Robust design principles should be considered. Robust design principles can be shown by use of checklists based on QM methods.
Reliability design principles should be considered. They can be demonstrated through checklists based on QM methods.
EXAMPLE Conservative specification of components.
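For example, conservative component specifications, that is, the design takes full account of component margins.
iii. Safety analyses
Safety analyses on hardware design to identify the causes of failures and the effects of faults shall be applied in accordance with Table 2 and ISO 26262-9:2011, Clause 8.
The purpose of safety analysis is to determine the causes and consequences of failures.
The initial purpose of the safety analyses is to support the specification of the hardware design. Subsequently, the safety analyses can be used for verification of the hardware design. In its aims of supporting the specification of the hardware design, qualitative analysis can be appropriate and sufficient.
The original purpose of safety analysis is to support the hardware design specification. Subsequently, safety analysis can also be used to verify the hardware design. When safety analysis serves to support the hardware design, qualitative analysis is appropriate and sufficient.
In the hardware design phase, the main safety analysis methods are FTA and FMEA.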
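iv. Verification of hardware design
If it is discovered, during hardware design, that the implementation of any hardware safety requirement is not feasible, a request for change shall be issued in accordance with the change management process in ISO 26262-8.
If, during hardware design verification, any hardware safety requirement is found not to be met, a change request must be raised. For the change request management process, see ISO 26262-8.
The safety analysis mentioned among the hardware design verification methods refers to FMEDA.
=> There are three safety analysis methods: FTA, FMEA and FMEDA. FTA and FMEA are used to support the hardware design; FMEDA is used to verify the hardware design.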
(4) 5.8 evaluation of the hardware architectural metrics: FMEDA
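Two metrics (SPF and LMSF) are defined to measure the effectiveness of the hardware architecture and functional safety mechanisms adopted to handle random hardware failures.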
(5) 5.9 evaluation of safety goal violations due to random hardware failures: FTA
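As a complement to FMEDA, two alternative methods are defined to evaluate whether the probability of the residual risk of violating a safety goal is sufficiently low. The two methods are a global probability distribution and a method using cut-set analysis, whose purpose is to study the effect of each failure of a hardware element with respect to violating the safety goal.
(6) 5.10 hardware integration and testing
Analysis of the Functional Safety Standard ISO 26262 (4): FMEDA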
evaluation of the hardware architectural metrics.
FMEDA is a verification method for the hardware architectural metrics.
The objective of this clause is to evaluate the hardware architecture of the item against the requirements for fault handling as represented by the hardware architectural metrics.
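The purpose of FMEDA is to use the hardware architectural metrics to verify the fault handling mechanisms that the hardware architecture adopts in order to meet the requirements.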
This clause describes two hardware architectural metrics for the evaluation of the effectiveness of the architecture of the item to cope with random hardware failures.
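To handle random hardware failures, two hardware architectural metrics are used to verify the effectiveness of the architecture.
=> FMEDA is an analysis method aimed at random hardware failures.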
For electromechanical hardware parts, only the electrical failure modes and the failure rates are considered.
For electromechanical hardware parts, only the electrical failure modes and failure rates are considered.
The estimated failure rates for hardware parts used in the analyses shall be determined:
The failure rates of hardware parts can be determined by the following methods:
(1) using hardware part failure rates data from a recognised industry source.
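Using hardware part failure rates from a recognised industry database, for example SN29500.
(2) using statistics based on field returns or tests. In this case, the estimated failure rate should have an adequate confidence level.
Using statistical failure rates from field returns or from tests. In this case, the estimated failure rate must have an adequate confidence level.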
(3) using expert judgement founded on an engineering approach based on quantitative and qualitative arguments. Expert judgement shall be exercised in accordance with structured criteria as a basis for this judgement. These criteria shall be set before the estimation of failure rates is made.
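By expert judgement, which is an engineering approach based on qualitative and quantitative arguments. Expert judgement should be exercised on the basis of structured criteria, and these criteria should be established before the failure rates are estimated.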
The criteria for expert judgement can include field experience, testing, reliability analysis and novelty of design.
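The criteria for expert judgement include field experience, testing, reliability analysis and novelty of the design.
To meet the requirements of the ASIL, the analysis result for each safety goal should satisfy the requirements of Table 4 and Table 5.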
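As an added illustration (not part of the original article or of the standard's text), the Python example below computes the two hardware architectural metrics, the single-point fault metric (SPFM) and the latent-fault metric (LFM), from a small constructed FMEDA table and checks them against the ISO 26262-5 Table 4 and Table 5 targets. The part names, failure rates and coverage values are hypothetical, and it assumes each failure mode carries one diagnostic coverage value against goal violation and one against latency.

```python
from dataclasses import dataclass

# Targets from ISO 26262-5 Tables 4 and 5 (not reproduced on the page); ASIL A has none.
SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}
LFM_TARGET = {"B": 0.60, "C": 0.80, "D": 0.90}

@dataclass
class FailureMode:
    part: str
    fit: float                    # failure rate of this mode in FIT (1e-9 per hour)
    safety_related: bool = True
    violates_goal: bool = False   # could violate the safety goal on its own
    dc_residual: float = 0.0      # diagnostic coverage against that violation, 0..1
    latent_capable: bool = False  # could violate the goal together with a second fault
    dc_latent: float = 0.0        # coverage that reveals the fault so it is not latent

def metrics(modes):
    """Return (SPFM, LFM) over the safety-related failure modes."""
    rel = [m for m in modes if m.safety_related]
    total = sum(m.fit for m in rel)
    if total <= 0:
        raise ValueError("no safety-related failure rate to evaluate")
    residual = latent = 0.0
    for m in rel:
        rf = m.fit * (1.0 - m.dc_residual) if m.violates_goal else 0.0
        residual += rf            # single-point or residual share of this mode
        if m.latent_capable:
            latent += (m.fit - rf) * (1.0 - m.dc_latent)
    spfm = 1.0 - residual / total
    lfm = 1.0 - latent / (total - residual) if total > residual else 0.0
    return spfm, lfm

def highest_asil_met(spfm, lfm):
    """Highest ASIL whose SPFM and LFM targets are both met, or None."""
    met = [a for a in "BCD" if spfm >= SPFM_TARGET[a] and lfm >= LFM_TARGET[a]]
    return met[-1] if met else None

# Constructed FMEDA rows (hypothetical parts and rates, for illustration only).
SAMPLE = [
    FailureMode("MCU output stuck", 50, violates_goal=True, dc_residual=0.99,
                latent_capable=True, dc_latent=0.90),
    FailureMode("sensor input open circuit", 20, violates_goal=True,
                dc_residual=0.90, latent_capable=True, dc_latent=1.0),
    FailureMode("watchdog fails to trigger", 10, latent_capable=True, dc_latent=0.60),
    FailureMode("pull-up resistor drift", 2),              # safe fault
    FailureMode("status LED open", 5, safety_related=False),
]

if __name__ == "__main__":
    spfm, lfm = metrics(SAMPLE)
    print(f"SPFM={spfm:.2%} LFM={lfm:.2%} meets ASIL {highest_asil_met(spfm, lfm)}")
```

With these rows the sensor's 90% coverage leaves 2 FIT of residual faults, which alone keeps the SPFM just under the ASIL C target even though the LFM clears it.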
Analysis of the Functional Safety Standard ISO 26262 (5): FTA
evaluation of safety goal violations due to random hardware failures.
FTA is used to evaluate violations of the safety goal caused by random hardware failures.
The objective of the requirements in this clause is to make available criteria that can be used in a rationale that the residual risk of a safety goal violation, due to random hardware failures of the item, is sufficiently low.
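The purpose of FTA is to verify that the residual risk of violating a safety goal due to random hardware failures is sufficiently low.
Besides FTA, there is another method that can do work similar to FTA, called cut-set analysis.
The acceptance criteria for FTA results are shown in Table 6.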
Quantitative target values of requirement in table 6 shall be expressed in terms of average probability per hour over the operational lifetime of the item.
The quantitative target values in Table 6 are expressed as the average failure rate per hour over the whole lifetime.
A quantitative analysis of the hardware architecture with respect to the single-point, residual and dual-point faults shall provide evidence that target values of requirement table 6 have been achieved.
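The quantitative analysis of the hardware architecture covers single-point faults, residual faults and dual-point faults; it does not include multiple-point faults.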
The quantitative analysis shall consider:
The FTA analysis needs to consider the following points:
a) the architecture of the item;
The design architecture.
b) the estimated failure rate for the failure modes of each hardware part that would cause a single-point fault or a residual fault;
The estimated failure rate of each failure mode of each hardware part that would cause a single-point fault or a residual fault.
c) the estimated failure rate for the failure modes of each hardware part that would cause a dual-point fault;
The estimated failure rate of each failure mode of each hardware part that would cause a dual-point fault.
d) the diagnostic coverage of safety-related hardware elements by safety mechanisms;
The diagnostic coverage of safety-related hardware elements by safety mechanisms.
e) the exposure duration in the case of dual-point faults.
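The exposure duration of dual-point faults.
Situations when the item is in power-down mode are not included in the calculation of the average probability per hour, thereby preventing the artificial reduction of the average probability per hour.
The PMHF calculation does not include power-down mode, so the time spent in power-down mode (= lifetime - operating time over the whole lifetime) must be removed manually in the calculation.
Analysis of the Functional Safety Standard ISO 26262 (6): Hardware Integration and Testing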
Hardware integration and testing activities shall be performed in accordance with ISO 26262-8: 2011, Clause 9.
Hardware integration testing is performed in accordance with ISO26262-8:2011 Clause 9.
If ASIL decomposition is applied, the corresponding integration activities of the decomposed elements, and the subsequent activities, are applied at the ASIL before decomposition.
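The methods for deriving the test cases for hardware integration testing are shown in Table 10.
1a: analysis of requirements
1b: analysis of internal and external interfaces
1c: generation and analysis of equivalence classes (analysis of test cases from identical or similar products)
1d: analysis of boundary values
1e: knowledge or experience based error guessing (experience-based analysis of problems that may occur)
1f: analysis of functional dependencies
1g: analysis of common limit conditions, sequences and sources of dependent failures
1h: analysis of environmental conditions and operational use cases (environmental conditions and normal operating situations)
1i: standards if existing
1j: analysis of significant variants (analysis of the largest variant, including the worst-case results obtained by worst-case calculation)
Types of hardware test
The hardware integration test methods used to verify that the safety mechanisms related to the hardware safety requirements are implemented completely and correctly include functional testing, electrical testing and fault injection testing. Functional testing and electrical testing must be performed, whereas fault injection testing is recommended only under ASIL C and ASIL D requirements. See Table 11.
The tests that verify hardware reliability under external stress conditions include environmental testing, expanded functional testing, statistical testing, worst-case testing, over-limit testing, mechanical testing, accelerated life testing, mechanical endurance testing, EMC and ESD testing, and chemical testing. See Table 12.
1a: Environmental test: the governing specification is ISO 16750-4.
1b: Expanded functional test: checks the functional behaviour when the input conditions are foreseen to almost never occur or lie outside the hardware specification, for example parameter values beyond the design values or incorrect commands.
1c: Statistical test: tests the hardware element with input data selected according to the expected statistical distribution of the actual design parameter values, and defines acceptance criteria so that the required failure rate can be verified. For example, a jitter test on 50 crystal oscillators.
1d: Worst-case test: aims to verify the test cases found during worst-case analysis and calculation, for example AOT.
1e: Over-limit test: the severity of the environmental or functional constraints is increased step by step until the hardware stops working or is damaged. The purpose is to determine the reliability margin of the element.
1f: Mechanical test: mechanical shock and the like.
1g: Accelerated life test: that is, endurance testing. An acceleration model is used to simulate the effect of environmental factors on product performance over the product lifetime, for example high-temperature endurance, temperature cycling, and temperature-humidity endurance.
1h: Mechanical endurance
1i: EMC and ESD tests: EMC test standards include ISO7637-2, ISO7637-3, ISO10605 and ISO11452-4; ESD test standards include ISO16750-2.
1j: Chemical test: the standard is ISO 16750-5.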