Introduction

Analysis of ISO 26262 Compliant Techniques for the Automotive Domain

S. Manoj Kannan

Yanja Dajsuren

y.dajsuren@cwi.nl 0

Yaping Luo

y.luo2@tue.nl 1

Ion Barosan

i.barosan@tue.nl 1 0 Centrum Wiskunde & Informatica , Amsterdam , The Netherlands 1 Eindhoven University of Technology , Eindhoven , The Netherlands

The ISO 26262 standard de nes functional safety for automotive E/E systems. Since the publication of the rst edition of this standard in 2011, many di erent safety techniques complying to the ISO 26262 have been developed. However, it is not clear which parts and (sub-) phases of the standard are targeted by these techniques and which objectives of the standard are particularly addressed. Therefore, we carried out a gap analysis to identify gaps between the safety standard objectives of the part 3 till 7 and the existing techniques. In this paper the results of the gap analysis are presented such as we identi ed that there is a lack of mature tool support for the ASIL sub-phase and a need for a common platform for the entire product development cycle.

ISO 26262 vehicle safety safety standard gap analysis

Introduction

Development of innovative features such as advanced driver assistance systems in modern day automobiles have led to an increased complexity in product development and maintenance. This imposes an increased risk in terms of system failure that could lead to unacceptable hazards. Thus it becomes crucial to ensure functional safety. The ISO 26262 standard [ 15 ] de nes functional safety for automotive Electric/Electronic (E/E) safety-related systems. Its objective is to address possible hazards caused by the malfunctioning behavior of E/E systems throughout the product development cycle.

Most of the automotive companies have already started using safety analysis, veri cation and validation techniques to ensure vehicle safety [ 22 ]. One of the main objectives of the ISO 26262 is that these techniques should be applied as a standardized methodology for all automobile manufacturers. These techniques focus mainly on traceability which is the ability to track the safety requirements from initial concept design till the production and operation phase. Upon trying to improve the traceability, the researchers seek more techniques for e ective product development process.

The introduction of the ISO 26262 functional safety standard provides more speci c development processes that help to avoid the hazards and threats in the development phases. Following steps should be taken to ensure compliance with the standard: a) The manufacturers should adopt the development processes; b) The manufacturers should determine the Automotive Safety Integrity Level (ASIL) for safety-critical systems; c) The manufacturers should satisfy the additional requirements.

The standardization process requires the consistency of methods, languages and tools across all the sub-phases of the software lifecycle as well as system and hardware development phases as stated in the section 5.4.4 of the ISO 26262 Part 6 [15, p. 4]. In recent years, safety related platforms such as OPENCOSS [ 6 ] and AutoFOCUS3 [ 2 ] have been developed. OPENCOSS provides a common safety certi cation platform for the railway, avionics and automotive markets. AutoFOCUS3 provides a model-based tool for distributed, reactive, embedded software systems. The consistency can be assured through the availability of a tool that ensures the compatibility within the ISO 26262 (sub-) phases. The automobile manufacturers are challenged in the selection of the optimal techniques to ensure this compatibility which helps to prove the functional safety. This paper focuses on examining the gap between the ISO 26262 standard objectives and state-of-the-art safety related techniques.

The remainder of the paper is organized as follows: In Section 2 we provide background information on the V-model of the ISO 26262 standard. In Section 3, we describe the systematic literature review process and the summary of the papers selected for the analysis. Section 4 presents the gap analysis results and Section 5 discusses the ndings. Finally, we present the concluding remarks and some related future works. 2

Background

The safety standard ISO 26262 [ 15 ] is an adaptation of the functional safety standard IEC 61508 [ 14 ] for automotive E/E systems. Similar to IEC 61508, ISO 26262 is also a risk-based safety standard. It provides a risk-driven safety life-cycle for developing safety-critical systems in the automotive domain.

The ISO 26262 consists of ten parts as shown in Figure 1. Part 1, 2, and Part 8 to 10 are out of the scope of this paper, because Part 3 to Part 7 correspond to the safety life-cycle. The main part of ISO 26262 is structured based upon the V-model, as well as Part 5 and Part 6. Part 3 and Part 7 focus on the vehicle level. The main goal of Part 3 is to identify system hazards and risks through Hazard Analysis and Risk Assessment (HARA), then derive safety goals and Functional Safety Concepts (FSC) from them. Part 4 focuses on the system level. In this part, Technical Safety Requirements (TSR) are derived from FSC. Then system design can be carried out based on TSR. Part 5 and Part 6 focus on the subsystem/component level. In these two parts more detailed safety requirements are derived from TSR. Those safety requirements are assigned to the concrete subsystems or components for implementation.

In the following section, we present state-of-the-art techniques complying to the ISO 26262 standard. We use a Systematic Literature Review (SLR) methodology [ 16 ] to obtain stateof-the-art information on the techniques in the area of the ISO 26262 standard. In a comprehensive SLR analysis, documents that contain ISO 26262 related information are analyzed. Sources are collected from various popular resources such as IEEE [ 5 ], ACM [ 1 ], Springer [ 8 ], SAE [ 7 ], and FISITA [ 3 ]. Scienti c journal articles, research papers, and industrial technical reports are considered.

Peer-reviewed articles on the topics \ISO 26262" and \vehicle safety", published between 2008 and 2015, are included. We exclude duplicate reports of the same or similar studies as well as white papers are excluded. After the search and inclusion/exclusion processes, we identify 120 unique papers. In our ndings, we discover that higher number of papers are published in the concept phase (63 papers) than the development phases (51 papers) i.e., product development, software development, and hardware development phases of the ISO 26262 Vmodel. The remaining six papers are considered as general publications, since they cover all the phases of the V-model. To further narrow down the search results, citations are used as a key tool to assess the quality of the identi ed papers. Publications between 2013 and 2015 are included.

In the case of concept and product development phases, more than half of the papers have been cited at least once and number of papers cited more than ve are 18. Figure 2 shows the trend of papers published in each sub-phases from the selected sources. It can be inferred that the focus of the papers are more on the improvement of FSC (Functional Safety Concepts) in the conceptual phase and IVTA (Integration,Validation,Testing and Assessment) in the development phase. This shows the following observations: { More additional standardized procedures have been implemented from the IEC 61508 standard on the conceptual and development phases where automobile manufacturers required clear process for implementation. { Engineers and researchers were involved in the development of methodologies to ensure safety compliance of the system at these phases.

The summary of the selected papers mapped to the standard phases is presented in Table 1. Following section presents the gap analysis results between the ISO 26262 standard and the techniques identi ed from the selected papers. 4

Gap Analysis

A gap analysis helps to understand the shortcoming of existing approaches suggested by literatures. The gap analysis is carried out between the ISO 26262 objectives of the Part 3 till Part 7 sub-phases. i.e., Item De nition, Functional Safety Concept, and ASIL [ 13, 19, 20, 12, 18 ] is presented in the Table 2. 4.2

Gap Analysis for the Product Development Phase

From the gap analysis of the product development phase, it is observed that there are few tools [ 23, 21 ] suggested by literature and industrial technical report for requirement speci cation. These tools support only for speci c sub-phases and there are more opportunities to integrate these tools with testing and validation tools [ 4, 17 ]. By this integration, it becomes more sophisticated to perform all the activities of a phase using single technique. This also gives clear way of understanding the standard norms to the developers and verifying it by testers using same platform. The nding of this gap analysis can be found in the Table 3 on the previous page. 4.3

Gap Analysis for the Software Development Phase

Similar to the system architecture level, more techniques are used for the software level [ 11 ]. Some of the common architecture description languages are EASTADL [ 17 ] and AADL [ 9 ] which help to reduce the development cost and time. In addition, such techniques provide a way to make the veri cation of safety requirements easier. But there is no tool available that integrates both architectural design and safety veri cation together. This is found to be one of the gap. Table 4 on the previous page shows the gap analysis performed for the software development phase. 4.4

Gap Analysis for the Hardware Development Phase

In the case of hardware development phase, only few literatures are published about the development required for the evaluation of safety violation. These literatures provide techniques mainly to support two claims. One is hardware architectural metrics and second is evaluation of safety goal violations. Techniques like UML based meta-model [ 9 ] support for design process and help to perform safety evaluation in a uni ed model based environment. The ndings of the gap analysis for the hardware development phase are shown in the Table 5. Following section discusses the main results of the gap analysis. 5

Discussion

Based on the gap analysis, the shortcoming and challenges of the techniques suggested by literature while ful lling the standard objectives are found. In the concept phase, gap analysis identi ed the lack of mature techniques that provide wider possible solutions for ASIL decomposition. It showcases the opportunity for integrating various techniques within the phase. For product development phase, gap analysis shows similar results. There are tools used for each sub phases of the product development but there is no common platform where all sub phase activities can be performed. This tool integration could facilitate the understanding and correct interpretation of the standard norms.

For the software and hardware development phase, same type of architecture description languages, such as EAST-ADL and AADL, are used. But there is a lack of common platform that supports both design and safety evaluations. 6

Conclusion and Future Work

Since the ISO 26262 standard does not specify which techniques to be applied in ful lling the safety requirements, variety of techniques are developed for each phase of the ISO 26262 standard. However, a general overview of existing and emerging ISO 26262 related techniques is lacking. Therefore, in this paper, we carried out a gap analysis to identify the challenges and future trends to ful ll the ISO 26262 (part 3 to Part 7) safety objectives. We identi ed that the focus of research techniques is for the concept and product development phases. However, more techniques are needed for ful lling the objectives of the software and hardware phases.

As a future work, we plan to conduct similar study on the remaining phases of the ISO 26262 and develop a method for the software and hardware development phases. Furthermore, our analysis focused on the research results rather than the practical application of the standard. This requires further survey on the gap between research results and the practical applicability of the standard to re ect the actual situation in the automotive industry.

1. ACM. http://dl.acm.org/. Accessed: 2015 -04-24.

2. AutoFOCUS3. http://af3.fortiss.org/research/. Accessed: 2015 -09-16.

3. FISITA. http://www.fisita.com/publications/papers. Accessed: 2015 -04-24.

IBM

Rhapsody . http://www-03.ibm.com/software/products/en/ratidoor. Accessed: 2015 -06-02.

5. IEEE. http://ieeexplore.ieee.org/. Accessed: 2015 -04-27.

6. OPENCOSS. http://www.opencoss-project.eu/. Accessed: 2015 -09-16.

7. SAE. http://digitallibrary.sae.org/. Accessed: 2015 -04-24.

8. Springer. http://link.springer.com/. Accessed: 2015 -04-27.

Adler ,

Otten ,

Cuenot , and

Mu ller-Glaser. Performing safety evaluation on detailed hardware level according to ISO 26262. SAE International journal of passenger cars-electronic and electrical systems, 6( 2013 -01-0182): 102 { 113 , 2013 .

10.

Chen ,

Johansson , H. Lonn,

Papadopoulos ,

Sandberg , F. Torner, and M. Torngren. Modelling support for design of safety-critical automotive embedded systems . In Computer Safety, Reliability,& Security , pages 72 { 85 . Springer, 2008 .

11.

Dajsuren , M. G. van den Brand, A. Serebrenik, and

Huisman . Automotive ADLs: A study on enforcing consistency through multiple architectural levels . In ACM SIGSOFT Conference on Quality of Software Architectures (QoSA) , pages 71 { 80 . ACM, 2012 .

12. M. S. Dhouibi , J.-M. Perquis , L.

Saintis , and M.

Barreau . Automatic Decomposition and Allocation of Safety Integrity Level Using System of Linear Equations . Complex Syst , pages 1 {5 , 2014 .

13.

Fujiwara ,

J. M.

Estevez ,

Satoh , and

Yamada . A Calculation Method for Software Safety Integrity Level . In Proceedings of the 1st Workshop on Critical Automotive applications: Robustness & Safety , pages 31 { 34 . ACM, 2010 .

14. IEC . Functional Safety of Electrical/electronic /programmable Electronic Safetyrelated Systems . IEC 26262, International Electrotechnical Commission, 2009 .

15. International Standardization Organization. ISO 26262: Road Vehicles - Functional safety, International Organization for Standardization . 2011 .

16.

Kitchenham . Procedures for Performing Systematic Reviews . Keele, UK, Keele University, 33 ( 2004 ): 1 { 26 , 2004 .

17.

Mader ,

Griessnig ,

Armengaud ,

Leitner ,

Kreiner ,

Bourrouilh ,

Steger , and

Weiss . A bridge from system to software development for safetycritical automotive embedded systems . In Software Engineering and Advanced Applications (SEAA) , pages 75 { 79 . IEEE, 2012 .

18.

Murashkin ,

L. S.

Azevedo ,

Guo ,

Zulkoski ,

J. H.

Liang ,

Czarnecki , and

Parker . Automated Decomposition and Allocation of Automotive Safety Integrity Levels Using Exact Solvers. SAE International Journal of Passenger Cars-Electronic and Electrical Systems , 8 ( 2015 -01-0156): 70 { 78 , 2015 .

19.

Papadopoulos ,

Walker , M. -

O. Reiser , M.

Weber , D.

Chen , M. Torngren, D.

Servat , A.

Abele , F.

Stappert , H.

Lonn , et al. Automatic Allocation of Safety Integrity Levels . In Proceedings of the 1st workshop on critical automotive applications: robustness & safety , pages 7 { 10 . ACM, 2010 .

20.

Parker ,

Walker ,

L. S.

Azevedo ,

Papadopoulos , and

R. E.

Araujo . Automatic Decomposition and Allocation of Safety Integrity Levels Using a PenaltyBased Genetic Algorithm . pages 449 { 459 , 2013 .

21.

Peranandam ,

Raviram ,

Satpathy ,

Yeolekar ,

Gadkari , and

Ramesh . An integrated test generation tool for enhanced coverage of Simulink/State ow models . In Design,Automation & Test in Europe Conference & Exhibition (DATE) , pages 308 { 311 . IEEE, 2012 .

22.

Saberi ,

Luo ,

Cichosz , M. van den Brand, and

Janseny . An Approach for Functional Safety Improvement of an Existing Automotive System . In 8th Annual IEEE System Conference , pages 277 { 282 , 2015 .

23.

Siegl , K.-S. Hielscher,

German , and

Berger . Formal speci cation and systematic model-driven testing of embedded automotive systems . In Design, Automation & Test in Europe Conference & Exhibition , pages 1 {6 . IEEE, 2011 .