Analysis of ISO 26262 Compliant Techniques for the Automotive Domain

Analysis of ISO 26262 Compliant Techniques for the Automotive Domain SManojKannan Eindhoven University of Technology

Eindhoven The Netherlands

YanjaDajsuren y.dajsuren@cwi.nl Centrum Wiskunde & Informatica

Amsterdam The Netherlands

YapingLuo y.luo2@tue.nl Eindhoven University of Technology

Eindhoven The Netherlands

IonBarosan i.barosan@tue.nl Eindhoven University of Technology

Eindhoven The Netherlands

Analysis of ISO 26262 Compliant Techniques for the Automotive Domain 925423AD673F825AE03F67793FAFBED4 GROBID - A machine learning software for extracting information from scholarly documents ISO 26262 vehicle safety safety standard gap analysis

The ISO 26262 standard defines functional safety for automotive E/E systems. Since the publication of the first edition of this standard in 2011, many different safety techniques complying to the ISO 26262 have been developed. However, it is not clear which parts and (sub-) phases of the standard are targeted by these techniques and which objectives of the standard are particularly addressed. Therefore, we carried out a gap analysis to identify gaps between the safety standard objectives of the part 3 till 7 and the existing techniques. In this paper the results of the gap analysis are presented such as we identified that there is a lack of mature tool support for the ASIL sub-phase and a need for a common platform for the entire product development cycle.

Introduction

Development of innovative features such as advanced driver assistance systems in modern day automobiles have led to an increased complexity in product development and maintenance. This imposes an increased risk in terms of system failure that could lead to unacceptable hazards. Thus it becomes crucial to ensure functional safety. The ISO 26262 standard [15] defines functional safety for automotive Electric/Electronic (E/E) safety-related systems. Its objective is to address possible hazards caused by the malfunctioning behavior of E/E systems throughout the product development cycle.

Most of the automotive companies have already started using safety analysis, verification and validation techniques to ensure vehicle safety [22]. One of the main objectives of the ISO 26262 is that these techniques should be applied as a standardized methodology for all automobile manufacturers. These techniques focus mainly on traceability which is the ability to track the safety requirements from initial concept design till the production and operation phase. Upon trying to improve the traceability, the researchers seek more techniques for effective product development process.

The introduction of the ISO 26262 functional safety standard provides more specific development processes that help to avoid the hazards and threats in the development phases. Following steps should be taken to ensure compliance with the standard: a) The manufacturers should adopt the development processes; b) The manufacturers should determine the Automotive Safety Integrity Level (ASIL) for safety-critical systems; c) The manufacturers should satisfy the additional requirements.

The standardization process requires the consistency of methods, languages and tools across all the sub-phases of the software lifecycle as well as system and hardware development phases as stated in the section 5.4.4 of the ISO 26262 Part 6 [15, p. 4]. In recent years, safety related platforms such as OPENCOSS [6] and AutoFOCUS3 [2] have been developed. OPENCOSS provides a common safety certification platform for the railway, avionics and automotive markets. AutoFO-CUS3 provides a model-based tool for distributed, reactive, embedded software systems. The consistency can be assured through the availability of a tool that ensures the compatibility within the ISO 26262 (sub-) phases. The automobile manufacturers are challenged in the selection of the optimal techniques to ensure this compatibility which helps to prove the functional safety. This paper focuses on examining the gap between the ISO 26262 standard objectives and state-of-the-art safety related techniques.

The remainder of the paper is organized as follows: In Section 2 we provide background information on the V-model of the ISO 26262 standard. In Section 3, we describe the systematic literature review process and the summary of the papers selected for the analysis. Section 4 presents the gap analysis results and Section 5 discusses the findings. Finally, we present the concluding remarks and some related future works.

Background

The safety standard ISO 26262 [15] is an adaptation of the functional safety standard IEC 61508 [14] for automotive E/E systems. Similar to IEC 61508, ISO 26262 is also a risk-based safety standard. It provides a risk-driven safety life-cycle for developing safety-critical systems in the automotive domain.

The ISO 26262 consists of ten parts as shown in Figure 1. Part 1, 2, and Part 8 to 10 are out of the scope of this paper, because Part 3 to Part 7 correspond to the safety life-cycle. The main part of ISO 26262 is structured based upon the V-model, as well as Part 5 and Part 6. Part 3 and Part 7 focus on the vehicle level. The main goal of Part 3 is to identify system hazards and risks through Hazard Analysis and Risk Assessment (HARA), then derive safety goals and Functional Safety Concepts (FSC) from them. Part 4 focuses on the system level. In this part, Technical Safety Requirements (TSR) are derived from FSC. Then system design can be carried out based on TSR. Part 5 and Part 6 focus on the subsystem/component level. In these two parts more detailed safety requirements are derived from TSR. Those safety requirements are assigned to the concrete subsystems or components for implementation.

In the following section, we present state-of-the-art techniques complying to the ISO 26262 standard. Peer-reviewed articles on the topics "ISO 26262" and "vehicle safety", published between 2008 and 2015, are included. We exclude duplicate reports of the same or similar studies as well as white papers are excluded. After the search and inclusion/exclusion processes, we identify 120 unique papers. In our findings, we discover that higher number of papers are published in the concept phase (63 papers) than the development phases (51 papers) i.e., product development, software development, and hardware development phases of the ISO 26262 Vmodel. The remaining six papers are considered as general publications, since they cover all the phases of the V-model. To further narrow down the search results, citations are used as a key tool to assess the quality of the identified papers. Publications between 2013 and 2015 are included.

In the case of concept and product development phases, more than half of the papers have been cited at least once and number of papers cited more than five are 18. Figure 2 shows the trend of papers published in each sub-phases from the selected sources. It can be inferred that the focus of the papers are more on the improvement of FSC (Functional Safety Concepts) in the conceptual phase and IVTA (Integration,Validation,Testing and Assessment) in the development phase. This shows the following observations: -More additional standardized procedures have been implemented from the IEC 61508 standard on the conceptual and development phases where automobile manufacturers required clear process for implementation. -Engineers and researchers were involved in the development of methodologies to ensure safety compliance of the system at these phases.

The summary of the selected papers mapped to the standard phases is presented in Table 1. Following section presents the gap analysis results between the ISO 26262 standard and the techniques identified from the selected papers.

Gap Analysis

A gap analysis helps to understand the shortcoming of existing approaches suggested by literatures. The gap analysis is carried out between the ISO 26262 objectives of the Part 3 till Part 7 sub-phases. Key objective is to support an adequate understanding of the item so that the activities in subsequent phases can be performed.

Need further analysis to understand the method used for item definition.

Need further analysis to understand the gap.

To derive the functional safety requirements and allocate them to the architectural elements of the item.

Enhanced architecture description language techniques are developed that helps for allocation and reduce ambiguity.

Need further analysis to understand the gap.

Gap Analysis for the Concept Phase

Table 2 summarizes the finding of a gap analysis for the concept phase. In the area of Hazard Analysis and Risk Assessment (HARA), various techniques are available to identify and categorize the hazards. Techniques suggested by the literature elucidate the way of estimating the hazard parameters (i.e., severity, exposure and controllability) and help to formulate the safety goals. After identifying the safety goals, safety requirements can be derived for each goals. Literature provides more options for writing the requirement by different notations [10]. Once the requirements are elicited, they are allocated to the relevant architectural elements. This is performed using various architecture description languages such as EAST-ADL [17] and AADL [9]. Though existing techniques fulfill the objectives given for HARA in the standard, more techniques are required to achieve this effort. There is no standard common method or tool suggested by literature for meeting this objective. This is found to be one of the gaps by contrasting the standard objectives and literature approaches. A gap analysis for other sub-phases of the concept phase To ensure all the safety cases generated in the concept phase are validated.

As mentioned above, to verify the design and concepts compilation with the specification, fewer tools are developed that also ensures the traceability.

Need for enhanced tool that integrates both design and verification process together.

To verify whether TSR comply with the FSR. To manage the system requirements with complete traceability across the product life cycle.

Fewer tools like IBM Rational Team Concert, PTC Integrity, Papyrus are developed for requirement specification to improve the traceability. But the detailed semantic traceability for each sub phase has not been explored.

New Opportunity that integrates the requirement specification with Item

Integration, testing and validation.

To test compliance with each safety requirement and to verify the system design covering those requirements.

Methods are available that ensures the requirement traceability and verify the system design compliance.

Need for tool that combines all the sub phases of the product development.

i.e., Item Definition, Functional Safety Concept, and ASIL [13,19,20,12,18] is presented in the Table 2.

Gap Analysis for the Product Development Phase

From the gap analysis of the product development phase, it is observed that there are few tools [23,21] suggested by literature and industrial technical report for requirement specification. These tools support only for specific sub-phases and there are more opportunities to integrate these tools with testing and validation tools [4,17]. By this integration, it becomes more sophisticated to perform all the activities of a phase using single technique. This also gives clear way of understanding the standard norms to the developers and verifying it by testers using same platform. The finding of this gap analysis can be found in the Table 3 on the previous page.

Safety Requirement Verification

Need further analysis to understand the gap.

To specify and implement the software units identifies as specified in accordance with software design and the associated software safety requirements.

Need further analysis to understand the methods used for unit testing.

To demonstrate the software units fulfil the software unit design specification and do not contain undesired functionality.

Need further analysis to understand the methods used for implementation process.

Need further analysis to understand the gap.

To demonstrate that the embedded software fulfils the software safety requirements

As mentioned in the previous phase, to verify the safety requirements with the software, fewer tools are developed that also ensures the traceability.

Need for enhanced tool that integrates both design and verification process together.

To develop and verify the architectural design that realizes the software safety requirements.

Several methods such as GSN (Goal Structuring Notation) are used to reduce the developing Cost and time. This also helps for verification with the safety requirements.

Need tools for integrating the architectural design and verification the safety Requirements with the elements.

Gap Analysis for the Software Development Phase

Similar to the system architecture level, more techniques are used for the software level [11]. Some of the common architecture description languages are EAST-ADL [17] and AADL [9] which help to reduce the development cost and time.

In addition, such techniques provide a way to make the verification of safety requirements easier. But there is no tool available that integrates both architectural design and safety verification together. This is found to be one of the gap. Table 4 on the previous page shows the gap analysis performed for the software development phase.

Gap Analysis for the Hardware Development Phase

In the case of hardware development phase, only few literatures are published about the development required for the evaluation of safety violation. These literatures provide techniques mainly to support two claims. One is hardware architectural metrics and second is evaluation of safety goal violations. Techniques like UML based meta-model [9] support for design process and help to To demonstrate that the hardware fulfils the hardware safety requirements As mentioned in the product development phase, to verify the safety requirements with the components, fewer tools are developed that also ensures the traceability.

Need for enhanced tool that integrates both design and verification process together.

Need further analysis to understand the gap.

Need more analysis to understand the evaluation techniques used along with the hardware architectural metrics.

To demonstrate the compliance of the design with the safety metrics.

To demonstrate the hardware components fulfil the hardware design specification and do not contain undesired functionality.

Need more analysis to understand the hardware testing procedures.

Need further analysis to understand the gap. perform safety evaluation in a unified model based environment. The findings of the gap analysis for the hardware development phase are shown in the Table 5. Following section discusses the main results of the gap analysis.

Discussion

Based on the gap analysis, the shortcoming and challenges of the techniques suggested by literature while fulfilling the standard objectives are found. In the concept phase, gap analysis identified the lack of mature techniques that provide wider possible solutions for ASIL decomposition. It showcases the opportunity for integrating various techniques within the phase. For product development phase, gap analysis shows similar results. There are tools used for each sub phases of the product development but there is no common platform where all sub phase activities can be performed. This tool integration could facilitate the understanding and correct interpretation of the standard norms.

For the software and hardware development phase, same type of architecture description languages, such as EAST-ADL and AADL, are used. But there is a lack of common platform that supports both design and safety evaluations.

Conclusion and Future Work

Since the ISO 26262 standard does not specify which techniques to be applied in fulfilling the safety requirements, variety of techniques are developed for each phase of the ISO 26262 standard. However, a general overview of existing and emerging ISO 26262 related techniques is lacking. Therefore, in this paper, we carried out a gap analysis to identify the challenges and future trends to fulfill the ISO 26262 (part 3 to Part 7) safety objectives. We identified that the focus of research techniques is for the concept and product development phases. However, more techniques are needed for fulfilling the objectives of the software and hardware phases.

As a future work, we plan to conduct similar study on the remaining phases of the ISO 26262 and develop a method for the software and hardware development phases. Furthermore, our analysis focused on the research results rather than the practical application of the standard. This requires further survey on the gap between research results and the practical applicability of the standard to reflect the actual situation in the automotive industry.

Fig. 1 .1Fig. 1. An overview of the ISO 26262 V-model

Fig. 2 .2Fig. 2. Trend of publications related to the ISO 26262 over a period of time

Table 1 .1Mapping between safety related techniques and safety phasesPHASESSUB PHASESTECHNIQUESIMPORTANT FEATURESREFCONCEPTASILSRGM (Safety-* Consider all risk factor apart from development[10]PHASEReliability Growthmethod.Model)HIP-HoPs[17]Systems of Linear[9]EquationsExact Solver*Provides all possible solutions based on Cost[15]Optimization for ASIL decomposition.PRODUCTSpecification ofIBM Rhapsody*Ensures requirement traceability throughout the[3]DEVELOPMENTRequirementsproduct life cycle.PHASEPapyrus*Ensures requirement traceability and also can perform[14]safety analysis.SafetyGSN ( Goal*Reduce cost and time during certification process.[8]ValidationStructuring*It also helps to reuse the models.Notation )*Act as basis for systematic functional safetyrequirements.SmartTestGen*Integrates different test generation techniques and[18]covers maximum test cases to ensure safety.Time Usage*Describe time and data dependencies of the system to[19]Model (TUM)be tested.HARDWARESafetyUML complaint*Provides evaluation of preliminary hardware[7]DEVELOPMENTevaluationmeta modelarchitecture.PHASE*It supports the design process as the completehardware design including safety evaluation can beperformed in one model based environment.SOFTWAREArchitectureSimulink Model*This tool enhancement is capable of generating[14]DEVELOPMENTandGenerator andSimulink models to support application softwarePHASEImplementationSafety Driverdevelopment.Generator*Also for configuring and generating safety drivers forinitialization, runtime testing and error handling.

*First Automatic ASIL allocation tool. *Applicable for complex large scale systems. *Consumes more processing time. *Provides less options for ASIL decomposition. *Easy to implement and consumes less processing time. *Not proven to be applicable for complex systems. *Provides all possible solutions based on Cost Optimization for ASIL decomposition.

Table 2 .2Schematic illustration of the gap between objectives of the ISO 26262 concept phase and the respective techniques from the literatureISO 26262Standard ObjectiveTechniques DevelopedGap AnalysisPhaseSubphasesItem DefinitionTo Identify and categorizeSeparate methods are availableNeed for enhanced toolthe hazards and formulateto identify hazards. Whereasthat integrates the HARAConcept PhaseASIL Allocation and HARADecompositionand Decomposition to reduce the complexity and the development cost of the design. Effective ASIL Allocation the safety goals. Then derive the safety requirements from safety goals and allocate them to the architectural elementsthat provides optimized possible combination of solutions for decomposition. Most of these methods takes more processing time. Various methods are developed different methods are used to allocate the safety goals to the architectural elements.suitable for complex large scale systems and provides all possible solutions for decomposition. Need effort to reduce the processing Only few methods are analysis, derivation of safety requirements and safety goal allocation to the architectural elements.time.Functional SafetyConcept

Table 3 .3Schematic illustration of the gap between standard objectives and techniques in the area of product development phaseISO 26262Standard ObjectiveTechniques DevelopedGap AnalysisPhaseSubphasesTechnical SafetyRequirement SpecificationTo develop the systemProduct Development PhaseSystem Design Safety validationdesign. To verify the system design and the technical safety concept comply with the TSR specificationSeparate tools like Medini Analysis are developed to ensure safety validation. All these tools Depends on the input of requirement management.Need for tool that integrates the requirement management with the safety validation.Integration andTesting

Table 4 .4Schematic illustration of the gap between standard objectives and techniques in the area of software development phaseISO 26262Standard ObjectiveTechniques DevelopedGap AnalysisPhasesubphasesArchitectureSoftware Development PhaseImplementation Unit testing

Table 5 .5Schematic illustration of the gap between standard objectives and techniques in the area of hardware development phaseISO 26262Standard ObjectiveTechniques DevelopedGap AnalysisPhaseSubphasesSafety requirementTo develop and verify theNeed more analysis toNeed further analysis toarchitectural design thatunderstand the techniques usedunderstand the gap.Hardware Development PhaseSafety evaluation Designrealizes the hardware safety requirements.for hardware design and ensuring the safety requirements compliance.Testing

AutoFOCUS3 2015-09-16 <author> <persName><surname>Opencoss</surname></persName> </author> <ptr target="http://www.opencoss-project.eu/" /> <imprint> <date type="published" when="2015-09-16">2015-09-16</date> </imprint> </monogr> </biblStruct> <biblStruct xml:id="b2"> <analytic> <title level="a" type="main">Performing safety evaluation on detailed hardware level according to ISO 26262 NAdler SOtten PCuenot KMüller-Glaser SAE International journal of passenger cars-electronic and electrical systems 6 2013 Modelling support for design of safety-critical automotive embedded systems DChen RJohansson HLönn YPapadopoulos ASandberg FTörner MTörngren Computer Safety, Reliability,& Security Springer 2008 Automotive ADLs: A study on enforcing consistency through multiple architectural levels YDajsuren MGVan Den Brand ASerebrenik RHuisman ACM SIGSOFT Conference on Quality of Software Architectures (QoSA) ACM 2012 Automatic Decomposition and Allocation of Safety Integrity Level Using System of Linear Equations MSDhouibi J.-MPerquis LSaintis MBarreau Complex Syst 2014 A Calculation Method for Software Safety Integrity Level TFujiwara JMEstevez YSatoh SYamada Proceedings of the 1st Workshop on Critical Automotive applications: Robustness & Safety the 1st Workshop on Critical Automotive applications: Robustness & Safety ACM 2010 Functional Safety of Electrical/electronic /programmable Electronic Safetyrelated Systems Iec IEC 26262 2009 International Electrotechnical Commission ISO 26262: Road Vehicles -Functional safety International Organization for Standardization 2011 Procedures for Performing Systematic Reviews BKitchenham 2004. 2004 33 Keele, UK, Keele University A bridge from system to software development for safetycritical automotive embedded systems RMader GGriessnig EArmengaud ALeitner CKreiner QBourrouilh CSteger RWeiss Software Engineering and Advanced Applications (SEAA) IEEE 2012 Automated Decomposition and Allocation of Automotive Safety Integrity Levels Using Exact Solvers AMurashkin LSAzevedo JGuo EZulkoski JHLiang KCzarnecki DParker SAE International Journal of Passenger Cars-Electronic and Electrical Systems 8 2015 Automatic Allocation of Safety Integrity Levels YPapadopoulos MWalker M.-OReiser MWeber DChen MTörngren DServat AAbele FStappert HLonn Proceedings of the 1st workshop on critical automotive applications: robustness & safety the 1st workshop on critical automotive applications: robustness & safety ACM 2010 Automatic Decomposition and Allocation of Safety Integrity Levels Using a Penalty-Based Genetic Algorithm DParker MWalker LSAzevedo YPapadopoulos REAraújo 2013 An integrated test generation tool for enhanced coverage of Simulink/Stateflow models PPeranandam SRaviram MSatpathy AYeolekar AGadkari SRamesh Design,Automation & Test in Europe Conference & Exhibition (DATE) IEEE 2012 An Approach for Functional Safety Improvement of an Existing Automotive System ASaberi YLuo FCichosz MVan Den SBrand Janseny 8th Annual IEEE System Conference 2015 Formal specification and systematic model-driven testing of embedded automotive systems SSiegl K.-SHielscher RGerman CBerger Design, Automation & Test in Europe Conference & Exhibition IEEE 2011