BS ISO 26262-10-2012 Road vehicles Functional safety Guideline on ISO 26262《道路车辆 功能安全性 ISO 26262标准导则》.pdf

《BS ISO 26262-10-2012 Road vehicles Functional safety Guideline on ISO 26262《道路车辆 功能安全性 ISO 26262标准导则》.pdf》由会员分享，可在线阅读，更多相关《BS ISO 26262-10-2012 Road vehicles Functional safety Guideline on ISO 26262《道路车辆 功能安全性 ISO 26262标准导则》.pdf（100页珍藏版）》请在麦多课文档分享上搜索。

1、raising standards worldwideNO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAWBSI Standards PublicationBS ISO 26262-10:2012Road vehicles FunctionalsafetyPart 10: Guideline on ISO 26262BS ISO 26262-10:2012 BRITISH STANDARDNational forewordThis British Standard is the UK implementat

2、ion of ISO26262-10:2012.The UK participation in its preparation was entrusted to TechnicalCommittee AUE/16, Electrical and electronic equipment.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport to include all the necess

3、aryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2012. Published by BSI StandardsLimited 2012ISBN 978 0 580 68210 0ICS 43.040.10Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standard was pu

4、blished under the authority of theStandards Policy and Strategy Committee on 31 August 2012.Amendments issued since publicationDate Text affectedBS ISO 26262-10:2012Reference numberISO 26262-10:2012(E)ISO 2012INTERNATIONAL STANDARD ISO26262-10First edition2012-08-01Road vehicles Functional safety Pa

5、rt 10: Guideline on ISO 26262 Vhicules routiers Scurit fonctionnelle Partie 10: Lignes directrices relatives lISO 26262 BS ISO 26262-10:2012ISO 26262-10:2012(E) COPYRIGHT PROTECTED DOCUMENT ISO 2012 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or uti

6、lized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax

7、 + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO 2012 All rights reservedBS ISO 26262-10:2012ISO 26262-10:2012(E) ISO 2012 All rights reserved iiiContents Page Foreword iv Introduction.v 1 Scope1 2 Normative references1 3 Terms, definitions and abbreviated t

8、erms2 4 Key concepts of ISO 26262.2 4.1 Functional safety for automotive systems (relationship with IEC 61508) .2 4.2 Item, system, element, component, hardware part and software unit.4 4.3 Relationship between faults, errors and failures .5 5 Selected topics regarding safety management6 5.1 Work pr

9、oduct .6 5.2 Confirmation measures 6 5.3 Understanding of safety cases 9 6 Concept phase and system development.10 6.1 General .10 6.2 Example of hazard analysis and risk assessment.10 6.3 An observation regarding controllability classification11 6.4 External measures.12 6.5 Example of combining saf

10、ety goals 13 7 Safety process requirement structure - Flow and sequence of safety requirements14 8 Concerning hardware development 17 8.1 The classification of random hardware faults17 8.2 Example of residual failure rate and local single-point fault metric evaluation .22 8.3 Further explanation con

11、cerning hardware .34 9 Safety element out of context 36 9.1 Safety element out of context development.36 9.2 Use cases .37 10 An example of proven in use argument45 10.1 General .45 10.2 Item definition and definition of the proven in use candidate46 10.3 Change analysis 46 10.4 Target values for pr

12、oven in use .46 11 Concerning ASIL decomposition.47 11.1 Objective of ASIL decomposition 47 11.2 Description of ASIL decomposition 47 11.3 An example of ASIL decomposition 47 Annex A (informative) ISO 26262 and microcontrollers 51 Annex B (informative) Fault tree construction and applications 73 Bib

13、liography89 BS ISO 26262-10:2012ISO 26262-10:2012(E) iv ISO 2012 All rights reservedForeword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out thro

14、ugh ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collabor

15、ates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standa

16、rds. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of t

17、his document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO 26262-10 was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 3, Electrical and electronic equipment. ISO 26262 consists of the following pa

18、rts, under the general title Road vehicles Functional safety: Part 1: Vocabulary Part 2: Management of functional safety Part 3: Concept phase Part 4: Product development at the system level Part 5: Product development at the hardware level Part 6: Product development at the software level Part 7: P

19、roduction and operation Part 8: Supporting processes Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses Part 10: Guideline on ISO 26262 BS ISO 26262-10:2012ISO 26262-10:2012(E) ISO 2012 All rights reserved vIntroduction ISO 26262 is the adaptation of IEC 61508 to

20、comply with needs specific to the application sector of electrical and/or electronic (E/E) systems within road vehicles. This adaptation applies to all activities during the safety lifecycle of safety-related systems comprised of electrical, electronic and software components. Safety is one of the k

21、ey issues of future automobile development. New functionalities not only in areas such as driver assistance, propulsion, in vehicle dynamics control and active and passive safety systems increasingly touch the domain of system safety engineering. Development and integration of these functionalities

22、will strengthen the need for safe system development processes and the need to provide evidence that all reasonable system safety objectives are satisfied. With the trend of increasing technological complexity, software content and mechatronic implementation, there are increasing risks from systemat

23、ic failures and random hardware failures. ISO 26262 includes guidance to avoid these risks by providing appropriate requirements and processes. System safety is achieved through a number of safety measures, which are implemented in a variety of technologies (e.g. mechanical, hydraulic, pneumatic, el

24、ectrical, electronic, programmable electronic) and applied at the various levels of the development process. Although ISO 26262 is concerned with functional safety of E/E systems, it provides a framework within which safety-related systems based on other technologies can be considered. ISO 26262: a)

25、 provides an automotive safety lifecycle (management, development, production, operation, service, decommissioning) and supports tailoring the necessary activities during these lifecycle phases; b) provides an automotive-specific risk-based approach to determine integrity levels Automotive Safety In

26、tegrity Levels (ASIL); c) uses ASILs to specify applicable requirements of ISO 26262 so as to avoid unreasonable residual risk; d) provides requirements for validation and confirmation measures to ensure a sufficient and acceptable level of safety being achieved; e) provides requirements for relatio

27、ns with suppliers. Functional safety is influenced by the development process (including such activities as requirements specification, design, implementation, integration, verification, validation and configuration), the production and service processes and by the management processes. Safety issue

28、s are intertwined with common function-oriented and quality-oriented development activities and work products. ISO 26262 addresses the safety-related aspects of development activities and work products. Figure 1 shows the overall structure of this edition of ISO 26262. ISO 26262 is based upon a V-mo

29、del as a reference process model for the different phases of product development. Within the figure: the shaded “V”s represent the interconnection between ISO 26262-3, ISO 26262-4, ISO 26262-5, ISO 26262-6 and ISO 26262-7; the specific clauses are indicated in the following manner: “m-n”, where “m”

30、represents the number of the particular part and “n” indicates the number of the clause within that part. EXAMPLE “2-6” represents Clause 6 of ISO 26262-2. BS ISO 26262-10:2012ISO 26262-10:2012(E) vi ISO 2012 All rights reserved3. Concept phase2. Management of functional safety2-5 Overall safetymana

31、gement2-6Safetymanagement during the concept phase and the product development 7. Production and operation6-5Initiation of product development at the software level6-6Specification of software safetyrequirements 6-7Software architectural design6-8Software unit design and implementation6-9Software un

32、it testing6-10Software integration and testing 6-11 Verification of software safetyrequirements5-5Initiation of product development at the hardware level5-6Specification of hardware safetyrequirements5-7Hardware design5-8Evaluation of the hardware architecturalmetrics5-10Hardware integration and tes

33、ting2-7Safetymanagement after the items release for production3-6 Initiation of the safetylifecycle1. Vocabulary3-5 Item definition3-7 Hazard analysis andrisk assessment3-8 Functional safetyconcept7-6 Operation, service (maintenance and repair), and decommissioning7-5 Production8. Supporting process

34、es8-5Interfaces within distributed developments8-6Specification and managementof safetyrequirements8-8Change management8-9Verification8-7Configuration management4. Product development at the system level4-5Initiation of product development at the system level4-7System design 4-8Item integration and

35、testing4-9Safetyvalidation4-10Functional safetyassessment4-11Release for production6. Product development at thesoftware level5. Product development at thehardware level5-9Evaluation of the safetygoal violations due to random hardware failures4-6Specification of the technical safetyrequirements9. AS

36、IL-oriented and safety-oriented analyses9-5Requirements decomposition with respect to ASIL tailoring9-6Criteria for coexistence of elements8-10Documentation8-11Confidence in the use of software tools8-13Qualificationof hardware components8-14Proven in use argument8-12Qualificationof software compone

37、nts9-7Analysis of dependent failures9-8Safetyanalyses10. Guideline on ISO 26262Figure 1 Overview of ISO 26262 BS ISO 26262-10:2012INTERNATIONAL STANDARD ISO 26262-10:2012(E) ISO 2012 All rights reserved 1Road vehicles Functional safety Part 10: Guideline on ISO 26262 1 Scope ISO 26262 is intended to

38、 be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production passenger cars with a maximum gross vehicle mass up to 3 500 kg. ISO 26262 does not address unique E/E systems in special purpose vehicles such as veh

39、icles designed for drivers with disabilities. Systems and their components released for production, or systems and their components already under development prior to the publication date of ISO 26262, are exempted from the scope. For further development or alterations based on systems and their com

40、ponents released for production prior to the publication of ISO 26262, only the modifications will be developed in accordance with ISO 26262. ISO 26262 addresses possible hazards caused by malfunctioning behaviour of E/E safety-related systems, including interaction of these systems. It does not add

41、ress hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of E/E safety-related systems. ISO 26262 does not address the nominal performance of E/E syst

42、ems, even if dedicated functional performance standards exist for these systems (e.g. active and passive safety systems, brake systems, Adaptive Cruise Control). This part of ISO 26262 provides an overview of ISO 26262, as well as giving additional explanations, and is intended to enhance the unders

43、tanding of the other parts of ISO 26262. It has an informative character only and describes the general concepts of ISO 26262 in order to facilitate comprehension. The explanation expands from general concepts to specific contents. In the case of inconsistencies between this part of ISO 26262 and an

44、other part of ISO 26262, the requirements, recommendations and information specified in the other part of ISO 26262 apply. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undat

45、ed references, the latest edition of the referenced document (including any amendments) applies. ISO 26262-1:2011, Road vehicles Functional safety Part 1: Vocabulary ISO 26262-2:2011, Road vehicles Functional safety Part 2: Management of functional safety ISO 26262-3:2011, Road vehicles Functional s

46、afety Part 3: Concept phase ISO 26262-4:2011, Road vehicles Functional safety Part 4: Product development at the system level ISO 26262-5:2011, Road vehicles Functional safety Part 5: Product development at the hardware level ISO 26262-6:2011, Road vehicles Functional safety Part 6: Product developm

47、ent at the software level ISO 26262-7:2011, Road vehicles Functional safety Part 7: Production and operation BS ISO 26262-10:2012ISO 26262-10:2012(E) 2 ISO 2012 All rights reservedISO 26262-8:2011, Road vehicles Functional safety Part 8: Supporting processes ISO 26262-9:2011, Road vehicles Functiona

48、l safety Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses 3 Terms, definitions and abbreviated terms For the purposes of this document, the terms, definitions and abbreviated terms given in ISO 26262-1:2011 apply. 4 Key concepts of ISO 26262 4.1 Functional safet

49、y for automotive systems (relationship with IEC 61508) IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems, is designated by IEC as a generic standard and a basic safety publication. This means that industry sectors will base their own standards for functional safety on the requirements of IEC 61508. In the automotive industry, there are a number of issues with applying IEC 61508 directly. Some of these issues and correspon