BS ISO 26262-3-2011 Road vehicles Functional safety Concept phase《道路车辆 功能安全 概念阶段》.pdf

《BS ISO 26262-3-2011 Road vehicles Functional safety Concept phase《道路车辆 功能安全 概念阶段》.pdf》由会员分享，可在线阅读，更多相关《BS ISO 26262-3-2011 Road vehicles Functional safety Concept phase《道路车辆 功能安全 概念阶段》.pdf（38页珍藏版）》请在麦多课文档分享上搜索。

1、raising standards worldwideNO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAWBSI Standards PublicationBS ISO 26262-3:2011Road vehicles FunctionalsafetyPart 3: Concept phaseBS ISO 26262-3:2011 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of ISO 2

2、6262-3:2011.ISO 26262 is published in a series of 9 parts and each has beenadopted as a British standard. However, the UK committee recordeda negative vote for ISO 26262-3. The main concerns were:- The concept of Automotive Safety Integrity Levels (ASIL)in ISO 26262 is not aligned to the concept of

3、safetyintegrity level (SIL) found in IEC 61508 and its derivativestandards, making application difficult where alignmentwith these other standards is required.- IEC 61508 requires risk matrices to be calibrated, butno information on the calibration of the factors forseverity, exposure and controllab

4、ility used in ISO 26262is provided.- There is an assumed order of magnitude betweenadjacent classes of exposure (Table 2) and controllability(Table 3) (and this can arguably also be seen in severity,Table 1). However, ASIL C is inconsistent with thispattern with the result that any movement in a sin

5、gleclass (e.g. C3 to C2, E4 to E3, S3 to S2) represents anorder of magnitude risk reduction which is not reflectedin ASIL C (e.g. targets for hardware metrics, measures toprevent multiple faults becoming latent).- It is the opinion of the UK committee that additionalguidance is needed on how to deal

6、 with a finegranularity of operational situations and the resultingexposure classifications in the case where very finegranularity is used, guidance is needed on how thescenarios can be recombined while avoiding artificialreduction of the ASIL (see Clause 7.4.4.2 and associatedNOTE).- Paragraph 3 of

7、 the Scope sets out that the hazards inthe Scope are those that the item is capable of causingthrough malfunction, and which are used in hazardanalysis and risk assessment (Clause 7). It does notaddress hazards or risks where the item is intendeddirectly to contribute their risk reduction; therefore

8、, itdoes not cover how these should be assessed, whetherthe ASIL values reflect the hazard risk or the riskreduction, and (if the ASIL values relate to the hazardrisk) how the division of risk mitigation across differentitems can be accounted for in the safety lifecycles foreach of these items.- Whi

9、le the allocation of risk reduction to measuresoutside the scope of electrical and/or electronic (E/E)systems is acknowledged and permitted, no definedmethod of doing so is provided and it is specificallynot permitted to use an ASIL value to denote the riskreduction allocated to a non-E/E safety mea

10、sure.Additional guidance on dealing with the majority of these issues canbe found in MISRA Guidelines for safety analysis of vehicle basedprogrammable systems, ISBN 978-0-9524156-5-7, MIRA, 2007.The UK participation in its preparation was entrusted to TechnicalCommittee AUE/16, Electrical and electr

11、onic equipment.A list of organizations represented on this committee can beobtained on request to its secretary.BS ISO 26262-3:2011 BRITISH STANDARDThis publication does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. BSI 2011ISBN 9

12、78 0 580 62305 9ICS 43.040.10Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standard was published under the authority of theStandards Policy and Strategy Committee on 31 December 2011.Amendments issued since publicationDate Text affectedBS ISO 26262-3:2

13、011Reference numberISO 26262-3:2011(E)ISO 2011INTERNATIONAL STANDARD ISO26262-3First edition2011-11-15Road vehicles Functional safety Part 3: Concept phase Vhicules routiers Scurit fonctionnelle Partie 3: Phase de projet BS ISO 26262-3:2011ISO 26262-3:2011(E) COPYRIGHT PROTECTED DOCUMENT ISO 2011 Al

14、l rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country

15、of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO 2011 All rights reservedBS ISO 26262-3:2011ISO 26262-3:2011(E) ISO 2011 All rights reserved iiiContents Page F

16、oreword iv Introduction . v 1 Scope 1 2 Normative references 1 3 Terms, definitions and abbreviated terms 2 4 Requirements for compliance 2 4.1 General requirements . 2 4.2 Interpretations of tables 2 4.3 ASIL-dependent requirements and recommendations . 3 5 Item definition 3 5.1 Objectives 3 5.2 Ge

17、neral . 3 5.3 Inputs to this clause 3 5.4 Requirements and recommendations . 4 5.5 Work products . 4 6 Initiation of the safety lifecycle 5 6.1 Objectives 5 6.2 General . 5 6.3 Inputs to this clause 5 6.4 Requirements and recommendations . 5 6.5 Work products . 6 7 Hazard analysis and risk assessmen

18、t . 6 7.1 Objectives 6 7.2 General . 7 7.3 Inputs to this clause 7 7.4 Requirements and recommendations . 7 7.5 Work products . 12 8 Functional safety concept 12 8.1 Objectives 12 8.2 General . 12 8.3 Inputs to this clause 13 8.4 Requirements and recommendations . 14 8.5 Work products . 16 Annex A (

19、informative) Overview and document flow of concept phase . 17 Annex B (informative) Hazard analysis and risk assessment 18 Bibliography 25 BS ISO 26262-3:2011ISO 26262-3:2011(E) iv ISO 2011 All rights reservedForeword ISO (the International Organization for Standardization) is a worldwide federation

20、 of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee.

21、International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance wit

22、h the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approv

23、al by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO 26262-3 was prepared by Technical Commit

24、tee ISO/TC 22, Road vehicles, Subcommittee SC 3, Electrical and electronic equipment. ISO 26262 consists of the following parts, under the general title Road vehicles Functional safety: Part 1: Vocabulary Part 2: Management of functional safety Part 3: Concept phase Part 4: Product development at th

25、e system level Part 5: Product development at the hardware level Part 6: Product development at the software level Part 7: Production and operation Part 8: Supporting processes Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses Part 10: Guideline on ISO 26262 BS I

26、SO 26262-3:2011ISO 26262-3:2011(E) ISO 2011 All rights reserved vIntroduction ISO 26262 is the adaptation of IEC 61508 to comply with needs specific to the application sector of electrical and/or electronic (E/E) systems within road vehicles. This adaptation applies to all activities during the safe

27、ty lifecycle of safety-related systems comprised of electrical, electronic and software components. Safety is one of the key issues of future automobile development. New functionalities not only in areas such as driver assistance, propulsion, in vehicle dynamics control and active and passive safety

28、 systems increasingly touch the domain of system safety engineering. Development and integration of these functionalities will strengthen the need for safe system development processes and the need to provide evidence that all reasonable system safety objectives are satisfied. With the trend of incr

29、easing technological complexity, software content and mechatronic implementation, there are increasing risks from systematic failures and random hardware failures. ISO 26262 includes guidance to avoid these risks by providing appropriate requirements and processes. System safety is achieved through

30、a number of safety measures, which are implemented in a variety of technologies (e.g. mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic) and applied at the various levels of the development process. Although ISO 26262 is concerned with functional safety of E/E systems

31、, it provides a framework within which safety-related systems based on other technologies can be considered. ISO 26262: a) provides an automotive safety lifecycle (management, development, production, operation, service, decommissioning) and supports tailoring the necessary activities during these l

32、ifecycle phases; b) provides an automotive-specific risk-based approach to determine integrity levels Automotive Safety Integrity Levels (ASIL); c) uses ASILs to specify applicable requirements of ISO 26262 so as to avoid unreasonable residual risk; d) provides requirements for validation and confir

33、mation measures to ensure a sufficient and acceptable level of safety being achieved; e) provides requirements for relations with suppliers. Functional safety is influenced by the development process (including such activities as requirements specification, design, implementation, integration, verif

34、ication, validation and configuration), the production and service processes and by the management processes. Safety issues are intertwined with common function-oriented and quality-oriented development activities and work products. ISO 26262 addresses the safety-related aspects of development activ

35、ities and work products. Figure 1 shows the overall structure of this edition of ISO 26262. ISO 26262 is based upon a V-model as a reference process model for the different phases of product development. Within the figure: the shaded “V”s represent the interconnection between ISO 26262-3, ISO 26262-

36、4, ISO 26262-5, ISO 26262-6 and ISO 26262-7; the specific clauses are indicated in the following manner: “m-n”, where “m” represents the number of the particular part and “n” indicates the number of the clause within that part. EXAMPLE “2-6” represents Clause 6 of ISO 26262-2. BS ISO 26262-3:2011ISO

37、 26262-3:2011(E) vi ISO 2011 All rights reserved3. Concept phase2. Management of functional safety2-5 Overall safetymanagement2-6Safetymanagement during the concept phase and the product development 7. Production and operation6-5Initiation of product development at the software level6-7Software arch

38、itectural design6-8Software unit design and implementation6-9Software unit testing6-10Software integration and testing 6-11 Verification of software safetyrequirements5-5Initiation of product development at the hardware level5-6Specification of hardware safetyrequirements5-7Hardware design5-8Evaluat

39、ion of the hardware architecturalmetrics5-10Hardware integration and testing2-7Safetymanagement after the items release for production3-6 Initiation of the safetylifecycle1. Vocabulary3-5 Item definition3-7 Hazard analysis andrisk assessment3-8 Functional safetyconcept7-6 Operation, service (mainten

40、ance and repair), and decommissioning7-5 Production8. Supporting processes8-5Interfaces within distributed developments8-6Specification and managementof safetyrequirements8-8Change management8-9Verification8-7Configuration management4. Product development at the system level4-5Initiation of product

41、development at the system level4-7System design 4-8Item integration and testing4-9Safetyvalidation4-10Functional safetyassessment4-11Release for production6. Product development at thesoftware level5. Product development at thehardware level5-9Evaluation of the safetygoal violations due to random ha

42、rdware failures4-6Specification of the technical safetyrequirements9. ASIL-oriented and safety-oriented analyses9-5Requirements decomposition with respect to ASIL tailoring9-6Criteria for coexistence of elements8-10Documentation8-11Confidence in the use of software tools8-13Qualificationof hardware

43、components8-14Proven in use argument8-12Qualificationof software components9-7Analysis of dependent failures9-8Safetyanalyses10. Guideline on ISO26262Figure 1 Overview of ISO 26262 BS ISO 26262-3:2011INTERNATIONAL STANDARD ISO 26262-3:2011(E) ISO 2011 All rights reserved 1Road vehicles Functional sa

44、fety Part 3: Concept phase 1 Scope ISO 26262 is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production passenger cars with a maximum gross vehicle mass up to 3 500 kg. ISO 26262 does not address

45、 unique E/E systems in special purpose vehicles such as vehicles designed for drivers with disabilities. Systems and their components released for production, or systems and their components already under development prior to the publication date of ISO 26262, are exempted from the scope. For furthe

46、r development or alterations based on systems and their components released for production prior to the publication of ISO 26262, only the modifications will be developed in accordance with ISO 26262. ISO 26262 addresses possible hazards caused by malfunctioning behaviour of E/E safety-related syste

47、ms, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of E/E safety-related systems. ISO

48、 26262 does not address the nominal performance of E/E systems, even if dedicated functional performance standards exist for these systems (e.g. active and passive safety systems, brake systems, Adaptive Cruise Control). This part of ISO 26262 specifies the requirements for the concept phase for aut

49、omotive applications, including the following: item definition, initiation of the safety lifecycle, hazard analysis and risk assessment, and functional safety concept. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO 26262-1:2011, Road vehicles Functional safety Part 1: Vocab