Roger Rivett

Model-Based Assurance for Justifying Automotive Functional Safety

With the growing complexity of, and reliance on, safety-related electrical/electronic (E/E) systems in the automotive sector, the development of an explicit safety case is highly recommended to provide assurance to the different stakeholders interested in automotive functional safety. The production of a safety case is explicitly mandated by the draft automotive functional safety standard ISO26262. A safety case should consider all organisational and technical factors that may contribute to safety. For example, it should provide assurance for the safe behaviours of a particular system as well as assurance for the process by which this system is developed, operated and maintained. In this paper, we address one component of the overall safety case, namely the assurance of the functional safety concept. In particular, we examine how model-driven development and assessment can provide a basis for the systematic generation of functional safety requirements. We demonstrate how an automotive safety case can be structurally and traceably developed, justifying why and how the defined functional safety requirements can adequately mitigate the risk of the identified hazards to an acceptable level. A case study is also presented throughout this paper, discussing examples and lessons learnt from the development of a safety case for an air suspension system.

Safety Cases and Their Role in ISO 26262 Functional Safety Assessment

Compliance with the automotive standard ISOa26262 requires the development of a safety case for electrical and/or electronic (E/E) systems whose malfunction has the potential to lead to an unreasonable level of risk. In order to justify freedom from unreasonable risk, a safety argument should be developed in which the safety requirements are shown to be complete and satisfied by the evidence generated from the ISOa26262 work products. However, the standard does not provide practical guidelines for how it should be developed and reviewed. More importantly, the standard does not describe how the safety argument should be evaluated in the functional safety assessment process. In this paper, we categorise and analyse the main argument structures required of a safety case and specify the relationships that exist between these structures. Particular emphasis is placed on the importance of the product-based safety rationale within the argument and the role this rationale should play in assessing functional safety. The approach is evaluated in an industrial case study. The paper concludes with a discussion of the potential benefits and challenges of structured safety arguments for evaluating the rationale, assumptions and evidence put forward when claiming compliance with ISOa26262.

A Layered Model for Structuring Automotive Safety Arguments (Short Paper)

We present a model for structuring automotive safety arguments comprising four different, yet interrelated, layers of safety claims. The layered model is structured by the rationale behind safety requirements, their relationship to corresponding physical artefact(s) and hazardous events, the means used in their development and the environment in which safety activities are undertaken. The layered approach allows for focus and clarity in communicating and assessing the functional safety of automotive Electrical/Electronic systems, particularly in the context of the automotive standard ISO 26262.

Technology, Society and Risk

There remains a healthy debate among those working in the fun-ctional safety field over issues that appear to be fundamental to the discipline. Coming from an industry that is a relative newcomer to this discipline I look to the more established industries to give a lead. Not only are they in debate about key issues, the approaches taken do not always transfer easily to a mass market product, developed within very tight business constraints. Key issues that are debated include: What is meant by risk, what is acceptable risk and who does the accepting? How do we justify that an acceptable risk has been, or will be, achieved? What role does the development process play? What is meant by the concept of a Safety Integrity Level? In this talk I will air some views on these questions based on my experience of deve-loping automotive systems and authoring industry sector guidelines and standards in the hope that this will provoke informed discussion.