[Trustable-distros] ISO 26262 for Trustable Distributions

Edmund Sutcliffe edmund.sutcliffe at codethink.co.uk
Wed Jul 4 12:10:35 BST 2018


What is ISO 26262? [1]
======================
"ISO 26262 defines a safety case to be 'argument that the safety 
requirements for an item are complete and satisfied by evidence compiled 
from work products of the safety activities during development'." [2]

This safety case is driven by
* an automotive-specific, risk-based approach for determining risk 
  classes (SIL/ASIL) [2a]
* a process for collating functional safety plans at an acceptable 
  residual risk during
     * requirements specification
     * design
     * implementation, integration
     * verification, validation
     * configuration

There are TWO certification bodies: Exida [8] and TÜV [9].

The safety case consists of
    * "Goal"     i.e. what risk you are attempting to address
    * "Action"   i.e. what you did to address this "Goal"
    * "Evidence" i.e. what results you have which support this case.

The delivery of "Evidence" has to be repeatable and has to support the 
"Goal" for the functional safety.
The "Action" can be given in the form of a reasoned argument, or in the 
form of a behavioural test that confirms the level of failure.

Thus it would be possible to write Given/When/Then tests where the 
Scenario is the "Goal", the "Action" is described in the 
Given/When/Then steps, and the execution of these produces the Evidence. 
In effect this evidence is presented to an assessor for confirmation.
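As an added illustration of that Goal/Action/Evidence mapping (this is not code from the original post or from any ISO 26262 tooling), the following minimal Given/When/Then runner treats the Scenario line as the Goal, the steps as the Action, and a hashed, re-runnable result record as the Evidence. The feature text, the step definitions and the watchdog model under test are all constructed for the example; the digest lets a second run, or an assessor, confirm the evidence is reproduced exactly.

```python
# Added example, not from the original post: a minimal Given/When/Then runner where the
# Scenario is the safety "Goal", the steps are the "Action" and the hashed, re-runnable
# result is the "Evidence". The feature text and the watchdog model are constructed.
import hashlib, json, re

FEATURE = """Scenario: Watchdog resets a hung control task within 100 ms
  Given a control task with a 50 ms heartbeat
  When the task stops sending heartbeats for 120 ms
  Then a reset is triggered within 100 ms of the last heartbeat"""

class Watchdog:                 # toy system under test (assumed model)
    def __init__(self, timeout_ms):
        self.timeout_ms, self.last_beat, self.reset_at = timeout_ms, 0, None
    def tick(self, now_ms, beat):
        if beat: self.last_beat = now_ms
        elif self.reset_at is None and now_ms - self.last_beat >= self.timeout_ms:
            self.reset_at = now_ms      # first missed deadline triggers the reset

STEPS = []                      # (compiled regex, implementation) pairs
def step(pattern):
    return lambda fn: STEPS.append((re.compile(pattern), fn)) or fn

@step(r"a control task with a (\d+) ms heartbeat")
def given_task(ctx, period):
    ctx["period"], ctx["wd"] = int(period), Watchdog(timeout_ms=2 * int(period))

@step(r"the task stops sending heartbeats for (\d+) ms")
def when_hang(ctx, gap):
    wd, p = ctx["wd"], ctx["period"]
    for t in range(0, 3 * p, p): wd.tick(t, beat=True)                   # healthy: beats at 0, p, 2p
    for t in range(3 * p, 3 * p + int(gap) + 1): wd.tick(t, beat=False)  # hang: no beats for `gap` ms
    ctx["last_beat"] = 2 * p

@step(r"a reset is triggered within (\d+) ms of the last heartbeat")
def then_reset(ctx, limit):
    r = ctx["wd"].reset_at
    ctx["reset_delay_ms"] = None if r is None else r - ctx["last_beat"]
    return r is not None and ctx["reset_delay_ms"] <= int(limit)

def run_scenario(feature):
    """Execute one scenario; return the Evidence record an assessor can re-run."""
    goal, actions, ctx, verdicts = None, [], {}, []
    for line in (l.strip() for l in feature.splitlines()):
        if line.startswith("Scenario:"):
            goal = line.split(":", 1)[1].strip(); continue
        keyword, text = line.split(" ", 1)
        match = next(((p.fullmatch(text), fn) for p, fn in STEPS if p.fullmatch(text)), None)
        if match is None: raise ValueError("no step definition for: " + line)
        result = match[1](ctx, *match[0].groups())
        if keyword == "Then": verdicts.append(bool(result))
        actions.append(line)
    record = {"goal": goal, "action": actions,
              "evidence": {"passed": all(verdicts), "reset_delay_ms": ctx.get("reset_delay_ms")}}
    # Digest of the canonical record: a repeat run must reproduce it byte for byte.
    record["digest"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record
```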

These produce the following pieces of information:
   * Safety Manual             [essentially a list of the goals you 
                                address]
   * Compliance statement      [evidence offered for the compliance with 
                                these goals]
   * Safety Certificate        [auditor's report on the evidence and 
                                goals]
   * List of Errata (Errors)   [details of how often your delivery of the 
                                above fails and explanations of why]


"a prescriptive SIL/DAL approach does not provide a clear argument that 
the software is acceptably safe." ...
"Assurance of a process does not provide explicit, or generally 
sufficient confidence in the level of safety." [3]

"Currently, there is not a consensus on the real value of an automotive 
safety case, particularly when a safety process is compliant with ISO 
26262. On the one hand, some are treating the safety case as a 
repository of the work products generated from the safety life-cycle 
phases. On the other hand, others are emphasising the role of the 
argument in showing how and why the work products (i.e. evidence) 
support the overarching claim that residual risks are acceptable.

Due to a perceived effort overhead, many will initially regard the 
development of a safety case as a documentation exercise needed merely 
for compliance. However, clear and practical industry guidance, 
supported by example safety arguments and evidence, should help in 
paving the way for a smooth introduction of the safety case concept in a 
way that ensures a consistent understanding of this concept" [2]

"The work products required in the safety plan are subject to 
configuration management, change management and documentation 
management, in accordance with ISO 26262 – Part 8 (Clauses 7, 8 and 10 
respectively), no later than the time of entering the phase 'product 
development at system level'" [4]

"Documentation management represents a relevant and mandatory activity 
according to ISO 26262. The same activity tends to be considered as a 
waste according to the agile manifesto. Thus, agile and ISO 
26262-compliant documentation management styles seem to form an odd 
couple" [5]

"Products in Green Hills Platforms for Automotive have achieved the 
highest levels of safety certifications including ISO 26262 (ASIL D), 
IEC 61508 (SIL 4) and EN 50128 (SWSIL 4) and together with Green Hills 
Safety Services specialists, enable customers to choose the safety level 
right for their business goals." [6]

"QNX OS for Safety is a software solution that provides the reliable 
foundation necessary for building competitive automotive and 
mission-critical systems in a cost-effective and safe manner. 
Pre-certified to high SIL levels in ISO 26262 and IEC 61508 to reduce 
development, certification cost and risk" [7]

However, as I understand ISO 26262, the QNX or Green Hills platforms only 
support the delivery of an "Element", and certifications are performed on 
"Items". For the purpose of the standard an Item is typically the 
"hardware, BSP, Software and Application", so it isn't possible to have a 
certified distribution.


[1]  https://www.slideshare.net/KoenLeekens/iso-26262-introduction 
     [provides an OK overview]
[2]  https://www-users.cs.york.ac.uk/~ihabli/Papers/2011IETPalinWardHabliRivett.pdf
[2a] https://en.wikipedia.org/wiki/Safety_integrity_level
[3]  http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.64.3627&rep=rep1&type=pdf
[4]  http://www.opencoss-project.eu/sites/default/files/D1.2a_IUC_Automotive_domain_public_summary.pdf
[5]  https://hal.archives-ouvertes.fr/hal-01192981/document
[6]  https://www.ghs.com/products/auto_solutions.html
[7]  https://blackberry.qnx.com/en/products/certified_os/safe-kernel
[8]  http://www.exida.com/Certification/ISO-26262
[9]  https://www.tuv-sud.co.uk/uk-en/industry/automotive-transportation/automotive-solutions/quality-and-safety-services/automotive-functional-safety/iso-26262-functional-safety-certified-programme
[10] https://www-users.cs.york.ac.uk/~ihabli/Papers/2013Habli_Safecomp.pdf
