[Trustable-distros] ISO 26262 for Trustable Distributions
Edmund Sutcliffe
edmund.sutcliffe at codethink.co.uk
Wed Jul 4 12:10:35 BST 2018
What is ISO 26262? [1]
======================
"ISO 26262 defines a safety case to be 'argument that the safety
requirements for an item are complete and satisfied by evidence compiled
from work products of the safety activities during development'." [2]
This safety case is driven by
* an automotive-specific, risk-based approach for determining risk
  classes (SIL/ASIL) [2a]
* a process for collating functional safety plans at an acceptable
  residual risk during
    * requirements specification
    * design
    * implementation, integration
    * verification, validation
    * configuration
There are TWO certification bodies: Exida [8] and TÜV [9].
The safety case consists of
* "Goal", i.e. what risk you are attempting to address
* "Action", i.e. what you did to address this "Goal"
* "Evidence", i.e. what results you have which support this case.
The delivery of "Evidence" has to be repeatable and support the "Goal"
for the functional safety.
The "Action" can be given in the form of a reasoned argument, or in the
form of a behavioural test that confirms the level of failure.
Thus it would be possible to write Given/When/Then tests where the
Scenario is the "Goal", the "Action" is described in the
"Given/When/Then", and the execution of this would produce the Evidence.
In effect this evidence is presented to an assessor for confirmation.
These produce the following pieces of information
* Safety Manual [essentially a list of the goals you address]
* Compliance statement [evidence offered for the compliance with
  these goals]
* Safety Certificate [auditor's report on the evidence and goals]
* List of Errata (Errors) [details of how often your delivery of the
  above fails and explanations of why]
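To make the Goal/Action/Evidence mapping concrete, here is an added
example (my own illustration, not code from the standard, from Codethink,
or from any certified product). Each Given/When/Then scenario is a safety
Goal, its steps are the Action, and executing it yields an Evidence record
that carries a digest of its inputs and outcome, so a re-run can be
compared byte for byte (the repeatability requirement). From the evidence
the script derives the Safety Manual, the Compliance statement and the
Errata list described above; the Safety Certificate is the assessor's
output and is deliberately not generated. The package installer, the
manifest and the package contents are constructed for the example and
are hypothetical.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List

# Constructed sample manifest: package name -> expected SHA-256 of contents.
# Hypothetical; not taken from any real distribution.
MANIFEST = {"libfoo": hashlib.sha256(b"libfoo-1.0 contents").hexdigest()}


def install_package(name: str, contents: bytes) -> bool:
    """Hypothetical installer: accept an artefact only if its digest matches
    the manifest. This is the element whose behaviour the scenarios test."""
    expected = MANIFEST.get(name)
    if expected is None:
        return False
    return hashlib.sha256(contents).hexdigest() == expected


@dataclass
class Scenario:
    """One Given/When/Then scenario. The scenario text is the safety-case Goal;
    the three steps together are the Action."""
    goal: str
    given: Callable[[dict], None]   # set up the context
    when: Callable[[dict], None]    # perform the action under test
    then: Callable[[dict], bool]    # check the expected outcome


@dataclass
class Evidence:
    """Record produced by executing one scenario."""
    goal: str
    passed: bool
    context_digest: str   # SHA-256 over goal, inputs and outcome


def run_scenario(s: Scenario) -> Evidence:
    """Execute the Action and return the Evidence. The digest is computed over a
    canonical JSON form of the context, so two runs on identical inputs yield
    identical evidence and a divergence is immediately visible."""
    ctx: Dict[str, object] = {}
    s.given(ctx)
    s.when(ctx)
    passed = s.then(ctx)
    canon = json.dumps({"goal": s.goal, "ctx": ctx, "passed": passed},
                       sort_keys=True, default=str).encode()
    return Evidence(s.goal, passed, hashlib.sha256(canon).hexdigest())


def _when_install(ctx: dict) -> None:
    # The "When": attempt the installation and record the installer's decision.
    ctx["accepted"] = install_package(ctx["name"], ctx["contents"].encode())


# Constructed scenarios for one hypothetical goal family: integrity of packages.
SCENARIOS: List[Scenario] = [
    Scenario("A package whose contents do not match the manifest digest is refused",
             lambda c: c.update(name="libfoo", contents="libfoo-1.0 contents (tampered)"),
             _when_install,
             lambda c: c["accepted"] is False),
    Scenario("A package whose contents match the manifest digest is accepted",
             lambda c: c.update(name="libfoo", contents="libfoo-1.0 contents"),
             _when_install,
             lambda c: c["accepted"] is True),
    Scenario("A package absent from the manifest is refused",
             lambda c: c.update(name="libbar", contents="anything"),
             _when_install,
             lambda c: c["accepted"] is False),
]


def safety_manual(scenarios: List[Scenario]) -> List[str]:
    """Safety Manual: the list of goals addressed."""
    return [s.goal for s in scenarios]


def compliance_statement(evidence: List[Evidence]) -> Dict[str, bool]:
    """Compliance statement: evidence offered per goal."""
    return {e.goal: e.passed for e in evidence}


def errata(evidence: List[Evidence]) -> List[str]:
    """Errata: goals whose delivery failed in this run."""
    return [e.goal for e in evidence if not e.passed]


def build_safety_case(scenarios: List[Scenario] = SCENARIOS) -> dict:
    """Run every scenario and assemble the work products for an assessor."""
    ev = [run_scenario(s) for s in scenarios]
    return {
        "safety_manual": safety_manual(scenarios),
        "compliance_statement": compliance_statement(ev),
        "errata": errata(ev),
        "evidence": [asdict(e) for e in ev],
    }


if __name__ == "__main__":
    print(json.dumps(build_safety_case(), indent=2))
```

Running the script twice and diffing the JSON is the repeatability check:
identical digests mean the Evidence was reproduced, not merely re-asserted.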
"a prescriptive SIL/DAL approach does not provide a clear argument that
the software is acceptably safe." ...
"Assurance of a process does not provide explicit, or generally
sufficient confidence in the level of safety." [3]
"Currently, there is not a consensus on the real value of an automotive
safety case, particularly when a safety process is compliant with ISO
26262. On the one hand, some are treating the safety case as a
repository of the work products generated from the safety life-cycle
phases. On the other hand, others are emphasising the role of the
argument in showing how and why the work products (i.e. evidence)
support the overarching claim that residual risks are acceptable.
Due to a perceived effort overhead, many will initially regard the
development of a safety case as a documentation exercise needed merely
for compliance. However, clear and practical industry guidance,
supported by example safety arguments and evidence, should help in
paving the way for a smooth introduction of the safety case concept in a
way that ensures a consistent understanding of this concept" [2]
"The work products required in the safety plan are subject to
configuration management, change management and documentation
management, in accordance with ISO 26262 – Part 8 (Clauses 7, 8 and 10
respectively), no later than the time of entering the phase 'product
development at system level'" [4]
"Documentation management represents a relevant and mandatory activity
according to ISO 26262. The same activity tends to be considered as a
waste according to the agile manifesto. Thus, agile and ISO
26262-compliant documentation management styles seem to form an odd
couple" [5]
"Products in Green Hills Platforms for Automotive have achieved the
highest levels of safety certifications including ISO 26262 (ASIL D),
IEC 61508 (SIL 4) and EN 50128 (SWSIL 4) and together with Green Hills
Safety Services specialists, enable customers to choose the safety level
right for their business goals." [6]
"QNX OS for Safety is a software solution that provides the reliable
foundation necessary for building competitive automotive and
mission-critical systems in a cost-effective and safe manner.
Pre-certified to high SIL levels in ISO 26262 and IEC 61508 to reduce
development, certification cost and risk" [7]
However, as I understand ISO 26262, the QNX or Green Hills platforms only
support the delivery of an "Element", and certifications are performed on
"Items". For the purposes of the standard an Item is typically the
"hardware, BSP, Software and Application", so it isn't possible to have a
certified distribution.
[1] https://www.slideshare.net/KoenLeekens/iso-26262-introduction
    [provides an OK overview]
[2] https://www-users.cs.york.ac.uk/~ihabli/Papers/2011IETPalinWardHabliRivett.pdf
[2a] https://en.wikipedia.org/wiki/Safety_integrity_level
[3] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.64.3627&rep=rep1&type=pdf
[4] http://www.opencoss-project.eu/sites/default/files/D1.2a_IUC_Automotive_domain_public_summary.pdf
[5] https://hal.archives-ouvertes.fr/hal-01192981/document
[6] https://www.ghs.com/products/auto_solutions.html
[7] https://blackberry.qnx.com/en/products/certified_os/safe-kernel
[8] http://www.exida.com/Certification/ISO-26262
[9] https://www.tuv-sud.co.uk/uk-en/industry/automotive-transportation/automotive-solutions/quality-and-safety-services/automotive-functional-safety/iso-26262-functional-safety-certified-programme
[10] https://www-users.cs.york.ac.uk/~ihabli/Papers/2013Habli_Safecomp.pdf