
Copyright: Peter Grabs; Pierre Metz. As of: 12.09.2012. Copy for event participants.

A Critical View on Independence in ISO 26262-2


4th EUROFORUM conference ISO 26262, Sept 12th-14th, 2012, Leinfelden-Echterdingen, Germany

Peter Grabs, Ph.D., intedis GmbH & Co. KG, Germany
Pierre Metz, Ph.D., Brose Fahrzeugteile GmbH & Co. KG, Hallstadt, Germany

Intedis GmbH & Co. KG, Brose Fahrzeugteile GmbH & Co. KG. All rights reserved.


Content

1. What ISO 26262-2 Says
2. Different Views on Independence
3. Our Considerations
4. Change Request to ISO 26262-2
5. Scenarios


Independence for confirmation measures

Apparently, independence is defined in terms of organizational structure:

ISO 26262-2, clause 6.4.7


Different Views on Independence (1/3)

Some third-party service providers claim:
- certification of individuals would be necessary for satisfying I1 and I2 [1]
- it would be state of the art to have safety assessments performed by accredited third parties [2,3]
- I3 would require purely external services being free of economical or any other kind of dependency to the organization assessed [2]

1) As perceived by the authors from 2009 to 2012 based on personal community communications, EUROFORUM ISO 26262 conference publications & debates, IQPC ISO 26262 conference publications & debates, VDA Sys Conference debates, public advertisements & service offers, "Functional Safety Executive Summary" publication of ZVEI working group on functional safety, internet articles, white papers, journal articles.

2) Schmidt M., Rau M., Helmig E., Bauer B., SGS TÜV Saar, "Funktionale Sicherheit - Umgang mit Unabhängigkeit, rechtlichen Rahmenbedingungen und Haftungsfragen" (http://www.sgs-tuev-saar.com/pdf/Fachartikel-ISO-26262-Jura-08-2011.pdf) and "Rechtliche Folgen der ISO26262", Hanser Automotive, Germany, Nov. 2011.
   Quotation: "With regard to the duty of care, it is to be regarded as the state of the art in science and technology that the 'functional safety assessment' part of product assurance is carried out by test bodies that are accredited for this purpose according to ISO/IEC 17025 or ISO/IEC 17020 and are not part of the company's own corporate group."
   Quotation: "True independence exists only if the analysing body has no economic or employment-law dependency on the manufacturing company."

3) Molle E., Rau M., "Bestätigungsmaßnahmen der ISO 26262 und organisatorische Umsetzungsbeispiele", Safetronic conference, Nov. 2011, Munich, Germany.
   Quotation: "For the highest possible risk reduction in the area of product liability, it is recommended to rely on independent test bodies accredited according to ISO/IEC 17025."

Different Views on Independence (2/3)

Helmig [4]
- Even an external service provider is not entirely independent, as he might seek follow-up contracts

Kriso/Unruh [5]
- Certification of processes, products, or individuals is required neither by ISO 26262 nor from a legal point of view
- Organizational independency does not necessarily mean external [5,6]
- Competence is necessary for functional safety audits and assessments
- However, the more independent a person is, the less specific knowledge that person has, and vice versa

4) Helmig E., "Funktionale Sicherheit nach ISO 26262 und Produkthaftung für No-trouble-found-Fälle", journal "Haftpflicht International - Recht & Versicherung", No. 1/2012, http://www.fb.tmg-web.de/genre/HI_recht_versicherung_2012_01/index.html, also available on http://www.notarhelmig.de/de/publikationen.html.
   Quotation: "Even an external consultant is hardly independent if he has to fear for his next contract in this very limited environment of business opportunities with only a few customers."

5) Kriso S./Unruh J., "Implementation of Functional Safety Audits and Assessments at Bosch", IQPC conference "Experiences with ISO 26262", Munich, Germany, 28th-30th March 2012.

6) FAQ Ed. 2 on IEC internet page, answered by IEC 61508 standardization board (IEC/SC65A/WG14), http://www.iec.ch/functionalsafety/faq-ed2/page4.htm

Different Views on Independence (3/3)

Molle/Rau [7]
- It is considered necessary to have confirmation measures done by company-internal parties.

Technical pros and cons for external safety assessment services [8]
- independence can be argued more easily
- different assessors may have different opinions

Technical pros and cons for independent internal depts. [8]
- more internal competence
- arguing independence is more difficult
- less know-how/skill at present stage of ISO 26262 experience (a temporary issue only)
- establishing central depts. next to the product lines leads to bigger organizations

7) Molle E., Rau M., "Bestätigungsmaßnahmen der ISO 26262 und organisatorische Umsetzungsbeispiele", Safetronic conference, Nov. 2011, Munich, Germany.
   Quotation: "It is therefore essential to fulfil the required functional safety confirmation measures practicably and efficiently by means of company-internal organizational solutions."

8) Taken from the reported results of workshop "Process Experience With ISO 26262 Audits and What Can Be Concluded From These" led by Richard Krüger, BMW AG, at IQPC conference "Experiences with ISO 26262", Munich, Germany, 28th-30th March 2012.


Step 1: Realizing the problem

The apparent definition of independence in 26262-2
- creates confusion (e.g. whether external services are required or not, see above)
- does not prevent economical bias (e.g. external service providers might strive for follow-up contracts, see above)
- does not prevent selective hiring (e.g. customer might choose an external service provider/assessor being most beneficial)
- neither addresses nor guarantees competence (see above)
- can lead to arbitrary organizational changes (e.g. establishing new depts. just because of ISO 26262-2)
- does not reflect psychology (e.g. in small companies, employees being located closely to each other and having personal interrelationships affects independence)

Step 2: Drawing the conclusion

Conclusion:
Independence is merely a method, not a goal!

In contrast [9,10,11]:
- The ISO 26262 philosophy is to provide objectives and requirements instead of hardcoded solutions

Therefore:
The true goal needs to be identified!

9) Statements of VDA AK 16 members and delegates to ISO/TC22/SC3/WG16, e.g. during debates at EUROFORUM ISO 26262 conferences 2010, 2011 and VDA AK 16 board meetings.

10) E.g. the ASIL method tables are recommendations and guidance only; the actual requirements to fulfill are the goals stated in the corresponding paragraphs above. Generally, the requirements in chapters x.4 are designed to be refinements of the objectives in chapters x.1 (indirectly by means of grouping those requirements in terms of logical work products).

11) Personal opinion, and experiences with international standards, of the authors.

Step 3: Identifying the true goal

Our proposal: the goals for confirmation measures are to be
1. Objectivity of judgement [12,13], i.e. free of conflict of interests, unbiased people
2. Competence [13,14,15] wrt.
   - technical product details
   - internal processes
   - ISO 26262 comprehension

12) 13) 14) 15)

This goal is also explicitly required by ISO/IEC TR 15504-7 (SPICE assessment types A to D)
This goal is also explicitly required by ISO/IEC 15504-2
This goal is also explicitly required by ISO/IEC TR 15504-7 (SPICE assessment types A to D) 11)
This goal is also required by "Standard CMMI Appraisal Method for Process Improvement (SCAMPI(SM)) A, Version 1.3, Method Definition Document", SCAMPI Upgrade Team, March 2011, HANDBOOK CMU/SEI-2011-HB-001, process step "Select and Prepare Appraisal Team"
Guidelines for auditing management systems (ISO 19011:2011); German and English version EN ISO 19011:2011

Step 4: Identifying adequate methods for the identified goals

Possible methods

Already mentioned:
1. Different person, same team
2. Person from different team
3. External service providers
4. Independent depts.

Our new suggestions (do not require additional headcount/resources):
5. Internal heterogeneous teams
   - internal representatives
   - approval is upon the entire team, therefore requires group consensus (no majority vote or overruling)
6. Mixed heterogeneous teams
   - internal representatives
   - external party representatives
   - approval is upon the entire team, therefore requires group consensus (no majority vote or overruling)


Our change request to 26262-2 (1/3)

Table 1: Evaluation of methods wrt. the proposed goals

Method                       | Competence: (T)echnical product | Competence: Internal (P)rocesses | (O)bjectivity
Different person, same team  | High                            | High                             | Low
Person from different team   | Medium [a]/High                 | Medium/High [b]                  | Medium
Independent dept.            | Low/Medium [d]                  | Medium/High [b]                  | Medium [e]/High
Purely external services     | Low/Medium                      | None/Low [g]/Medium [g]          | Medium [c]/High
Internal heterogeneous teams | High                            | High                             | Medium [f]/High [f]
Mixed heterogeneous teams    | High                            | High                             | High

a) Depending on product variants, different customers/product lines etc.
b) Depends on process maturity, e.g. High only in presence of standard processes (e.g. CMMI Maturity Level 3, SPICE Maturity Level 3, or Automotive SPICE HIS scope Capability Level 3, respectively)
c) Potential economical bias, see Helmig above
d) See Kriso/Unruh, above
e) Psychology not reflected, see above
f) Group consensus, but still depending on team selection
g) Depending on how familiar the particular external individual is with the company

Our change request to 26262-2 (2/3)

Table 2

Hazard & Risk Analysis
Safety plan
Item Integration & Testing Plan
Validation Plan
Safety Analyses
Tool Qualification Report
Proven-In-Use Arguments
Safety Case
Safety Audit
Safety Assessment

B

T High, P Low, O High

T Medium, P Low, O Low
T High, P Low, O Low

T Low, P Medium, O Low
T Medium, P Low, O Low
T Medium, P Low, O Low
T High, P Low, O Low
T Low, P Low, O Low
T Medium, P Low, O Low
T Medium, P Medium, O Low
T Low, P High, O Low
T High, P Medium, O Low

T Low, P Medium, O Medium
T Medium, P Low, O Medium
T Medium, P Low, O Medium
T High, P Low, O Medium
T Low, P Low, O Low
T Medium, P Low, O Medium
T Medium, P Medium, O Medium
T Low, P High, O Medium
T High, P Medium, O Medium

T Low, P Medium, O High
T Medium, P Low, O Medium
T Medium, P Low, O Medium
T High, P Low, O High
T Low, P Low, O Low
T Medium, P Low, O High
T Medium, P Medium, O High
T Low, P High, O High
T High, P Medium, O High

T Medium, P Low, O Low
T Medium, P Medium, O Low

Our change request to 26262-2 (3/3)

6.4.7 Confirmation measures: types, authority, competence and objectivity

6.4.7.1 The confirmation measures specified in table 2 shall be performed in accordance with the requirements in tables 1 and 2 to ensure a competent and objective evaluation. Conflicts of interest shall be identified, documented, and justified.


Scenario 1: Brose Hazards & Risk Analyses

Generic HRA for mechatronical product lines [16]
- Internal heterogeneous team comprising
  - Independent central dept. Process Quality
  - HW Engineer
  - Basis SW Engineer
  - Application SW Engineer
  - Mechatronic test engineer
  - SW system test engineer

Implicit review of the above

Project-specific documents derived from standard
- Internal heterogeneous team comprising
  - HW Engineer
  - Basis SW Engineer
  - Application SW Engineer

16) Metz P., "Experience report - Functional safety standard conformance via process monitoring using a product line approach", IQPC conference "Experiences with ISO 26262", Munich, Germany, 28th-30th March 2012.

Scenario 2: Intedis HRA Review

- Creation of the HRA together with OEM engineering team
- Review of the HRA by external heterogeneous team comprising
  - OEM development
  - OEM functional safety (Intedis)
  - Supplier development
  - Supplier functional safety
- Alignment to industry best practices
- Deep understanding of use cases

Scenario 3: Safety Assessment Tier 1

- Safety assessment for a component contributing to an ASIL D safety goal.
- Safety Assessment to be conducted by an internal heterogeneous team comprising
  - Development
  - Quality
  - Testing
  - Management
  - Functional safety management

Conclusion (1/2)

We revealed the notion of independence in ISO 26262-2 as being a method instead of a goal.

As a change request for the upcoming ISO 26262 revision we suggested
- replacing it with the goal of "ensure a competent & objective evaluation"
- mapping the approaches
  1. Different person, same team
  2. Person from different team
  3. Independent depts.
  4. Purely external services
  5. Internal heterogeneous teams (our new suggestion)
  6. Mixed heterogeneous teams (our new suggestion)
- a corresponding redefinition of 26262-2 clauses and tables

Conclusion (2/2)

Our 2 new methods
- solve the problem of knowledge vs. independence (see Kriso/Unruh)
- can be used in organizations of any size
- can be mixed with the known four, i.e. heterogeneous teams can involve representatives of independent depts. or external parties
- do not require more headcount / resource demands compared to designated independent depts.

At the present stage of ISO 26262 our suggestions would have to be agreed on with the customer.

Thank you for your attention. Questions?

pierre.metz@brose.com peter.grabs@intedis.com
