Professional Documents
Culture Documents
Abstract
Companies developing safety-related E/E products may have SPICEcompliant processes. However, this is not enough to fulfill the requirements
specified by functional safety standards like the new ISO 26262. These
processes definitely need an update, and the way the organization works
needs a change. But how is this change best implemented in practice, at
lowest possible cost, and with the highest possible success rate?
This tutorial presents the essential steps to be taken to achieve processes
and projects capable of functional safety, covering questions like:
How can we systematically identify what to change in which element of which process?
Where is there little to do, and where is a lot of work ahead?
What are the success factors to be considered?
How is the change to be organized?
What needs to be planned?
How long will it take, and what are the costs to be expected?
Contents
Initial Situation
What are the challenges?
Not all organizations are already set up to fully comply with safety
standards and able to achieve safety goals
Processes
Product architecture (hardware, software)
Skilled staff
Requirements from
CMMI / SPICE
Processes (What)
Methods (How)
Risk
Analysis
Safety
Requirements
Processes (What)
Architecture
Integrity
(SIL/ASIL)
CMMI /
SPICE
e.g. Project
Management,
Configuration
Management
Process Assessment
Safety Assessment
Trigger
Purpose
Qualification of
the assessor
Model
Criteria
Rating scale
N, P, L, F
Assess what?
Frequency
Scope split
Information
Maturity Model:
Automotive SPICE PAM 2.5
Control
Actuator
Sensor
System
ISO/IEC 15504
Processes
Engineering Process Group (ENG)
A ENG.1 Requirements elicitation
A ENG.2 System requirements analysis
A ENG.3 System architectural design
A ENG.4 Software requirements analysis
A ENG.5 Software design
A ENG.6 Software construction
A ENG.7 Software integration
A ENG.8 Software testing
A ENG.9 System integration
A ENG.10 System testing
ENG.11 Software installation
ENG.12 Software and system maintenance
The Acquisition Process Group (ACQ)
ACQ.1 Acquisition preparation
ACQ.2 Supplier selection
A ACQ.3 Contract agreement
A ACQ.4 Supplier monitoring
ACQ.5 Customer acceptance
A ACQ.11 Technical requirements
A ACQ.12 Legal and administrative requirements
A ACQ.13 Project requirements
A ACQ.14 Request for proposals
A ACQ.15 Supplier qualification
Automotive SPICE
& ISO/IEC 15504-5
Management Process Group (MAN)
MAN.1 Organizational alignment
MAN.2 Organization management
A MAN.3 Project management
MAN.4 Quality management
A MAN.5 Risk management
A MAN.6 Measurement
Supply Process Group (SPL)
A SPL.1 Supplier tendering
A SPL.2 Product release
SPL.3 Product acceptance support
Supporting Process Group (SUP)
A SUP.1 Quality assurance
A SUP.2 Verification
SUP.3 Validation
A SUP.4 Joint review
SUP.5 Audit
SUP.6 Product evaluation
A SUP.7 Documentation
A SUP.8 Configuration management
A SUP.9 Problem resolution management
A SUP.10 Change request management
Automotive SPICE is a registered trademark of the Verband der Automobilindustrie e.V. (VDA).
Copyright 2010 KUGLER MAAG CIE GmbH
Page 10 SPICE Upgrade for Functional Safety
3. Concept phase
5. Product development:
hardware level
7- 6 Operation, service
(maintenance and repair), and
decommissioning
8. Supporting processes
8- 5 Interfaces within distributed
development s
8- 7 Configuration management
8- 10 Documentation
8- 13 Qualific. Of HW components
8- 14 Proven in use argument
8- 8 Change management
8- 9 Verification
9- 5 Requirements decomposition
with respect to ASIL tailoring
EN 5012x
Railway
IEC 50156
Furnaces
IEC 60335
Houshold
Appliances
IEC 61513
Nuclear Power
IEC 60601
Medical
Copyright 2010 KUGLER MAAG CIE GmbH
Page 12 SPICE Upgrade for Functional Safety
IEC 62061
Machinery
IEC 61508
IEC 61511
Process Industry
Relationship between
ISO/DIS 26262
and
Automotive SPICE
SPICE
ISO 26262
If compliant
?
What is supported?
Suppose we have a CMMI or SPICE compliant process landscape. Which phases of the
safety lifecycle and which clauses of the safety standard ISO/DIS 26262 then already have
a good support? Expressed in a different way: Which requirements of the safety standards
ask for little process changes or extension in order to become compliant?
Copyright 2010 KUGLER MAAG CIE GmbH
Page 15 SPICE Upgrade for Functional Safety
SPICE
ISO 26262
If compliant
What is missing?
Suppose we have a CMMI or SPICE compliant process landscape. Which phases of the
safety lifecycle and which clauses of the safety standard ISO/DIS 26262 then will not be
fulfilled? Expressed in a different way: Which requirements of the safety standards are
missing and need explicit addition in the process landscape in order to become compliant?
Copyright 2010 KUGLER MAAG CIE GmbH
Page 16 SPICE Upgrade for Functional Safety
Notation
Within the following slides the phases and requirements of
ISO/DIS 26262 are marked as follows:
3. Concept phase
7- 6 Operation, service
(maintenance and repair), and
decommissioning
6. Product development:
software level
8. Supporting processes
8- 7 Configuration management
8- 8 Change management
8- 9 Verification
9- 5 Requirements decomposition
with respect to ASIL tailoring
Strong support
7-5 Production
5. Product development:
hardware level
8- 10 Documentation
8-11 Qualification of SW tools
8-12 Qualific. of SW components
Medium Support
8- 13 Qualific. Of HW components
8- 14 Proven in use argument
Weak support
9-8 Safety analyses
Item definition
3-6
3-7
Production
Operation
4-11
7-5
7-6
Product development:
system level
5
6
HW
SW
level
level
Other
technologies,
controllability,
external
measures
Product
development
After
SOP
Planning
7-6 7-5
3-5
Concept
phase
SPICE
What is necessary?
ISO 26262
If required
In case compliance with ISO/DIS 26262 is required which processes, which practices and
which work products are specifically necessary? Expressed in a different way: Which
elements of SPICE or CMMI should specifically be emphasized? Which elements are
important and which ones are not?
Copyright 2010 KUGLER MAAG CIE GmbH
Page 22 SPICE Upgrade for Functional Safety
1
1
2
3
2
3
3
2
1
1
2
3
0
3
3
1
2
3
2
3
3
2
3
0
1
0
1
2
1
2
2
0
2
1
1
Capability Level
A
SPICE
Necessary Automotive
Capability Levels vary from 0 to 3.
Formally no Capability Level necessary for Functional Safety.
Recommendation from Functional Safety point of view only.
Standard Process
A-SPICE
ISO/DIS
26262
Gap Analysis
Example / Extract / Tool
ISO/DIS 26262
ClauseNo.
Topic
Evidence
Work Prod.
2-6
6.4.5
Safety case
Safety case
2-6
6.4.6
Confirmation
measures
Results of the
confirmation
measures
Table
Question
Notes
Explanation
-2, table 1
Findings
Measures
Action
Findings
Charact.
ISO/DIS 26262
Clause
Work Product
5.5.1 Organization specific rules and processes
for functional safety
5.5.2 Evidence that the persons assigned to carry Extend organizational training program
5: Overall safety out activities provided by ISO26262 have a
sufficient level of skills, competences and
management
qualification
Include functional safety criteria in QM activities. Update
5.5.3 Evidence of an operational E/E quality
checklists. Maintain QM system certification.
management system, conforming to the
requirements of this part of ISO26262
2: Management
of functional
safety
6: Safety
management
during
development of
the item
7: Safety
management
after release for
production
ISO/DIS 26262
Clause
5: Item definition
Work Product
5.5 Item definition
7: Hazard
7.5.2 Safety goals
analysis and risk
assessment
7.5.3 Verification review of hazard analysis and
risk assessment and safety goals
8.5.1 Functional safety concept
8: Functional
safety concept
8.5.2 Review of functional safety requirements
analysis report
system requirements
4: Product
development:
system level
Clause
Work Product
system requirements
specification
verification results
interface requirements
specification
test specification, verification
criteria
test result
validation strategy, validation
test plan
validation results
Clause
Work Product
5: Initiation of
product
development at
the hardware
level
6: Specification
of hardware
safety
requirements
5: Product
development:
hardware level
7: Hardware
design
8: Hardware
architectural
metrics
9: Evaluation of
violation of the
safety goal due
to random HW
failures
10: Hardware
integration and
testing
6.5.1 Hardware safety requirements specification Separate additional activity. Include in requirements
management of hardware requirements. Specific attributes for
safety requirements.
6.5.2 Hardware architectural metric requirements Separate additional activity. Include in functional or technical
safety concept.
6.5.3 Random hardware failure requirements
Separate additional activity. Include in functional or technical
safety concept.
6.5.4 Hardware-software interface specification
Maintain separate specification or include in system design
(refined)
and in software requirements
6.5.5 Hardware safety requirements verification
Perform formal review and provide review report
report
7.5.1 Hardware design specification
Maintain a hardware design
7.5.2 Hardware safety analysis report
Perform dedicated safety analyses (e.g. FTA, FMEA) and
provide report(s)
7.5.3 Hardware design verification report
Perform formal review and provide review report
7.5.4 Requirements for production and operation Update requirements for production and operation
8.5.1 Assessment of the effectiveness of the
Perform dedicated assessment of hardware architectural
system architecture to cope with the hardware
metrics and provide report
random failures
Perform formal review and provide review report
8.5.2 Review report of assessment of the
effectiveness of the system architecture to cope
with the hardware random failures
9.5.1 Evaluation of random hardware failures
Perform dedicated evaluation of random hardware failures
and provide report
9.5.2 Specification of dedicated measures
Specification of dedicated measures to be included in suited
documents, depending on the measure
9.5.3 Review report of evaluation of violation of the Perform formal review and provide review report
safety goal due to random hardware failures
10.5.1 Hardware integration and verification
Perform hardware integration and testing including the
report.
methods and tests required and document performance
carefully
ISO/DIS 26262
Clause
Work Product
5.5.1 Safety plan (refined)
5.5.2 Software verification plan
5: Initiation of
product
5.5.3 Design and coding guidelines for modelling
development at
and programming language
the software level
5.5.4 Software tool application guidelines
6.5.1 Software safety requirements specification
6: Product
development:
software level
6: Specification
of software
safety
requirements
7: Software
architectural
design
test plan
coding standard, software
development methodology
software assets register
software requirements
specification, analysis report
Perform dedicated safety analysis and provide report. Method ENG.5 Software design
needs decision.
Perform dedicated safety analysis and provide report.
Perform formal review of software architectural design and
provide review report
verification results
ISO/DIS 26262
Clause
8: Software unit
design and
implementation
9: Software unit
testing
6: Product
development:
software level
10: Software
integration and
testing
11: Verification
of software
safety
requirements
Work Product
8.5.1 Software unit design specification
ISO/DIS 26262
Clause
5: Production
7: Production
and operation
6: Operation,
service
(maintenance
and repair), and
decommissioning
Work Product
5.5.1 Production plan (refined)
5.5.2 Production control plan (refined) including
test plan
5.5.3 Documentation of performed control
measures
5.5.4 If applicable, requirements on the
producibility at system-, hardware or software
development level
5.5.5 Assessment report for capability of the
production process
6.5.1 Maintenance plan (refined)
6.5.2 Repair instructions
6.5.3 User manual
6.5.4 Instructions regarding field observations
6.5.5 Instructions for decommissioning
6.5.6 If applicable, requirements concerning
operation, maintenance and decommissioning at
system-, hardware or software development level
TBD
TBD
TBD
TBD
TBD
TBD
TBD
TBD
TBD
Clause
Work Product
5.5.1 Supplier selection report
5: Interfaces
within distributed
5.5.3 Supplier's project plan
developments
5.5.4 Supplier's safety plan
5.5.5 Safety assessment report
8: Supporting
processes
Clause
Work Product
11: Qualification
of software tools
12: Qualification
of software
components
8: Supporting
processes
13: Qualification
of hardware
components
14: Proven in
use argument
(RIN.4 Infrastructure)
customer manual
(REU.2 Reuse program
management)
reuse proposal
(REU.2 Reuse program
management)
ISO/DIS 26262
Clause
Work Product
5.5.1 Update of architectural information
5: Requirements
decomposition
with respect to
ASIL tailoring
5.5.2 Update of ASIL as attribute of safety
requirements and elements
6.5.1 Results of application of coexistence criteria
6: Criteria for
coexistence of
9: ASIL-oriented elements
and safety7.5.1 Results of analyses of dependent failures
oriented
7: Analysis of
analyses
dependent
7.5.2 Change requests for confirmed dependent
failures
failures
8.5.1 Results of safety analyses
8: Safety
analyses
requirements specification
change request
Product
Process
Management awareness
Mature processes, customer and supplier, e.g.
Process management, Project management,
Change management, Configuration management
Documentation
Quality management
Managed safety lifecycle
Safety analyses
Qualified staff members
Qualified tools
Organizational safety management
Project specific safety management, e.g. safety case
Management of distributed development
Qualified
components
Safety
products
and in the
workmechanisms
products and in
Proven-in-use components Fault detection
product
itself
the Product
product itself
Product
Safety
requirements
Product-oriented measures to avoid, detect and
Safety architecture
control systematic faults
Redundancy
To Avoid
To detect and to control
Metrics (HW, )
Verification
Tests
Process
Process
Process-oriented measures
to avoid, detect and
Audits
Validation
control systematic
faults
To Avoid
detect and
todetect
control
Measures
to avoid
Measures
To
Assessment
ofto
functional
safety
failures in work
and control failures in
To avoid
Steps, phases
Milestones, outcomes
Sequence, duration
Organization
Program Interrelationship
Process Improvement and Safety Compliance
X+1
Delta Phase
Definition of
objectives
Gap
analysis
Action
planning
Project
organization
Commitments for
plans and
organization
Process Definition
Piloting
Transition
Intermediate Assessments
X+2
Rollout
Rollout to projects according
to plan
Quality assurance
Feedback loop
Change management
Confirmation assessment
X+3
Institutionalization
Continuous changes to
processes
Improve further
processes due to
business needs and
customer requirements
Periodic reassessments
Activities
Duration
Outcomes
Activities
Process Definition
Piloting
Intermediate assessments
Duration
Transition
Includes process elements like templates and checklists, ready for piloting
Outcomes
Activities
Duration
Outcomes
Activities
Duration
Outcomes
Level 2
Level 3
Pilots
Level 3
Pilot Project 1
Initialization
Planning &
Contracting
Pilot Project 2
Pilot Project 3
Pilot Project 4
Roll-Out Project k
Roll-Out Project j
Roll-Out Project x
Roll-Out Project y
09/2005
Level 2
2006
03/2008
09/2009
Official Appraisal
Intermediate Appraisal
Level 3
Improvement
Objectives
(Engineering)
Process
Group
Ability
Support
Management
Control Board
Compliance
Verification
Performance
Targets &
Objectives
Results
Successes &
Failures
Product
Marketing
Advanced
Product
Concepts
Sales
Product
Development
Manufacturing
Delivery
Quality
Assurance
Compliance
Analysis
BUResp.
BU2
TopicResp.
TopicResp.
TopicResp.
TopicResp.
BU3
BU4
Safety Team
BUBUBUFocus:Resp.
Cross BUs
Resp.
Resp.
BUResp.
Part 1
Topic-
Part 3
Resp. in
Expert Workshops
BU
Responsibility
BUx
Responsibility
Abstimmung
PM
Part 2
Project
Project Management
Requirements Elicitation and Management
Safety Analyses and Assessment
System Architecture
System Integration, Test, and Validation
Software Architecture
Software Implementation
Software Test
Hardware Architecture
Quality Management
Build Management and Configuration Management
Problem and Change Request Management
Tool Concept and Tool Qualification
Hardware
design
Software
design
Test
Quality
Project 1
Project 2
Project 3
FSSC
FSSC Benefits
FSSC Services
The project side: Develop safe products
Planning functional safety in projects
Sales support
Supplier management
Functional safety plan including
Analyses, design, and test for safety
Confirmation measures
Project safety process
Safety know-how
FSSC
Strategy and Control
Establish functional safety competence
Safety training
Safety job aid workshop
Design for functional safety
Safety analyses training (H&A, FTA, FMEDA)
Testing safety-related products
Functional safety networking
Qualified Project Safety Engineer (QFSE)
Roles
New
Existing
Responsibilities
Project Manager
Hardware Architect
Software Architect
Reviewer
Tester
Auditor
Trainer
Safety Assessor
FSSC Implementation
Activities and timeline
1. Functional safety introduction for
management
2. Safety process gap analysis and action plan
proposal
3. Define functional safety strategy for the
organization
9. - 10.
1. - 3.
11.
4. - 6.
FSSC
Set-up &
Execution
7. - 8.
Week
FSSC Instruments
Who / Roles
Hardware Architect
Software Architect
When
Once in the concept phase of the customer project and at any change of the safety-related
system as part of impact analysis
Input
Result
Safety goals
Top level safety requirements
ASIL (Automotive Safety Integrity Level)
Effort /
Duration
H&R templates
Scope definition (vehicle class, countries, customer requirements)
List of operating modes (e.g. power up, shut down, normal operation)
List of operating situations (weather, traffic situation etc.)
Catalogue of potential operating errors
Temporal Considerations
Compliance with Safety Standard(s)
Activities
Duration
Outcomes
Team
Consulting
2. Get familiar with the documents and plan the systematic gap analysis (planning of joint working sessions for the analysis)
3. Analyze documents and check if processes, methods, infrastructure, and organizational structures are adequate to fulfill the general
requirements (planning, configuration management, documentation etc.)
4. Check whether tools in use reflect the state of practice, with particular attention to collecting evidences for the safety case
5. Perform interviews with process and product experts to clarify questions regarding the analyzed documents and to obtain additional
information not contained in the documentation
6. Derive measures to close the gaps; some measures address Automotive SPICE-related issues
7. Review the organizational set-up suitable for maintaining a functional safety culture; perform short (1h) interviews with key stakeholders, like
upper management
8. Compile the analysis report including proposed measures and suggestions for tools and their integration
9. Results presentation & discussion of measures and next steps
Customer Obligations
The organization provides relevant documents as specified in Content
Safety Manager and Safety Engineer, Project Manager and Quality Engineers (System and SW), Requirements Manager, Architects,
Developers, Testers, are available for interviews and to provide information on the projects safety concept
Functional Safety:
Additionally:
includes:
Methods how to do it
Dependence from ASIL
Tool to be used (qualified)
Independence for
confirmation measures
Mandatory activities (e.g.
H&R, confirmation measures)
Mandatory work product
attributes (e.g. for functional
safety requirements)
Lifecycle
Process
Activity in a process
Work product
Template
Checklist
Method
Tool
Attribute
Role
Confirmation Measures
Confirmation Measures
Reviews, Audits and Assessments in the Lifecycle
t
Safety Lifecycle
Concept phase
Project
Start
Reviews
Product Development
Start Product
Development
Sample
Production, Operation
Sample
End of
Decommissioning
SOP
Qualification of components
Qualification of software tools
Safety case
Proven in use argument
Audits
Project independent
( ) Intermediate
( ) Intermediate
At product release
Safety
Lifecycle
Project
independent
Concept phase
Project
Start
Start Product
Development
Production,
Operation
Product Development
Sample
Sample
SOP
End of
Decommissioning
Walkthrough
Verifi- Review
cation Inspection
Testing
Validation
Safety Validation
Analysis
Safety analysis
Audit
Process assessment
Safety assessment
Quality management
Activity specific for A-SPICE
Joint activity
Optional activity
Safety Culture (ISO/DIS 26262-1, 1.104): Policy and strategy used within an
organization to support the development, production, and operation of safety
related systems
Process culture
Culture is a collective programming of the mind that distinguishes the members of one
group or category of people from another. (www.tamu.edu)
Culture is a shared, learned, symbolic system of values, beliefs and attitudes that
shapes and influences perception and behavior -- an abstract "mental blueprint" or
"mental code. (www2.eou.edu)
Vision
Resources
Improvement
Communication/
Change Mgmt.
PI Program
Management
Culture
Commitment
Vision
Skills
Incentives
Resources
Action
Plan
Change
Skills
Incentives
Resources
Action
Plan
Confusion
Incentives
Resources
Action
Plan
Anxiety
Resources
Action
Plan
Slow
Change
Action
Plan
Frustration
Vision
Vision
Skills
Vision
Skills
Incentives
Vision
Skills
Incentives
False
Starts
Resources
Health Check
Legend for overall result
Health Check
green
yellow
orange
red
Question
Answers Overall
Result
Commitment
Weighting
(1=low,
4=high)
Vision
4
Culture
Developmen Number of
t
Participants
Department
Commitment
2
1
Communication / Change
Management
Skills
How does management support the PI project, visible to its staff / employees?
How does management take an active role in the PI project, e.g. by removing
organizational barriers or by participating in a Control Board?
To what extend does management provide adequate resources, and does it
establish corresponding priorities in relation to other initiatives as well?
How does management challenge the objectives and requirements in relation to
the deployment progress in the organization?
2,3
How does management take an active role in the PI project, e.g. by removing
organizational barriers or by participating in a Control Board?
PI Project
To what extend does management provide adequate resources, and does itManagement
establish corresponding priorities in relation to other initiatives as well?
How does management challenge the objectives and requirements in relation to
the deployment progress in the organization?
2,3
How is the PI project actively supported by the goal and reward system of the
organization?
How are conflicts of interests or goals between individuals mitigated by
incentives and the organization's goal system?
Which further incentives (praise, management attention, ) are there?
1,0
To what extend are there sufficient resources for full-time staff in the PI project
(e.g. EPG, PI-PL)?
Which resources for process experts in the improvement project (e.g. process
owner, PAT members) are there?
To what extend are there sufficient resources for key functions (trainers,
auditors, coaches, consultants)?
To what extend are there sufficient resources available for the process users
to learn about the new processes?
Are sufficient resources available for the process users to execute the
processes?
3,0
PI Project
Management
How would you rate know-how and experience with respect to organizational
change and impact within the organization?
How would you rate the degree of experience in the planning and management
of change / improvement programs?
How much know-how exists regarding the required FS standard and
approach?
Culture
2,2
How does management support the PI project, visible to its staff / employees?
Communication /
Change Management
Resources
Incentives
Skills
Commitment
Vision
Success
Factor
4,00
5,00
3,00
3,99
2,00
2,99
0,00
1,99
Score (0-5); 0=low, 5=high
Functional
Functional
Quality
Safety Control Safety Team Assurance
Board
3,2
2,7
3,1
Incentives
Resources
Cost Considerations
ISO/DIS 26262
Effort Increase
15 - 25 %
20 - 40 %
30 60 %
50 100 %
Note:
Summary