Functional Safety Standard ISO 26262 Analysis (Parts 1-6)

2020-02-27 00:45:08 · Source: 研車有道, 燃云汽車
 
Functional Safety Standard ISO 26262 Analysis (Part 1): Overview

0. Scope of application of ISO 26262:

ISO26262 is intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production passenger cars with a maximum gross vehicle mass up to 3500kg. 

(1) ISO 26262 applies to safety-related automotive electrical and electronic systems;

(2) ISO 26262 applies to passenger vehicles of up to 3.5 t; special-purpose vehicles are not covered.

ISO26262 addresses possible hazards caused by malfunctioning behaviour of E/E safety-related systems, including interaction of these systems. It does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behaviour of E/E safety-related systems.

ISO 26262 only addresses hazards caused by faults of electrical and electronic systems; it does not cover hazards caused by vibration, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, heat transfer and the like.
1. What ISO 26262 provides:

a) provides an automotive safety lifecycle(management, development, production, operation, service, decommissioning) and supports tailoring the necessary activities during these lifecycle phases;
Ensures safety across the whole lifecycle (management, development, production, operation, service, decommissioning) and supports tailoring the necessary activities within these phases.

b) provides an automotive-specific risk-based approach to determine integrity levels [Automotive Safety Integrity Levels (ASIL)];
Provides an automotive-specific, risk-based analysis method for determining the automotive safety integrity level.

c) uses ASILs to specify applicable requirements of ISO26262 so as to avoid unreasonable residual risk;
Uses the ASIL to specify the applicable requirements, so that unreasonable residual risk is avoided.

d) provides requirements for validation and confirmation measures to ensure a sufficient and acceptable level of safety being achieved;
為驗(yàn)證和確認(rèn)測試提供需求,來保證達(dá)到足夠的且可接受的ASIL等級(jí)。

e) provides requirements for relations with suppliers.
Provides requirements for relations with suppliers.

2. Overall structure of ISO 26262


As the figure above shows, ISO 26262 covers every aspect of product design, including system design, software design and hardware design, and spans the whole product lifecycle, from the concept phase through to decommissioning.

Functional Safety Standard ISO 26262 Analysis (Part 2): Requirements

1. How requirements are to be treated

When claiming compliance with ISO26262, each requirement shall be complied with.
當(dāng)要求產(chǎn)品滿足ISO26262標(biāo)準(zhǔn)時(shí),每一條需求都應(yīng)該滿足。


The requirements and recommendations of each subclause shall be complied with for ASIL A, B, C and D, if not stated otherwise. These requirements and recommendations refer to the ASIL of the safety goal. If ASIL decomposition has been performed at an earlier stage of development, in accordance with ISO26262-9, the ASIL resulting from the decomposition shall be complied with.

(1) Decompose the requirements according to ISO 26262-9;

(2) From the result of the decomposition, determine the ASIL required for each requirement.

Functional Safety Standard ISO 26262 Analysis (Part 3): Hardware

1. The necessary activities and processes for the product development at the hardware level include:

(1) the hardware implementation of the technical safety concept;

(2) the analysis of potential hardware faults and their effects;

(3) the coordination with software development.

To satisfy ISO 26262, the hardware work includes:

(1) the hardware implementation of the functional safety concept;

(2) analysis of potential hardware failures and their consequences;

(3) cooperation with software development.

2. 硬件功能安全相關(guān)工作:


The hardware functional-safety work includes:

(1) 5.5 initiation of product development at the hardware level: starting hardware design

The purpose is to determine and plan the functional-safety activities of each phase of hardware design.

Inputs: the refined project plan, the safety plan before refinement, the refined integration test plan

Output: the refined safety plan

(2) 5.6 specification of hardware safety requirements: defining the hardware functional-safety requirements

Inputs: safety plan, safety concept, system design specification, hardware-software interface specification

Outputs: hardware safety requirements (including test and verification criteria), refined hardware-software interface specification, hardware safety requirements verification report

How are the hardware functional-safety requirements defined, which tools are used, and what does the template look like?

They are derived from the technical safety concept and system design specification.

The hardware functional-safety requirements are derived from the system safety concept and the system design documents.

The hardware safety requirements specification shall include each hardware requirement that relates to safety, including the following:

The hardware functional-safety requirements document contains every safety-related hardware requirement, covering the following:

i. the hardware safety requirements and relevant attributes of safety mechanisms to control internal failures of the hardware of the element, this includes internal safety mechanisms to cover transient faults when shown to be relevant due, for instance, to the technology used; 

EXAMPLE 1 Attributes can include the timing and detection abilities of a watchdog.

Requirements on the safety mechanisms that control internal faults of the hardware element, for example the timing and detection capability of a watchdog.

ii. the hardware safety requirements and relevant attributes of safety mechanisms to ensure the element is tolerant to failures external to the element.

EXAMPLE 2 The functional behaviour required for an ECU in the event of an external failure, such as an open-circuit on an input of the ECU.

Requirements on the safety mechanisms that give the hardware element a degree of tolerance to failures external to it; for example, when an input pin is open-circuit, the behaviour of the whole controller shall still meet the safety requirements.

iii. the hardware safety requirements and relevant attributes of safety mechanisms to comply with the safety requirements of other elements.

EXAMPLE 3 Diagnosis of sensors or actuators.

Safety requirements relating to other hardware elements, for example diagnostic functions for sensors or actuators.

iv. the hardware safety requirements and relevant attributes of safety mechanisms to detect and signal internal or external failures; 

EXAMPLE 4 The specified fault reaction time for the hardware part of a safety mechanism, so as to be consistent with the fault tolerant time interval.

Safety mechanisms for detecting internal or external failures, for example a fault reaction time defined so that the fault tolerant time interval is met.

v. the hardware safety requirements not specifying safety mechanisms.

EXAMPLE 5 

--- requirements on the hardware elements to meet the target values for random hardware failures as described in 6.4.3 and 6.4.4;

--- requirements for the avoidance of a specific behaviour (for instance, "a particular sensor shall not produce an unstable output");

--- requirements allocated to hardware elements implementing the intended functionality;

--- requirements specifying design measures on harnesses or connectors.

和安全機(jī)制無關(guān)的其他硬件安全需求。例如:

--- requirements on hardware elements that arise during FMEDA, FMEA and FTA analysis in order to meet the targets of the safety goal's ASIL;

--- requirements for avoiding a specified behaviour, for example that a given sensor shall not produce an unstable output;

--- requirements on the hardware elements that implement the intended functionality;

--- specified design measures for harnesses and connectors.

(3) 5.7 hardware design

The first objective of this clause is to design the hardware in accordance with the system design specification and the hardware safety requirements.

The second objective of this clause is to verify the hardware design against the system design specification and the hardware safety requirements.

硬件設(shè)計(jì)的目的一是依據(jù)系統(tǒng)設(shè)計(jì)文檔和硬件功能安全需求來設(shè)計(jì)硬件,二是驗(yàn)證硬件設(shè)計(jì)是否符合系統(tǒng)設(shè)計(jì)文檔和硬件功能安全需求。

Hardware design includes hardware architectural design and hardware detailed design.

硬件設(shè)計(jì)包括硬件架構(gòu)設(shè)計(jì)和硬件具體設(shè)計(jì)。

i. Hardware architectural design:

Each hardware component shall inherit the highest ASIL from the hardware safety requirements it implements. If ASIL decomposition is applied to the hardware safety requirements during hardware architectural design, it shall be applied in accordance with ISO 26262-9:2011, Clause 5.

每一個(gè)硬件元器件應(yīng)該從硬件安全需求繼承最高的ASIL等級(jí)。如果需要ASIL等級(jí)分解,詳細(xì)分解方法參考ISO 26262-9:2011中第五章。

Non-functional causes for failure of a safety-related hardware component shall be considered during hardware architectural design, including the following influences, if applicable: temperature, vibrations, water, dust, EMI, cross-talk originating either from other hardware components of the hardware architecture or from its environment.

Non-functional causes of failure of hardware components must be considered during hardware architectural design, including temperature, vibration, water, dust, EMI and cross-talk.

ii. Hardware detailed design:

In order to avoid common design faults, relevant lessons learned shall be applied in accordance with ISO 26262-2:2011, 5.4.2.7.

To avoid common design faults, the relevant lessons learned shall be applied. The description and requirements for lessons learned are given in ISO 26262-2:2011, 5.4.2.7.

Non-functional causes for failure of a safety-related hardware part shall be considered during hardware detailed design, including the following influences, if applicable: temperature, vibrations, water, dust, EMI, noise factor, cross-talk originating either from other hardware parts of the hardware component or from its environment.

Non-functional causes of failure of hardware parts must be considered during hardware detailed design, including temperature, vibration, water, dust, EMI and cross-talk.

The operating conditions of the hardware parts used in the hardware detailed design shall comply with the specification of their environmental and operational limits.

During hardware detailed design, the operating conditions of the hardware parts shall comply with their environmental specifications and operating limits.

Robust design principles should be considered. Robust design principles can be shown by use of checklists based on QM methods. 

可靠性設(shè)計(jì)原則應(yīng)該被考慮??煽啃栽O(shè)計(jì)原則可以通過基于QM方法的檢查表來體現(xiàn)。

EXAMPLE Conservative specification of components.

For example, conservative component specifications, that is, allowing sufficient margin on the components at design time.

iii. Safety analyses:

Safety analyses on hardware design to identify the causes of failures and the effects of faults shall be applied in accordance with Table 2 and ISO 26262-9:2011, Clause 8.

The purpose of safety analysis is to identify the causes of failures and their consequences.

The initial purpose of the safety analyses is to support the specification of the hardware design. Subsequently, the safety analyses can be used for verification of the hardware design. In its aims of supporting the specification of the hardware design, qualitative analysis can be appropriate and sufficient.

The original purpose of safety analysis is to support the hardware design specification; later, it can also be used to verify the hardware design. When safety analysis serves to support the hardware design, qualitative analysis is appropriate and sufficient.


在硬件設(shè)計(jì)階段,安全分析的手段主要有FTA和FMEA。

iv. Verification of hardware design:


If it is discovered, during hardware design, that the implementation of any hardware safety requirement is not feasible, a request for change shall be issued in accordance with the change management process in ISO 26262-8.

如果在硬件設(shè)計(jì)驗(yàn)證的過程中,發(fā)現(xiàn)任何硬件安全需求沒有滿足,那么需要提出變更申請(qǐng)。變更申請(qǐng)的管理流程參見ISO 26262-8。

硬件設(shè)計(jì)驗(yàn)證的手段中提到的安全分析指的是FMEDA。

=> There are three safety analysis methods: FTA, FMEA and FMEDA. FTA and FMEA support the hardware design; FMEDA is used to verify the hardware design.

(4) 5.8 evaluation of the hardware architectural metrics: FMEDA

Defines two metrics (SPFM and LFM) to measure the effectiveness of the hardware architecture and of the functional-safety mechanisms adopted to handle random hardware failures.

(5) 5.9 evaluation of safety goal violations due to random hardware failures: FTA 

As a complement to FMEDA, two alternative approaches are defined for assessing whether the probability of the residual risk of violating a safety goal is sufficiently low: a global probabilistic metric, and a cut-set analysis, whose aim is to examine the effect of each failure of a hardware element on violation of the safety goal.

(6) 5.10 hardware integration and testing

Functional Safety Standard ISO 26262 Analysis (Part 4): FMEDA

Evaluation of the hardware architectural metrics.

FMEDA is a method for evaluating the hardware architectural metrics.

The objective of this clause is to evaluate the hardware architecture of the item against the requirements for fault handling as represented by the hardware architectural metrics.

The purpose of FMEDA is to use the hardware architectural metrics to evaluate the fault-handling mechanisms that the hardware architecture adopts in order to meet the requirements.

This clause describes two hardware architectural metrics for the evaluation of the effectiveness of the architecture of the item to cope with random hardware failures.

Two hardware architectural metrics are used to evaluate how effectively the architecture copes with random hardware failures.

=> FMEDA is an analysis method targeting random hardware failures.

For electromechanical hardware parts, only the electrical failure modes and the failure rates are considered.

對(duì)于電子-機(jī)械硬件元器件,只考慮電子方面的失效模式和失效率。

The estimated failure rates for hardware parts used in the analyses shall be determined:

The failure rates of hardware parts can be determined in the following ways:

(1) using hardware part failure rate data from a recognised industry source.

Use hardware part failure rates from a recognised industry database, for example SN29500.

(2) using statistics based on field returns or tests. In this case, the estimated failure rate should have an adequate confidence level.

Use statistics from field returns or from tests. In this case, the estimated failure rate must have an adequate confidence level.

(3) using expert judgement founded on an engineering approach based on quantitative and qualitative arguments. Expert judgement shall be exercised in accordance with structured criteria as a basis for this judgement. These criteria shall be set before the estimation of failure rates is made.

Use expert judgement; expert judgement is an engineering approach founded on qualitative and quantitative arguments. Expert judgement shall be exercised on the basis of structured criteria, and these criteria shall be established before the failure rates are estimated.

The criteria for expert judgement can include field experience, testing, reliability analysis and novelty of design.

The criteria for expert judgement include field experience, testing, reliability analysis and the novelty of the design.

為了達(dá)到ASIL等級(jí)的需求,每個(gè)安全目標(biāo)分析結(jié)果應(yīng)滿足表4和表5的要求。


 

Functional Safety Standard ISO 26262 Analysis (Part 5): FTA

Evaluation of safety goal violations due to random hardware failures.

FTA is used to evaluate safety-goal violations caused by random hardware failures.

The objective of the requirements in this clause is to make available criteria that can be used in a rationale that the residual risk of a safety goal violation, due to random hardware failures of the item, is sufficiently low.

The purpose of FTA is to show that the residual risk of safety-goal violation due to random hardware failures is sufficiently low.

Besides FTA, there is another method that can do similar work: cut-set analysis.

FTA分析結(jié)果的判定標(biāo)準(zhǔn)如表6所示。


Quantitative target values of the requirement in Table 6 shall be expressed in terms of average probability per hour over the operational lifetime of the item.

The quantitative target values in Table 6 are expressed as an average failure rate per hour over the whole lifecycle.

A quantitative analysis of the hardware architecture with respect to the single-point, residual and dual-point faults shall provide evidence that the target values of the requirement in Table 6 have been achieved.

硬件架構(gòu)的定量分析包括對(duì)于單點(diǎn)錯(cuò)誤、殘余錯(cuò)誤和雙點(diǎn)錯(cuò)誤,不包括多點(diǎn)錯(cuò)誤。

The quantitative analysis shall consider: 

The FTA analysis needs to consider the following:

a) the architecture of the item;

 設(shè)計(jì)架構(gòu)。

b) the estimated failure rate for the failure modes of each hardware part that would cause a single-point fault or a residual fault;

對(duì)于導(dǎo)致單點(diǎn)錯(cuò)誤或殘余錯(cuò)誤的每個(gè)硬件元器件的每個(gè)失效模式的失效率評(píng)估。

c) the estimated failure rate for the failure modes of each hardware part that would cause a dual-point fault;

對(duì)于導(dǎo)致雙點(diǎn)錯(cuò)誤的每個(gè)硬件元器件的每個(gè)失效模式的失效率評(píng)估。

d) the diagnostic coverage of safety-related hardware elements by safety mechanisms;

安全機(jī)制對(duì)于安全相關(guān)硬件元器件的診斷覆蓋率。

e) the exposure duration in the case of dual-point faults.

雙點(diǎn)錯(cuò)誤的暴露持續(xù)時(shí)間。

Situations when the item is in power-down mode are not included in the calculation of the average probability per hour, thereby preventing the artificial reduction of the average probability per hour.

PHMF計(jì)算中未包含下電工作模式,因此,在計(jì)算時(shí)要手動(dòng)去除下電模式的工作時(shí)間(=生命周期-整個(gè)生命周期內(nèi)的工作時(shí)間)。

Functional Safety Standard ISO 26262 Analysis (Part 6): Hardware Integration Testing

Hardware integration and testing activities shall be performed in accordance with ISO 26262-8:2011, Clause 9.

Hardware integration testing is performed in accordance with ISO 26262-8:2011, Clause 9.

If ASIL decomposition is applied, the corresponding integration activities of the decomposed elements, and the subsequent activities, are applied at the ASIL before decomposition.

The method for deriving the hardware integration test cases is shown in Table 10.


1a: analysis of requirements

1b: analysis of internal and external interfaces

1c: generation and analysis of equivalence classes (test-case analysis of identical or similar products)

1d: analysis of boundary values

1e: knowledge or experience based error guessing (experience-based analysis of the problems that may occur)

1f: analysis of functional dependencies

1g: analysis of common limit conditions, sequences and sources of dependent failures

1h: analysis of environmental conditions and operational use cases

1i: standards, if existing

1j: analysis of significant variants, including the worst-case results obtained from worst-case calculation

Types of hardware tests

為了驗(yàn)證與硬件安全需求相關(guān)的安全機(jī)制被完整且正確地實(shí)施的硬件集成測試方法包括:功能測試、電測、錯(cuò)誤注入測試。其中功能測試和電測必須執(zhí)行,而錯(cuò)誤注入測試只針對(duì)ASIL C和ASIL D的要求下,推薦執(zhí)行。如表11所示。


為了驗(yàn)證外接壓力條件下硬件可靠性的測試包括:環(huán)境測試、擴(kuò)展功能測試、統(tǒng)計(jì)測試、最壞情況測試、超限值測試、機(jī)械測試、加速生命測試、機(jī)械耐久測試、EMC和ESD測試、化學(xué)測試。如表12所示。


1a: Environmental testing, per ISO 16750-4.

1b: Expanded functional testing: checks the functional behaviour when the input conditions are foreseeably rare or lie outside the hardware specification, for example parameter values beyond the design range or wrong commands.

1c: Statistical testing: tests the hardware element with input data chosen to follow the statistical distribution expected for the actual design parameters, and defines acceptance criteria so that the required failure rate can be verified; for example, jitter testing of 50 crystal oscillators.

1d: Worst-case testing: aims to verify the test cases found during worst-case analysis and calculation, for example AOT.

1e: Over-limit testing: the severity of the environmental or functional constraints is increased progressively until operation stops or damage occurs, in order to determine the reliability margin of the component.

1f: Mechanical testing: mechanical shock, etc.

1g: Accelerated life testing, i.e. endurance testing: uses acceleration models to simulate the effect of environmental factors on product performance over the product lifecycle, for example high-temperature endurance, temperature cycling and temperature/humidity endurance.

1h: Mechanical endurance

1i: EMC and ESD testing: EMC test standards include ISO 7637-2, ISO 7637-3, ISO 10605 and ISO 11452-4; ESD test standards include ISO 16750-2.

1j: Chemical testing: the standard is ISO 16750-5.
 
 