Enabling Efficient Functional Safety Audits - The Missing Link between ISO 26262 and Automotive SPICE 2019-01-0144

In the field of electric and electronic (E/E) design for the automotive industry, there are separate traditions related to functional safety and software quality assurance. Both relying on the evaluation of the processes used; Automotive SPICE provides detailed guidance on how to perform this evaluation whilst ISO 26262 does not and simply mention Automotive SPICE as one possible solution. ISO 26262 additionally requires for an evaluation of the functional safety achieved by the product and uses the process evaluation (or functional safety audit in ISO 26262 terms) to support the final functional safety assessment. The purpose is to evaluate the implementation of the necessary safety processes according to the claimed scope defined in the safety plan.

Automotive SPICE does not make a distinction on whether the application of the software under evaluation is safety related or not. ISO 26262 requires formal functional safety audits as a minimum for the part of the life cycle activities related to elements having ASIL C and ASIL D requirements

In this paper we show how the link between ISO 26262 and Automotive SPICE can be established by the formalization of a process assessment model (PAM) fulfilling the purpose of a functional safety audit according to ISO 26262. This PAM is named SS 7740, as it has been developed by industry contributors in Sweden. The second edition of SS 7740 is based on ISO 26262 Edition 1 and Automotive SPICE version 2.5. Currently work ongoing to publish Edition 3 of SS 7740, where the assessment model relates to the process capabilities called for by ISO 26262 Edition 2 and referencing the Automotive SPICE version 3.1 In ISO 26262 there is a general proposal to coordinate the functional safety audit with an Automotive SPICE assessment. However, it is also noted that the Automotive SPICE assessment as such is not sufficient for this purpose. This implies that a dedicated process assessment model, complementary to Automotive SPICE, is necessary in order to specifically audit the processes prescribed by ISO 26262. In the paper the complete structure of SS 7740 is described in detail, and it is also shown how combined Functional Safety Audits and Automotive SPICE Assessments are performed in a coordinated way.