19.01.2017

Automotive Functional Safety
ISO 26262 Synopsis
18.01.2017

Christian Nowak, TÜV SÜD Rail GmbH
Automotive Department


Bio Christian Nowak

• Diploma in telecommunication engineering at University of Applied Sciences Dortmund, Germany
• 2002-2012: R&D Engineer at Honeywell Analytics for the development of safety-critical gas detection systems acc. IEC 61508 and EN 50402
• since 2012: Safety Expert at TÜV SÜD conducting audits, assessments and trainings acc. IEC 61508 and ISO 26262
• participation in standardization working groups for EN 50402 and ISO 26262
• technical certifier for functional safety acc. IEC 61508 and ISO 26262

TÜV SÜD Rail GmbH 18.01.2017 Folie 2


150 years TÜV SÜD – 150 years of inspiring trust

Inspiring trust since 1866

The year 2016 marks the 150th anniversary of TÜV SÜD. Since 1866, the company has been partnering businesses and inspiring people to trust in new technologies.

Today, TÜV SÜD has grown into an international service company with global representation in over 800 locations, and with over 50 per cent of its employees working outside Germany.

In the decades to come, it will continue to make the world a safer place as a future-oriented company shaping the “next practice” in safety, quality and sustainability.

TÜV SÜD Automotive Functional Safety

TÜV SÜD Auto Service GmbH:
• National and international Homologation
• Vehicle Emission Testing
• Analytical Expertise
• Trainings
• Electronic Annexes – ECE 13 and ECE 79

(knowledge transfer)

TÜV SÜD Rail GmbH, Team Automotive:
• Evaluation of concepts, systems, components and processes regarding means of functional safety
• Automotive specific safety, regarding functional safety
• ISO 26262 Audits and Assessments

(knowledge transfer)

TÜV SÜD Rail GmbH:
• Head of Functional Safety
• Evaluation of safety systems for railway, infrastructure and automation
• Evaluation of generic safety systems (µC, SW Tools)
• IEC 61508, ISO 25119, EN 50128, …


ISO 26262 Services: CTCT

Certification:
• Product Certification
• Generic SW Tool Certification
• Process Certification

Training:
• ISO 26262 Training: Basic – Advanced – Expert
• IEC 62443 Training
• Functional Safety Certification Program (FSCP)

Consulting:
• Workshops
• Development accompanying support

Testing:
• Assessments
• Supplier Audits
• Penetration Tests

Agenda

• What is Functional safety?
• Principles and Concepts
• ISO 26262: Overview
• ISO 26262: Functional Safety Management
• ISO 26262: Concept-, System-, Hardware- and Software Level
• Competency Requirements for FS assessment staff


Functional Safety
What does it mean?

What is functional safety?

„A design defect exists when the product, already by its conception, falls short of the required safety standard. To ensure the required product safety, the manufacturer must, already during the conception and planning of the product, take those measures that are objectively necessary to avert a hazard and that are reasonable by objective standards.“

[BGH judgment VI ZR 107/08 of 16.06.2009]


What is functional safety?

„With electronic systems assuming safety-critical roles in nearly all vehicle controls, NHTSA is facing the need to develop general requirements for electronic control systems to ensure their reliability. Reliability includes the areas of functional safety design, fail-safe strategies, software reliability, diagnostic and notification strategies, and human factors considerations.“

[Overview of NHTSA Priority Plan for Vehicle Safety and Fuel Economy, 2015 to 2017]

A simple example.

Function: whip cream
• ON → run
• OFF → stop

Malfunctions:
• ON → stop
• OFF → run

Hazards from operation:
• ON + Finger

A simple example.

Function: whip cream (ON → run, OFF → stop)

Hazards from operation: ON + Finger
→ Safety function: finger proximity detection

Malfunctions: ON → stop, OFF → run
→ Safe development: two switches, connected in series

Functional Safety Risks caused by malfunctions in a vehicle

Potential failures

Functional failures:
• Unintended acceleration
• Unintended deceleration
• Unintended loss of acceleration
• Unintended loss of deceleration
• Unintended vehicle movement

Non-functional failures:
• High voltage
• Fire
• Explosion

Risk reduction measures

• Functional measures
  – Monitoring functions (safety functions, e.g., pinch protection)
  – Reliability of target function
• Design measures, e.g., isolation
• Organizational measures, e.g., operation procedures
• Driver instruction


What is Functional Safety?

• Example: Motor drives for electrical vehicles (source: siemens.com):
  - Developed and investigated in accordance with IEC 61800-5-1:
  - A ”safe” product in terms of risks for fire, shock, and injury.
    - You can touch it
    - It doesn’t start a fire
    - No dangerous emissions or emanations
  - This is what generally is referred to as PRODUCT SAFETY

What is Functional Safety?

• Example: Motor drive in powertrain of hybrid electrical vehicle (source: wikipedia.com)
  - Still ”safe”?
  - Unintended acceleration!
  - Safety beyond the single product: SYSTEM SAFETY!
  - Depends on correctness of product’s functions, implemented in electronics and software: FUNCTIONAL SAFETY


The opposite of functional safety

[Figure: engine control block diagram – mass air flow, throttle valve, valve position sensor, throttle drive control, engine control module, cruise control, stability control, ignition control, injection control, engine control, gear box control]

Toyota Camry, unintended acceleration, Barr Report:
• ”Spaghetti” code: no structure, no traceability, jumps, …
• Insufficient fault protection: e.g. memory single bit flip can cause UA
• No smoking gun… but the software itself ”deletes” any evidence, no error logging.
• ”unreasonable”, no safety culture
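The second and third bullets above (a single bit flip in memory able to cause unintended acceleration, and no error logging) describe exactly the kind of random hardware fault that a software safety mechanism is expected to detect and log. The following C program is an added illustration, not code from the Barr Report or from any Toyota ECU: it stores a safety-related variable together with its bitwise complement, checks the pair on every read, writes a fault code to a log and falls back to a safe value (here zero throttle demand) when the check fails. The fault code, the throttle variable, the clamp limit and the fault-injection helper are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A safety-related variable is stored together with its bitwise complement.
 * A single bit flip in either word breaks the relation value ^ inverse == 0xFFFF
 * and is therefore detected on the next read. */
typedef struct {
    uint16_t value;
    uint16_t inverse;
} redundant_u16_t;

/* Constructed fault code and a small in-RAM fault log (a real ECU would write
 * it to non-volatile memory so that the evidence survives a power cycle). */
enum { FAULT_MEMORY_CORRUPTION = 0x10 };

#define FAULT_LOG_SIZE 8
static uint8_t  g_fault_log[FAULT_LOG_SIZE];
static unsigned g_fault_count = 0;

static void log_fault(uint8_t code)
{
    if (g_fault_count < FAULT_LOG_SIZE) {
        g_fault_log[g_fault_count++] = code;
    }
}

unsigned fault_log_count(void)
{
    return g_fault_count;
}

void redundant_set(redundant_u16_t *r, uint16_t v)
{
    r->value   = v;
    r->inverse = (uint16_t)~v;
}

/* Returns false (and logs the fault) if the stored pair is inconsistent. */
bool redundant_get(const redundant_u16_t *r, uint16_t *out)
{
    if ((uint16_t)(r->value ^ r->inverse) != 0xFFFFu) {
        log_fault(FAULT_MEMORY_CORRUPTION);
        return false;
    }
    *out = r->value;
    return true;
}

/* Throttle demand in percent derived from the protected target variable.
 * A corrupted target yields 0 % (engine idles: the constructed safe state);
 * a consistent value is additionally range-checked. */
uint16_t throttle_demand_percent(const redundant_u16_t *target)
{
    uint16_t v;
    if (!redundant_get(target, &v)) {
        return 0;
    }
    return (v > 100u) ? 100u : v;
}

/* Fault injection for the demonstration: store the target, flip one bit of
 * the stored value (as a radiation-induced upset would) and return the
 * resulting throttle demand. */
uint16_t throttle_after_bit_flip(uint16_t target_percent, unsigned bit)
{
    redundant_u16_t t;
    redundant_set(&t, target_percent);
    t.value ^= (uint16_t)(1u << bit);
    return throttle_demand_percent(&t);
}

uint16_t throttle_without_fault(uint16_t target_percent)
{
    redundant_u16_t t;
    redundant_set(&t, target_percent);
    return throttle_demand_percent(&t);
}

int main(void)
{
    /* Without the complement check, flipping bit 6 of a 20 % demand would
     * silently become 84 % (20 ^ 64). With the check it becomes 0 %. */
    printf("intact:   %u %%\n", (unsigned)throttle_without_fault(20));
    printf("bit flip: %u %% (faults logged: %u)\n",
           (unsigned)throttle_after_bit_flip(20, 6), fault_log_count());
    return 0;
}
```

The complement pair detects any single bit flip in either word; it does not detect an even number of flips in matching positions of both words, which is why production designs combine it with memory ECC or a periodic RAM test. The point relevant to the slide is that the fault is detected, recorded and answered with a defined safe state instead of being passed on to the actuator.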

Examples for Business Risks due to Safety and Security Issues

• Chevy recalls 2013 Malibu Eco over unintended airbag deployment fears (Auto Blog)
• Cyber hack triggers mass Fiat Chrysler car recall (Financial Times)
• Fiat Chrysler Fined $70 Million on Safety-Reporting Lapses (Bloomberg)
• Fiat Chrysler has issued a safety recall affecting 1.4m vehicles in the US, after security researchers showed that one of its cars could be hacked (BBC)
• Fiat Chrysler recalls another 570,000 utility vehicles (Detroit Free Press)
• Nissan recalls 300,000 cars for acceleration concerns (The Detroit News)
• Analysis shows over 40 percent of sudden-acceleration complaints involve Toyotas (Consumer Reports)
• Ford recalls 485,000 Escape SUVs for unintended acceleration concerns (Torque News)
• Maserati recalls 28k sedans for unintended acceleration (Auto Blog)
• BMW recalls more than 1.6 million 3 Series models over problems with the airbags that could lead to passenger injuries (Daily Mail)
• These are the events that led up to GM’s worldwide recall of 2.6 million cars, blamed for at least 13 deaths (CNN Money)
• Hackers Expose How Airbag System can be Hacked in an Audi Car (Hackread)


How the Risk of Safety or Security Issues can affect your business

Risk due to safety or security issues:
• Product Liability
• Criminal Prosecution
• Regulations
• Customer awareness

Legal / Market considerations

Product Liability: Civil Law; driven by customers; consequence: punitive damages
Criminal Prosecution: Criminal Law; driven by prosecutor, attorney; consequence: punitive measures
Regulations: ECE regulations (Europe), FMVSS (USA); driven by e.g. NHTSA (USA), MLIT (Japan); consequence: market admission, punitive measures
Customer awareness: Market mechanics & psychology; driven by customers; consequence: customers will shun the products

Safety is mandatory!


What is Functional Safety?

[Figure: risk matrix – probability (impossible, improbable, seldom, sporadic, always) versus severity (nothing, low, medium, high, extreme); the low-probability/low-severity region is marked "risk acceptable", the high-probability/high-severity region "risk not acceptable", with Functional Safety placed between the two regions]

Today:
Software-intensive automotive control systems

[Figure: vehicle with its electronic control systems, e.g. Event Data Recorder, Active Cabin Noise Suppression, Night Vision, Driver Alertness Monitoring, Cabin Environment Controls, Entertainment System, Wiper Control, Interior Lighting, Seat Position Control, Voice/Data Communications, Battery Management, Engine Control, Accident Recorder, DSRC, Lane Correction, Airbag Control, Instrument Cluster, Electronic Toll Collection, Adaptive Front Lighting, Digital Turn Signals, Navigation System, Adaptive Cruise Control, Security System, Active Exhaust Noise Suppression, Automatic Braking, Electric Power Steering, Active Suspension, Hill-Hold Control, OBDII, Transmission Control, Antilock Braking, Electronic Throttle Control, Idle Stop/Start, Electronic Stability Control, Regenerative Braking, Active Vibration Control, Remote Keyless Entry, Parking System, Electronic Valve Timing, Lane Departure Warning, Tire Pressure Monitoring, Cylinder De-activation, Blindspot Detection, Yaw Control]


Immediate future:
Connected car, autonomous driving

• Functional safety challenges:
  • Advanced sensing and intelligence
  • Driver responsibility
  • System of systems, socio-technical system
  • Part of the ”Internet of things”
  • Cybersecurity as a safety risk

Functional Safety Challenges…

• System safety
  § Complexity
  § Hidden interconnections and interactions
  § Unpredictable behavior (non-linear, chaotic, backward coupling, …?)
  § "Human factor", unpredictable usage scenario
  § Fail-operational systems; no “safe state”

• System and product life-cycle
  § Software easy to modify
  § Faults introduced through supply chain
  § Hazards not only in operation, but also in production, transport, disposal/decommissioning?

• Hardware random failures
  § Permanent failures to be considered
  § Growing impact of transient failures caused by radiation, due to the higher degree of integration of integrated circuits

• Systematic failures
  § Increased complexity of microelectronics and software
  § Increased complexity of project organization


Functional Safety
Principles, Concepts and Standards

Source: http://www.spiegel.de/fotostrecke/airbus-a400m-der-crash-von-sevilla-fotostrecke-127540-2.html

Concepts and principles of Functional Safety…

– Risk-based
  § Requires system approach
  § Hazard identification and risk assessment
– Lifecycle-oriented
– Address hardware random failures
  § Architecture and failure control
    – Redundancy and diversity
    – Diagnostics
  § Reliability and failure exclusion
– Address systematic failures
  § Fault avoidance
    – Modular design
    – Processes, methods, tools
    – Quality assurance
    – Competency of personnel
  § Increased immunity


Concepts and principles addressed by the safety-related control system (Functional Safety Product)

– Risk-based
  § Requires system approach
  § Hazard identification and risk assessment
– Lifecycle-oriented
– Address hardware random failures
  § Architecture and failure control
    – Redundancy and diversity
    – Diagnostics
  § Reliability and failure exclusion
– Address systematic failures
  § Fault avoidance
    – Modular design
    – Processes, methods, tools
    – Quality assurance
    – Competency of personnel
  § Increased immunity

Concepts and principles addressed by Management of Functional Safety (Functional Safety Management)

– Risk-based
  § Requires system approach
  § Hazard identification and risk assessment
– Lifecycle-oriented
– Address hardware random failures
  § Architecture and failure control
    – Redundancy and diversity
    – Diagnostics
  § Reliability and failure exclusion
– Address systematic failures
  § Fault avoidance
    – Modular design
    – Processes, methods, tools
    – Quality assurance
    – Competency of personnel
  § Increased immunity


… implemented by Functional Safety Standards


• IEC 61508 Safety Related Systems (SIL)
• ISO 13849 Safety Related Systems specifically for machinery (Performance Level)
• IEC 62061 Safety Related Systems specifically for machinery (SIL)
• IEC 61511 Safety Related Systems specifically for process sector equipment (SIL)
• IEC 61800-5-2 Safety Related Systems specifically for power drive systems (SIL)
• IEC 61496 Functional Safety for electro-sensitive products (SIL)
• EN 50271 Functional Safety for gas detection equipment (SIL)
• IEC 60730-1 (Class)
• IEC 60335-1 (Class / Table R1 or R2)
• UL 1998 Software and programmable devices (Class)
• UL 991 Solid state controls (Failure In Time / No critical component)
• ISO 26262 Functional Safety for Road Vehicles (ASIL)
• CSA 22.2 no 0.8 Safety functions incorporating electronic technology (Class)
• …


… implemented by Functional Safety Standards


• IEC 61508 Safety Related Systems (SIL)
• ISO 13849 Safety Related Systems specifically for machinery (Performance Level)*
• IEC 62061 Safety Related Systems specifically for machinery (SIL)*
• IEC 61511 Safety Related Systems specifically for process sector equipment (SIL)
• IEC 61800-5-2 Safety Related Systems specifically for power drive systems (SIL)*
• IEC 61496 Functional Safety for electro-sensitive products (SIL)*
• EN 50271 Functional Safety for gas detection equipment (SIL)
• IEC 60730-1 (Class)
• IEC 60335-1 (Class / Table R1 or R2)
• UL 1998 Software and programmable devices (Class)
• UL 991 Solid state controls (Failure In Time / No critical component)
• ISO 26262 Functional Safety for Road Vehicles (ASIL)
• CSA 22.2 no 0.8 Safety functions incorporating electronic technology (Class)
• …



ISO 26262 – An Overview

Scope of ISO 26262

• intended to be applied to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production passenger cars with a maximum gross vehicle mass up to 3500 kg

• addresses possible hazards caused by malfunctioning behaviour of E/E safety-related systems, including interaction of these systems.
  – Any hazard is addressed (electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards), that depends on the correct behaviour of E/E safety-related systems.


Contents and purpose of ISO 26262

• ISO 26262 is the adaptation of IEC 61508 to comply with needs specific to the
application sector of electrical and/or electronic (E/E) systems within road
vehicles.
• It provides:
– an automotive safety lifecycle (management, development, production, operation,
service, decommissioning)
– an automotive-specific risk-based approach to determine integrity levels [Automotive
Safety Integrity Levels (ASIL)];
– requirements for validation and confirmation measures to ensure a sufficient and
acceptable level of safety being achieved;
– requirements for relations with suppliers.


Why apply ISO 26262?

• Main driver is product liability
  § To be considered state of the art
  § Created, supported, and globally applied by major car manufacturers (OEMs) and suppliers (Tier 1, Tier 2, ...)
  § Concerns the entire value chain
    – From OEM down to development tool vendors

• Not incorporated in regulations or legal frameworks as of today
  § Automotive industry is largely self-certifying
  § Homologation requirements are not as detailed as would be necessary to address the unintended acceleration example properly
  § But ISO 26262 (and similar standards) are being discussed by administrations and governments (also in the context of automated driving regulations)


ISO 26262 Road vehicles – Functional safety

• Today: About 350 pages, about 500 requirements
• Consists of 9 normative parts
  – Part 1 : Vocabulary
  – Part 2 : Management of functional safety
  – Part 3 : Concept phase
  – Part 4 : Product development at the system level
  – Part 5 : Product development at the hardware level
  – Part 6 : Product development at the software level
  – Part 7 : Production & Operation
  – Part 8 : Supporting processes
  – Part 9 : ASIL oriented and safety oriented analyses
  – Part 10 : Guideline on ISO 26262 (informative)

ISO 26262 Road vehicles – Functional safety

• Tomorrow: Second edition, ISO 26262:2018
• Consists of 10 normative parts
  – Part 1 : Vocabulary
  – Part 2 : Management of functional safety
  – Part 3 : Concept phase
  – Part 4 : Product development at the system level
  – Part 5 : Product development at the hardware level
  – Part 6 : Product development at the software level
  – Part 7 : Production, operation, service and decommissioning
  – Part 8 : Supporting processes
  – Part 9 : ASIL-oriented and safety-oriented analyses
  – Part 10 : Guideline on ISO 26262 (informative)
  – Part 11 : Application of ISO 26262 to semiconductors (informative)
  – Part 12 : Adaptation of ISO 26262 for motorcycles


Part 9: ASIL-oriented and safety-oriented analyses
• 9-5 Requirements decomposition with respect to ASIL tailoring
• 9-6 Criteria for coexistence of elements
• 9-7 Analysis of dependent failures
• 9-8 Safety analyses

Concepts and principles of Functional Safety…

…in general:
– Risk-based
  § Requires system approach
  § Hazard identification and risk assessment
– Management of functional safety
  § Lifecycle
  § Roles and organisation
    – independence of assessors
  § Supplier management
– Address hardware random failures
  § Architecture and failure control
    – Redundancy and diversity
    – Diagnostics
  § Reliability and failure exclusion
– Address software-related (”systematic”) failures
  § Fault avoidance
    – Modular design
    – Processes, methods, tools
    – Quality assurance

…ISO 26262 in particular:
– Determine risk associated with control systems, using ”Automotive Safety Integrity Level”: ASIL A (lowest), B, C, or D (highest)
– Safety culture, FS assessment
  • Increasing independence, …
  • increasing assessment effort, …
  … the higher the ASIL.
  • throughout automotive value chain
  • Development Interface Agreements
– Safety mechanisms, and metrics with increasing target values for
  • Architectural metrics and diagnostic capabilities (SPFM & LFM), …
  • Probability of failures (PMHF)
  … the higher the ASIL.
– Safety measures (Methods, Activities)
  • Increasing formality and documentation, …
  • Increasing self-test requirements, …
  • increasing verification depth …
  … the higher the ASIL.


Major Concepts of ISO 26262
Functional Safety Management

Management of Functional Safety: What & Why

• Responsibilities and activities of organizations and individuals that apply or manufacture safety-critical systems, in order to…

  Identify, Achieve, & Maintain

  …functional safety throughout the complete life cycle.

• Impacts: Organization; Staff competence; Processes, methods and tools


Functional Safety Management

Management of Functional Safety:
• Overall Safety Management
• Safety Development Capability
• Item Development
• FSM before SoP
• FSM after SoP

Supporting Processes:
• Configuration Management
• Change Management
• Safety Requirements Management
• Documentation
• Verification
• Distributed Development
• Qualification of Hardware
• Qualification of Software
• Software Tools
• Proven in Use Argument

Safety Culture

Quality Management System (ISO 9001 / TS 16949)

Safety Culture

• "The organization [executing the safety lifecycle] shall create, foster, and sustain a safety culture that supports and encourages the effective achievement of functional safety." (ISO 26262-2, 5.4.2.1)

• Reward system reflects achievement of functional safety
• Proactively, safety is addressed early on
• Encourage dissent
• "Error culture" (errare humanum est)
  • Be open about own mistakes
  • Don’t take it personally if someone else points at your mistakes
  • Don’t hesitate to point at someone else’s mistakes
• Implemented and enabled by processes, empowerment and accountability of staff
  – (ISO 26262-2, Annex B)


Competence management

"The organization shall ensure that the persons involved in the execution of the safety lifecycle have a sufficient level of skills, competences and qualifications corresponding to their responsibilities." (ISO 26262-2, 5.4.3.1)

• Example: Establish a training and qualification program on:
  • Common safety practices, concepts and designs
  • ISO 26262 and, if applicable, further safety standards
  • Organization-specific rules and processes for functional safety

=> Domain knowledge and management experience from previous professional activities can be considered

Confirmation Measures

Confirmation measure | ASIL A | ASIL B | ASIL C | ASIL D | ASIL related to
Confirmation review of the hazard analysis and risk assessment | I3 | I3 | I3 | I3 | confirm correctness of the ASIL and QM ratings of the identified hazards
Confirmation review of the safety plan | - | I1 | I2 | I3 |
Confirmation review of the integration and test plan | I0 | I1 | I2 | I2 |
Confirmation review of the validation plan | I0 | I1 | I2 | I2 | applies to the highest ASIL of the item’s safety goals
Confirmation review of the safety analyses | I1 | I1 | I2 | I3 |
Confirmation review of the qualification of software tools | - | I0 | I1 | I1 |
Confirmation review of the "Proven in use" argumentation | I0 | I1 | I2 | I3 | applies to the highest ASIL of the safety goals the candidate is implementing
Confirmation review of the completeness of the safety case | I0 | I1 | I2 | I3 | applies to the highest ASIL of the item’s safety goals
Audit of the processes for functional safety | - | I0 | I2 | I3 | applies to the highest ASIL of the item’s safety goals
Functional safety assessment | - | I0 | I2 | I3 | applies to the highest ASIL of the item’s safety goals


Relationship to ISO/TS 16949

• Normative requirement on quality management during the safety lifecycle:


– 5.4.4.1 The organizations involved in the execution of the safety lifecycle shall
have an operational quality management system complying with a quality
management standard, such as ISO/TS 16949, ISO 9001, or equivalent.
– ”Evidence of quality management” is a required work product.

• ISO 26262 is within the ISO/TS 16949 process frame; it extends and
instantiates the requirements.
– Instantiation: ISO/TS clause 7.3 ”Design and Development” is addressed by
ISO 26262’s core processes on System, HW and SW level.
§ ISO 26262 is strongly inspired by ISO 15288 (System Engineering) and ISO 12207
(SW Engineering)

– Extension: ISO 26262 implements the system approach (vehicle ”items”) and
relies on final OEM responsibility, ...
... whereas ISO/TS is focused on component / sub-system supplier responsibility.


New IATF16949

• Alignment with requirements of ISO 26262 can be assumed, based on


www.bsigroup.com:

– „Some of the new enhancements to the automotive quality standard to address recent issues in
the automotive industry include the following:
§ Requirements for safety-related parts and processes /* FMEAs, training of staff involved, transfer of
safety requirements throughout supply chain */
§ Enhanced product traceability requirements to support latest regulatory changes /* ISO 26262
implies responsibility to monitor and maintain functional safety after release for production*/
§ Requirements for products with embedded software /* Embedded software is crucial for functional
safety, ISO 26262-6 and supporting processes of ISO 26262-8*/
§ Warranty management process including addressing NTF (no trouble found) and use of
automotive industry guidance /* ISO 26262 is primarily about avoiding (but not guaranteeing!) NTF
situations. If a safety-related NTF cannot be avoided nevertheless, then full adherence to ISO 26262
requirements provides the best level of legal protection.*/
§ Clarification of sub-tier supplier management and development requirements /* ISO 26262 has
specific supplier-related requirements, e.g.: supplier selection and functional safety assessment,
development interface agreement (DIA)*/
§ Addition of corporate responsibility requirements /* Functional Safety management is not only
project-specific, but impacts corporate level*/“



Major Concepts of ISO 26262
Concept- and System Level

Hazard analysis and risk assessment process

• Determination of ASIL and Safety Goals


Hazard analysis and risk assessment example

Simple seat positioning system; Safety Goal:
”Prevent seat movement while driving with V > 5 km/h, ASIL C”

=> Functional Safety requirements:
FSR_01: ”Detect vehicle movement (V), ASIL C”
FSR_02: ”Interrupt seat movement if V > 5 km/h, ASIL C”
FSR_03: ”Ignore seat control switches if V > 5 km/h, ASIL C”
...

[Figure: seat positioning system – switches FS, BS]

Preliminary architectural assumptions and allocation of FSR

• Functional safety requirements broken down to elements, e.g. ECU-B
• Element ASIL inherited from higher level FSR / Safety Goal
• Example: simple seat positioning system
  § Can ASIL C for the seat control module ECU-B be avoided?

[Figure: preliminary architecture – switches FS, BS; ECU-S (S2); ECU-B (S1, A)]

Evolved preliminary architecture with ASIL decomposition

• Add elements ECU-DSC and switch (measure speed and disable seat movement) => implementing a ”safety mechanism”
  – Requirements decomposition:

    ASIL C = QM(C) SeatControl + ASIL C(C) PositionMonitoring

  § QM: (automotive) ”quality management”

=> ECU-DSC and ECU-B have to be independent!

[Figure: evolved architecture – switches FS, BS; ECU-S (S2); ECU-DSC; switch; ECU-B (S1, A)]
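As an added example (not code from the slides or from any seat ECU supplier), the following C program implements the decomposed architecture of the seat positioning example: the QM seat control path of ECU-B turns the switch inputs into a motor request, the ASIL C position monitoring path of ECU-DSC derives an enable from the vehicle speed, and the final actuation is the series connection of both, the same structure as the two switches in series of the whip cream example. The 5 km/h threshold and the FSR numbers come from the slides; the signal names, the "valid" flag on the speed signal and the command enumeration are assumptions. The monitor treats a missing or implausible speed signal as "vehicle moving", so a lost speed input cannot re-enable seat movement.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Safety goal from the slide: prevent seat movement while driving with
 * V > 5 km/h (ASIL C). */
#define SEAT_SPEED_LIMIT_KMH 5u

typedef enum { SEAT_STOP = 0, SEAT_FORWARD = 1, SEAT_BACKWARD = 2 } seat_cmd_t;

/* Vehicle speed as received by ECU-DSC. The 'valid' flag is an assumption:
 * it would be derived from message freshness and plausibility checks. */
typedef struct {
    uint16_t speed_kmh;
    bool     valid;
} speed_signal_t;

/* QM path (ECU-B, SeatControl): switch inputs -> motor request.
 * No safety claim is made for this function. */
seat_cmd_t seat_control_request(bool sw_forward, bool sw_backward)
{
    if (sw_forward && !sw_backward) return SEAT_FORWARD;
    if (sw_backward && !sw_forward) return SEAT_BACKWARD;
    return SEAT_STOP;               /* neither or both switches pressed */
}

/* ASIL C path (ECU-DSC, PositionMonitoring): FSR_01 detect vehicle
 * movement, FSR_02/FSR_03 block seat movement if V > 5 km/h.
 * Fail-safe direction: an invalid speed signal counts as "moving". */
bool position_monitor_enable(const speed_signal_t *v)
{
    if (v == NULL || !v->valid) return false;
    return v->speed_kmh <= SEAT_SPEED_LIMIT_KMH;
}

/* Series connection (the "switch" element): the motor is driven only when
 * the QM request AND the ASIL C enable agree. Neither ECU alone can move
 * the seat, which is why the two have to be independent. */
seat_cmd_t seat_actuator_output(seat_cmd_t request, bool monitor_enable)
{
    return monitor_enable ? request : SEAT_STOP;
}

/* One control cycle through both paths. */
seat_cmd_t seat_cycle(bool sw_forward, bool sw_backward,
                      uint16_t speed_kmh, bool speed_valid)
{
    speed_signal_t v = { speed_kmh, speed_valid };
    seat_cmd_t request = seat_control_request(sw_forward, sw_backward);
    return seat_actuator_output(request, position_monitor_enable(&v));
}

int main(void)
{
    /* Constructed scenarios: standing, at the limit, driving, lost signal. */
    printf("V=0,  forward pressed:      %d\n", seat_cycle(true, false, 0, true));
    printf("V=5,  forward pressed:      %d\n", seat_cycle(true, false, 5, true));
    printf("V=30, forward pressed:      %d\n", seat_cycle(true, false, 30, true));
    printf("V invalid, forward pressed: %d\n", seat_cycle(true, false, 0, false));
    return 0;
}
```

Because the QM request only passes through when the ASIL C path agrees, a software fault in ECU-B (for example a stuck "forward" request) cannot violate the safety goal on its own; the decomposition argument collapses, however, if the two paths share a common cause such as the same speed input without plausibility checking, the same power supply, or the same microcontroller, which is what the independence requirement and the analysis of dependent failures (ISO 26262-9) are about.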

Major Concepts of ISO 26262
Hardware Level


Fault concepts and hardware metrics

Hardware Safety Analysis: Qualitative and Quantitative (”FMEDA”)!

Failure models and failure rates from industry reference sources, e.g. failure mode distribution per part type:

CK: Open circuit 10% | Short circuit 70% | Capacity Drift < 0,5*C 10% | Capacity Drift > 2*C 10%
RM: Open circuit 40% | Short circuit 0% | Resistance Drift < 0,5*R 30% | Resistance Drift > 2*R 30%
VD: Open circuit 20% | Short circuit 80%

Chart compilation (FMEDA sheet columns): Part No | Part type | Base failure rate | Failure mode | Distribution | Safe (don't care) | Dangerous | Multi-point fault | λ | DC [%] | Failure reaction | λ Residual | λ Latent | λ Safe | DC reaction for latent | Example value

Example rows for part R1 (type RM, 100k; "1 10" as extracted):
Open circuit 0,400 1 0 0 4 0 0 System in safe state NA
Short circuit 0,000 1 0 0 0 0 0 System in safe state NA
Resistance Drift < 0,5*R 0,300 0 1 0 0 3 0,3 Wrong measurement 0,9 2,7 NA 2,7
Resistance Drift > 2*R 0,300 0 1 0 0 3 1,2 Wrong measurement 0,6 1,8 NA 1,8


Fault concepts and hardware metrics (SPFM & LFM)

Single-point fault metric target values: ASIL B 90 % | ASIL C 97 % | ASIL D 99 %

Latent fault metric target values: ASIL B 60 % | ASIL C 80 % | ASIL D 90 %

[Figure: ISO 26262-5, Figure C.1 — Fault classification of safety-related hardware elements of an item]
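To make the two metrics concrete, here is an added C example (not from ISO 26262 and not the FMEDA sheet shown on the previous slide) that evaluates a small constructed FMEDA table and checks the results against the ASIL target values listed above. It uses the definitions from ISO 26262-5 Annex C: SPFM = 1 − (Σλ_SPF + Σλ_RF) / Σλ and LFM = 1 − Σλ_MPF,latent / (Σλ − Σλ_SPF − Σλ_RF). The part failure rates, the diagnostic coverage values and the classification of each failure mode as safe, dangerous or multi-point are assumptions for this example; the failure mode distributions of the resistor and the capacitor are the RM and CK values from the previous slide.

```c
#include <stddef.h>
#include <stdio.h>

/* Classification of a failure mode with respect to the safety goal. */
typedef enum {
    FM_SAFE,        /* cannot violate the safety goal                        */
    FM_DANGEROUS,   /* violates the goal directly unless a safety mechanism  */
                    /* catches it: residual part = lambda * (1 - dc); with   */
                    /* dc == 0 the whole lambda is a single-point fault      */
    FM_MULTIPOINT   /* violates the goal only together with a second fault:  */
                    /* latent part = lambda * (1 - dc)                       */
} fm_class_t;

typedef struct {
    const char *part;
    const char *mode;
    double      lambda_fit;  /* failure rate of this mode in FIT (1e-9 / h)  */
    fm_class_t  cls;
    double      dc;          /* diagnostic coverage 0..1 of the mechanism    */
} fmeda_row_t;

/* Constructed example: a 10 FIT resistor with the RM distribution
 * (40/0/30/30 %) and a 5 FIT capacitor with the CK distribution
 * (10/70/10/10 %). The class and DC of each mode are assumptions. */
static const fmeda_row_t g_rows[] = {
    { "R1", "open circuit",   4.0, FM_SAFE,       0.00 },
    { "R1", "short circuit",  0.0, FM_SAFE,       0.00 },
    { "R1", "drift < 0.5*R",  3.0, FM_DANGEROUS,  0.90 },
    { "R1", "drift > 2*R",    3.0, FM_DANGEROUS,  0.90 },
    { "C1", "open circuit",   0.5, FM_SAFE,       0.00 },
    { "C1", "short circuit",  3.5, FM_DANGEROUS,  0.99 },
    { "C1", "drift < 0.5*C",  0.5, FM_SAFE,       0.00 },
    { "C1", "drift > 2*C",    0.5, FM_MULTIPOINT, 0.50 },
};
#define N_ROWS (sizeof g_rows / sizeof g_rows[0])

typedef struct {
    double total;        /* sum of all lambda                */
    double spf_plus_rf;  /* single-point + residual faults   */
    double mpf_latent;   /* latent multi-point faults        */
    double spfm;
    double lfm;
} hw_metrics_t;

hw_metrics_t compute_metrics(const fmeda_row_t *rows, size_t n)
{
    hw_metrics_t m = { 0.0, 0.0, 0.0, 0.0, 0.0 };
    for (size_t i = 0; i < n; i++) {
        double undetected = rows[i].lambda_fit * (1.0 - rows[i].dc);
        m.total += rows[i].lambda_fit;
        if (rows[i].cls == FM_DANGEROUS)  m.spf_plus_rf += undetected;
        if (rows[i].cls == FM_MULTIPOINT) m.mpf_latent  += undetected;
    }
    if (m.total > 0.0) {
        m.spfm = 1.0 - m.spf_plus_rf / m.total;
        m.lfm  = 1.0 - m.mpf_latent / (m.total - m.spf_plus_rf);
    }
    return m;
}

/* Highest ASIL whose target value (from the slide) the metric reaches:
 * 'D', 'C', 'B', or '-' if not even the ASIL B value is reached. */
char asil_met_spfm(double spfm)
{
    if (spfm >= 0.99) return 'D';
    if (spfm >= 0.97) return 'C';
    if (spfm >= 0.90) return 'B';
    return '-';
}

char asil_met_lfm(double lfm)
{
    if (lfm >= 0.90) return 'D';
    if (lfm >= 0.80) return 'C';
    if (lfm >= 0.60) return 'B';
    return '-';
}

double example_spfm(void) { return compute_metrics(g_rows, N_ROWS).spfm; }
double example_lfm(void)  { return compute_metrics(g_rows, N_ROWS).lfm; }

/* Tolerance comparison without libm. */
int approx(double a, double b, double tol)
{
    double d = a - b;
    return (d < 0 ? -d : d) < tol;
}

int main(void)
{
    hw_metrics_t m = compute_metrics(g_rows, N_ROWS);
    printf("total lambda = %.3f FIT, SPF+RF = %.3f FIT, latent MPF = %.3f FIT\n",
           m.total, m.spf_plus_rf, m.mpf_latent);
    printf("SPFM = %.2f %% -> reaches ASIL %c target\n", 100.0 * m.spfm, asil_met_spfm(m.spfm));
    printf("LFM  = %.2f %% -> reaches ASIL %c target\n", 100.0 * m.lfm,  asil_met_lfm(m.lfm));
    return 0;
}
```

With these constructed numbers the SPFM comes out at about 95.8 % and the LFM at about 98.3 %: the latent fault metric already reaches the ASIL D value, but the residual failure rate of the two resistor drift modes keeps the SPFM below the ASIL C value of 97 %. The binding metric is therefore the SPFM, and a designer aiming at ASIL C would have to raise the diagnostic coverage of the measurement path (or change the part so that more of its failure rate falls into safe modes) rather than add further latent-fault detection.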

Fault concepts and hardware metrics (random hardware failures)

• Either: “Probabilistic Metric for random Hardware Failures” (PMHF)
  – to evaluate the violation of the considered safety goal using, for example, quantified FTA or Markov and to compare the result of this quantification with a target value

• Or: Individual evaluation of each residual and single-point fault, and of each dual-point failure leading to the violation of the considered safety goal.
  – This analysis method can also be considered to be a cut-set analysis.


Fault avoidance during hardware development

• Hardware integration tests to verify safety mechanisms and robustness


Major Concepts of ISO 26262
Software Level


Reference phase model for the software development


Fault avoidance during software development


Relationship to Automotive SPICE

• Automotive SPICE is an extension and adaptation of ISO 15504 to automotive software development

• ISO 26262 recognizes: ”There can be sufficient commonality in content between ISO 26262 and SPICE to allow synchronization of the planning [of the functional safety audit].”
  – This is particularly true for the system level and software level development processes

... but other software-related processes and practices fundamental to Functional Safety are missing:
• Safety analysis (HazOp, FMEA, FTA, …)
• Strong interaction between HW and SW development (HSI)
• Building the safety case and functional safety assessment
• Software tool qualification

Competency Requirements for FS assessment staff

Achievement and evaluation of functional safety requires expertise in various disciplines (in addition to appropriate domain competency, e.g. here automotive) …
• quality and development process management and audit (FSM & compliance)
• hazard-based safety engineering
• requirements engineering
• embedded control systems engineering
• hardware engineering
• micro-processor / semiconductor technology
• formalized and model-based software engineering
• programming languages (C, C++, assembler)
• safety concepts on system/hw/sw level for single-point & latent fault avoidance/control and independence
• hardware reliability and failure models (electric, electronic, microelectronics, electromechanical, mechanical, pneumatic, hydraulic)
• immunity against electromagnetic phenomena and other environmental impacts
• probabilistic modeling
• safety analysis using formalized methods and techniques (FMEA, FTA, Markov, RBD, …)
• verification (reviews, analyses and testing) and validation
• compilation of safety cases
• …


THANK YOU!!!

Your Comments and Questions are Welcome!

Christian Nowak
TÜV SÜD Rail GmbH
Automotive Department
Barthstraße 16
D - 80339 München
Phone: +49 (0) 89 5791 2978
Fax: +49 (0) 89 5791 2933

mailto:christian.nowak@tuev-sued.de
http://www.tuev-sued.de
http://www.tuev-sued.de/rail/training