
ISO 26262 TRAINING

Day 1: Introduction – Management of Functional Safety – HARA


DAY 1 - CONTENTS

1. Introduction to Functional Safety
2. ISO 26262 & its Legal Consequences
3. Functional Safety Management
4. Overview of Additional Supporting Processes
5. Hazard Analysis and Risk Assessment (HARA)
6. HARA Training Exercise

ISO 26262 Training - Day 1 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 2
INTRODUCING KVA

• Founded in 2010, kVA is a U.S. based technical and management consulting group specializing in automotive functional safety.
• All of kVA’s technical personnel are Automotive Functional Safety Professionals (AFSP) and Managing Partners are Automotive Functional Safety Experts (AFSE), designations conferred by SGS-TÜV.
• kVA offers a wide variety of technical services including consulting for autonomous vehicles, ADAS, powertrain, steering & chassis, hybrid/electric and body controllers.
• medini™ analyze is a software tool for safety analysis, including FTA, FMEA and FMEDA. kVA distributes and supports the medini™ analyze tool in North America.

AFSP Seminar – Module K2 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 3
INTRODUCING SGS-TÜV

• SGS was established in 1878, operating today with more than 1,800 offices and laboratories around the world.
• Viewed as the world’s leading inspection, verification, testing and certification company
• With over 90,000 employees, SGS works with customers throughout the supply chains of 13 global industries
  – Agriculture and Food; Automotive; Chemical; Construction; Consumer Goods and Retail; Energy; Finance; Industrial Manufacturing; Life Sciences; Logistics; Mining; Oil and Gas; and Public Sector
• SGS-TÜV Saar GmbH is a joint venture between SGS-Group and TÜV Saarland e.V.

DEFINITION OF FUNCTIONAL SAFETY

ISO 26262-1 (Vocabulary):

“Absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E systems”

POTENTIAL RISK

• Definition of “unreasonable”
  – Unacceptable
  – Excessive
  – Based on societal moral concepts
• Definition of “risk”
  – Combination of the probability of harm and severity of damage
• Definition of “damage”
  – Harm to persons

• It is very difficult to objectively assess the acceptance of risk


POTENTIAL RISK

• What is an individual’s risk of fatality within a typical year?
  – Statistically never better than about 1E-04 per year
  – Very roughly 1E-08 per hour, with wide variations by age

Annual probability of death by age (per year):

Age   Male      Female
0     0.007379  0.006096
1     0.000494  0.000434
2     0.000317  0.000256
3     0.000241  0.000192
4     0.0002    0.000148
5     0.000179  0.000136
6     0.000166  0.000128
7     0.000152  0.000122
8     0.000133  0.000115
9     0.000108  0.000106
10    0.000089  0.0001
11    0.000094  0.000102
12    0.000145  0.00012
13    0.000252  0.000157
14    0.000401  0.000209
15    0.000563  0.000267

Source: U.S. Social Security Administration

MALFUNCTIONS IN ROAD VEHICLES

• Malfunctions of operating functions. Examples:
  – Unintended acceleration
  – Unintended deceleration
  – Unintended loss of acceleration
  – Unintended loss of deceleration
  – Unintended vehicle motion
• Malfunctions of safety functions. Examples:
  – Failure of high voltage detection
  – Failure of overheating detection

POTENTIAL RISK

• How do we determine the potential risk of vehicle functions due to malfunctioning behavior?

Answer:
• ISO 26262 provides a standardized method to determine the potential risk

MEASURE FOR THE RISK POTENTIAL OF
VEHICLE FUNCTIONS / SYSTEMS

• Automotive Safety Integrity Level (ASIL)
  – 5-step scale (QM, A, B, C, D)
  – QM means “standard Quality Assurance is sufficient” (oriented to application of ISO TS 16949 or ISO 9001)
  – ASIL x means additional risk reduction measures are required
  – ASIL D describes the highest risk potential
• Each ASIL has requirements allocated to it: the defined safety goals at vehicle level are the top-level safety requirements

COMPONENTS OF RISK POTENTIAL

[Figure: risk diagram. Vertical axis “Probability of occurrence of Harm”, from “extremely improbable” to “always”; horizontal axis “Severity of Harm”, from “low” to “Death”. The region above the risk acceptance line is “Unacceptable risk”, the region below it is “Acceptable (residual) risk”.]

• The risk potential is defined by two components, severity and probability


RISK REDUCTION

• What has to be done if the acceptable risk limit has been surpassed? (Figure: “Not OK” above the limit, “OK” below it)

Answer:
• ISO 26262 describes standardized actions for the necessary risk reduction

CATEGORISATION OF RISK POTENTIAL

[Figure: the same risk diagram as before: “Probability of occurrence of Harm” (extremely improbable … always) against “Severity of Harm” (low … death), with “Unacceptable risk” above the risk acceptance line and “Acceptable (residual) risk” below it.]

• The ASIL is described as the distance from the risk acceptance limit
CONCEPT FOR RISK REDUCTION

[Figure: concept for risk reduction. On an axis of increasing risk: “Residual risk” – “Tolerable risk” – “Risk due to E/E malfunction”. The distance from the risk due to E/E malfunction down to the tolerable risk is the “Necessary risk reduction”. The “Current risk reduction” is the risk reduction achieved by all safety-relevant systems and external equipment, made up of:
  – risk partially covered by safety-relevant E/E systems,
  – risk partially covered by safety-relevant systems of other technologies,
  – risk partially covered by external systems.]

• Risk reduction is typically done by a combination of different measures


HISTORY OF ISO 26262

Basic safety standard:
• IEC 61508 (1999, 2010): international standard
• EN 61508 (2010): acceptance by CENELEC as European standard
• DIN EN 61508 (2011): acceptance by DKE (DIN and VDE) as German standard

Sector-specific adaptations (similar standards), e.g.:
• Avionics: SAE ARP 4754 (1996)
• Railway: EN 501xx (1999)
• Medical equipment: IEC 60601 (2005)
• Nuclear power plants: IEC 61513 (2001)
• Process industry: IEC 61511 (2004)
• Machinery: IEC 62061 (2005)
• Road vehicles: ISO/CD 26262 (2008) → ISO/DIS 26262 (2009) → ISO 26262 (2011), Edition 1 → ISO/DIS 26262 (2016), Draft Edition 2 → ISO 26262 (2018), Final Edition 2

CD = Committee Draft, DIS = Draft International Standard

SCOPE OF ISO 26262 EDT.1 (2011)

• Title: “Road vehicles – Functional Safety”
• Safety-relevant systems
  – one or several E/E subsystems
  – production passenger cars (up to 3,500 kg)
  – excluding special purpose vehicles (e.g. vehicles for disabled persons)
• Deals with possible risks
  – arising from the malfunction of E/E systems
  – caused by the respective E/E system itself

• Edt. 2 (2018) will also include motorcycles and commercial vehicles


SCOPE OF ISO 26262 EDT.1 (2011)

• Components and systems under development prior to the publication date (Nov. 15, 2011) of ISO 26262 are exempted from the scope
• Does not address hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behavior of E/E safety-related systems
• Does not address the nominal performance of E/E systems

CONTENTS OF ISO 26262 (2011)

Part 1: Vocabulary – Terms and abbreviations
Part 2: Management of functional safety – Organisational aspects
Part 3: Concept phase – Risk assessment and safety concept design
Part 4: Product development: system level – Safety aspects in system development
Part 5: Product development: hardware level – Safety aspects in hardware development
Part 6: Product development: software level – Safety aspects in software development
Part 7: Production and operation – Safety aspects after SOP
Part 8: Supporting processes – Quality assuring processes
Part 9: ASIL-oriented and safety-oriented analyses – Safety analyses
Part 10: Guideline on ISO 26262 – Guide to application

Parts 1 to 9 are normative; Part 10 is an informative guideline.

CONTENTS OF ISO 26262 (2011)
V-cycle introduced

• The first 4 Clauses are identical for Part 2 through Part 9
• Clause 5 starts the new content specific to a particular Part
• Each Clause is broken up into 5 main Sub-Clauses:
  X.1 Objectives: describes the objective of the clause
  X.2 General: provides general information on the clause
  X.3 Inputs to this clause: lists all of the prerequisite documents and any other supporting documents
  X.4 Requirements and recommendations: the actual content describing the specific requirements for the clause
  X.5 Work products: lists all of the required work products (outputs) of the clause
STRUCTURE OF THE STANDARD
(FIRST EDITION 2011)

Reference: ISO 26262-2, Figure 1

TIMING
OF ISO 26262 SECOND EDITION (2018)

[Figure: timeline with the milestones “2nd Edition Draft Available” and “2nd Edition Release Available”]

Reference: CTI ‘15, ISO 26262 – Status and Roadmap, Carsten Gebauer
EXPECTED STRUCTURE
OF ISO 26262 SECOND EDITION (2018)

New Parts

PLANNED CHANGES
OF ISO 26262 SECOND EDITION (2018)

• New Part 11: Semiconductors (ISO/PAS 19451)
  o Base failure rates
  o Dependent failure analysis
  o Multi-core
  o Programmable logic devices (e.g. FPGA)
  o HW qualification
• New Part 12: Motorcycles (ISO/PAS 19695)
  o Necessary adaptations for motorcycles
  o Hazard Analysis and Risk Assessment
  o Safety Validation
• Inclusion of commercial vehicles
• Safety of the intended functionality (SOTIF)
• SW Safety Analysis
• Security
• Modification of the HW metrics

Reference: CTI ‘15, ISO 26262 – Status and Roadmap, Carsten Gebauer

SAFETY LIFE CYCLE

Reference: ISO 26262-2, Figure 2
WHY TO APPLY ISO 26262?

Vehicle’s E/E systems are complex and are growing rapidly

Source: Lisa Whalen, Making Products and Systems Functionally Safe, 2012 CTi Conference on ISO 26262, Troy, MI
WHY TO APPLY ISO 26262?

Complex Vehicle Software Size (lines of code)

F-22 Raptor:                1.7 Million
F-35 Joint Strike Fighter:  5.7 Million
Boeing 787 Dreamliner:      6.5 Million
2009 MB S-Class:            20 Million¹ (radio and navigation only)
Vehicle today:              ~100 Million, spread over ~70-100 ECUs
Predicted future:           ~200-300 Million

¹ Source: Robert Charette, This Car Runs on Code, IEEE Spectrum, February 2009

WHY TO APPLY ISO 26262?

Aspects to be considered:

• Technical Recommendation: recommended application of IEC / ISO / FMVSS / SAE standards for the current State of the art (this is where ISO 26262 is relevant)
• Law: mandatory application of legal Directives and Regulations for Approvals

• ISO 26262 is not a law, but may have legal consequences


WHY TO APPLY ISO 26262?

How to adapt to the State of the Art?

• Manufacturers must implement any safety measure that is:
  – Necessary to reduce the residual risk of a product
  – Available according to the current State of the Art
  – Affordable considering the cost-benefit ratio

• Obligation to apply available solutions, but not to develop new solutions or to press ahead of the State of the Art

Reference: CTi ‘15, Functional safety new questions arise; Andreas Reuter
WHY TO APPLY ISO 26262?

Trials deal with what you did 10 or 15 years ago…

• What can save you are:
  – Well defined processes that were followed
  – Good documentation

Reference: CTi ‘15, U.S. Legal Issues – Overview and Practical Considerations; Clay Guise
WHY TO APPLY ISO 26262?

How a standard can be used in U.S. Law:

– Product meets the standard
– Standard applies but it was not met
– If the standard had been met, the product would be “better”
– Others do it “better” or “differently”

Reference: CTi ‘15, U.S. Legal Issues – Overview and Practical Considerations; Clay Guise
WHAT DOES NHTSA SAY?
GROW AMERICA Act, SEC. 4105

Although NHTSA currently hasn’t used this, they have the authority to require a functional safety process.

Reference: CTi ‘15, NHTSA’s Electronics Reliability – Functional Safety Research; Cem Hatipojlu
WHY TO APPLY ISO 26262?

Product liability puts the burden of proof for acting with due care on the manufacturer. Therefore manufacturers must be able to provide evidence, by appropriate documentation, that they ensured the safety of their product with due care.

Reference: CTi ‘15, Functional safety new questions arise; Andreas Reuter
LEGAL CONSEQUENCES

§§ Legal obligation of the manufacturer: fulfillment of the safety expectations which can be expected by the end customer according to the state of the art at the point in time of placing the product on the market.

Applicable safety standards (e.g. ISO 26262) define the minimum state of the art which has to be reached at least.

Non-compliance with standards: in a product liability case, evidence is necessary that the state of the art has been achieved anyway (reversal of burden of proof). Result: unpredictable risk of product liability.

Compliance with standards: necessary, but not sufficient, to reach the state of the art.

WHAT ABOUT EXISTING DESIGNS

• ISO 26262 allows E/E systems developed prior to the publication date of the standard to be exempted
• Systems whose development was started before publication of the standard are also exempted from the scope

Problem: conflict with product liability laws, which consider the date of product placement on the market

• In case of subsequent alterations, a delta assessment is required, which means that only the contents actually altered must be evaluated according to ISO 26262

WHEN TO APPLY ISO 26262?

[Flowchart]
1. Determination of the risk potential of the E/E vehicle function
2. Is the result ASIL ≥ A?
   – No: exit point to the standard process, QM (typically ISO/TS 16949)
   – Yes: apply ISO 26262 by adding measures to reduce the risk to an accepted level (to achieve the determined safety integrity of the specified safety goals)

HOW IS RISK REDUCTION REALIZED
IN ELECTRONICS?

• Risk reduction means to reduce the probability of failing due to safety and security reasons
• Three main aspects are relevant for risk reduction in electronic systems:

Avoidance of systematic faults
  Realized by: management, development, test and supporting processes
  → Functional Safety (ISO 26262)

Control of random and systematic faults
  Realized by: technical measures at function, system, component, hardware, software, IC and IP level
  → Functional Safety (ISO 26262)

Defense against unauthorized access
  Realized by: technical measures at function, system, component, hardware, software, IC and IP level
  → Security


SUMMARY GENERAL

• It is very difficult to objectively assess the acceptance of risk
• The risk potential is defined by two components, severity and probability
• The ASIL is described as the distance from the risk acceptance limit
• Risk reduction is typically done by a combination of different measures
• Edition 2 (2018) will also include motorcycles and commercial vehicles
• ISO 26262 is not a law, but may have legal consequences

SAFETY MANAGEMENT PROCESS

Reference: ISO 26262-2, Figure 1
CONTENT OF ISO 26262-2

ISO 26262-2 “Management of Functional Safety“:
  2-5: Overall Safety Management
  2-6: Safety Management during Concept Phase and Product Development
  2-7: Safety Management after the Item’s Release for Production

FSM = Functional Safety Management

• Three levels of FSM to be installed


WHAT IS SAFETY MANAGEMENT?

• Safety Management can be described as
  – Provision for safety in a professional manner by adequately trained and experienced specialists.
  – Safety management encompasses the preventive assurance of safety and protection against hazards using human and technical resources.

PART 2, CLAUSE 5
OVERALL SAFETY MANAGEMENT

Ref. ISO 26262-2, Clause 5

• Safety culture
• Competence management
• Quality management during the safety lifecycle
• Project independent tailoring of the safety lifecycle

• The Overall Safety Management provides the framework for safety related E/E development projects
PART 2, CLAUSE 5.4.2
SAFETY CULTURE

• Functional safety as a company objective
• Company-specific policies and processes
• Resource management (i.e., sufficient resources for functional safety)
• Continuous improvement process
• Escalation process for functional safety
• Authority of safety managers, responsible parties

Reference: ISO 26262-2, §5.4.2


SAFETY CULTURE (EXAMPLES)

• Examples indicative of a poor safety culture
  – Accountability is not traceable
  – Cost and schedule always take precedence over safety and quality
  – Passive attitude towards safety
  – Heavy dependence on testing at the end of the product development cycle
  – Management reacts only when there is a problem in the field

• Examples indicative of a good safety culture
  – The process assures that accountability for decisions related to functional safety is traceable
  – Safety is the highest priority
  – Proactive attitude towards safety
  – Safety and quality issues are discovered and resolved from the earliest stage in the product lifecycle

Source: ISO 26262-2, Annex B

PART 2, CLAUSE 5.4.3
COMPETENCE MANAGEMENT

• Competence is to be assured in accordance with the corresponding responsibility
  – Training, education
  – Qualification programs are recommended (e.g. AFSP qualification of SGS-TÜV Saar)
  – Continuous improvement of qualification
  – Documentation of qualifications (e.g. database)
  – Policies for the selection of team members involved in functional safety activities

Reference: ISO 26262-2, §5.4.3


SAFETY VS. QUALITY

[Figure: two layers]
“ON TOP“ – Management of Functional Safety (ASIL A, B, C, D): coordinates the requirements to be met by Functional Safety
“BASIS“ – Quality management (i.e. ISO/TS 16949, ISO 9001 or equivalent) (QM): coordinates quality requirements

• Functional Safety Management requires an established Quality Management

PART 2, CLAUSE 5.4.5
PROJECT-INDEPENDENT “TAILORING“

• Adapting safety lifecycle phases in accordance with responsibilities
  – The responsibilities of OEMs differ from suppliers
  – Interface definitions

• The safety lifecycle must be completely implemented over the entire supply chain

Reference: ISO 26262-2, §5.4.5


PROJECT-INDEPENDENT
“TAILORING“

Tailoring means that
• subphases, activities or tasks may be combined or split, or
• an activity or task may be performed in a different phase or subphase, or
• an activity or task may be performed in an added phase or subphase, or
• phases or subphases may be iterated.

Reference: ISO 26262-2, §5.4.5


PART 2, CLAUSE 6
REQUIREMENTS TO THE SAFETY
MANAGEMENT DURING CONCEPT AND
DEVELOPMENT

Ref. ISO 26262-2, Clause 6

• Roles, Responsibilities
• Planning and coordination of safety activities
• Project-specific “tailoring“ of the safety lifecycle
• Safety Case
• Confirmation Measures

• Safety management during development means to coordinate all project specific safety activities
PART 2, CLAUSE 6.4.2
ROLES AND RESPONSIBILITIES

• Selection of the individuals with functional safety responsibilities within the project and their tasks
• Selection of the project responsible “Safety Manager”
• Selection of the project responsible “Project Manager” (i.e., safety project manager)
• Selection of the individuals and their safety activities in the project considering their qualifications

Reference: ISO 26262-2, §6.4.2
TYPICAL TASKS OF THE
SAFETY MANAGER ?

Designate a Safety Manager for each program. Ensure the Safety Manager has skill, knowledge and resources. The Safety Manager and assigned staff must be empowered.

Proposed responsibilities of the Safety Manager:
• Involvement in selection of safety team members
• Planning and tracking of the required phases in the safety lifecycle (safety plan)
• Modification of the development process (tailoring)
• Performance of evaluations (deadlines, schedules, preparation, organization)
• Initiation of escalation process if evaluations are not successfully passed
• Listing of documentation to be prepared
• Management of internal (departments) and external (customer, suppliers, SGS-TÜV) interfaces

TYPICAL TASKS OF THE
PROJECT MANAGER ?

Designate a project manager for each program. The Project Manager must sign off on the completion of functional safety activities, compliance to ISO 26262, and suitability of resource allocation.

Proposed responsibilities of the Project Manager:
• Ensures a safety manager is appointed
• Ensures safety activities are performed
• Ensures compliance with ISO 26262 is achieved (ref. 6.4.2)
• The project manager shall verify that the organization has provided the required resources for functional safety activities

TYPICAL IMPLEMENTATION STEPS

1. Introduction of a safety management structure
   • Safety managers and their task profiles
   • Authority of safety managers

2. Introduction of a generic safety process
   • Standard procedures for safety management
   • Standard procedures for development activities
   • Provision of templates and tools

3. Training guidelines
   • Training concept
     – Understanding of the ISO 26262
     – Know-how in the use of the company specific procedures

EXAMPLE: SAFETY MANAGEMENT
ORGANISATIONAL STRUCTURE #1

[Figure: organisational structure #1]
• Company (Division) Level: Company Safety Manager, with coordination of and feedback from the business units
• Business Unit Level: Business Unit 1 … n, each with its own Safety Manager and Safety Team
• Project Level (Development): for each unit, projects 1 … n, each with its own Safety Manager and Safety Team
EXAMPLE SAFETY MANAGEMENT
ORGANISATIONAL STRUCTURE #2
[Figure: organisational structure #2]
• Company (Division) Level: Company Safety Manager, with coordination of and feedback from the business units
• Business Unit Level: Business Unit 1 … n, each with a Safety Manager in a support role
• Project Level (Development): Project Safety Managers for the individual projects of each business unit
PART 2, CLAUSE 6.4.3.4, 6.4.3.5
SAFETY PLAN

• Each safety activity shall be documented and structured in a project specific “Safety Plan”
• The safety plan may either be an independent plan or integrated into the project plan.
• The safety plan may contain references to other plans (e.g. V&V plan)

• The Safety Plan is a living document for planning, coordination and documentation of safety activities
EXAMPLE CONTENT OF THE
SAFETY PLAN

• Planning of all project-specific safety activities
  – Activities in accordance with the safety lifecycle
  – Definition of responsibilities according to the DIA (Development Interface Agreement)
  – Justifications of tailoring
• Planning of safety verification measures
• Planning of confirmation measures
• Planning of safety analyses
• Documentation of used software tools and their qualification
• …

Attached template: Day 1_1 SafetyPlan_Template_en_2017_0321.xlsm

PART 2, CLAUSE 6.4.6
SAFETY CASE

• The “Safety Case” is the assembly of all documents and information which document the Functional Safety of a product (all the safety arguments)
• The Safety Case is typically derived from the Work Products of the lifecycle phases
• The Safety Plan provides the basis for the Safety Case

Note: For ASIL A, the creation of a Safety Case is not a mandatory requirement

PART 2, CLAUSE 6.4.7
CONFIRMATION MEASURES

• 3 activities are required to confirm the achievement of Functional Safety:
  1. Review of the results (work products) of safety activities
  2. Audit of the Functional Safety processes during series (production) development
  3. Assessment of Functional Safety prior to production approval

AUDIT VS. ASSESSMENT

• Automotive SPICE and ISO 26262 use the expressions with different meanings:

• Automotive SPICE uses the expression Assessment for the evaluation of the maturity level of the development processes of a company or department.

• ISO 26262 uses the expression Assessment for the evaluation of the product safety with respect to Functional Safety. For the evaluation of development processes in the context of Functional Safety, ISO 26262 uses the expression Audit.

REQUIRED INDEPENDENCE FOR THE
CONFIRMATION MEASURES

• The confirmation measures may not be performed by the originator of the work product or activity to be confirmed
• Further requirements are:
  –  : No requirement
  I0 : The confirmation measure should be performed
  I1 : The confirmation measure shall be performed
  I2 : The confirmation measure shall be performed by a member of a different team, i.e. not reporting to the same direct superior
  I3 : The confirmation measure shall be performed by a person from a different department or organization, i.e., independent from the relevant department regarding management, resources, and responsibility for release for production

REQUIRED INDEPENDENCE FOR THE
CONFIRMATION MEASURES

Required independence per ASIL:

Confirmation measure                                              A    B    C    D    Scope
Confirmation review of the hazard analysis and risk assessment    I3   I3   I3   I3   The scope of this review shall include the correctness of the determined ASILs and QM ratings of the identified hazards for the item and a review of the safety goals
Confirmation review of the safety plan                            -    I1   I2   I3   Applies to the highest ASIL among the safety goals of the item
Confirmation review of the item integration and testing plan      I0   I1   I2   I3   Applies to the highest ASIL among the safety goals of the item
Confirmation review of the validation plan                        I0   I1   I2   I3   Applies to the highest ASIL among the safety goals of the item
Confirmation review of the safety analyses                        I1   I1   I2   I3
Confirmation review of the software tool qualification report     -    I0   I1   I1   Applies to the highest ASIL of the requirements that can be violated by the use of the tool
Confirmation review of the proven in use arguments                I0   I1   I2   I3   Applies to the ASIL of the safety goal or requirement related to the considered behavior, or function, of the candidate
Confirmation review of the completeness of the safety case        I0   I1   I2   I3   Applies to the highest ASIL among the safety goals of the item
Functional safety audit                                           -    I0   I2   I3   Applies to the highest ASIL among the safety goals of the item
Functional safety assessment                                      -    I0   I2   I3   Applies to the highest ASIL among the safety goals of the item

Reference: ISO 26262-2, §6.4.7.1, Table 1
PART 2, CLAUSE 6.4.8
AUDIT OF FUNCTIONAL SAFETY

• Functional safety audits can be performed cyclically throughout development (e.g., every year)
• One or more persons shall be appointed to carry out one or more functional safety audits.
• The appointed persons shall provide a report that contains an evaluation of the implementation of the processes required for functional safety

• The Audit Report confirms that processes are followed according to ISO 26262
PART 2, CLAUSE 6.4.9
ASSESSMENT OF FUNCTIONAL
SAFETY

• Represents the evaluation of Functional Safety
• Has to be planned as a part of safety activities
• Can be done as one entire single step before release for production or (recommended) in several steps (e.g. at each development phase or after each major milestone)
• Output is a recommendation for acceptance, conditional acceptance, or rejection of the functional safety

• The Assessment Report confirms (and, if applicable, describes deficiencies) that a product is functionally safe according to ISO 26262
ISO 26262 Training - Day 1 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 71
EXAMPLE
ASSESSMENT REPORT

• Example of an Assessment Report [figure not reproduced]
ASSESSMENT IN THE SUPPLY CHAIN

Diagram: each party in the supply chain runs its own chain Safety Plan -> WPs -> Safety Case -> FSA -> FSAR, and work products are exchanged between the levels according to contract and DIA.

Car Manufacturer (OEM):                           Safety Plan -> WPs -> Safety Case -> FSA -> FSAR
     ^ v  Exchange of WPs acc. contract / DIA
System Supplier (Tier1/2):                        Safety Plan -> WPs -> Safety Case -> FSA -> FSAR
     ^ v  Exchange of WPs acc. contract / DIA
HW Element Supplier (e.g. Sensor Supplier):       Safety Plan -> WPs -> Safety Case -> FSA -> FSAR

WP = Work Product, FSA = Functional Safety Assessment, FSAR = Functional Safety Assessment Report
CONTENT OF
ASSESSMENT OF FUNCTIONAL SAFETY

Functional Safety Assessment is described as
• ISO 26262-1:2011, 1.4
  • examination of a characteristic of an item or element
• ISO 26262-1:2016 (DIS), 3.3
  • examination of a characteristic of an item or systems or elements achieves the ISO 26262:2018 objectives

• Functional Safety Assessment means the check of characteristics against Functional Safety objectives
TARGET OF
ASSESSMENT OF FUNCTIONAL SAFETY

The target of a Functional Safety Assessment is described as:
• ISO 26262-1:2011, Clause 6.4.9.3
  • […] a judgment of the achieved functional safety
• ISO 26262-1:2016 (DIS), Clause 6.4.7.3 c)
  • a functional safety assessment to judge the achieved functional safety of the item […]

• A Functional Safety Assessor needs as much information as possible to be able to make a judgment with respect to the achievement of Functional Safety
ROLE OF ASSESSORS

• Functional Safety Assessors are like judges, who decide about the achievement of Functional Safety
• They judge on the basis of many years of experience in their field of assessment
• Their law code is ISO 26262

• Assessors add value by a final judgment about Functional Safety
PART 2, CLAUSE 7
SAFETY MANAGEMENT AFTER RELEASE FOR PRODUCTION

Ref. ISO 26262-2, Clause 7
• Roles and responsibilities
• Planning of safety activities
• Field monitoring
• Modification

• Safety Management after SOP means to ensure Functional Safety during production and operation
ROLES AND RESPONSIBILITIES

• Definition of those responsible for safety after SOP
  • Responsibility for safety activities in production
  • Responsibility for safety activities in operation
  • Responsibility for safety activities in the case of modifications (e.g. change requests from recalls)

SOP = Start Of Production

• Definition of the role of one or more safety managers is also needed after start of production
PLANNING OF SAFETY ACTIVITIES AFTER SOP

• Planning of activities to ensure Functional Safety also after SOP shall be started already during system development
  • Planning of the production process
  • Preparation of the production control plan, including the test activities
  • Description of safe manufacturing and implementation (e.g. SW flash/download)
  • Safety instructions for maintenance (e.g. calibration) and operation (safety related information in user manuals)

• Handing over of safety requirements from the development to production, maintenance and operation
FIELD MONITORING AFTER SOP

• Development of a field monitoring process focused on “Functional Safety”
  • Recording of field data (statistics)
  • Recall management

• Typically an extension of the existing warranty process is needed

Reference: ISO 26262-2, §7.4.2
MODIFICATION AFTER SOP

• For each subsequent modification, the impact on Functional Safety must be checked (impact analysis)

• An extension of the existing modification process is typically needed also for production factories
Reference: ISO 26262-2, §7.4.2
SUMMARY
FUNCTIONAL SAFETY MANAGEMENT (1)

• Three levels of FSM to be implemented
  • The Overall Safety Management provides the framework for safety related E/E-development projects
  • Functional Safety Management requires an established Quality Management
  • Safety management during development means to coordinate all project specific safety activities
SUMMARY
FUNCTIONAL SAFETY MANAGEMENT (2)

• The Safety Plan is a living document for planning, coordination and documentation of safety activities
• The Assessment Report confirms (and, if applicable, describes deficiencies) that a product is functionally safe according to ISO 26262
• Functional Safety Assessment means the check of characteristics against Functional Safety objectives
• A Functional Safety Assessor needs as much information as possible to make a judgment with respect to the achievement of Functional Safety
• Assessors add value by a final judgment about Functional Safety
SUMMARY
FUNCTIONAL SAFETY MANAGEMENT (3)

• Definition of the role of one or more safety managers is also needed after start of production
• Handing over of safety requirements from the development to production, maintenance and operation
• Field monitoring typically requires an extension of the existing warranty process
• An extension of the existing modification process is typically needed also for production facilities
RESPONSIBILITIES AND TARGETS

Responsibilities
• Supporting processes are relevant for all parties in the supply chain who have to develop according to ISO 26262 requirements
• Supporting processes have to be established (as far as applicable) as an extension of existing QM-processes
• Supporting processes according to ISO 26262-8 have to be used during all development projects
Targets
• Supporting processes shall ensure a high integrity in avoiding systematic faults in addition to the standard processes
SUPPORTING PROCESSES - OVERVIEW

ISO 26262-8
• Interfaces within distributed developments (clause 5)
• Specification and management of safety requirements (clause 6)
• Project management rules
  • Configuration management (clause 7)
  • Change management (clause 8)
  • Documentation (clause 10)
• Verification (clause 9)
• Confidence in the use of software tools (clause 11)
• Qualification of
  • Software components (clause 12)
  • Hardware components (clause 13)
• Proven in use argument (clause 14)
PART 8, CLAUSE 5
INTERFACES WITHIN DISTRIBUTED DEVELOPMENTS
(Attachment: Day 1_2 DIA_Template_en_2017_0321.xlsx)

• Selection of suppliers
  • Evaluate whether or not supplier is able to develop in accordance with ISO 26262
  • Address proper safety requirements within RFQ
  • Provide necessary input information to the supplier
• Project handling
  • Agreement of a Development Interface Agreement (DIA) covering:
    – Safety managers of all parties involved
    – Tailoring of the safety lifecycle
    – Assignment of activities and responsibilities (e.g. according to RASIC - Responsible, Accountable, Supported, Informed, Cooperation)

• The Development Interface Agreement (DIA) shall coordinate the responsibilities for the safety lifecycle activities
HIERARCHY OF SAFETY REQUIREMENTS

Vehicle                                       Functionally safe vehicle
  Item 1, Item 2, Item 3 … Item N             Functionally safe functions with E/E-components
    SG 1 (ASILx) … SG n (ASILx)               Safety Goals (SG) to be achieved with a defined Safety Integrity (=ASIL)
      FSR 1 (ASILx) … FSR n (ASILx)           Functional Safety Requirements (FSR) to achieve Safety Goals
        TSR 1 (ASILx) … TSR n (ASILx)         Technical Safety Requirements (TSR) to achieve FSR (if not given by a customer, TSRs are based on assumptions)
          HW/SW-SR (ASILx) 1…n                HW/SW Safety Requirements to achieve TSR (necessary input)
PART 8, CLAUSE 6
MANAGEMENT OF SAFETY REQUIREMENTS – TRACEABILITY

Supply chain                          Responsible for
Car Manufacturer (OEM)                Functionally safe vehicle functions
  | Safety Requirements
System Supplier (1st Tier) *          Functionally safe systems
  | Safety Requirements
Component Supplier (Sensors, etc.)    Functionally safe system elements
  | Safety Requirements
IC Supplier (µC, ASIC etc.)           Functionally safe parts (ICs, IPs)

• Traceability of safety requirements shall be given from safety goals down to hardware and software safety requirements
*Source: http://www.caranddriver.com/features/electric-feel-nissan-digitizes-steering-but-the-wheel-remains-feature
PART 8, CLAUSE 7
PROJECT MANAGEMENT RULES (1)

• Configuration management
  • In accordance with the process
    – ISO TS 16949 (Quality management systems) or
    – ISO 10007 (Quality management systems -- Guidelines for configuration management) or/and
    – ISO 12207 (Systems and software engineering)
  • To be applied to all work products of the safety lifecycle and to be documented in the Configuration Management Plan
  • To be performed during the entire safety lifecycle
PART 8, CLAUSE 8
PROJECT MANAGEMENT RULES (2)
CHANGE MANAGEMENT

Triggers of a change request:
• Changed operating conditions
• Systematic failures
• Modification of the item
• Changed safety requirements
• Accident experience
• Amended legislation

Change management flow (diagram):
Change request -> Impact analysis (including hazard analysis and risk assessment) -> Impact analysis report -> Back to the relevant phase of the safety lifecycle -> Approval and documentation of change
PROJECT MANAGEMENT RULES (3)

• Documentation
  • Standard QM requirements
  • Documents must be referenced to work products (traceability)
  • ISO 26262 does not provide requirements regarding retention period

• Project Management Rules also apply for safety relevant developments
PART 8, CLAUSE 9
VERIFICATION

• Methods for verification
  • Review
  • Simulation
  • Test
  • Calculation

• Test environment
• Criteria for “pass / fail”
• Clear reference to the safety requirements (traceability)
• Tools used
• Verification steps shall be continuously planned and refined
VERIFICATION - METHODS

Notation of the table: alternative entries (1a, 1b, 1c, etc.) mean that an appropriate combination of methods shall be applied; consecutive entries are marked by a sequence number in the leftmost column (e.g. 1, 2, 3).

• Requirements must be verified using methods according to the ASIL:

Method                                          | ASIL A | B  | C  | D
1a Verification by walk-through                 | ++     | +  | o  | o
1b Verification by inspection (defined process) | +      | ++ | ++ | ++
1c Semi-formal verification                     | +      | +  | ++ | ++
1d Formal verification                          | o      | +  | +  | +

“++” Method is highly recommended for this ASIL; rationale must be documented if not applied
“+” Method is recommended for this ASIL
“o” Method is neither recommended nor not recommended.
Reference: ISO 26262-8, §6.4.3.3 Table 2
PART 8, CLAUSE 11
CONFIDENCE IN THE USE OF SOFTWARE TOOLS

• SW tools in safety applications must be qualified for their intended use case
• A SW tool is qualified when the required Tool Confidence Level (TCL) has been achieved

For more details see Day 4

• Confidence in SW tools has to be established for their use in safety relevant developments
PART 8, CLAUSE 12
QUALIFICATION OF SOFTWARE COMPONENTS

• SW components can be qualified
• Qualification is often through testing

For more details see Day 4

• Frequently used SW components are typically qualified by validation tests
PART 8, CLAUSE 13
QUALIFICATION OF HARDWARE COMPONENTS

Complexity (see also next page)                                         | Safety-related basic hardware part | Safety-related intermediate hardware part | Safety-related intermediate hardware component | Safety-related complex hardware component
Evidence for Functional Safety by qualification (acc. AEC-Q standards)  | Applicable                         | Applicable                                | Applicable                                     | Not applicable
Evidence for Functional Safety by development acc. ISO 26262            | Not applicable                     | Not applicable                            | Applicable                                     | Applicable
Acc. ISO 26262-8, Table 6, modified by SGS-TÜV Saar

Note: The standard describes a dependence between HW-complexity and the requirement to develop the hardware according to ISO 26262. In reality it makes more sense to develop HW according to ISO 26262 when Functional Safety Requirements are inherited by the HW-part or HW-component to be developed.

• This is to distinguish between hardware parts/components to be developed according to ISO 26262 or only to be qualified
COMPLEXITY OF HARDWARE COMPONENTS (EXAMPLES)

Basic hardware parts       | Intermediate hardware components and/or hardware parts | Complex hardware components
• Passive components       | • Simple sensors (e.g. switch)                          | • ECU
• Discrete semiconductor   | • Smart sensors                                         | • Complex ICs (e.g. µC, ASIC with complex function)
• Resistors                | • Actuators                                             |
• Transistors              | • Simple ICs (e.g. ASIC with dedicated function)        |

Table from the planned PAS 19451
PART 8, CLAUSE 14
PROVEN IN USE ARGUMENT

• Demonstrates proven safe operational functionality
• Only that part of the safety lifecycle may be omitted to which the “Proven in use argument” is applied
• In all cases Field Data is required for the arguments
• Due to incomplete field data it typically is difficult to use the proven in use argument
PART 8, CLAUSE 14
PROVEN IN USE ARGUMENT
14.4.5.2.4 For a proven in use status to be obtained by the candidate, its service period shall demonstrate compliance with each safety goal that can be violated by the candidate in accordance with Table 7 with a single-sided lower confidence level of 70 % (using a chi-square distribution).

NOTE 3 Table 8 gives an example of the required minimum service period without observable incident which is necessary to achieve 70 % confidence:

(An example of proven-in-use argumentation is available in ISO 26262-10, Clause 9)
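The 70 % single-sided confidence requirement quoted above becomes a concrete minimum service period only once the allowed incident rate is fixed. The Python block below is an added worked example, not part of the training material and not code from SGS-TÜV or from the standard: it computes the chi-square based bound for a given allowed rate and number of observed incidents, so the shape of Table 8 can be reproduced, and it also shows how a single observed incident roughly doubles the service period that must be accumulated. The allowed rate of 10^-9 incidents per hour used in the demonstration is an assumed input; the rates that apply per ASIL are in Table 7 of ISO 26262-8, which this page does not reproduce. The chi-square quantile with 2(k+1) degrees of freedom is obtained from the equivalent Poisson tail by bisection, so only the standard library is needed.

```python
import math

CONFIDENCE = 0.70  # single-sided lower confidence level required by ISO 26262-8, 14.4.5.2.4


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for a Poisson variable with mean mu, built term by term."""
    term = math.exp(-mu)
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total


def chi_square_half_quantile(incidents: int, confidence: float = CONFIDENCE) -> float:
    """Return chi2(confidence, 2 * (incidents + 1)) / 2.

    The chi-square quantile with 2(k+1) degrees of freedom equals twice the
    Poisson mean mu at which P(X <= k) = 1 - confidence, so it is found here by
    bisection on the Poisson CDF instead of a statistics library.  For zero
    incidents the result is -ln(1 - confidence), i.e. about 1.204 at 70 %.
    """
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(incidents, hi) > target:   # grow the bracket until the CDF drops below the target
        hi *= 2.0
    for _ in range(200):                          # bisection to machine precision
        mid = (lo + hi) / 2.0
        if poisson_cdf(incidents, mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def min_service_period_hours(allowed_rate_per_hour: float, incidents: int = 0,
                             confidence: float = CONFIDENCE) -> float:
    """Minimum accumulated service period (hours) the candidate must show with
    `incidents` observable incidents so that the upper confidence bound on the
    incident rate does not exceed allowed_rate_per_hour."""
    return chi_square_half_quantile(incidents, confidence) / allowed_rate_per_hour


def observed_rate_upper_bound(service_hours: float, incidents: int,
                              confidence: float = CONFIDENCE) -> float:
    """Upper confidence bound on the incident rate derived from field data."""
    return chi_square_half_quantile(incidents, confidence) / service_hours


def proven_in_use_met(service_hours: float, incidents: int,
                      allowed_rate_per_hour: float) -> bool:
    """True when the field data supports the allowed rate at the required confidence."""
    return observed_rate_upper_bound(service_hours, incidents) <= allowed_rate_per_hour


if __name__ == "__main__":
    ASSUMED_RATE = 1e-9  # assumed allowed incident rate per hour (not taken from Table 7)
    for k in range(3):
        hours = min_service_period_hours(ASSUMED_RATE, k)
        print(f"{k} incident(s): minimum service period {hours:.3g} h")
    print("1.3e9 h, 0 incidents:", proven_in_use_met(1.3e9, 0, ASSUMED_RATE))
    print("1.3e9 h, 1 incident: ", proven_in_use_met(1.3e9, 1, ASSUMED_RATE))
```

The zero-incident case gives 1.204 / rate, which is where the "1.2 x 10^n hours" figures of the standard's example table come from; the bisection makes the same calculation available for candidates whose field history contains one or more observable incidents, where the closed form no longer applies.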
SUMMARY
SUPPORTING PROCESSES (1)

• The Development Interface Agreement (DIA) shall coordinate the responsibilities for the safety lifecycle activities
• Traceability of safety requirements shall be established starting from the safety goals all the way down to hardware and software safety requirements
• Project Management Rules also apply for safety relevant development
• Verification steps shall be continuously planned and refined
SUMMARY
SUPPORTING PROCESSES (2)

• Confidence in SW tools has to be established for their use in safety relevant development
• Frequently used SW components are typically qualified by validation tests
• Distinguishing between hardware parts and components determines whether to develop according to ISO 26262 or only to qualify
• Due to incomplete field data it is typically difficult to use the proven in use argument
HARA AS PART OF THE CONCEPT PHASE
RESPONSIBILITIES AND TARGETS

Responsibilities
• Typically the responsibility of the car manufacturer (OEM) or Tier 1 supplier, who have the knowledge about the behavior of the vehicle in the event of malfunctions together with all operational conditions.
• If the final context (item to be implemented) is not known in detail, a so called Safety Element out of Context (SEooC) can be supplied. The SEooC is based on assumptions for the Concept Phase of development

Targets
• Identification of potential risks due to a malfunctioning behavior of E/E-functions at vehicle level

• In all cases the concept of the HARA has to be understood by all parties of the supply chain
WORKFLOW DURING IN CONTEXT AND OUT OF CONTEXT DEVELOPMENT

In Context development                              | Out of context development
Concept Phase acc. ISO 26262-3:                     |
  Item Definition                                   | Assumptions for the item‘s use and functionality -> Application assumption document
  HARA (Hazard Analysis and Risk Assessment)        | Assumptions for Safety Goals (at vehicle level) and related ASIL
  Functional Safety Concept                         | Assumptions for functional safety requirements and design
System develop. acc. ISO 26262-4:                   |
  Technical Safety Concept                          | Assumptions for technical safety requirements and system design
Input from both columns -> HW/SW-Safety requirements and design
PART 3, CLAUSE 5
ITEM DEFINITION
INPUT INFORMATION FOR HARA

• Description of the function, which shall be implemented at vehicle level
• Functional block diagram representing functional elements and their interaction (includes interaction with other items)
• Definition of environmental and use conditions
• Legal and normative requirements (e.g., FMVSS, ECE)
• External risk reduction measures at vehicle level (e.g. user manual, driver licence etc.)
• The item definition describes the context of the item within the vehicle and its use, to get enough information for the following assessment of possible hazards at vehicle level
ITEM DEFINITION: EXAMPLE

• Introduction to a simplified example, which will be the basis for the training exercises
ITEM DEFINITION: EXAMPLE

Item Definition (1/5)

1 Purpose of the document
The system under development must be fully understood and described in order to ensure that all activities of the safety lifecycle can be adequately executed and that the hazard analysis and risk assessment can be elaborated with the correct assumptions.

ITEM DEFINITION: EXAMPLE

Item Definition (2/5)

2 Description of function (simplified)
The considered item describes the function “Torque Demand” for the use in E-cars.
By pressing the acceleration pedal (by driver request) the corresponding torque shall be given from the E-motor.
The function is used in series passenger vehicles all over the world.
The energy supply is realized by a HV battery. The driver shall be informed about operation and faults in the system.

ITEM DEFINITION: EXAMPLE

Item Definition (3/5)

3 Functional Block Diagram

ITEM DEFINITION: EXAMPLE

Item Definition (4/5)

4 Environmental Conditions
To be specified in the environmental specification
Use of the cars in public traffic

5 Laws and Standards
ECE-R100 (Europe)
Laws of other countries to be considered
ISO 26262

ITEM DEFINITION: EXAMPLE

Item Definition (5/5)

6 External Measures for Risk Reduction
Driver license required
Active and passive safety features (airbags, safety belt etc.)
There is an independent mechanical mechanism implemented to protect the vehicle in parking position against unwanted movement
PART 3, CLAUSE 7
HAZARD ANALYSIS AND RISK ASSESSMENT (HARA)

• Analysis of the impact on humans due to malfunctioning behavior of the defined item
• Assessment of the risk by using a standardized method
• Deriving safety goals at the vehicle level with the required integrity (ASIL)
HAZARD ANALYSIS PROCEDURE

Risk graph (diagram): the horizontal axis is the Severity of Harm caused by E/E system malfunction (Factor S), from low to high; the vertical axis is the Probability of occurrence of Harm caused by E/E system malfunction, from extremely improbable to always, which is composed of
• Factor E: Exposure to the dangerous situation
• Factor C: (Un)-Controllability of the dangerous situation
The upper right region of the graph is unacceptable risk; the lower left region is acceptable (residual) risk.

• The risk potential of a malfunction is derived from the parameters S, E and C
TYPICAL STEPS
HAZARD ANALYSIS AND RISK ASSESSMENT

Step 1: Responsibilities
Step 2: Identification of possible malfunctions of the item
Step 3: Selection of scenarios under consideration
Step 4: Alignment of the risk assessment matrix and determination of the risk parameters
Step 5: Evaluation of the results
Step 6: Verification of the analysis results
STEP 1: RESPONSIBILITIES

• Typical responsibility is the vehicle manufacturer (OEM)
• For developing assumptions in the case of SEooC development, it is necessary to obtain knowledge about the methodology of the HARA and the end customer requirements (e.g. by market analysis)
• Discussion of the analysis with a team of experts
  • Covering of different points of view (also external experts may be useful)
  • With respect to legal consequences a minimum number of 3 persons is recommended (recommendation by SGS-TÜV)
  • Signature of all participants is recommended
STEP 2: IDENTIFICATION OF POSSIBLE MALFUNCTIONS OF THE ITEM

• Description of malfunctions at functional level (cause of failures not necessary)
• Consider the following:
  • Function is not or incorrectly executed when it is required (e.g. park brake does not work when executed)
  • Function is executed without a requirement (e.g. park brake is unintentionally executed during driving)
STEP 3: SELECTION OF SCENARIOS TO BE CONSIDERED

• Determine representative vehicle operational conditions, environmental conditions and driving scenarios
• Combination of all aspects to scenarios to be considered
• Reasonable selection of scenarios to be considered; typically the focus is on the worst cases
STEP 4: ALIGNMENT OF THE RISK ASSESSMENT MATRIX

• Combination of possible malfunctions from step 2 with scenarios to be considered from step 3 in an assessment matrix
  Result: hazardous events
• Description of the expected impacts to involved persons
• Determination of the risk parameters (Severity S, Exposure E, Controllability C) and argumentation for their selection
• Determination of the potential risk (ASIL) from the standardized risk matrix (provided by the standard)
PARAMETER “S“ (SEVERITY)

• Statistical impact to persons

Class                                          | S0                                                                                             | S1                                                      | S2                                                            | S3
Description                                    | No injuries                                                                                    | Light and moderate injuries                             | Severe injuries, possibly life-threatening, survival probable | Life-threatening injuries (survival uncertain) or fatal injuries
Reference for single injuries (from AIS scale) | AIS 0; damage that cannot be classified safety-related, e.g. bumps with roadside infrastructure | More than 10% probability of AIS 1-6 (and not S2 or S3) | More than 10% probability of AIS 3-6 (and not S3)             | More than 10% probability of AIS 5-6

Reference: ISO 26262-3, Table 1 and B.1
AIS-SCALE

AIS 0: No injury
AIS 1: Light injuries such as superficial wounds, muscular pains, etc.
AIS 2: Moderate injuries such as deep flesh wounds, brain concussion with loss of consciousness up to 15 min, uncomplicated tubular bone fractures, uncomplicated rib fractures, etc.
AIS 3: Severe, non-life-threatening injuries such as skull fractures without brain injury, spinal column dislocations below the fourth cervical vertebra without spinal cord involvement, multiple rib fractures without paradoxical breathing, etc.
AIS 4: Severe injuries (life-threatening, survival probable) such as brain concussion with or without skull fracture with unconsciousness up to 12 hours, paradoxical breathing
AIS 5: Critical injuries (life-threatening, survival uncertain) such as spinal column fractures below the fourth cervical vertebra with spinal cord involvement, intestinal ruptures, heart ruptures, unconsciousness of more than 12 hrs including cerebral hemorrhage
AIS 6: Severest or fatal injuries such as cervical vertebra fractures above the third cervical vertebra with spinal cord involvement, severest open dual cavity injuries (thoracic and abdominal cavities) etc.

Reference: https://en.wikipedia.org/wiki/Abbreviated_Injury_Scale
EXAMPLES (ONLY INFORMATIVE)

S0:
• Bumps with roadside infrastructure
• Pushing over roadside post, fence, etc.
• Light collision
• Light grazing damage
• Damage entering/exiting parking space
• Leaving the road without collision or rollover

S1:
• Side impact with a narrow stationary object, e.g. crashing into a tree (impact to passenger cell) with very low speed
• Side collision with a passenger car (e.g. intrudes upon passenger compartment) with very low speed
• Rear/front collision with another passenger car with very low speed
• Collision with minimal vehicle overlap (10-20%)

S2:
• Side impact with a narrow stationary object, e.g. crashing into a tree (impact to passenger cell) with low speed
• Side collision with a passenger car (e.g. intrudes upon passenger compartment) with low speed
• Rear/front collision with another passenger car with low speed
• Pedestrian/bicycle accident while turning (city intersection and streets)
• Front collision (e.g., rear-ending another vehicle, semi-truck, etc.) without passenger compartment deformation

S3:
• Side impact with a narrow stationary object, e.g. crashing into a tree (impact to passenger cell) with medium speed
• Side collision with a passenger car (e.g. intrudes upon passenger compartment) with medium speed
• Rear/front collision with another passenger car with medium speed
• Pedestrian/bicycle accident (e.g., 2-lane road)
• Front collision (e.g., rear-ending another vehicle, semi-truck, etc.) with passenger compartment deformation

Reference : ISO 26262-3, §B.2.2 Table B.1
PARAMETER E (EXPOSURE)

• Parameter E0 is used for very rare events (natural disasters)
• Consider either the duration or frequency of the considered situation

E0         | E1                   | E2              | E3                 | E4
Incredible | Very low probability | Low probability | Medium probability | High probability

Reference: ISO 26262-3, Table 2

Duration is used when:
• the hazardous event occurs due to the sudden malfunction during the situation under consideration

Frequency is used when:
• the malfunction already exists and the hazardous event only occurs when the situation under consideration occurs (typically a change from one driving situation to another)
EXAMPLE
DURATION - FREQUENCY

• Example when to consider “Duration”
  • Scenario: Car driving on a country road in the night
  • Malfunction: Headlights fail off
  • The fault occurs during the considered situation. The relevant parameter here is the duration of the situation (driving at night)

• Example when to consider “Frequency”
  • Scenario: Car driving into an unlit tunnel. The driver wants to switch on the headlights
  • Malfunction: Headlights fail to turn on
  • The fault exists already before the situation occurs. The relevant parameter here is the frequency of the situation (unlit tunnel)
EXAMPLES FOR PARAMETER E (ONLY INFORMATIVE)

Consideration of duration (part 1)

Class                                  | E1            | E2                                                                                                   | E3                                                         | E4
Duration (% of average operating time) | Not specified | <1%                                                                                                  | 1%-10%                                                     | >10%
Road layout                            |               | Mountain pass with unsecured steep slope; Country road intersection; Highway entrance ramp; Highway exit ramp | One-way street (city street); Secondary road; Country road | Highway
Road surface                           |               | Snow and ice on road; Slippery leaves on road                                                        | Wet road                                                   |
Nearby elements                        |               | Lost cargo or obstacle in lane of travel (highway); In car wash; Nearing end of congestion (highway) | In tunnel; Traffic congestion                              |

Reference : ISO 26262-3, §B.3 Table B.2
EXAMPLES FOR PARAMETER E (ONLY INFORMATIVE)

Consideration of duration (part 2)

Class                                  | E1                                                          | E2                                                                                                               | E3                            | E4
Duration (% of average operating time) | Not specified                                               | <1%                                                                                                              | 1%-10%                        | >10%
Vehicle stationary state               | Vehicle during jump start; In repair garage (on roller rig) | Trailer attached; Roof rack attached; Vehicle being refuelled; In repair garage (during diagnosis or repair); On hoist | Vehicle on a hill (hill hold) |

Reference : ISO 26262-3, §B.3 Table B.2
EXAMPLES FOR PARAMETER E (ONLY INFORMATIVE)

Consideration of duration (part 3)

Class                                  | E1                                               | E2                                                                                                                                                  | E3                                                                                                                                                                 | E4
Duration (% of average operating time) | Not specified                                    | <1%                                                                                                                                                 | 1%-10%                                                                                                                                                             | >10%
Manoeuvre                              | Driving downhill with engine off (mountain pass) | Driving in reverse (from parking spot); Driving in reverse (city street); Overtaking; Parking (with sleeping person in vehicle); Parking (with trailer attached) | Heavy traffic (stop and go); Executing a turn (steering); Parking (parking lot); Lane change (city street); Stopping at traffic light (city street); Lane change (highway) | Accelerating; Decelerating
Visibility                             |                                                  | Unlighted roads at night                                                                                                                            |                                                                                                                                                                    |

Reference : ISO 26262-3, §B.3 Table B.2
EXAMPLES FOR PARAMETER E (ONLY INFORMATIVE)

Consideration of frequency (part 1)

Class                    | E1                                                                                                | E2                                                           | E3                                                        | E4
Frequency of situation   | Occurs less often than once a year for the great majority of drivers                              | Occurs a few times a year for the great majority of drivers  | Occurs once a month or more often for an average driver   | Occurs during almost every drive on average
Road layout              |                                                                                                   | Mountain pass with unsecured steep slope                     |                                                           |
Road surface             |                                                                                                   | Snow and ice on road                                         | Wet road                                                  |
Nearby elements          |                                                                                                   | In car wash                                                  | In tunnel; Traffic congestion                             |
Vehicle stationary state | Stopped, requiring engine restart (at railway crossing); Vehicle being towed; Vehicle during jump start | Trailer attached; Roof rack attached                    | Vehicle being refuelled; Vehicle on a hill (hill hold)    |

Reference : ISO 26262-3, §B.3 Table B.3
EXAMPLES FOR PARAMETER E
(ONLY INFORMATIVE)

Consideration of frequency (part 2)

Class                   E1                                    E2                                  E3                                   E4
Frequency of situation  Occurs less often than once a year    Occurs a few times a year for the   Occurs once a month or more often    Occurs during almost every drive
                        for the great majority of drivers     great majority of drivers           for an average driver                on average

Manoeuvre                 E2:  Evasive manoeuvre, deviating from desired path
                          E3:  Overtaking
                          E4:  Starting from standstill; Shifting transmission gears; Accelerating; Braking; Executing a turn (steering); Using indicators; Manoeuvring vehicle into parking position; Driving in reverse

Reference: ISO 26262-3, §B.3 Table B.3
PARAMETER C (CONTROLLABILITY)

Class  Name                                     Definition
C0     Controllable in general                  Controllable in general
C1     Simply controllable                      99% or more of all drivers or other traffic participants are usually able to avoid harm
C2     Normally controllable                    90% or more of all drivers or other traffic participants are usually able to avoid harm
C3     Difficult to control or uncontrollable   Less than 90% of all drivers or other traffic participants are usually able, or barely able, to avoid harm

• Controllability means control of the hazardous situation by the driver and/or other traffic participants such as pedestrians (those at risk of harm)
• C2 can be evaluated by user tests (e.g., blind tests)
• C1 is typically seen as not testable because of the high number of tests that would be required
Reference: ISO 26262-3, §B.4 Table B.4
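The slide states that C2 can be shown by user tests while C1 is normally not testable. The script below, added here as an illustration and not part of the original training material or of ISO 26262, quantifies that gap with a plain one-sided binomial argument: each test subject either controls the situation or not, subjects are independent, and a class is "demonstrated" when the observed result would be unlikely (95% confidence, an assumed level) if the true control rate were at or below the class threshold. The names subjects_required and subjects_per_class are this example's own.

```python
"""Added example (not from the SGS-TUV/kVA slides): how many test subjects a
controllability user test needs to support a C2 (>= 90 %) or C1 (>= 99 %)
claim. ISO 26262 does not prescribe this calculation; the one-sided binomial
argument, the 95 % confidence level and the pass/fail test design are
assumptions made here to quantify why C1 is seen as not testable."""
from math import comb

# Share of drivers / traffic participants usually able to avoid harm,
# per the C definitions on this page (ISO 26262-3 Table B.4).
CONTROL_SHARE = {"C1": 0.99, "C2": 0.90}


def prob_at_most(failures: int, n: int, p_control: float) -> float:
    """P(at most `failures` of n subjects fail to control the situation)
    when each subject controls it independently with probability p_control."""
    q = 1.0 - p_control
    return sum(comb(n, k) * q ** k * p_control ** (n - k) for k in range(failures + 1))


def subjects_required(p_min: float, confidence: float = 0.95, failures: int = 0) -> int:
    """Smallest n such that seeing at most `failures` uncontrolled outcomes in n
    trials rejects 'true control rate <= p_min' at the given one-sided confidence.
    With failures=0 this is the smallest n with p_min**n <= 1 - confidence."""
    alpha = 1.0 - confidence
    n = failures + 1
    while prob_at_most(failures, n, p_min) > alpha:
        n += 1
    return n


def subjects_per_class(confidence: float = 0.95, failures: int = 0) -> dict:
    """Required test population for each class a user test could be asked to
    demonstrate, for a given number of tolerated uncontrolled outcomes."""
    return {cls: subjects_required(p, confidence, failures)
            for cls, p in CONTROL_SHARE.items()}


if __name__ == "__main__":
    for f in (0, 1):
        print(f"allowed failures = {f}:", subjects_per_class(0.95, f))
```

With no failure tolerated, demonstrating 90% takes 29 subjects but 99% takes 299, and each tolerated failure pushes both numbers up (46 subjects for C2 with one failure). That order-of-magnitude difference is why a C1 rating is usually argued from the situation rather than measured, and why a C2 rating backed by a test of a few dozen subjects is only as good as the representativeness of those subjects.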
EXAMPLES FOR PARAMETER C
(ONLY INFORMATIVE)

Class  Situation in which the failure occurs                  Driver action
C0     Situations that are considered distracting             Maintain intended driving path
C0     Unexpected radio volume increase                       Maintain intended driving path
C0     Warning message – gas low                              Maintain intended driving path
C0     Unavailability of a driver assisting system            Maintain intended driving path
C1     Faulty adjustment of seat position while driving       Brake to slow/stop vehicle
C1     Blocked steering column when starting the vehicle      Brake to slow/stop vehicle
C2     Failure of ABS during emergency braking                Maintain intended driving path

Reference: ISO 26262-3, §B.4 Table B.4
EXAMPLES FOR PARAMETER C
(ONLY INFORMATIVE)

Class  Situation in which the failure occurs                                               Driver action
C2     Headlights fail while night driving at medium/high speed on unlighted road          Steer to side of road or brake to stop
C2     Motor failure at high lateral acceleration (motorway exit)                          Maintain intended driving path
C3     Failure of ABS when braking on low friction road surface while executing a turn     Maintain intended driving path, stay in lane
C3     Failure of brakes                                                                   Brake to slow/stop vehicle
C3     Incorrect steering angle with high angular speed at medium or high vehicle speed    Maintain intended driving path, stay in lane
       (steering angle change not aligned to driver intent)
C3     Faulty driver airbag release when travelling at high speed                          Maintain intended driving path, stay in lane; brake to slow/stop vehicle

Reference: ISO 26262-3, §B.4 Table B.4
RISK MATRIX

– QM (Quality Management): the item follows the normal development process; no ASIL and no safety goal are required
– SAE J2980 was developed to harmonize the classification of the S, E and C levels

ASIL determination from Severity S, Exposure E and Controllability C:

Severity S   Exposure E   C1        C2        C3
S1           E1           QM        QM        QM
S1           E2           QM        QM        QM
S1           E3           QM        QM        ASIL A
S1           E4           QM        ASIL A    ASIL B
S2           E1           QM        QM        QM
S2           E2           QM        QM        ASIL A
S2           E3           QM        ASIL A    ASIL B
S2           E4           ASIL A    ASIL B    ASIL C
S3           E1           QM        QM        ASIL A
S3           E2           QM        ASIL A    ASIL B
S3           E3           ASIL A    ASIL B    ASIL C
S3           E4           ASIL B    ASIL C    ASIL D

Reference: ISO 26262-3, Table 4
STEP 5:
EVALUATION OF THE HARA RESULTS

• Determine the worst case scenario per malfunction. Top event = the malfunction in its worst case scenario.
• Define safety goals to prevent top events rated ASIL A or higher (ASIL ≥ A); a top event rated QM needs no safety goal.
• One safety goal may prevent more than one top event (a summary of top events is possible).
• Preventing one top event may require more than one safety goal.
• Safety goals are defined at the vehicle level and are the top-level safety requirements, from which all other safety requirements are derived.
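The risk matrix and the Step 5 evaluation can be run end to end. The script below is an added illustration, not part of the original SGS-TÜV/kVA material: it encodes ISO 26262-3 Table 4 as printed in the risk matrix above, treats S0/E0/C0 as QM, determines the worst case scenario per malfunction and flags whether a safety goal is needed. Its input is the S/E/C ratings from the worked HARA example later on this page (two torque malfunctions over four scenarios). The tie-break between equally rated scenarios and all identifiers (determine_asil, Rating, worst_case, evaluate_hara) are this example's own, and the cross-check against the well-known additive shortcut (ASIL from S + E + C minus 7) is something the slides do not state.

```python
"""Added example (not from the SGS-TUV/kVA slides): ASIL determination per
ISO 26262-3 Table 4 and the Step 5 aggregation (worst case scenario per
malfunction = top event; safety goal needed for ASIL >= A). HARA_EXAMPLE holds
the ratings of the worked HARA example on this page; all names are this
example's own."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ASIL_ORDER = ["QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D"]
C_COLUMN = {"C1": 0, "C2": 1, "C3": 2}

# ISO 26262-3 Table 4 as printed in the risk matrix on this page: (S, E) -> (C1, C2, C3).
RISK_MATRIX = {
    ("S1", "E1"): ("QM", "QM", "QM"),         ("S1", "E2"): ("QM", "QM", "QM"),
    ("S1", "E3"): ("QM", "QM", "ASIL A"),     ("S1", "E4"): ("QM", "ASIL A", "ASIL B"),
    ("S2", "E1"): ("QM", "QM", "QM"),         ("S2", "E2"): ("QM", "QM", "ASIL A"),
    ("S2", "E3"): ("QM", "ASIL A", "ASIL B"), ("S2", "E4"): ("ASIL A", "ASIL B", "ASIL C"),
    ("S3", "E1"): ("QM", "QM", "ASIL A"),     ("S3", "E2"): ("QM", "ASIL A", "ASIL B"),
    ("S3", "E3"): ("ASIL A", "ASIL B", "ASIL C"), ("S3", "E4"): ("ASIL B", "ASIL C", "ASIL D"),
}


def determine_asil(s: str, e: str, c: str) -> str:
    """ASIL for one (S, E, C) triple. S0, E0 (defined in the standard but not
    shown on this page) and C0 mean no ASIL is needed: the result is QM."""
    if s == "S0" or e == "E0" or c == "C0":
        return "QM"
    if (s, e) not in RISK_MATRIX or c not in C_COLUMN:
        raise ValueError(f"unknown parameter class in ({s}, {e}, {c})")
    return RISK_MATRIX[(s, e)][C_COLUMN[c]]


def additive_rule(s: str, e: str, c: str) -> str:
    """Compact equivalent of Table 4 that the slides do not state: with the
    classes read as numbers, S+E+C <= 6 is QM and 7, 8, 9, 10 give A, B, C, D.
    Used here only to cross-check the hand-typed matrix above."""
    total = int(s[1]) + int(e[1]) + int(c[1])
    return "QM" if total <= 6 else ASIL_ORDER[total - 6]


def matrix_matches_additive_rule() -> bool:
    return all(determine_asil(s, e, c) == additive_rule(s, e, c)
               for (s, e) in RISK_MATRIX for c in C_COLUMN)


@dataclass
class Rating:
    """One cell of the HARA evaluation matrix. A parameter left None was not
    rated, which the example only does once a zero class closes the scenario."""
    scenario: str
    s: Optional[str] = None
    e: Optional[str] = None
    c: Optional[str] = None
    relevant: bool = True  # False: the malfunction cannot occur in this scenario

    def asil(self) -> str:
        if self.s == "S0" or self.e == "E0" or self.c == "C0":
            return "QM"
        if None in (self.s, self.e, self.c):
            raise ValueError(f"{self.scenario}: incomplete S/E/C rating")
        return determine_asil(self.s, self.e, self.c)

    def weight(self) -> int:
        """S+E+C over the rated parameters; only used to break ties between QM scenarios."""
        return sum(int(x[1]) for x in (self.s, self.e, self.c) if x is not None)


def worst_case(ratings: List[Rating]) -> Tuple[Optional[str], str, Dict[str, str]]:
    """Step 5: ASIL per relevant scenario and the worst case scenario (top event).
    Breaking ties by weight() is this example's choice, not a rule of the standard."""
    relevant = [r for r in ratings if r.relevant]
    per_scenario = {r.scenario: r.asil() for r in relevant}
    if not relevant:
        return None, "QM", per_scenario
    top = max(relevant, key=lambda r: (ASIL_ORDER.index(r.asil()), r.weight()))
    return top.scenario, top.asil(), per_scenario


# Ratings from the worked HARA example on this page. Scenarios: 1 parked in
# parking lot or garage, 2 parking in parking garage, 3 stopped at crossing or
# red traffic light, 4 overtaking on a country road.
HARA_EXAMPLE = {
    "Providing torque without driver request": [
        Rating("Scenario 1", s="S0"),
        Rating("Scenario 2", "S3", "E3", "C1"),
        Rating("Scenario 3", "S3", "E4", "C1"),
        Rating("Scenario 4", "S3", "E1", "C2"),
    ],
    "Providing no torque although driver requested torque": [
        Rating("Scenario 1", relevant=False),
        Rating("Scenario 2", s="S0"),
        Rating("Scenario 3", c="C0"),
        Rating("Scenario 4", "S3", "E1", "C2"),
    ],
}


def evaluate_hara(hara: Dict[str, List[Rating]] = HARA_EXAMPLE) -> Dict[str, dict]:
    results = {}
    for malfunction, ratings in hara.items():
        scenario, asil, per_scenario = worst_case(ratings)
        results[malfunction] = {
            "top_event": scenario, "asil": asil, "per_scenario": per_scenario,
            "safety_goal_required": asil != "QM",  # Step 5: safety goal only for ASIL >= A
        }
    return results


if __name__ == "__main__":
    assert matrix_matches_additive_rule()
    for malfunction, result in evaluate_hara().items():
        print(f"{malfunction}: {result}")
```

Running it reproduces the page's results: Scenario 3 (S3/E4/C1) is the top event for unintended torque at ASIL B, Scenario 2 of the same fault only reaches ASIL A, and every relevant scenario of the missing-torque fault stays QM, so no safety goal is required for it. The additive cross-check is a cheap guard against a transcription error in a hand-typed matrix, which is a real risk when the table is copied into a HARA tool or spreadsheet.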
STEP 6:
VERIFICATION OF THE H&R RESULTS

Confirmation measure                Valid for       Independence
Confirmation review of the HARA     QM to ASIL D    I3

ISO 26262-2, Table D.1 — Verification reviews and confirmation measures, including independence

• HARA results always need to be confirmed with the highest level of independence (I3), regardless of the ASIL, QM included
HARA EXERCISE

• The example provides the situations and scenarios to be considered for the HARA exercise
HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (1/3)

1 Attendees

Name, department Role


Safety Manager
Function developer
Test driver
Project manager
Etc.

HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (2/3)


2 Situation Analysis
2.1 Definition of Possible Malfunctions
Fault No. Description

1 Providing torque without driver request (unintentional acceleration)

2 Providing no torque although driver requested torque (missing acceleration)

HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (3/3)


2.2 Scenarios under examination
Scenario No. Vehicle operating condition Driving situation

1 Parked (transmission in park state) Parked in parking lot or garage

2 Parking Parking car in parking garage

3 Stopped At crossing or red traffic light

4 Driving At country road, overtaking

HARA EXERCISE

• Use the pre-filled HARA template based on the item definition
• Select the parameters S, E and C, then derive the required ASIL
• Provide arguments for your decisions
• Derive safety goal(s) for the identified safety-related malfunctions
HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (1/8)


3 Analysis
3.1 Evaluation Matrix

HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (2/8)


Scenario                        1 Parked at parking   2 Parking car in     3 Stopped at crossing   4 Driving at country   5 Top event      ASIL
                                lot or garage         parking garage       or red traffic light    road, overtaking       (worst case)
Malfunction
1 Providing torque without      S / E / C             S / E / C            S / E / C               S / E / C              S / E / C
  driver request
2 Providing no torque although  S / E / C             S / E / C            S / E / C               S / E / C              S / E / C
  driver requested torque
3 (empty)                       S / E / C             S / E / C            S / E / C               S / E / C              S / E / C
4 (empty)                       S / E / C             S / E / C            S / E / C               S / E / C              S / E / C
HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (3/8)


3 Analysis
3.2 Scenarios – Explanation of Entries

HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (4/8)


Scenario 1 – Fault 1: Providing torque without driver request Parked at parking lot or garage

Consequence of fault:

Reason for S:
Reason for E:
Reason for C:

Scenario 2 – Fault 1: Providing torque without driver request Parking car in parking garage

Consequence of fault:

Reason for S:
Reason for E:
Reason for C:

HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (5/8)


Scenario 3 – Fault 1: Providing torque without driver request Stopped at crossing or red traffic light

Consequence of fault:

Reason for S:
Reason for E:
Reason for C:

Scenario 4 – Fault 1: Providing torque without driver request Driving at country road, overtaking

Consequence of fault:

Reason for S:
Reason for E:
Reason for C:

HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (6/8)


Scenario 1 – Fault 2: Providing no torque although driver requested torque Parked at parking lot or garage

Consequence of fault:

Reason for S:
Reason for E:
Reason for C:

Scenario 2 – Fault 2: Providing no torque although driver requested torque Parking car in parking garage

Consequence of fault:

Reason for S:
Reason for E:
Reason for C:

HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (7/8)


Scenario 3 – Fault 2: Providing no torque although driver requested torque Stopped at crossing or red traffic light

Consequence of fault:

Reason for S:
Reason for E:
Reason for C:

Scenario 4 – Fault 2: Providing no torque although driver requested torque Driving at country road, overtaking

Consequence of fault:

Reason for S:
Reason for E:
Reason for C:

HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (8/8)


4 Summary of Results
Malfunction (event) Safety Goal Rating: ASIL

HARA EXERCISE

• Results
HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (1/6)


Scenario                        1 Parked in parking   2 Parking car in     3 Stopped at crossing   4 Driving at country   5 Top event      ASIL
                                lot or garage         parking garage       or red traffic light    road, overtaking       (worst case)
Malfunction
1 Providing torque without      S0 (E, C not rated)   S3 / E3 / C1         S3 / E4 / C1            S3 / E1 / C2           Scenario 3       ASIL B
  driver request
2 Providing no torque although  Not relevant          S0 (E, C not rated)  C0 (S, E not rated)     S3 / E1 / C2           Scenario 4       QM
  driver requested torque
3 (empty)
4 (empty)
HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (2/6)


Scenario 1 – Fault 1: Providing torque without driver request – Parked at parking lot or garage

Consequence of fault: The car moves unintentionally and could strike pedestrians nearby

Reason for S0: The unintended movement is prevented mechanically by the transmission being in the Park state
Reason for E: not rated (S0 already results in QM)
Reason for C: not rated (S0 already results in QM)

Scenario 2 – Fault 1: Providing torque without driver request – Parking car in parking garage

Consequence of fault: The car moves unintentionally and could strike pedestrians nearby

Reason for S3: A pedestrian could be hit by the car
Reason for E3: Parking in a garage with pedestrians nearby can occur more often than once a month
Reason for C1: Speed is low; the driver can still brake and steer
HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (3/6)


Scenario 3 – Fault 1: Providing torque without driver request – Stopped at crossing or red traffic light

Consequence of fault: The car moves unintentionally into the crossing road with crossing traffic

Reason for S3: A side impact at medium to high speed is expected
Reason for E4: Being stopped at a crossing or red traffic light occurs during almost every drive
Reason for C1: 99% or more of drivers can control the situation; the driver can still brake and steer

Scenario 4 – Fault 1: Providing torque without driver request – Driving at country road, overtaking

Consequence of fault: The car accelerates faster than expected

Reason for S3: Could cause a head-on collision with oncoming traffic
Reason for E1: The duration of the critical situation is very short and oncoming traffic is required
Reason for C2: The driver can still brake and steer
HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (4/6)


Scenario 1 – Fault 2: Providing no torque although driver requested torque – Parked at parking lot or garage

Consequence of fault: Not relevant – there is no driver torque request while parked

Reason for S: not applicable
Reason for E: not applicable
Reason for C: not applicable

Scenario 2 – Fault 2: Providing no torque although driver requested torque – Parking car in parking garage

Consequence of fault: No propulsion is produced

Reason for S0: No injuries are possible
Reason for E: not rated (S0 already results in QM)
Reason for C: not rated (S0 already results in QM)
HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (5/6)


Scenario 3 – Fault 2: Providing no torque although driver requested torque – Stopped at crossing or red traffic light

Consequence of fault: The car does not move

Reason for S: not rated (C0 already results in QM)
Reason for E: not rated (C0 already results in QM)
Reason for C0: The car is stalled at the stop light; it is expected that the vehicles behind recognise the situation

Scenario 4 – Fault 2: Providing no torque although driver requested torque – Driving at country road, overtaking

Consequence of fault: The overtaking cannot be completed as planned, which is critical if there is oncoming traffic

Reason for S3: Collision with oncoming traffic at medium to high speed
Reason for E1: The duration of the critical situation is very short and oncoming traffic is required
Reason for C2: Most drivers control the situation by aborting the overtaking manoeuvre
HARA:
EXAMPLE

Hazard Analysis and Risk Assessment (6/6)


4 Summary of Results

Malfunction (event)                                                           Safety Goal                                   Rating: ASIL
Providing torque without driver request (unintentional acceleration)          Unintended acceleration shall be prevented    B
Providing no torque although driver requested torque (missing acceleration)   No safety goal required for QM                QM
SUMMARY OF DAY 1
HAZARD ANALYSIS AND RISK
ASSESSMENT (HARA)

• The concept of a HARA has to be understood by all parties in the supply chain
• The item definition describes the context of the item within the vehicle and provides the information needed for the subsequent assessment of possible hazards at vehicle level
• The risk potential of a malfunction is derived from the parameters S, E and C
• HARA results always need to be confirmed with the highest level of independence (I3)