    Introduction to functional safety

    Marc Van Vlimmeren
Flanders DRIVE

    April 24th, 2013

    Introduction to Flanders DRIVE

    Introduction to functional safety

    Overview of functional safety standards and regulations

    ISO 26262 for safety-related automotive E/E development Scope

    Parts of the standard

    Safety lifecycle

    Core safety engineering processes V-model System and environment description Hazard analysis and risk assessment Functional safety concept Hardware Development Software Development


    Flanders DRIVE

    Research institute for the vehicle and mobility industry developing and presenting technological solutions in the following R&D domains

    Open innovation approach driven by the industry

    High-tech Infrastructure for vehicle, system and component testing

    Wide international network of 34 partners

    Located in an inspiring environment

    Broad partnership within the vehicle and mobility industry

    Safety related R&D projects

    Introduction to Flanders DRIVE

    Introduction to functional safety

    Overview of functional safety standards and regulations

    ISO 26262 for safety-related automotive E/E development Scope

    Parts of the standard

    Safety lifecycle

    Core safety engineering processes V-model System and environment description Hazard analysis and risk assessment Functional safety concept Hardware Development Software Development


    ,ecalls at ig level

    2000: Accidents due to detachment of Bridgestone tyre tread. Worldwide 700 injured and 203 dead

    Recall more than 14 million tyres

    Costs 1.3 billion USD

    In addition: actions for damages

    Toyota recently had to recall nine millioncars back to the garage because of problems

    with the accelerator and brake. More often, this kind of problems have a root cause in mechatronic and software components.

    Break by wire example: 30 million USD(American Auto press, June 1, 2004)

    Possible damage to companies: invaluable!

    Overview of functional safety


    Software error Random hardware failure




    Development Production

    Definition of functional safety

    Safety is the freedom from unreasonable risk of physical injury or of damage to the healthof people, either directly, or indirectly as a result of hazards caused by damage to propertyor to the environment.

    Functional safety is part of the overall safetythat depends on electric, electronic orprogrammable electronic systems ( E/Esystems ) operating correctly in response to itsinputs.E/E/PE


    Extent of E/E/PE System

    Unreasonable risk: unacceptable adverse effects on humans or to the environment taking into accountits economic, environmental, medical and social benefits and costs.

    Hazard: potential source of harm. The term includes danger to persons arising within ashort time scale (eg. fire, explosion) and also those that have a long term effect(eg. release of toxic substance).

    E/E systems include power supplies, sensors and other input devices, communication networks, actuators and other output devices.


    Input devices (e.g. sensors)


    "e>g> actuators$

    Different types of safety

    Passive Safety: features that help reduce the effects of an accident

    Active Safety

    systems t at use an understanding oft e state of t e ve icle to ot avoid

    and minimise t$e effects of anaccident >

    Functional Safety: Ensures correct functioning of the E/E systems

    (including active safety related systems)

    Possible causes for incorrect functioning of E/E systems

    Incorrect specifications of the system, hardware and/or software

    Omissions in the safety requirements specification

    Random hardware failure mechanisms (tin whisker)

    Systematic hardware failure mechanisms

    Software errors

    !ommon cause failures

    Environmental influences

    Failure AElement A

    Fault %

    temperature, mechanical phenomena

    Supply system voltage distur ances loss of supply

    reduced voltages

    re-connection of supply


    cause Failure &Element &

    Fault '

    Common cause failures

    A fault in an active suspension leading to a safety critical situation.

    But it's not all about technology!

    False assumption

    Safety is a question of technology?


    The greater the complexity of a technical system, the more stringent the requirements to be met by management!

    Prof. Hartwig Sassen, Engineering Univ. Wuppertal

    Examples of poor safety management

    1986: explosion of the Challenger, 7 fatalities

    Cause was a sealing ring of a fuel tank

    Problem was known since 6 years and an engineer had warned for the possibility of such a catastrophe

    Typical causes of accidents: Organizational deficits, Bad communication, Poor risk management

    Poor management of safety concerns

    Introduction to Flanders DRIVE

    Introduction to functional safety

    Overview of functional safety standards and regulations

    ISO 26262 for safety-related automotive E/E development Scope

    Parts of the standard

    Safety lifecycle

    Core safety engineering processes V-model System and environment description Hazard analysis and risk assessment Functional safety concept


    Overview of functional safety standards and regulations


    IEC 61508 On-road
ISO 26262

    Agriculture
ISO 25119

    Functional safety standards Quality standards
ISO 9001:2008

    ISO TS 16949

    Basis for Quality



    Systems engineering

    Machinery
IEC 62061

    Machinery
ISO 13849

    Earth moving machines
ISO 15998

    Process improvement & assessment models

    ASPICE v1.2

    Required standards to follow by manufacturer


    SSC Increasing degree

    State of Science and Technology

    State of Practice

    enerally Accepted


    ISO 26262

    State of t e Art

    Laws / directives

    degree of obligation

    Rules of Technology

    e.g. ECE R, 5


    Introduction to Flanders DRIVE

    Introduction to functional safety

    Overview of functional safety standards and regulations

    ISO 26262 for safety-related automotive E/E development Scope

    Parts of the standard

    Safety lifecycle

    Core safety engineering processes V-model System and environment description Hazard analysis and risk assessment Functional safety concept Hardware Development Software Development


    Scope of ISO 26262

    This International Standard is applicable to safety-related systems that include one ormore E/E systems and that are installed in series production passenger cars with amaximum gross weight up to 3500 kg.

    ISO 26262 does not address unique E/E systems in special purpose vehiclessuch as vehicles designed for drivers with disabilities;

    It does not address hazards related to electric shock, fire, smoke, heat,radiation, toxicity, flammability, reactivity, corrosion, release of energy, andsimilar hazards unless directly caused by malfunctioning behaviour of E/Esafety-related systems.

    Parts of t e ISO 26262 standard

    Source: ISO 26262 standard

    Source: ISO 26262 standard

  • 8/12/2019 Introduction to Functional Safety KdG Seminar 20130424 Handout


    Explanation of the V-model

    User requirements

    System requirements

    Architectural design


    User acceptance testing

    System integration and testing

    HW/SW integration and testing

    Unit and integration testing

    Validation traceability

    Development and coding

    tracea ility

    The purpose of Verification is toensure that selected work products

    meet their specified requirements.

    The purpose of Validation is to demonstrate that aproduct or product component fulfills its intended use

    when placed in its intended environment.

    Safety lifecycle according to ISO 26262

    Ways of achieving risk reduction

    E/E facilities

    Other technologies (eg. safety valves)

    According to ISO 26262

    External measures (eg. physical containment)

    Out of scope ISO 26262

    Out of scope ISO 26262

    V-model from vehicle to component perspective

    Responsibilities of the OEM

    AgPL a

    SIL 1, SIL 2, SIL 3, SIL 3


    PL a, PL b, PL c, PL d

    AgPL b, AgPL c, AgPL d, AgPL e

    Safety integrity level (2/7)

    Safety integrity level (5/7)

    The ASIL level defines the requirements, methods, techniques and measures to manage systematic failures (system, HW and SW) and random failures (HW)

    Source for tables: ISO 26262 standard parts 4 and 5

    First steps in the process

    Organizational processes

    Closer look

    Core systems and safety engineering processes

    Supporting processes

    Safety-oriented analyses
Source: Flanders DRIVE FLAME methodology

    F l i i

    Use-case electric powertrain

    ! t t d i t d i ti "Jit d fi iti $

    Create system and environment description (item definition)

    Understanding of the system, its environment and actors to facilitate the hazard analysis and risk assessment

    The boundaries of the system

    The elements of the system

    The systems interfaces Requirements received from other

    systems and the environment

    The allocation and distribution of functions among the systems

    The allocation and distribution offunctions among the systems

    E t & d l i d i ' t " /2$

    Execute hazard analysis and risk assessment (HARA)

    Context for the hazard analysis and risk assessment

    Definition of safetygoals to prevent

    $azardous eventsleading to $arm2

    Execute hazard analysis and risk assessment (2/2)

    Execute hazard analysis and risk assessment (2/2)

    System and environment description: Functional behaviour of the system at vehicle level

    Operating modes, operational situations, vehicle states Already known hazards

    Systematic determination of system hazards: Brainstorming, checklists, quality history, FMEA,

    )perating modes %ill descent control mode

    Agility control mode Craction !ontrol mode


    Operational situations: City driving, Snow and ice

    Snow and ice

    Classification of Severity (S)

    The risk assessment of

    hazardous eventsfocuses on the harm to

    each endangered person including the

    driver or the

    passengers of the

    vehicle causing thehazardous event, andother endangeredpersons such as

    cyclists ,pedestrians or

    occupants of othervehicles .

    Source: ISO 26262 standard

    !lasses of pro a ility of e=posure "E$

    !lasses of pro a ility of e=posure E$

    2012 Flanders DRIVE all rights reserved

    Source: ISO 26262 standard

    )efining t e controlla ility "!$

    )efining t e controlla ility !$

    Vehicle no longer controllable 10

    System reaction dangerous




    System reaction disturbing



    S stem reaction noticeable



    Neukum andKrger method

    Analysis of dynamic driving data.Determination of error limits: via statistical analysis of subjective

    scores of malfunctions

    Analysis of dynamic driving data.Determination of error limits: via statistical analysis of subjective

    scores of malfunctions

    Safety CriteriaSafety Criteria

    Creation of error functions withdifferent error amplitudes and

    error durations in different drivingmanoeuvres

    Creation of error functions withdifferent error amplitudes and

    error durations in different drivingmanoeuvres


    #othing noticed 0

    )etermine safety goals and ASI levels

    )etermine safety goals and ASI levels

    Risk graph from ISO 26262

    A safety goal is a top-level safety requirementfor the system. Failure of the safety goal will

    Severity (S)Exposure (E)

    Controllability (C)

    resu n an mme a e ncrease o e r s .

    ASIL D = highest safety requirementsASIL A = lowest safety requirementsQM = Quality Management (no safety requirements)

    Source: ISO 26262 standard

    et+s Practice

    et s Practice

    8uild t e %A,A for an electric ve iclewit one electric motor providingtor?ue to t e front w eel via an

    automatic transmission o=>

    E=ample functional safety goals

  • 8/12/2019 Introduction to Functional Safety KdG Seminar 20130424 Handout


    a p e u ct o a sa ety goa s

    The magnitude and sign of the torque delivered to each front wheel shallnot destabilize the vehicle in all driving situations. The sign shall be correct.

    The magnitude shall be within +/-5% of the required value.

    No torque shall be delivered by the system when the vehicle is connectedto a charging spot.

    Functional Safety Goal = toplevel functional safety requirement

    The time and phase lag of the torque transfer shall not destabilize thevehicle in all driving situations. Time lag shall be less than 100 ms. Phaselag shall be less than 20 ms.

    )erive functional safety re?uirements

    ) y

    Derive the functional safety requirements (FSR),

    from the safety goals, and allocate them topreliminary architectural elements of the system inorder to ensure the required functional safety.,esults of a&ardanalysis and ris'


    Safety goal AASI !

    (unctional safety (unctional safety

    Safety goal 8ASI )

    (unctional safety

    Safety goal K

    Criteria for FSRs:

    Techniques to define FSRs:FMEA, FTA,

    brainstorming, HAZOP,

    ASI !


    ASI !


    ASI )

    At least onefunctional safetyrequirement shallbe specified for

    each safety goal.

    - Unique label.- Unambiguous

    - Comprehensible- Atomic

    - Consistent

    - Feasible- Verifiable

    System arc itecture for Electric Powertrain

    E=ample functional safety re?uirements

    (CA "(ault Cree Analysis$

    Deductive a roach

    Main Question: what is the reason?Can also be called TOP-DOWN

    What led to the top event?

    Sherlock Holmesian approach

    Deductive system analysis:Fault Tree Analysis (FTA)

    (urt er system design0 integration . testing and validation

    The technical safety conceptis a statement of how the safety

    functions are implemented inhardware or software. This isstated in the technical safety


    Hardware and software safetyrequirements state the specificsafety requirements that will be

    mp emen e as par o e

    software and hardware design


    Introduction to (landers; ),I#E Introduction to functional safety

    Overview of functional safety standards and regulations

    ISO 26262 for safety-related automotive E/E development Scope

    Parts of t e standard

    Safety lifecycle

    !ore sa ety engineering processes #-model

    System and environment description %a&ard analysis and ris' assessment (unctional safety concept ,ardware Development Software )evelopment


    %ardware development

    %ardware implementation of t e tec nical safety concept

    Analysis of potential ardware faults and t eir effects

    !oordination wit Software development

    Re3uired activities and processes

    %ardware development

    )etected (ault fault w ose presence is detected wit in a prescri ed time y a safety mec anism

    t at prevents t e fault from eing latent>

    Perceived (ault (ault w ose presence is deduced y t e driver wit in a prescri ed time interval>

    atent (ault

    ,ardware faults 4continued5

    mu t p e-po nt au t w ose presence s not etecte y a sa ety mec an sm nor

    perceived y t e driver wit in t e multiple-point fault detection interval>

    %ardware development

    C e single point faults metric reflects t e ro ustness of t e item to singlepoint faults>

    C e latent faults metric reflects t e ro ustness of t e item to latent faults>

    #ro6a6ilistic Metric for random ,ardware Failures "P

    ,ardware metrics

    %ardware development

    "ingle point faults metric

    %ardware development

    7atent faults metric

    %ardware development

    E ample

    %ardware development

    E ample 4continued58 demo (9V :or;6enc$

    Introduction to (landers; ),I#E Introduction to functional safety

    Overview of functional safety standards and regulations

    ISO 26262 for safety-related automotive E/E development Scope Parts of t e standard

    Safety lifecycle

    !ore sa ety engineering processes #-model

    System and environment description %a&ard analysis and ris' assessment (unctional safety concept %ardware )evelopment "oftware Development


    Software development

    Reference #$ase Model

    Software development

    S1 as neit er potential to wear out nor produce random failures> S1?uality is determined y its development process> C e more rigorous andsystematic t e development process0 t e ig er t e ASI rating can e

    ac ieved> Programming language selection


    Is a6out

    > >

    Cool selection and ?ualification S1 !onfiguration

    Integration in ardware

    And muc more H>

    Software development

    C e safety state s all e activated y a switc off of driver 5>

    C e ogic Solver "!PF$ s all run self tests of t e internal registers>

    C e input cloc' s all e tested to detect faults> )uring t en operating p ase0 plausi ility c ec's of specific varia les

    according to t e appropriate range s all e performed>

    "oftware "afety Re3uirements< some e amples

    C e ma=imum start-up tome is 2 seconds>

    C e reaction time to a normal input c ange is ma=imum millisecond>


    Software development

    E=ample CI+s %erculesC< A,>


    C an's for your attendance@

    For more information, please contact

    Marc Van VlimmerenFunctional safety engineer

    tel. +32 11 790 [email protected]

    Bert DextersProject leader Automotive Safety Integrity Leveltel. +32 11 790 545

    [email protected]

    lossary " /5$

    Active safetySystems assisting in the prevention of a crash

    Error(1) Mistake in engineering, requirement specification, or design.(2) Mistake in design, implementation or operation which could cause a failure.

    FailureThe inability of a system or component to perform its required functions within specifiedperformance requirements.

    FaultAny change in state of an item that is considered to be anomalous and may warrant some type of

    corrective action. Examples of faults included device errors reported by Built-In Test (BIT)/Built-In

    Test Equipment (BITE), out-of-limits conditions on sensor values, loss of communication withdevices, loss of power to a device, communication error on bus transaction, software exceptions(e.g., divide by zero, file not found), rejected commands, measured performance values outside ofcommanded or expected values, an incorrect step, process, or data definition in a computerprogram, etc. Faults are preliminary indications that a failure may have occurred.

    Fault Injection Process

    The process of deliberately inserting faults into a system (by manual or automatic methods) to testthe ability of the system to safely handle the fault or to fail to a safe state. Usually, fault injectioncriteria is defined by system safety and is implemented by the software test engineeringgroup to measure the systems ability to mitigate potential mishaps to anacceptable level of risk.

    lossary "5/5$

    Safety Freedom from those conditions that can cause death, injury, occupational illness, damage to orloss of equipment or property, or damage to the environment.

    Safety AnalysisA systematic examination to determine system functionality, to identify potential hazards, andanalyze the adequacy of measures taken to eliminate, control, or mitigate identified hazards; and

    analyze and evaluate potential accidents and their associated risksSafety Critical Function

    A function whose failure to operate, or incorrect operation, will directly result in a high risk mishap(i.e., death, serious injury, system loss, environmental damage).

    Safety IntegrityThe ability of a control system to work safely (this includes shutting down safely if a fault occurs),which depends on the entire system, not just the computer

    Automotive Safety Integrity Level (ASIL)

    One of four levels to specify the item's or element's necessary requirements of ISO 26262 andsafety measures to apply for avoiding an unreasonable residual risk , with D representing the most

    stringent and A the least stringent level .

    A reviations " /2$

    ASI Automotive Safety Integrity evel


    OE< Original E?uipment