Dr.-Ing. Alexander Schloske Funktionale Sicherheit

Machine Translated by Google
FUNCTIONAL SAFETY ACCORDING TO ISO 26262
AND THEIR PRACTICAL IMPLEMENTATION
DGQ regional district Braunschweig, 02/28/2013
Dr.-Ing. Alexander Schloske
Senior Expert Quality Management
Head of the Stuttgart Production Academy
Telephone: +49(0)711/9 70-1890

Fax: +49(0)711/9 70-1002
E-mail: alexander.schloske@ipa.fraunhofer.de
Internet: www.ipa.fraunhofer.de
1427/08
© Fraunhofer IPA
performance
Alexander Schloske and quality management
Active in the field of quality management since 1983

Member of the DGQ since 1992
Lecture on quality management at the University
of Stuttgart since 1996
Trainer of the DGQ since 2003
Lecture on quality in product development at the

Vienna University of Technology since 2006
Functional Safety Engineer seit 2008
Trainer of the DGQ since 2003
© Fraunhofer IPA
performance
The Fraunhofer Society
Rostock
Bremen
Berlin
Dortmund Hanover Dresden
Darmstadt
Saarbrucken
Karlsruhe
Stuttgart Munich
Freiburg
60 institutes at around
40 locations
20,000 employees
2.0 billion € Budget
© Fraunhofer IPA
Networking of science and practice

Fraunhofer IPA as the basis for knowledge transfer
chairs at the
university industrial
Stuttgart, research
ISW and IFF
SPA
Teach research development realization application
Industry experience
© Fraunhofer IPA
Example project for functional safety

Protection of a safety logic in the automotive
Surroundings
Task: 1965
Protection of a safety logic for an

innovative system in the automotive industry
Ensuring "functional safety" according to
IEC 61508 and ISO/DIS 26262
2010
Activities of the IPA:
Carrying out system risk analyses
Definition von Software-Requirements
Development of test plans and test scenarios
Image
source: http://www.autobild.de//artikel/opel-meriva-2010-_1030625.html
© Fraunhofer IPA
"Volvo City Safety" - press presentation
© Fraunhofer IPA
functional safety
Real-world examples of “Functional Safety”
"Volvo City Safety" failed in 2010 at press presentation

The City Safety system is designed to recognize obstacles on the road
and automatically brake the car to avoid a collision. As the
automaker later stated, a malfunctioning battery was to
blame for the system failure.
Those: www.auto.de
Renault recalls 695,000 Scénic worldwide in 2010

With this model, according to Renault, the automatic
parking brake can be applied unintentionally while
driving.
Those: www.welt.de
Toyota is recalling 373,000 cars in 2010

Recall due to the possibility that during the
the steering wheel lock engages automatically. It is
then no longer possible to steer the vehicle.
Those: http://www.auto-motor-und-sport.de/
7
© Fraunhofer IPA
functional safety
Lecture content
Basics of functional safety

Structure and content of ISO 26262
Methods and tools to ensure functional safety
examples
© Fraunhofer IPA
BASIS OF
FUNCTIONAL SAFETY
9
© Fraunhofer IPA
functional safety
Origin of functional safety
Chemical accident in Seveso, Italy 1976:

Highly toxic dioxin leaked with catastrophic
consequences for people, wildlife and nature
Uncontrolled reaction led to
overheating
Automatic cooling systems and warning
systems were not available
Accident triggered standardization efforts

for functional safety:
IEC 61508 (general)

ISO 26262 (automotive)
10
© Fraunhofer IPA
functional safety
Definition and objective of functional safety according to ISO 26262 (11/2011)
Functional safety is the ability of an electrical,

electronic or programmable electronic system (E/E
system) when it occurs
systematic failures (e.g.

faulty system design)
random hardware failures (e.g.

aging of components)
with the dangerous effect of assuming a safe state or

Objective: remaining in a safe state.
"Risk Mitigation"
to the technically
unavoidable
Primary focus: E/E systems
residual risk
11
© Fraunhofer IPA
functional safety
Safety function, safety integrity, (A)SIL
Safety function or functional safety requirement

Function of a safety-related system in order to assume or maintain a
state with an unavoidable residual risk in the event of danger
security integrity
Probability that a safety-related system meets the requirements
Executes safety functions as required under all specified conditions
(Automotive) Safety Integrity Level (A)SIL

Four discrete levels for specifying safety integrity requirements for the
safety functions
SIL 1 to SIL 4 (IEC 61508)
ACL A and ACL D (ISO 26262)
12
© Fraunhofer IPA
STRUCTURE AND CONTENT

OF ISO 26262
13
© Fraunhofer IPA
ISO 26262
Structure of ISO 26262
1. Glossary
2. Functional safety management 3. Concept phase 4.
Product development: system level 5. Product
development: hardware level 6. Product development:
software level
7. Production and Operations
8. Supporting Processes
9. ASIL and safety-oriented analyzes 10. Orientation
aids
(approx. 450 pages in total)
Those: ISO / FDIS 26262
14
© Fraunhofer IPA
ISO 26262
Structure of the individual standards of ISO 26262-#
1. Scope
2. Normative reference
3. Terms, definitions, abbreviated terms
4. Requirements for compliance
5. Content
- Objectivess
- General -
Inputs for this clause
- Requirements and recommendations
- Work products
6. Annex (informative)
7. Bibliography
15
© Fraunhofer IPA
ISO 26262
Compliance requirements (Chapter 4 in ISO 26262-#)
4.1 General Requirements
Planned adjustments
Reasons for deviations
4.2 Interpretation of the tables
++ Method strongly recommended for ASIL
+ Method recommended for ASIL
0 No statement (for / against) on the method
4.3 ASIL dependent requirements and

recommendations
RESULT application
(RESULT) recommendation
Those: ISO / FDIS 26262-2
16
© Fraunhofer IPA
ISO 26262
Life cycle model of ISO 26262
17
© Fraunhofer IPA
ISO 26262
Life cycle model of ISO 26262 (simplified)
1. Vocabulary
2. Management of functional safety
4. Product development
system level
3. Concept 7. Production
phase 5. Product 6. Product and operation
development development
hardware software
level level
8. Supporting processes
9. ASIL-oriented and safety-oriented analyses
10. Guideline on ISO 26262 (informative)

18
© Fraunhofer IPA
REQUIREMENTS OF
ISO 26262 (CHAPTER 2)
19
© Fraunhofer IPA
ISO 26262
Requirements of ISO 26262-2
Definition of the requirements of the organizations responsible for the safety

life cycle
safety culture
competencies
quality management
Definition of roles, responsibilities and activities for the

Security management during the development of the unit
security manager
project manager
Audit, review, assessment of security activities
Those: ISO / DIS 26262-2
20
© Fraunhofer IPA
ISO 26262
Functional safety management (safety plan)
The safety plan contains the structural and process planning (phases, milestones,
responsibilities, documents) required to ensure functional safety with regard to:
strategies and activities
Interface coordination with suppliers

supporting processes
Hazard and risk analysis
Development and implementation of security requirements

Verification and Validation
Documents
21
© Fraunhofer IPA
REQUIREMENTS OF
22
© Fraunhofer IPA
ISO 26262
safety life cycle
3-5 Item definition
Initiation of the
3-6
safety lifecycle Concept
phase
Hazard analysis
3-7 and risk assessment
Functional safety
3-8
concept
Product
4 Other
development
System level technologies
5 6 Controllability
Production
7-5 development
Product
planning Hardware Software External

Operation level level measures
7-6
planning
Release
4-11
for production
After
SOP
7-5 Production Back to

appropiate
lifecycle
Operation, service and phase
7-6
decommissioning
23
© Fraunhofer IPA
ISO 26262
Hazard analysis and risk assessment
Identification and categorization of hazards by the

object of observation
Analysis of operating conditions and identification of hazards

Complete listing of operating conditions
Systematic derivation and definition of the dangers and effects for everyone
operating conditions
assessment of the dangers
S0-S3: Severity of the potential hazard
E0-E4: Duration of being exposed to the operational situation
C0-C3: Controllability by driver and/or participants
Hazard Categorization (ASIL)
ASIL A - D
QM
24
© Fraunhofer IPA
Methods for analyzing mechatronic systems
Risk graph for ASIL classification according to ISO 26262
Severity
Exposure E Controllability C
S0: no risk of injury
S1: minor and moderate injuries
C0 C1 C2 C3
S2: Serious injury and possibly fatal injury
S0 E0 – E4 QM QM QM QM
S3: Serious and likely fatal injuries
E0 QM QM QM QM
Frequency of exposure (exposure)
E1 QM QM QM QM E1: rare: situation occurs less frequently for most drivers
S1 E2 QM QM QM QM than once a year
E3 QM QM QM A E2: occasionally: situation occurs for most drivers
E4 QM QM A B few times a year

E3: quite often: situation occurs once for average driver
E0 QM QM QM QM
a month or more often
E1 QM QM QM QM
E4: often: Situation that occurs with almost every journey
S2 E2 QM QM QM A
Controllability
E3 QM QM A B C1: easy to master:
E4 QM A B C more than 99% of drivers or other road users can usually avert
E0 QM QM QM QM the damage
C2: average controllable:
E1 QM QM QM A
more than 90% of drivers or other road users can usually avert
S3 E2 QM QM A B
the damage
E3 QM A B C
C3: difficult or impossible to control:
E4 QM B C D
less than 90% of drivers or other road users can usually avert the
[according to ISO/DIS damage
25
© Fraunhofer IPA
ISO 26262

Functional safety concept
Security objectives to avoid or mitigate the hazards

Definition of security goals
Specification of the functional safety requirements
condition description
Warning and degradation concept
emergency operation concept
Driver reaction concept
Verification, assessment, validation and review of the security concept
Verification, evaluation, validation and review of the functional

security concept for compliance with the security objectives
26
© Fraunhofer IPA
REQUIREMENTS OF
27
© Fraunhofer IPA
ISO 26262
System level product development
4 Product development at system level
Initiation of product
4-5
development on system level
Spezification of the
4-6
technical safety requirements
4-7 System design
5
Product development 6 Product development
at Hardware level at Software level
4-8 Item integration and testing
4-9 Safety validation
4-10 Functional safety assessment
4-11 Release for production
28
© Fraunhofer IPA
ISO 26262
Development and verification of technical security requirements
Security mechanisms and system reactions

Measures to discover, display and control deviations within the observation unit or in
external units
Measures to achieve and maintain a safe state
Warning and degradation measures
Measures to avoid latent errors
Security mechanisms (safe state)
Transition to the safe state (including requirements for controlling the actuators)
Fault Tolerance Interval (time interval that the vehicle can be operated with
deviations before a hazardous condition occurs)
Emergency operation interval (time interval from the occurrence of the deviation
to the transition to the safe state)
Measures to maintain the safe state
29
© Fraunhofer IPA
ISO 26262
Development and verification of technical security requirements
Avoiding dormant (latent) deviations

[Recommended for A and B / Required for C and D]
Specifying the time interval for detecting sleeping errors (taking component reliability
and exposure into account)
On-board tests (e.g. with "ignition on" / "ignition off")
test in operation
Test during service / maintenance
Development of safety mechanisms to avoid / diagnose dormant double errors
ASIL B for ASIL D safety goals
ASIL A for ASIL B and ASIL C safety targets
30
© Fraunhofer IPA
ISO 26262
System and technical development and verification

security concept
System specification and system architecture
Measures to avoid systematic errors
Measures to control random HW errors during operation
Allocation of security requirements to hardware and software
Specification of the hardware and software interfaces (HSI)
Specification of the diagnosis of the HSI
System design verification
31
© Fraunhofer IPA
REQUIREMENTS OF
32
© Fraunhofer IPA
ISO 26262
Product development at hardware level
4-7 System design
5 Product development at hardware level
Initiation of product
5-5
development at hardware level
Specification of
5-6
hardware safety requirements
5-7 Hardware design 5-7 Production and operation
5-8 Hardware architectural metric
Evaluation of violation of safety Qualification of

5-9 8-13
goal due to random HW failures hardware components
5-10 Hardware integration

and testing
33
© Fraunhofer IPA
ISO 26262

Hardware architectural metrics
Evaluation of the hardware architecture in terms of handling random

Hardwarefehler
ASIL (B), C, D: Application hardware metrics and compliance

target values
Robustness against simple errors
Robustness against multiple errors
Accidental hardware errors with dangerous effects
ASIL (B), C, D: Review of the assessment
34
© Fraunhofer IPA
ISO 26262
ISO 26262-5, Annex C
Random hardware failure
Single point fault (SPF)

Deviation that is not covered by any security mechanism
and immediately leads to the violation of a security objective
Residual fault (RF)
Part of a deviation that is not covered by a security
mechanism and which leads to the violation of a
security objective
Multiple point fault (MPF)

Deviation among several independent deviations, which
in combination leads to a multiple error
Perceived (MPF P)
noticed
Detected (MPF D)
discovered
Latent (MPF L)
asleep
35
© Fraunhofer IPA
Fault classification according to ISO 26262
Is the
component N unconsidered
at the considered
Fault safety-related
function
Safe Fault
involved?
Has the Can the

Component the Deviation
potential for a with another
N N
deviation in the independent
absence of safety deviation in another Safe Fault
mechanisms to component lead to
the safety goal the violation of the
safety goal?
violate?
J J
Is
any
N safety J Multiple
Will
mechanism
implemented,
the deviation Point Fault
discovered?
which controls Detected
deviations of
the component?
J N
Is
there a safety
mechanism in Will J Multiple
J
place to prevent the deviation
the component from the driver Point Fault
deviation from perceived?
violating the Perceived
safety objective?
N N
Residual Multiple
Single
Point Fault
Point Fault Fault
Latent
36
© Fraunhofer IPA
Fault classification according to ISO 26262
Is the
component N
at the considered
Fault safety-related unconsidered
function
Safe Fault
involved?
Has the Can the

Component the Deviation
potential for a with another
N N
deviation in the independent
absence of safety deviation in another Safe Fault
mechanisms to component lead to
the safety goal the violation of the
safety goal?
violate?
J J
Is
any
N safety %J Multiple
mechanism
implemented, DC % ? Point Fault
which controls Detected
deviations of
the component?
J %N
%J %J Multiple
DC % ? DC % ? Point Fault
Perceived
%N %N
Residual Multiple
Single
Point Fault
Point Fault Fault
Latent
37
© Fraunhofer IPA
functional safety
Determining the failure modes and failure rates of

system elements
Determination of the failure modes and FIT values of

System elements:
Literature on reliability (e.g. Birolini)
Company standards (e.g. SN 29500)
Reliability books (e.g. MIL-Handbook 217)

Manufacturer information and data sheets
field experience values
Conversion to ambient temperatures
FIT = Failure in Time:

Failure rate of technical components (number of components
that fail in 109 hours). 1 FIT = 1 failure in about 114,000 years
40
© Fraunhofer IPA
functional safety
Determination of the error rates of complex system elements
Procedure for dividing FIT values for

complex components: 50/50 division
Division into function groups Division
according to chip areas Division
according to recommendations (e.g.
Birolini, SN 29500)
Image source: www.kurz-elektronik.de

42
© Fraunhofer IPA
REQUIREMENTS OF
43
© Fraunhofer IPA
ISO 26262
Product development at software level
Item
4-7 testing
System design Test phase
verification
Design phase verification

Software
Specification of testing Verification of
6-6 6-11
software safety requirements Test phase software safety requirements
verification

Software
testing Software integration
6-7 Software architectural design Test phase
6-10
verification
and testing

Software
Software unit design testing
6-9
6-8 Test phase
Software unit testing
and implementation
verification
44
© Fraunhofer IPA
REQUIREMENTS OF
45
© Fraunhofer IPA
ISO 26262
Planning and ensuring the production of safety-related products
Planning and description of the production
software and calibration

test measures
The risk analysis
Deviation Management
Planning the processes for users, service, repair and

decommissioning
Creation of user documentation
field observation
46
© Fraunhofer IPA
REQUIREMENTS OF
47
© Fraunhofer IPA
ISO 26262
Supporting processes
Interface management in distributed development

Management of security requirements
Configuration Management
Change Management
Documentation
Qualification of software components
Qualification of hardware components
Argumentation „Proven in use“
48
© Fraunhofer IPA
REQUIREMENTS OF
49
© Fraunhofer IPA
METHODS OF ANALYSIS
MECHATRONIC SYSTEMS
51
© Fraunhofer IPA
functional safety
Methods for SIL classification

Risikograph
Methods for analyzing systematic errors

Failure Mode and Effects Analysis (FMEA)
Error-Based System Reaction Analysis (FSR)
Methods for analyzing random errors

Failure Mode, Effects and Diagnostic Analysis (FMEDA)
Fault Tree Analysis (FTA)
52
© Fraunhofer IPA
METHODS FOR
SIL CLASSIFICATION
53
© Fraunhofer IPA

Objective:
Systematic determination of potential dangers
and risks of the system
Methodic procedure:
Definition of the main functions of the system
Determination of potential malfunctions
Identifying the hazards and risks
Benefit/note:
Early implementation
Consideration independent of the
security concept (basis for the security concept)
Prerequisite for (A)SIL classification
54
© Fraunhofer IPA

Risk graph for ASIL classification according to ISO 26262
Exposure E Exposure E Controllability C Controllability C

C0 C1 C2 C3 Objective:
E0 QM QM QM QM
E1 QM QM QM QM
Systematic determination of the ASIL level
S1 E2 QM QM QM QM
E3 QM QM QM A
Basis of the hazard and risk analysis
E4 QM QM A B
E0 QM QM QM QM Methodic procedure:
E1 QM QM QM QM
S2 E2 QM QM QM
E3 QM QM A
A
B
Determination of the ASIL level based on
E4 QM A B C
E0 QM QM QM QM the heaviness
E1 QM QM QM A
S3 E2 QM QM A B
E3 QM A B C the frequency of exposure

E4 QM B C D
[according to ISO DIS

controllability
Benefit/note:
Systematic and comprehensible procedure
Basis for specifications for method application
and for target values for further development
55
© Fraunhofer IPA
METHODS OF ANALYSIS
SYSTEMATIC ERROR
56
© Fraunhofer IPA

Objective:
1.
Systematic determination of potential
malfunctions for the components of the system
2. Method according to VDA 4 Chapter 3 (2006):

1: structure analysis (structure tree)
2: Functional Analysis (Functional Nets)
3. 3: Error Analysis (Error Nets)
4: Measure analysis and evaluation
5: Optimization (if necessary)
4.
Benefit/note:
Detailed overview of malfunctions
5. Action plan for safe system design

Precise naming of the malfunctions
57
© Fraunhofer IPA

Error-Based System Reaction Analysis (FSR)
Objective:
Analysis of the diagnostic and safety
measures for systematic errors
Method:
Takeover of the malfunctions from the system
FMEA for all components involved
Evaluation of the detectability of failure
modes, taking user-related ones into account
interactions and system states
Benefit/note:
Indications of "sleeping errors" in the system
Further comparison of sleeping errors in
paired comparison matrices
58
© Fraunhofer IPA
METHODS OF ANALYSIS
RANDOM ERROR
59
© Fraunhofer IPA
Failure Modes, Effects and Diagnostic Analysis (FMEDA)
FIT DC 1 Safe Single Point Residual DC 2 Multiple Point Fault
(10-9) (%) Fault Fault Fault (%) Detected Latent Preceived

system components
Voltage supply µC 100,00 40,00 0,00 16,04 43,80 0,08 0,08

Objective:
quartz 5,00 0,00 0,00 4,46 0,50 0,02 0,02
Relay 300,00 224,78 0,30 0,00 74,18 0,37 0,37
Taster 40,00 19,80 0,40 0,00 0,00 9,90 9,90
Analysis of the failure modes of the components involved in the safety function
HW-Watchdog components
10,00 of 0,00 0,00 0,00 0,10 9,85 0,05
µC µC-ROM µC- 25,00 12,50 12,38 0,00 0,00 0,06 0,06
RAM µC-I/O µC- security feature

25,00 0.00 0,00 0,00 24,75 0,25 0,00
Watchdog 25,00 12.50 0,00 0,00 12,38 0,12 0,00
25,00 12.50 12,38 0,00 0,00 0,06 0,06
25,00 0.00 0,00 0,00 0,00 25,00 0,00
total 580,00 322.08 25,45 20,49 155,70 45,73 10,55 Method:

Dangerous Failures/Hour 91,67 < 10-7 (fulfilled)
Single Point Fault Metric 92,1% ÿ 90% (fulfilled)
Latent Fault Metric 91,4% ÿ 60% (fulfilled)
Listing of all deviations of the
FMEDA
Components involved in safety function
Evaluation of the deviations/failures
Determination of error rates
Benefit/note:
Tabular procedure for calculating the FuSi parameters (e.g. PMHF, fault metrics)
Creation of an FMEDA for each security objective
60
© Fraunhofer IPA
PROCEDURE FOR ANALYSIS

MECHATRONIC SYSTEMS
61
© Fraunhofer IPA
Relationship between the methods used
Procedure for analyzing and validating functionally safe mechatronic systems
dangers Procedure according to ISO 26262 / IEC 61508

system architecture
and component information
and functional Simple
Risk (eg Birolini
block diagram error cases
Analyse and SN 29500)
Failure Modes Software DC

component functions
FIT scores FMEA concepts and
algorithms
WILL 2
complexes
error cases
error based Software DC

FuSi target values:
fault metrics system reaction concepts and
and PMHF Analyse (FSR) algorithms
FuSi actual values: FMEDA and

fault metrics calculation
? DC = Diagnostic Coverage
and PMHF procedure
62
© Fraunhofer IPA
EXPLANATION APPEAR
OF AN EXAMPLE SYSTEM
63
© Fraunhofer IPA
Explanation based on an example system

Example system (vehicle and values chosen randomly)
Those: http://www.imcdb.org Those: http://www.automobilrevue.de/dreste2002.htm
1965 20xx ?
64
© Fraunhofer IPA

main function
major malfunction
65
© Fraunhofer IPA
Possible risk graph according to ISO 26262
C0 C1 C2 C3
malfunctions and
E0 QM QM QM QM
effects from the E1 QM QM QM QM
Danger and
S1 E2 QM QM QM QM
Risk analysis E3 QM QM QM A
E4 QM QM A B
vehicle portal door E0 QM QM QM QM

Open vehicle door injured Foundation E1 QM QM QM QM
can be opened from S2 E2 QM QM QM A
passers-by at the inside at v > 4 km/h E3 QM QM A B
roadside E4 QM A B C
E0 QM QM QM QM
E1 QM QM QM A
S3 E2 QM QM A B
E3 QM A B C
E4 QM B C D
Severity – S: Exposure – E: Controllability – C: ASIL B

S2: Severity E4: high or C2: manageable on average: more than 90% of the
drivers or PMHF < 10-7
Injuries, life- constant occurrence
threatening, likely to Road users can usually avert the damage
SPFM ÿ 90%
survive
LFM ÿ 60%
66
© Fraunhofer IPA
ANALYSIS SYSTEMATIC
MISTAKE
67
© Fraunhofer IPA
Possible system structure of a "portal door"
Diagnose
system
(sensory)
68
© Fraunhofer IPA
Possible functional network of a "portal door"
function
Main function
of the system Diagnose
system
(sensory)
69
© Fraunhofer IPA
Possible error network of a "portal door"
Malfunction in
ASIL B the diagnosis
System system
malfunction (sensory)
70
© Fraunhofer IPA

Possible FSR of a diagnostic system of the "portal door"
71
© Fraunhofer IPA
Possible form of a "portal door"
No detection of
the malfunction
in the sensors
in operation and
no information
of the driver
72
© Fraunhofer IPA
Possible form of a “portal door”
Reliable error
detection
the sensors
in operation and
Information
of the driver
73
© Fraunhofer IPA

Possible FSR of a diagnostic system of the "portal door"
74
© Fraunhofer IPA

Analysis and evaluation of malfunctions, error detection and error
response in the "portal door" system
2. Error Response 1. Error detection
75
© Fraunhofer IPA
Possible form of a "portal door"
Proof
provided!
Reliable error
detection on
the sensors
in operation and
informing the driver
76
© Fraunhofer IPA

Analysis and evaluation of malfunctions, error detection and error reactions during
operation
2. Error 1. Error
A=1
response detection
Extent of Damage B
77
© Fraunhofer IPA
RANDOM ERROR ANALYSIS
78
© Fraunhofer IPA
Product and project environment

rotary switch
Switching
technology with Hall sensors
Those: www.seuffer.de
79
© Fraunhofer IPA
mechatronic system
Sensory – Logic - Actor
Error distribution in safety systems (rule of thumb according to TÜV Nord)
Sensory Logic 50% of

35% 15% actors
Project rotary switch SIL 2

PFH = 2% von PFH (SIL2)
PFH = 0.02 * 10-6 / h = 20 FIT
SFF = 90%
Image sources: www.seuffer.de and http://blog.doubleslash.de
80
© Fraunhofer IPA
Product
System structure rotary switch
81
© Fraunhofer IPA
EXAMPLE FIT/DC DETERMINATION

FOR A SIMPLE MISTAKE
82
© Fraunhofer IPA
FIT/DC determination
Simple error case "bit tipper in RAM"
µC: • 86.94
FIT • 27 functions
Failure per function
• 50% Safe • 50%
Dangerous
-> 1.61 FIT per failure
84
© Fraunhofer IPA
FMEA form sheet content (example according to DIN EN 61508)
Comp./ Function
Software
Requirements
Require
ment ID
procedure
Verification
under the
development Measures to
test the
Software
SFF target DC Act Detection / Response Test-ID
PFH-Soll FIT actual
mastery in operation
(DC = High = 99%)
85
© Fraunhofer IPA
Error detection and error response during operation by the software
1% = 0,0161 FIT
99% = 1,5939 FIT

Detection / reaction during
reaction detection in operation
in operation operation (DC = High = 99%)
86
© Fraunhofer IPA
Analysis of random errors

FMEDA
87
© Fraunhofer IPA
EXAMPLE DC DETERMINATION FOR A

COMPLEX FAILURE
88
© Fraunhofer IPA
Complex error case "Error in the Hall sensor system"
DC determination via FSR for Hall sensor system
No. starting position Sensor signals final position Sensor signals Gangausgabe
error detection
no
instantly
next
N
next
D/
R
next
DC/
RC
RC R N D DC RC R' R N' N D' D DC RC R N D DC RC R' R N' N D' D DC Ausgabe SIL-kritsch Rule
x 1 1 1 0 0 1 1 1 x 1 1 1 0 0 1 1
1 1 N no 1 x
x 1 1 1 0 0 1 1 1 X 1 1 1 0 0 1 1
2 1 N no 1 x
x 1 1 1 0 0 1 1 1 x 1 1 1 0 0 1 1
3 1 N no 1 x
x 1 1 1 0 0 1 1 1 x 1 1 1 0 1 1 1
4 1 kA no 2
x 1 1 1 0 0 1 1 1 x 1 1 1 0 1 1 1
5 1 kA no 2
x 1 1 1 0 0 1 1 1 x 1 1 0 0 1 1 1
6 1 N no 1 x
x 1 1 1 0 0 1 1 1 x 1 1 0 0 1 1 1
7 1 N no 1 x
x 1 1 1 0 0 1 1 1 x 1 1 0 0 1 1 1
8 1 N no 1 x
x 1 1 1 0 0 1 1 1 x 1 1 1 0 0 1 1
9 0 kA no 3 x
x 1 1 1 0 0 1 1 1 x 1 1 1 0 0 1 1
10 0 kA no 3 R
x 1 1 1 0 0 1 1 1 x 1 1 1 0 0 1 1
11 0 kA no 3 R
x 1 1 1 0 0 1 1 1 x 1 1 1 0 1 1 1
12 0 N no 1 x
x 1 1 1 0 0 1 1 1 x 1 1 1 0 1 1 1
13 0 N no 1 x
x 1 1 1 0 0 1 1 1 x 1 1 0 0 1 1 1
14 0 kA no 3 D
x 1 1 1 0 0 1 1 1 x 1 1 0 0 1 1 1
15 0 kA no 3 D
x 1 1 1 0 0 1 1 1 x 1 1 0 0 1 1 1
16 0 kA no 3 x
89
© Fraunhofer IPA
FMEA AND FMEDA
90
© Fraunhofer IPA
Analysis of systematic and random errors

Division of tasks between FMEA (systematic errors) and FMEDA (random
errors)
Systematic errors Random bugs

FMEA FMEDA
91
© Fraunhofer IPA
FORMULA OF FLUENT
92
© Fraunhofer IPA
Simple estimation of a functionally safe system

rule of thumb
Rechenweg
Sum of the FIT values of all E/E components involved 250 FIT
Allocation to 50% Dangerous and 50% Safe 125 FIT / 125 FIT
Required Safe Failure Fraction 90%
(100%- SFF ) x Dangerous FIT values 12,5 FIT
Comparison with permissible PFH value 20,0 FIT
Source: Mr. Habicht, TÜV Süd (2010)
93
© Fraunhofer IPA
CONCLUSION
94
© Fraunhofer IPA
functional safety
Conclusion
Functional safety poses a new challenge to the technical

risk management (additional effort estimated by industry 10-20%)
Prerequisites for ensuring functional safety are

Functioning management systems and maturity models
(e.g. TS 16949, SPICE, CMMI)
Organizational extensions for safety management
according to the requirements of ISO 26262
Integrated application of the methods and tools
Detailed and precise system analysis by the OEM as well as effective
Interface management/communication with suppliers
Critical consideration of the risks independent of numerical values
95
© Fraunhofer IPA
functional safety
Recommended reading
96
© Fraunhofer IPA
I hope I was able to bring you closer to the

topic of "Functional Safety".
Thank you for your attention !
Image source: Undercover Postcards

97
© Fraunhofer IPA

Dr.-Ing. Alexander Schloske Funktionale Sicherheit

Uploaded by

Copyright:

Available Formats

Dr.-Ing. Alexander Schloske Funktionale Sicherheit

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Dr.-Ing. Alexander Schloske Funktionale Sicherheit

Uploaded by

Copyright:

Available Formats

Machine Translated by Google

FUNCTIONAL SAFETY ACCORDING TO ISO 26262

AND THEIR PRACTICAL IMPLEMENTATION

DGQ regional district Braunschweig, 02/28/2013

Dr.-Ing. Alexander Schloske

Senior Expert Quality Management

Head of the Stuttgart Production Academy

Telephone: +49(0)711/9 70-1890

Active in the field of quality management since 1983

Lecture on quality in product development at the

The Fraunhofer Society

2.0 billion € Budget

Networking of science and practice

Teach research development realization application

Example project for functional safety

Protection of a safety logic for an

"Volvo City Safety" - press presentation

Real-world examples of “Functional Safety”

"Volvo City Safety" failed in 2010 at press presentation

Renault recalls 695,000 Scénic worldwide in 2010

Toyota is recalling 373,000 cars in 2010

Basics of functional safety

Chemical accident in Seveso, Italy 1976:

Accident triggered standardization efforts

IEC 61508 (general)

Definition and objective of functional safety according to ISO 26262 (11/2011)

Functional safety is the ability of an electrical,

systematic failures (e.g.

random hardware failures (e.g.

with the dangerous effect of assuming a safe state or

Safety function or functional safety requirement

(Automotive) Safety Integrity Level (A)SIL

STRUCTURE AND CONTENT

Structure of ISO 26262

2. Functional safety management 3. Concept phase 4.

Product development: system level 5. Product

development: hardware level 6. Product development:

7. Production and Operations

9. ASIL and safety-oriented analyzes 10. Orientation

Those: ISO / FDIS 26262

Compliance requirements (Chapter 4 in ISO 26262-#)

4.1 General Requirements

Reasons for deviations

4.2 Interpretation of the tables

++ Method strongly recommended for ASIL

+ Method recommended for ASIL

0 No statement (for / against) on the method

4.3 ASIL dependent requirements and

Those: ISO / FDIS 26262

Life cycle model of ISO 26262 (simplified)

2. Management of functional safety

9. ASIL-oriented and safety-oriented analyses

10. Guideline on ISO 26262 (informative)

Requirements of ISO 26262-2

Definition of the requirements of the organizations responsible for the safety

Definition of roles, responsibilities and activities for the

Those: ISO / DIS 26262-2

Functional safety management (safety plan)

strategies and activities