Functional Safety (ISO26262) And SOTIF (ISO/PAS21448) Webinar

Transcription

Functional Safety (ISO 26262) and SOTIF (ISO/PAS 21448) Webinar. Dr. Arnulf Braatz / Andreas Horn, June 16th 2020. Slides V1.10, 2020-05-12.

Slide 2/28 (Welcome and Introduction): Technical Notes
Webinar: Functional Safety and SOTIF. Speaker: Dr. Arnulf Braatz. Q&A: Andreas Horn.
Audio: There should be music to hear. If the audio transmission over the Internet is not working, ask for participation in a conference call. Contact the "host" in the "chat" window.
Screen: Disable your screen saver.
Feedback and communication: Open and review the "chat" window to get all organizational messages from the "hosts". Use the "chat" window to the "host" for all organizational WebEx and transfer requests or disturbances. Use the "Q & A" window instead of the "chat" window for substantive questions about the webinar. Address your questions to "All Panelists". Questions are answered online during and after the presentation.
Slides and presentation: Within 1-2 days after the webinar, you will receive a link to the slides and additional information. After the webinar a link will guide you to a feedback form. We look forward to receiving your feedback to continuously improve our services.
© 2020 Vector Consulting Services GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.10 2020-05-12

Slide 3/28 (Welcome and Introduction): Vector Group
Development: Vector provides tools for developing, testing, calibration and diagnostics as well as software components and development services.
Networking: Vector provides components and engineering services for the networking of electronic systems.
Optimization: Vector provides a comprehensive consulting portfolio as well as suitable tools.
Locations: USA (Detroit), France (Paris), Germany (Stuttgart, Brunswick, Hamburg, Karlsruhe, Munich, Regensburg), Great Britain (Birmingham), Sweden (Gothenburg), Italy, Japan (Tokyo, Nagoya), China (Shanghai), India, São Paulo.

Slide 4/28 (Welcome and Introduction): Vector Client Survey 2020: Risk of vicious circle
[Chart: short-term challenges on the horizontal axis versus mid-term challenges on the vertical axis, long-term challenges marked; items plotted: Safety & Security, Quality, Innovative products, Flexibility, Complexity, Distributed development, Competences and knowledge, Digital transformation, Cost. Percentages sum to 300% due to 5 answers per question.]
Vicious cycle: cost pressure, then lack of competences, then less innovation and quality.
Source: Vector Client Survey 2020. Details: www.vector.com/trends. Strong validity with 4% response rate of 2000 recipients from different industries worldwide.
Vector provides tailored consulting solutions to keep OEMs and suppliers competitive: Efficiency, Quality, Competences.

Slide 5/28: Agenda
- Welcome and Introduction
- Challenges and Concepts (next)
- Vector Safety Experiences
- Conclusions and Outlook

Slide 6/28 (Challenges and Concepts): Many functions are safety related
- Electrical Power Steering: unintended steering and loss of steering assist
- Collision Avoidance: acceleration instead of deceleration in traffic
- Electronic Park Brake: unintended activation in motion
- Airbag: unintended deployment during normal operation
Malfunctions caused by failures of E/E systems.

Slide 7/28 (Challenges and Concepts): Functional Safety – Wide Impact
[Figure: V-model from Idea through System Requirements Analysis, System Design, Component Requirements Analysis and Component Design up to System Integration and System Test, split between OEM and supplier; management activities and engineering activities are both marked as affected by ISO 26262.]
Wide impact on the entire life-cycle: risk of gaps and inconsistencies.

Slide 8/28 (Challenges and Concepts): Functional Safety – Many Methods
Terminology (figure: faults X1, X2 at the system layer propagating into errors, failures and finally a hazard as the effect):
- Fault: cause of the error, e.g. a code mistake.
- Error: incorrect state that may lead to a failure.
- Failure: inability to perform the required function as specified.
- Hazard: the effect of the failure at system level.
Method layers:
1. Fault prevention: guidelines, processes
2. Fault detection: code analysis, review, test
3. Fault tolerance: redundant design, memory protection
4. Robustness: redundant shut-off, fail-operational
Many methods and techniques: risk of uninformed usage.

Slide 9/28 (Challenges and Concepts): Parts of ISO 26262:2018 – 2nd Edition – Main Changes
1. Vocabulary
2. Management of functional safety
3. Concept phase
4. Product development at the system level
5. Product development at the hardware level
6. Product development at the software level
7. Production and operation
8. Supporting processes (clauses 8-13 to 8-16 highlighted)
9. ASIL-oriented and safety-oriented analyses
10. Guideline on ISO 26262
11. Application of ISO 26262 to semiconductors
12. Adaptation of ISO 26262 for motorcycles
Related: ISO/PAS 21448 Road vehicles -- Safety of the intended functionality (SOTIF).

Slide 10/28 (Challenges and Concepts): Scope of SOTIF (ISO/PAS 21448)
Safety of the intended functionality (SOTIF): the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse by persons.
Scenario areas relative to the mental model of the system (PAS 21448, chapter 4, figure 8):
- Area 1: known safe scenarios
- Area 2: known unsafe scenarios
- Area 3: unknown unsafe scenarios
- Area 4: unknown safe scenarios
Areas 2 and 3 too large means unacceptable residual risk. Goal of PAS 21448 for the finished development, compared with the starting point: maximize Area 1, minimize Areas 2 and 3. SOTIF activities provide an argument that the residual risk is acceptable.
Note: Intentional alteration of the system operation (feature abuse) is not in scope.

Slide 11/28 (Challenges and Concepts): Overview Automotive Safety: Functional Safety & SOTIF
Functional Safety: the methods required by ISO 26262 focus on those faults that need to be identified and mitigated because they potentially violate a safety goal: systematic and random faults of HW and SW.
SOTIF: triggering events are analyzed to decide whether they are acceptable or whether the function needs to be modified. Scope: known limitations of sensors, actuators and algorithms, environmental conditions and foreseeable misuse (PAS 21448, chapter 7.2).
- Triggering event example: limited maximum torque.
- Triggering event example: camera sensor blinded by sunset.
- Misuse example: applying highway traffic sign recognition in urban traffic.

Slide 12/28 (Challenges and Concepts): Legal Liability: State of the art of science and technology
Process: Safety Management, Project Management, Risk Management, Quality Assurance, Requirements Management, Configuration Management, Test Management. Basis: conferences, white papers, etc.; ISO 26262; process governance (e.g. CMMI, SPICE); basic regulations: laws, statutory provisions, nongovernmental standards (ISO 9001, ISO/TS 16949, etc.).
Technology: measures against random HW failures; measures against systematic failures (system, HW, SW); development of safety concepts; implementation of safety mechanisms.
Methods: FMEA, FTA, FMEDA, analysis of dependent failures, ASIL decomposition.

Slide 13/28 (Challenges and Concepts): Basic Concept of ISO 26262: Risk Classification by "ASIL"
Risk R = Severity S x Probability P, where the probability depends on the exposure E to the operational situation.
Necessary integrity: ASIL, Automotive Safety Integrity Level (required integrity of a function).
[Figure, source IEC 61508:2010: risk level scale with tolerated risk and residual risk; risk from E/E functions, risk added by an additional function, and the risk reduction achieved by safety functions.]

Slide 14/28 (Challenges and Concepts): Development – HARA for deriving Safety Goals and ASIL
Example: malfunctions of Adaptive Front Steering

| Malfunction        | Operational situation                    | E  | C  | S  | ASIL |
|--------------------|------------------------------------------|----|----|----|------|
| No superimposition | 100 km/h, highway, wet road              | E3 | C1 | S3 | A    |
| Steering inversion | 50 km/h to 100 km/h, main road, dry road | E4 | C3 | S3 | D    |
| Oversteering       | 50 km/h to 100 km/h, main road, dry road | E4 | C3 | S3 | D    |
| Oversteering       | parking, 10 km/h, side road, dry road    | E4 | C1 | S1 | QM   |

Exposure: E3: 1-10% of average operating time; E4: more than 10% of average operating time.
Controllability (average driver): C1: hazardous situation is simply controllable; C3: hazardous situation is usually not controllable.
Severity: S1: light to moderate injuries; S3: critical injuries.

Slide 15/28 (Challenges and Concepts): Efficient Traceability and Consistency
Chain of safety artefacts, with the slide's example identifiers:
- Item Definition, then Hazard Analysis & Risk Assessment, then Safety Goals: SG1 (from HZ1, HZ3) ASIL B; SG2 (from HZ2) ASIL D.
- Functional Safety Concept, then Functional Safety Requirements, each tracing to a safety goal and carrying its ASIL: FSR 1 (SG1, ASIL B), FSR 2 (SG1, ASIL B). Allocation of FSRs to elements of the System Architectural Design (external input).
- Technical Safety Concept, then Technical Safety Requirements, each tracing to an FSR and allocated to a component: TSR 1.1 (FSR 1, ASIL B, Komp1), TSR 1.2 (FSR 1, ASIL B, Komp1). Allocation of TSRs to architectural elements, refinement of the architectural design, and further refinement into HW/SW technical safety requirements (HW/SW Tech. Safety Req. 1.1, 1.2).
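The HARA slide and the traceability slide show the S/E/C classification and the safety goal, FSR and TSR chain as pictures. The following Python is an added example and not code from the Vector slides: it encodes the ASIL determination table of ISO 26262-3 (Table 4), applies it to the Adaptive Front Steering HARA rows, derives safety-goal ASILs (a goal covering several hazards gets the highest ASIL of them) and then checks the requirement trace for the gaps and inconsistencies the "Wide Impact" slide warns about: requirements tracing to nothing or to the wrong level, safety goals without FSRs, FSRs without TSRs, unallocated TSRs, and an ASIL that drops below its parent's. The hazard ASILs HZ1 to HZ3, FSR 3, TSR 2.1, TSR 3.1 and the component name Komp2 are constructed to complete the slide's excerpt.

```python
from dataclasses import dataclass

ASIL_ORDER = ["QM", "A", "B", "C", "D"]

# ISO 26262-3 Table 4, ASIL = f(S, E, C): ASIL_TABLE[S][E] lists the ASIL for C1, C2, C3.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}


def determine_asil(s: int, e: int, c: int) -> str:
    """Classify one hazardous event; S0, E0 or C0 means no ASIL is required (QM)."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"S/E/C out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"
    return ASIL_TABLE[s][e][c - 1]


def max_asil(asils) -> str:
    """Highest ASIL of a collection (a safety goal covering several hazards gets the highest one)."""
    return max(asils, key=ASIL_ORDER.index)


# HARA rows of the slide as (label, S, E, C); the S/E/C values are the slide's, the labels are shortened.
HARA_ROWS = [
    ("No superimposition, 100 km/h, highway, wet road", 3, 3, 1),
    ("Steering inversion, 50-100 km/h, main road, dry road", 3, 4, 3),
    ("Oversteering, 50-100 km/h, main road, dry road", 3, 4, 3),
    ("Oversteering, parking at 10 km/h, side road, dry road", 1, 4, 1),
]


def hara_asils(rows):
    """Map each HARA row label to its ASIL."""
    return {label: determine_asil(s, e, c) for label, s, e, c in rows}


@dataclass(frozen=True)
class Requirement:
    req_id: str
    asil: str
    parents: tuple          # hazard ids for a safety goal, SG ids for an FSR, FSR ids for a TSR
    allocated_to: str = ""  # architectural element; mandatory for a TSR


def derive_safety_goals(hazard_asils, grouping):
    """grouping: {sg_id: (hazard ids, ...)} -> list of safety-goal requirements."""
    return [Requirement(sg, max_asil(hazard_asils[h] for h in hz), tuple(hz))
            for sg, hz in grouping.items()]


def check_trace(goals, fsrs, tsrs):
    """Return findings; an empty list means the trace is complete and consistent.
    Any ASIL lower than the parent's is reported: a legitimate ASIL decomposition
    (ISO 26262-9) would have to be recorded explicitly and is not modelled here."""
    findings = []
    index = {r.req_id: r for r in goals + fsrs + tsrs}

    def check_level(children, allowed_parents, parent_kind):
        for child in children:
            if not child.parents:
                findings.append(f"{child.req_id} traces to nothing")
            for pid in child.parents:
                if pid not in allowed_parents:
                    findings.append(f"{child.req_id} traces to {pid}, which is not a {parent_kind}")
                    continue
                parent = index[pid]
                if ASIL_ORDER.index(child.asil) < ASIL_ORDER.index(parent.asil):
                    findings.append(f"{child.req_id} is {child.asil} but its parent {pid} is {parent.asil}")

    check_level(fsrs, {g.req_id for g in goals}, "safety goal")
    check_level(tsrs, {f.req_id for f in fsrs}, "FSR")
    covered_goals = {p for f in fsrs for p in f.parents}
    covered_fsrs = {p for t in tsrs for p in t.parents}
    findings += [f"{g.req_id} has no FSR" for g in goals if g.req_id not in covered_goals]
    findings += [f"{f.req_id} has no TSR" for f in fsrs if f.req_id not in covered_fsrs]
    findings += [f"{t.req_id} is not allocated to an architectural element" for t in tsrs if not t.allocated_to]
    return findings


# Constructed hazard ASILs so that SG1 (HZ1, HZ3) becomes ASIL B and SG2 (HZ2) ASIL D as on the slide.
HAZARD_ASILS = {"HZ1": "A", "HZ2": "D", "HZ3": "B"}
SAFETY_GOALS = derive_safety_goals(HAZARD_ASILS, {"SG1": ("HZ1", "HZ3"), "SG2": ("HZ2",)})
FSRS = [Requirement("FSR 1", "B", ("SG1",)), Requirement("FSR 2", "B", ("SG1",)),
        Requirement("FSR 3", "D", ("SG2",))]                          # FSR 3 is constructed
TSRS = [Requirement("TSR 1.1", "B", ("FSR 1",), "Komp1"), Requirement("TSR 1.2", "B", ("FSR 1",), "Komp1"),
        Requirement("TSR 2.1", "B", ("FSR 2",), "Komp2"),             # constructed
        Requirement("TSR 3.1", "D", ("FSR 3",), "Komp1")]             # constructed

if __name__ == "__main__":
    for label, asil in hara_asils(HARA_ROWS).items():
        print(f"{asil:>3}  {label}")
    print("trace findings:", check_trace(SAFETY_GOALS, FSRS, TSRS) or "none")
```

Running the check on the constructed set returns no findings; lowering FSR 3 to ASIL A or deleting TSR 3.1 produces one finding each, which is the kind of gap that otherwise only surfaces in a confirmation review or an assessment.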

Slide 16/28 (Challenges and Concepts): FMEA and FTA – Safety Analysis on System and HW level
Most common methods for safety-oriented analyses:

|               | FMEA                                                                   | FTA                                                                           |
|---------------|------------------------------------------------------------------------|-------------------------------------------------------------------------------|
| Name          | Failure Mode and Effects Analysis                                      | Fault Tree Analysis                                                           |
| Type          | Inductive analysis method                                              | Deductive analysis method                                                     |
| Purpose       | Identify root causes of failures and effects of failures in the system | Identify root causes of failures and their correlation in the system          |
| Applicability | Can only be applied to an existing design or implementation            | Development of design alternatives; discovery of unexpected scenarios         |
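The table contrasts the two methods but does not show what evaluating a fault tree involves. The following Python is an added example and not from the Vector slides: a small fault tree for a constructed "loss of steering assist" top event with AND/OR gates, the deductive extraction of minimal cut sets, and the top-event probability computed both exactly and with the rare-event approximation used in hand calculations. The gate structure and the basic-event probabilities are assumptions for illustration.

```python
from itertools import combinations, product

# A fault tree as nested tuples: ("AND" | "OR", child, child, ...); a str is a basic event.
# Constructed example: steering assist is lost if the controller fails (HW fault, or a SW
# fault that the monitor does not catch) or if both the main and the backup supply fail.
TREE = ("OR",
        ("OR", "ECU_HW", ("AND", "SW_FAULT", "MONITOR_FAIL")),
        ("AND", "SUPPLY_MAIN", "SUPPLY_BACKUP"))

# Constructed basic-event probabilities (e.g. per operating hour), assumed independent.
P = {"ECU_HW": 1e-4, "SW_FAULT": 1e-3, "MONITOR_FAIL": 1e-2,
     "SUPPLY_MAIN": 1e-3, "SUPPLY_BACKUP": 1e-3}


def basic_events(tree) -> set:
    if isinstance(tree, str):
        return {tree}
    return set().union(*(basic_events(child) for child in tree[1:]))


def evaluate(tree, failed) -> bool:
    """True if the top event occurs when exactly the basic events in `failed` have occurred."""
    if isinstance(tree, str):
        return tree in failed
    gate, *children = tree
    results = (evaluate(child, failed) for child in children)
    return all(results) if gate == "AND" else any(results)


def minimal_cut_sets(tree):
    """Deductive step: the smallest combinations of basic events that cause the top event."""
    events = sorted(basic_events(tree))
    cuts = []
    for size in range(1, len(events) + 1):
        for combo in combinations(events, size):
            candidate = frozenset(combo)
            # skip supersets of cut sets already found (they are not minimal)
            if evaluate(tree, candidate) and not any(cut <= candidate for cut in cuts):
                cuts.append(candidate)
    return cuts


def top_event_probability(tree, probs) -> float:
    """Exact probability for independent basic events: sum over all 2^n failure states."""
    events = sorted(basic_events(tree))
    total = 0.0
    for bits in product((False, True), repeat=len(events)):
        failed = {ev for ev, b in zip(events, bits) if b}
        if evaluate(tree, failed):
            p = 1.0
            for ev, b in zip(events, bits):
                p *= probs[ev] if b else 1.0 - probs[ev]
            total += p
    return total


def rare_event_approximation(cut_sets, probs) -> float:
    """Sum of the cut-set probabilities: an upper bound, good when all cut sets are unlikely."""
    total = 0.0
    for cut in cut_sets:
        p = 1.0
        for ev in cut:
            p *= probs[ev]
        total += p
    return total


if __name__ == "__main__":
    cuts = minimal_cut_sets(TREE)
    print("minimal cut sets:", [sorted(c) for c in cuts])
    print(f"P(top) exact  = {top_event_probability(TREE, P):.6e}")
    print(f"P(top) approx = {rare_event_approximation(cuts, P):.6e}")
```

The three minimal cut sets (ECU_HW alone; SW_FAULT with MONITOR_FAIL; both supplies) are the deductive output that FMEA cannot give directly. The exact figure relies on the independence assumption; a common-cause failure of both supply paths (the "analysis of dependent failures" on the legal-liability slide) has to be modelled as an additional basic event under the OR gate, which is why the independence assumption must be stated in the safety case rather than taken for granted.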

Slide 17/28 (Challenges and Concepts): Approaches to Risk Reduction
Objectives of ISO 26262 (ASIL): avoid systematic failures; make unavoidable (random) failures safe.
Product measures:
- Technical measures against random HW failures: redundancy, safety mechanisms ("diagnostics"), self-tests.
- Technical measures against systematic system, HW and SW failures: redundancy, diagnostics, self-tests, modular HW/SW architecture, architecture patterns, defensive programming.
Process measures:
- Methodological measures to ensure the application of a safety-conform development process: top-down design flow, requirements-based engineering, design methods, analysis techniques, test methods, traceability, reproducibility, detailed process requirements.
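Method layers 2 to 4 of the "Many Methods" slide and the product measures listed above (redundancy, diagnostics, defensive programming) can be seen together in one small piece of code. The following Python is an added example and not from the Vector slides: a 2-out-of-3 voter over three sensor channels that rejects missing, out-of-range and implausible readings (fault detection), masks one faulty channel by voting (fault tolerance) and falls back to a safe value once agreement is lost (robustness, i.e. redundant shut-off). The signal range, the agreement tolerance and the safe value are constructed parameters.

```python
from dataclasses import dataclass
from statistics import median

# Constructed parameters: a torque-request signal in percent from three independent channels.
VALUE_RANGE = (0.0, 100.0)  # physical range; anything outside is a detected channel fault
TOLERANCE = 2.0             # largest deviation between channels still considered agreement
SAFE_VALUE = 0.0            # safe state for this signal: request no assist torque


@dataclass(frozen=True)
class Vote:
    value: float
    degraded: bool            # result produced with fewer than three healthy channels
    faulty_channels: tuple    # indices of channels excluded by the checks
    safe_state: bool          # True when the voter gave up and returned SAFE_VALUE


def in_range(reading) -> bool:
    """Defensive check: None (no data) and values outside the physical range are faults."""
    return reading is not None and VALUE_RANGE[0] <= reading <= VALUE_RANGE[1]


def vote_2oo3(readings) -> Vote:
    """2-out-of-3 voter. readings: three channel values, None if a channel delivered nothing."""
    if len(readings) != 3:
        raise ValueError("a 2oo3 voter needs exactly three channels")

    # Fault detection (layer 2): drop missing and out-of-range channels.
    valid = {i: v for i, v in enumerate(readings) if in_range(v)}
    faulty = set(range(3)) - set(valid)

    # Plausibility check: with three readings, a channel disagreeing with both others is faulty.
    if len(valid) == 3:
        for i, v in valid.items():
            others = [u for j, u in valid.items() if j != i]
            if all(abs(v - u) > TOLERANCE for u in others):
                faulty.add(i)
        valid = {i: v for i, v in valid.items() if i not in faulty}

    # Fault tolerance (layer 3): three or two agreeing channels still give a usable value.
    if len(valid) == 3:
        return Vote(median(valid.values()), False, tuple(sorted(faulty)), False)
    if len(valid) == 2:
        a, b = valid.values()
        if abs(a - b) <= TOLERANCE:
            return Vote((a + b) / 2, True, tuple(sorted(faulty)), False)
        faulty |= set(valid)  # two channels left and they disagree: no way to tell which is right

    # Robustness (layer 4): redundancy exhausted, switch the function off (safe state).
    return Vote(SAFE_VALUE, True, tuple(sorted(faulty)), True)


if __name__ == "__main__":
    for sample in ([50.0, 50.5, 51.0], [50.0, 51.0, 80.0], [50.0, None, 51.0], [50.0, None, 80.0]):
        print(sample, "->", vote_2oo3(sample))
```

The point to check in a review is the last branch: a voter that keeps the average of two disagreeing channels, or keeps using the last good value indefinitely, silently converts a detected fault into a systematic one. The degraded flag is what the fail-operational layer would use to trigger a driver warning or a time-limited fallback.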

Slide 18/28 (Challenges and Concepts): Your Questions?
Remark: If we are not able to answer your question within the hour we will send you the answer via mail in the coming days!

Slide 19/28: Agenda
- Welcome and Introduction
- Challenges and Concepts
- Vector Safety Experiences (next)
- Conclusions and Outlook

Slide 20/28 (Vector Safety Experiences): Vector Experiences – Support Throughout the Life-Cycle
[Figure: V-model with Vector support activities: Item Definition, Hazard and Risk Analysis, System Safety Concept and Qualitative Safety Analyses on the left branch (System Requirements Analysis, System Design, Component Requirements Analysis, Component Implementation); DIA; Safety [label truncated in the source]; Quantitative Safety Analyses on the right branch.]
Consistently plan and systematically maintain safety artefacts.

Slide 21/28 (Vector Safety Experiences): Example SW Safety Analysis - SW-FMEA: Vector Best Practice
[Figure: SW-FMEA worksheet with columns for root cause, failure effect at component and system level, detection (D) and risk priority number (RPN); the example cells show the values 6 and 12.]
SW safety analysis assumes the occurrence of SW faults based on the complexity of the SW.

Slide 22/28 (Vector Safety Experiences): Example FSC – SysML Block Diagram as Vector Best Practice
SysML is a semiformal notation and is recommended by ISO 26262.
Functional safety is about requirements and solution development (two-pillar approach).

Slide 23/28 (Vector Safety Experiences): Vector Experiences – Development Interface Agreement (DIA)
- List of relevant artefacts; minimum scope: 60 artefacts.
- Project-specific tailoring, application and tracking between OEM and supplier.
Use the DIA for a comprehensive definition of the customer/supplier interfaces. Extend its usage to artefacts that are not safety related.

Slide 24/28 (Vector Safety Experiences): Vector Experiences – Security Directly Impacts Safety
Functional Safety (ISO 26262, ISO/PAS 21448): operational scenarios, hazard analysis and risk assessment; safety goals and requirements; functional and technical safety concept; safety implementation; safety verification; safety management after SOP. Safety engineering covers functions and risk mitigation.
Security (J3061, ISO/SAE 21434): assets, threat and risk assessment (threat, attack and risk analysis; attack paths and vulnerabilities); security goals and requirements; security concept (security architecture, methods, data formats, functionality); security implementation; security verification; security management in service.
Figure annotation at the hand-over between the two flows: security not sufficiently addressed.
- Security and safety are interacting and demand holistic systems engineering.
- For a fast start, security engineering should be connected to the safety framework.

Slide 25/28: Agenda
- Welcome and Introduction
- Challenges and Concepts
- Vector Safety Experiences
- Conclusions and Outlook (next)

Slide 26/28 (Conclusions and Outlook): ISO 26262 Experience
Increasing functional safety capabilities:
- The majority of OEMs include ISO 26262 compliance in their contracts.
- Independent audits and assessments are performed.
- Methods for qualitative and quantitative analysis are available.
- ASIL D HW and SW components are available as SEooC (safety element out of context).
But:
- Many suppliers do not have full ISO 26262 compliance because they develop based on legacy systems.
- Suppliers and OEMs need to further improve field observation and their ability to efficiently maintain a safety case.
- New suppliers, e.g. for electric powertrain or ADAS, struggle with ramping up a safety process.
- Security risks increasingly hamper functional safety.
- Functional safety processes in many cases create overheads; the same work could be done at much lower cost.
Functional safety can be efficiently achieved on the basis of mature development processes together with a competent partner.

Slide 27/28 (Conclusions and Outlook): Vector: Comprehensive Portfolio for Security and Safety
Vector Cyber Security and Safety Solutions: Security and Safety Consulting; AUTOSAR Basic Software; Tools (PLM, Architecture, Test, Diagnosis etc.); HW-based Security; Engineering Services for Safety and Security. www.vector.com/consulting

Slide 28/28 (Conclusions and Outlook): Vector Safety Solutions
Trainings and media:
- Training "Functional Safety with ISO 26262", Stuttgart, continuously: www.vector.com/training-safety
- Virtual trainings
- Free white papers: www.vector.com/media-safety
- Vector Forum – Achieving Engineering Competitiveness (25 June 2020), on your computer: it is a virtual forum (URL truncated in the source: .../vector-forum/2020/)
- Further free webinars: 2020-06-17 Automotive Cybersecurity – Challenges and Practical ... (title and URL truncated in the source)
