
Functional Safety in the Automotive Industry,

Process and methods


Matthias Findeis, BMW AG
Ilona Pabst, RELNETyX AG

1 Introduction

During the last years, components within vehicles have increasingly been displaced
by electronic components which take over additional control, monitoring,
and diagnostic functions. The consequence is an increased complexity of the safety
requirements, of the preventive actions needed to avoid faulty states and failures of those
components, and of the documentation in the form of safety confirmations or
certificates.
The European standard DIN EN 61508 [1] has applied since August 2004 as the master
standard for the functional safety of electric, electronic and programmable electronic
safety-related systems (E/E/EPS) and components. It contains a generic solution
for all activities during the safety life cycle of E/E/EPS that perform safety
functions. Based on the various fields of application of E/E/EPS, tailored standards
were established, e. g. IEC 61513 [2] for nuclear power stations or ISO EN 12100
[3] for work machines. An adapted standard for functional safety within the
automotive sector [4] is in preparation.
Although methods exist for deriving the specifications of the safety requirements
necessary to obtain the required functional safety level of the E/E/EPS, the
treatment of functional safety is still not an integral element within the
automotive industry.

In the following, a brief survey of standards related to safety projects is given, and
the way from the meta safety standard IEC 61508 to a tailored ISO safety
standard for the automotive industry is explained. The safety life cycle according
to the new standard and the activities necessary for the achievement of functional safety
during the development phase are shown, and methods such as hazard analysis and
risk assessment are explained. Additional methods applicable during the safety
life cycle are then presented briefly.

2 Functional Safety – Standards, Regulations, and Definitions

The basis for all safety activities and developments is the
installation, implementation, and application of the common quality standards, such as
ISO/TS 16949 [5], which states particular requirements for the application of
ISO 9001:2000 for automotive production and relevant service part organizations,
or the guidelines for dependability management [6], as well as neighbouring
engineering standards like the so-called V-Modell or ISO/IEC 12207 for software
life cycle processes [7].
Specific design instructions, e. g. the standardised E-Gas safety concept or
equivalent type approval regulations, help in collecting safety requirements.
Additionally, the assessment models provided assist in checking the quality of the
development and safety process.

Figure 1 Safety related standards and regulations

As shown in figure 1, special safety standards are on top of the safety
development pyramid. Here, the generic standard IEC 61508 [1] is the meta
standard for functional safety of E/E/EPS. As the application of this generic
standard has spread widely through most sectors of industry, different tailored
standards have been published, such as IEC 61511 [8] for the process industry, IEC
61513 [2] for the nuclear sector, and ISO EN 12100 [3] for the machinery sector.
In 2002 the international safety standard IEC 61508 [1] was transferred into the
European and German safety standard DIN EN 61508. In 2003 German OEMs
started working on an automotive standard. To this end, the VDA/FAKRA working
group was founded in January 2004 to generate a functional safety standard
especially applicable to the automotive industry. The first ISO draft for the
automotive standard was then established in cooperation with the EU, the USA,
Japan, and Great Britain and pre-published in September 2005. The next planned
steps are the new work item at the end of 2006, the committee draft at the end
of 2007, and the draft international standard in 2008. Before becoming a
normative standard, the working draft can be applied by the members of the ISO
association to verify and test its usability.

According to the ISO draft, functional safety is given if and only if “… a vehicle
function does not cause any intolerable endangering states which result
from specification, implementation or realisation errors, failure during the operation
period, reasonably foreseeable operational errors [and/or] reasonably foreseeable
misuse.”

In this context the term “risk” is defined as the combination of the probability of a
harm/damage occurring and the severity of the evolving harm or damage.

3 The functional safety process within the automotive safety life cycle

Like IEC 61508, the automotive safety standard is based on a safety life cycle
approach. The description, allocated activities, and requirements are therefore
based on this automotive safety life cycle. It encompasses the principal safety
activities during the concept phase, product development and product release.
The planning, coordination and documentation of these activities for all phases of
the life cycle is a central management task.
As can be seen in figure 2, the safety life cycle can be separated into three
phases, i. e. the concept phase, the product development phase, and the phase
after start of production (SOP). Here, the management of functional safety and the
supporting processes apply to all activities during the safety life cycle. The first step is
to install a management of functional safety. Here, the responsibilities of the persons,
departments and organisations in charge of each phase of the overall safety
life cycle, or of activities within the various phases, have to be defined. This
relates both to the activities necessary to ensure the required functional safety of
the item and to the confirmation of the functional safety measures.

Figure 2 Automotive safety life cycle

The concept phase can again be separated into three sub-phases which are
described in detail in the new ISO standard. Firstly, the item under consideration has
to be defined; then the safety life cycle of this item has to be installed, a hazard
analysis and risk assessment has to be performed, and a functional safety
concept has to be set up. During the product development phase, system analysis
and functional safety requirement allocation are separated for hardware and
software. The detailed planning of operation, service, and decommissioning is
also described within the new standard. The driver controllability assumed during
hazard analysis and risk assessment has to be verified during this phase.
External measures for risk reduction independent of the system under
consideration, like a tunnel ventilation system, are to be considered, too. Purely
mechanical risk-reducing measures fall into the category of “other technology”.
It must be emphasized that the management of functional safety as well as
supporting processes such as a document management system, requirement
management system, configuration management system, change management
system, supplier management system, as well as employee training and project
planning, are applicable to the whole life cycle.

Figure 3 shows the elements of the automotive safety process in more detail.

Figure 3 Elements of the safety life cycle

Here it is evident that more activities have to be performed in safety-related
development compared to normal development processes. Management
processes, e. g. qualification of parts and components, definition of responsibilities
etc., and supporting process elements such as documentation, configuration
management and review management have already been mentioned. Thus, the
most important phases are system definition, hazard analysis and risk
classification, definition of safety requirements, and realization of safety
requirements. After the function and its boundaries have been described, driving
situations and corresponding malfunctions of the technical system have to be
identified, as they are the input conditions for the hazard analysis and risk
assessment (see figure 4).
Based on the description of possible accident scenarios, safety functions are
defined to avoid these scenarios and to reach a safe state. For each accident
scenario, parameters for (situation) frequency, (harm/damage) severity, and driver
controllability have to be defined. The combination of these parameters then yields
the automotive safety integrity level (ASIL) for the corresponding safety function. A
safety function has at least to meet the ASIL so defined in order to cope with the risk
belonging to the corresponding accident scenario.

Figure 4 ASIL determination
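The following is an added example, not code from the paper: it carries the ASIL determination described above through in working code. The three risk parameters are the ones the paper names (severity, exposure to the driving situation, driver controllability). The class names S1–S3, E1–E4, C1–C3 and the combination table are taken from the published ISO 26262-3; that the working draft discussed here used the same scheme is an assumption. The accident scenarios and the safety goals are constructed.

```python
from dataclasses import dataclass

# Added example, not from the paper: ASIL determination from the three risk
# parameters the paper names (severity, exposure / situation frequency,
# driver controllability). Class names and table are those of the published
# ISO 26262-3; that the draft used the same scheme is an assumption.

# Rows: severity S1..S3; per row: exposure E1..E4; each cell lists the ASIL
# for controllability C1, C2, C3 in that order.
ASIL_TABLE = {
    "S1": {"E1": "QM QM QM", "E2": "QM QM QM", "E3": "QM QM A", "E4": "QM A B"},
    "S2": {"E1": "QM QM QM", "E2": "QM QM A", "E3": "QM A B", "E4": "A B C"},
    "S3": {"E1": "QM QM A", "E2": "QM A B", "E3": "A B C", "E4": "B C D"},
}

# Ordering used when one safety goal covers several accident scenarios:
# the goal inherits the highest ASIL of any scenario it mitigates.
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


def determine_asil(severity: str, exposure: str, controllability: str) -> str:
    """Look up the ASIL for one accident scenario (e.g. S3, E4, C2 -> 'C')."""
    if severity not in ASIL_TABLE or exposure not in ASIL_TABLE[severity]:
        raise ValueError(f"unknown class {severity}/{exposure}")
    cells = ASIL_TABLE[severity][exposure].split()
    c_index = {"C1": 0, "C2": 1, "C3": 2}[controllability]
    return cells[c_index]


@dataclass
class AccidentScenario:
    """One line of the hazard analysis and risk assessment (constructed)."""
    description: str
    safety_goal: str
    severity: str
    exposure: str
    controllability: str

    def asil(self) -> str:
        return determine_asil(self.severity, self.exposure, self.controllability)


def safety_goal_asils(scenarios: list) -> dict:
    """ASIL each safety goal must meet: the maximum over its scenarios."""
    result = {}
    for s in scenarios:
        current = result.get(s.safety_goal, "QM")
        result[s.safety_goal] = max(current, s.asil(), key=ASIL_RANK.get)
    return result


# Constructed scenarios for an illustrative electronic parking brake function.
SAMPLE_SCENARIOS = [
    AccidentScenario("unintended brake release on a slope, vehicle parked",
                     "SG1: prevent unintended release", "S3", "E2", "C3"),
    AccidentScenario("unintended brake application at highway speed",
                     "SG2: prevent unintended application", "S3", "E4", "C3"),
    AccidentScenario("unintended application while parking at walking speed",
                     "SG2: prevent unintended application", "S1", "E4", "C1"),
]

if __name__ == "__main__":
    for s in SAMPLE_SCENARIOS:
        print(f"{s.asil():>2}  {s.description}")
    print(safety_goal_asils(SAMPLE_SCENARIOS))
```

The point of `safety_goal_asils` is that the ASIL is attached to the safety goal, not to a single scenario: a goal that mitigates both a highway-speed scenario and a walking-speed scenario is developed to the higher of the two levels.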

Depending on the ASIL, safety requirements result from the new standard
regarding safety integrity attributes (how good), e. g. 10^-x dangerous failures per
hour, and functional requirements (what), e. g. avoiding undesirable events like
wrong signals. With the safety requirements in mind, the realization of the
function, i. e. the development, can be started. Safety analyses verify and validate
the safety requirements. Such analyses are, for example, Failure Mode and Effects
Analysis, Fault or Event Tree Analysis, Reliability Block Diagrams, Markov
Analysis etc.

The Failure Mode and Effects Analysis (FMEA) (see e. g. [9], [10]) is a method
used for the identification of potential failure/error types in order to define their effect
on the examined object (system, segment, SW/HW unit) and to classify the
failure/error types with regard to criticality or persistency. This is to prevent
failures/errors and thus weak points in the design which might result in an
endangering or loss of the system/software and/or in an endangering of the
persons connected with the system/software. The FMEA also provides results
for corrective measures, for the definition of test cases and for the determination
of the operating and application conditions of the system/software. The Failure Mode,
Effects and Diagnostic Analysis (FMEDA) is an extended FMEA in which the
diagnostic coverage of occurring failures or errors can be classified quantitatively.
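As an added example (not from the paper or from any of the cited standards), the following shows the bookkeeping of an FMEDA in code: each failure mode carries its share of the component failure rate, a safe/dangerous classification and the diagnostic coverage of the monitoring for that mode, and the evaluation splits the total rate into safe/dangerous and detected/undetected parts. The derived quantities (diagnostic coverage DC, safe failure fraction SFF, dangerous undetected failures per hour) follow the IEC 61508 definitions; the component names, rates and coverage values are constructed.

```python
from dataclasses import dataclass

# Added example, not from the paper: a minimal FMEDA evaluation. The split
# into safe/dangerous and detected/undetected rates and the DC and SFF
# formulas follow IEC 61508; all component data below is constructed.

FIT = 1e-9  # one FIT = one failure per 1e9 hours


@dataclass
class FailureMode:
    component: str
    mode: str
    component_rate_fit: float  # total failure rate of the component, in FIT
    share: float               # fraction of that rate caused by this mode
    dangerous: bool            # does the mode violate the safety function?
    diag_coverage: float       # 0.0 .. 1.0, fraction detected by diagnostics

    def rate_fit(self) -> float:
        return self.component_rate_fit * self.share


def fmeda_summary(modes: list) -> dict:
    """Split the failure rate into SD/SU/DD/DU and derive DC, SFF and the
    dangerous undetected failure rate per hour."""
    totals = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0}
    for m in modes:
        if not 0.0 <= m.diag_coverage <= 1.0 or not 0.0 <= m.share <= 1.0:
            raise ValueError(f"{m.component}/{m.mode}: share or DC out of range")
        detected = m.rate_fit() * m.diag_coverage
        undetected = m.rate_fit() - detected
        prefix = "D" if m.dangerous else "S"
        totals[prefix + "D"] += detected
        totals[prefix + "U"] += undetected
    lam_total = sum(totals.values())
    lam_d = totals["DD"] + totals["DU"]
    return {
        **totals,
        "lambda_total_fit": lam_total,
        # diagnostic coverage of dangerous failures: DD / (DD + DU)
        "DC": totals["DD"] / lam_d if lam_d else 1.0,
        # safe failure fraction: everything except dangerous undetected
        "SFF": (lam_total - totals["DU"]) / lam_total if lam_total else 1.0,
        # dangerous undetected failures per hour (the "10^-x" attribute)
        "dangerous_undetected_per_hour": totals["DU"] * FIT,
    }


# Constructed FMEDA rows for a small sensor-to-microcontroller signal path.
SAMPLE_FMEDA = [
    FailureMode("R1 pull-up",  "open",          2.0,   0.6, True,  0.90),
    FailureMode("R1 pull-up",  "short",         2.0,   0.4, False, 0.00),
    FailureMode("U1 MCU",      "hang",          100.0, 0.4, True,  0.99),  # watchdog
    FailureMode("U1 MCU",      "wrong output",  100.0, 0.3, True,  0.60),  # plausibility check
    FailureMode("U1 MCU",      "reset to safe", 100.0, 0.3, False, 0.00),
    FailureMode("S1 sensor",   "stuck-at",      50.0,  0.5, True,  0.90),  # range check
    FailureMode("S1 sensor",   "drift/noise",   50.0,  0.5, True,  0.00),  # not covered
]

if __name__ == "__main__":
    for key, value in fmeda_summary(SAMPLE_FMEDA).items():
        print(f"{key:>30}: {value:.4g}")
```

In the constructed data the uncovered sensor drift mode alone contributes more than half of the dangerous undetected rate, which is exactly the kind of weak point an FMEDA is meant to surface before the "10^-x dangerous failures per hour" target is compared against the design.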

Reliability Block Diagrams (RBDs) (see e. g. [11], [12]) establish system reliability
on a modular or block-oriented basis rather than on a component basis,
using a block diagram approach. The objective is to develop a reliability model
using blocks or modules to make the model easier to understand and to change.
As a quantitative reliability parameter can be allocated to each block or module,
the system design, i. e. whether the blocks/modules are arranged in series and/or in parallel,
redundancies etc., is fully taken into account and the overall system reliability
can be calculated quite easily. For complex systems, RBDs make the reliability of
a system much easier to understand, expose weaknesses much quicker, and
make what-if analyses much easier.
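The block-oriented calculation and the what-if analysis described above, as an added example that is not part of the paper: the diagram is built from nested series, parallel and k-out-of-n blocks, each leaf component has a constant failure rate (exponential lifetime, an assumption of this example), and the what-if helper ranks components by how much the system reliability would gain if that component never failed. The design and the failure rates are constructed.

```python
import math

# Added example, not from the paper: evaluating a reliability block diagram
# of nested series / parallel / k-out-of-n blocks. Leaves are components with
# a constant failure rate (exponential lifetime), so R(t) = exp(-lambda * t).
# The design and the rates below are constructed for illustration.


def component(name, rate_per_hour):
    return ("component", name, rate_per_hour)


def series(*blocks):
    return ("series", list(blocks))


def parallel(*blocks):
    return ("parallel", list(blocks))


def k_of_n(k, *blocks):
    """Block survives if at least k of its n sub-blocks survive (any mix)."""
    return ("koon", k, list(blocks))


def reliability(block, t_hours, perfect=frozenset()):
    """Probability that the block performs its function over [0, t].
    Components named in `perfect` are treated as never failing (what-if)."""
    kind = block[0]
    if kind == "component":
        return 1.0 if block[1] in perfect else math.exp(-block[2] * t_hours)
    if kind == "series":
        return math.prod(reliability(b, t_hours, perfect) for b in block[1])
    if kind == "parallel":
        return 1.0 - math.prod(1.0 - reliability(b, t_hours, perfect) for b in block[1])
    if kind == "koon":
        k, subs = block[1], block[2]
        # dist[j] = P(exactly j of the sub-blocks seen so far survive)
        dist = [1.0]
        for b in subs:
            r = reliability(b, t_hours, perfect)
            new = [0.0] * (len(dist) + 1)
            for j, p in enumerate(dist):
                new[j] += p * (1.0 - r)
                new[j + 1] += p * r
            dist = new
        return sum(dist[k:])
    raise ValueError(f"unknown block kind {kind}")


def component_names(block):
    if block[0] == "component":
        return [block[1]]
    subs = block[2] if block[0] == "koon" else block[1]
    return [n for b in subs for n in component_names(b)]


def rank_weaknesses(block, t_hours):
    """What-if analysis: gain in system reliability if each component were
    perfect, largest first. Single points of failure rise to the top."""
    base = reliability(block, t_hours)
    gains = {name: reliability(block, t_hours, {name}) - base
             for name in component_names(block)}
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)


# Constructed design: redundant sensors, a single ECU, 2-out-of-3 actuators.
SAMPLE_DESIGN = series(
    parallel(component("speed sensor A", 2e-6), component("speed sensor B", 2e-6)),
    component("control ECU", 5e-7),
    k_of_n(2, component("actuator 1", 1e-6),
              component("actuator 2", 1e-6),
              component("actuator 3", 1e-6)),
)

if __name__ == "__main__":
    t = 1000.0
    print(f"R(system, {t:.0f} h) = {reliability(SAMPLE_DESIGN, t):.6f}")
    for name, gain in rank_weaknesses(SAMPLE_DESIGN, t):
        print(f"{gain:.2e}  {name}")
```

The ranking reproduces what a reader sees by eye in a small diagram but needs a tool for a large one: the non-redundant ECU dominates the system unreliability, so that is where a redundancy or a lower failure rate pays off most.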

The Fault Tree Analysis (FTA) (see e. g. [13], [15]) is a method to identify
potential design weaknesses using a highly detailed logic diagram depicting the basic
faults and events that can lead to system failure and/or a safety hazard. As a top-
down approach to failure analysis, the FTA starts with an undesirable event (top
event) such as a failure or malfunction and determines all the ways it may
happen. The analysis proceeds by determining how these top events can be
caused by individual or combined lower-level failures or events.
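An added example, not from the paper: the top-down expansion described above, carried out in code for a small fault tree of AND/OR gates over basic events. The evaluator derives the minimal cut sets (the smallest combinations of basic events that bring about the top event) and the top-event probability, both exactly by enumerating all basic-event states under the independence assumption that the paper notes for FTA, and with the rare-event approximation (sum over cut sets), which is an upper bound. The tree, event names and probabilities are constructed.

```python
import math
from itertools import product

# Added example, not from the paper: a small fault tree evaluator with
# minimal cut sets and top-event probability. Tree and numbers constructed.


def event(name):
    return ("event", name)


def gate_or(name, *children):
    return ("OR", name, list(children))


def gate_and(name, *children):
    return ("AND", name, list(children))


def minimal_cut_sets(node):
    """Boolean expansion: OR unions the children's cut sets, AND combines them."""
    if node[0] == "event":
        return [frozenset([node[1]])]
    child_sets = [minimal_cut_sets(c) for c in node[2]]
    if node[0] == "OR":
        sets = [s for cs in child_sets for s in cs]
    else:  # AND: every cut set of the gate contains one cut set of each child
        sets = [frozenset()]
        for cs in child_sets:
            sets = [a | b for a in sets for b in cs]
    unique = set(sets)
    # Drop any set that strictly contains another one (it is not minimal).
    minimal = [s for s in unique if not any(o < s for o in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def basic_events(node):
    if node[0] == "event":
        return {node[1]}
    return set().union(*(basic_events(c) for c in node[2]))


def evaluate(node, state):
    """True if the top event occurs for a given dict event -> has failed."""
    if node[0] == "event":
        return state[node[1]]
    results = (evaluate(c, state) for c in node[2])
    return any(results) if node[0] == "OR" else all(results)


def top_event_probability(node, probs):
    """Exact value, enumerating all basic-event states; assumes independence."""
    names = sorted(basic_events(node))
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        state = dict(zip(names, states))
        if evaluate(node, state):
            p = 1.0
            for n in names:
                p *= probs[n] if state[n] else 1.0 - probs[n]
            total += p
    return total


def rare_event_approximation(node, probs):
    """Sum of the cut-set probabilities: an upper bound on the exact value."""
    return sum(math.prod(probs[e] for e in cs) for cs in minimal_cut_sets(node))


# Constructed tree for the top event "unintended actuation".
SAMPLE_TREE = gate_or(
    "unintended actuation",
    event("ECU output stuck high"),
    gate_and("both plausibility checks fail",
             event("sensor A corrupt"), event("sensor B corrupt")),
    gate_and("driver stage fault undetected",
             event("driver stage short"), event("monitor disabled")),
)
SAMPLE_PROBS = {  # probability of each basic event over the mission (constructed)
    "ECU output stuck high": 1e-4,
    "sensor A corrupt": 1e-2, "sensor B corrupt": 1e-2,
    "driver stage short": 5e-3, "monitor disabled": 2e-3,
}

if __name__ == "__main__":
    for cs in minimal_cut_sets(SAMPLE_TREE):
        print("cut set:", sorted(cs))
    print("exact:      ", top_event_probability(SAMPLE_TREE, SAMPLE_PROBS))
    print("rare-event: ", rare_event_approximation(SAMPLE_TREE, SAMPLE_PROBS))
```

The single-event cut set is the one a reviewer looks at first: it is a single-point fault of the safety function, whereas the two-event cut sets only matter if the two basic events can occur together within the diagnostic test interval.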
The Markov Analysis (for an overview see [14]) provides a means of analysing the
reliability and availability of systems whose components exhibit strong
dependencies. Other system analysis methods such as FTA often assume
component independence, which may lead to optimistic predictions for the system
availability and reliability parameters. Some typical dependencies which can be
handled using Markov models are cold or warm standby redundancies,
maintenance etc. The major drawback of Markov methods is that Markov
diagrams for large systems are generally exceedingly large and complicated and
difficult to construct. However, Markov models may be used to analyse smaller
systems with strong dependencies requiring accurate evaluation.
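The following added example (not from the paper) works the Markov approach through for a small repairable system of the kind the paragraph mentions: a 1-out-of-2 redundancy with a warm standby unit and a single repair crew. The steady-state probabilities are obtained by solving the generator equations, and the result is set beside what a model assuming independent units would predict, which shows the optimism the paper attributes to independence assumptions. The state model, the solver and all rates are constructed for this illustration.

```python
# Added example, not from the paper: steady-state availability from a
# continuous-time Markov chain, for a 1-out-of-2 warm-standby pair sharing
# one repair crew. Model and rates are constructed for illustration.


def steady_state(Q):
    """Solve pi * Q = 0 with sum(pi) = 1 by Gauss-Jordan elimination.
    Q is a generator matrix: Q[i][j] is the rate from state i to state j,
    and each row sums to zero."""
    n = len(Q)
    # Equations are the columns of Q (pi Q = 0); the last one is replaced
    # by the normalisation sum(pi) = 1 to make the system non-singular.
    A = [[Q[i][j] for i in range(n)] for j in range(n)]
    b = [0.0] * n
    A[n - 1] = [1.0] * n
    b[n - 1] = 1.0
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[pivot] = A[pivot], A[col]
        b[col], b[pivot] = b[pivot], b[col]
        for r in range(n):
            if r != col and A[r][col] != 0.0:
                f = A[r][col] / A[col][col]
                A[r] = [a - f * c for a, c in zip(A[r], A[col])]
                b[r] -= f * b[col]
    return [b[i] / A[i][i] for i in range(n)]


def warm_standby_generator(lam_active, lam_standby, mu):
    """States: 0 = both units up (one active, one warm standby),
    1 = one unit failed and under repair, the other active,
    2 = both failed (system down); one crew repairs one unit at a time."""
    return [
        [-(lam_active + lam_standby), lam_active + lam_standby, 0.0],
        [mu, -(mu + lam_active), lam_active],
        [0.0, mu, -mu],
    ]


def availability(Q, up_states):
    """Long-run fraction of time the system is in one of the up states."""
    pi = steady_state(Q)
    return sum(pi[s] for s in up_states)


def unavailability_single_crew(lam_active, lam_standby, mu):
    """1-out-of-2 with a shared repair crew, from the Markov model."""
    Q = warm_standby_generator(lam_active, lam_standby, mu)
    return 1.0 - availability(Q, {0, 1})


def unavailability_if_independent(lam, mu):
    """What a model of two independent units (each repaired on its own,
    both always active) predicts: the product of the unit unavailabilities."""
    return (lam / (lam + mu)) ** 2


if __name__ == "__main__":
    lam, mu = 1e-3, 1e-1  # failures and repairs per hour (constructed)
    print("hot standby, one crew (Markov): ", unavailability_single_crew(lam, lam, mu))
    print("cold standby, one crew (Markov):", unavailability_single_crew(lam, 0.0, mu))
    print("independent-units assumption:   ", unavailability_if_independent(lam, mu))
```

With the constructed rates the Markov model of a hot-standby pair sharing one repair crew gives roughly twice the unavailability of the independent-units calculation: while one unit is under repair the second failure has to wait for the same crew, a dependency the product formula cannot express.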

The role of safety analyses is shown in the next figure.

Figure 5 Safety analysis in the V-model

The V-model describes the general development steps. Starting with the
requirement specification at the top of the left side, the special safety activities
here are to define the top safety goals and the functional safety concept. During
architecture and system design, the technical safety concept has to be defined.
During HW and SW component design, measures for fault avoidance and
mitigation have to be described before implementation. All safety requirements
are covered backwards by appropriate safety analyses. On the right side of the V-
model, requirements are covered by testing.

At the end of the safety process, the safety concept covers any credible failure.
The correct implementation of the system is validated by tests where the test
coverage is constrained by the corresponding ASIL (compare figure 5).

4 Summary

Safety turns out to be one of the key issues of (future) automobile development as
new functionalities such as driver assistance, dynamics control and additional safety
systems increasingly emerge.
Vehicles shall be constructed and equipped such that under normal operating
conditions no one is inevitably harmed or endangered, hampered or harassed,
that the passengers are protected as far as possible against accidental injuries, and
that the extent and the consequences of injuries are as small as possible.

The basic idea behind reducing the risk emanating from vehicle systems is that, based
on the severity of possible accidents, the probability of exposure to certain driving
situations and the risk reduction due to external measures, i. e. the controllability
by the driver, a safety class (ASIL) is defined which, provided that all requirements
are satisfied, reduces the intolerable risk to a tolerable residual risk; see also
figure 6.

Figure 6 The automotive functional safety approach

It is therefore the aim of the new automotive standard to support and facilitate the
development of safe products in the automotive industry. This standard sets out
an approach for all safety life cycle activities for safety related systems comprised
of electrical and/or electronic and/or programmable electronic components.

In this paper, based on the automotive safety life cycle, a brief overview has been
given of safety process elements, ASIL determination, management and supporting processes,
and the safety methods needed to verify and validate the safety requirements set by
the corresponding ASIL according to the new automotive safety standard.

5 References

[1] IEC 61508, First edition, International Electrotechnical Commission, Geneva,
Switzerland.
[2] DIN IEC 61513 Nuclear power plants - Instrumentation and control systems
important to safety. Beuth Verlag, Berlin, 2002.
[3] ISO EN 12100 Safety of Machinery. Beuth-Verlag, Berlin 2004.
[4] ISO/WD 26262
[5] ISO/TS16949 Quality management systems - Particular requirements for the
application of ISO 9001:2000 for automotive production and relevant
service part organizations. Beuth Verlag GmbH, Berlin, 2005
[6] DIN EN 60300-2 Dependability management - Part 2: Guidelines for
dependability management (IEC 60300-2:2004); German version
EN 60300-2:2004. Beuth Verlag GmbH, Berlin, 2004.
[7] ISO/IEC 12207 Software life cycle processes. Beuth Verlag GmbH, Berlin,
1995.
[8] IEC 61511 Functional safety - Safety instrumented systems for the process
industry sector. Beuth Verlag GmbH, Berlin, 2003.
[9] DIN IEC 60812 Analysis techniques for system reliability - Procedure for
failure mode and effects analysis (FMEA) (IEC 56/735/CD:2001). Beuth
Verlag GmbH, Berlin, 2001.
[10] VDA Band 4 Sicherung der Qualität vor Serieneinsatz: System FMEA (in
German). Verband der Automobilindustrie e.V. (VDA),
Qualitätsmanagement-Center (QMC), Oberursel, 2003.
[11] DIN IEC 61078 Analysis techniques for dependability - Reliability block
diagram method (IEC 56/846/CD:2003). Beuth Verlag GmbH, Berlin,
2003.
[12] Birolini, A.: Qualität und Zuverlässigkeit technischer Systeme, 3. Auflage (in
German). Springer Verlag, Berlin, 1991.
[13] DIN IEC 61025 Fault Tree Analysis. Beuth Verlag GmbH, Berlin, 1993.
[14] Meyna, A. und Pauli, B.: Taschenbuch der Zuverlässigkeits- und
Sicherheitstechnik. Quantitative Bewertungsverfahren (in German). F. J.
Brunner (Hrsg.) Praxisreihe Qualitätswissen, Hanser Verlag, München, 2003.
[15] VDA Band 4 Sicherung der Qualität vor Serieneinsatz: Fehlerbaumanalyse
FTA (in German). Verband der Automobilindustrie e.V. (VDA),
Qualitätsmanagement-Center (QMC), Oberursel, 2003.
