Design for Functional Safety, Concept and System
Training Length - 5 Days

Produce designs that have no verification faults, few validation faults, and offer society a design that is orders of magnitude safer than a human driver. The focus of this training is ISO 26262 Parts 3 and 4.

For driver assist, the goal is to help drivers who might be unaware of risks. The vehicle's longitudinal/lateral controls might take over momentarily to improve stability, apply the brakes, or give the driver a warning. L3 is a special topic: the driver might fall asleep or be deep in thought and be unable to assess risks and perform a safe, controlled recovery maneuver. Examples of this would include the Tesla crashes. For L3, extra precautions need to be included in the design to perform a minimum risk condition maneuver if the driver does not assume control soon enough.

For L4 and L5, the design replaces the driver for driving environment monitoring and all lateral/longitudinal controls. Stability prediction must ensure that the commanded vehicle level functions avoid performance curves that produce instability and loss of control. This includes changing road surfaces, road friction, and all six degrees of freedom (linear and angular). ADAS functions must be disengaged for L4 and L5 solutions: if an L2 or L3 function decides that the vehicle has become unstable, it will interfere with the L4 or L5 solution, which will likely interpret the intervention as a driver assuming control. The capabilities of the L4 and L5 solutions must far exceed any L1-L3 ADAS solution.

  • Overview
      • Review the most important ISO 26262 Part 1 terms and definitions
      • Understand SAE L1 through L5 applications
      • Learn the important differences between driver-assist (L1-L3) and autonomous (L4-L5) systems
      • Learn four levels of function mastery
      • Learn five functional safety response levels in relationship to minimum risk conditions
      • Understand QM and ASIL A through ASIL D requirements for concept and system designs
  • Designing a Safe Concept Design – ISO 26262 Part 3
      • The Item Definition and its domain
      • Domain driving segments, E/E vehicle commands, and the HARA
      • Vehicle level functions, functional safety requirements, and the safety design concept
      • The concept fault state map, concept fault detections and time to detection, the concept fault recovery and time to recovery
      • The concept configuration and how the fault state map relates to the concept configuration and functions
  • Designing a Safe System Design – ISO 26262 Part 4
      • The software and hardware system level analyses (two separate but conjoined studies)
      • Function sequence and interrelations from sensors to actuation/warning devices
      • The top-level system and hardware system and technical safety requirements
      • System level functions, their definitions and natural language descriptions
      • The system level function technical descriptions and measurable requirements
      • The system fault state map
      • Fault state detection and time to detect, with fault recovery and recovery time
      • Five useful functional safety response tables to document each function's faults, how they are detected, how severe they are, the response, and detection and recovery times
      • The temporal fault state map and algorithm guidelines to select the best of many fault states so the correct safety mechanism is activated and all following fault states self-correct
      • How to prevent failures, how to monitor functions, and how to validate the design (function testing, fault injection, function degradation, and function failure)
      • Identifying design risks and preventing their causes from being included in the design
      • Hardware technical safety requirements (ISO 26262 Part 5, hardware) and software technical safety requirements (ISO 26262 Part 6, software)
      • System integration, verification, and validation
      • Validating the system for on-road application