Design for Functional Safety: ISO 26262 Part 4 – System Design
Training Length - 4 Days

Produce safe functional sequences that are self-evaluating from sensors to vehicle commands, and designs that have few verification and validation faults. Identify all requirements for each top-level system function and hardware function. Identify all fault states for each top-level system function and each top-level hardware function. Determine the functional safety response for each system fault state and the fault injection tests that will prove that a safe state can be produced. Produce a design free from sudden and catastrophic potential failures. Determine the fault state map and design a fail-safe manager that knows all system-level and hardware-level fault codes. Design a system that can always identify the most appropriate initial fault state, the one whose handling clears all following fault states.

7FM techniques produce designs that are orders of magnitude safer than a human driver. Driver-assist goals enhance awareness, produce warnings, and correct vectors and brake to avoid hazards. The high-risk commands affect acceleration, deceleration, braking, and hold position. L3 is an especially dangerous application because the driver might be so preoccupied that they cannot react, understand, and select a safe response in time to avoid a hazard. An L4/L5 system-level design will be offered that includes most top-level system functions, their interrelations, and their failure modes. Workshops will be used to understand failure modes, their effects, causes, fault detection, and fault recovery. Cutting-edge 7FM is used to produce superior results. This course focuses on ISO 26262 Part 4.

  • Overview
  • The most important terms which relate to superior functional performance and safety
  • The SAE L1-L5 applications and how they relate to functional safety design goals.
  • The different sensing required for each SAE L1-L5 application.
  • Domain, complexity, design intent, object detection versus object recognition and computational load demands.
  • Four function mastery growth levels: functions, maneuvers, scenarios, and degradation
  • Five functional safety response levels initiated by fault detection.
  • The concept of the temporal fault state map, Functional Safety Requirements, and the Safety Concept.
  • Functional Safety QM and ASIL A through ASIL D requirements
  • Designing a Safe System Design – ISO 26262 Part 4
  • The software and hardware system level analysis (two separate but conjoined studies)
  • The top-level system architecture – System Level Functional Block Diagram: The top-level algorithm functions.  Time sequence and interactions from sensors to actuation commands
  • The top-level hardware system architecture – System Hardware Functional Block Diagram: the top-level E/E functions from sensors to actuators that carry the top-level system functions.
  • The 7FM architecture ensures a clear and complete allocation of the functional safety requirements and safety concept to the system design.
  • Technical safety requirements are defined for each function and these are summarized in individual tables ensuring traceability and the hierarchy of the design.
  • The requirements are temporal from sensors to actuators.
  • The 7FM focus is on causes, superior parameter designs, and ensuring that causes are not included in the design
  • The 7FM focus is on monitoring functions and identifying fault states and the severity of these fault states.
  • Once the severity of a fault state has been determined an appropriate controlled response can be determined.
  • The most severe function is assigned an alternate function path through the decomposition of software and hardware redundancies.
  • The natural results are fault state detections, detection times, fault recovery, and recovery times, which together make up rational safety mechanisms.
  • The severity of function degradations relates to five levels of functional safety responses.
  • Before a function can fail catastrophically it is sensed, and in the worst cases there is a safe, controlled park on the side of the road.
  • In the most severe and extremely rare case, the emergency stop is in lane.
  • The strategy and criteria for selecting the best of many fault states is a natural result of 7FM and the temporal fault state map.  The system always knows which function faulted first in the failure sequence.  This is the one to which the system reacts and all following fault states self-correct.
  • The causes of all function failures are identified as function inputs. These include input functions and their fault states, an HSI health failure, end-to-end transfer, board diagnostics, and software interference failures. The analysis removes doubt that causes have been overlooked.
  • The analysis identifies clear and meaningful recommended actions that focus on design parameters more than on testing. As a result, there will be far fewer time-wasting and program-delaying validation failures.
  • System integration, verification, and validation are all planned from this analysis, as are the testing strategies, which include function capability tests, simulation testing, fault injection testing (all defined by the study), function degradation testing, safety mechanism testing, and failure-based reliability testing.
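The selection strategy described above (the fail-safe manager reacts to the function that faulted first in the failure sequence, and the downstream fault states it caused self-correct) can be sketched as a small temporal fault state map. The following is an added example written for this page, not course material or code from the course authors or from 7FM. The sensors-to-actuation chain, the function names, the severities and the three mildest response names are constructed assumptions; only "controlled park on the side of the road" and "emergency stop in lane" come from the text. It generalizes the page's single-sequence case slightly: when two faults are not causally related, both are treated as independent roots and the stronger of their responses wins.

```python
"""Temporal fault state map: select the root fault(s) of a failure sequence.

Added example for this page, not course material. Function names, dependency
graph, severities and the three mildest response names are constructed
assumptions; the two most severe responses are the ones named on the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sensors-to-actuation chain. Each function lists the input
# functions it depends on: the page's "causes ... identified as function inputs".
FUNCTION_INPUTS: Dict[str, List[str]] = {
    "front_camera": [],
    "front_radar": [],
    "object_detection": ["front_camera", "front_radar"],
    "path_planning": ["object_detection"],
    "brake_command": ["path_planning"],
    "steering_command": ["path_planning"],
}

# Constructed response ladder indexed by severity 1 (mild) .. 5 (most severe).
# Levels 1-3 are assumptions; levels 4 and 5 are the page's own responses.
RESPONSES: Dict[int, str] = {
    1: "warn driver",
    2: "degrade function",
    3: "limit speed",
    4: "controlled park on the side of the road",
    5: "emergency stop in lane",
}


@dataclass(frozen=True)
class FaultState:
    function: str  # function that reported the fault
    t_ms: int      # detection time in milliseconds since start of the sequence
    severity: int  # 1 (mild) .. 5 (most severe)


def upstream(function: str) -> Set[str]:
    """Every function whose output eventually feeds `function` (transitive inputs)."""
    seen: Set[str] = set()
    stack = list(FUNCTION_INPUTS.get(function, []))
    while stack:
        f = stack.pop()
        if f not in seen:
            seen.add(f)
            stack.extend(FUNCTION_INPUTS.get(f, []))
    return seen


def select_root_faults(faults: List[FaultState]) -> List[FaultState]:
    """Return the independent root faults, earliest first.

    A fault is a consequence, not a root, when a root fault already exists in
    one of its upstream functions at the same or an earlier time; consequences
    are expected to clear once the root is handled, so the manager ignores them.
    Ties in detection time are broken so that the more upstream function wins.
    """
    ordered = sorted(faults, key=lambda f: (f.t_ms, len(upstream(f.function))))
    roots: List[FaultState] = []
    for fault in ordered:
        causes = upstream(fault.function)
        explained = any(r.function in causes and r.t_ms <= fault.t_ms for r in roots)
        if not explained:
            roots.append(fault)
    return roots


def plan_response(faults: List[FaultState]) -> Dict[str, str]:
    """Map each root fault to the controlled response for its severity."""
    return {r.function: RESPONSES[r.severity] for r in select_root_faults(faults)}


def fail_safe_action(faults: List[FaultState]) -> str:
    """Single vehicle-level action: the most severe response among the root faults."""
    roots = select_root_faults(faults)
    if not roots:
        return "no action"
    return RESPONSES[max(r.severity for r in roots)]


# Constructed failure sequence: a camera fault propagates down the chain, so the
# later faults are consequences and only the camera fault needs a response.
SAMPLE_FAULTS: List[FaultState] = [
    FaultState("brake_command", 145, 5),
    FaultState("path_planning", 130, 4),
    FaultState("object_detection", 112, 3),
    FaultState("front_camera", 100, 2),
]

if __name__ == "__main__":
    for root, response in plan_response(SAMPLE_FAULTS).items():
        print(f"root fault {root}: {response}")
    print("vehicle-level action:", fail_safe_action(SAMPLE_FAULTS))
```

Reacting to the brake-command fault alone would escalate straight to the most severe level; the map instead attributes the whole sequence to the camera and picks the milder, correct response. Adding an unrelated radar fault produces a second root, and the stronger of the two responses is applied.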