© CEFRIEL 2013; FOR DISCUSSION PURPOSES ONLY: ANY OTHER USE OF THIS PRESENTATION- INCLUDING REPRODUCTION FOR PURPOSES
OTHER THAN NOTED ABOVE, MODIFICATION OR DISTRIBUTION - WITHOUT THE PRIOR WRITTEN PERMISSION OF CEFRIEL IS PROHIBITED
Functional Safety
Hazard & Risk Analysis
MILANO - April, 23rd 2013
Embedded - IC & Automation Fortronic
This presentation was prepared exclusively for the benefit and internal use of the customer and does not carry any right of
publication or disclosure to any other party.
No right to publish or distribute this document is neither expressly nor implicitly allowed to third party.
The present original document was produced by CEFRIEL and no third party may claim any right or paternity on it.
No part of this document may be reproduced. The entire document or part of it may not be used for any personal interest
without any previous written authorization from CEFRIEL.
© copyright CEFRIEL - Milan, Italy - 2013. All rights reserved in accordance with rule of law and international agreements.
Disclaimer
© copyright CEFRIEL 2013| All rights reserved | Milano, Italy April 23, 2013
CEFRIEL OVERVIEW
December 2011
What is CEFRIEL?
Center of excellence for research, innovation and education in
Information & Communication Technologies
Independent, super-partes and not-for-profit organization
Established in 1988
Bridging the gap between industries and academia
to boost innovation
Our mission
[Figure: positioning chart with the columns Research, Innovation and Market Delivery, each rated Low / Medium / High for academic universities, industrial companies and CEFRIEL; CEFRIEL Unique Value Proposition]
Our activities
• Research: Knowledge and IP Creation
• Innovation: Knowledge and IP Application
• Education: Knowledge and IP Sharing
FUNCTIONAL SAFETY: (Brief) Introduction
Introduction to Functional Safety
What is Functional Safety? What is Functional Safety about?
• IEC 61508 Definition:
• Safety is the freedom from unacceptable risk of physical injury or of damage to the health of
people, either directly, or indirectly as a result of damage to property or to the environment.
• Risk is a combination of the probability of occurrence of harm and the severity of that harm.
• Functional Safety is part of the overall safety that depends on a system or equipment
operating correctly (i.e. perform a safety function) in response to its inputs.
• Functional Safety is thus about achieving “absence of unreasonable risk due to hazards (potential
source of harm) caused by malfunctioning behavior of the electrical/electronic/programmable
electronic (E/E/PE) systems”.
• Failures are the main impairment to safety:
• Systematic failures: failures related in a deterministic way to a certain cause, which can only be
eliminated by a change of the design, of the manufacturing process, of the operational
procedures, of the documentation or of other relevant factors → ROBUST PROCESS
• Random HW failures: failures that can occur unpredictably during the lifetime of a hardware
element and that follow a probability distribution → ROBUST DESIGN
Functional Safety standards
Introduction to Functional Safety
• INDUSTRIAL AUTOMATION [IEC 61508]
• MEDICAL [IEC 60601, IEC 62304]
• PROCESS INDUSTRY [IEC 61511]
• TRANSPORTATION (railway) [EN 50126, EN 50128, EN 50129]
• MACHINERY [IEC 62061]
• NUCLEAR [IEC 61513, IEC 60880, IEC 60987, IEC 61226]
• AUTOMOTIVE [ISO 26262]
Risk Reduction
Introduction to Functional Safety
• The risk emerging from the EUC (Equipment Under Control) is classified according to its tolerability
• A risk is at a tolerable level, if the involved persons (the society) can accept it
• Standards and rules describe methods to determine the limits of acceptance
• If such a risk is not tolerable, it must be reduced by means of suitable measures (standards and
rules describe measures to reduce risk to an accepted level):
• E/E/PE measures
• Other technology measures (e.g., mechanic, hydraulic, …)
• External risk reduction measures or facilities (e.g., instructions, labels, safety fences, …)
[Figure: risk reduction diagram. Along the axis of rising risk lie the tolerable risk, the residual risk and the non-tolerable risk. The necessary risk reduction is the gap between the EUC risk and the tolerable risk; the actual risk reduction is the sum of the partial risk covered by other technology, the partial risk covered by E/E/PE measures and the partial risk covered by external measures, i.e. the risk reduction achieved by all safety-related systems and external risk reduction facilities]
Risk Reduction - Example
Introduction to Functional Safety
[Figure: the risk reduction diagram of the previous slide applied to three brake systems. For each system the necessary risk reduction (from the non-tolerable EUC risk down to the tolerable / residual risk) is covered as follows:]
• CONVENTIONAL BRAKE (mechanics, hydraulics): partial risk covered by other technology + partial risk covered by external measures
• ELECTRO-HYDRAULIC BRAKE (hydraulic backup): partial risk covered by other technology + partial risk covered by E/E/PE measures + partial risk covered by external measures
• ELECTRO-MECHANIC BRAKE (no hydraulic backup): partial risk covered by E/E/PE measures + partial risk covered by external measures
Safety Function vs Safety Integrity
Introduction to Functional Safety
• Key Concepts in IEC 61508 standard are RISK and SAFETY FUNCTION
• Risk is a function of frequency (or likelihood) of the hazardous event and the event
consequence severity
• Risk is reduced to a tolerable level by applying safety function.
• The SIL (Safety Integrity Level) is the measure of the “risk reduction level” of the Safety
Function.
SAFETY FUNCTION
• Function which is intended to achieve or maintain a safe state for the equipment under control (EUC) in
respect of a specific hazardous event.
SAFETY INTEGRITY
• Probability of a safety-related system satisfactorily performing the required safety function under all
stated conditions within a stated period of time (process safety time)
• Four levels of safety integrity (SIL 1 to 4)
• Considers all causes of failures (random HW faults and systematic failures) which lead to an unsafe state
SAFETY-RELATED SYSTEM
Designated system that both:
• Implements the required safety functions necessary to achieve and maintain a safe state for the EUC
• Is intended to achieve, on its own or with other E/E/PE safety-related systems, other technology safety-related
systems or external risk reduction facilities, the necessary safety integrity for the required safety functions
Safety Integrity Level
Introduction to Functional Safety
• According to IEC 61508:
• The Safety Integrity Level describes the level for the required risk reduction
• Scale with 4 levels (SIL 1 to SIL 4): SIL 1 = low, SIL 4 = high
• Identification by approved measures (Risk analysis)
• Derivation of requirements and measures for the risk reduction depending on the SIL
• According to ISO 26262:
• The Automotive Safety Integrity Level describes the level for the required risk reduction
• Scale with 4 levels (ASIL A to ASIL D): ASIL A = low, ASIL D = high
• Identification by the method proposed in the standard
• Indicative correspondence between the two scales (the standards define no formal equivalence):
IEC 61508   ISO 26262
-           QM
SIL 1       ASIL A
SIL 2       ASIL B
SIL 3       ASIL C
SIL 3       ASIL D
SIL 4       -
Development of Safety Function
Introduction to Functional Safety
• The development of Safety Functions requires the following main steps:
• Identify and analyze the risks
• Determine the tolerability of each risk
• Determine the risk reduction necessary for each intolerable risk
• Specify the safety requirements for each risk reduction, including their Safety Integrity Level
• Design the Safety Functions to meet the safety requirements
• Implement the safety functions
• Validate the safety function
• The safety lifecycle specifies all aspects related to the development process
of safety related systems
• Management of the process itself
• Definition of system
• Specification of the system and sub-systems
• Documentation and configuration management
• Architectural design
• Hardware & software design
• Hardware & software development
• Test & validation planning
• Operation, maintenance and decommissioning planning
Safety Lifecycle according to IEC 61508
Introduction to Functional Safety
[Figure: overall safety lifecycle of IEC 61508-1 (Figure 2); the numbered boxes are:]
1. Concept
2. Overall scope definition
3. Hazard and risk analysis
4. Overall safety requirements
5. Safety requirements allocation
Overall planning:
6. Overall operation and maintenance planning
7. Overall safety validation planning
8. Overall installation and commissioning planning
Realisation:
9. E/E/PE safety-related systems: realisation (E/E/PE safety lifecycle, software safety lifecycle)
10. Other technology safety-related systems: realisation
11. External risk reduction facilities: realisation
12. Overall installation and commissioning
13. Overall safety validation
14. Overall operation, maintenance and repair
15. Overall modification and retrofit
16. Decommissioning or disposal
Safety Lifecycle according to ISO 26262
Introduction to Functional Safety
[Figure: structure of ISO 26262 (2011 edition), parts and clauses]
1. Vocabulary
2. Management of functional safety
   2.5 Overall safety management
   2.6 Safety management during item development
   2.7 Safety management after release for production
3. Concept phase
   3.5 Item definition
   3.6 Initiation of the safety lifecycle
   3.7 Hazard analysis and risk assessment
   3.8 Functional safety concept
4. Product development: system level
   4.5 Initiation of product development at system level
   4.6 Specification of the technical safety requirements
   4.7 System design
   4.8 System integration and testing
   4.9 Safety validation
   4.10 Functional safety assessment
   4.11 Release for production
5. Product development: hardware level
   5.5 Initiation of product development at hardware level
   5.6 Specification of hardware safety requirements
   5.7 Hardware design
   5.8 Hardware architectural metrics
   5.9 Evaluation of violation of the safety goal due to hardware random failures
6. Product development: software level
   6.5 Initiation of product development at software level
   6.6 Specification of software safety requirements
   6.7 Software architectural design
   6.8 Software unit design and implementation
   6.9 Software unit testing
   6.10 Software integration and testing
   6.11 Verification of software safety requirements
7. Production and operation
   7.5 Production
   7.6 Operation, service and decommissioning
8. Supporting processes
   8.5 Interfaces within distributed developments
   8.6 Specification and management of safety requirements
   8.7 Configuration management
   8.8 Change management
   8.9 Verification
   8.10 Documentation
   8.11 Qualification of software tools
   8.12 Qualification of software components
   8.13 Qualification of hardware components
   8.14 Proven in use argument
9. ASIL-oriented and safety-oriented analyses
   9.5 Requirements decomposition with respect to ASIL tailoring
   9.6 Criteria for coexistence of elements
   9.7 Analysis of dependent failures
   9.8 Safety analyses
10. Guidelines on ISO 26262 (informative)
FUNCTIONAL SAFETY: Hazard & Risk Analysis
Hazard Analysis
Hazard & Risk Analysis
• In order to perform a risk assessment
• The hazards (potential source of harm) of the EUC shall be determined
systematically, as well as the event sequences leading to them
• Techniques that can be used for the extraction of hazards at system level:
• Brainstorming
• Checklists
• Quality history
• FMEA
• Fault Tree Analysis (FTA)
• Event Tree Analysis (ETA)
• Product metrics
• Field studies
• For each identified hazard, risks shall be determined and assessed
• If a risk is not tolerable, necessary risk reduction must be evaluated.
Risk Assessment
Hazard & Risk Analysis
• In order to determine the necessary level of risk reduction (expressed as SIL, ASIL, …)
• Two reference risk levels must be estimated
• The EUC risk associated with the Equipment Under Control
• The level of risk considered tolerable
• Risk assessment is the procedure to evaluate the EUC risk
• Risk assessment can be summarized in answering the question: "How likely is the EUC to fail
and, if it does fail, what is the outcome?" → Frequency x Consequence
• The EUC risk must be assessed independently from the measures adopted to reduce it
• The EUC risk must be assessed separately for each determined hazardous event
• Risk assessment techniques can be
• Qualitative: provides qualitative risk assessment (used mainly in early risk assessment phase)
• Semi-quantitative (semi-qualitative): provides discrete risk "levels"
• Quantitative: provides quantitative risk estimates based on formal mathematical models
• Several techniques can be adopted
• ALARP Model
• Risk Graph / Calibrated Risk Graph
• Hazardous Event Severity Matrix
• Layer of protection analysis (LOPA)
ALARP Model
Hazard & Risk Analysis
• According to this model, risks can
be classified into three classes
• The risk is so great that it cannot
be justified in any ordinary
circumstance
• The risk is, or has been made,
so small as to be insignificant
• The risk falls between the two
previous classes and has been
reduced to the lowest practicable
level
• When the risk falls in the last
class, then it must be reduced to
a level which is "ALARP", i.e.
• "As Low As Reasonably Practicable"
[Figure: ALARP regions, from the highest risk down to negligible risk:]
• Intolerable region: risk cannot be accepted except in extraordinary circumstances
• ALARP region (risk is undertaken only if a benefit is desired): risk is tolerable only if further risk reduction is impracticable or disproportionate to the benefits obtained; the more the risk is reduced, the less must be spent to reduce it further to satisfy ALARP
• Broadly accepted region: negligible risk
ALARP Model - Example
Hazard & Risk Analysis
• As an example consider the following table where risk classes are
– I (lowest risk), II, III, IV (highest risk)
• The interpretation of risk classes in terms of the ALARP model might be:

Frequency \ Consequence   Catastrophic   Critical   Marginal   Negligible
Frequent                  IV             IV         IV         III
Probable                  IV             IV         III        II
Occasional                IV             III        II         II
Remote                    III            II         II         I
Improbable                II             II         I          I
Incredible                I              I          I          I

Risk class   ALARP interpretation
I            Negligible risk
II           Tolerable risk if the cost of risk reduction would exceed the improvement gained
III          Undesirable risk. Tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained.
IV           Intolerable risk
Risk Graph Method
Hazard & Risk Analysis
• The risk graph method is based on the following equation
• R = f × C (risk as the product of frequency and consequence)
• Where
• R is the risk with no safety-related systems in place
• f is the frequency of the hazardous event with no safety-related systems in place
• C is the consequence of the hazardous event
• The frequency is in turn influenced by
• Frequency and exposure time in the hazardous zone
• Possibility of avoiding the hazardous event
• Probability of the hazardous event taking place with no safety-related measures in
place but with other risk reduction facilities (probability of unwanted occurrence)
• This extends the number of parameters to be considered to four (ISO 26262 counterpart after the arrow)
• C = Consequence of the hazardous event → S = Severity
• F = Frequency and exposure time in the hazardous zone → E = Exposure
• P = Possibility of failing to avoid the hazardous event → C = Controllability
• W = Probability of the unwanted occurrence → (no direct counterpart)
Risk Graph Method - Example
Hazard & Risk Analysis
• The implementation of a risk graph requires
• Defining values / levels for each parameter
• Defining the relations between parameters and their levels
• The values / levels of the parameters, expressed qualitatively or quantitatively as numbers, must be:
• Justified on a rigorous and widely accepted basis
• Agreed with all the parties involved
[Figure: risk graph (IEC 61508-5, Annex D). From Start the path branches on the consequence C (CA, CB, CC, CD), then on the frequency / exposure F (FA, FB), then on the possibility of avoidance P (PA, PB); CA leads directly to X1, and branches with the same combined severity merge. The path ends in one of six rows, X1 to X6, which are read against the probability of unwanted occurrence W (W3, W2, W1):]

Row   W3      W2      W1
X1    a       ---     ---
X2    SIL 1   a       ---
X3    SIL 2   SIL 1   a
X4    SIL 3   SIL 2   SIL 1
X5    SIL 4   SIL 3   SIL 2
X6    b       SIL 4   SIL 3

--- No safety requirements
a No special safety requirements
b Single E/E/PE system not sufficient
Using different integrity scales, e.g. W1, W2 and W3
• Allows accounting explicitly for other risk reduction measures
• From one scale to another there is an integrity level "shift"
Parameter ordering (increasing severity, exposure, difficulty of avoidance and probability):
C: CA < CB < CC < CD
F: FA < FB
P: PA < PB
W: W1 < W2 < W3
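The risk graph above, as a worked example added to this page (it is not code from the CEFRIEL deck). It encodes the IEC 61508-5 Annex D example graph with one rule: starting at X1, every step to a worse C, F or P level moves the path one row down (CA goes straight to X1, and branches with the same combined severity merge), and the W column then applies the integrity level shift. The level names, the row rule and the sample hazards are assumptions of this example.

```python
"""IEC 61508-5 style risk graph: (C, F, P, W) -> required SIL.

Added example, not part of the original deck. Level names, the row rule and
the sample hazards below are assumptions chosen to reproduce the Annex D graph.
"""

# Ordinal value of each parameter level; higher is worse / more likely.
C_LEVELS = {"CA": 0, "CB": 1, "CC": 2, "CD": 3}   # consequence
F_LEVELS = {"FA": 0, "FB": 1}                     # frequency / exposure time
P_LEVELS = {"PA": 0, "PB": 1}                     # possibility of failing to avoid
W_LEVELS = {"W1": 0, "W2": 1, "W3": 2}            # probability of unwanted occurrence

# Output read in the W3 column for rows X1..X6.
# "a": no special safety requirements; "b": a single E/E/PE system is not
# sufficient; "---": no safety requirements.
W3_COLUMN = ["a", "SIL 1", "SIL 2", "SIL 3", "SIL 4", "b"]


def risk_graph_row(c: str, f: str, p: str) -> int:
    """Row X1..X6 (returned as 1..6) reached from Start for the given levels."""
    if c not in C_LEVELS or f not in F_LEVELS or p not in P_LEVELS:
        raise ValueError(f"unknown parameter level in ({c}, {f}, {p})")
    if c == "CA":                      # CA has no F/P branching in the graph
        return 1
    return 1 + C_LEVELS[c] + F_LEVELS[f] + P_LEVELS[p]


def required_sil(c: str, f: str, p: str, w: str) -> str:
    """Result for the W column: W3 reads the column as-is, W2 and W1 shift the
    outcome one and two steps towards 'no requirements' (the integrity level
    'shift' that credits other risk reduction facilities)."""
    if w not in W_LEVELS:
        raise ValueError(f"unknown W level {w!r}")
    row = risk_graph_row(c, f, p)
    idx = (row - 1) - (2 - W_LEVELS[w])
    return W3_COLUMN[idx] if idx >= 0 else "---"


def assess(hazards):
    """Run the risk graph over hazard records; returns (name, row, result) tuples."""
    return [
        (h["name"], risk_graph_row(h["C"], h["F"], h["P"]),
         required_sil(h["C"], h["F"], h["P"], h["W"]))
        for h in hazards
    ]


# Constructed hazardous events for illustration; not from a real assessment.
SAMPLE_HAZARDS = [
    {"name": "minor injury, whatever the exposure", "C": "CA", "F": "FB", "P": "PB", "W": "W3"},
    {"name": "serious injury, frequent exposure, hard to avoid", "C": "CC", "F": "FB", "P": "PB", "W": "W3"},
    {"name": "same hazard, but a mechanical guard lowers W to W1", "C": "CC", "F": "FB", "P": "PB", "W": "W1"},
    {"name": "worst consequence, permanent exposure, unavoidable", "C": "CD", "F": "FB", "P": "PB", "W": "W3"},
]

if __name__ == "__main__":
    for name, row, result in assess(SAMPLE_HAZARDS):
        print(f"{name:55s} X{row} -> {result}")
```

Two points worth keeping when you implement a calibrated graph: treat "b" as a design finding (one E/E/PE safety-related system cannot carry the required risk reduction, so further systems or external measures are needed) rather than silently capping it at SIL 4, and only claim a lower W when the other risk reduction facility it credits is actually independent of the E/E/PE system being rated.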
HRA acc. to ISO 26262 - SEVERITY
Hazard & Risk Analysis
Class S0 S1 S2 S3
Reference for
single injuries
(from AIS scale)
Maximum AIS 0
Damage that cannot be
classified safety-related,
e.g. bumps with roadside
infrastructure
Maximum AIS 1-2
more than 10%
probability of
AIS 1-6 (and not S2
or S3)
Maximum AIS 3-4
more than 10%
probability of
AIS 3-6 (and not S3)
Maximum AIS 5-6
more than 10%
probability of
AIS 5-6
AIS (Abbreviated Injury Scale): The AIS represents a classification of the severity of injuries and is
issued by AAAM (Association for the Advancement of Automotive Medicine):
• AIS 0: no injuries.
• AIS 1: light injuries such as skin-deep wounds, muscle pains, whiplash etc.
• AIS 2: moderate injuries such as deep flesh wounds, concussion with up to 15 minutes of unconsciousness, …
• AIS 3: severe but not life-threatening injuries such as skull fractures without brain injury, spinal dislocations
below the fourth cervical vertebra without damage to the spinal cord, …
• AIS 4: severe injuries (life-threatening, survival probable) such as concussion with or without skull fractures with
up to 12 hours of unconsciousness, paradoxical breathing.
• AIS 5: critical injuries (life-threatening, survival uncertain) such as spinal fractures below the fourth cervical
vertebra with damage to the spinal cord, more than 12 hours of unconsciousness including intracranial bleeding,…
• AIS 6: extremely critical or fatal injuries such as fractures of the cervical vertebrae above the third cervical
vertebra with damage to the spinal cord, extremely critical open wounds of body cavities (thoracic and abdominal
cavities),…
HRA acc. to ISO 26262 – SEVERITY (Informative examples)
Hazard & Risk Analysis
Class S0 (informative examples)
• Pushing over roadside infrastructure
• Light collision
• Light grazing damage
• Damage while entering or leaving a parking space
• Leaving the road without collision or rollover
Classes S1 / S2 / S3 (informative examples, by type of collision)
• Side collision, e.g. crashing into a tree: S1 Δv < 15 km/h; S2 15 < Δv < 25 km/h; S3 Δv > 25 km/h
• Side collision with a passenger car: S1 Δv < 15 km/h; S2 15 < Δv < 35 km/h; S3 Δv > 35 km/h
• Rear/front collision between two passenger cars: S1 Δv < 20 km/h; S2 20 < Δv < 40 km/h; S3 Δv > 40 km/h
• Other collisions: S1 scrape collision with little vehicle-to-vehicle overlap; S2 roof or side collision with considerable deformation
• Under-riding a truck: S2 without deformation of the passenger cell; S3 with deformation of the passenger cell
• Pedestrian/bicycle accident: S2 e.g. during a turning manoeuvre inside a built-up area; S3 outside a built-up area
HRA acc. to ISO 26262 – EXPOSURE
Hazard & Risk Analysis
Classes of probability of exposure regarding duration/probability of exposure in initial situations
(ISO 26262-3 numbers the exposure classes E1 to E4; E0 denotes an incredible situation, to which no ASIL is assigned)

Class   Description             Definition of duration / probability of exposure
E1      Very low probability    Not specified
E2      Low probability         < 1% of average operating time
E3      Medium probability      1% - 10% of average operating time
E4      High probability        > 10% of average operating time

Informative examples
• E1: -
• E2: Pulling a trailer; Driving with roof rack; Driving on a mountain pass with unsecured steep slope
• E3: Snow and ice; Driving backwards; Fuelling; Overtaking; Car wash; Tunnels; Hill hold
• E4: Night driving on roads without streetlights; Wet roads; Congestion; Accelerating; Braking; Steering; Parking; Driving on highways; Driving on secondary roads; City driving
HRA acc. to ISO 26262 – EXPOSURE
Hazard & Risk Analysis
Classes of probability of exposure regarding frequency in initial situations
(class numbering E1 to E4 as in ISO 26262-3)

Class   Description             Definition of frequency of exposure
E1      Very low probability    Situations that occur less often than once a year for the great majority of drivers
E2      Low probability         Situations that occur a few times a year for the great majority of drivers
E3      Medium probability      Situations that occur once a month or more often for an average driver
E4      High probability        All situations that occur during almost every drive on average

Informative examples
• E1: Stop at a railway crossing which requires a restart of the engine; Towing; Jump start
• E2: Pulling a trailer, driving with roof rack; Driving on a mountain pass with unsecured steep slope; Driving situation with deviation from the desired path; Snow and ice
• E3: Fuelling; Overtaking; Tunnels; Hill hold; Car wash; Wet roads; Congestion
• E4: Starting; Shifting gears; Accelerating; Braking; Steering; Using indicators; Parking; Driving backwards
HRA acc. to ISO 26262 – CONTROLLABILITY
Hazard & Risk Analysis
Class   Description                              Definition
C0      Controllable in general                  Controllable in general
C1      Simply controllable                      99% or more of all drivers or other traffic participants are usually able to avoid a specific harm
C2      Normally controllable                    90% or more of all drivers or other traffic participants are usually able to avoid a specific harm
C3      Difficult to control or uncontrollable   Less than 90% of all drivers or other traffic participants are usually able, or barely able, to avoid a specific harm

Informative examples
• C0: Unexpected increase in radio volume; Situations that are considered distracting; Unavailability of a driver assisting system
• C1: When starting the vehicle with a locked steering column, the car can be brought to a stop by almost all drivers early enough to avoid a specific harm to persons nearby; Faulty adjustment of seats while driving can be controlled by almost all drivers by bringing the vehicle to a stop
• C2: Avoid departing from the lane in case of a failure of ABS during emergency braking; Avoid departing from the lane in case of a motor failure at high lateral acceleration (motorway exit); Bring the vehicle to a stop in case of a total lighting failure at medium or high speed on an unlighted country road without departing from the lane in an uncontrolled manner; Avoid hitting an unlit vehicle on an unlit country road
• C3: Wrong steering with high angular speed at medium or high vehicle speed can hardly be controlled by the driver; Cannot avoid departing from the lane on snow or ice on a bend in case of a failure of ABS during emergency braking; Cannot bring the vehicle to a stop if a total loss of braking performance occurs; In the case of faulty airbag release at high or moderate vehicle speed, the driver usually cannot prevent the vehicle from departing from the lane
HRA acc. to ISO 26262 – RISK MATRIX
Hazard & Risk Analysis
Note: If a hazard is assigned to Severity class S0, Controllability class C0 or Exposure class E0, no ASIL (SIL)
assignment is required; otherwise the ASIL follows from the combination of the S, E and C classes.
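The S / E / C classification above turned into a small HARA evaluator, added here as a worked example (not code from the CEFRIEL deck). The ASIL table of ISO 26262-3 (S1..S3 × E1..E4 × C1..C3) is equivalent to the closed form used below: with the class numbers as integers, S + E + C = 7 gives ASIL A, 8 gives B, 9 gives C, 10 gives D, and anything lower is QM; S0, E0 or C0 means no ASIL is assigned. The roll-up of several operational situations to one safety goal, and the hazard records, are assumptions of this example.

```python
"""ISO 26262-3 HARA: (S, E, C) -> ASIL, evaluated over a list of hazardous events.

Added example, not part of the original deck. The closed form S + E + C is an
exact restatement of the ISO 26262-3 ASIL table; the event records are constructed.
"""
import re

_CLASS = re.compile(r"^([SEC])(\d)$")
_MAX = {"S": 3, "E": 4, "C": 3}          # E runs to 4 in ISO 26262-3; S and C to 3
_ASIL_BY_SUM = {7: "A", 8: "B", 9: "C", 10: "D"}
ASIL_ORDER = ["no ASIL", "QM", "A", "B", "C", "D"]   # lowest to highest


def parse_class(label: str, kind: str) -> int:
    """'S2' with kind 'S' -> 2; rejects wrong parameter letters and out-of-range classes."""
    m = _CLASS.match(label)
    if not m or m.group(1) != kind or int(m.group(2)) > _MAX[kind]:
        raise ValueError(f"invalid {kind} class label {label!r}")
    return int(m.group(2))


def determine_asil(s: str, e: str, c: str) -> str:
    """Return 'QM', 'A'..'D', or 'no ASIL' when any parameter is class 0."""
    sv, ev, cv = parse_class(s, "S"), parse_class(e, "E"), parse_class(c, "C")
    if 0 in (sv, ev, cv):
        return "no ASIL"
    return _ASIL_BY_SUM.get(sv + ev + cv, "QM")


def highest_asil(asils):
    """Pick the most demanding ASIL from an iterable of ASIL strings."""
    return max(asils, key=ASIL_ORDER.index)


def hara(hazardous_events):
    """Evaluate every (hazard, situation, S, E, C) record and roll the results
    up per hazard: the safety goal inherits the highest ASIL over its situations.
    Returns (per_event list of (hazard, situation, asil), per_hazard dict)."""
    per_event, per_hazard = [], {}
    for ev in hazardous_events:
        asil = determine_asil(ev["S"], ev["E"], ev["C"])
        per_event.append((ev["hazard"], ev["situation"], asil))
        per_hazard[ev["hazard"]] = highest_asil([per_hazard.get(ev["hazard"], "no ASIL"), asil])
    return per_event, per_hazard


# Constructed sample events, illustrative only (not a real vehicle assessment).
SAMPLE_EVENTS = [
    {"hazard": "unintended full braking", "situation": "city driving", "S": "S2", "E": "E4", "C": "C3"},
    {"hazard": "unintended full braking", "situation": "parking",      "S": "S0", "E": "E4", "C": "C1"},
    {"hazard": "loss of braking",         "situation": "highway",      "S": "S3", "E": "E4", "C": "C3"},
    {"hazard": "loss of braking",         "situation": "car wash",     "S": "S1", "E": "E3", "C": "C2"},
    {"hazard": "radio volume jumps",      "situation": "any",          "S": "S1", "E": "E4", "C": "C0"},
]

if __name__ == "__main__":
    events, goals = hara(SAMPLE_EVENTS)
    for hazard, situation, asil in events:
        print(f"{hazard:25s} {situation:14s} -> {asil}")
    for hazard, asil in goals.items():
        print(f"safety goal for '{hazard}': ASIL {asil}")
```

The validation in parse_class matters more than it looks: a spreadsheet that lets "E5" or a swapped "C4" through will quietly produce a higher or lower ASIL than the standard allows, and the roll-up step is where a single overlooked situation (highway at S3/E4/C3) drives the safety goal to ASIL D even though most situations for the same hazard rate QM.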
What follows once the required SIL has been assessed
Hazard & Risk Analysis
• Based on the required Safety Integrity Level
– Different requirements on the design and the process apply
– Different techniques and measures should be used
• Requirements on the integrity of HW
• Requirements on the integrity of SW
– Requirements on SW design and development (architecture, support tools,
programming language, code implementation, testing, ...)
– Requirements on SW diagnostics to achieve the required HW integrity
• Target failure measures per SIL (IEC 61508):

SIL   Low demand mode of operation             High demand / continuous mode of operation   Equivalent dangerous failure rate
      (PFD: average probability of failure     (PFH: probability of failure per hour)       (1 FIT = 10^-9 failures per hour)
      on demand), e.g. airbag                  e.g. brake / steer by wire
1     10^-2 ≤ PFD < 10^-1                      10^-6 ≤ PFH < 10^-5                          1,000 ≤ FIT < 10,000
2     10^-3 ≤ PFD < 10^-2                      10^-7 ≤ PFH < 10^-6                          100 ≤ FIT < 1,000
3     10^-4 ≤ PFD < 10^-3                      10^-8 ≤ PFH < 10^-7                          10 ≤ FIT < 100
4     10^-5 ≤ PFD < 10^-4                      10^-9 ≤ PFH < 10^-8                          1 ≤ FIT < 10
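The target failure measures in the table, as a worked example added to this page (not code from the CEFRIEL deck): it bands a PFD, PFH or FIT value into the SIL whose target it satisfies, and shows how the proof-test interval moves a simple single-channel (1oo1) low-demand loop across the SIL 2 / SIL 3 boundary. The band limits are those quoted on the slide; the 1oo1 estimate PFDavg ≈ λ_DU · T1 / 2 (dangerous undetected failure rate times half the proof-test interval, repair time ignored) is the simplified IEC 61508-6 formula and, together with the sample failure rates, an assumption of this example.

```python
"""Band a failure measure into an IEC 61508 SIL and size a proof-test interval.

Added example, not part of the original deck. Band limits follow the target
failure measures quoted on the slide; the 1oo1 PFDavg formula is the
simplified IEC 61508-6 estimate and the failure rates are made up.
"""
import math

FIT = 1e-9  # one FIT is 10^-9 failures per hour

# (SIL, lower bound inclusive, upper bound exclusive), best SIL first.
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]  # low demand
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]  # high demand


def _band(value: float, bands) -> int:
    """SIL whose band contains value; 0 if worse than SIL 1, 4 if better than the SIL 4 band
    (SIL 4 is the top of the scale, so a lower value still only claims SIL 4)."""
    if not (math.isfinite(value) and value > 0):
        raise ValueError("failure measure must be a positive finite number")
    if value >= bands[-1][2]:
        return 0
    if value < bands[0][1]:
        return 4
    for sil, lo, hi in bands:
        if lo <= value < hi:
            return sil
    raise AssertionError("unreachable: bands are contiguous")


def sil_for_pfd(pfd: float) -> int:
    """Low-demand SIL supported by an average probability of failure on demand."""
    return _band(pfd, PFD_BANDS)


def sil_for_pfh(pfh: float) -> int:
    """High-demand / continuous SIL supported by a probability of failure per hour."""
    return _band(pfh, PFH_BANDS)


def sil_for_fit(fit: float) -> int:
    """Dangerous failure rate in FIT -> high-demand SIL (PFH = FIT * 1e-9)."""
    return sil_for_pfh(fit * FIT)


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Simplified IEC 61508-6 estimate for a single channel with no redundancy."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def max_proof_test_interval_1oo1(lambda_du_per_hour: float, target_sil: int) -> float:
    """Proof-test interval (hours) at which a 1oo1 loop reaches the upper edge of the
    target SIL's PFD band; the real interval must be strictly shorter."""
    upper = {sil: hi for sil, _, hi in PFD_BANDS}[target_sil]
    return 2.0 * upper / lambda_du_per_hour


if __name__ == "__main__":
    lam = 500 * FIT  # assumed dangerous undetected failure rate: 500 FIT = 5e-7 /h
    for hours in (730, 8760):  # monthly vs yearly proof test
        pfd = pfd_avg_1oo1(lam, hours)
        print(f"T1 = {hours:5d} h: PFDavg = {pfd:.2e} -> SIL {sil_for_pfd(pfd)}")
    print(f"SIL 3 needs T1 < {max_proof_test_interval_1oo1(lam, 3):.0f} h")
```

Note that the same 500 FIT device lands in SIL 2 with a yearly proof test and in SIL 3 with a monthly one, without any change to the hardware: the claimed SIL is a property of the loop and its maintenance regime, not of the component alone, which is why a supplier's "SIL 3 capable" label should be read together with the proof-test interval it assumes.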
Training Course: An introduction to Functional Safety
• Basic course on Functional Safety (2 days)
• Info:
• Web: www.cefriel.it
• Mail: dk@cefriel.it
• Tel: 02.239541
For any request related to Functional Safety area:
• ENRICO SILANI
• Mail: enrico.silani@cefriel.com
Functional Safety, high demand/low demand mode med fokus på de funktioner, so...InfinIT - Innovationsnetværket for it
 
Safety of machinery - Application of standard EN ISO 13849-1
Safety of machinery - Application of standard EN ISO 13849-1Safety of machinery - Application of standard EN ISO 13849-1
Safety of machinery - Application of standard EN ISO 13849-1dnunez1984
 
Safety of machinery
Safety of machinerySafety of machinery
Safety of machineryVo Quoc Hieu
 
Comparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment ToolsComparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment ToolsIRJET Journal
 
20140121 cisec-safety criticalsoftwaredevelopment
20140121 cisec-safety criticalsoftwaredevelopment20140121 cisec-safety criticalsoftwaredevelopment
20140121 cisec-safety criticalsoftwaredevelopmentCISEC
 
ARRL: A Criterion for Composable Safety and Systems Engineering
ARRL: A Criterion for Composable Safety and Systems EngineeringARRL: A Criterion for Composable Safety and Systems Engineering
ARRL: A Criterion for Composable Safety and Systems EngineeringVincenzo De Florio
 
Vijeo citect quick start tutorial - part 1 ver d
Vijeo citect   quick start tutorial - part 1 ver dVijeo citect   quick start tutorial - part 1 ver d
Vijeo citect quick start tutorial - part 1 ver dAbdul Budiman
 
How to Achieve Functional Safety in Safety-Citical Embedded Systems
How to Achieve Functional Safety in Safety-Citical Embedded SystemsHow to Achieve Functional Safety in Safety-Citical Embedded Systems
How to Achieve Functional Safety in Safety-Citical Embedded Systemsevatjohnson
 
How to Achieve Functional Safety in Safety-Critical Embedded Systems
How to Achieve Functional Safety in Safety-Critical Embedded SystemsHow to Achieve Functional Safety in Safety-Critical Embedded Systems
How to Achieve Functional Safety in Safety-Critical Embedded SystemsIntland Software GmbH
 

Similar to Embedded & ic - fs risk analysis (20)

Sil explained in valve actuators
Sil explained in valve actuatorsSil explained in valve actuators
Sil explained in valve actuators
 
Iec61508 guide
Iec61508 guideIec61508 guide
Iec61508 guide
 
Abb technical guide no.10 revd
Abb technical guide no.10 revdAbb technical guide no.10 revd
Abb technical guide no.10 revd
 
WESPr 18 presentation slides CAV Taguchi
WESPr 18 presentation slides CAV TaguchiWESPr 18 presentation slides CAV Taguchi
WESPr 18 presentation slides CAV Taguchi
 
Introduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL CertificationIntroduction to Functional Safety and SIL Certification
Introduction to Functional Safety and SIL Certification
 
Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013
 
Sis training course_1
Sis training course_1Sis training course_1
Sis training course_1
 
Functional-Safety-Overview-UL.ppt
Functional-Safety-Overview-UL.pptFunctional-Safety-Overview-UL.ppt
Functional-Safety-Overview-UL.ppt
 
Functional Safety, high demand/low demand mode med fokus på de funktioner, so...
Functional Safety, high demand/low demand mode med fokus på de funktioner, so...Functional Safety, high demand/low demand mode med fokus på de funktioner, so...
Functional Safety, high demand/low demand mode med fokus på de funktioner, so...
 
Mynd company presentation
Mynd   company presentationMynd   company presentation
Mynd company presentation
 
Safety system
Safety systemSafety system
Safety system
 
Vortrag LWS Schweiz
Vortrag LWS SchweizVortrag LWS Schweiz
Vortrag LWS Schweiz
 
Safety of machinery - Application of standard EN ISO 13849-1
Safety of machinery - Application of standard EN ISO 13849-1Safety of machinery - Application of standard EN ISO 13849-1
Safety of machinery - Application of standard EN ISO 13849-1
 
Safety of machinery
Safety of machinerySafety of machinery
Safety of machinery
 
Comparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment ToolsComparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment Tools
 
20140121 cisec-safety criticalsoftwaredevelopment
20140121 cisec-safety criticalsoftwaredevelopment20140121 cisec-safety criticalsoftwaredevelopment
20140121 cisec-safety criticalsoftwaredevelopment
 
ARRL: A Criterion for Composable Safety and Systems Engineering
ARRL: A Criterion for Composable Safety and Systems EngineeringARRL: A Criterion for Composable Safety and Systems Engineering
ARRL: A Criterion for Composable Safety and Systems Engineering
 
Vijeo citect quick start tutorial - part 1 ver d
Vijeo citect   quick start tutorial - part 1 ver dVijeo citect   quick start tutorial - part 1 ver d
Vijeo citect quick start tutorial - part 1 ver d
 
How to Achieve Functional Safety in Safety-Citical Embedded Systems
How to Achieve Functional Safety in Safety-Citical Embedded SystemsHow to Achieve Functional Safety in Safety-Citical Embedded Systems
How to Achieve Functional Safety in Safety-Citical Embedded Systems
 
How to Achieve Functional Safety in Safety-Critical Embedded Systems
How to Achieve Functional Safety in Safety-Critical Embedded SystemsHow to Achieve Functional Safety in Safety-Critical Embedded Systems
How to Achieve Functional Safety in Safety-Critical Embedded Systems
 

More from Cefriel

How to assess Social Engineering 2.0 attacks using SDVAs. The experience of t...
How to assess Social Engineering 2.0 attacks using SDVAs. The experience of t...How to assess Social Engineering 2.0 attacks using SDVAs. The experience of t...
How to assess Social Engineering 2.0 attacks using SDVAs. The experience of t...Cefriel
 
Social media e istituzioni culturali
Social media e istituzioni culturaliSocial media e istituzioni culturali
Social media e istituzioni culturaliCefriel
 
BotDCAT-AP: An Extension of the DCAT Application Profile for Describing Datas...
BotDCAT-AP: An Extension of the DCAT Application Profile for Describing Datas...BotDCAT-AP: An Extension of the DCAT Application Profile for Describing Datas...
BotDCAT-AP: An Extension of the DCAT Application Profile for Describing Datas...Cefriel
 
Infrastrutture, piattaforme digitali e nuovi ecosistemi
Infrastrutture, piattaforme digitali e nuovi ecosistemiInfrastrutture, piattaforme digitali e nuovi ecosistemi
Infrastrutture, piattaforme digitali e nuovi ecosistemiCefriel
 
Il ruolo delle API per lo sviluppo di nuovi Ecosistemi Digitali
Il ruolo delle API per lo sviluppo di nuovi Ecosistemi DigitaliIl ruolo delle API per lo sviluppo di nuovi Ecosistemi Digitali
Il ruolo delle API per lo sviluppo di nuovi Ecosistemi DigitaliCefriel
 
Le politiche per l'innovazione
Le politiche per l'innovazioneLe politiche per l'innovazione
Le politiche per l'innovazioneCefriel
 
Gamification e risk checklist applicati ai processi di identificazione e anal...
Gamification e risk checklist applicati ai processi di identificazione e anal...Gamification e risk checklist applicati ai processi di identificazione e anal...
Gamification e risk checklist applicati ai processi di identificazione e anal...Cefriel
 
Success and Impact in Innovation Programs
Success and Impact in Innovation ProgramsSuccess and Impact in Innovation Programs
Success and Impact in Innovation ProgramsCefriel
 
Bridging the Gap between Research and Industrial Practice
Bridging the Gap between Research and Industrial PracticeBridging the Gap between Research and Industrial Practice
Bridging the Gap between Research and Industrial PracticeCefriel
 
Deployment and Enactment - CHOReVOLUTION
Deployment and Enactment - CHOReVOLUTIONDeployment and Enactment - CHOReVOLUTION
Deployment and Enactment - CHOReVOLUTIONCefriel
 
Mobi health2016 - Driving forces shaping healthcare
Mobi health2016 - Driving forces shaping healthcareMobi health2016 - Driving forces shaping healthcare
Mobi health2016 - Driving forces shaping healthcareCefriel
 
Safer security day 2016
Safer security day 2016Safer security day 2016
Safer security day 2016Cefriel
 
La chiusura del cerchio
La chiusura del cerchioLa chiusura del cerchio
La chiusura del cerchioCefriel
 
Dai trend futuribili alle applicazioni concrete
Dai trend futuribili alle applicazioni concreteDai trend futuribili alle applicazioni concrete
Dai trend futuribili alle applicazioni concreteCefriel
 
Inno vision paper: digital media e istituzioni culturali
Inno vision paper: digital media e istituzioni culturaliInno vision paper: digital media e istituzioni culturali
Inno vision paper: digital media e istituzioni culturaliCefriel
 
DeepSec: Social driven vulnerability assessment
DeepSec: Social driven vulnerability assessmentDeepSec: Social driven vulnerability assessment
DeepSec: Social driven vulnerability assessmentCefriel
 
CEFRIEL General meeting 2014
CEFRIEL General meeting 2014CEFRIEL General meeting 2014
CEFRIEL General meeting 2014Cefriel
 
Modelli e percorsi di Innovazione nelle imprese
Modelli e percorsi di Innovazione nelle impreseModelli e percorsi di Innovazione nelle imprese
Modelli e percorsi di Innovazione nelle impreseCefriel
 
Alto Apprendistato
Alto ApprendistatoAlto Apprendistato
Alto ApprendistatoCefriel
 
IOE: Time to act
IOE: Time to actIOE: Time to act
IOE: Time to actCefriel
 

More from Cefriel (20)

How to assess Social Engineering 2.0 attacks using SDVAs. The experience of t...
How to assess Social Engineering 2.0 attacks using SDVAs. The experience of t...How to assess Social Engineering 2.0 attacks using SDVAs. The experience of t...
How to assess Social Engineering 2.0 attacks using SDVAs. The experience of t...
 
Social media e istituzioni culturali
Social media e istituzioni culturaliSocial media e istituzioni culturali
Social media e istituzioni culturali
 
BotDCAT-AP: An Extension of the DCAT Application Profile for Describing Datas...
BotDCAT-AP: An Extension of the DCAT Application Profile for Describing Datas...BotDCAT-AP: An Extension of the DCAT Application Profile for Describing Datas...
BotDCAT-AP: An Extension of the DCAT Application Profile for Describing Datas...
 
Infrastrutture, piattaforme digitali e nuovi ecosistemi
Infrastrutture, piattaforme digitali e nuovi ecosistemiInfrastrutture, piattaforme digitali e nuovi ecosistemi
Infrastrutture, piattaforme digitali e nuovi ecosistemi
 
Il ruolo delle API per lo sviluppo di nuovi Ecosistemi Digitali
Il ruolo delle API per lo sviluppo di nuovi Ecosistemi DigitaliIl ruolo delle API per lo sviluppo di nuovi Ecosistemi Digitali
Il ruolo delle API per lo sviluppo di nuovi Ecosistemi Digitali
 
Le politiche per l'innovazione
Le politiche per l'innovazioneLe politiche per l'innovazione
Le politiche per l'innovazione
 
Gamification e risk checklist applicati ai processi di identificazione e anal...
Gamification e risk checklist applicati ai processi di identificazione e anal...Gamification e risk checklist applicati ai processi di identificazione e anal...
Gamification e risk checklist applicati ai processi di identificazione e anal...
 
Success and Impact in Innovation Programs
Success and Impact in Innovation ProgramsSuccess and Impact in Innovation Programs
Success and Impact in Innovation Programs
 
Bridging the Gap between Research and Industrial Practice
Bridging the Gap between Research and Industrial PracticeBridging the Gap between Research and Industrial Practice
Bridging the Gap between Research and Industrial Practice
 
Deployment and Enactment - CHOReVOLUTION
Deployment and Enactment - CHOReVOLUTIONDeployment and Enactment - CHOReVOLUTION
Deployment and Enactment - CHOReVOLUTION
 
Mobi health2016 - Driving forces shaping healthcare
Mobi health2016 - Driving forces shaping healthcareMobi health2016 - Driving forces shaping healthcare
Mobi health2016 - Driving forces shaping healthcare
 
Safer security day 2016
Safer security day 2016Safer security day 2016
Safer security day 2016
 
La chiusura del cerchio
La chiusura del cerchioLa chiusura del cerchio
La chiusura del cerchio
 
Dai trend futuribili alle applicazioni concrete
Dai trend futuribili alle applicazioni concreteDai trend futuribili alle applicazioni concrete
Dai trend futuribili alle applicazioni concrete
 
Inno vision paper: digital media e istituzioni culturali
Inno vision paper: digital media e istituzioni culturaliInno vision paper: digital media e istituzioni culturali
Inno vision paper: digital media e istituzioni culturali
 
DeepSec: Social driven vulnerability assessment
DeepSec: Social driven vulnerability assessmentDeepSec: Social driven vulnerability assessment
DeepSec: Social driven vulnerability assessment
 
CEFRIEL General meeting 2014
CEFRIEL General meeting 2014CEFRIEL General meeting 2014
CEFRIEL General meeting 2014
 
Modelli e percorsi di Innovazione nelle imprese
Modelli e percorsi di Innovazione nelle impreseModelli e percorsi di Innovazione nelle imprese
Modelli e percorsi di Innovazione nelle imprese
 
Alto Apprendistato
Alto ApprendistatoAlto Apprendistato
Alto Apprendistato
 
IOE: Time to act
IOE: Time to actIOE: Time to act
IOE: Time to act
 

Recently uploaded

How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17Celine George
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxiammrhaywood
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptxraviapr7
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxMYDA ANGELICA SUAN
 
Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830Dave Phillips
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and stepobaje godwin sunday
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxSaurabhParmar42
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxKatherine Villaluna
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptxmary850239
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...raviapr7
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxDr. Santhosh Kumar. N
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 
How to Print Employee Resume in the Odoo 17
How to Print Employee Resume in the Odoo 17How to Print Employee Resume in the Odoo 17
How to Print Employee Resume in the Odoo 17Celine George
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17Celine George
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17Celine George
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxEduSkills OECD
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfMohonDas
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17Celine George
 

Recently uploaded (20)

How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptx
 
Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830Latin American Revolutions, c. 1789-1830
Latin American Revolutions, c. 1789-1830
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and step
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptx
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptx
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptx
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 
How to Print Employee Resume in the Odoo 17
How to Print Employee Resume in the Odoo 17How to Print Employee Resume in the Odoo 17
How to Print Employee Resume in the Odoo 17
 
Finals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quizFinals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quiz
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
 
Prelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quizPrelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quiz
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdf
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17
 

Embedded & ic - fs risk analysis

  • 7. FUNCTIONAL SAFETY: (Brief) Introduction December 2011 © copyright CEFRIEL 2013| All rights reserved | Milano, Italy April 23, 2013
  • 8. © copyright CEFRIEL 2013| All rights reserved | Milano, Italy Introduction to Functional Safety What is Functional Safety? What is Functional Safety about? • IEC 61508 Definition: • Safety is the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment. • Risk is a combination of the probability of occurrence of harm and the severity of that harm. • Functional Safety is part of the overall safety that depends on a system or equipment operating correctly (i.e. perform a safety function) in response to its inputs. • Functional Safety is thus about achieving “absence of unreasonable risk due to hazards (potential source of harm) caused by malfunctioning behavior of the electrical/electronic/programmable electronic (E/E/PE) systems”. • Failures are the main impairment to safety: • Systematic Failures: failure related in a deterministic way to a certain cause that can only be eliminated by a change of the design or of the manufacturing process, operational procedures, documentation or other relevant factors  ROBUST PROCESS • Random HW Failures: failure that can occur unpredictably during the lifetime of a hardware element and that follow a probability distribution  ROBUST DESIGN April 23, 2013
  • 9. © copyright CEFRIEL 2013| All rights reserved | Milano, Italy Functional Safety standards INDUSTRIAL AUTOMATION [IEC 61508] MEDICAL [IEC 60601, IEC 62304] PROCESS INDUSTRY [IEC 61511] TRANSPORTATION [EN 50126. EN 50128, EN 50129] MACHINERY [IEC 62061] NUCLEAR [IEC 61513, IEC 60880, IEC 60987, IEC 61226] AUTOMOTIVE [ISO 26262] Introduction to Functional Safety April 23, 2013
  • 10. © copyright CEFRIEL 2013| All rights reserved | Milano, Italy Risk Reduction Introduction to Functional Safety • The risk emerging from the EUC (Equipment Under Control) is classified according to its tolerability • A risk is at a tolerable level, if the involved persons (the society) can accept it • Standards and rules describe methods to determine the limits of acceptance • If such a risk is not tolerable, it must be reduced by means of suitable measures (standards and rules describe measures to reduce risk to an accepted level): • E/E/PE measures • Other technology measures (e.g., mechanic, hydraulic, …) • External risk reduction measures or facilities (e.g., instructions, labels, safety fences, …) Rising Risk Necessary risk reduction Actual risk reduction Non tolerable riskResidual risk Tolerable risk Partial risk covered by other technology Partial risk covered by E/E/PE measures Partial risk covered by external measures Risk reduction achieved by all safety-related systems and external risk reduction facilities April 23, 2013
  • 11. © copyright CEFRIEL 2013| All rights reserved | Milano, Italy Risk Reduction - Example Introduction to Functional Safety Rising RiskNecessary risk reduction Actual risk reduction Non tolerable riskResidual risk Tolerable risk Partial risk covered by other technology Partial risk covered by external measures Partial risk covered by other technology Partial risk covered by E/E/PE measures Partial risk covered by external measures Partial risk covered by E/E/PE measures Partial risk covered by external measures SYSTEM CONVENTIONAL BRAKE (mechanics, hydraulics) ELECTRO HYDRAULIC BRAKE (hydraulic backup) ELECTRO MECHANIC BRAKE (no hydraulic backup) April 23, 2013
  • 12. © copyright CEFRIEL 2013| All rights reserved | Milano, Italy Safety Function vs Safety Integrity Introduction to Functional Safety • Key Concepts in IEC 61508 standard are RISK and SAFETY FUNCTION • Risk is a function of frequency (or likelihood) of the hazardous event and the event consequence severity • Risk is reduced to a tolerable level by applying safety function. • The SIL (Safety Integrity Level) is the measure of the “risk reduction level” of the Safety Function. SAFETY FUNCTION SAFETY INTEGRITY Function, which is intended to achieve or maintain a safe state for the equipment under control (EUC) in respect to a specific hazardous event. • Probability of a safety-related system satisfactorily performing the required safety function under all stated conditions within a stated period of time (process safety time) • Four Level of safety integrity (SIL 1 to 4) • Consider all causes of failures (random HW faults and systematic failures) which lead to an unsafe state SAFETY-RELATED SYSTEM Designated system that both: • Implements the required safety functions necessary to achieve and maintain a safe state for the EUC • Is intended to achieve, on its own or with other E/E/PE safety-related systems, other technology safety-related systems or external risk reduction facilities, the necessary safety integrity for the required safety functions April 23, 2013
  • 13. © copyright CEFRIEL 2013| All rights reserved | Milano, Italy Safety Integrity Level Introduction to Functional Safety • According to IEC 61508: • The Safety Integrity Level describes the level for the required risk reduction • Scale with 4 levels (SIL 1 to SIL 4): SIL 1 = low, SIL 4 = high • Identification by approved measures (Risk analysis) • Derivation of requirements and measures for the risk reduction depending on the SIL • According to ISO 26262: • The Automotive Safety Integrity Level describes the level for the required risk reduction • Scale with 4 levels (ASIL A to ASIL D): SIL A = low, SIL D = high • Identification by the method proposed in the standard IEC 61508 ISO 26262 - QM SIL 1 ASIL A SIL 2 ASIL B SIL 3 ASIL C ASIL D SIL 4 April 23, 2013
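The following worked example is added here and is not code from the CEFRIEL slides. It ties the layered risk-reduction picture of slide 10 (partial risk covered by other technology, E/E/PE measures and external measures) to the SIL scale of slides 12 and 13: given a hypothetical unmitigated hazardous-event frequency, a tolerable frequency, and the PFDavg of independent non-E/E/PE layers that act first, it derives the PFDavg and risk reduction factor the E/E/PE safety function must provide and the IEC 61508 SIL band that matches. The frequencies and layer PFDs are constructed for the example; the band limits are those of IEC 61508-1 (low-demand PFDavg and high-demand PFH).

```python
"""Required risk reduction and IEC 61508 SIL band for a safety function.

Added example (not from the CEFRIEL slides). Assumed, hypothetical inputs:
  F_np  unmitigated frequency of the hazardous event, events per year
  F_t   tolerable frequency of the hazardous event, events per year
  PFDavg of independent "other technology" / external layers acting first
Band limits: IEC 61508-1 Table 2 (low demand, PFDavg) and Table 3
(high demand / continuous, PFH per hour).
"""
from dataclasses import dataclass
from typing import Optional

# (SIL, lower bound inclusive, upper bound exclusive)
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def sil_for_target(target: float, bands) -> Optional[int]:
    """SIL whose band contains the target failure measure.

    0    : target is looser than the SIL 1 band, no SIL-rated function needed
    None : target is tighter than the SIL 4 band, which a single E/E/PE
           function cannot claim; the risk must be split over further
           independent layers (the slide 10 picture with more columns)
    """
    if target <= 0:
        raise ValueError("target failure measure must be positive")
    if target >= bands[-1][2]:
        return 0
    for sil, lo, hi in bands:
        if lo <= target < hi:
            return sil
    return None


@dataclass
class LowDemandRiskReduction:
    unmitigated_frequency: float    # F_np, hazardous events per year, no protection
    tolerable_frequency: float      # F_t, events per year society accepts
    other_layer_pfds: tuple = ()    # PFDavg of independent non-E/E/PE layers

    def residual_frequency(self) -> float:
        """Frequency still reaching the E/E/PE function after the other
        layers; independence is assumed, so the layer PFDs multiply."""
        f = self.unmitigated_frequency
        for pfd in self.other_layer_pfds:
            f *= pfd
        return f

    def required_pfd(self) -> float:
        """PFDavg the E/E/PE function must meet so residual <= tolerable."""
        return self.tolerable_frequency / self.residual_frequency()

    def required_rrf(self) -> float:
        """Risk reduction factor the E/E/PE function must provide."""
        return 1.0 / self.required_pfd()

    def required_sil(self) -> Optional[int]:
        return sil_for_target(self.required_pfd(), PFD_BANDS)


def sil_for_continuous_mode(tolerable_hazard_rate_per_hour: float) -> Optional[int]:
    """High demand / continuous mode: the tolerable hazard rate is compared
    directly with the PFH bands, there is no demand rate to divide by."""
    return sil_for_target(tolerable_hazard_rate_per_hour, PFH_BANDS)


if __name__ == "__main__":
    # Constructed scenario: one demand every two years, tolerable 1e-5 per year.
    alone = LowDemandRiskReduction(0.5, 1e-5)
    print(f"E/E/PE alone: PFD <= {alone.required_pfd():.1e}, SIL {alone.required_sil()}")
    # Same hazard, but a mechanical layer with PFDavg 0.05 acts first.
    layered = LowDemandRiskReduction(0.5, 1e-5, other_layer_pfds=(0.05,))
    print(f"With other-technology layer: PFD <= {layered.required_pfd():.1e}, "
          f"RRF {layered.required_rrf():.0f}, SIL {layered.required_sil()}")
    print("Continuous mode, tolerable 5e-8/h -> SIL", sil_for_continuous_mode(5e-8))
```

In the constructed scenario the E/E/PE function on its own would need a PFDavg of 2e-5, i.e. SIL 4; adding an independent other-technology layer with PFDavg 0.05 lowers the E/E/PE requirement to 4e-4 (RRF 2500), i.e. SIL 3, which is exactly the shift between the brake systems on slide 11. The layers must be genuinely independent for the multiplication to hold; a common-cause coupling between them invalidates the claim.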
  • 14. © copyright CEFRIEL 2013| All rights reserved | Milano, Italy Development of Safety Function Introduction to Functional Safety • The development of Safety Functions requires the following main steps: • Identify and analyze the risks • Determine the tolerability of each risks • Determine the risk reduction necessary for each intolerable risk • Specify the safety requirements for each risk reduction, including their Safety Integrity Level • Design the Safety Functions to meet the safety requirements • Implement the safety functions • Validate the safety function • The safety lifecycle specifies all aspects related to the development process of safety related systems • Management of the process itself • Definition of system • Specification of the system and sub-systems • Documentation and configuration management • Architectural design • Hardware & software design • Hardware & software development • Test & validation planning • Operation, maintenance and decommissioning planning April 23, 2013
15. Safety Lifecycle according to IEC 61508 (Introduction to Functional Safety)
[Figure: overall safety lifecycle of IEC 61508, phases numbered 1 to 16]
1. Concept
2. Overall scope definition
3. Hazard and risk analysis
4. Overall safety requirements
5. Safety requirements allocation
Overall planning:
6. Overall operation and maintenance planning
7. Overall safety validation planning
8. Overall installation and commissioning planning
Realisation:
9. Safety-related systems: E/E/PE (E/E/PE safety lifecycle, software safety lifecycle)
10. Safety-related systems: other technology
11. External risk reduction facilities
12. Overall installation and commissioning
13. Overall safety validation
14. Overall operation, maintenance and repair
15. Overall modification and retrofit
16. Decommissioning or disposal
16. Safety Lifecycle according to ISO 26262 (Introduction to Functional Safety)
[Figure: overview of the parts and clauses of ISO 26262]
1. Vocabulary
2. Management of functional safety
  2.5 Overall safety management
  2.6 Safety management during item development
  2.7 Safety management after release for production
3. Concept phase
  3.5 Item definition
  3.6 Initiation of the safety lifecycle
  3.7 Hazard analysis and risk assessment
  3.8 Functional safety concept
4. Product development: system level
  4.5 Initiation of product development at system level
  4.6 Specification of the technical safety requirements
  4.7 System design
  4.8 System integration and testing
  4.9 Safety validation
  4.10 Functional safety assessment
  4.11 Release for production
5. Product development: hardware level
  5.5 Initiation of product development at hardware level
  5.6 Specification of hardware safety requirements
  5.7 Hardware design
  5.8 Hardware architectural metrics
  5.9 Evaluation of violation of the safety goal due to hardware random failures
6. Product development: software level
  6.5 Initiation of product development at software level
  6.6 Specification of software safety requirements
  6.7 Software architectural design
  6.8 Software unit design and implementation
  6.9 Software unit testing
  6.10 Software integration and testing
  6.11 Verification of software safety requirements
7. Production and operation
  7.5 Production
  7.6 Operation, service and decommissioning
8. Supporting processes
  8.5 Interfaces within distributed developments
  8.6 Specification & management of safety requirements
  8.7 Configuration management
  8.8 Change management
  8.9 Verification
  8.10 Documentation
  8.11 Qualification of software tools
  8.12 Qualification of software components
  8.13 Qualification of hardware components
  8.14 Proven in use argument
9. ASIL-oriented and safety-oriented analyses
  9.5 Requirement decomposition with respect to ASIL tailoring
  9.6 Criteria for coexistence of elements
  9.7 Analysis of dependent failures
  9.9 Safety analyses
10. Guidelines on ISO 26262 (informative)
17. FUNCTIONAL SAFETY: Hazard & Risk Analysis
18. Hazard Analysis (Hazard & Risk Analysis)
• In order to perform a risk assessment:
  • The hazards (potential sources of harm) of the EUC shall be determined systematically, as well as the event sequences leading to them
  • Techniques that can be used for the extraction of hazards at system level:
    • Brainstorming
    • Checklists
    • Quality history
    • FMEA
    • Fault Tree Analysis (FTA)
    • Event Tree Analysis (ETA)
    • Product metrics
    • Field studies
  • For each identified hazard, risks shall be determined and assessed
  • If a risk is not tolerable, the necessary risk reduction must be evaluated
19. Risk Assessment (Hazard & Risk Analysis)
• In order to determine the necessary level of risk reduction (expressed as SIL, ASIL, …), two reference risk levels must be estimated:
  • The EUC risk, associated with the Equipment Under Control
  • The level of risk considered tolerable
• Risk assessment is the procedure to evaluate the EUC risk
• Risk assessment can be summarised as answering the question "How likely is the EUC to fail and, if it does fail, what is the outcome?" → Frequency × Consequence
• The EUC risk must be assessed independently of the measures adopted to reduce it
• The EUC risk must be assessed separately for each determined hazardous event
• Risk assessment techniques can be:
  • Qualitative: provides a qualitative risk assessment (used mainly in the early risk assessment phase)
  • Semi-quantitative (semi-qualitative): provides discrete risk "levels"
  • Quantitative: provides quantitative risk estimates based on formal mathematical models
• Several techniques can be adopted:
  • ALARP model
  • Risk graph / calibrated risk graph
  • Hazardous event severity matrix
  • Layer of protection analysis (LOPA)
20. ALARP Model (Hazard & Risk Analysis)
• According to this model, risks can be classified into three classes:
  • The risk is so great that it cannot be justified in any ordinary circumstance
  • The risk is, or has been made, so small as to be insignificant
  • The risk falls between the two previous classes and has been reduced to the lowest practicable level
• When the risk falls in the last class, it must be reduced to a level which is "ALARP", i.e. "As Low As Reasonably Practicable"

[Figure: the three ALARP regions]
• Intolerable region: risk cannot be accepted except in extraordinary circumstances
• ALARP region (risk is undertaken only if a benefit is desired): risk is tolerable only if further risk reduction is impracticable or disproportionate to the benefits obtained; the more the risk is reduced, the less must be spent to reduce it further to satisfy ALARP
• Broadly accepted region: negligible risk
22. ALARP Model - Example (Hazard & Risk Analysis)
• As an example, consider the following table, where the risk classes are I (lowest risk), II, III and IV (highest risk):

Frequency \ Consequence | Catastrophic | Critical | Marginal | Negligible
Frequent   | IV  | IV  | IV  | III
Probable   | IV  | IV  | III | II
Occasional | IV  | III | II  | II
Remote     | III | II  | II  | I
Improbable | II  | II  | I   | I
Incredible | I   | I   | I   | I

• The interpretation of the risk classes in terms of the ALARP model might be:

Risk class | ALARP interpretation
I   | Negligible risk
II  | Tolerable risk if the cost of risk reduction would exceed the improvement gained
III | Undesirable risk. Tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained.
IV  | Intolerable risk
23. Risk Graph Method (Hazard & Risk Analysis)
• The risk graph method is based on the following relation: R = function of f and C, where
  • R is the risk with no safety-related systems in place
  • f is the frequency of the hazardous event with no safety-related systems in place
  • C is the consequence of the hazardous event
• The frequency is in turn influenced by:
  • Frequency of, and exposure time in, the hazardous zone
  • Possibility of avoiding the hazardous event
  • Probability of the hazardous event taking place with no safety-related measures in place but with other risk reduction facilities (probability of unwanted occurrence)
• This extends the number of parameters to be considered to four; the right-hand side gives the corresponding ISO 26262 parameter:
  • C = Consequence of the hazardous event → S = Severity
  • F = Frequency and exposure time in the hazardous zone → E = Exposure
  • P = Possibility of failing to avoid the hazardous event → C = Controllability
  • W = Probability of the unwanted occurrence → --- (no ISO 26262 counterpart)
24. Risk Graph Method - Example (Hazard & Risk Analysis)
• The implementation of a risk graph requires:
  • Defining values / levels for each parameter
  • Defining the relations between the parameters and their levels
• The values / levels of the parameters, expressed qualitatively or quantitatively as numbers, must be:
  • Justified on a rigorous and widely accepted basis
  • Agreed with all the parties involved

[Figure: general risk graph. Start → C (CA, CB, CC, CD) → F (FA, FB) → P (PA, PB) → intermediate nodes X1 … X6, whose output is read under the W column in use]
Parameter levels: C: CA < CB < CC < CD; F: FA < FB; P: PA < PB; W: WA < WB < WC

Node | W3    | W2    | W1
X1   | a     | ---   | ---
X2   | SIL 1 | a     | ---
X3   | SIL 2 | SIL 1 | a
X4   | SIL 3 | SIL 2 | SIL 1
X5   | SIL 4 | SIL 3 | SIL 2
X6   | b     | SIL 4 | SIL 3

---: No safety requirements
a: No special safety requirements
b: A single E/E/PE system is not sufficient

• Using different integrity scales, e.g. W1, W2 and W3:
  • Allows accounting explicitly for other risk reduction measures
  • From one scale to another there is an integrity level "shift"
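The risk graph of this slide worked as runnable code, to show how the four parameters reach an intermediate node and how the W scale shifts the resulting integrity level. This is an added example, not code from the CEFRIEL deck; it assumes the branch structure of the IEC 61508-5 general risk graph that the figure reproduces (CA leads straight to X1, every other path ends at X(1 + c + f + p) with c, f, p the zero-based level indices).

```python
"""Risk graph (IEC 61508-5 general scheme) as a lookup: C, F, P, W -> required SIL.

Added example. The branch structure below is an assumption about the figure
on the slide (CA leads straight to X1, every other path ends at
X(1 + c + f + p)); it is not a statement taken from the CEFRIEL deck.
"""

# Parameter levels in increasing order, as on the slide:
# C: CA < CB < CC < CD   F: FA < FB   P: PA < PB   W: W1 < W2 < W3
C_LEVELS = ("CA", "CB", "CC", "CD")
F_LEVELS = ("FA", "FB")
P_LEVELS = ("PA", "PB")
W_LEVELS = ("W1", "W2", "W3")

# The W3 column read from X1 down to X6. Legend from the slide:
#   "a"   no special safety requirements
#   "b"   a single E/E/PE system is not sufficient
#   "---" no safety requirements
W3_COLUMN = ("a", "SIL 1", "SIL 2", "SIL 3", "SIL 4", "b")


def intermediate_node(c: str, f: str, p: str) -> int:
    """Walk from Start to the intermediate node X1..X6 (assumed branch structure).

    tuple.index raises ValueError for a level that is not on the slide.
    """
    ci, fi, pi = C_LEVELS.index(c), F_LEVELS.index(f), P_LEVELS.index(p)
    if ci == 0:
        return 1  # CA: the graph goes straight to X1, F and P are not consulted
    return 1 + ci + fi + pi


def sil_at(x: int, w: str) -> str:
    """Entry of the output table for node Xx under column w.

    Each step from W3 towards W1 moves every entry down one integrity level:
    this is the "integrity level shift" between the W scales.
    """
    if not 1 <= x <= 6:
        raise ValueError(f"no intermediate node X{x}")
    shift = W_LEVELS.index("W3") - W_LEVELS.index(w)  # 0 for W3, 1 for W2, 2 for W1
    row = (x - 1) - shift
    return "---" if row < 0 else W3_COLUMN[row]


def required_sil(c: str, f: str, p: str, w: str) -> str:
    """Required SIL (or a / b / ---) for one hazardous event."""
    return sil_at(intermediate_node(c, f, p), w)


def output_table() -> dict:
    """Complete X1..X6 by W3/W2/W1 table, for cross-checking against the figure."""
    return {f"X{x}": {w: sil_at(x, w) for w in reversed(W_LEVELS)} for x in range(1, 7)}


if __name__ == "__main__":
    for node, cols in output_table().items():
        print(node, "  ".join(f"{w}: {v:5}" for w, v in cols.items()))
    # Same hazardous event (CC, FA, PA -> X3) under the three W scales: SIL 2, SIL 1, a
    for w in ("W3", "W2", "W1"):
        print(w, required_sil("CC", "FA", "PA", w))
```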
25. HRA acc. to ISO 26262 – SEVERITY (Hazard & Risk Analysis)

Class | Reference for single injuries (from AIS scale)
S0 | Maximum AIS 0. Damage that cannot be classified as safety-related, e.g. bumps with roadside infrastructure
S1 | Maximum AIS 1-2; more than 10% probability of AIS 1-6 (and not S2 or S3)
S2 | Maximum AIS 3-4; more than 10% probability of AIS 3-6 (and not S3)
S3 | Maximum AIS 5-6; more than 10% probability of AIS 5-6

AIS (Abbreviated Injury Scale): the AIS is a classification of the severity of injuries, issued by the AAAM (Association for the Advancement of Automotive Medicine):
• AIS 0: no injuries
• AIS 1: light injuries such as skin-deep wounds, muscle pains, whiplash, etc.
• AIS 2: moderate injuries such as deep flesh wounds, concussion with up to 15 minutes of unconsciousness, …
• AIS 3: severe but not life-threatening injuries such as skull fractures without brain injury, spinal dislocations below the fourth cervical vertebra without damage to the spinal cord, …
• AIS 4: severe injuries (life-threatening, survival probable) such as concussion with or without skull fractures with up to 12 hours of unconsciousness, paradoxical breathing
• AIS 5: critical injuries (life-threatening, survival uncertain) such as spinal fractures below the fourth cervical vertebra with damage to the spinal cord, more than 12 hours of unconsciousness including intracranial bleeding, …
• AIS 6: extremely critical or fatal injuries such as fractures of the cervical vertebrae above the third cervical vertebra with damage to the spinal cord, extremely critical open wounds of body cavities (thoracic and abdominal cavities), …
26. HRA acc. to ISO 26262 – SEVERITY (Informative examples) (Hazard & Risk Analysis)

S0 informative examples:
• Pushing over roadside infrastructure
• Light collision
• Light grazing damage
• Damage while entering or leaving a parking space
• Leaving the road without collision or rollover

Situation | S1 | S2 | S3
Side collision, e.g. crashing into a tree | Δv < 15 km/h | 15 < Δv < 25 km/h | Δv > 25 km/h
Side collision with a passenger car | Δv < 15 km/h | 15 < Δv < 35 km/h | Δv > 35 km/h
Rear/front collision between two passenger cars | Δv < 20 km/h | 20 < Δv < 40 km/h | Δv > 40 km/h
Other collisions | Scrape collision with little vehicle-to-vehicle overlap | Roof or side collision with considerable deformation | –
Under-riding a truck | – | Without deformation of the passenger cell | With deformation of the passenger cell
Pedestrian/bicycle accident | – | E.g. during a turning manoeuvre inside a built-up area | Outside a built-up area
27. HRA acc. to ISO 26262 – EXPOSURE (Hazard & Risk Analysis)
Classes of probability of exposure regarding duration/probability of exposure in initial situations

Class | Description | Definition of duration / probability of exposure
E0 | Very low probability | Not specified
E1 | Low probability | < 1% of average operating time
E2 | Medium probability | 1% - 10% of average operating time
E3 | High probability | > 10% of average operating time

Informative examples (E0: none; the E1 to E3 examples follow in increasing order of exposure class):
• Pulling a trailer
• Driving with roof rack
• Driving on a mountain pass with unsecured steep slope
• Snow and ice
• Driving backwards
• Fuelling
• Overtaking
• Car wash
• Tunnels
• Hill hold
• Night driving on roads without streetlights
• Wet roads
• Congestion
• Accelerating
• Braking
• Steering
• Parking
• Driving on highways
• Driving on secondary roads
• City driving
28. HRA acc. to ISO 26262 – EXPOSURE (Hazard & Risk Analysis)
Classes of probability of exposure regarding frequency in initial situations

Class | Description | Definition of frequency of exposure
E0 | Extremely low probability | Situations that occur less often than once a year for the great majority of drivers
E1 | Low probability | Situations that occur a few times a year for the great majority of drivers
E2 | Medium probability | Situations that occur once a month or more often for an average driver
E3 | High probability | All situations that occur during almost every drive on average

Informative examples (E0 to E3, in increasing order of exposure class):
• Stop at a railway crossing which requires a start of the engine
• Towing
• Jump start
• Pulling a trailer, driving with roof rack
• Driving on a mountain pass with unsecured steep slope
• Driving situation with deviation from the desired path
• Snow and ice
• Fuelling
• Overtaking
• Tunnels
• Hill hold
• Car wash
• Wet roads
• Congestion
• Starting
• Shifting gears
• Accelerating
• Braking
• Steering
• Using indicators
• Parking
• Driving backwards
29. HRA acc. to ISO 26262 – CONTROLLABILITY (Hazard & Risk Analysis)

Class | Description | Definition
C0 | Controllable in general | Controllable in general
C1 | Simply controllable | 99% or more of all drivers or other traffic participants are usually able to avoid a specific harm
C2 | Normally controllable | 90% or more of all drivers or other traffic participants are usually able to avoid a specific harm
C3 | Difficult to control or uncontrollable | Less than 90% of all drivers or other traffic participants are usually able, or barely able, to avoid a specific harm

Informative examples:
• C0:
  • Unexpected increase in radio volume
  • Situations that are considered distracting
  • Unavailability of a driver assisting system
• C1:
  • When starting the vehicle with a locked steering column, the car can be brought to a stop by almost all drivers early enough to avoid a specific harm to persons nearby
  • Faulty adjustment of seats while driving can be controlled by almost all drivers by bringing the vehicle to a stop
• C2:
  • Avoid departing from the lane in case of a failure of ABS during emergency braking
  • Avoid departing from the lane in case of a motor failure at high lateral acceleration (motorway exit)
  • Bring the vehicle to a stop in case of a total lighting failure at medium or high speed on an unlit country road, without departing from the lane in an uncontrolled manner
  • Avoid hitting an unlit vehicle on an unlit country road
• C3:
  • Wrong steering with high angular speed at medium or high vehicle speed can hardly be controlled by the driver
  • Cannot avoid departing from the lane on snow or ice on a bend in case of a failure of ABS during emergency braking
  • Cannot bring the vehicle to a stop if a total loss of braking performance occurs
  • In the case of a faulty airbag release at high or moderate vehicle speed, the driver usually cannot prevent the vehicle from departing from the lane
30. HRA acc. to ISO 26262 – RISK MATRIX (Hazard & Risk Analysis)
[Figure: ASIL determination matrix from the Severity, Exposure and Controllability classes]
Note: if a hazard is assigned to Severity class S0, Controllability class C0 or Exposure class E0, no ASIL (SIL) assignment is required.
31. Once the required SIL has been assessed (Hazard & Risk Analysis)
• Based on the required Safety Integrity Level:
  • Different requirements on the design and on the process apply
  • Different techniques and measures should be used
• Requirements on the integrity of HW
• Requirements on the integrity of SW:
  • Requirements on SW design and development (architecture, support tools, programming language, code implementation, testing, …)
  • Requirements on SW diagnostics to achieve the required HW integrity

SIL | Low demand mode of operation (PFD, probability of failure on demand), e.g. airbag | High demand mode of operation (PFH, probability of failure per hour), e.g. brake / steer by wire | Equivalent in FIT
1 | 10^-2 ≤ PFD < 10^-1 | 10^-6 ≤ PFH < 10^-5 | 1000 ≤ FIT < 10000
2 | 10^-3 ≤ PFD < 10^-2 | 10^-7 ≤ PFH < 10^-6 | 100 ≤ FIT < 1000
3 | 10^-4 ≤ PFD < 10^-3 | 10^-8 ≤ PFH < 10^-7 | 10 ≤ FIT < 100
4 | 10^-5 ≤ PFD < 10^-4 | 10^-9 ≤ PFH < 10^-8 | 1 ≤ FIT < 10
32. Training Course: An introduction to Functional Safety
• Basic course on Functional Safety (2 days)
• Info:
  • Web: www.cefriel.it
  • Mail: dk@cefriel.it
  • Tel: 02.239541
• For any request related to the Functional Safety area:
  • ENRICO SILANI
  • Mail: enrico.silani@cefriel.com