
Implementing Functional Safety Standards – Experiences from the Trials about Required Knowledge and Competencies (SafEUr)

Richard Messnarz1, Christian Kreiner2, Ovi Bachmann3, Andreas Riel4, Klaudia Dussa-Zieger5, Risto Nevalainen6, Serge Tichkiewitch4

1 ISCN LTD, Ireland, [email protected]
2 Graz University of Technology, Institute for Technical Informatics, Graz, Austria, [email protected]
3 SIBAC, Mittelbiberach, Germany, [email protected]
4 EMIRAcle c/o Grenoble Institute of Technology GSCOP UMR5272, Grenoble, France, [email protected], [email protected]
5 Methodpark, Erlangen, Germany, [email protected]
6 Spinet Oy and FISMA, Finland, [email protected]

Abstract. In the EU project SafEUr (518632-LLP-1-2011-1-AT-LEONARDO-LMP) the partnership developed a skill set with learning objectives, training materials, and tools to teach and coach the implementation of IEC 61508 and ISO 26262. The Automotive, Medical, and Nuclear industries gave inputs to the project. A group of more than 20 multinational companies (SOQRATES, www.soqrates.de) which are also active in the automotive industry (some of them represent the largest suppliers in the Automotive industry) organised reviews and trial courses with safety managers. This led to a defined set of skills and tools we expect from functional safety managers and functional safety engineers. In this paper we describe the results of SafEUr, the feedback we received from the collaboration with leading automotive industry, and the next steps in 2013 to launch this schema with official certificates from the end of 2013 onwards.

Keywords: Functional Safety Manager, Functional Safety Engineer, Integrated Safety Design and Technical Safety Concept, ECQA, Certification

1 Introduction to SafEUr

Functional safety of modern products and industry systems containing embedded systems has become a first priority in several industrial sectors. The IEC 61508 group of standards requires companies to have “Functional Safety Management” in place. Domain specialized standards like ISO 26262 [1] for passenger cars complement IEC 61508. The objective of SafEUr was to create a European-wide accredited training and certification program for Functional Safety Managers, based on a skill card which is compliant with the European Qualification Framework. SafEUr [2] delivers modern e-learning based and vocational training, which is based on practical case studies and best industry practices. This training will be complemented by a worldwide unique web-based integration platform for industry and academia in the domain of Embedded Systems. Certified SafEUr trainers are available all across Europe, assuring a major impact and sustainability of this ECQA job role.

Results we achieved in the project include:

- Skills set with 15 learning elements / training units
- A pool of test questions
- Training courses and coaching experiences in collaboration with leading automotive industry such as Continental Automotive, ZF Friedrichshafen AG, KTM Sport Motorcycle GmbH, etc.
- Training courses integrated in University Education (Grenoble Institute of Technology, France, and Graz University of Technology, Austria)
- A pool of certified trainers and coaches (in progress)
- A Europe wide Job Role Committee set up under the ECQA Schema to maintain the profession

Based on SafEUr the EuroSPI community started the build-up of an Experience Exchange Community in the form of a series of international workshops attached to EuroSPI.

The Certified Functional Safety Manager [2] follows the ECQA quality procedures and sets up a Europe wide schema in collaboration with ECQA, thus assuring compliance with European quality standards in training.

The ECQA (European Certification and Qualification Association) [3] has set up defined guidelines and procedures (see www.ecqa.org, about ECQA, Guidelines) for:

- Standards about how to define skills sets
- Standards about how to design tests and test questions
- Standards about learning material development
- Standards about certification
- Standards about accreditation of training bodies

To base the Functional Safety approach on a practical set of case studies, a set of success factors has been defined with the support of leading European companies [4], [5], [6] to be considered when applying “Functional Safety”. Also, this industry group [7] has developed an integrated SPICE (ISO 15504) [8] and safety (IEC 61508, ISO 26262) assessment approach. These companies are also members of the functional safety working group of the SOQRATES initiative. In addition, partners from the ISO 15504 Part 10 working party are invited to integrate their approach of an extended safety assessment.

2 Functional Safety Manager Skills Set and Knowledge Areas

The skills set has been reviewed at an international workshop at EuroSPI 2012 [2], further reviewed by an expert team, and applied in an industry workshop with leading automotive industry in Feb. 2013. The industry feedback showed that some of our elements are too technical for safety managers. In the industry they use 2 roles, a functional safety manager and a functional safety engineer, and they asked the team to split the two roles in the approach. In general the feedback was positive because all the contents were supported by real automotive examples and best practices used in lead projects.

Fig. 1. SafEUr Skill Set with Functional Safety Manager and Engineer Scope

The role of the functional safety manager relates to the safety planning, the safety life cycle, the safety case and the proof of coverage of the safety case, the coverage of all selected methods required in the method tables of ISO 26262, and the legal aspects and the qualification of the product.

The role of the functional safety engineer relates to the technical work of deriving a technical safety concept from the functional safety concept, moderating an FMEDA and defining a set of diagnose functions to be part of the monitoring functionality, the hardware design (decisions about hardware redundancy), design of the HSI (Hardware/Software Interface), and the use of test methods to achieve a 100% test coverage of the fault injections and diagnose functionality.

Both roles closely collaborate in a functional safety team according to the integrated engineering design approach that is characteristic for modern product development [9]. Also the industrial experience clearly outlined that functional safety is not a topic you can assign to one responsible person. A technical safety concept is usually created by a team of software, hardware and system level experts and moderated by a systems architect collaborating with the functional safety engineers. Also an FMEDA is usually done in a multidisciplinary team, and the same applies for a hazard and risk analysis.

This means that the functional safety manager is a role which is played a few times in a company, while the role of a safety engineer (and the knowledge of it) can be assigned to even a whole team.

For the SafEUr project this results in a concept where two roles are covered by one skills set, and depending on the roles, different skills elements and training units can be selected.

3 SafEUr Best Practices Approach – Learning by Real Examples

Another main feature of SafEUr is that we explain the very complex theory of the functional safety standard based on real case automotive examples. We use examples of ASIL-D classified items in gear box design, in ABS brake design, and steering wheel system design. In the courses and coaching we then ask the attendees to apply that on their systems (“learning by doing” approach) and discuss the result in the team. This results in a number of fruitful discussions and a real knowledge transfer.

The trial courses so far already yielded a broad spectrum of functional safety example items elaborated by course attendees, like active suspension, lighting system, power window, hydrogen tank, drive-by-wire, as well as battery management and “electronic differential” systems for an electric race car.

Below we would like to give some illustrations of the level of knowledge which is expected for functional safety managers and functional safety engineers. This helps to understand the depth of knowledge transferred for the units and elements outlined in Fig. 1. One of the most important steps at the beginning of the safety life cycle is the item definition and the hazard and risk analysis. This results in an ASIL classification of the hazard and the formulation of an overall safety goal.

Fig. 2. SafEUr – Selected Example of an Item Definition (Example ABS Brake System)

Fig. 3. SafEUr – Selected Example of a Hazard and Risk Analysis (Example ABS Brake System)

Fig. 4. SafEUr – Selected Example of a Safety Goal (Example ABS Brake System)

Fig. 5. ISO 26262 – Determination of an ASIL level

The Anti-lock braking system (ABS) allows the driver to maintain steering control in situations like heavy braking or on slippery surfaces by preventing significant wheel slip.

The system constantly monitors the rotational speed of each wheel. When it detects a wheel rotating significantly slower than the others (a condition indicative of impending wheel lock) it actuates the valves within the brake hydraulics to reduce hydraulic pressure to the brake at the affected wheel, thus reducing the braking force on that wheel. The wheel then turns faster; when the wheel is turning significantly faster than the others, brake hydraulic pressure is increased so the braking force is reapplied and the wheel slows. This process is repeated continuously, and can be detected by the driver via brake pedal pulsation.

Figs. 3 and 4 show an implementation example of the methods of ISO 26262 illustrated in Figs. 5 and 6.

Fig. 6. ISO 26262 – Classification schema used in Figs. 3 and 4

The risk analysis results in a so called safety goal (see Fig. 4) and an ASIL classification. In this example case the hazard is identified as ASIL D. The safety goal mentioned there is: “No hydraulic pressure by an electronic fault must be avoided!”. Such an analysis is now the starting point of work for the functional safety manager and the functional safety engineer.

Then, the systems architect, a multidisciplinary team of experts from different departments and the functional safety engineer analyse the system and create an item definition (see Fig. 1) outlining the elements which can cause such a hazardous situation.

Especially the so-called safety critical signal flow is analysed (from sensors through the ECU to the actuators). Safety critical signals are described in the HSI (hardware software interface). In this case e.g. we must be able to trust the speed calculation of the car. So we would carefully analyse the speed sensors and realise that the speed can be calculated from 4 single inputs as an average speed. If one of the sensors fails we can still use 3 sensors, and if two of the sensors fail we might not trust the average speed any more.

Another issue is that we must trust that the rotational speed sensor on each wheel is measuring correctly, otherwise the ECU would make false decisions for the opening or closing of valves on that wheel.

At this stage the standard would impose a so called decomposition. An ASIL-D imposes the selection of hardware at a very low FIT rate (1 FIT = a probability of failure per hour of 10^-9) and a high diagnostic coverage (a lot of diagnosis and independent monitoring SW development). This can get very expensive, and you might realise that a rotational speed sensor does not fulfil the ASIL-D error rates in general, and there is no realistic scenario to realise this reliability without extensive diagnosis. The standard proposes a redundancy in such cases. So you can (splitting ASIL-D into two ASIL-B) use two rotational speed sensors at ASIL-B quality (lower error rate demands) at each wheel. However, the standard also allows other types of redundancy. In the industry, for instance, a model simulation is used as a parallel model to monitor the speed vector at each wheel, concluding that the rotational speed sensor is still working.

Based on such technical analysis the functional safety engineer (in collaboration with experts from different departments) creates a functional safety concept, including safe states, safety functions, diagnose functionality and monitoring, etc.

Here are some examples:

- A default safe state in the ABS is the switching off of the ABS ECU and having the traditional brake system as a backup. However, a system can have many safe states. There could be e.g. a limp home mode when we can only trust 3 of the 4 wheel speed sensors and thus coordinate with the motor control unit a maximum rpm supported (resulting in e.g. a speed limit).
- A functional safety concept would define e.g. that a trusted speed for the overall vehicle must be calculated with an ASIL-D quality. Or it can demand that a mathematical model is used as a parallel monitoring to check whether the speed vector for a specific wheel speed sensor is behaving correctly, otherwise we would not trust the value any more.
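The wheel-speed trust logic and the safe states just listed, as an added example that is not code from the SafEUr project or the paper: each sensor passes a range check, a rate-of-change plausibility check and a comparison with the parallel model, and the vehicle speed is averaged only over trusted sensors, degrading to limp home with 3 of 4 and to ABS off below that. The sensor range, the per-cycle change limit, the model tolerance and the sample values are assumptions of mine, not figures from the page.

```python
"""Wheel-speed plausibility monitoring and safe-state selection for the ABS item.

Added example, not code from the SafEUr paper. The three limits below and the
sample readings are constructed for illustration; the parallel model's estimate
is passed in as a plain number instead of being computed by a vehicle model."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence, Tuple

MAX_WHEEL_SPEED_KMH = 300.0     # assumed sensor range (range check)
MAX_DELTA_PER_CYCLE_KMH = 5.0   # assumed physical limit between two cycles
MODEL_TOLERANCE_KMH = 10.0      # assumed allowed deviation from the parallel model


class SafeState(Enum):
    NORMAL = "all 4 wheel speed sensors trusted"
    LIMP_HOME = "3 of 4 sensors trusted: agree an rpm limit with motor control"
    ABS_OFF = "fewer than 3 trusted: ABS ECU off, conventional brakes as backup"


@dataclass(frozen=True)
class WheelSample:
    speed_kmh: float        # current sensor reading
    prev_speed_kmh: float   # reading from the previous cycle
    model_speed_kmh: float  # estimate from the parallel simulation model


def sensor_trusted(s: WheelSample) -> bool:
    """Range check, rate-of-change plausibility check and parallel-model check."""
    if not 0.0 <= s.speed_kmh <= MAX_WHEEL_SPEED_KMH:
        return False                      # outside the physical sensor range
    if abs(s.speed_kmh - s.prev_speed_kmh) > MAX_DELTA_PER_CYCLE_KMH:
        return False                      # implausible jump since last cycle
    if abs(s.speed_kmh - s.model_speed_kmh) > MODEL_TOLERANCE_KMH:
        return False                      # disagrees with the parallel model
    return True


def trusted_vehicle_speed(
    wheels: Sequence[WheelSample],
) -> Tuple[Optional[float], SafeState]:
    """Average the trusted sensors; degrade the safe state as sensors drop out."""
    trusted = [w.speed_kmh for w in wheels if sensor_trusted(w)]
    if len(trusted) == 4:
        return sum(trusted) / 4, SafeState.NORMAL
    if len(trusted) == 3:
        return sum(trusted) / 3, SafeState.LIMP_HOME
    # Fewer than 3 trusted inputs: the average is not trusted, so none is returned.
    return None, SafeState.ABS_OFF


# Constructed sample cycle with all four sensors healthy.
HEALTHY = (
    WheelSample(50.0, 49.5, 50.0),
    WheelSample(51.0, 50.5, 50.5),
    WheelSample(49.0, 49.0, 49.5),
    WheelSample(50.0, 50.0, 50.0),
)

if __name__ == "__main__":
    speed, state = trusted_vehicle_speed(HEALTHY)
    print(speed, state.value)
```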

While the functional safety engineer does his technical work, the functional safety manager would establish a safety plan, and a major part of the safety plan is that the standard proposes specific methods to be applied in the design. Most of the methods proposed have a direct impact on the design implemented in the technical safety concept (see Fig. 7).

The method tables list methods per ASIL level which are highly recommended (++). The functional safety manager must go through each table and, for each method, depending on the ASIL level, clarify its usage. If a specific method is not used, this must be explained.

Beside the safety plan (as a Gantt plan) the analysis of all method tables forms an appendix to the safety plan.

Fig. 7. ISO 26262 – Method Table Example 1

This method table has an influence on the work of the functional safety engineer and on what level of monitoring, plausibility checks, range checks etc. will be required.

In the SafEUr examples we also look deeply into the hardware and software design, including hardware FIT rate analysis and software architectural design (e.g. E-Gas model) and software diversity. One of the SafEUr goals in the engineering part is to point out the necessity of iterations while stepping down from the Hazard&Risk Analysis, via Functional and Technical Safety Concepts, to Hardware and Software Design, as well as to raise awareness of the mutual influence between hardware and software design and verification.

Beyond implementing safety in the corporate organisation and the engineering process, the SafEUr syllabus also deals with methods for taking into account the reliability of the mechanical systems and subsystems, as well as the required safety control mechanisms in production and maintenance. Often not addressed in comparable trainings, both these subjects are vital to implementing safety on a complete system level, as major architectural design decisions depend on component availabilities, and safety-critical subsystems have to be treated in special ways in production and End-of-Line tests.

4 SafEUr – European Vision

The SafEUr results are on trial by major Automotive Tier 1 companies at the moment. The results will lead to a Release 3 development in autumn 2013. Interested companies can join an online training in summer 2013: certified trainers will guide and support trainees via an e-learning platform where all the training material will be available, and exercises will be submitted and discussed on-line in groups.

In 2013 at EuroSPI 2013, the safety community will be extended to include also the major medical device industry and the safety design strategies in this industry domain. This way the experience exchange between the Automotive and Medical device industries might lead to further best practices to implement functional safety standards.

SafEUr can also lead to innovation. The keynote at EuroSPI 2012 (KTM Motorsport) applied the functional safety concepts on their new bikes and invented a lot of new functionality by that approach. E.g. when analysing the light control system and the safety state (“there is always light”), the system and software design was adapted so that if a lamp is faulty it automatically switches to a different light (high beam, low beam, parking light, day light). The probability that the lamps of all 4 types of light fail is then very low, fulfilling the ASIL requirement. However, all this has an impact on product design because it must be possible to diagnose each light separately, to switch the light on by a separate bridge on the ECU (otherwise a failure can switch off all 4 at once), etc.
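The “there is always light” safe state described above, as an added example that is neither KTM's nor the paper's code: each lamp is diagnosed separately and the controller falls back to the next lamp, and the two wiring variants (one ECU output bridge per lamp versus one shared bridge) are modelled side by side to show why the shared bridge is a single point of failure that defeats the fallback. The fallback order and the failure probabilities used are assumed, illustrative values, not figures from the page.

```python
"""Lamp fallback for the 'there is always light' safe state.

Added example, not from the paper or from KTM. The fallback order and the
per-component failure probabilities below are constructed for illustration."""
from typing import Dict, Optional

FALLBACK_ORDER = ("low_beam", "high_beam", "day_light", "parking_light")  # assumed


class LightController:
    def __init__(self, separate_bridges: bool) -> None:
        self.separate_bridges = separate_bridges
        self.lamp_ok: Dict[str, bool] = {lamp: True for lamp in FALLBACK_ORDER}
        bridges = FALLBACK_ORDER if separate_bridges else ("shared",)
        self.bridge_ok: Dict[str, bool] = {b: True for b in bridges}

    def _bridge_for(self, lamp: str) -> str:
        # Separate design: one output bridge per lamp. Otherwise all share one.
        return lamp if self.separate_bridges else "shared"

    def diagnose(self, lamp: str) -> bool:
        """A lamp can only be lit if the lamp and the bridge driving it are healthy."""
        return self.lamp_ok[lamp] and self.bridge_ok[self._bridge_for(lamp)]

    def select_light(self) -> Optional[str]:
        """First lamp in fallback order that passes diagnosis; None means no light."""
        for lamp in FALLBACK_ORDER:
            if self.diagnose(lamp):
                return lamp
        return None  # safety goal violated: no lamp can be switched on

    def fail_lamp(self, lamp: str) -> None:
        self.lamp_ok[lamp] = False

    def fail_bridge_of(self, lamp: str) -> None:
        self.bridge_ok[self._bridge_for(lamp)] = False


def probability_no_light(p_lamp: float, p_bridge: float, separate_bridges: bool) -> float:
    """Probability that no lamp can be lit, assuming independent faults.

    Separate bridges: all 4 lamp+bridge channels must fail.
    Shared bridge: the bridge alone, or all 4 lamps, takes out every light."""
    p_channel = 1 - (1 - p_lamp) * (1 - p_bridge)
    if separate_bridges:
        return p_channel ** 4
    return 1 - (1 - p_bridge) * (1 - p_lamp ** 4)


if __name__ == "__main__":
    ctrl = LightController(separate_bridges=True)
    ctrl.fail_lamp("low_beam")
    print("separate bridges, low beam faulty ->", ctrl.select_light())
    for separate in (True, False):
        print("separate" if separate else "shared", "bridge: P(no light) =",
              probability_no_light(1e-3, 1e-4, separate))
```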

We will also continue in the safety working party of German companies (www.soqrates.de) and further elaborate best practices and share knowledge about what is the right way of implementation. Key stakeholders of the French automotive industry will also be involved.

SafEUr follows the ECQA [3] (European Certification and Qualification Association) standards. This means that from autumn 2013, all the exams across Europe will be standardised, and an international job role committee will be formed to maintain the defined skills set and knowledge structure. The ECQA will then act as the certification body across Europe and other continents.

Conclusion

SafEUr is a real and unique industry-driven European initiative establishing a certified practice-oriented training program in Functional Safety certified by a European Certification Organisation. SafEUr therefore fills a large gap that still exists between a rapidly growing number and variety of functional safety standards, and their efficient and effective implementation in modern products and systems, as well as the enabling of engineering organisations and projects. Its initial focus is clearly on automotive applications, and thus on ISO 26262; however, its scope will be widened with its increasing deployment in different industry sectors. Currently, EU-funded on-site and on-line pilot trainings both in industry and academia help assure the high level of quality and relevance of the complete program.

Acknowledgements for EU Project & SOQRATES Group

The SafEUr project is financially supported by the European Commission in the Leonardo da Vinci part of the Lifelong Learning Programme under the project number 518632-LLP-1-2011-1-AT-LEONARDO-LMP. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

We are grateful to the experts who have contributed to the SOQRATES Design AK and Safety AK: O. Bachmann (SIBAC), S. Habel, L. Ross, I. Sokic, R. Dreves (Continental Automotive), F. König, A. Koundoussi, H. Galle (ZF), A. Much (Elektrobit), H. Zauchner, A. Kaufmann (KTM Motorsport), L. Borgmann (HELLA), G. Spork (Magna Powertrain), M. Haimerl (IMBUS), K. Dussa-Zieger (Methodpark), A. Riel (EMIRAcle/Grenoble INP), J. Unterreitmayer (SQS), C. Kreiner (TU Graz), D. Ekert, R. Messnarz (ISCN).

References

1. International Organization for Standardization (ISO): ISO 26262. Road vehicles – Functional safety – Parts 1–9 (2011)
2. Riel, A., Bachmann, O., Dussa-Zieger, K., Kreiner, Ch., Messnarz, R., Nevalainen, R., Sechser, B., Tichkiewitch, S.: EU Project SafEUr - Competence Requirements for Functional Safety Managers. In: Winkler, D., O'Connor, R.V., Messnarz, R. (eds.): Systems, Software and Services Process Improvement, Communications in Computer and Information Science, CCIS 301, Springer, pp. 253-265 (2012)
3. Messnarz, R., Sicilia, M.A., Reiner, M.: Europe wide Industry Certification Using Standard Procedures based on ISO 17024. In: Proceedings of the TAEE Conference, Vigo, Spain, IEEE, June 2012 (2012)
4. Messnarz, R., König, F., Bachmann, O.: Experiences with Trial Assessments Combining Automotive SPICE and Functional Safety Standards. In: Winkler, D., O'Connor, R.V., Messnarz, R. (eds.): Systems, Software and Services Process Improvement, Communications in Computer and Information Science, CCIS 301, Springer, pp. 266-275 (2012)
5. SOQRATES Safety Team, Messnarz, R., Ross, H-L., Habel, S., König, F., Koundoussi, A., Unterreitmayer, J., Ekert, D.: Integrated Automotive SPICE and safety assessments. In: Wiley SPIP, Volume 14, Issue 5, pp. 279-288 (2009)
6. Bachmann, V.O., Messner, B., Messnarz, R.: Adapting the FMEA for Safety Critical Design Processes. In: O'Connor, R.V., Pries-Heje, J., Messnarz, R. (eds.): Systems, Software and Services Process Improvement. Proceedings of the 18th European Conference EuroSPI 2011, Roskilde, Denmark, June 2011, Springer CCIS 172, Springer Verlag, pp. 290-297 (2011)
7. SOQRATES Initiative, www.soqrates.de, last accessed on 07/04/2013
8. Automotive SPICE, www.automotive-spice.com, an international standard used in the Automotive industry, last accessed on 07/04/2013
9. Riel, A., Tichkiewitch, S., Messnarz, R.: Qualification and Certification for the Competitive Edge in Integrated Design. In: CIRP Journal of Manufacturing Science and Technology, Elsevier, Vol. 2, Issue 4, pp. 279–289 (2010)