The document discusses functional safety and the ISO 26262 standard. It provides an overview of ISO 26262:2018 Edition 2 and how it has been reinforced and improved compared to the previous edition. It also discusses functional safety at NXP, including their BCAM7 process which applies ISO 26262 and CMMi maturity stages to improve efficiency and quality. An example of a power inverter module is given as a system safety solution.

Making It Real—The ISO 26262 Functional Safety Standard Takes Safety Centre Stage

Dr. Franck Galtié
Functional Safety Director

November 2019 | EUF-AUT-T3871

Company Public – NXP, the NXP logo, and NXP secure connections for a smarter world are trademarks of NXP B.V. All other product or service names are the property of their respective owners. © 2019 NXP B.V.
Agenda
• Introduction
• ISO 26262:2018 Edition 2
• Functional Safety @ NXP
• Example of a System Safety Solution: Power Inverter Module (PIM)
Global Megatrends

• Autonomy. Saving lives: 90% of accidents are caused by human error.
• Electrification. Zero emission: increasing global regulations.
• Connectivity. Enjoying the ride: one hour per day is spent in the car.

Safe and Secure Mobility: more than tripling the semiconductor value per car.
Evolving Vehicle Architecture

[Diagram: Automated Driving as SENSE, THINK, ACT, with the vehicle organised into domain controllers around a Network Gateway]
• Connectivity Domain Controller: Broadcast Radio, Cellular, WiFi, BT, GNSS, NFC, Smart Car Access, V2X
• ADAS & Highly Automated Driving Domain Controller: Sensor Fusion & Planning, Radar, Camera, Lidar
• Powertrain & Vehicle Dynamics Domain Controller: Engine, Steering, Powertrain, Transmission, Airbag, Speed, Brake, Suspension, Battery Cell Management; sensors: Motion & Pressure, Ultrasonic
• Body & Comfort Domain Controller: Temp, Light, Humidity, Body HVAC, Interior Lighting, Switch Panels; doors, seats, steering wheel, mirrors, wipers, sunroof
• Infotainment and Cockpit (eCockpit) Domain Controller: Audio, Touch Displays, Amplifiers, Voice Recognition; In-Vehicle Experience
Requirements for a Safe System

• Functional Safety: zero accidents due to system failures
• Cyber Security: zero accidents due to system hacks
• Vehicle Safety: zero accidents due to human error
• Device Reliability: zero accidents due to device defects
Why Safety Is Important

• Legal – knowing who is responsible
• Trust – knowing the car will do what it’s meant to do
• Standardization – consolidating platforms and harmonizing systems
Safety and Security Are Closely Linked

• >25 vehicle hacks published since 2015
• 1.4M vehicles recalled in the largest incident to date

Why hacking? Valuable data attracts hackers: car-generated data may become a 750B USD market by 2030.
Why is it possible? High system complexity implies high vulnerability: up to 150 ECUs per car and up to 200M lines of software code.
Why now? Wireless interfaces enable scalable attacks: 250M connected vehicles on the road in 2020.
ISO 26262: 2018 Edition 2
What is Functional Safety?

Functional safety is the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical or electronic systems.

Mitigation or control of risk.

Available standard: ISO 26262:2018
Quantify a Risk: Automotive Safety Integrity Level

• S = Severity: what is the level of injury?
• E = Exposure: how often is it likely to happen?
• C = Controllability: can the hazard be controlled?
Automotive Functional Safety Standards
• Indicator of industry maturity

Timeline:
- ISO 26262 1st Ed: 2011-11 (IS)
- ISO PAS 21448 (SOTIF): 2016-07 WD review, 2019 PAS publication
- ISO 26262 2nd Ed: 2018-12 (IS publication)

• Evolving to address the challenges of Autonomous, but not there yet
ISO 26262: 2018 - What’s New Compared to Edition 1

ISO 26262 Deliverables (2018 Edition 2):
• Impact Analysis: Reinforced
• IP Management: New
• Safety Analysis - FTA: Reinforced
• Safety Analysis - DFA: Improved
• Safety Analysis - FMEDA: Improved
• Fault Injection: Reinforced
• Confirmation Measures: Improved
Functional Safety @ NXP
NXP BCAM7 Process Development

Inputs: Automotive SPICE, IATF 16949, ISO 26262
• Improving efficiency & quality
• Applying CMMi maturity stages

Automotive BCaM7: Policies, Roles & Resp., Procedures, Templates, Checklists, Tools
ISO 26262 : 2018 – NXP Tailoring

Roles:
• Project Functional Safety Manager
• Functional Safety Architect
• Functional Safety Assessor
• Organization Functional Safety Manager

Functional Safety Development Types:
• Safety Element out of Context (SEooC)
• Application Specific (ASIC)

Functional Safety Deliverables: Safety Plan, Safety Case, Safety Assessment, Safety Concept, Safety Analysis, Safety Manual

Process:
• Safety processes integrated in BCAM7
• Safety deliverables integrated in AMD
• HW & SW developed as Safety Element Out Of Context (SEooC)
• Safety review integrated in AMC
NXP Auto BCaM7 Process Fully Compliant with ISO 26262:2018

- QM or ASILx
- Safety analysis (FTA, DFA, FMEDA)
- Confirmation review Safety Analysis
- Impact Analysis
- Functional Safety design assessment
- CR Impact Analysis
- Assessment plan
- Safety concept (Requirements & Architecture)
- Safety Case
- Safety Manual
- Functional Safety Release assessment
- Safety plan
- Confirmation review Safety case
- SW tool criteria Evaluation
- Verification Plan (inc. safety)
- Confirmation review Safety Plan
- CR technical safety concept
Functional Safety Competence Management

• Technical Skills
• Soft Skills
• Standard Training Library
• E-Learning courses
System Safety Solution
Example of Power Inverter Module
Key Growth Areas of Automotive Electronic Systems

[Chart: Automotive Systems Growth 17-22, growth rate per system from 0% to 30%; source: IHS, ABI, and NXP Internal]

The car is evolving to a sophisticated electronic system that senses, thinks, connects, and acts and is ‘always on’.

Internal combustion engines are replaced or complemented by electric propulsion.
Electric Vehicles: Base Architecture Components

Major Components:
• Battery management system
• Motor control (HV inverters)
• Hybrid Control Unit (Torque/Energy Management & Optimisation)
• 48 V eMachine (BSG, ISG, HVAC)
• DC/DC voltage domain converter
• On-board charger AC/DC converter
Managing Complexity of System & IP Perspectives

System perspective: Use Cases, SOTIF, ISO 26262 & System Safety Concept, Requirements Management, Safe Development Process, Verification & Validation

IP perspective: HW IP (SEooC) and SW IP (SEooC), each with Safety Analysis, Safety Design and Safety Verification
System Safety Enablement

• NXP Safety value proposal:
- Help customer on their safety architecture
- Reduce engineering time (~6 months - 1 year)
- Methodology for start-ups and new OEM
- More than a standard demo board (~ A or B samples) (Not a “T1 certified”)

• Support customer on:
- Customization
- Safety Analysis & Metrics
- Safety Process
- Interaction with certification agencies
Power Module Inverter Example

[Diagram: Traction Motor Inverter Systems]
• FS65: smart, flexible fail-safe SBCs
• Leadership ASIL-D certified MCUs
• Integrated isolated HV IGBT gate driver
• Customer partner: advanced Si IGBT power module
Functional Safety ISO 26262 - 2018 Applies NXP

Part 1: Vocabulary
Part 2: Management of Functional Safety
Part 3: Concept Phase
Part 4: Product development at system level
Part 5: Product development at HW level
Part 6: Product development at SW level
Part 7: Production and operation
Part 8: Supporting processes
Part 9: Automotive Safety Integrity Level (ASIL) oriented and safety oriented analyses
Part 10: Guideline on ISO 26262
Part 11: Guideline for Semiconductors
Item, HaRa and Safety Goals

Assumptions:
• Powertrain inverter, high voltage (>350V)
• No clutch between electrical motor and vehicle wheels
• Gas and brake pedal commands from driver to VCU
• Inverter torque request from VCU
• 3-phase motor up to 80kW

Hazard analysis and risk assessment:
• Unintended self acceleration: ASIL D
• Unintended reverse acceleration: ASIL D
• Unintended loss of acceleration: ASIL B

Safety Goals (ASIL):
• SG1: Avoid unintended acceleration while in stop (D)
• SG2: Avoid unintended acceleration, torque lock or over acceleration torque while driving (B)
• SG3: Avoid reverse torque (D)
• SG4: Avoid sudden loss of acceleration torque (B)
• SG5: Avoid self-braking torque while driving at high speed (D)
• SG6: Avoid self-braking torque while driving at low speed (B)
Simplified Functional Safety Concept

• FSR1: “We need to guarantee the received command is correct and the communication alive.”
• FSR2: “We need to guarantee the sensors measurements are correct.”
• FSR3: “We monitor the torque to detect a fault of torque processing.”
• FSR4: “We need to guarantee the information we send to VCU, and report fault.”
• FSR5: “When a fault of communication, sensors or control is detected we need to go to the appropriate safe state.”
Extract of Functional Block Safety Requirements
− Define FR and FSR
− Decompose Functional Safety Requirement
− Documentation

Example for function Command

Extract of Technical Safety Concept
− Technical requirements
− Technical safety requirements
− Diagnostic & reaction
− Documentation

Function Current Sensing

Technical Safety Requirements

System Failure Matrix & System Safety Mechanism

For each System Fault, the failure matrix defines:
• System Safety Mechanism to detect the fault (HW & SW)
• Detection definition and FDTI (fault detection time interval)
• Reaction definition (safe state) and FRTI (fault reaction time interval)
• System re-activation definition

HW / SW requirements for the Safety Mechanism feed the Safety Mechanism Library; SW requirements for the Safety Manager feed the Safety Manager Library.
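As an added example (not code from the slides or from NXP), the Python model below maps FSR1, FSR3, FSR4 and FSR5 of the Simplified Functional Safety Concept onto a small safety manager whose communication check is bounded by an FDTI as in the failure matrix above. The CRC-8 checksum, the 4-bit alive counter, the 20 ms FDTI and the 5 Nm torque tolerance are assumptions; FRTI and re-activation are not modelled.

```python
from dataclasses import dataclass
FDTI_MS = 20        # assumed fault detection time interval for loss of VCU communication (ms)
TORQUE_TOL_NM = 5   # assumed tolerated gap between requested and measured torque (Nm)

def crc8(data: bytes) -> int:
    """CRC-8 (polynomial 0x07, init 0): the assumed checksum on each VCU message."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

@dataclass
class TorqueCommand:
    t_ms: int        # receive time (ms)
    torque_nm: int   # torque request from the VCU (Nm)
    alive: int       # 4-bit alive counter, expected to advance by one per message
    crc: int         # CRC-8 over (torque_nm, alive)

class SafetyManager:
    """Latches the first detected fault and moves the inverter to its safe state."""
    def __init__(self):
        self.state, self.faults = "OPERATIONAL", []
        self.last_alive, self.last_rx_ms, self.last_torque = None, 0, 0
    def _fault(self, reason: str) -> bool:
        self.faults.append(reason)
        self.state = "SAFE_STATE"    # FSR5: torque request forced to zero (re-activation not modelled)
        return False
    def on_command(self, cmd: TorqueCommand) -> bool:
        """FSR1: the received command must be intact and its alive counter must advance."""
        if crc8(bytes([cmd.torque_nm & 0xFF, cmd.alive & 0xF])) != cmd.crc:
            return self._fault("crc")
        if self.last_alive is not None and cmd.alive != (self.last_alive + 1) & 0xF:
            return self._fault("alive")
        self.last_alive, self.last_rx_ms, self.last_torque = cmd.alive, cmd.t_ms, cmd.torque_nm
        return True
    def on_tick(self, now_ms: int, measured_nm: int) -> bool:
        """Each control cycle: FSR1 (communication still alive) and FSR3 (torque monitoring)."""
        if now_ms - self.last_rx_ms > FDTI_MS:
            return self._fault("timeout")
        if abs(self.last_torque - measured_nm) > TORQUE_TOL_NM:
            return self._fault("torque")
        return self.state == "OPERATIONAL"

def demo() -> dict:  # constructed stream: two valid frames, then one whose alive counter skips a step
    sm = SafetyManager()
    for t, nm, alive in [(0, 40, 1), (10, 42, 2), (20, 42, 4)]:
        sm.on_command(TorqueCommand(t, nm, alive, crc8(bytes([nm, alive])))) and sm.on_tick(t + 5, nm - 1)
    return {"state": sm.state, "faults": sm.faults}   # FSR4: status and faults reported back to the VCU
```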
NXP Safety Enablement Deliverables

[Diagram: HW Safety Architecture and SW Safety Architecture]

• NXP System Safety Concept documentation (FSC, TSC architecture)
• NXP System Failure matrix
• NXP Prepared System FMEDA (with IC system FMs)
• NXP SDK SW (with system safety mechanism)
• NXP Functional Safety support

• NXP ICs datasheet
• NXP ICs Safety manual
• NXP ICs Safety analysis report
• NXP ICs Assessment report
• NXP ICs expert support
SafeAssure Program
SafeAssure Community
NXP’s SafeAssure Program

• Launched SafeAssure initiative in September 2011 focusing on NXP’s functional safety solutions
• Since 2013 NXP’s Development Processes are aligned with ISO 26262 across product lines
− BCaM7 deployment will align at BU Auto level
• 100+ Products being developed to target ISO 26262:
▪ Aug 2012 AMP HW – Leopard (MPC564xL) 32-bit MCU – Certified by Exida
▪ 2013 AMP SW – First release of Safety MCAL (sMCAL)
▪ 2014 AAA HW – Analog – PowerSBC
▪ Many more products are in the development pipeline and will come to completion in the years to come

[Diagram: Functional Safety Standards: Automotive ISO 26262, Industrial IEC 61508; pillars Safety Support, Safety Hardware, Safety Software, Safety Process, standing on the NXP Quality Foundation]
SafeAssure Communities
Customer Support for Functional Safety

• SafeAssure Community: public space for knowledge distribution and industry-wide news
• SafeAssure NDA: private NDA space for customers to access safety documentation
• Support: Safety Expert Group composed of Safety Managers and Architects, Field and Application Engineers

Self sufficient: community users find answers to their questions and safety documentation requests.
nxp.com/SafeAssure