Company Public – NXP, the NXP logo, and NXP secure connections for a smarter world are trademarks of NXP
B.V. All other product or service names are the property of their respective owners. © 2019 NXP B.V.
Functional Safety Director
Dr. Franck Galtié
Making It Real—The ISO 26262 Functional Safety Standard Takes Safety Centre Stage
November 2019 | EUF-AUT-T3871
COMPANY PUBLIC 1
Agenda
• Introduction
• ISO 26262:2018 Edition 2
• Functional Safety @ NXP
• Example of a System Safety Solution: Power Inverter Module (PIM)
Global Megatrends
Autonomy – Saving lives: 90% of accidents caused by human error
Electrification – Zero emission: increasing global regulations
Connectivity – Enjoying the ride: one hour per day spent in the car
Safe and Secure Mobility – More than tripling the semi value per car
Automated Driving: Evolving Vehicle Architecture (diagram)
Diagram titles: SENSE – THINK – ACT; Connectivity Domain Controller, Cockpit Domain Controller, Powertrain Domain Controller, Body Domain Controller, Sensor Fusion & Planning Domain Controller, Network Gateway; eCockpit Domain Controller.
Areas: Connectivity; Infotainment and In-Vehicle Experience; ADAS & Highly Automated Driving; Body & Comfort; Powertrain & Vehicle Dynamics.
Labels: Camera, Lidar, Radar, Ultrasonic, Touch Displays, Voice Recognition, eCockpit, Amplifiers, Audio, Broadcast Radio, Cellular, WiFi, BT, GNSS, NFC, V2X, Smart Car Access, HVAC, Interior Lighting, Doors, seats, steering wheel, mirrors, wipers, sunroof, Switch Panels, Temp, Light, Humidity, Motion & Pressure, Speed, Steering, Airbag, Suspension, Engine, Transmission, Brake, Battery Cell Management.
Requirements for a Safe System
Functional Safety – Zero accidents due to system failures
Cyber Security – Zero accidents due to system hacks
Device Reliability – Zero accidents due to device defects
Vehicle Safety – Zero accidents due to human error
Why Safety Is Important
Legal – knowing who is responsible
Trust – knowing the car will do what it’s meant to do
Standardization – consolidating platforms and harmonizing systems
Safety and Security Are Closely Linked
Why now? Wireless interfaces enable scalable attacks: >25 vehicle hacks published since 2015; 1.4M vehicles recalled in the largest incident to date; 250M connected vehicles on the road in 2020.
Why is it possible? High system complexity implies high vulnerability: up to 150 ECUs per car, up to 200M lines of software code.
Why hacking? Valuable data attracts hackers: car-generated data may become a 750B USD market by 2030.
ISO 26262: 2018 Edition 2
What is Functional Safety?
Functional safety is the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical or electronic systems.
Mitigation or control of risk
Available standard: ISO 26262:2018
Quantify a Risk: Automotive Safety Integrity Level
S = Severity – What is the level of injury?
E = Exposure – How often is it likely to happen?
C = Controllability – Can the hazard be controlled?
Automotive Functional Safety Standards
• Indicator of industry maturity
• Evolving to address the challenges of Autonomous, but not there yet
Timeline (from the slide figure): ISO 26262 1st Ed – 2011-11 (IS Pub); ISO PAS 21448 SOTIF – 2016-07 to 2019 (PAS, WD review); ISO 26262 2nd Ed – 2018-12 (IS Pub)
ISO 26262: 2018 - What’s New Compared to Edition 1
ISO 26262 Deliverables – status in 2018 Edition 2:
Impact Analysis – Reinforced
Safety Analysis - DFA – Improved
Safety Analysis - FMEDA – Improved
Fault Injection – Reinforced
Confirmation Measures – Improved
Safety Analysis - FTA – Reinforced
IP Management – New
Functional Safety @ NXP
NXP BCAM7 Process Development
Applying CMMi maturity stages: Automotive BCaM7
IATF 16949, ISO 26262, Automotive SPICE
Roles & Resp., Policies, Templates, Checklists, Tools, Procedures
Improving efficiency & quality
Functional Safety Deliverables
ISO 26262 : 2018 – NXP Tailoring
Functional Safety Development Types: Application Specific (ASIC); Safety Element out of Context (SEooC)
Deliverables: Safety Plan, Safety Concept, Safety Analysis, Safety Manual, Safety Case, Safety Assessment
Process:
Safety deliverables integrated in AMD
Safety processes integrated in BCAM7
Safety review integrated in AMC
Roles:
Functional Safety Architect
Project Functional Safety Manager
Functional Safety Assessor
Organization Functional Safety Manager
HW & SW developed as Safety Element Out Of Context (SEooC)
NXP Auto BCaM7 Process Fully Compliant with ISO 26262:2018
- QM or ASILx
- Impact Analysis
- CR Impact Analysis
- Assessment plan
- Safety concept (Requirements & Architecture)
- Safety plan
- SW tool criteria evaluation
- Verification Plan (inc. safety)
- Confirmation review Safety Plan
- CR technical safety concept
- Safety analysis (FTA, DFA, FMEDA)
- Confirmation review Safety Analysis
- Functional Safety design assessment
- Safety Case
- Safety Manual
- Functional Safety Release assessment
- Confirmation review Safety case
Functional Safety Competence Management
E-Learning courses
Standard Training Library
Soft Skills
Technical Skills
System Safety Solution
Example of Power Inverter Module
Key Growth Areas of Automotive Electronic Systems
Automotive Systems Growth 17-22 (chart; y-axis 0% to 30%; Source: IHS, ABI, and NXP Internal)
The car is evolving to a sophisticated electronic system that senses, thinks, connects, and acts and is ‘always on’.
Internal combustion engines are replaced or complemented by electric propulsion.
Electric Vehicles: Base Architecture Components
Major Components:
Motor control (HV inverters)
DC/DC voltage domain converter
On-board charger AC/DC converter
Battery management system
48 V eMachine (BSG, ISG, HVAC)
Hybrid Control Unit (Torque/Energy Management & Optimisation)
Managing Complexity of System & IP Perspectives
System perspective (diagram labels): Use Cases; ISO 26262 & SOTIF; Safe Development Process; Verification & Validation; System Safety Concept; Requirements Management; Safety Analysis; Safety Verification
IP perspective (diagram labels): SW IP (SEooC); HW IP (SEooC); Safety Design
System Safety Enablement
• NXP Safety value proposal:
- Help customer on their safety architecture
- Reduce engineering time (~6 months - 1 year)
- Methodology for start-ups and new OEM
- More than a standard demo board (~ A or B samples) (not a “T1 certified”)
• Support customer on:
- Customization
- Safety Analysis & Metrics
- Safety Process
- Interaction with certification agencies
Power Module Inverter Example
Leadership ASIL-D certified MCUs
Smart, flexible fail-safe SBCs (FS65)
Traction Motor Inverter Systems
Advanced Si IGBT power module
Integrated isolated HV IGBT gate driver
(Diagram labels: Customer, Partner)
Functional Safety ISO 26262 - 2018 Applies
Part 1: Vocabulary
Part 2: Management of Functional Safety
Part 3: Concept Phase
Part 4: Product development at system level
Part 5: Product development at HW level
Part 6: Product development at SW level
Part 7: Production and operation
Part 8: Supporting processes
Part 9: Automotive Safety Integrity Level (ASIL) oriented and safety oriented analyses
Part 10: Guideline on ISO 26262
Part 11: Guideline for Semiconductors
Item, HaRA and Safety Goals
Hazard analysis and Risk assessment
Assumptions:
• Powertrain inverter, High Voltage (>350 V)
• No clutch between electrical motor and vehicle wheels
• Gas and brake pedal commands from driver to VCU
• Inverter torque request from VCU
• 3-phase motor up to 80 kW
Hazards: Unintended self acceleration – ASIL D; Unintended reverse acceleration – ASIL D; Unintended loss of acceleration – ASIL B
Safety Goals and ASIL:
SG1: Avoid unintended acceleration while in stop – ASIL D
SG2: Avoid unintended acceleration, torque lock or over acceleration torque while driving – ASIL B
SG3: Avoid reverse torque – ASIL D
SG4: Avoid sudden loss of acceleration torque – ASIL B
SG5: Avoid self-braking torque while driving at high speed – ASIL D
SG6: Avoid self-braking torque while driving at low speed – ASIL B
Simplified Functional Safety Concept
FSR1: “We need to guarantee the received command is correct and the communication alive.”
FSR2: “We need to guarantee the sensor measurements are correct.”
FSR3: “We monitor the torque to detect a fault of torque processing.”
FSR4: “We need to guarantee the information we send to VCU, and report faults.”
FSR5: “When a fault of communication, sensors or control is detected we need to go to the appropriate safe state.”
Extract of Functional Block Safety Requirements
Example for function Command:
− Define FR and FSR
− Decompose Functional Safety Requirement
− Documentation
Extract of Technical Safety Concept
Example for function Current Sensing – Technical Safety Requirements:
− Technical requirements
− Technical safety requirements
− Diagnostic & reaction
− Documentation
System Failure Matrix & System Safety Mechanism
Diagram labels: Safety Mechanism Library; Safety Manager Library; SW requirements for Safety manager; HW / SW requirements for Safety Mechanism
Matrix columns: System Fault; System Safety Mechanism to detect the Fault; Detection definition (HW & SW), FDTI; Reaction definition (Safe State), FRTI; System Re-activation definition
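FSR1 and FSR5 of the simplified functional safety concept, together with the detection (FDTI) and reaction (safe state) columns of the failure matrix, as an added example; this is constructed code, not NXP's SDK or any deliverable named on these slides. It assumes a 4-byte VCU torque-command frame protected by a CRC-8 (polynomial 0x07) and an alive counter, a 20 ms detection budget, and zero torque as the safe state; all of these are assumptions, not values from the deck.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed VCU->inverter frame (an assumption, not from the deck): bytes 0-1 torque
 * request in Nm (int16, big-endian), byte 2 alive counter, byte 3 CRC-8 over bytes 0-2. */
#define CMD_TIMEOUT_MS 20u   /* assumed detection budget (FDTI) for a lost command */
typedef enum { STATE_RUN, STATE_SAFE } inv_state_t;
typedef struct {
    inv_state_t state;
    uint8_t  last_alive;   /* last accepted alive counter */
    uint32_t last_ok_ms;   /* time of the last valid command */
    int16_t  torque_nm;    /* torque applied; forced to 0 in the safe state */
} inverter_t;
/* CRC-8, polynomial 0x07, used here as the end-to-end integrity check */
static uint8_t crc8(const uint8_t *d, uint8_t len) {
    uint8_t crc = 0;
    for (uint8_t i = 0; i < len; i++) {
        crc ^= d[i];
        for (int b = 0; b < 8; b++) crc = (uint8_t)((crc & 0x80u) ? (crc << 1) ^ 0x07u : crc << 1);
    }
    return crc;
}
/* VCU side: build a well-formed 4-byte frame (also used to construct test input) */
void cmd_build(uint8_t *f, int16_t torque, uint8_t alive) {
    f[0] = (uint8_t)((uint16_t)torque >> 8);
    f[1] = (uint8_t)((uint16_t)torque & 0xFFu);
    f[2] = alive;
    f[3] = crc8(f, 3);
}
void inverter_init(inverter_t *inv, uint32_t now_ms) {
    inv->state = STATE_RUN; inv->torque_nm = 0; inv->last_ok_ms = now_ms;
    inv->last_alive = 0xFFu;   /* the first accepted frame must carry alive == 0 */
}
/* FSR5: any detected fault drives the inverter to zero torque and latches there */
static void enter_safe_state(inverter_t *inv) { inv->state = STATE_SAFE; inv->torque_nm = 0; }
/* FSR1 (correct command): reject a frame whose CRC or alive counter is wrong */
bool inverter_on_command(inverter_t *inv, const uint8_t *f, uint32_t now_ms) {
    if (crc8(f, 3) != f[3] || f[2] != (uint8_t)(inv->last_alive + 1u)) {
        enter_safe_state(inv); return false;
    }
    inv->last_alive = f[2];
    inv->last_ok_ms = now_ms;
    if (inv->state == STATE_RUN)   /* a valid frame does not leave the safe state */
        inv->torque_nm = (int16_t)(((uint16_t)f[0] << 8) | f[1]);
    return true;
}
/* FSR1 (communication alive): silence beyond the budget is a detected fault too */
bool inverter_tick(inverter_t *inv, uint32_t now_ms) {
    if (now_ms - inv->last_ok_ms > CMD_TIMEOUT_MS) enter_safe_state(inv);
    return inv->state == STATE_RUN;
}
```

Leaving the safe state is deliberately not implemented here: the failure matrix keeps system re-activation as its own definition, separate from detection and reaction.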
NXP Safety Enablement Deliverables
HW Safety Architecture / SW Safety Architecture:
• NXP System Safety Concept documentation (FSC, TSC architecture)
• NXP System Failure matrix
• NXP Prepared System FMEDA (with IC system FMs)
• NXP SDK SW (with system safety mechanism)
• NXP Functional Safety support
• NXP ICs datasheet
• NXP ICs Safety manual
• NXP ICs Safety analysis report
• NXP ICs Assessment report
• NXP ICs expert support
SafeAssure Program
SafeAssure Community
NXP’s SafeAssure Program
• Launched SafeAssure initiative in September 2011 focusing on NXP’s functional safety solutions
• Since 2013 NXP’s Development Processes are aligned with ISO 26262 across product lines
− BCaM7 deployment will align at BU Auto level
• 100+ Products being developed to target ISO 26262:
▪ Aug 2012 AMP HW – Leopard (MPC564xL) 32-bit MCU – Certified by Exida
▪ 2013 AMP SW – First release of Safety MCAL (sMCAL)
▪ 2014 AAA HW – Analog – PowerSBC
▪ Many more products are in the development pipeline and will come to completion in the years to come
(Diagram: NXP Quality Foundation; Functional Safety Standards – Automotive ISO 26262, Industrial IEC 61508; pillars Safety Support, Safety Process, Safety Hardware, Safety Software)
SafeAssure Communities: Customer Support for Functional Safety
SafeAssure Community – Public space for knowledge distribution and industry-wide news
SafeAssure NDA – Private NDA space for customers to access safety documentation
Support – Safety Expert Group composed of Safety Managers and Architects, Field and Application Engineers
Self Sufficient – Community users find answers to their questions and safety documentation requests
nxp.com/SafeAssure