Making It Real: The ISO 26262 Functional Safety Standard Takes Safety Centre Stage (Dr. Franck Galtié, Functional Safety Director, NXP; November 2019, EUF-AUT-T3871; 35 slides)


Page 1: Making It Real The ISO 26262 Functional Safety Standard

Company Public – NXP, the NXP logo, and NXP secure connections for a smarter world are trademarks of NXP

B.V. All other product or service names are the property of their respective owners. © 2019 NXP B.V.

Functional Safety Director

Dr. Franck Galtié

Making It Real—The ISO 26262 Functional Safety Standard Takes Safety Centre Stage

November 2019 | EUF-AUT-T3871

Page 2: Making It Real The ISO 26262 Functional Safety Standard

COMPANY PUBLIC 1

Agenda

• Introduction
• ISO 26262:2018 Edition 2
• Functional Safety @ NXP
• Example of a System Safety Solution: Power Inverter Module (PIM)

Page 3: Making It Real The ISO 26262 Functional Safety Standard

Global Megatrends

• Autonomy – Saving lives: 90% of accidents caused by human error
• Electrification – Zero emission: increasing global regulations
• Connectivity – Enjoying the ride: one hour per day spent in the car

Safe and Secure Mobility: more than tripling the semiconductor value per car

Page 4: Making It Real The ISO 26262 Functional Safety Standard

Evolving Vehicle Architecture – Automated Driving (diagram: Sense → Think → Act)

• Connectivity Domain Controller: cellular; WiFi, BT, GNSS, NFC; V2X; broadcast radio; smart car access
• Cockpit Domain Controller (eCockpit, Infotainment and In-Vehicle Experience): touch displays, voice recognition, amplifiers, audio
• ADAS & Highly Automated Driving (Sensor Fusion & Planning Domain Controller): camera, lidar, radar, ultrasonic
• Body Domain Controller (Body & Comfort): HVAC, interior lighting; doors, seats, steering wheel, mirrors, wipers, sunroof; switch panels; temperature, light, humidity sensors
• Powertrain Domain Controller (Powertrain & Vehicle Dynamics): engine, transmission, brake, steering, suspension, airbag, battery cell management; motion & pressure and speed sensors
• Network Gateway linking the domain controllers

Page 5: Making It Real The ISO 26262 Functional Safety Standard

Requirements for a Safe System

• Functional Safety: zero accidents due to system failures
• Cyber Security: zero accidents due to system hacks
• Device Reliability: zero accidents due to device defects
• Vehicle Safety: zero accidents due to human error

Page 6: Making It Real The ISO 26262 Functional Safety Standard

Why Safety Is Important

• Legal – knowing who is responsible
• Trust – knowing the car will do what it’s meant to do
• Standardization – consolidating platforms and harmonizing systems

Page 7: Making It Real The ISO 26262 Functional Safety Standard

Safety and Security Are Closely Linked

• >25 vehicle hacks published since 2015
• 1.4M vehicles recalled in the largest incident to date

• Why now? Wireless interfaces enable scalable attacks: 250M connected vehicles on the road in 2020
• Why is it possible? High system complexity implies high vulnerability: up to 150 ECUs per car, up to 200M lines of software code
• Why hacking? Valuable data attracts hackers: car-generated data may become a 750B USD market by 2030

Page 8: Making It Real The ISO 26262 Functional Safety Standard

ISO 26262:2018 Edition 2

Page 9: Making It Real The ISO 26262 Functional Safety Standard

What is Functional Safety?

Functional safety is the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical or electronic systems.

Mitigation or control of risk.

Available standard: ISO 26262:2018

Page 10: Making It Real The ISO 26262 Functional Safety Standard

Quantify a Risk: Automotive Safety Integrity Level

• S = Severity: what is the level of injury?
• E = Exposure: how often is it likely to happen?
• C = Controllability: can the hazard be controlled?

Page 11: Making It Real The ISO 26262 Functional Safety Standard

Automotive Functional Safety Standards

• Indicator of industry maturity
• Timeline milestones shown on the slide: 2011-11 (ISO 26262 1st Ed); 2016-07; 2018-12 (IS publication, ISO 26262 2nd Ed); 2019 (ISO PAS 21448 SOTIF, PAS; WD review)
• Evolving to address the challenges of Autonomous, but not there yet

Page 12: Making It Real The ISO 26262 Functional Safety Standard

ISO 26262:2018 – What’s New Compared to Edition 1

| ISO 26262 Deliverable   | 2018 Edition 2 |
| ----------------------- | -------------- |
| Impact Analysis         | Reinforced     |
| Safety Analysis – DFA   | Improved       |
| Safety Analysis – FMEDA | Improved       |
| Fault Injection         | Reinforced     |
| Confirmation Measures   | Improved       |
| Safety Analysis – FTA   | Reinforced     |
| IP Management           | New            |

Page 13: Making It Real The ISO 26262 Functional Safety Standard

Functional Safety @ NXP

Page 14: Making It Real The ISO 26262 Functional Safety Standard

NXP BCaM7 Process Development

Applying CMMI maturity stages. The Automotive BCaM7 process draws on IATF 16949, ISO 26262 and Automotive SPICE; it defines roles & responsibilities, policies, templates, checklists, tools and procedures, improving efficiency & quality.

Page 15: Making It Real The ISO 26262 Functional Safety Standard

Functional Safety Deliverables – ISO 26262:2018, NXP Tailoring

Functional Safety Development Types
• Application Specific (ASIC)
• Safety Element out of Context (SEooC)

Deliverables: Safety Plan, Safety Concept, Safety Analysis, Safety Manual, Safety Case, Safety Assessment

Process
• Safety deliverables integrated in AMD
• Safety processes integrated in BCaM7
• Safety review integrated in AMC

Roles
• Functional Safety Architect
• Project Functional Safety Manager
• Functional Safety Assessor
• Organization Functional Safety Manager

HW & SW developed as Safety Element Out Of Context (SEooC)

Page 16: Making It Real The ISO 26262 Functional Safety Standard

NXP Auto BCaM7 Process Fully Compliant with ISO 26262:2018

- QM or ASILx
- Impact Analysis
- CR Impact Analysis
- Assessment plan
- Safety concept (Requirements & Architecture)
- Safety plan
- SW tool criteria evaluation
- Verification Plan (inc. safety)
- Confirmation review Safety Plan
- CR technical safety concept
- Safety analysis (FTA, DFA, FMEDA)
- Confirmation review Safety Analysis
- Functional Safety design assessment
- Safety Case
- Safety Manual
- Functional Safety Release assessment
- Confirmation review Safety Case

Page 17: Making It Real The ISO 26262 Functional Safety Standard

Functional Safety Competence Management

• E-Learning courses
• Standard Training Library
• Soft Skills
• Technical Skills

Page 18: Making It Real The ISO 26262 Functional Safety Standard

System Safety Solution: Example of Power Inverter Module

Page 19: Making It Real The ISO 26262 Functional Safety Standard

Key Growth Areas of Automotive Electronic Systems

[Bar chart: Automotive Systems Growth 17-22, scale 0%–30%; source: IHS, ABI, and NXP Internal]

The car is evolving to a sophisticated electronic system that senses, thinks, connects, and acts and is ‘always on’.

Internal combustion engines are replaced or complemented by electric propulsion.

Page 20: Making It Real The ISO 26262 Functional Safety Standard

Electric Vehicles: Base Architecture Components

Major components:
• Motor control (HV inverters)
• DC/DC voltage domain converter
• On-board charger AC/DC converter
• Battery management system
• 48 V eMachine (BSG, ISG, HVAC)
• Hybrid Control Unit (torque/energy management & optimisation)

Page 21: Making It Real The ISO 26262 Functional Safety Standard

Managing Complexity of System & IP Perspectives

System perspective: Use Cases; ISO 26262 & SOTIF; Safe Development Process; Verification & Validation; Requirements Management; System Safety Concept; Safety Analysis; Safety Verification

IP perspective: HW IP (SEooC); SW IP (SEooC); Safety Design

Page 22: Making It Real The ISO 26262 Functional Safety Standard

System Safety Enablement

• NXP Safety value proposal:
  - Help customers with their safety architecture
  - Reduce engineering time (~6 months to 1 year)
  - Methodology for start-ups and new OEMs
  - More than a standard demo board (~A or B samples; not a “T1 certified” product)
• Support customers on:
  - Customization
  - Safety analysis & metrics
  - Safety process
  - Interaction with certification agencies

Page 23: Making It Real The ISO 26262 Functional Safety Standard

Power Module Inverter Example

Traction Motor Inverter Systems:
• Leadership ASIL-D certified MCUs
• Smart, flexible fail-safe SBCs (FS65)
• Advanced Si IGBT power module
• Integrated isolated HV IGBT gate driver

(Diagram labels: Customer, Partner)

Page 24: Making It Real The ISO 26262 Functional Safety Standard

Functional Safety ISO 26262:2018 Applies

Part 1: Vocabulary
Part 2: Management of Functional Safety
Part 3: Concept Phase
Part 4: Product development at system level
Part 5: Product development at HW level
Part 6: Product development at SW level
Part 7: Production and operation
Part 8: Supporting processes
Part 9: Automotive Safety Integrity Level (ASIL) oriented and safety oriented analyses
Part 10: Guideline on ISO 26262
Part 11: Guideline for Semiconductors

Page 25: Making It Real The ISO 26262 Functional Safety Standard

Item, HARA and Safety Goals

Hazard analysis and risk assessment: unintended self acceleration (ASIL D); unintended reverse acceleration (ASIL D); unintended loss of acceleration (ASIL B).

| Safety Goal                                                                               | ASIL |
| ----------------------------------------------------------------------------------------- | ---- |
| SG1: Avoid unintended acceleration while in stop                                          | D    |
| SG2: Avoid unintended acceleration, torque lock or over-acceleration torque while driving | B    |
| SG3: Avoid reverse torque                                                                 | D    |
| SG4: Avoid sudden loss of acceleration torque                                             | B    |
| SG5: Avoid self-braking torque while driving at high speed                                | D    |
| SG6: Avoid self-braking torque while driving at low speed                                 | B    |

Assumptions:
• Powertrain inverter, high voltage (>350 V)
• No clutch between electrical motor and vehicle wheels
• Gas and brake pedal commands from driver to VCU
• Inverter torque request from VCU
• 3-phase motor up to 80 kW

Page 26: Making It Real The ISO 26262 Functional Safety Standard

Simplified Functional Safety Concept

• FSR1: “We need to guarantee the received command is correct and the communication alive.”
• FSR2: “We need to guarantee the sensor measurements are correct.”
• FSR3: “We monitor the torque to detect a fault of torque processing.”
• FSR4: “We need to guarantee the information we send to the VCU, and report faults.”
• FSR5: “When a fault of communication, sensors or control is detected we need to go to the appropriate safe state.”

Page 27: Making It Real The ISO 26262 Functional Safety Standard

Extract of Functional Block Safety Requirements

Example for function Command:
− Define FR and FSR
− Decompose Functional Safety Requirement
− Documentation

Page 28: Making It Real The ISO 26262 Functional Safety Standard

Extract of Technical Safety Concept

Function Current Sensing – Technical Safety Requirements:
− Technical requirements
− Technical safety requirements
− Diagnostic & reaction
− Documentation

Page 29: Making It Real The ISO 26262 Functional Safety Standard

System Failure Matrix & System Safety Mechanism

For each System Fault, the matrix defines the System Safety Mechanism that detects it:
• Detection definition (HW & SW) with its FDTI (fault detection time interval)
• Reaction definition (safe state) with its FRTI (fault reaction time interval)
• System re-activation definition

Safety Mechanism Library → HW / SW requirements for the safety mechanisms
Safety Manager Library → SW requirements for the safety manager
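The failure matrix above and the FSR1–FSR5 list on the Simplified Functional Safety Concept slide describe one loop: detect a fault within its FDTI, react into the safe state within its FRTI, report it to the VCU, and only then consider re-activation. The C sketch below is an added example written for this page; it is not NXP code, not the PIM's SDK, and not the real inverter interfaces. The frame layouts, fault ids, timing budgets and thresholds (`CMD_TIMEOUT_MS`, `TORQUE_DEBOUNCE_MS`, `FRTI_MS`, the XOR checksum, the phase-current plausibility rule) are all constructed assumptions; a real inverter would use a CRC on the command frame and a proper safe-state sequence through the SBC and gate driver.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
/* Hypothetical inverter safety manager (added example, not NXP code). It shows the
 * slides' failure-matrix pattern: fault -> detection within an FDTI -> reaction to
 * a safe state within an FRTI -> fault report. Names and thresholds are constructed. */
typedef enum { STATE_OPERATE = 0, STATE_SAFE = 1 } sys_state_t;
typedef enum {
    FAULT_NONE = 0,
    FAULT_CMD_CORRUPT,  /* FSR1: checksum or alive counter wrong     */
    FAULT_CMD_LOST,     /* FSR1: no valid command within the timeout  */
    FAULT_SENSOR,       /* FSR2: phase-current plausibility violated  */
    FAULT_TORQUE        /* FSR3: torque deviates from the VCU request */
} fault_t;

/* Constructed timing budget (ms): FDTIs bound detection latency, the FRTI bounds
 * the time from detection to reaching the safe state. */
#define CMD_TIMEOUT_MS     20   /* FDTI, loss of communication */
#define TORQUE_DEBOUNCE_MS 10   /* FDTI, torque monitor        */
#define FRTI_MS             5
#define TORQUE_TOL_NM      10
#define PHASE_MAX_A       400
#define PHASE_SUM_TOL_A     5

typedef struct { int16_t torque_req_nm; uint8_t alive, check; } torque_cmd_t; /* from VCU */
typedef struct { int16_t phase_a[3], torque_est_nm; } sensors_t;
typedef struct { uint8_t state, fault, check; } status_msg_t;                 /* to VCU (FSR4) */
typedef struct {
    sys_state_t state; fault_t fault;
    bool have_cmd, torque_dev_pending;
    uint8_t last_alive;
    uint32_t last_cmd_ms, torque_dev_since_ms, detected_ms, safe_ms;
} safety_mgr_t;

/* XOR of the torque bytes and the alive counter (a real frame would use a CRC). */
uint8_t cmd_checksum(const torque_cmd_t *c)
{
    uint16_t t = (uint16_t)c->torque_req_nm;
    return (uint8_t)(t & 0xFF) ^ (uint8_t)(t >> 8) ^ c->alive;
}

void safety_mgr_init(safety_mgr_t *m, uint32_t now_ms) { *m = (safety_mgr_t){0}; m->last_cmd_ms = now_ms; }

/* FSR5 reaction: latch the first fault and go to the safe state. A real PIM would
 * disable the gate drivers via the fail-safe SBC; gate-off is modelled as immediate. */
static void enter_safe_state(safety_mgr_t *m, fault_t f, uint32_t now_ms)
{
    if (m->state == STATE_SAFE) return;
    m->fault = f; m->detected_ms = m->safe_ms = now_ms; m->state = STATE_SAFE;
}

/* FSR1: accept a command only with a valid checksum and the expected alive counter. */
sys_state_t safety_mgr_on_cmd(safety_mgr_t *m, const torque_cmd_t *c, uint32_t now_ms)
{
    if (m->state == STATE_SAFE) return m->state;
    bool alive_ok = !m->have_cmd || c->alive == (uint8_t)(m->last_alive + 1);
    if (c->check != cmd_checksum(c) || !alive_ok)
        enter_safe_state(m, FAULT_CMD_CORRUPT, now_ms);
    else {
        m->have_cmd = true; m->last_alive = c->alive; m->last_cmd_ms = now_ms;
    }
    return m->state;
}

/* FSR2: the three phase currents must stay in range and sum to ~0 (Kirchhoff). */
static bool sensors_plausible(const sensors_t *s)
{
    int32_t sum = 0;
    for (int i = 0; i < 3; i++) {
        if (abs(s->phase_a[i]) > PHASE_MAX_A) return false;
        sum += s->phase_a[i];
    }
    return abs(sum) <= PHASE_SUM_TOL_A;
}

/* Periodic step: FSR1 liveness, FSR2 plausibility, FSR3 torque monitor with debounce. */
sys_state_t safety_mgr_step(safety_mgr_t *m, const sensors_t *s, int16_t torque_req_nm, uint32_t now_ms)
{
    if (m->state == STATE_SAFE) return m->state;
    if (now_ms - m->last_cmd_ms > CMD_TIMEOUT_MS)
        enter_safe_state(m, FAULT_CMD_LOST, now_ms);
    else if (!sensors_plausible(s))
        enter_safe_state(m, FAULT_SENSOR, now_ms);
    else if (abs(s->torque_est_nm - torque_req_nm) > TORQUE_TOL_NM) {
        if (!m->torque_dev_pending) { m->torque_dev_pending = true; m->torque_dev_since_ms = now_ms; }
        else if (now_ms - m->torque_dev_since_ms >= TORQUE_DEBOUNCE_MS)
            enter_safe_state(m, FAULT_TORQUE, now_ms);   /* deviation outlived its FDTI */
    } else
        m->torque_dev_pending = false;
    return m->state;
}

/* FSR4: status frame to the VCU, protected like the command frame. */
status_msg_t safety_mgr_status(const safety_mgr_t *m)
{
    return (status_msg_t){ (uint8_t)m->state, (uint8_t)m->fault, (uint8_t)(m->state ^ m->fault ^ 0xA5) };
}

/* True when the reaction stayed inside the FRTI budget. */
bool safety_mgr_frti_met(const safety_mgr_t *m)
{ return m->state == STATE_SAFE && m->safe_ms - m->detected_ms <= FRTI_MS; }
```

Two design points carry over from the slides. The torque monitor debounces its deviation for one FDTI so that sensor noise does not trip the safe state, while the communication timeout and the plausibility check react on the first violation, which is the kind of per-fault decision the failure matrix records. And the checksum plus alive counter only catch corrupted, duplicated or stale frames, not a deliberately forged one; that gap is where the “Safety and Security Are Closely Linked” slide applies, since a command path that the safety concept trusts also has to be authenticated.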

Page 30: Making It Real The ISO 26262 Functional Safety Standard

NXP Safety Enablement Deliverables

HW Safety Architecture / SW Safety Architecture:
• NXP System Safety Concept documentation (FSC, TSC architecture)
• NXP System Failure matrix
• NXP Prepared System FMEDA (with IC system FMs)
• NXP SDK SW (with system safety mechanisms)
• NXP Functional Safety support
• NXP ICs datasheet
• NXP ICs Safety manual
• NXP ICs Safety analysis report
• NXP ICs Assessment report
• NXP ICs expert support

Page 31: Making It Real The ISO 26262 Functional Safety Standard

SafeAssure Program and SafeAssure Community

Page 32: Making It Real The ISO 26262 Functional Safety Standard

NXP’s SafeAssure Program

• Launched the SafeAssure initiative in September 2011, focusing on NXP’s functional safety solutions
• Since 2013 NXP’s development processes are aligned with ISO 26262 across product lines
  − BCaM7 deployment will align at BU Auto level
• 100+ products being developed to target ISO 26262:
  ▪ Aug 2012 AMP HW – Leopard (MPC564xL) 32-bit MCU – certified by Exida
  ▪ 2013 AMP SW – first release of Safety MCAL (sMCAL)
  ▪ 2014 AAA HW – Analog – PowerSBC
  ▪ Many more products are in the development pipeline and will come to completion in the years to come

[Diagram: NXP Quality Foundation → Functional Safety Standards (Automotive ISO 26262, Industrial IEC 61508) → Safety Support, Safety Process, Safety Hardware, Safety Software]

Page 33: Making It Real The ISO 26262 Functional Safety Standard

SafeAssure Communities – Customer Support for Functional Safety

• SafeAssure Community: public space for knowledge distribution and industry-wide news
• SafeAssure NDA: private NDA space for customers to access safety documentation
• Support: Safety Expert Group composed of Safety Managers and Architects, Field and Application Engineers
• Self Sufficient: community users find answers to their questions and safety documentation requests

Page 34: Making It Real The ISO 26262 Functional Safety Standard

nxp.com/SafeAssure
