Functional Safety Overview ISO 25119
Bosch Engineering GmbH
BEG-PT/ESB-Johannes Schild | 06/02/2013 | Bosch Engineering GmbH 2013. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Agenda
Introduction
Historical examples
Challenges in safety
Standards and product liability
Terminology

What does the history teach?
Experiences from aerospace
The events and conditions involved in the accidents appear to be very different from what can be expected in the ground vehicle domain and in personal safety.
A detailed analysis of the systemic factors, however, reveals striking similarities with ground vehicle development.
Main reasons:
Safety culture
Management and organizational problems
Technical deficiencies
Process flaws (incapability)
Insufficient verification and validation

Mars Climate Orbiter (MCO) 1999
Challenge 1: Risk and safety management
Cultivating the safety culture
Escalating risks
Assigning responsibilities: safety, quality, system, SW, HW
Change management
Meeting priorities

Mars Climate Orbiter (MCO) 1999
The spacecraft was lost when it fired its main engine to achieve an elliptical orbit around Mars.
Root cause: failure to use metric units in a ground software file (thruster impulse data was delivered in pound-force seconds while the navigation software expected newton seconds).
Warning signs of software flaws were neglected: multiple file format errors and incorrect spacecraft attitude data specifications.
A lack of safety culture was a major reason: orbiting Mars was considered routine.
Risk management was flawed: the project management teams appeared primarily focused on meeting mission cost and schedule objectives.
"Take off your engineering hat and put on your management hat" was the advice given to one wavering worker.
The project did not have a mission assurance manager.
http://www.jamesoberg.com/08312003precolumcrit_col.html
Source: NASA

Mars Polar Lander (MPL) 1999
Challenge 2: Requirements engineering
Traceability of requirements
Understanding of requirements
Information on the rationale of requirements
Source: NASA (artist's depiction)

Mars Polar Lander (MPL) 1999
The failure occurred during entry, descent and landing.
The descent engines were to shut down 50 ms after touchdown to avoid overturning the lander.
Vibrations caused by the deployment of the stowed legs were interpreted as touchdown (a touchdown signal was accepted if it persisted for 2 reading cycles).
The flight software should have ignored such premature sensor signals.
Why?
The software requirements did not specifically describe these events; consequently the software designers did not account for them. The engines were shut down early, the lander fell the remaining 40 meters and hit the surface at about 22 m/s.
Traceability of requirements
ftp://ftp.hq.nasa.gov/pub/pao/reports/2000/2000_mpl_report_1.pdf
Source: NASA (artist's depiction)
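The touchdown-sensing failure mode above, as an added C example that is not part of the original slides or of NASA's flight software. The two-reading-cycle persistence rule and the 40 m figure come from the slide; the altitude gate, the state machine, the function names and the descent profile are assumptions constructed for this illustration.

```c
/*
 * Added example (not NASA flight software). It models the touchdown-sensing
 * failure mode on a constructed descent profile: the two-reading-cycle
 * persistence rule and the 40 m figure are taken from the slide; the
 * altitude gate, the sample sequence and the state machine are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PERSIST_CYCLES  2      /* indication accepted after 2 consecutive readings */
#define GATE_ALTITUDE_M 40.0   /* assumed: touchdown only plausible below 40 m     */

typedef struct {
    double altitude_m;   /* radar altimeter reading (constructed)       */
    bool   sensor_high;  /* leg touchdown sensor reading (constructed)  */
} sample_t;

/* Failure-mode logic: the indication is latched whenever it persists for
 * PERSIST_CYCLES, at any altitude, and is never cleared. Once below the
 * gate the stale latch is consulted and the engines are cut. Returns the
 * cycle index at which engine cut-off is commanded, or -1 if never. */
static int latched_cutoff_cycle(const sample_t *s, size_t n)
{
    int  persist = 0;
    bool latched = false;
    for (size_t i = 0; i < n; i++) {
        persist = s[i].sensor_high ? persist + 1 : 0;
        if (persist >= PERSIST_CYCLES)
            latched = true;                        /* leg-deploy transient latches here */
        if (latched && s[i].altitude_m <= GATE_ALTITUDE_M)
            return (int)i;                         /* engines cut while still airborne  */
    }
    return -1;
}

/* Hardened logic: readings are ignored and any accumulated persistence is
 * discarded until the lander is below the gate, so a transient at high
 * altitude can never contribute to the touchdown decision. */
static int gated_cutoff_cycle(const sample_t *s, size_t n)
{
    int  persist = 0;
    bool armed   = false;
    for (size_t i = 0; i < n; i++) {
        if (!armed) {
            if (s[i].altitude_m > GATE_ALTITUDE_M) {
                persist = 0;                       /* forget anything seen above the gate */
                continue;
            }
            armed = true;
        }
        persist = s[i].sensor_high ? persist + 1 : 0;
        if (persist >= PERSIST_CYCLES)
            return (int)i;
    }
    return -1;
}

/* Constructed descent profile, one entry per reading cycle: leg deployment
 * at 1500 m produces a two-cycle sensor transient; the real touchdown is
 * the pair of true readings at 0 m. */
static const sample_t DESCENT[] = {
    {1500.0, false}, {1500.0, true}, {1500.0, true}, {1490.0, false},
    { 800.0, false}, { 200.0, false}, {  41.0, false}, {  39.0, false},
    {  10.0, false}, {   0.0, true }, {   0.0, true },
};
#define DESCENT_N (sizeof DESCENT / sizeof DESCENT[0])

int    latched_result(void)         { return latched_cutoff_cycle(DESCENT, DESCENT_N); }
int    gated_result(void)           { return gated_cutoff_cycle(DESCENT, DESCENT_N); }
double altitude_at_cycle(int cycle) { return cycle < 0 ? -1.0 : DESCENT[cycle].altitude_m; }

int main(void)
{
    int a = latched_result(), b = gated_result();
    printf("latched logic cuts engines at cycle %d, altitude %.0f m\n", a, altitude_at_cycle(a));
    printf("gated logic cuts engines at cycle %d, altitude %.0f m\n", b, altitude_at_cycle(b));
    return 0;
}
```

The point of the example is that a longer debounce would not have helped: the transient is genuinely persistent. What was missing is a requirement stating when a touchdown indication may be believed at all, which is exactly the event-specific requirement the slide says was never written down.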

Ariane 5, June 4, 1996, maiden flight
Challenge 3: Integration and reuse
Integrating already existing software (e.g. software libraries)
How to place the right requirements on the supplier
How to test and integrate

Ariane 5, June 4, 1996, maiden flight
Complete loss of guidance and attitude information 37 s after the start of the main engine ignition sequence.
The loss of information was due to specification errors of the software and design errors in the inertial reference system (SRI) software.
Why?
The software was reused from the old Ariane 4.
The horizontal bias variable was not overflow protected because it was "physically limited or there was a large margin of safety".
Ariane 5 had a different trajectory, so this assumption was no longer valid: the conversion of the much larger value overflowed.
The resulting diagnostic bit pattern was interpreted as flight data.
The faulty module served no purpose once airborne.
The design only took random HW faults into account, not software faults: the redundant systems SRI 1 and SRI 2 ran the same software on the same inputs and failed synchronously.
Root cause: a management decision to skip important system testing activities.
http://esamultimedia.esa.int/docs/esa-x-1819eng.pdf
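The unprotected conversion described above, as an added C example that is not ESA or Ariane code. The inquiry report linked above describes the actual fault as a conversion from a 64-bit floating-point value to a 16-bit signed integer; the sample values, function names and the saturating policy here are assumptions made for the illustration.

```c
/*
 * Added example (not ESA or Ariane flight code). A 64-bit floating-point
 * "horizontal bias" value is converted to a 16-bit signed integer; the
 * unprotected version silently wraps, the protected version reports that
 * the value does not fit. Sample values are constructed.
 */
#include <stdint.h>
#include <stdio.h>

/* Unprotected conversion. In C an out-of-range double-to-integer conversion
 * is undefined behaviour, so the wrap-around a truncating 16-bit store
 * produces is emulated explicitly to keep the example deterministic. */
static int16_t bh_convert_unprotected(double bh)
{
    int64_t  whole = (int64_t)bh;                 /* assumes |bh| < 2^63 */
    uint32_t low16 = (uint32_t)(whole & 0xFFFF);  /* keep 16 bits: silent wrap */
    return (int16_t)(low16 >= 0x8000u ? (int32_t)low16 - 0x10000 : (int32_t)low16);
}

typedef enum { BH_OK = 0, BH_OVERFLOW, BH_NOT_A_NUMBER } bh_status_t;

/* Protected conversion: the caller learns that the value does not fit and
 * can saturate, flag the channel as degraded or switch to a backup instead
 * of passing a garbage bit pattern downstream as flight data. */
static bh_status_t bh_convert_protected(double bh, int16_t *out)
{
    if (bh != bh)                              /* NaN compares unequal to itself */
        return BH_NOT_A_NUMBER;
    if (bh >= 32768.0 || bh <= -32769.0)      /* truncation would not fit int16_t */
        return BH_OVERFLOW;
    *out = (int16_t)bh;                        /* representable: truncates toward zero */
    return BH_OK;
}

/* Saturating wrapper: clamps to the representable range and reports that it
 * did so, one policy for keeping the channel alive on bad input. */
static int16_t bh_convert_saturating(double bh, int *clamped)
{
    int16_t v = 0;
    bh_status_t st = bh_convert_protected(bh, &v);
    *clamped = (st != BH_OK);
    if (st == BH_OVERFLOW)     return bh > 0.0 ? INT16_MAX : INT16_MIN;
    if (st == BH_NOT_A_NUMBER) return 0;
    return v;
}

int main(void)
{
    const double ariane4_like = 12345.6;   /* constructed: inside the qualified envelope */
    const double ariane5_like = 40000.0;   /* constructed: beyond what the reused code assumed */
    int16_t v = 0;
    int clamped = 0;

    printf("unprotected(%.1f) = %d\n", ariane4_like, bh_convert_unprotected(ariane4_like));
    printf("unprotected(%.1f) = %d (silently wrong)\n", ariane5_like, bh_convert_unprotected(ariane5_like));
    printf("protected(%.1f) -> status %d\n", ariane5_like, bh_convert_protected(ariane5_like, &v));
    v = bh_convert_saturating(ariane5_like, &clamped);
    printf("saturating(%.1f) = %d (clamped=%d)\n", ariane5_like, v, clamped);
    return 0;
}
```

Note that the unprotected conversion of a negative out-of-range value does not just lose magnitude but can flip sign, which is the kind of "plausible-looking" garbage that gets interpreted as flight data. The comment stating the Ariane 4 range assumption is the artefact that should have been re-checked at reuse.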

Titan IV / Centaur / Milstar-3, 1999
Challenge 4: Testing/verification
Identifying hazards
Suitable software development processes
Testing of software/hardware interactions
Requalification of COTS

Titan IV / Centaur / Milstar-3, 1999
Mission: put the satellite into geosynchronous orbit.
An incorrect roll rate filter constant zeroed the roll rate data, leading to loss of roll axis control and then of yaw and pitch control.
Excessive firings of the reaction control system and subsequent fuel depletion.
Why?
Wrong manual entry of the roll rate filter constant.
The value was not checked for validity; no formal process existed.
Inadequate software development, testing and quality assurance process for the Centaur upper stage.
Old COTS not re-qualified.
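The validity check the slide says was missing, as an added C example that is not Centaur flight software: a loader for manually entered flight constants that rejects a value that is not finite, lies outside the bounds declared for that parameter, or disagrees between two independent entries. Parameter names, bounds and the entered values are hypothetical and constructed for the illustration.

```c
/*
 * Added example (not Centaur flight software). Manually keyed constants are
 * accepted only if they are finite, inside the declared bounds and identical
 * across two independent entries. Parameter names, bounds and the sample
 * entries are hypothetical.
 */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    const char *name;
    double      min;   /* lowest value the design allows  */
    double      max;   /* highest value the design allows */
} param_spec_t;

typedef enum {
    LOAD_OK = 0,
    LOAD_NOT_FINITE,      /* NaN or infinity entered                 */
    LOAD_OUT_OF_RANGE,    /* outside [min, max] declared in the spec */
    LOAD_ENTRY_MISMATCH   /* the two independent entries disagree    */
} load_status_t;

static int    is_finite_d(double x) { return (x == x) && (x - x == 0.0); }
static double absd(double x)        { return x < 0.0 ? -x : x; }

/* Validate n constants. entry_a and entry_b are two independent keyings of
 * the same table; on success entry_a is copied into out. On failure
 * *bad_index names the offending parameter and out is left untouched. */
static load_status_t load_constants(const param_spec_t *spec,
                                    const double *entry_a, const double *entry_b,
                                    size_t n, double *out, size_t *bad_index)
{
    for (size_t i = 0; i < n; i++) {
        double a = entry_a[i], b = entry_b[i];
        if (!is_finite_d(a) || !is_finite_d(b))        { *bad_index = i; return LOAD_NOT_FINITE; }
        if (absd(a - b) > 1e-9 * (1.0 + absd(a)))      { *bad_index = i; return LOAD_ENTRY_MISMATCH; }
        if (a < spec[i].min || a > spec[i].max)        { *bad_index = i; return LOAD_OUT_OF_RANGE; }
    }
    for (size_t i = 0; i < n; i++)
        out[i] = entry_a[i];
    return LOAD_OK;
}

/* Hypothetical parameter table: the roll rate filter gain is expected to be
 * of order -2, so a decimal-point slip to -0.2 falls outside its bounds. */
static const param_spec_t SPEC[] = {
    { "roll_rate_filter_gain",  -3.0,  -1.0  },
    { "pitch_rate_filter_gain", -3.0,  -1.0  },
    { "rcs_min_on_time_s",       0.01,  0.10 },
};
#define NPARAM (sizeof SPEC / sizeof SPEC[0])

static const double GOOD[NPARAM] = { -1.99,  -1.99, 0.02 };
static const double SLIP[NPARAM] = { -0.199, -1.99, 0.02 };  /* decimal-point slip in entry 0 */
static const double TYPO[NPARAM] = { -1.99,  -1.89, 0.02 };  /* second keying differs in entry 1 */

load_status_t demo_good(size_t *bad)     { double out[NPARAM]; return load_constants(SPEC, GOOD, GOOD, NPARAM, out, bad); }
load_status_t demo_slip(size_t *bad)     { double out[NPARAM]; return load_constants(SPEC, SLIP, SLIP, NPARAM, out, bad); }
load_status_t demo_mismatch(size_t *bad) { double out[NPARAM]; return load_constants(SPEC, GOOD, TYPO, NPARAM, out, bad); }

int main(void)
{
    size_t bad = 0;
    printf("good table:     status %d\n", demo_good(&bad));
    printf("decimal slip:   status %d at %s\n", demo_slip(&bad), SPEC[bad].name);
    printf("entry mismatch: status %d at %s\n", demo_mismatch(&bad), SPEC[bad].name);
    return 0;
}
```

The bounds in SPEC are themselves requirements and need a recorded rationale (why may the gain not be above -1.0?), otherwise the next engineer widens them to make a rejected entry load; that is the traceability point from Challenge 2 applied to configuration data.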

Conclusion of the accidents
Insufficient safety culture
Various aspects and degrees of overconfidence and complacency
Discounting or misunderstanding of the risks associated with software
Engineering process insufficient
System engineering resources insufficient to meet the needs of the project
Software processes were declared to have been adequate when the evidence shows they were not
No appropriate techniques for handling design errors
Poor specification practices
Unnecessary complexity and software functions
Software reuse without appropriate safety analysis
Quality management flawed
Ineffective reviews of processes, tools and specifications

Thoughts about safety
Safety shall not be validated afterwards just to get a "SAFE" stamp; that is the danger in certification.
Safety shall be achieved through a thoughtful design, not tested into the product afterwards.
Safety shall be reproducible and predictable: save all design documentation.
Claims shall be verifiable: give the reasons why a statement is made.
Requirements must be defined and met, no more, no less.
Consider both random failures and systematic failures.

What is safe? Accepted risk
[Figure: risk diagram, axes hazard vs. probability of occurrence, with regions labelled "accepted risks" and "not accepted risks"]
BEG-PT/ESB5 | 29.01.2013 | Bosch Engineering GmbH 2009. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

What is safe? Example drive-by-wire (I)
[Figure: risk diagram, axes hazard vs. probability of occurrence]
Established system: gas pedal mechanically connected to the engine. The only root cause is mechanical failure, which has a low failure rate.

What is safe? Example drive-by-wire (II)
[Figure: risk diagram, axes hazard vs. probability of occurrence]
New system: drive-by-wire without mechanical connection from pedal to engine.
Potential additional hazard caused by electronic failures: socially not acceptable.

What is safe? Example drive-by-wire (III)
[Figure: risk diagram, axes hazard vs. probability of occurrence, with a "safety concept" reducing the probability of occurrence of the hazard]
New system: drive-by-wire without mechanical connection from pedal to engine.
Potential additional hazard caused by electronic failures: socially not acceptable.
Functional safety: the EGAS concept (the standardised monitoring concept for electronic throttle control) brings the risk back into the accepted region.
Today this function is standard in all EGAS systems.

Definition: Functional Safety
Functional safety addresses malfunctions of safety-related control systems, for example:
Machine shall not move from standstill without demand
Shovel shall move on demand only
No brake actuation without user demand
No unintended steering of hydraulic steering
No hydraulic actuation without or against user demand

Functional safety does not address hazards caused by a correctly functioning system, for example:
Injury by moving parts which move according to the defined strategy
Definition of nominal system performance (e.g. sufficient brake force)
BEG-CD/ECF Maigler | 14.04.2011 | Bosch Engineering GmbH 2009. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Achieving the goals of functional safety
[Figure: a dangerous fault is traced back to two kinds of cause. Systematic HW/SW errors are countered by documentation, organisational measures, technical measures and preventive quality management; incidental (random) HW errors are handled by a probabilistic approach.]