Training Competent Functional Safety Assessor

The training seminar “Functional Safety Assessor” contains the detailed preparation for successfully completing the tasks of a Safety Assessor in accordance with ISO 26262:2018. These are the confirmation measures that cumulate to the functional safety assessment report.

The functional safety assessor is familiar with all the areas of safety management, systems engineering, hardware engineering and software engineering. In addition, he knows the detailed approaches to conformity assessments and the framework of auditing and assessing.

Next to the detailed knowledge on the core documents of the safety management, like the safety plan, the safety case and the confirmation measures, the upcoming safety assessor receives an overview of the four development phases according to ISO 26262:2018: The Concept Phase, the System Development Phase, the Hardware Development Phase and the Software Development Phase.

The extensive group work exercise covers core documents for demonstrating safety such as the safety plan and the safety concept. Additionally, the upcoming functional safety assessors are crating central work products of the functional safety assessment, such as the assessment plan, confirmation reviews and the functional safety assessment report.

Theory (Level 1)

1. Theoretical Content

The theoretical part contains both the expectations from the ISO 26262:2018 towards the project and organization, as well as a self-check with training questions in the style of the examination. The online training is spread over four training sprints and one examination sprint. Each sprint has the theoretical elements available as online content that can be viewed, suspended, resumed, and repeated at any time. In addition, there are dedicated time slots each sprint for asking the training questions that arise during the theoretical part. 

2. Theoretical Examination

The knowledge achieved on functional safety is tested in a multiple-choice examination. As the examination is designed as an on-demand online examination, you can take your time to prepare and select your favorite time to take the exam. Upon successful completion of the theoretical examination, the first certification level, the "Certified Functional Safety Assessor" is achieved.

‍

Practical (Level 2)

3. Practical Exercise

The practical part is designed synchronously with the theoretical part and puts an equal focus on practical exercises that allow the trainees to gain vital understanding on how to achieve work products compliant with ISO 26262:2018. The practical exercise sends the group to create typical work products for a safety related development according to ISO 26262:2018. Within the group, discussions and exchange of experience enhances the learning experience, being supplemented with trainer meetings as part of the practical examination.

4. Practical Examination

The practical exercise is accompanied with the practical examination, where the trainer is providing feedback to the created content with the rigor that will be encountered in functional safety assessments. The respective examination record is shared with the team each sprint and rates the degree of conformity with review questions answered by the trainer. This allows the trainer to provide detailed feedback on the actual competence presented and prepares the team for any upcoming functional safety assessment. Upon successful completion of the theoretical and practical examination, the second certification level, the "Certified Competent Functional Safety Assessor" is achieved.

‍

‍

Training Sprint 1: Overall Safety Management

Introduction to ISO 26262 (ISO 26262:2018−2, Clause 4)
Introduction to functional safety and core aspects for achieving this. The ISO 26262 is introduced and explained, including how to read this standard.

Quality Management Basics (ISO 9000; ISO 9001)
A nutshell summary of quality management that is essential for starting a safety related development. It explains the concept of processes and their aggregation to a complete management system. It briefly turns towards the topics of quality policy and quality objectvies before diving into the achievement of conformity.

Overall Safety Management (ISO 26262:2018−2, Clause 5)
The corporate topics of safety management, that must be addressed before starting a safety development project and continued after the safety development project is concluded. The topics of this module consider the expectations on organizations than are hosting the projects which are developing safety relevant products.

Configuration Management (ISO 26262:2018−8, Clause 7)
Configuration Management is one of the three key supporting processes that keep our documentation clean, available, and unwavering. We discuss technical expectations, the document state model, and baselining.

Documentation Management (ISO 26262:2018−8, Clause 10)
This module explains the definition and handling of the documentation that is the basis for the Safety Case and the Release for Production. It discusses the differences between work products and documents, as well as expected document properties and attributes.

Training Sprint 2: Project Safety Management

Project Safety Management (ISO 26262:2018−2, Clause 6)
This module covers the entire safety management that is performed throughout an entire safety related project. It starts from the role definitions of project manager and safety manager, continuing with the required safety planning. The process reference model is explained, touching all the different topics that you come across during the safety planning. The module concludes with detailing the final evidence of the development part of the safety lifecycle: the safety case.

Training Sprint 3: Advanced Processes & Planning

Process Management (ISO 9001:2015, ISO 26262:2018)
This module covers the meaning and purpose of processes. We begin by explaining what processes actually are and how they relate to activities. We discuss in detail what is expected of processes, including how they are combined to form process landscapes. Finally, we explain the different types of processes and how to manage them.

Competence Management (ISO 26262:2018−2, Clause 5.4.4; ISO 9001:2015, Clause 7.2)
This module explains the source of competence requirements in the organization and how to meet these requirements. It also addresses the vital part of any project management for ensuring that all the necessary competencies are on board the project.

Safety Planning (ISO 26262:2018−2, Clause 6)
Safety planning ensures that functional safety is achieved by the project. This module delves into all aspects of this planning.

Safety Case (ISO 26262:2018−2, Clause 6)
The safety case is the final output of the safety-related development process and reassures everyone that a safe product is being released for production.

Training Sprint 4: Concept Phase

Requirements Management (ISO 26262:2018−8, Clause 6)
The hierarchical structure of the safety requirements are explained as well as their proper notation. Both expectations on individual requirements as well as the entire set of requirements are explained. This module finishes with a detailed discussion on requirement verification and a short explanation of ASIL tailoring. 

Item Definition (ISO 26262:2018−3, Clause 5)
The item definition is a central specification for all safety-related development in the context of the whole vehicle. It not only defines the scope of the safety lifecycle and is the basis for all development activities, but also serves as the central synchronisation document between this item and the other items of the vehicle.

Hazard Analysis and Risk Assessment (ISO 26262:2018−3, Clause 6)
The Hazard Analysis and Risk Assessment is determining the technical risk emanating from the vehicle in the different operating scenarios and classifies this risk into the ASIL. Based on this ASIL that has been determined for a representative set of operational scearios, the Safety Goals are defined as top-level safety requirements for the item. This module explains this whole evaluation procedure step-by-step.

Functional Safety Concept (ISO 26262:2018−3, Clause 7)
The Functional Safety Concept sets the path for achieving safety for the item at vehicle level. It includes functional degradation, user interactions, and requirement from and to other items.

Verification (ISO 26262:2018−8, Clause 9)
This module covers the generic approach to verification used throughout the safety lifecycle. The three main pillars of verification are introduced: Verification, Testing and Analysis. Their interactions are explained and the generic safety verification process is detailed.

Training Sprint 5: Systems Development

Technical Safety Concept (ISO 26262:2018−4, Clause 6)
This module addresses the systems level design activities. The iterative nature of the system level and its boundaries are explained, followed by a detailed discussion on the definition of the technical safety concept and its technical safety requirements. The iteration loop of achieving functional safety is explained as well as its exit criteria: the hardware metrics.

Architectural Design (−)
Generic introduction to the concept of architectures that can be applied in any discipline - system, hardware, or software. We discuss the iterative nature of architectural design and discuss what an architectural design process is all about. This modules concludes with the expected verification activities.

System Architectural Design (ISO 26262:2018−4, Clause 6)
System architecture in compliance with ISO 26262. This module covers the system breakdown structure required, the architectural desig process at system level as well as the ASIL allocation methodology. The core architectural concepts are explained using a small example.

Managing Distributed Developments (ISO 26262:2018−8, Clause 5)
How to correctly handle organizational interfaces in a joint development. This is the only part of the ISO 26262 that deals with the fact that different organizations are involved in a development effort. This interface is examined from different angles and the corresponding DIA is introduced.

Training Sprint 6: Confirmation Measures

Audit and Assessment (ISO 26262:2016−2, Clause 6.4.9)
This is the introductory module to audits and assessments and explains their role in the product life cycle. It explains the differences between an audit and an assessment and presents the overall safety confirmation with its required independence. Finally, the principles of auditing and the expected personality of an assessor are explained.

Functional Safety Assessment (ISO 26262:2016−2, Clause 6.4.12)
This module explains the functional safety assessment in detail. The judgement made in the assessment is put into context with its use in the release procedure and the information provided throughout a distributed development chain. The assessment procedure is detailed, and the technical sampling that supports the argument for a safe product is highlighted. The module concludes with a detailed discussion of the contents of an assessment report.

Functional Safety Audit (ISO 26262:2016−2, Clause 6.4.11)
This module explains functional safety auditing in detail. After clarifying some terminology, the hierarchy of processes introduced by quality standards is reviewed and related to functional safety audit activities. After discussing the different types of audit and inspection bodies, the entire audit process is explained step by step, including a detailed discussion of the audit report. The module concludes by explaining the concept of interviews.

Confirmation Review (ISO 26262:2016−2, Clause 6.4.10)
This module explains how to carry out the confirmation reviews required by ISO 26262. The confirmation reviews required by the standard are placed on a timeline and their repetition is discussed. After detailing the review record and the sources of the confirmation review questions, the detailed confirmation review procedure is introduced.

Certification and Accreditation (ISO 17020)
This module explains what certification is all about and what the differences are between a report and a certificate. The accreditation as a system of trust is introduced before explaining its relation to the automotive regulations.

Training Sprint 7: Hardware  Development

Hardware Safety Requirements (ISO 26262:2018−5, Clause 6)
This module details the generic guidance for safety requirements to the hardware safety requirements. We also discuss the role of the technical safety concept in relation to the hardware safety requirements and to the hardware-software interface document. This module finishes with the design phase verification activities and their relationship to the overall verification.

Hardware Architectural Design (ISO 26262:2018−5, Clause 7.4.1)
This module explains where hardware architectural design is located in the overall technical system breakdown structure and how it differs from hardware detailed design. The principles of hardware architectural design and the verification activities of the design phase are discussed in detail.

Hardware Detailed Design (ISO 26262:2018−5, Clauses 7.4.2, 7.4.4, 7.4.5)
This module explains the design of hardware units and what is expected by ISO 26262. Some typical additional safety-related tasks are discussed, as well as the design phase verification activities required for hardware detailed design.

Reusing Components (ISO 26262−2, Clauses 6.4.4, 6.4.6.7)
Avoiding to reinvent the wheel is one of the key approaches to efficiency. The ISO 26262 does not stand in our way, yet, the key concepts for re-using elements in accordance with ISO 26262 must be understood. This module explains the basic reuse flow, the different categories of component sources, as well as the interesting topic of trusting release collaterals.

Sourcing of Hardware Components (ISO 26262:2018−8, Clause 13)
This module focuses on hardware-reuse by sourcing hardware components. Building confidence in those components is essential for their subsequent use in safety-related designs. Firstly, the general procurement process is considered. Component classification is then introduced, leading to various activities such as basic automotive qualification, hardware component evaluation and additional measures. 

Reusing Hardware (ISO 26262:2018−8, Clause 13)
This module provides the hardware-specific guidelines for generic component reuse. It considers the differences between reuse and configurability, and discusses the different levels of abstraction for hardware reuse.

Training Sprint 8: Software  Development

General Software Topics (ISO 26262:2018−6, Clause 5)
Before any safety-related software development can begin, the development processes must be in place. This module explains what this means, focusing not so much on the general idea of processes, but on the actual expectations on software development processes. It therefore covers specific expectations on the programming language and programming guidelines. It concludes with the importance of guidelines and how to demonstrate compliance.

Software Safety Requirements (ISO 26262:2018−6, Clause 6)
Based on the generic guidance on safety requirements, this module focuses on the software safety requirements. It explains the different aspects that need to be considered and details on the expected design phase verification activities.

Software Architectural Design (ISO 26262:2018−6, Clause 7)
This module is about understanding the safety perspective during designing a software architecture. The architectural characteristics and their manifestation in the guidelines are discussed before considering the design principles for safety software architectures. Practical topics such as ASIL allocation, smart and risky safety approaches, and  verification of the software architecture during the design phase are also discussed.

Software Unit Design and Implementation (ISO 26262:2018−6, Clause 8)
Both software unit design and software unit implementation are detailed in this module. The expected software properties and the software design principles to be followed are discussed, as well as the mechanisms for applying and verifying compliance. The concept of ""requirement"" is reviewed to highlight the differences between design and implementation and the expectations of the assessors. This module concludes with the discussion of objective metrics for defining the appropriate size of software units.

Reusing Software (ISO 26262:2018−8, Clause 12)
Software reuse is one of the core paradigms in software development. Based on the generic reuse concepts, this module focuses on the different reuse paths available for software. The different black-box or white-box activities that make these concepts work are explained. The concept of software qualification is explained with the complete qualification flow, highlighting the requirements for the qualification specification and qualification documents by ISO 26262.

Configurable Software (ISO 26262:2018−6, Annex C)
Since software configurability and calibration are essential for its reuse or component-specific adaptation, this module covers the additional requirements that must be met when using software configuration and calibration. First, a distinction is made between configuration and calibration, including a mapping of each to the different phases of the safety software lifecycle. Key safety management aspects of configuration and calibration are discussed before both the configuration and calibration process are explained in detail.

Training Sprint 9: Verification

Functional Safety in Entire Vehicles (−)
This module considers the approach to functional safety from a whole vehicle perspective. Firstly, the applicaility of ISO 26262 to vehicle components is discussed. The complete vehicle structure is shown with its network of items. The minimum set of activities applicable at the vehicle level is shown and the content of an item definition is related to the functional specification.

Reviews (−)
A detailed explanation for one of the three main pillars of verification: the review. It starts with explaining the conduct of a review, then relating the review to the change management. Subsequently, this module covers different review methods that you may come across, deep diving into the review method ""inspection"".

Testing (ISO 26262:2018−8, Clause 9)
This module covers the expectations for the tests performed in a safety lifecycle. The testing process is explained in detail with all the expected work products. This is followed by a discussion of the two main categories of testing: functional testing and robustness testing. Finally, some specific test environments are considered.

Problem and Change Management (ISO 26262:2018−2, Clause 5.4.3; ISO 26262:2018−8, Clause 8)
Problem and Change Management is about keeping track of problems found and changes made during the safety lifecycle. While considered two separate processes, we see them as so interdependent that we cover both in one module.

Training Sprint 10: Safety Analyses

Safety Analysis (ISO 26262:2018−9, Clause 8)
The concepts explained in this module are core to any safety analysis required for safety related elements. The role of the safety analysis is explained as well as the procedure for conducting this analysis. The different types of safety analyses are discussed and the methods explained before this is illustrated with a small and simple example.

Hardware Safety Analysis (ISO 26262:2018−5, Clause 7.4.3)
This module covers one of the core topics of a safety lifecycle: the evaluation of technical risk within the hardware design. This is done through safety analysis, which is explained in detail and related to the hardware design activities. The analyses produce the rating achieved by the design for the SPFM, LFM, and PMHF. The meaning of these metrics is discussed in detail and visualized in a practical example. This module also briefly covers the EEC concept, which is an alternative to the PMHF.

Software Safety Analysis (ISO 26262:2018−4, Clause 7.4.10)
Beyond the general principles and guidelines for safety analysis, ISO 26262 provides little guidance for software safety analysis. However, this module addresses the core paradigms that will lead to a successful software safety analysis, highlighting which parts within the software breakdown structure should be subject to software safety analysis and which methods could be applied.

Dependent Failure Analysis (ISO 26262:2018−9, Clauses 6, 7)
This module introduces dependent failures with both common cause and cascading failures. After discussing the various sources of dependent failures, the procedure for dependent failure analysis is explained. Finally, the dependent failure initiators are discussed one by one with some examples.

Certificates and External Evidence (−)
When performing an assessment, you will typically encounter evidence from assessment activities that you did not perform. This module discusses the relationship between safety cases and assessment reports and explains the types of evidence that may be encountered and their sources. A detailed procedure for accepting evidence is proposed.

Training Sprint 11: Hardware & Software Verification

Fault Classification (ISO 26262:2018−5, Clause 7.4.3.2 and Annex C)
One of the key concepts in functional safety is the forecast of the technical risk. This general module introduces important general considerations regarding faults and failures. It fist discusses the distiction between random and systematic, faults and failures, and soft and hard faults. The core failure concepts of single point faults and latent faults are then discussed in detail. To give a complete picture, the faults are related to the safety mechanisms installed, and how the safety mechanisms affect the classification of a fault.

Hardware Integration and Testing (ISO 26262:2018−5, Clause 10)
This module examines what integration means for hardware design. The different test methods and methods for deriving test cases are explained.

Testing the Hardware (ISO 26262:2018−5, Clause 10)
Based on the generic guidance on verification and testing, this module details the expectations for hardware testing. The various sources of requirements in ISO 26262 are detailed and the requirements for test methods and the methods for deriving test cases are shown.

Software Unit Verification (ISO 26262:2018−6, Clause 9)
This module covers both design phase verification and unit testing as defined in ISO 26262. The different verification activities are shown in the flow from the requirements assigned to the software unit to the software unit executable. The methods for deriving the unit test specification and measuring the structural code coverage of these tests are explained. Finally, some additional considerations for good testing are given.

Software Integration and Testing (ISO 26262:2018−6, Clause 10)
Software integration builds the test object for software integration testing. The scope of this integration is shown and the objectives of software integration testing are explained. The methods for deriving the test cases and the metrics for measuring their completeness are discussed.

Testing of the Embedded Software (ISO 26262:2018−6, Clause 11)
Testing the fully integrated software is the demonstration of compliance with the requirements. This module explains the expected test methods, test environments, and methods for defining test cases. It also loops back to other activities that may produce test cases, ultimately demonstrating completeness in testing.

Assessment Briefing (−)
A brief introduction to the assessment and audit activities for the project team. The core elements of the functional safety assessment are briefly explained, followed by a discussion of the sampling approach used in the assessment. The module concludes with an explanation of what to expect and the do's and don'ts during the interviews and assessment.

Training Sprint 12: System Integration & Verification

Hardware-Software integration (ISO 26262:2018−4, Clause 7)
A general Introduction to the system integration, followed by the requirements on the first integration step: the hardware-software integration.

System and Item Integration (ISO 26262:2018−4, Clause 7)
The requirements on the intermediate integration steps of a vehicle from the lowest system level up to the item.

Vehicle Integration (ISO 26262:2018−4, Clause 7)
How to integrate and test the integrated item into the vehicle.

Safety Validation (ISO 26262:2018−4, Clause 8)
How to demonstrate that the item is safe when used within the vehicle. The validation is the counter-part of the concept phase on the right leg of the V development cycle.

Reusing Systems (ISO 26262:2018−2, Clauses 6.4.3 and 6.4.4; ISO 26262:2018−8, Clauses 14 through 16)
This module focuses on eth system level reuse, discussing internal reuse and reuse management, followed by considering off-the-shelf reuse that may come with safety evidence from other safety standards.

Training Sprint 13: Production & Development Tools

Production (ISO 26262:2018−7, Clause 5)
This module covers the topics relevant to the production of safety-related components. It includes the requirements for production planning. The production control plan includes the activities to ensure compliance and is supported by the production analysis, typically the process FMEA, which is designed to anticipate the production related risks. The module continues with the synchronization between the development team and the production plant and addresses the issue of ensuring a safe product already during production.

Operation, Service, and Decommissioning (ISO 26262:2018−7, Clause 6)
This module focuses on resolving problems that may occur in the field and how to report them back to the development team. It also briefly discusses actions to ensure safe operation in the field.

Software Tools (ISO 26262:2018−8, Clause 11)
Tools are our small or large helpers that facilitate our engineering work. Whereas they support us systematically, we should be aware of the risk that comes from the level of trust we put into these tools. This module covers how to justify the trust we put into the software tools that are used throughout the safety lifecycle.

Redundancy (ISO 26262:2018−9, Clause 5)
Explaining the basic concepts of redundancy (MooN) and considerations for lowering the ASIL of the individual redundant implementations.

Training Sprint 14: Modern Development

Functional Safety meets Automotive SPICE (Automotive SPICE 3.1)
This module discusses the overlap and the differences between Automotive SPICE and functional safety. First highligting the objectives of the functional safety audit and the concept of Automotive SPICE, this module explores the strengths and weaknesses of each and performs an analysis of the capability levels required for functional safety projects.

Functional Safety meets Cybersecurity (−)
This module discusses the relationship between functional safety and cybersecurity. We begin by explaining the differences between functional safety, safety of the intended function, and cybersecurity. Once this is clarified, we will compare cybersecurity and safety activities throughout the product lifecycle, showing that there are many common paradigms that manifest differently due to the different mission of each discipline.

Safety meets Agile (−)
Discussion on the development of a safety related product using the agile mindset. We will first walk through the agile manifest and the agile principles and relate them to the safety expectations. After that we'll dive into the aspects needed for a safe agile development.

Assessing Agile Teams (−)
This module includes some practical advice of how to plan and perform assessment activities for agile developments.

Training Sprint 15: Examination

Time to prepare for the exam with practice questions and Q&A with the instructor.

‍

‍