Training Competent Functional Safety Engineer

The training seminar “Safety Engineer” prepares for the overall oversight over a safety related item development in compliance with ISO 26262:2018. It contains all the content that is covered by the courses to the three individual disciplines of systems development, hardware development, and software development.

The journey of the safety engineer starts with the management of functional safety at the organizational level, including required supporting processes within a project. It continues with the concept phase that is defining the item and assesses the risk level with the hazard analysis and risk assessment (HARA), leading to the functional safety concept.

The functional safety concept is picked up by the training sprints focusing on the system development, hardware development, and software development, each detailing the different expectations from the ISO 26262. The concepts of the V development model are detailed, leading to the sprints addressing the verification of the hardware, software, and, finally, the system level. 

The Journey concludes with production related topics, as well as the tool evaluation as one of the supporting activities.

The respective competence is established by applying this knowledge to a small sample system in a group work exercise. In this exercise, central work products for the functional safety are created, including the HARA, Functional Safety Concept, Technical Safety Concept, architectures, designs, testing, and safety analyses.Theory (Level 1)

1. Theoretical Content

The theoretical part contains both the expectations from the ISO 26262:2018 towards the project and organization, as well as a self-check with training questions in the style of the examination. The online training is spread over four training sprints and one examination sprint. Each sprint has the theoretical elements available as online content that can be viewed, suspended, resumed, and repeated at any time. In addition, there are dedicated time slots each sprint for asking the training questions that arise during the theoretical part. 

2. Theoretical Examination

The knowledge achieved on functional safety is tested in a multiple-choice examination. As the examination is designed as an on-demand online examination, you can take your time to prepare and select your favorite time to take the exam. Upon successful completion of the theoretical examination, the first certification level, the "Certified Safety Engineer" is achieved.

‍

Practical (Level 2)

3. Practical Exercise

The practical part is designed synchronously with the theoretical part and puts an equal focus on practical exercises that allow the trainees to gain vital understanding on how to achieve work products compliant with ISO 26262:2018. The practical exercise sends the group to create typical work products for a safety related development according to ISO 26262:2018. Within the group, discussions and exchange of experience enhances the learning experience, being supplemented with trainer meetings as part of the practical examination.

4. Practical Examination

The practical exercise is accompanied with the practical examination, where the trainer is providing feedback to the created content with the rigor that will be encountered in functional safety assessments. The respective examination record is shared with the team each sprint and rates the degree of conformity with review questions answered by the trainer. This allows the trainer to provide detailed feedback on the actual competence presented and prepares the team for any upcoming functional safety assessment. Upon successful completion of the theoretical and practical examination, the second certification level, the "Certified Competent Safety Engineer" is achieved.

‍

Training Sprint 1: Safety Management

Introduction to ISO 26262 (ISO 26262:2018−2, Clause 4)
Introduction to functional safety and core aspects for achieving this. The ISO 26262 is introduced and explained, including how to read this standard.

Quality Management Basics (ISO 9000; ISO 9001)
A nutshell summary of quality management that is essential for starting a safety related development. It explains the concept of processes and their aggregation to a complete management system. It briefly turns towards the topics of quality policy and quality objectvies before diving into the achievement of conformity.

Overall Safety Management (ISO 26262:2018−2, Clause 5)
The corporate topics of safety management, that must be addressed before starting a safety development project and continued after the safety development project is concluded. The topics of this module consider the expectations on organizations than are hosting the projects which are developing safety relevant products.

Configuration Management (ISO 26262:2018−8, Clause 7)
Configuration Management is one of the three key supporting processes that keep our documentation clean, available, and unwavering. We discuss technical expectations, the document state model, and baselining.

Documentation Management (ISO 26262:2018−8, Clause 10)
This module explains the definition and handling of the documentation that is the basis for the Safety Case and the Release for Production. It discusses the differences between work products and documents, as well as expected document properties and attributes.

Training Sprint 2: Concept Phase

Requirements Management (ISO 26262:2018−8, Clause 6)
The hierarchical structure of the safety requirements are explained as well as their proper notation. Both expectations on individual requirements as well as the entire set of requirements are explained. This module finishes with a detailed discussion on requirement verification and a short explanation of ASIL tailoring. 

Item Definition (ISO 26262:2018−3, Clause 5)
The item definition is a central specification for all safety-related development in the context of the whole vehicle. It not only defines the scope of the safety lifecycle and is the basis for all development activities, but also serves as the central synchronisation document between this item and the other items of the vehicle.

Hazard Analysis and Risk Assessment (ISO 26262:2018−3, Clause 6)
The Hazard Analysis and Risk Assessment is determining the technical risk emanating from the vehicle in the different operating scenarios and classifies this risk into the ASIL. Based on this ASIL that has been determined for a representative set of operational scearios, the Safety Goals are defined as top-level safety requirements for the item. This module explains this whole evaluation procedure step-by-step.

Functional Safety Concept (ISO 26262:2018−3, Clause 7)
The Functional Safety Concept sets the path for achieving safety for the item at vehicle level. It includes functional degradation, user interactions, and requirement from and to other items.

Verification (ISO 26262:2018−8, Clause 9)
This module covers the generic approach to verification used throughout the safety lifecycle. The three main pillars of verification are introduced: Verification, Testing and Analysis. Their interactions are explained and the generic safety verification process is detailed.

Training Sprint 3: System Development

Technical Safety Concept (ISO 26262:2018−4, Clause 6)
This module addresses the systems level design activities. The iterative nature of the system level and its boundaries are explained, followed by a detailed discussion on the definition of the technical safety concept and its technical safety requirements. The iteration loop of achieving functional safety is explained as well as its exit criteria: the hardware metrics.

Architectural Design (−)
Generic introduction to the concept of architectures that can be applied in any discipline - system, hardware, or software. We discuss the iterative nature of architectural design and discuss what an architectural design process is all about. This modules concludes with the expected verification activities.

System Architectural Design (ISO 26262:2018−4, Clause 6)
System architecture in compliance with ISO 26262. This module covers the system breakdown structure required, the architectural desig process at system level as well as the ASIL allocation methodology. The core architectural concepts are explained using a small example.

Problem and Change Management (ISO 26262:2018−2, Clause 5.4.3; ISO 26262:2018−8, Clause 8)
Problem and Change Management is about keeping track of problems found and changes made during the safety lifecycle. While considered two separate processes, we see them as so interdependent that we cover both in one module.

Training Sprint 4: Hardware Development

Hardware Safety Requirements (ISO 26262:2018−5, Clause 6)
This module details the generic guidance for safety requirements to the hardware safety requirements. We also discuss the role of the technical safety concept in relation to the hardware safety requirements and to the hardware-software interface document. This module finishes with the design phase verification activities and their relationship to the overall verification.

Hardware Architectural Design (ISO 26262:2018−5, Clause 7.4.1)
This module explains where hardware architectural design is located in the overall technical system breakdown structure and how it differs from hardware detailed design. The principles of hardware architectural design and the verification activities of the design phase are discussed in detail.

Hardware Detailed Design (ISO 26262:2018−5, Clauses 7.4.2, 7.4.4, 7.4.5)
This module explains the design of hardware units and what is expected by ISO 26262. Some typical additional safety-related tasks are discussed, as well as the design phase verification activities required for hardware detailed design.

Reusing Components (ISO 26262−2, Clauses 6.4.4, 6.4.6.7)
Avoiding to reinvent the wheel is one of the key approaches to efficiency. The ISO 26262 does not stand in our way, yet, the key concepts for re-using elements in accordance with ISO 26262 must be understood. This module explains the basic reuse flow, the different categories of component sources, as well as the interesting topic of trusting release collaterals.

Sourcing of Hardware Components (ISO 26262:2018−8, Clause 13)
This module focuses on hardware-reuse by sourcing hardware components. Building confidence in those components is essential for their subsequent use in safety-related designs. Firstly, the general procurement process is considered. Component classification is then introduced, leading to various activities such as basic automotive qualification, hardware component evaluation and additional measures. 

Reusing Hardware (ISO 26262:2018−8, Clause 13)
This module provides the hardware-specific guidelines for generic component reuse. It considers the differences between reuse and configurability, and discusses the different levels of abstraction for hardware reuse.

Training Sprint 5: Software Development

General Software Topics (ISO 26262:2018−6, Clause 5)
Before any safety-related software development can begin, the development processes must be in place. This module explains what this means, focusing not so much on the general idea of processes, but on the actual expectations on software development processes. It therefore covers specific expectations on the programming language and programming guidelines. It concludes with the importance of guidelines and how to demonstrate compliance.

Software Safety Requirements (ISO 26262:2018−6, Clause 6)
Based on the generic guidance on safety requirements, this module focuses on the software safety requirements. It explains the different aspects that need to be considered and details on the expected design phase verification activities.

Software Architectural Design (ISO 26262:2018−6, Clause 7)
This module is about understanding the safety perspective during designing a software architecture. The architectural characteristics and their manifestation in the guidelines are discussed before considering the design principles for safety software architectures. Practical topics such as ASIL allocation, smart and risky safety approaches, and  verification of the software architecture during the design phase are also discussed.

Software Unit Design and Implementation (ISO 26262:2018−6, Clause 8)
Both software unit design and software unit implementation are detailed in this module. The expected software properties and the software design principles to be followed are discussed, as well as the mechanisms for applying and verifying compliance. The concept of ""requirement"" is reviewed to highlight the differences between design and implementation and the expectations of the assessors. This module concludes with the discussion of objective metrics for defining the appropriate size of software units.

Reusing Software (ISO 26262:2018−8, Clause 12)
Software reuse is one of the core paradigms in software development. Based on the generic reuse concepts, this module focuses on the different reuse paths available for software. The different black-box or white-box activities that make these concepts work are explained. The concept of software qualification is explained with the complete qualification flow, highlighting the requirements for the qualification specification and qualification documents by ISO 26262.

Reviews (−)
A detailed explanation for one of the three main pillars of verification: the review. It starts with explaining the conduct of a review, then relating the review to the change management. Subsequently, this module covers different review methods that you may come across, deep diving into the review method ""inspection"".

Training Sprint 6: Hardware Verification

Testing (ISO 26262:2018−8, Clause 9)
This module covers the expectations for the tests performed in a safety lifecycle. The testing process is explained in detail with all the expected work products. This is followed by a discussion of the two main categories of testing: functional testing and robustness testing. Finally, some specific test environments are considered.

Hardware Integration and Testing (ISO 26262:2018−5, Clause 10)
This module examines what integration means for hardware design. The different test methods and methods for deriving test cases are explained.

Testing the Hardware (ISO 26262:2018−5, Clause 10)
Based on the generic guidance on verification and testing, this module details the expectations for hardware testing. The various sources of requirements in ISO 26262 are detailed and the requirements for test methods and the methods for deriving test cases are shown.

Fault Classification (ISO 26262:2018−5, Clause 7.4.3.2 and Annex C)
One of the key concepts in functional safety is the forecast of the technical risk. This general module introduces important general considerations regarding faults and failures. It fist discusses the distiction between random and systematic, faults and failures, and soft and hard faults. The core failure concepts of single point faults and latent faults are then discussed in detail. To give a complete picture, the faults are related to the safety mechanisms installed, and how the safety mechanisms affect the classification of a fault.

Safety Analysis (ISO 26262:2018−9, Clause 8)
The concepts explained in this module are core to any safety analysis required for safety related elements. The role of the safety analysis is explained as well as the procedure for conducting this analysis. The different types of safety analyses are discussed and the methods explained before this is illustrated with a small and simple example.

Hardware Safety Analysis (ISO 26262:2018−5, Clause 7.4.3)
This module covers one of the core topics of a safety lifecycle: the evaluation of technical risk within the hardware design. This is done through safety analysis, which is explained in detail and related to the hardware design activities. The analyses produce the rating achieved by the design for the SPFM, LFM, and PMHF. The meaning of these metrics is discussed in detail and visualized in a practical example. This module also briefly covers the EEC concept, which is an alternative to the PMHF.

Training Sprint 7: Software Verification

Software Unit Verification (ISO 26262:2018−6, Clause 9)
This module covers both design phase verification and unit testing as defined in ISO 26262. The different verification activities are shown in the flow from the requirements assigned to the software unit to the software unit executable. The methods for deriving the unit test specification and measuring the structural code coverage of these tests are explained. Finally, some additional considerations for good testing are given.

Software Integration and Testing (ISO 26262:2018−6, Clause 10)
Software integration builds the test object for software integration testing. The scope of this integration is shown and the objectives of software integration testing are explained. The methods for deriving the test cases and the metrics for measuring their completeness are discussed.

Testing of the Embedded Software (ISO 26262:2018−6, Clause 11)
Testing the fully integrated software is the demonstration of compliance with the requirements. This module explains the expected test methods, test environments, and methods for defining test cases. It also loops back to other activities that may produce test cases, ultimately demonstrating completeness in testing.

Software Safety Analysis (ISO 26262:2018−4, Clause 7.4.10)
Beyond the general principles and guidelines for safety analysis, ISO 26262 provides little guidance for software safety analysis. However, this module addresses the core paradigms that will lead to a successful software safety analysis, highlighting which parts within the software breakdown structure should be subject to software safety analysis and which methods could be applied.

Configurable Software (ISO 26262:2018−6, Annex C)
Since software configurability and calibration are essential for its reuse or component-specific adaptation, this module covers the additional requirements that must be met when using software configuration and calibration. First, a distinction is made between configuration and calibration, including a mapping of each to the different phases of the safety software lifecycle. Key safety management aspects of configuration and calibration are discussed before both the configuration and calibration process are explained in detail.

Dependent Failure Analysis (ISO 26262:2018−9, Clauses 6, 7)
This module introduces dependent failures with both common cause and cascading failures. After discussing the various sources of dependent failures, the procedure for dependent failure analysis is explained. Finally, the dependent failure initiators are discussed one by one with some examples.

Training Sprint 8: System Verification

Hardware-Software integration (ISO 26262:2018−4, Clause 7)
A general Introduction to the system integration, followed by the requirements on the first integration step: the hardware-software integration.

System and Item Integration (ISO 26262:2018−4, Clause 7)
The requirements on the intermediate integration steps of a vehicle from the lowest system level up to the item.

Vehicle Integration (ISO 26262:2018−4, Clause 7)
How to integrate and test the integrated item into the vehicle.

Safety Validation (ISO 26262:2018−4, Clause 8)
How to demonstrate that the item is safe when used within the vehicle. The validation is the counter-part of the concept phase on the right leg of the V development cycle.

Reusing Systems (ISO 26262:2018−2, Clauses 6.4.3 and 6.4.4; ISO 26262:2018−8, Clauses 14 through 16)
This module focuses on eth system level reuse, discussing internal reuse and reuse management, followed by considering off-the-shelf reuse that may come with safety evidence from other safety standards.

Training Sprint 9: Production

Production (ISO 26262:2018−7, Clause 5)
This module covers the topics relevant to the production of safety-related components. It includes the requirements for production planning. The production control plan includes the activities to ensure compliance and is supported by the production analysis, typically the process FMEA, which is designed to anticipate the production related risks. The module continues with the synchronization between the development team and the production plant and addresses the issue of ensuring a safe product already during production.

Operation, Service, and Decommissioning (ISO 26262:2018−7, Clause 6)
This module focuses on resolving problems that may occur in the field and how to report them back to the development team. It also briefly discusses actions to ensure safe operation in the field.

Software Tools (ISO 26262:2018−8, Clause 11)
Tools are our small or large helpers that facilitate our engineering work. Whereas they support us systematically, we should be aware of the risk that comes from the level of trust we put into these tools. This module covers how to justify the trust we put into the software tools that are used throughout the safety lifecycle.

Assessment Briefing (−) A brief introduction to the assessment and audit activities for the project team. The core elements of the functional safety assessment are briefly explained, followed by a discussion of the sampling approach used in the assessment. The module concludes with an explanation of what to expect and the do's and don'ts during the interviews and assessment.

Training Sprint 10: Examination

Time to prepare for the exam with practice questions and Q&A with the instructor.

‍