RAISING THE LIMIT:
THE DESIGN OR
THE DESIGNER?
Stephen Norton
Global Competence Center Functional Safety
SGS-TÜV Saar
© 2011 SGS-TÜV GmbH – All rights reserved 2 www.sgs-tuv-saar.com/fs
AGENDA
1. 12 month Review of Safety
2. The disconnect between the Designer
and the Operator
3. Improving Safety Culture
4. Conclusions – The future
Functional Safety - Raising the Limit: The Design or the Designer?
AGENDA
1. 12 month Review of Safety
Airline Industry
• Tu-154 power loss
• Crash Recorder Data from AF447
Automotive Industry
• NASA engineers found no electronic flaws
• Recalls: ECU software & Cruise Control
Rail Industry
• Shanghai Subway Crash September 2011
2. The disconnect between the Designer
and the Operator
3. Improving Safety Culture
4. Conclusions – The future
TU-154 POWER LOSS
Tu-154 crew battled power loss after
switching off fuel pump
Fuel-flow fluctuations in all 3 engines
Flame-out in engines 1 & 3
The crew did not identify the mistake
Thrust was not restored in engines 1 & 3
Emergency landing overrun led to break-up
2 fatalities and 78 injured
Similar errors have occurred in the past
Is the design robust to human failure?
What can we learn from this incident?
Sources: aviation-safety.net/database/record.php?id=20101204-0
Source: © Pavel Adzhigildaev www.airliners.net/photo/South-East-Airlines/Tupolev-Tu-154M/1644319/L/
AF447 CRASH: A330-203
Aircraft F-GZCP crashed 1st June 2009
228 killed
Wreckage found 3rd April 2011
Data from Flight recorders 15th May 2011
The crew did not identify the stall
Pitch-down inputs led to stall-warning
On pitch-up input, stall-warning stopped
Angle of Attack (when valid) > 35°
After 4 minutes the aircraft hit the ocean
Groundspeed 107kt
Vertical Speed -10912 ft/min
Source: www.bea.aero/docspa/2009/f-cp090601e3.en/pdf/f-cp090601e3.en.pdf
Source: © Pawel Kierzkowski http://en.wikipedia.org/wiki/File:PKIERZKOWSKI_070328_FGZCP_CDG.jpg
NASA FOUND NO ELECTRONIC FLAWS
NASA Engineering and Safety Center
Technical Assessment Report
“…the testing and analysis described in this
report did NOT find that […] electronics are
a likely cause of the large throttle openings
as described…”
Functional Safety focus on E/E systems
Mechanical failures not considered
Driver error not considered
Source: www.nhtsa.gov
RECOMMENDATIONS BY NHTSA
Propose rules to
require brake override systems
standardize operation of keyless ignition
systems
require the installation of event data
recorders in all passenger vehicles
Begin broad research on the reliability and
security of electronic control systems
Research the placement and design of
accelerator and brake pedals, as well as
driver usage of pedals, to determine
whether design and placement can be
improved to reduce pedal misapplication
Source: www.nhtsa.gov
RECALL: ECU SOFTWARE
Engine ECU could cause unexpected
vehicle movement
engine stall while the brake pedal is not
pressed
engine control unit (ECU) software may
cause the electric motor of the hybrid
system to move the vehicle unexpectedly in
the OPPOSITE direction of the selected
gear
Source: www-odi.nhtsa.dot.gov/recalls/recallsearch.cfm
RECALL: CRUISE CONTROL
Cruise Control cannot be disengaged
Jaguar X-type
> 17000 vehicles affected
Diesel engines from 2006-2010
Software code error
Engine must be switched off to cancel!
Cruise Control not deactivated by pressing
brake pedal
Brake switch failure – MB Australia
Detection of brake pedal – Spartan USA
SHANGHAI SUBWAY CRASH
September 2011
Maintenance works on the line
Signalling system lost power
Trains continued to be operated
Directed by telephone
Signaller made a mistake
One train was directed into another
Hundreds injured
Fail-Safe?
Source: © Baycrest – License CC-BY-SA-2.5 en.wikipedia.org/wiki/
File:Shanghai_metro_line_2_people%27s_square_station.jpg
AGENDA
1. 12 month Review of Safety
2. The disconnect between the Designer
and the Operator
Sao Paulo A320 Crash:
7 seconds between life and death
How do we change ourselves?
3. Improving Safety Culture
4. Conclusions – The future
SAO PAULO A320 CRASH
Aircraft PR-MBK crashed 17th July 2007
187 onboard and 12 on the ground killed
7 seconds between life and death
Time from touch-down to inevitable crash
Spoilers did not deploy
No reverse thrust
No “auto-brake” wheel braking
Pilots focused on loss of braking
Did not initiate a go-around
Could not stop the aircraft
The reason:
Incorrect position of one of the throttles
Source: © Luis Argerich de.wikipedia.org/wiki/Datei:TAM_Airbus_A320.jpg
Source: www.cenipa.aer.mil.br/cenipa/paginas/relatorios/pdf/3054ing.pdf
SAO PAULO A320 CRASH
Operator Error - Old View:
Operator error is cause of incidents
Increase automation
Create more rules and procedures
Operator Error - Nancy Leveson:
“To do something about error, must look at
system in which people work or operate
machines:
– Design of equipment
– Usefulness of procedures
– Existence of goal conflicts and production
pressures”
Source: “A Systems Approach to Safety Engineering”, Nancy G. Leveson
Source: © Luis Argerich de.wikipedia.org/wiki/Datei:TAM_Airbus_A320.jpg
OPERATOR ERROR - MY VIEW
Automation has contributed to a massive
improvement in flight safety
Automation is now past the “human” limit
Accidents caused by pilot error due to
“misunderstanding” the automation are
increasing
Design environment at Tier N suppliers
The electronic engineer analyses hardware
and system failures relative to the
specification
Supplier considers what pilot “should” do
The designer has no feel for what pilots
intuitively or actually do in emergencies
Source: www.cenipa.aer.mil.br/cenipa/paginas/relatorios/pdf/3054ing.pdf
Source: © Airbus www.airbus.com/galleries/photo-gallery/
TRENDS IN MODERN COCKPIT DESIGN
FAA recognises automation issues
Human Factors Team
The Interfaces Between Flightcrews and
Modern Flight Deck Systems
How many Engineers at Suppliers have
studied Human Factors?
How many Engineers at Suppliers have
studied Cockpit Design?
How many Engineers at Suppliers have
actually talked to a real pilot about their
work?
Source: © Airbus www.airbus.com/galleries/photo-gallery/
Source: www.flightdeckautomation.com/fdai.aspx
HOW DO WE CHANGE OURSELVES?
Feedback after production
Engineering teams at suppliers disbanded
Disconnect between operational
experience and product design
Example: Tailstrike protection
Engineer assumption is low usage:
– low probability of failure during take-off
– pilot controls aircraft to avoid tailstrike
Pilot training for certain runways:
– always pull-back stick to limit
– rely on tailstrike-protection for every take-off
Latent System failure will always lead to
tail-strike
– Severity increased by pilot reliance on
automation
Source: © Airbus www.airbus.com/galleries/photo-gallery/
CAN WE EXPLAIN OURSELVES?
Can you explain your job to your children?
Can you explain a (client) system to
someone unrelated?
In what level of complexity?
Communication Theory
Important is what is received,
not what is sent
Understanding complex systems
Important is what knowledge can be
applied under stress conditions,
not what is provided in the classroom
WHO ARE THE STAKEHOLDERS?
Operator
Driver, Pilot, Co-pilot, (Flight Engineer)
Passengers
Company / airline
Operations / Training / Maintenance
Sales / Marketing / Management
Aircraft / car / train manufacturer (OEM)
Sales / Marketing / Management
Design / Engineering
Suppliers (Tier 1 … Tier N)
Sales / Marketing / Management
Design / Engineering
DIFFERENCE BETWEEN SALES /
ENGINEERS, OEM AND SUPPLIERS
Who talks to the Customer (Airline)?
The OEM Sales Team
Who talks to the Pilots?
The Trainers (Airline)
OEM
Who talks to the Engineers?
AGENDA
1. 12 month Review of Safety
2. The disconnect between the Designer
and the Operator
3. Improving Safety Culture
Example: Automotive Standard ISO 26262
Challenging previous business practices
Demonstration of Competence
Improving the Safety Culture along the supply
chain
The impact of legal practice relating to product
liability
Lessons-Learned: Liability Risk
Working across International boundaries
The consequences of Non-Disclosure-Agreements
4. Conclusions – The future
NEW AUTOMOTIVE STANDARD:
ISO 26262
Safety-relevant systems
one or several E/E systems
production passenger cars (up to 3,500kg)
excluding vehicles for disabled persons
Deals with possible risks
emanating from the malfunction of E/E
systems
caused by the respective E/E system itself
Commercial vehicles and motorcycles
have not (yet) been included in the scope
but have not been explicitly excluded
either
CHALLENGING PREVIOUS BUSINESS
PRACTICES
ISO 26262 is
an automotive industry application standard
based on IEC 61508
applicable world-wide
affects all OEMs and Suppliers
the new “state-of-the-art”
ISO 26262 requires
demonstration of competence
new organisational structures to manage
functional safety (independence)
Development Interface Agreements (DIA)
Functional Safety Assessment to verify that
products are “functionally safe”
DEMONSTRATION OF COMPETENCE
Suppliers have to demonstrate their
competence to the OEMs
OEMs have to formally confirm the
competence of the Suppliers
Suppliers have to formally confirm the
competence of Sub-Suppliers
Competence is to be assured in
accordance with the corresponding
responsibility
Training, education
Qualification programmes are
recommended
IMPROVING THE SAFETY CULTURE
ALONG THE SUPPLY CHAIN
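Abstraction level: Vehicle
Development phase: Concept (part 3)
Information flow:
• Safety objectives
• ASIL
• Funct. safety concept
• Funct. safety requirements
Typically responsible: OEM
Abstraction level: E/E total system
Development phase: System (part 4)
Information flow:
• Techn. safety concept
• Techn. safety requirements
Typically responsible: OEM or Tier 1
Abstraction level: E/E sub-system
Development phase: System (part 4)
Information flow:
• Techn. safety concept
• Techn. safety requirements
Typically responsible: Tier 1 or Tier 2..n
Abstraction level: HW
Development phase: Hardware (part 5)
Information flow:
• HW design
• HW safety requirements
Typically responsible: HW supplier (complex function, e.g. µC or ECU)
Abstraction level: SW
Development phase: Software (part 6)
Information flow:
• SW design
• SW safety requirements
Typically responsible: SW supplier (application)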
CREATING THE COMPANY SAFETY
CULTURE
Functional safety as a company objective
Company-specific policies and processes
Introduction of a generic safety process
Process descriptions for safety
management and development activities
Introduction of a safety management
organisational structure
Safety managers and their task profiles
Authority of safety managers (veto rights!)
Resource management
Continuous Improvement Process
Escalation process for Functional Safety
Reference: ISO 26262-2, §5.4.2
CREATING THE COMPANY SAFETY
CULTURE
Poor examples
Accountability is not
traceable
Cost and schedule
always take precedence
over safety and quality
Passive attitude towards
safety
Heavy dependence on
testing at the end of the
product development
cycle
Management reacts only
when there is a problem
in the field
Good examples
The process assures that
accountability for
decisions related to
functional safety is
traceable
Safety is the highest
priority
Proactive attitude
towards safety
Safety and quality issues
are discovered and
resolved from the earliest
stage in the product
lifecycle
Source: ISO 26262-2, Annex B
THE IMPACT OF LEGAL PRACTICE
RELATING TO PRODUCT LIABILITY
ISO 26262 is applicable as of the date of
its publication, particularly since ISO
standards do not provide for an explicit
transition period
Therefore, implementation is required as
of 2011, meaning that all products put
into circulation as of this point in time
must implement ISO 26262!
It is not enough to only start implementing
ISO 26262 as of the date of its publication
LESSONS-LEARNED:
LIABILITY RISK
What is the position of European OEMs?
Some OEMs have been trying to keep the
assessments in-house
Some OEMs have already started requiring
suppliers to have assessments performed
by an ISO/IEC 17025 accredited body
What is the conclusion by legal experts?
With respect to the obligation of exercising
due care, the performance of the
“Assessment of Functional Safety“
portion of the product validation by testing
bodies accredited for this purpose
according to ISO/IEC 17025 (or ISO/IEC
17020) is to be regarded as the [current]
state of the art in science & technology
WORKING ACROSS INTERNATIONAL
BOUNDARIES
International Supply Chain
Demonstration of competence
Proof of compliance
How can you be sure?
Assessment
Self-Assessment by Supplier?
Fly-in Assessment by OEM?
Independent Assessment?
– Local assessment reduces cost
– Accredited bodies
– Dealing with different interpretations
THE CONSEQUENCES OF
NON-DISCLOSURE-AGREEMENTS
OEMs do not disclose fully to Suppliers
Suppliers only admit as much as they
absolutely must to their customers
Typical Example:
OEM selects Tier 1 for valve actuation
Tier 1 is already preferred supplier
Tier 1 experience is mechanical systems
New requirement – “SMART” actuator
Tier 1 sub-contracts electronics to Tier 2
– Tier 2 contractually cannot talk to OEM
– Electronics Interface (HW & SW) is
OEM Tier 2
Development Interface Agreement needed
AGENDA
1. 12 month Review of Safety
2. The disconnect between the Designer
and the Operator
3. Improving Safety Culture
4. Conclusions – The future
AF447 inquiry recommends use of cockpit
image recorders
The role of professional institutions and
accreditation bodies
Better Communication is necessary
AF447 INQUIRY RECOMMENDS USE OF
COCKPIT IMAGE RECORDERS
BEA recommends
that ICAO require that aircraft undertaking
public transport flights with passengers be
equipped with an image recorder that
makes it possible to observe the whole of
the instrument panel
that at the same time, ICAO establish very
strict rules for the readout of such
recordings in order to guarantee the
confidentiality of the recordings.
Source: © Airbus www.airbus.com/galleries/photo-gallery/
Source: www.bea.aero/docspa/2009/f-cp090601e3.en/pdf/f-cp090601e3.en.pdf
THE ROLE OF PROFESSIONAL
INSTITUTIONS & ACCREDITATION
BODIES
What happens to the Engineer after
University?
Engineers can obtain professional
qualifications such as “Chartered
Engineer”
Each country has a different solution
Value of qualification is not promoted
Most qualifications are valid for life
Project Managers can get qualified
Project Management Institute (PMI)
Safety Managers can get qualified
Industry Functional Safety Expert
BETTER COMMUNICATION IS
NECESSARY
Communication is 2-way
We need to get design understanding from
Engineers to the end user (pilot, driver)
We need timely feedback from the end user
to reach the responsible Engineers
Communication is multi-layered
We need to respect NDAs and promote
Development Interface Agreements
Develop a safety culture throughout the
supply chain
What counts is what is received, not what
was transmitted
Safety is multi-disciplinary and requires
active participation by ALL stakeholders
TOP 10 TIPS
1. Contact certification company during
development to be aware of requirements
– no nasty surprises!
2. Perform a GAP-Analysis to prioritise the
implementation of functional safety – you
can’t do it all at once
3. Train your engineers to ensure their
competence in the functional safety
requirements
4. Be aware of your legal responsibilities
5. Introduce safety analysis as natural part
of your development
TOP 10 TIPS
6. Optimise communication, especially with
suppliers / OEMs
7. Specify the functional safety
requirements for your suppliers
8. Update your documentation during and
not only at the end of development
9. Processes you have documented, should
be applied
10. Use feasible tools, adequate methods
and techniques
Thank you for your attention!
YOUR PARTNER FOR FUNCTIONAL
SAFETY
SGS-TÜV Saar
Global Competence Center
Functional Safety
Hofmannstrasse 50
D-81379 Muenchen
Germany
www.sgs-tuv-saar.com/fs
Stephen Norton
Head of Automotive & Aerospace Division
E-mail: [email protected]
Telephone: +49 89 787 475 -280
Mobile: +49 152 0922 0522
Fax: +49 89 787 475 -217
Additional Information regarding our Services
HOW ARE WE HELPING
SGS-TÜV Saar experts have very many
years of experience in Functional Safety
Co-initiator of the ISO 26262 standard
Active in standardisation committees
Respected voice in the Industry
We are providing
Consulting on Functional Safety
ISO 26262 Roll-out
Review of processes, tools, templates
Guidance in creation of “work products”
Training and personal qualification
Assessments, audits and certification
according to ISO 26262
OUR SERVICES (1)
AEROSPACE
Training / Personal
qualification
Consulting
Analytics
Testing / Certification
OUR SERVICES (2)
Generic or basic training
Standards including
– ISO 26262, IEC 61508
– SAE ARP4761
– RTCA/DO-254
– RTCA/DO-178C, RTCA/DO-278
– RTCA/DO-160F
– EUROCAE ED-125
Risk analysis
System design and analysis
FMEDA / FTA
Safety relevant Software
Individual training courses
Tailored to company-specific content
OUR SERVICES (3)
Professional Qualification
Automotive Functional Safety Professional
Industry Functional Safety Professional
5-day training and exam
Competence confirmed by SGS-TÜV Seal
Expert Qualification
Automotive Functional Safety Expert
Industry Functional Safety Expert
Audit by SGS-TÜV Examining board
OUR SERVICES (4)
Functional Safety Management (FSM)
Expert monitoring of customer projects
Functional Safety Management
Assessments
Creation of Safety Cases
Support as Safety Manager
Preparation of documentation concepts
Moderation of Hazard Analysis and Risk
Assessment
Interface management between OEM and
supplier
OUR SERVICES (5)
Functional Safety Analytics
Hazard analysis and risk assessments
FMEA & FMEDA
FTA
Markov Analysis
Functional Safety of Software
Control system assessments
Assessment of software
Tool qualification
OUR SERVICES (6)
Testing
Evaluation of systems
Risk analysis (ASIL / SIL / PL / DAL)
Review of specifications and requirements
Concept and design analysis
Verification and validation
Auditing and certification of safety
processes
Functional Safety Assessments and Audits
Certification of components and systems
YOUR INTERNATIONAL CONTACTS
Germany (Headquarters)
SGS-TÜV GmbH
Functional Safety
Hofmannstrasse 50
D-81379 Munich
Phone +49 98 787475-270
www.sgs-tuv-saar.com/fs
Gr. China
SGS Taiwan Ltd.
134, Wu Kung Road, Wu Ku Industrial Zone
New Taipei City
24866 Taipei
Phone + 886 2 2299 3279 3660
Japan
SGS Japan Inc.
2-2-1, Minatomirai, Nishi-ku
The Landmark Tower Yokohama 38F
220-8138 Yokohama
Phone +81 45 330 5040
Korea
SGS Korea Co., Ltd.
398-1, Gomae-dong,
Giheung-gu, Yongin-si
Gyeonggi-do, 446-901
Phone + 82 31 240-6611