Functional safety, as defined in IEC 61508 and, for automotive systems, in ISO 26262, prescribes the actions to take and the methods to apply in order to develop a safe system. "Safe" does not mean free of faults and bugs: a safe system may contain them, provided it detects malfunctions and takes proper action before any harm is done. Timing is therefore central: before a hazard can occur, the system has to bring itself into a safe state in time, by means of automated mechanisms and with the involvement of the driver.
Precisely defining the safety requirements, including the time spans within which the system has to respond to faults, is mandatory, and it is crucial for project success to evaluate early in the development process whether these requirements are met. We introduce the reader to the timing aspects of functional safety and describe a model-based methodology, supported by a mature tool suite, that helps to design embedded systems with correct dynamic behavior and with robustness against changes and unexpected system states.
During validation the manufacturer has to prove that the combined properties and functions of the system, comprising mechanical, electrical and electronic components controlled by software together with the user, are able to avoid the hazards in time: "absence of unacceptable risk due to hazards caused by malfunctioning behavior of E/E systems", as stated in ISO 26262.
Many functional aspects, such as voltage levels or mechanical robustness, are quite static and can be designed with sufficient safety margins. The dynamic behavior and the reaction times, by contrast, depend strongly on the interactions and interferences among all system components. Predicting them, and ensuring by design that they fulfill the timing requirements, calls for a good specification and a proper design of the dynamic behavior, starting in the early design phases.
Modeling the real-time behavior of embedded systems enables engineers to describe the timing properties and interactions of software and hardware. By simulating and validating the model, the reaction, performance and