Addressing functional safety in automotive human machine interfaces

Kishore Kumar Sukumar, Dr. Martin Oberkönig, Sivaguru Noopuran, Cypress

May 29, 2019


The automotive industry is changing rapidly, and vehicles are becoming more advanced, autonomous, and comfortable. The number of processors, sensors, memories, and other electronic components in today’s automotive applications is increasing, which will ultimately make transportation less dangerous. These automotive subsystems utilize connectivity and self-driving technology to increase driver safety, but can only achieve this if they operate reliably and predictably.

Inside the automotive cabin, human machine interfaces (HMI) are advancing in concert with new capabilities and infotainment systems. Capacitive sensing buttons and touchscreens are common, for example, to play/pause a song or to select an AM/FM channel. They are also increasingly used in safety-critical functions such as engine start/stop buttons and cruise control.

Beyond the automotive industry, there are many application sectors where failure is not an option because it can lead to physical injury and/or property damage. Critical systems in nuclear power plants, some types of industrial machinery, and airplanes are obvious examples. Even everyday appliances such as microwave ovens or washing machines can harm people in case of a malfunction. Systems that have the potential to harm people need mitigation measures, and the goal of any functional safety program is to minimize the risk of physical harm, property damage, and liability.

This article examines the role of functional safety as it pertains to automotive HMI systems, but the concepts are applicable to a broad range of applications and industries. We place more and more of our trust in systems to perform our everyday tasks, and these systems need to earn our trust by delivering on safety and reliability.

Functional safety
Whenever we rely on the correct operation of a system, we need to address its functional safety to minimize the risk to people in case of a malfunction. Two aspects must be addressed to achieve functional safety:

Prevention: A preventive measure avoids, or at least reduces, systematic failures during the development phase of a system. If something is specified, designed, or implemented incorrectly, the system may fail. The higher the development quality, the lower the remaining risk of such a failure.

Detection: The second class of failures are random hardware failures. These happen during the operation of the system, so they are observed only after production and any outgoing quality checks. Sources of random hardware failures include the environment (temperature, pressure, vibration, radiation, pollution) and aging. Such failures can be permanent or transient: a permanent failure can only be fixed by repair or replacement of the device, whereas a transient failure, such as a bit flip in a memory, disappears after some time. Any system can break at some point, and measures are required to detect or control such a failure and prevent the system from endangering people.

Metric                                      ASIL B         ASIL C         ASIL D
Single point fault metric (SPFM)            ≥ 90%          ≥ 97%          ≥ 99%
Latent fault metric (LFM)                   ≥ 60%          ≥ 80%          ≥ 90%
Probabilistic metric for random hardware    < 10^-7 / h    < 10^-7 / h    < 10^-8 / h
failures (PMHF)                             (< 100 FIT)    (< 100 FIT)    (< 10 FIT)

Standards exist for functional safety in different application sectors. These standards provide guidelines and allow the comparison of different systems.

IEC 61508, first released in 1998, is the central standard for electrical, electronic, and programmable electronic safety-related systems (E/E/PE). It can be seen as the parent standard from which sector-specific standards have been derived; each of these gives guidelines on how to address functional safety within a certain application sector.

ISO 26262 is an international functional safety standard specifically designed for the application sector of electrical and/or electronic systems (E/E) within road vehicles. It is intended to be applied to safety-related electrical and electronic systems installed in series-production passenger cars with a maximum gross vehicle mass of up to 3,500 kg. ISO 26262 was first published in 2011, with a second edition in 2018. This is the standard applicable to automotive HMI systems.

“How much safety” is required for a system depends on the automotive safety integrity level (ASIL). This ASIL is determined through a hazard analysis and risk assessment and considers the severity, exposure, and controllability of a hazardous situation.

ISO 26262 recommends three key metrics:

1. Single point fault metric (SPFM): One fault leads directly to the violation of the safety goal. Example: A fault in the injection coil could block the engine directly and could stall the car, causing severe injuries to the driver.

2. Latent fault metric (LFM): Covers multiple-point faults, i.e., a combination of independent faults whose presence is neither detected by a safety mechanism nor perceived by the driver within the multiple-point fault detection interval. Example: Loss of a single low/high beam light would not cause a hazardous situation for the driver, because the working light acts as a safety mechanism that takes over for the failed one. However, if both beams are not working, it could lead to a major accident.

3. Probabilistic metric for random hardware failures (PMHF): Expresses the probability of a hardware failure as a failure rate in failures in time (FIT). One FIT is one failure per billion (10^9) hours of operation.

The table above (Figure 1: ASIL and Residual Risk) shows the ISO 26262 metrics for different classes of ASIL.
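As an added illustration (not code from the article or from Cypress), the calculation below evaluates the three metrics for a constructed failure-rate budget of a safety-related HMI path and checks them against the targets in the table. SPFM and LFM follow the ISO 26262-5 Annex C formulas; the PMHF value is a simplifying assumption that keeps only the single-point/residual-fault term, and all element names, FIT values and coverage figures are invented sample data.

```python
from dataclasses import dataclass

# ISO 26262 targets from the article's table: (SPFM, LFM, PMHF in FIT), strictest first
ASIL_TARGETS = {"D": (0.99, 0.90, 10.0), "C": (0.97, 0.80, 100.0), "B": (0.90, 0.60, 100.0)}


def fit_to_per_hour(fit):
    """One FIT is one failure per 1e9 operating hours, so 100 FIT is 1e-7 / h."""
    return fit * 1e-9


@dataclass
class Element:
    name: str
    fit: float             # base failure rate of the element, in FIT
    safety_related: float  # fraction of its faults that can violate the safety goal
    dc_residual: float     # diagnostic coverage against single-point/residual faults
    dc_latent: float       # coverage of the check that reveals latent (multiple-point) faults


def metrics(elements):
    """Return (SPFM, LFM, PMHF in FIT) using the ISO 26262-5 Annex C formulas."""
    total = sum(e.fit for e in elements)      # sum of all lambda
    spf_rf = 0.0                              # single-point + residual faults
    latent = 0.0                              # latent multiple-point faults
    for e in elements:
        sr = e.fit * e.safety_related         # faults that can reach the safety goal
        rf = sr * (1.0 - e.dc_residual)       # the share the safety mechanism misses
        spf_rf += rf
        # Covered faults that stay unnoticed until a second fault joins them
        latent += (sr - rf) * (1.0 - e.dc_latent)
    spfm = 1.0 - spf_rf / total
    lfm = 1.0 - latent / (total - spf_rf)
    pmhf_fit = spf_rf  # simplified assumption: the dual-point fault term is omitted
    return spfm, lfm, pmhf_fit


def highest_asil_met(spfm, lfm, pmhf_fit):
    """Strictest ASIL whose three targets are all met, or None."""
    for asil, (t_spfm, t_lfm, t_pmhf) in ASIL_TARGETS.items():
        if spfm >= t_spfm and lfm >= t_lfm and pmhf_fit < t_pmhf:
            return asil
    return None


# Constructed failure-rate budget for a capacitive engine start/stop button path
SAMPLE = [
    Element("MCU core (lockstep + self-test)", 50.0, 1.0, 0.99, 0.90),
    Element("SRAM (ECC)", 20.0, 1.0, 0.99, 0.90),
    Element("sensor line (plausibility check)", 10.0, 0.5, 0.90, 0.60),
    Element("supply monitor", 5.0, 1.0, 0.60, 0.50),
]
```

Calling `highest_asil_met(*metrics(SAMPLE))` yields ASIL B for this budget; raising the supply monitor's residual-fault coverage to 99% lifts the SPFM above 97% and the design reaches the ASIL C targets, which shows how one weakly covered element can cap the whole path.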


Continue reading page two of this article, originally published on our sister site, EE Times: "Functional Safety for Automotive HMI Systems."
