Contents

Series Editor's Foreword  ix
Preface  xi
Abbreviations  xv

1 Safety Expectations for Consumers, OEMs, and Tier 1 Suppliers  1
    Trustworthiness  1
    Consumer Expectations  3
    OEM Expectations  4
    Supplier Expectations  6

2 Safety Organizations  11
    The Need for a System Safety Organization  11
    Functions of a Safety Organization  12
    Critical Criteria for Organizational Success  13
        Talent to Perform the Safety Tasks  14
        Integral to Product Engineering  14
        Career Path for Safety Personnel  15
        Safety Process Owned by Program Management  15
        Executive Review  16
    Pillars of a Safety Process  18
    Alternatives, Advantages, and Disadvantages  26

3 System Safety vs. Functional Safety in Automotive Applications  41
    Safety Terminology  41
    Functional Safety Standards vs. System Safety  42
        Background  42
        Application of Functional Safety Standards  42
    Safety of the Intended Function (e.g. SOTIF, ISO PAS 21448)  44
    Triggering Event Analyses  45
        Background  45
        Systematic Analyses  46
    Validation  49
        Validation Targets  49
        Requirements Verification  50
        Release for Production  53
    Integration of SOTIF and Functional Safety and Other Considerations  55
        Background  55
        Analyses and Verification  57
        Validation  58

4 Safety Audits and Assessments  61
    Background  61
    Audits  61
        Audit Format  63
        Use of External Auditors  65
    Assessments  67
        System Safety Assessment  67
        Work Product Assessment  67

5 Safety Culture  71
    Background  71
    Characteristics of a Safety Culture  71
        Central Safety Organization  72
        Safety Managers  74
        Joint Development  75
        Enterprise Leadership  75
        Liability  75
        Customers  77
    Safety Culture vs. Organization  77

6 Safety Lifecycle  79
    Background  79
    Concept Phase Safety  80
        Preliminary Hazard Analysis  80
        Preliminary Architecture  81
        Requirements  83
    Design Phase Safety  84
        Design-Level Safety Requirements  84
        Verification  86
    Manufacturing Phase Safety  86
    Safety in Use  87
    Safety in Maintenance  88
    Safety in Disposal  90

7 Determining Risk in Automotive Applications  91
    Analyze What the Actuator Can Do  91
    Analyze Communication Sent and Received  93
    Determine Potential for Harm in Different Situations and Quantify  94
        Exposure  95
        Priority  96
    Consider Fire, Smoke, and Toxicity  97

8 Risk Reduction for Automotive Applications  99
    History  99
    Analysis of Architecture  99
        System Interfaces  100
        Internal Interfaces  101
    Requirements Elicitation and Management  102
        Three Sources of Requirements  102
        Cascading Requirements  104
        Conflicts with Cybersecurity  105
    Determination of Timing Risks in an Automotive Application  106
        Milestones  106
        Samples  107
        Program Management  108
    Design and Verification  109
        Sample Evaluation  109
        Verification  111

9 Other Discussion and Disclaimer  113
    Background  113
    Three Causes of Automotive Safety Recalls - Never "Random" Failures  114
        Failure Rates  114
        Recalls Due to Random Hardware Failures  115
        Causes of Recalls  116
        Completeness of Requirements  117
        Timing Risk  118
    "But It's Not in the 'Standard'"  118
    Competing Priorities  119
    Audits and Assessments  120
    Disclaimer and Motivation for Continuous Improvement  121
        Policy Statement  122
        Governance  122
        Metrics  123
        Process Documentation  124
        Tiered Metric Reporting  125
        Use of Metrics  126

10 Summary and Conclusions  131
    Background  131
    System Safety is More than Functional Safety  131
    Safety Requirements  132
    Safety Process  133
    Five Criteria for a Successful Safety Organization are Key  134
    Auditing and the Use of Metrics  135
        Auditing  135
        Metrics  135
    Future Considerations for SOTIF  137
        Machine Learning  138

Appendix A IEC 61508 Compared to Typical Automotive Practices  139
Appendix B ISO 26262 - Notes on Automotive Implementation  167
References  215
Index  217
JOSEPH D. MILLER of J. D. Miller Consulting, Inc., USA, was Chief Engineer of System Safety at TRW Automotive, where he established and directed the company's system safety process worldwide. He led the US Technical Advisory Group (USTAG) for Functional Safety (ISO 26262) for 12 years and served as an ISO expert voting the US position. He also led the US delegation for the Safety of the Intended Function (SOTIF) standard, ISO PAS 21448.