HARDWARE MONITORING CONCEPT LEVEL 3

Agenda Overview
1 Overview: 3-Level Concept
2 MoCADC: Analog Digital Converter Monitoring
3 Overview: µC1 Safety Features
4 MoCSCC: Safety Feature Configuration Check
5 MoCPC: Peripheral Core Monitoring
6 MoCEMM: Errorpin Handler
7 MoXEMM: Diagnosis Function for EMM Module
8 MoCGTM: Generic Timer Module Monitoring
9 MoCPFC: Program Flow Check
10 MoCMem: Cyclic Memory Test
11 MoCSOP: Shut Off Path Test
12 MoCCom: Query/Response Communication
13 OCWDA: Operation Conditions WDA/ABE Shut Off

Internal | DGS-EC/ESS1-Vogel | 18/01/2019 | ESS 2019_SAF_003 | © Robert Bosch GmbH 2017. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Overview: 3-Level Concept

Overview: 3-Level Concept (block diagram)
Figure content: Level 1 takes the input signals, runs the driving functions and enables the power stages. Level 2 runs on the Lockstep Core (LC): functional monitoring and program flow check. Level 3 (LC): memory test of Level 2 and 3, check of the hardware configuration regarding safety, check of additional HW modules. µC hardware including the monitoring module: query/response with the monitoring module, PFC link, HW memory test (ECC), Error Management Module (EMM), CAN and FlexRay, Errorpin and Enable lines to the power stages.

Overview: 3-Level Concept
Level 1: Properties and Description
• All engine control functions
• Component diagnosis
  - Pedal-travel sensors
  - Throttle-position sensors, throttle actuator
  - Air-mass sensor
  - Cruise-control operating lever, brake signals
  - Vehicle-speed sensor, engine-speed sensor
  - CAN input signals
  - …
• Limp-home functions in case of component failure

Overview: 3-Level Concept
Level 2: Properties and Description
Modules with individual RAM and ROM sections, tested by a program flow check
• Separate path for recognition of the driver demand
• Actual engine torque calculated from actual engine state quantities
• Continuous plausibility check of the driver's demand against the actual engine torque
• Separate disabling path by activation of the Errorpin
All Level 2 modules contribute to the query/response communication

Overview: 3-Level Concept
Level 3: Properties and Description
Aim of HW monitoring (HW safety features and Level 3 SW):
• Provide a safe execution platform for the Level 2 monitoring functions.
• Self test of the function controller
  - ADC monitoring
  - Instruction test by Lockstep Core
  - Safety mechanisms of µC1 and Error Management Module (EMM), e.g. error correction code (ECC)
  - Check of µC configurations regarding safety relevance
  - Check of the Generic Timer Module (GTM)
  - Program flow check of Level 2 (and parts of Level 3)
  - Cyclical RAM and ROM checks
  - Test of the shut-off paths from function controller and monitoring module
• Monitoring module
  - Is used as the external watchdog for the function controller
  - Random query/response communication
  - Separate disabling path (WDA)
• Continuous and mutual test of function controller and monitoring module (timing and computation data), based on the query/response communication of the function controller and the monitoring module

Overview: 3-Level Concept
Example for a Level 3 Monitoring Package in SDOM (figure)

MoCADC: Analog Digital Converter Monitoring

MoCADC: Analog Digital Converter Monitoring
ADC Monitoring with "Null Load Test Pulse" (NTP) method, joined with test voltage check
Principle circuit diagram (figure: CY32x monitoring module with G1_5V, G2_3/5V, G3_3/5V supplies; VDD5 and VDD3; APP1, APP2 and APM sensors with Uin1/Uin2 in the 0..5 V range on channels AN03..AN07; voltage divider delivering the test voltage from Uref; 5 V ADC in µC1)
Hardware requirements for the standard NTP application:
• No external ADC for plausibility checks available
• Sensors supplied by 5 V
• ADC with 5 V reference voltage
• ADC channel with force-low for NTP
• Voltage divider and APP1, APP2 connected
• Practical for active and passive analog sensors

MoCADC: Analog Digital Converter Monitoring
ADC alive check by "Null Load Test Pulse" (NTP)
NTP check:
• The APP2 signal is pulled down cyclically every 320 ms
• An internal µC port switch is used for generating the NTP
• The ADC converts the value during the active test pulse
• Repetition of the check every 20 ms in case of error
• Error reaction: Injection Cut Off (ICO)
=> Detection of errors with lost updates of ADC values, and of offset errors

MoCADC: Analog Digital Converter Monitoring
Test voltage check
• Conversion of a defined fixed voltage, generated by a voltage divider at Uref
• Failure detection in case of a deviation greater than the tolerance range
• Executed cyclically in the 10 ms task
• Failure reaction: Injection Cut Off (ICO)
=> Detection of ADC offset and amplifier errors
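The two ADC checks above (NTP pulse and test voltage), as an added example that is not Bosch code: a constructed ADC model is exercised by the pulse scheduler with the slide's 320 ms period and 20 ms retry, and by the test-voltage window check. ADC resolution, the thresholds and the retry limit before ICO are assumptions.

```c
/* Added example (not Bosch code): the NTP and test-voltage checks from the
 * MoCADC slides, run against a constructed ADC model. ADC resolution,
 * thresholds and the retry limit are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ADC_FULL_SCALE   4095U   /* assumed 12-bit converter, 5 V reference */
#define ADC_VREF_MV      5000U

#define NTP_PERIOD_MS    320U    /* APP2 pulled low every 320 ms (slide) */
#define NTP_RETRY_MS      20U    /* repeat every 20 ms after an error (slide) */
#define TASK_PERIOD_MS    10U    /* test-voltage check runs in the 10 ms task (slide) */

#define NTP_MAX_RAW       40U    /* ~50 mV: forced-low line must read near zero (assumed) */
#define NTP_MAX_ERRORS     3U    /* consecutive failed pulses before ICO (assumed) */
#define TV_EXPECT_MV    2500U    /* divider at Uref assumed 1:1 -> 2.5 V */
#define TV_TOL_MV        100U    /* tolerance band (assumed) */

typedef enum { REACTION_NONE = 0, REACTION_ICO = 1 } reaction_t;

typedef struct {
    uint32_t   next_due_ms;  /* when the next pulse is scheduled */
    uint8_t    error_count;  /* consecutive failed pulses */
    reaction_t reaction;     /* latched error reaction */
} ntp_state_t;

/* Raw counts -> millivolts, rounded to nearest */
uint32_t adc_raw_to_mv(uint16_t raw)
{
    return ((uint32_t)raw * ADC_VREF_MV + ADC_FULL_SCALE / 2U) / ADC_FULL_SCALE;
}

/* NTP: the conversion taken while the port switch forces APP2 low must be ~0.
 * A stale (not updated) or offset-shifted value fails here. */
bool ntp_pulse_ok(uint16_t app2_raw_during_pulse)
{
    return app2_raw_during_pulse <= NTP_MAX_RAW;
}

/* Test voltage: the fixed divider voltage must lie inside expected +/- tolerance.
 * Catches offset and amplifier (gain) errors. */
bool testvoltage_ok(uint16_t testv_raw)
{
    uint32_t mv = adc_raw_to_mv(testv_raw);
    return mv + TV_TOL_MV >= TV_EXPECT_MV && mv <= TV_EXPECT_MV + TV_TOL_MV;
}

/* One scheduler step, called from the 10 ms task. Only acts when a pulse is due;
 * on failure the next pulse is moved 20 ms ahead instead of 320 ms. */
reaction_t ntp_step(ntp_state_t *s, uint32_t now_ms, uint16_t app2_raw_during_pulse)
{
    if ((int32_t)(now_ms - s->next_due_ms) < 0 || s->reaction != REACTION_NONE)
        return s->reaction;
    if (ntp_pulse_ok(app2_raw_during_pulse)) {
        s->error_count = 0U;
        s->next_due_ms = now_ms + NTP_PERIOD_MS;
    } else {
        s->error_count++;
        s->next_due_ms = now_ms + NTP_RETRY_MS;
        if (s->error_count >= NTP_MAX_ERRORS)
            s->reaction = REACTION_ICO;
    }
    return s->reaction;
}

/* Constructed ADC model: a healthy converter sees the forced-low line, a
 * "stuck" one keeps returning the last pedal value (lost update). */
static uint16_t sim_app2_during_pulse(bool adc_stuck, uint16_t pedal_raw)
{
    return adc_stuck ? pedal_raw : 0U;
}

/* Run one second of 10 ms task cycles; returns the latched reaction. */
reaction_t run_ntp_scenario(bool adc_stuck)
{
    ntp_state_t s = { 0U, 0U, REACTION_NONE };
    reaction_t r = REACTION_NONE;
    for (uint32_t t = 0U; t < 1000U && r == REACTION_NONE; t += TASK_PERIOD_MS)
        r = ntp_step(&s, t, sim_app2_during_pulse(adc_stuck, 1800U)); /* pedal ~2.2 V */
    return r;
}

int main(void)
{
    printf("healthy ADC: %s\n", run_ntp_scenario(false) == REACTION_ICO ? "ICO" : "ok");
    printf("stuck ADC:   %s\n", run_ntp_scenario(true)  == REACTION_ICO ? "ICO" : "ok");
    printf("test voltage at 2048 counts: %s\n", testvoltage_ok(2048U) ? "ok" : "fault");
    printf("test voltage at 1600 counts: %s\n", testvoltage_ok(1600U) ? "ok" : "fault");
    return 0;
}
```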

Overview: µC1 Safety Concept

Overview: µC1 Safety Features
Error Pin Concept
The Error Pin is set to low by the Error Management Module (EMM) of the µC in case of a severe fault
• Error signaling to the world outside the µC
• Configurable which error events lead to an Errorpin event
• Very fast shut-off path
(figure: µC Errorpin to the power stages, e.g. injection)

Overview: µC1 Safety Features
Error Management Module EMM (1/3)
Central module for error signal collection (HW/SW)
Configurable reaction for each error signal:
• (1) Errorpin activation
• (2) Interrupt
• (3) Non-maskable interrupt (NMI)
• (4) Reset
Moreover, the activation of the Errorpin (1) is combinable with the fault reactions (2), (3) and (4)

Overview: µC1 Safety Features
Error Management Module EMM (2/3) (figure)

Overview: µC1 Safety Features
Detection of instruction failures
• Standard method via dual-core lockstep mode and comparator
• New in MDG1, replaces the MEDC17 instruction test
• Measures against common cause failures:
  - the checker core is delayed two cycles relative to the master core
  - master and checker core are on different lakes of silicon
  - the lockstep comparator is checked
• Failure of the comparator or of the comparison is defined as an input for the error management module (EMM)
=> Error reaction: Errorpin activation


MoCCom: Query/Response Communication

MoCCom: Query/Response Communication
Query/Response Communication (CY32x) (figure)

MoCCom: Query/Response Communication
MM error counter resulting from the CY327 plausibility check (figure)


MoCSCC: Safety Feature Configuration Check

MoCSCC: Safety Feature Configuration Check
Motivation
For all relevant safety features there are registers which represent the current configuration. These registers should be checked at least every 40 ms, and any deviation from the required settings should lead to a reaction from the external watchdog:
=> shut-off of the safety-relevant power stages and the safety-relevant communication (CAN/FlexRay)
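A configuration-register check of the kind the motivation describes, as an added example that is not Bosch code: a table of register, mask and required value is compared on every cycle, and the answer handed to the external watchdog is only valid when the check is younger than 40 ms and found no deviation. The registers are constructed RAM stand-ins; their names, masks and values are assumptions, not the MDG1 register map, and the coupling to the watchdog answer is an assumption too.

```c
/* Added example (not Bosch code): a safety-feature configuration check in the
 * spirit of MoCSCC. The "registers" are constructed RAM stand-ins for
 * memory-mapped configuration registers; names, masks and values are
 * assumptions, not the MDG1 register map. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CSCC_DEADLINE_MS 40U   /* registers must be checked at least every 40 ms (slide) */

typedef struct {
    const volatile uint32_t *reg;  /* configuration register to read */
    uint32_t mask;                 /* safety-relevant bits */
    uint32_t expected;             /* required value of those bits */
    const char *name;
} cscc_entry_t;

/* Constructed stand-ins for three safety-feature configuration registers */
volatile uint32_t sim_lockstep_ctrl = 0x00000001u; /* bit0: lockstep enable */
volatile uint32_t sim_ecc_ctrl      = 0x00000003u; /* bit0: ECC on, bit1: uncorrectable -> EMM */
volatile uint32_t sim_errorpin_cfg  = 0x000000F1u; /* bit0: pin enabled, bits4-7: routed events */

static const cscc_entry_t cscc_table[] = {
    { &sim_lockstep_ctrl, 0x00000001u, 0x00000001u, "lockstep enable" },
    { &sim_ecc_ctrl,      0x00000003u, 0x00000003u, "ECC control" },
    { &sim_errorpin_cfg,  0x000000F1u, 0x000000F1u, "Errorpin routing" },
};
#define CSCC_ENTRIES (sizeof cscc_table / sizeof cscc_table[0])

/* Compare every register against its required configuration; returns a bitmask
 * with bit i set for each deviating table entry (0 = configuration intact).
 * Bits outside the mask (e.g. status flags) are ignored. */
uint32_t cscc_check(const cscc_entry_t *table, size_t n)
{
    uint32_t deviating = 0U;
    for (size_t i = 0; i < n; i++) {
        uint32_t value = *table[i].reg;          /* fresh volatile read each cycle */
        if ((value & table[i].mask) != (table[i].expected & table[i].mask))
            deviating |= 1U << i;
    }
    return deviating;
}

/* Supervision of the check itself: the answer to the monitoring module is only
 * valid if the last check is younger than the 40 ms deadline and found no
 * deviation. An invalid answer lets the external watchdog (WDA) shut off the
 * safety-relevant power stages and CAN/FlexRay (assumed coupling). */
typedef struct { uint32_t last_check_ms; uint32_t deviating; } cscc_state_t;

void cscc_task(cscc_state_t *s, uint32_t now_ms)
{
    s->deviating = cscc_check(cscc_table, CSCC_ENTRIES);
    s->last_check_ms = now_ms;
}

bool cscc_answer_valid(const cscc_state_t *s, uint32_t now_ms)
{
    return (now_ms - s->last_check_ms) <= CSCC_DEADLINE_MS && s->deviating == 0U;
}

int main(void)
{
    cscc_state_t s = { 0U, 0U };
    cscc_task(&s, 0U);
    printf("intact config: answer %s\n", cscc_answer_valid(&s, 10U) ? "valid" : "invalid");
    sim_lockstep_ctrl &= ~0x1u;                    /* constructed fault: lockstep disabled */
    cscc_task(&s, 10U);
    for (size_t i = 0; i < CSCC_ENTRIES; i++)
        if (s.deviating & (1U << i)) printf("deviation: %s\n", cscc_table[i].name);
    printf("answer %s\n", cscc_answer_valid(&s, 20U) ? "valid" : "invalid");
    return 0;
}
```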


MoCPC: Peripheral Core Monitoring

MoCPC: Peripheral Core Monitoring
Motivation
• In the current MDG1 µC only one Lockstep dual-core is available, and the Lockstep Core is not the Boot Core (in 40 nm the Boot Core is also lockstepped; there this module is not applicable)
• Boot software, parts of the monitoring and parts of the BSW are scheduled on the Peripheral Core (Boot Core)
• Those software parts are not covered by the Lockstep mechanism
• An instruction test for the Boot Core is necessary to secure monitoring code executed at an early stage of initialization, like the EMM error handling

MoCEMM: Errorpin Handler

MoCEMM: Errorpin Handler
Functionalities of MoCEMM
Service functionalities
• Errorpin handler, used by software to activate and deactivate the Errorpin
Startup functionalities
• Check for ECC errors
• Check for memory errors detected by MoCMem
• Perform a full memory check in case of a memory fault
• Clear previous EMM events
• Robustness measure
Cyclical functionalities
• Errorpin plausibility check

MoCEMM: Errorpin Handler
Service functionalities – Errorpin handler (figure)

MoXEMM: Diagnosis Function for EMM Module

MoXEMM: Diagnosis Function for EMM Module
EMM error tracking sequence (figure: states Reset, NMI routine, PreInit with MoXEMM Init and EMM active, Init with MoCEMM Init, Drive, Post Drive; the EMM status is written to fixed RAM, the start address tracking is read, the DFC status is written to NVRAM, then the EMM events are cleared)

MoCGTM: Generic Timer Module Monitoring


MoCGTM: Generic Timer Module Monitoring
Overview
The Generic Timer Module (GTM) was designed as an IP module for integration into microcontroller environments, for monitoring and control of embedded systems. It consists of submodules which can work independently. These submodules can be configured to work together and realize functions. To protect against unwanted effects like erroneous timing behavior in EPM or injection, the monitoring has to check that the GTM submodules are working correctly:
• Checksum validation of the MCS code area
• Cyclical check of the monitoring variables in MCS local RAM
• Monitoring of the GTM clock

MoCPFC: Program Flow Check


MoCMem: Cyclic Memory Test

Memory Checks Overview: Memory Diagnostic and Error Reactions
(table; the cell marks could not be recovered)
Columns (ECU states from switch-on/reset to ECU off): Init states Boot, Init, Predrive; cycle state Drive; shutdown states Shutdown, Postdrive; ECU off
Rows (checks): Single Check RAM (SOP/COM); Cyc RAM Slow; Stack & CSA Cpl Check RAM; Cyc CS ROM Fast; Cyc CS ROM Slow; Complete CS GTM ROM; Cyc RAM GTM (Variable); Complete CS ROM; Complete RAM IFA9; ECC RAM Correctable 1*); ECC RAM Uncorrectable; ECC ROM Correctable 1*); ECC ROM Uncorrectable
Error reactions: Request Complete CS ROM; Request Complete RAM IFA9; Request Reset + ERRORPIN
1*) Unlimited single-bit correction, no error reaction.

MoCMem: Cyclic Memory Test
Overview
• In MDG1 a cyclic memory check over the Level 2/3 memory ranges is executed
• The complete Stack/CSA memory check is included in MoCMem
• Functions for the single check of RAM cells are supported
• A complete memory check (RAM and ROM) is executed at the next startup, triggered by MoCEMM, if one of the following errors occurred in the previous driving cycle:
  - Uncorrectable ECC error
  - Error in the cyclical memory check
  - Error in the Stack/CSA check
  - Complement error

MoCSOP: Shut Off Path Test

MoCSOP: Shut Off Path Test
Overview: Shut-off path test
The function controller checks the shut-off paths of the monitoring module (WDA), the function controller (Errorpin) and the voltage monitoring ASIC (ABE) before each engine start.
The shut-off path test is divided into 3 parts:
- FlexRay test (executed in Core1_main)
- CAN test (executed in Core1_main)
- Power stage test (started in Drive)
Failure reaction: Reset or Injection Cut Off (ICO)
After a successful test, the query/response communication is controlled by MoCCom

MoCSOP: Shut Off Path Test
Schematic view of the shut-off paths (figure)

MoCSOP: Shut Off Path Test - Powerstages
Powerstage shut-off path test sequence
1. Positive test -> "WDA, Errorpin and ABE inactive"
2. Negative test -> MM "WDA active"
3. Negative test -> FC "Errorpin active"
4. Overvoltage test -> PVMT ASIC "ABE active"

OCWDA: Operation Conditions WDA/ABE Shut Off

OCWDA: Operation Conditions WDA/ABE Shut Off
• An activation of the Errorpin leads to an activation of WDA and ABE
• An activation of WDA leads to an activation of Errorpin and ABE
• An activation of ABE does NOT lead to an activation of Errorpin and WDA
ABE might be activated by overvoltage or component defects (e.g. short circuit)

OCWDA: Operation Conditions WDA/ABE Shut Off
Function overview (figure: Level 2, Level 3 and the external WDT feed Errorpin and WDA; overvoltage and ABE short circuit feed ABE; resulting DFCs: any DFC with Errorpin, OCWDA DFC, DFC ABE Overvoltage, DFC ABE Reset)
• Only one DFC can be active, and it displays the error cause of the shut-off path lines (remember: the Errorpin, WDA and ABE error lines activate each other)
• An availability reset for the case of error healing can be applied in order to reinitialize the power stages and the power stage algorithms
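The line coupling from the two OCWDA slides and the powerstage shut-off path test sequence from the MoCSOP slide, as an added example that is not Bosch code: the coupling rules give the only steady-state line patterns that can occur, which yields both a plausibility check on observed lines and the expected pattern for each test step, and the single-DFC rule is applied on top. The DFC names, the fc_set_errorpin input and the step-to-line mapping are assumptions.

```c
/* Added example (not Bosch code): the shut-off line coupling from the OCWDA
 * slides and the powerstage shut-off path test sequence, as a small model.
 * The DFC names and the fc_set_errorpin input are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define LINE_ERRORPIN (1u << 0)   /* function controller (FC) */
#define LINE_WDA      (1u << 1)   /* monitoring module (MM) */
#define LINE_ABE      (1u << 2)   /* voltage monitoring ASIC */
#define LINE_ALL      (LINE_ERRORPIN | LINE_WDA | LINE_ABE)

typedef enum { DFC_NONE = 0, DFC_ERRORPIN, DFC_OCWDA, DFC_ABE, DFC_IMPLAUSIBLE } dfc_t;

/* Coupling rules from the slide: Errorpin pulls WDA and ABE, WDA pulls
 * Errorpin and ABE, ABE pulls nothing. */
uint8_t propagate_lines(uint8_t triggered)
{
    uint8_t lines = triggered & LINE_ALL;
    if (lines & (LINE_ERRORPIN | LINE_WDA))
        lines = LINE_ALL;
    return lines;
}

/* A steady-state pattern must be a fixed point of the coupling: only "none",
 * "ABE only" and "all three" can occur. Anything else (e.g. Errorpin active
 * while WDA is inactive) points at a broken line or a stuck driver. */
bool lines_plausible(uint8_t observed)
{
    return propagate_lines(observed) == observed;
}

/* Exactly one DFC may be active and must name the cause. When all three lines
 * are active the lines alone cannot tell FC from MM origin, so the FC's own
 * Errorpin handler state (fc_set_errorpin, assumed input) decides. */
dfc_t attribute_dfc(uint8_t observed, bool fc_set_errorpin)
{
    if (!lines_plausible(observed)) return DFC_IMPLAUSIBLE;
    if (observed == 0U)             return DFC_NONE;
    if (observed == LINE_ABE)       return DFC_ABE;      /* overvoltage or short circuit */
    return fc_set_errorpin ? DFC_ERRORPIN : DFC_OCWDA;   /* WDA from the monitoring module */
}

/* Powerstage shut-off path test sequence (slide): which line each step
 * activates. Step 1 is the positive test, 2-4 the negative/overvoltage tests. */
uint8_t sop_test_stimulus(unsigned step)
{
    switch (step) {
    case 1:  return 0U;             /* positive: WDA, Errorpin and ABE inactive */
    case 2:  return LINE_WDA;       /* MM activates WDA */
    case 3:  return LINE_ERRORPIN;  /* FC activates Errorpin */
    case 4:  return LINE_ABE;       /* PVMT ASIC activates ABE (overvoltage) */
    default: return 0U;
    }
}

/* Pattern that must be observed after the stimulus has propagated */
uint8_t sop_test_expected(unsigned step)
{
    return propagate_lines(sop_test_stimulus(step));
}

/* A step passes only if the observed lines equal the expected pattern and the
 * power stage is off exactly when some line is active. */
bool sop_test_step_ok(unsigned step, uint8_t observed, bool power_stage_off)
{
    bool expect_off = sop_test_expected(step) != 0U;
    return observed == sop_test_expected(step) && power_stage_off == expect_off;
}

int main(void)
{
    static const char *names[] = { "none", "Errorpin", "OCWDA", "ABE", "implausible" };
    printf("all lines, FC origin : %s\n", names[attribute_dfc(LINE_ALL, true)]);
    printf("all lines, MM origin : %s\n", names[attribute_dfc(LINE_ALL, false)]);
    printf("ABE only             : %s\n", names[attribute_dfc(LINE_ABE, false)]);
    printf("Errorpin without WDA : %s\n", names[attribute_dfc(LINE_ERRORPIN, true)]);
    for (unsigned step = 1; step <= 4; step++)
        printf("SOP step %u expects lines 0x%x\n", step, sop_test_expected(step));
    return 0;
}
```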

Training Monitoring Concept Level 3
Thank you for your attention

Training Monitoring Concept Level 3
DOORS system function <-> FC mapping
System function: Included FCs
SF_AdcMonSfty: MoCADC_Co
SF_SopDiagSfty: OCWDA_Co
SF_SopTstSfty: MoCSOP_Co
SF_ComWdgMonSfty: MoCCom_Co
SF_ErrPinHndlrSfty: MoCEMM_Co, MoXEMM_Co
SF_MemMonSfty: MoCMem_Co
SF_TpuMonSfty: MoCGTM_Co
SF_InstrTstSfty: MoCCPU_Co, MoCPC_Co
SF_PrgmFlowChkSfty: MoCPFC_Co, MoCPFCExtdTsk_Co, MoCIWDH_Co
SF_CfgChkSfty: MoCSCC_Co
SF_HwLogicTestSfty: MoCHwLogicTest_Co
SF_EcuHwSftySwDsgn: MoCfgGen_Co -> SC_EcuHwSfty

Training Monitoring Concept Level 3
Links
• Safety @ PS-EC Level 3
• MDG1 Safety Wiki
• Dependencies MDG1 Level 3 - HW, BSW and SW
• Configuration Checklist Level 3

Functional safety - Overview
ISO 26262 ASIL Classification
Severity:
• S0: no injuries and <10% probability of injuries
• S1: >10% probability of moderate injuries, but not S2 or S3
• S2: >10% probability of severe injuries (life threatening, survival probable)
• S3: >10% probability of critical (life threatening, survival uncertain) or fatal injuries
Controllability:
• C0: controllable in general
• C1: >=99% of drivers or other traffic participants are usually able to avoid harm
• C2: >=90% of drivers or other traffic participants are usually able to avoid harm
• C3: <90% of drivers or other traffic participants are usually able, or barely able, to avoid harm
Exposure:
• E0: incredible, not considered, no ASIL assigned
• E1: very low probability
• E2: <1% of average operating time, low probability
• E3: 1-10% of average operating time, medium probability
• E4: >10% of average operating time, high probability