Received April 13, 2022, accepted April 25, 2022, date of publication April 29, 2022, date of current version May 9, 2022.
Digital Object Identifier 10.1109/ACCESS.2022.3171261

Safety-Related Availability in the Power Supply Domain

PHILIPP KILIAN 1, OLIVER KOLLER 2, PATRICK VAN BERGEN 1, CARSTEN GEBAUER 3, AND MARTIN DAZER 4
1 Cross-Domain Computing Solutions, Product Area Integrating Devices–Engineering Vehicle Systems (XC-AN/EPI1), Robert Bosch GmbH, 70499 Stuttgart, Germany
2 Cross-Domain Computing Solutions, Product Area Integrating Devices–Powernet Strategy (XC-AN/PAI), Robert Bosch GmbH, 70499 Stuttgart, Germany
3 Systems Engineering, Bosch Center of Competence Vehicle Safety (M/ENG-CVS), Robert Bosch GmbH, 71636 Ludwigsburg, Germany
4 Institute of Machine Components, University of Stuttgart, 70569 Stuttgart, Germany
Corresponding author: Philipp Kilian (philipp.kilian@de.bosch.com)
ABSTRACT The automotive industry is currently driven by the megatrends electrification, automated driving and connectivity. To cope with these trends, new functionalities and electrical and/or electronic (E/E) systems need to be developed and deployed. Independent of the implementation of E/E systems, their power input shall be ensured by the power supply system as a shared resource, leading to increased functional safety requirements for power supply systems. If the loss of an item's functionality can lead to a hazardous event, a safety goal (SG) specifying a safety-related availability (SaRA) requirement is derived. Thereby, switching to passive mode typically cannot be considered a safe state. To address an SG specifying a SaRA requirement, fault avoidance, fault forecasting and/or fault tolerance measures can be applied. In the case of fault tolerance measures implemented by redundancy, which leads to fail-active behavior, the performance of the backup system during nominal operation and after the first fault can be further refined. In this study, SaRA in the context of ISO 26262 is evaluated in detail and mapped to an example of the power supply domain.

INDEX TERMS Automotive electronics, automotive engineering, functional safety, ISO 26262, power supplies, reliability, requirements engineering, vehicle safety.
I. INTRODUCTION
The relevance of safety applications within the automotive industry is continuously increasing, particularly driven by the megatrends electrification, automated driving and connectivity. In general, the ISO 26262 series of standards published by the International Organization for Standardization (ISO) shall be applied to ensure the functional safety of safety-related electrical and/or electronic (E/E) systems in the automotive industry. Compliance with ISO 26262 may currently be argued as state-of-the-art development for product liability; however, it is mandatory for homologation in China since 2022 [1], [2]. The power supply system is essential because it ensures the power supply of several safety-related E/E systems. Without power, E/E systems typically cannot provide their specified function. If the loss of a specified function can lead to a hazardous event, so-called safety-related availability (SaRA) requirements are allocated to the power supply system. In this case, the power supply system is required to be available to ensure a safe vehicle behavior. Thus, it shall either be designed sufficiently robust or provide its specified function even in the presence of a fault. Among others, this results in the necessity of analyzing the system behavior under various fault scenarios to ensure ISO 26262 compliance. In the past, functional safety and availability may have been seen as contradicting goals; however, functional safety and availability must coincide to ensure upcoming and innovative vehicle functions.

The associate editor coordinating the review of this manuscript and approving it for publication was Paolo Giangrande.

To standardize the safety process and improve its applicability in the power supply domain, interpretations and recommendations for the practical application of SaRA are discussed within this paper. Thereby, a distinction is made between SaRA requirements, fail-passive behavior and fail-active behavior.
A. ORGANIZATION OF THE ARTICLE
In Section I, the general aspects of functional safety in the power supply domain are discussed. Afterwards, the most relevant terms related to SaRA are introduced and discussed in Section II. In Section III, SaRA in the context of ISO 26262 is mapped to an example of the power supply domain. Thereby, several interpretations and guidelines for the practical application of SaRA requirements are discussed for an exemplary power supply architecture. In Section IV, a summary of SaRA in general and its specific application in the power supply domain is provided.

VOLUME 10, 2022 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ 47869
P. Kilian et al.: Safety-Related Availability in Power Supply Domain
B. OBJECTIVE
The commonalities and differences between SaRA, fail-passive behavior and fail-active behavior have not yet been discussed in detail in the power supply domain. The objective of this paper is to standardize the use of these terms and to provide measures to comply with SaRA requirements. Although the objective of this paper is to provide a consistent framework for the power supply domain, the framework presented in Section II is also transferable to other domains in the automotive industry. Additionally, there is no standard approach in the power supply domain to apply SaRA requirements during the development. To fill this gap, possible safety measures to comply with a safety goal (SG) specifying a SaRA requirement are discussed for an exemplary power supply architecture.
C. POWER SUPPLY SYSTEM AS A SHARED RESOURCE
Power supply systems are within the scope of ISO 26262 and must be functional safety compliant for homologations since 2022 [1], [2]. The main tasks of the power supply system are to provide a safe power feed and power distribution [1]. Because a fault in the power supply system may affect several other elements and systems, it represents a shared resource. In general, a "software, hardware [(HW)], or system element" is considered a shared resource if the same "instance is used by two [or more] elements, which are therefore affected by the failure or unavailability of that shared resource" [3]. Vice versa, (safety) requirements are allocated to the power supply system by multiple E/E systems or vehicle functions, respectively.

In general, the relevance of failures in E/E systems is reinforced by the fact that they caused more than 50 % of all vehicle breakdowns in 2020 [4]. The portion of electric faults increased by about 15 percentage points within the last decade [1], [4]. All these faults potentially result in a hazardous event and thus, in a violation of an SG [1], [5]. Safety measures shall be applied to prevent and/or control these faults in order to prevent hazardous events from occurring. A detailed evaluation of functional safety in the context of power supply systems development is presented in [1].
II. SAFETY-RELATED AVAILABILITY IN GENERAL
One of the most generic definitions of availability is provided in IEC 60050 by the International Electrotechnical Commission (IEC). In IEC 60050-192, availability is defined as the "ability to be in a state to perform as required" [6]. This definition is made more concrete in ISO 26262 as "capability of a product to provide a stated function if demanded, under given conditions over its defined lifetime" [7]. Thus, the conditions under which a specified function shall be provided are explicitly mentioned. Generally, availability can be considered a quality attribute. However, availability becomes safety-related, which is referred to as SaRA, if a "loss of a certain functionality can lead to a hazardous event" [8]. In this case, availability becomes a safety attribute and thus, a so-called SG specifying a SaRA requirement is defined according to ISO 26262-10:2018, 12.1 [8]. This necessitates providing evidence regarding the availability in a functional safety-compliant manner.

To provide this evidence, the safety requirements concerning systematic faults and random HW faults shall be fulfilled dependent on the assigned automotive safety integrity level (ASIL) [8]. ASIL describes "one of four levels to specify the item's or element's necessary ISO 26262 requirements and safety measures to apply for avoiding an unreasonable risk" [7]. Besides the four ASILs, quality management (QM) integrity can be specified to refer to activities with regard to quality [7].

Concerning random HW faults, especially the target values regarding the probabilistic metric for random hardware failures (PMHF), single-point fault metric (SPFM), and latent-fault metric (LFM) are of interest, as listed in Table 1. For SGs specifying a SaRA requirement, the same target values shall be achieved as for SGs not specifying a SaRA requirement. The unit of the PMHF is failures in time (FIT) [9]. One FIT is defined as one failure per 10^9 operational hours [7]. Further details about the PMHF, SPFM and LFM are provided in [1] and [9]. To evaluate these target values, fault tree analysis (FTA) and failure modes, effects and diagnostic analysis (FMEDA) can be conducted [1], [10]. An approach to evaluate the PMHF based on an FTA in the case of a SaRA requirement was presented in [11]. However, such a quantitative evaluation is not within the scope of this paper. Instead, the scope of this paper is on basic terms in the context of SaRA in general and measures to comply with SaRA requirements from a systematic point of view.

In the following sections, the concept of SaRA according to ISO 26262 is introduced and its relation to fail-passive and fail-active behavior is evaluated. Although the objective is to provide a consistent framework for the power supply domain, the following framework is also transferable to other domains in the automotive industry. Subsequently, potential measures are differentiated based on the evaluation of whether a loss of functionality can lead to a hazardous event.

TABLE 1. Quantitative target values dependent on safety integrity in the case of an SG specifying a SaRA requirement [9].
A. CONCEPT DEFINITION OF SAFETY-RELATED AVAILABILITY IN THE CONTEXT OF ISO 26262
As introduced previously, SaRA is of concern if the "loss of a certain functionality can lead to a hazardous event" [8]. This is evaluated in the hazard analysis and risk assessment (HARA) [8]. In general, the HARA is completed to identify and categorize "hazardous events caused by malfunctioning behavior of the item" [12]. Therefore, a SaRA requirement is initially derived for an item because the HARA is generally conducted on item level [8], [12]. Further details regarding the application of a HARA are provided in [1] and [7]. In the case of an SG specifying a SaRA requirement, generally, the item shall maintain the specified vehicle function until a defined minimal risk condition, i.e. an operating mode without an unreasonable risk, is reached. In the case of failure, this operating mode is defined as safe state [7].

If the availability of a vehicle function is considered safety-related, it depends mainly on the vehicle operating state (VOS). VOS is defined as the "operating mode in combination with the operational situation" [7]. It is defined "by the currently provided performance of the specified functionality [– operating mode –] within the current driving situation [– operational situation –]" [7]. In addition to the operational situation, the operating mode, e.g. depending on the vehicle speed, may affect the severity of the hazardous event and therefore, the ASIL of the SG.

According to [1], "SaRA requirements request the availability of a function with the corresponding ASIL rating of the SG or requirement". In other words: as long as a VOS requires SaRA, a "never give up strategy" shall be applied; thus, the functionality shall not transition to the passive mode. Therefore, SaRA requirements generally contradict fail-passive behavior. However, SaRA requirements are not necessarily equal to fail-active behavior:
1) SaRA: represents a requirement, which shall be fulfilled by the implementation. This requires the availability of a function without specifying any potential solutions. According to [8] and [13], the following safety measures can be applied as potential solutions: fault avoidance, fault forecasting and/or fault tolerance measures;
2) Fail-active behavior: represents a characteristic of a specific implementation instead of a requirement. It implicitly requires a solution based on fault tolerance measures because only in this case, a (sub-)system can fail while another (sub-)system ensures operation with full performance (fail-operational) or degraded performance (fail-degraded). In addition, the performance of the backup system during nominal operation shall be differentiated, e.g., into cold, warm or hot redundancy.
A common misunderstanding in the automotive industry is that fail-active or fail-operational behavior is explicitly required by ISO 26262 for highly available systems, e.g. for systems implementing automated driving features with high SAE levels [14]. The SAE levels provided by SAE International, formerly called the Society of Automotive Engineers, can be applied to describe the degree of driving automation [14]. In general, SaRA is required by ISO 26262, whereby fail-active or fail-operational behavior is only a subset of the solution space. Nevertheless, redundancy and thus, fail-active or fail-operational behavior, is explicitly required by technical recommendations and regulations. For example, in [15] "at least two completely independent energy reserves, each provided with its own transmission, likewise independent;" are required for homologation if "the service braking force and transmission depend exclusively on the use [...] of an energy reserve" [15].

In Fig. 1, the terms previously written in italics are summarized in the context of SaRA. Thereby, it is schematically shown how an SG specifying a SaRA requirement is derived and how this leads to different safe states if applicable. Note: a safe state can only be defined "in the case of failure" [7]. Nominal respectively failure-free operation "can be considered safe" [7]; however, it is not a safe state in the context of ISO 26262.
FIGURE 1. Basic terms in the context of SaRA.
Since the basic terms in the context of SaRA appear in all kinds of variations in scientific publications, they are described in the following in a consistent manner and their correlation to SaRA is evaluated in detail. The terms and measures are evaluated according to the process shown in Fig. 1. Therefore, each path in Fig. 1 is assigned a blue tag referring to the corresponding section. As introduced previously, fail-passive behavior can only be targeted if the loss of a vehicle function cannot lead to a hazardous event (Fig. 1, "S.II-B"). However, if a loss of a vehicle function can lead to a hazardous event (Fig. 1, "S.II-C"), safety measures based on fault avoidance (Fig. 1, "S.II-C 1)"), fault forecasting (Fig. 1, "S.II-C 2)"), and/or fault tolerance (Fig. 1, "S.II-C 3)") are applicable. Fault tolerance measures generally lead to fail-active behavior. Thereby, an emergency operation (EO) may be entered after the first fault in the system until a safe state is reached, see also Section II-C 3b) [8].
B. LOSS OF VEHICLE FUNCTION CANNOT LEAD TO HAZARDOUS EVENT
As shown in Fig. 1 "S.II-B", fail-passive behavior of an item, also referred to as fail-silent behavior, is typically implemented if it is identified within the HARA that the loss of a vehicle function cannot lead to a hazardous event. In this case, a "safe state can be achieved by switching off the functionality in the case of a malfunction within the system" [8]. In the automotive context, this is also referred to as fail-safe. According to [16], a "system is fail-safe in the presence of a fault combination if it ceases its specified functionality and transitions to a well-defined condition to maintain a safe state". In summary, fail-passive behavior of an item is typically implemented "for items with no [SaRA] requirements" [17].

Fail-passive behavior represents a characteristic of a specific implementation, analogous to fail-active behavior, whereas SaRA represents a requirement. If no SaRA requirement is specified, "the typical fault reaction is the deactivation of the item" [17] in the case of malfunctioning behavior. If the malfunction of the specified functionality can cause an ASIL-rated risk, the safety mechanism (SM) to deactivate the function shall be implemented with the identified ASIL if no measures are applied to avoid the fault causing the malfunction in the first place. An SM is a "technical solution implemented by E/E functions or elements, or by other technologies, to detect and mitigate or tolerate faults or control or avoid failures in order to maintain intended functionality or achieve or maintain a safe state" [7]. In other words: fail-passive behavior is implemented with the ASIL of the hazardous event which shall be avoided. A safe state is reached as soon as the vehicle function is deactivated. Therefore, fail-passive behavior typically cannot be applied if SaRA requirements are allocated to the system. However, there are examples where deactivating the vehicle function in certain VOSs can still be considered acceptable, e.g. if the transition into the passive state is necessary in order to prevent the violation of a non-SaRA requirement with a higher ASIL rating than the SaRA requirement.
Typical applications of fail-passive behavior include advanced driver assistance systems (ADASs) up to SAE Level 2 [14], e.g. a lane-keeping assist. If a fault within the ADAS is detected, it is switched off, and the driver is notified about the loss and must be able to control the vehicle with the deactivated ADAS instantly. Thus, a safe state is achieved by switching the ADAS into the passive mode and notifying the driver about the loss. Deactivation can be completed in a short period of time because no restrictions concerning the VOS need to be considered, i.e. the deactivation can be completed as soon as the fault occurs because the driver always needs to monitor the vehicle behavior according to the SAE definitions [14].

In contrast to fail-passive behavior, in systems with fail-active behavior resulting from SaRA requirements, a time buffer must be retained for fail-active behavior to transition into a VOS without SaRA requirements before the affected vehicle function can be deactivated, see Section II-C. For example, in the case of a fault in the steering assist during driving, the deactivation of the steering function can only be completed after entering a VOS in which the loss of the steering assist function is no longer safety-relevant, e.g. after parking the vehicle in a safe area.

If fail-passive behavior is applicable, functional safety and availability can be considered contradicting goals. As shown in the previous example regarding the ADAS function, compliance with functional safety is achieved by the unavailability of the vehicle function. Functional safety can only be threatened in the case of malfunctioning behavior while the function is activated. However, functional safety and availability must coincide to ensure upcoming and innovative vehicle functions.

In the following, the previously mentioned safety measures for realizing SaRA requirements are discussed. The focus is on fault avoidance, fault forecasting, and fault tolerance measures. Note: if no SaRA requirement is derived and fail-passive behavior is implemented, fault avoidance, fault forecasting and/or fault tolerance measures can additionally be applied to increase the availability and thus, e.g., the customer satisfaction. However, in this case, the application of these measures is not driven by functional safety.
C. LOSS OF VEHICLE FUNCTION CAN LEAD TO A HAZARDOUS EVENT
As shown in Fig. 1 "S.II-C", safety measures based on fault avoidance, fault forecasting and/or fault tolerance are of particular interest if a loss of a vehicle function can lead to a hazardous event.
1) FAULT AVOIDANCE MEASURES
Fault avoidance measures, also referred to as fault prevention measures, increase the robustness of a system and thus are applicable to comply with SaRA requirements, see Fig. 1 "S.II-C 1)". The main idea is to use "techniques and procedures that aim to avoid the introduction of faults during any phase of the safety lifecycle of the safety-related system" [18]. Therefore, the target is to build a fault-free item. The guided development process according to ISO 26262 shall be applied as a minimum requirement to avoid systematic failures. To reduce random HW failures to a reasonable level of risk by fault avoidance measures, dedicated measures may be implemented as introduced in [9], e.g.:
1) "design features such as [HW] part over-design" or "physical separation";
2) "special sample test of incoming material";
3) "assignment of safety-related special characteristics".
Dedicated measures are typically applied in practical applications to meet the requirements regarding single-point faults (SPFs) and residual faults (RFs) as required in ISO 26262-5:2018, 9.4.1.2 and 9.4.1.3 for ASIL C and ASIL D use cases, see Table 2:
TABLE 2. FIT rate targets of SPF and RF for HW parts [9].
Note: these target values shall be achieved for the resulting SPF or RF failure rate of a HW part, not for each failure mode of the HW part individually. Thus, the resulting diagnostic coverage (DC) for the respective HW part shall be derived from the different failure mode coverages of each failure mode.
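As an added worked example (not from the paper), the following Python script performs the aggregation the note above calls for: it rolls the per-failure-mode coverages of one HW part up into the part-level residual-fault rate and the resulting DC, and checks that rate against a FIT target. The part, its failure-mode distribution and the DC values are constructed sample data; the weighting of each mode's coverage by its share of the base failure rate, the treatment of "safe" modes, and the `target_fit` argument (Table 2's actual ASIL-dependent values are not reproduced here) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FailureMode:
    """One failure mode of a HW part as it would be listed in an FMEDA (constructed data)."""
    name: str
    share: float           # fraction of the part's base failure rate attributed to this mode
    dc: float              # diagnostic coverage of the safety mechanism for this mode, 0..1
    safety_related: bool   # False = safe fault that cannot contribute to an SG violation


def part_metrics(base_rate_fit: float, modes: List[FailureMode]) -> Dict:
    """Aggregate per-mode coverages into part-level figures (assumed weighting approach).

    residual_fit  rate of safety-related faults the safety mechanism does NOT cover (RF share)
    covered_fit   rate of safety-related faults it does cover
    safe_fit      rate of faults classified as safe
    resulting_dc  covered / (covered + residual), i.e. the DC of the part as a whole
    """
    total_share = sum(m.share for m in modes)
    if abs(total_share - 1.0) > 1e-9:
        raise ValueError(f"failure mode shares must sum to 1.0, got {total_share}")
    for m in modes:
        if not 0.0 <= m.dc <= 1.0:
            raise ValueError(f"DC of mode {m.name!r} out of range: {m.dc}")

    residual = covered = safe = 0.0
    per_mode_residual: Dict[str, float] = {}
    for m in modes:
        mode_rate = base_rate_fit * m.share
        if not m.safety_related:
            safe += mode_rate            # safe faults need no coverage
            continue
        uncovered = mode_rate * (1.0 - m.dc)
        residual += uncovered
        covered += mode_rate * m.dc
        per_mode_residual[m.name] = uncovered

    safety_related = residual + covered
    resulting_dc = covered / safety_related if safety_related > 0.0 else 1.0
    return {
        "residual_fit": residual,
        "covered_fit": covered,
        "safe_fit": safe,
        "resulting_dc": resulting_dc,
        "per_mode_residual_fit": per_mode_residual,
    }


def rf_target_met(base_rate_fit: float, modes: List[FailureMode], target_fit: float) -> bool:
    """Compare the PART-level residual rate (not any single mode) against a FIT target.
    target_fit is a placeholder; the ASIL-dependent targets are those of Table 2."""
    return part_metrics(base_rate_fit, modes)["residual_fit"] <= target_fit


# Constructed sample: a hypothetical 10 FIT part with four failure modes.
SAMPLE_BASE_RATE_FIT = 10.0
SAMPLE_MODES = [
    FailureMode("short", 0.45, 0.99, True),
    FailureMode("open",  0.30, 0.90, True),
    FailureMode("drift", 0.15, 0.60, True),   # poorly covered on its own
    FailureMode("param", 0.10, 0.00, False),  # safe fault: no SG impact, no DC needed
]

if __name__ == "__main__":
    m = part_metrics(SAMPLE_BASE_RATE_FIT, SAMPLE_MODES)
    for name, rf in m["per_mode_residual_fit"].items():
        print(f"{name:6s} residual = {rf:.3f} FIT")
    print(f"part residual = {m['residual_fit']:.3f} FIT, "
          f"resulting DC = {m['resulting_dc']:.3f}, "
          f"target 1.0 FIT met: {rf_target_met(SAMPLE_BASE_RATE_FIT, SAMPLE_MODES, 1.0)}")
```

With this sample the "drift" mode alone leaves 0.6 FIT uncovered, the part as a whole 0.945 FIT at a resulting DC of 0.895; a per-mode check would judge "drift" very differently from the part-level check the note prescribes, which is exactly why the aggregation matters.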
The nominal operation is maintained for all VOS because a fault potentially violating the SG shall not occur at all, i.e. no safe state needs to be defined. The specified functionality shall always be provided with full performance.
2) FAULT FORECASTING MEASURES
Fault forecasting measures, also referred to as fault prediction measures, focus on the "capability to detect a fault or degradation before it can lead to a failure" [8] and thus are applicable to comply with SaRA requirements, see Fig. 1 "S.II-C 2)". These measures target to "estimate or [predict] conditions and events [...] based on information and knowledge available at the time of the forecast" [19]. Typically, the prediction is based on continuous monitoring and extrapolation of critical system state parameters, e.g. state observation for critical physical parameters using simplified circuit diagrams.

The occurrence of a fault is predicted, and the potential malfunctioning behavior of the item is prevented by a timely transition to a VOS, or by maintaining a VOS, in which the fault cannot lead to a safety-relevant failure causing an SG violation. Alternatively, the faulty parts can be exchanged before a critical failure occurs using predictive maintenance methods, or the operational strategy can be adapted such that the critical parameter does not deteriorate further [20]. In other words: fault forecasting is achieved by detecting imminent failures to prevent entering a safety-relevant VOS or leaving it before a failure occurs [13]. Thus, no critical failure causing an SG violation shall occur.
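The monitoring-and-extrapolation idea from the two paragraphs above, as an added example that is not part of the paper: a least-squares trend is fitted to periodic samples of a monitored parameter, the time at which the trend reaches the failure threshold is extrapolated, and the remaining margin is compared with the time the vehicle needs to reach a VOS in which the function is no longer safety-relevant. The drifting parameter (a rising internal resistance of a hypothetical supply element), the threshold, the sample values and the `reaction_time_h` budget are all constructed; the linear model is the simplest possible forecaster and stands in for whatever observer a real system would use.

```python
from typing import List, Optional, Tuple

Sample = Tuple[float, float]   # (operating hours, monitored value), constructed units


def fit_trend(samples: List[Sample]) -> Tuple[float, float]:
    """Least-squares line value = slope * t + intercept through the monitored samples."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples to extrapolate a trend")
    mean_t = sum(t for t, _ in samples) / n
    mean_v = sum(v for _, v in samples) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in samples)
    sxy = sum((t - mean_t) * (v - mean_v) for t, v in samples)
    slope = sxy / sxx if sxx else 0.0
    return slope, mean_v - slope * mean_t


def predicted_crossing(samples: List[Sample], threshold: float) -> Optional[float]:
    """Operating hour at which the trend reaches the failure threshold.

    Returns the current time if the threshold is already exceeded, and None if the
    parameter is not moving towards the threshold (nothing to forecast).
    """
    now, last_value = samples[-1]
    if last_value >= threshold:
        return now
    slope, intercept = fit_trend(samples)
    if slope <= 0.0:
        return None
    return (threshold - intercept) / slope


def forecast_decision(samples: List[Sample], threshold: float,
                      reaction_time_h: float) -> Tuple[str, Optional[float]]:
    """Map the forecast to an action.

    reaction_time_h is the (assumed) time budget needed to leave the safety-relevant VOS,
    e.g. to bring the vehicle to a safe parking position. Actions:
      nominal                    keep operating, re-evaluate at the next sample
      leave_safety_relevant_vos  imminent fault: start the transition now, while the
                                 function is still available
      failure_threshold_reached  the forecast came too late; the fault is present
    """
    now = samples[-1][0]
    t_cross = predicted_crossing(samples, threshold)
    if t_cross is None:
        return "nominal", None
    remaining = t_cross - now
    if remaining <= 0.0:
        return "failure_threshold_reached", remaining
    if remaining <= reaction_time_h:
        return "leave_safety_relevant_vos", remaining
    return "nominal", remaining


# Constructed sample data: a parameter rising linearly from 20 to 40 over 400 operating hours.
SAMPLE_TREND: List[Sample] = [(0.0, 20.0), (100.0, 25.0), (200.0, 30.0),
                              (300.0, 35.0), (400.0, 40.0)]
SAMPLE_THRESHOLD = 50.0        # value at which the element is assumed to fail

if __name__ == "__main__":
    for budget in (100.0, 250.0):
        action, margin = forecast_decision(SAMPLE_TREND, SAMPLE_THRESHOLD, budget)
        print(f"reaction budget {budget:5.0f} h -> {action} (margin {margin:.0f} h)")
```

The threshold and the reaction budget are the two tunables the paragraph above alludes to ("depending on the definition of the relevant thresholds"): a too-tight threshold turns forecasting into mere fault detection, a too-generous one trades availability for early, unnecessary transitions. Any real monitor also needs noise handling (windowing, plausibility limits on the slope) that this minimal example omits.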
Similar to fault avoidance measures, the specified functionality is provided with the minimum performance necessary to prevent an SG violation as long as it is required for a safety-relevant VOS. Entering the VOS in which the functionality is no longer safety-relevant, strictly speaking, cannot be called entering the safe state because a safe state is, by definition, an operating mode in the case of a failure [7]. However, the definition of safe state may also be interpreted differently. Because an SM controls a fault, or at least an imminent fault depending on the definition of the relevant thresholds, by transitioning to a minimal risk condition before the occurrence of the safety-relevant failure, this minimal risk condition may also be interpreted as a safe state. Thereby, the occurrence of the hazardous event is prevented. Nevertheless, a failure is not necessarily present in this state.

Besides the application of fault forecasting measures to ensure functional safety, fault forecasting measures can also contribute "to establish accurate maintenance support plan [and] reduce maintenance support cost" [21].
3) FAULT TOLERANCE MEASURES LEADING TO FAIL-ACTIVE
Fault tolerance measures lead to fail-active behavior by implementing redundancy, see Fig. 1 "S.II-C 3)". In contrast to fault avoidance and fault forecasting measures, fault tolerance measures ensure "a specified functionality even in the presence of one or more faults" [7]. Thereby, the performance of the backup system during nominal operation as well as its performance after the first fault shall be further refined, see Section II-C 3a) respectively Fig. 1 "S.II-C 3a)" and Section II-C 3b) respectively Fig. 1 "S.II-C 3b)".

Redundancy can be either homogeneous or heterogeneous/diverse [22]:
1) Homogeneous redundancy: "simply replicating the same elements [...] is used to cope with random HW failures";
2) Heterogeneous/diverse redundancy: "refers to different solutions to fulfill the same requirement [...] applied to cope with systematic" [22] and random HW failures.
In general, redundancy "always denotes an additional mean to the means that would be necessary for the intended function" [22]. In other words: it is accompanied by overdesign of the system as long as no fault occurs. Thus, if reasonable, it may be intended to avoid redundant structures in order to prevent a negative impact on system costs, packaging, and weight by applying fault avoidance and optional fault forecasting instead of fault tolerance measures. However, the implementation of redundancy can also be required to fulfill the most current state of science or to enable homologation, as explained in Section II-A. Additionally, redundancy can be a consequence of the necessity to meet the HW-metric requirements according to ISO 26262 even though redundancy is not explicitly required by the standard. Redundancy is the most obvious and efficient measure to increase the availability of a system [23]. It can comprise two redundant systems, i.e. whereby only 1-out-of-2 systems must work to ensure functionality, or several redundant systems, i.e. whereby n-out-of-m systems must work.
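To put numbers on the 1-out-of-2 and n-out-of-m structures just mentioned, here is an added example (not from the paper) that computes the probability of losing the function within a mission time for a single channel, a 1-out-of-2 and a 2-out-of-3 arrangement of identical channels, using the FIT definition from Section II. The per-channel failure rate and mission time are constructed; the constant-failure-rate model, the independence of channels, and the optional beta-factor term for common-cause failures (an IEC 61508-6 style approximation, not something the paper states) are assumptions of this example.

```python
import math
from typing import Dict


def channel_fail_probability(lambda_fit: float, mission_hours: float) -> float:
    """Probability that one channel with constant failure rate lambda_fit fails within
    mission_hours. 1 FIT = 1 failure per 1e9 operating hours (as stated in the paper)."""
    if lambda_fit < 0.0 or mission_hours < 0.0:
        raise ValueError("failure rate and mission time must be non-negative")
    return 1.0 - math.exp(-lambda_fit * 1e-9 * mission_hours)


def koon_loss_probability(k: int, n: int, p_fail: float, beta: float = 0.0) -> float:
    """Probability that fewer than k of n channels survive, i.e. the function is lost.

    Channels are assumed independent with identical p_fail. beta (assumed beta-factor
    model) is the fraction of each channel's failure probability treated as common-cause:
    that part takes every channel down at once, the rest fails channels independently.
    """
    if not 0 < k <= n:
        raise ValueError("need 0 < k <= n")
    if not (0.0 <= p_fail <= 1.0 and 0.0 <= beta <= 1.0):
        raise ValueError("p_fail and beta must be probabilities")
    p_ind = (1.0 - beta) * p_fail   # independent share of a channel failure
    p_ccf = beta * p_fail           # common-cause share, hits all channels together
    # Independent failures alone lose the function once n-k+1 or more channels have failed.
    loss_ind = sum(math.comb(n, j) * p_ind ** j * (1.0 - p_ind) ** (n - j)
                   for j in range(n - k + 1, n + 1))
    # Lost if the common-cause event occurs OR enough independent failures accumulate.
    return 1.0 - (1.0 - p_ccf) * (1.0 - loss_ind)


def compare_architectures(lambda_fit: float, mission_hours: float,
                          beta: float = 0.0) -> Dict[str, float]:
    """Loss-of-function probability over the mission for three common structures."""
    p = channel_fail_probability(lambda_fit, mission_hours)
    return {
        "single":  koon_loss_probability(1, 1, p, beta),
        "1oo2":    koon_loss_probability(1, 2, p, beta),
        "2oo3":    koon_loss_probability(2, 3, p, beta),
    }


# Constructed sample: 100 FIT per channel over a 10 000 h mission.
SAMPLE_LAMBDA_FIT = 100.0
SAMPLE_MISSION_HOURS = 10_000.0

if __name__ == "__main__":
    for beta in (0.0, 0.05):
        res = compare_architectures(SAMPLE_LAMBDA_FIT, SAMPLE_MISSION_HOURS, beta)
        print(f"beta={beta:.2f}: " + ", ".join(f"{k}={v:.3e}" for k, v in res.items()))
```

With beta set to zero the 1oo2 structure improves on the single channel by roughly a factor of 1/p; with even a few percent of common-cause failures the common-cause term dominates the result. That is the quantitative face of the "sufficient independence" condition in the ASIL-decomposition requirements and of the shared-resource argument in Section I-C: two channels hanging off one power feed are not independent, and a dependent failure analysis is what establishes whether the small beta the calculation assumes is justified.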
In the case of redundancy, ASIL decomposition can be applied to lower the ASIL for each redundant system and thus enable a less stringent development process according to ISO 26262. It is defined as "apportioning of redundant safety requirements to elements, with sufficient independence, conducing to the same [SG]" [7]. Several requirements shall be considered regarding ASIL decomposition, e.g. [3]:
1) "apply ASIL decomposition according to permitted ASIL decomposition schemas";
2) "evidence for sufficient independence of the elements after decomposition shall be made available";
3) "Each decomposed safety requirement shall comply with the initial safety requirement by itself".
If ASIL decomposition is applied to comply with an SG specifying a SaRA requirement, the single elements can be fail-passive as far as their reaction to random HW faults is concerned. However, systematic faults with the potential to violate the decomposed SaRA requirement must still be prevented in compliance with the decomposed ASIL. This is particularly relevant in the case a single element contains portions with a lower ASIL capability than required. In this case, the coexistence criteria shall be met [3], ensuring that the lower ASIL portion cannot violate the SaRA requirement allocated to a single element.
A further common misunderstanding within the automotive industry is the assumption that requirements assigned with QM integrity are intrinsically non-safety-relevant and thus completely out of the scope of ISO 26262. In general, QM "denotes no requirement to comply with ISO 26262" [12]. However, if "the corresponding hazardous event can have consequences with regards to safety [...] safety requirements can be formulated" [12]. A consequence with regard to safety is present if the "absence of unreasonable risk" [7] is not fulfilled. Thereby, an unreasonable risk is present if the risk is "judged to be unacceptable in a certain context" [7]. Risk is defined as a "combination of the probability of occurrence of harm and the severity [(S)] of that harm" [7]. The probability of occurrence of harm depends on the controllability (C) "to avoid a specified harm" [7] and the exposure (E) "being in an operational situation that can be hazardous if coincident with the failure mode" [7]. Therefore, no risk is present only if at least one of the parameters S, E, or C is rated as zero, i.e. S0, E0 or C0. If this is not the case and a hazard is identified as QM in the HARA, at least standard quality processes shall be applied to manage the identified risk. No further requirement to comply with ISO 26262 shall be considered in addition to the completion of the item definition, HARA and traceability from the SG to the applied quality processes. Thus, an SG specifying a SaRA requirement rated with QM is also possible, whereby availability shall be ensured by applying sufficient quality processes. This includes measures to ensure that the system is reasonably free from systematic faults that can lead to a loss of the availability.

Depending on the criticality identified during QM processes, additional QM measures may need to be implemented to reduce the risk to a reasonable level. This procedure is illustrated in Fig. 2 as a deep dive for the decision symbol "Loss of vehicle function can lead to hazardous event" from Fig. 1. To identify criticality during QM processes, e.g. the risk priority number can be derived in a failure mode and effects analysis (FMEA) [10]. FMEA can be seen as the "most commonly used and well-known qualitative reliability method" which is applied "to analyse and modify components in the light of experience to achieve an optimum criterion of reliability assessment" [10].
FIGURE 2. Deep dive ‘‘Loss of vehicle function can lead to hazardous event’’ from Fig. 1.
If QM integrity is a result of a decomposition, additionally, a dependent failure analysis shall be conducted to ensure sufficient independence between the element implementing the QM(X) safety requirement and the element implementing the ASIL X(X) safety requirement [3].
Even in the case of fault tolerance measures to comply with an SG specifying a SaRA requirement, fault avoidance and optional fault forecasting measures shall be applied at the lowest level. However, the requirements to ensure fault avoidance and optional fault forecasting can be reduced for each redundant system if ASIL decomposition is applied.
a: PERFORMANCE OF BACKUP SYSTEM DURING NOMINAL OPERATION: COLD REDUNDANCY VS. WARM REDUNDANCY VS. HOT REDUNDANCY
In general, the performance of a backup system during fault-free operation can be integrated into the nominal mode in different ways. According to IEC 61508, the following options are possible [18]:
1) Stand-by redundancy: ‘‘only one of the redundant item working at the same time’’;
2) Mixed redundancy: ‘‘one or several items running and one or several items in stand-by at the same time’’;
3) Active redundancy: ‘‘all redundant item running at the same time’’.
Even if the term ‘‘item’’ is used in the definitions of IEC 61508 to define the different variants of redundancy, the application is not limited to the item level. These redundancy concepts are also applicable at lower levels, e.g. system level, subsystem level or component level as defined in ISO 26262. The definition of cold redundancy according to Birolini [24] is similar to that of stand-by redundancy as defined in IEC 61508. However, Birolini refines active redundancy into warm and hot redundancy [24]:
1) Cold redundancy: ‘‘Redundant elements are subjected to no load until they become operating; load sharing is possible for operating elements, but not considered in the case of independent elements, and the failure rate in reserve (standby) state is assumed to be zero’’.
2) Warm redundancy: ‘‘Redundant elements are subjected to a lower load until they become operating; load sharing is possible, but not considered in the case of independent elements’’; failure rate ‘‘is somewhere between active and standby’’.
3) Hot redundancy: ‘‘Redundant elements are subjected from the beginning to the same load as operating elements; load sharing is possible, but not considered in the case of independent elements’’.
In the case of a cold redundancy, actions such as activating
or switching to the backup system are required. In the case of
a warm or hot redundancy, no action to activate the backup
is necessarily required because the backup system is already
active during nominal operation.
During the design process, warm and hot redundancies shall be differentiated, e.g. when designing diagnostic functions. For warm redundant systems operated with a lower load during nominal operation, the capability to operate at full load after a first fault must be predicted based on partially loaded operation. Thus, it is usually more difficult to apply diagnostics to prevent faults from being latent because the fully loaded operating mode may not be testable. In general, the more the partially loaded operation deviates from the fully loaded operation, the more difficult it becomes to diagnose the loss of the corresponding capability. This may lead to lower diagnostic coverage and thus, potentially, more latent faults.
However, the differentiation between warm and hot redundancies can be ambiguous. Consider the example provided in ISO 26262, where an ‘‘item is composed of two systems each of which is capable of providing 50 % of the maximum specified output’’ [8]. The backup system is assumed to contribute to the output performance only if more than 50 % of the output performance is required. Additionally, a hazardous event is assumed ‘‘if the item output performance drops below 50 % of its specified maximum output’’ [8]. Regarding the maximum output performance, this represents a hot redundancy because even the backup system may need to provide its full output performance, i.e. 50 % of the item output performance, during nominal operation. However, the average load of the backup system is, typically, far below 50 %; thus, the item can be considered a warm redundancy. In general, if most of the operating modes require only reduced backup system performance, the corresponding architecture shall be considered a warm redundancy.
b: PERFORMANCE OF BACKUP SYSTEM AFTER FIRST FAULT: FAIL-DEGRADED VS. FAIL-OPERATIONAL
The performance of the backup system is an essential design parameter. Fail-active behavior can be refined into fail-degraded or fail-operational. They are differentiated as follows:
1) Fail-degraded: ‘‘Provide functionality with reduced performance’’ [17], i.e. ‘‘if it can provide its specified functionality with below nominal performance’’ [16];
2) Fail-operational: ‘‘Provide functionality with nominal performance’’ [17]; in some use cases it may even be required to ‘‘provide its specified functionality with at least nominal performance’’ [16].
If a SaRA requirement is specified, typically, a safe state cannot be reached within the fault tolerant time interval (FTTI) after the first fault in the main system. The FTTI is defined as the ‘‘minimum time-span from the occurrence of a fault in an item to a possible occurrence of a hazardous event’’ [7]. After such a fault, the ASIL capability of the item is usually lower than the ASIL rating of the possible hazard, even if fail-operational behavior, i.e. full performance after a first fault, is implemented. In this case, an EO may be entered after switching to the backup system until a safe state is reached [8]. The EO is still considered to be free from unreasonable risk because ‘‘the operating time in this state is limited, such that it is unlikely that an additional fault occurs, which leads to a violation of the [SG]’’ [8]. However, the EO is not a safe state: the EO is a temporary operating mode to provide safety, i.e. ‘‘defined and verified to be safe’’ [8], whereas a safe state is in general not limited in time. A safe state may be a VOS without any SaRA requirement, i.e. a VOS in which the loss of the corresponding functionality is not safety-relevant.
III. APPLICATION OF SAFETY-RELATED AVAILABILITY IN THE POWER SUPPLY DOMAIN
In this section, the previously described definitions are mapped to an example of the power supply domain. First, an exemplary use case focusing on steering assistance by the electrical power steering (EPS) is introduced. Subsequently, the SaRA requirements for the power supply system are discussed, focusing on safe power feed.
A. USE CASE: ELECTRICAL STEERING ASSIST
The same hazardous event and the same SG as introduced in [1] are assumed, see Table 3. In contrast to [1], where the power supply system is considered a system below an item, in this paper the power supply system is considered an item below the entity steering. In Section III-A 1) and 2), further details about the definition of the power supply system as an item and about the use case in Table 3, including relevant generic safety requirements, are provided. A potential power supply system architecture to comply with the SG is introduced in Section III-A 3).
TABLE 3. Exemplary evaluation of hazard ‘‘sudden loss of steering assist’’ [1].
1) POWER SUPPLY SYSTEM AS AN ITEM
An item is defined as ‘‘system or combination of systems, to which ISO 26262 is applied, that implements a function or part of a function at the vehicle level’’ [7]. According to this definition, the power supply system can be defined as an item because, from a functional point of view, it implements a part of several vehicle functions, e.g. steering or braking, by providing the necessary power. Additionally, the power supply system meets the requirement of a system, i.e. it ‘‘relates at least a sensor, a controller and an actuator with one another’’ [7]. In the presented example, the focus is on the item ‘‘EPS’’ and the item ‘‘power supply system’’. Both combined are considered part of a superior entity, in this case the entity steering. The entity concept in general is described in [17].
Therefore, a HARA is performed on entity level as well as for each of these items separately. Whereas the HARA on entity level mainly focuses on the vehicle function, e.g. the steering functionality, the HARA for each item focuses on its specific features. In the HARA for the steering entity, the prevention of the sudden loss of steering assist is determined as an ASIL C-rated SG with an FTTI_Entity of 100 ms, see Table 3. Because the unavailability of the steering functionality can lead to a hazardous event while driving, the derived SG specifies a SaRA requirement. In general, if a HARA is conducted on entity level, a SaRA requirement can also be initially derived for an entity; thus, in addition to Section II-A, a SaRA requirement is initially derived either for an entity or an item. The SaRA requirement of the steering entity including its ASIL rating is allocated to the item EPS and the item power supply system.
Functional dependencies between items are defined as conditions of use. At least the number of interfaces and the corresponding ASIL to ensure a safe power supply are of interest for the item power supply system. This includes the definition of the relevant voltage-time-limits and current profiles derived from different driving maneuvers with the corresponding ASIL rating, i.e. the energy and power that is required to perform the safety-relevant driving maneuvers. The SG for the power supply system is derived as ‘‘Prevent sudden loss of steering assist due to failure in power supply, i.e., ensure power supply stays within defined voltage-time-limits’’ rated with ASIL C.
The identified hazard can be prevented if the input voltage at the EPS is not below 8 V for longer than 100 ms (premise: the safety-relevant driving maneuvers, including the minimal risk maneuver, are fully supported as long as the EPS voltage is not below 8 V). In the HARA for the item power supply system, the relevant FTTI_PSS is derived based on the voltage-time-limits of the EPS addressed to the power supply system as a condition of use. For example, after a HW reset of the EPS caused by an insufficient power supply (e.g., U < 6 V for t > 100 µs), the period to restart and ramp up the EPS is considerably longer than the FTTI_EPS of the item EPS. Therefore, such a reset must be prevented in the first place, leading to an FTTI_PSS of 100 µs for the power supply system.
Each safety-relevant voltage-time-limit results in a different voltage-dependent FTTI_PSS. In other words: depending on the voltage-time-limits of the EPS, the relevant voltage-FTTI-combinations are derived for the power supply system. Additionally, further E/E systems may allocate stricter voltage-FTTI-limits to the power supply system. In total, the most stringent voltage-FTTI-limits considering all E/E systems shall be taken into account with the corresponding ASIL for the power supply system's development. However, only the shortest FTTI_PSS of 100 µs for the power supply system is considered in this paper. The voltage-time-limits shall be achieved for specified current profiles. Instead of allocating the timing properties as conditions of use from the item EPS to the item power supply system, the EPS and the power supply system can be considered systems below the item steering [1]. Both approaches result in similar safety requirements for power supply systems.
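The voltage-FTTI combinations described above, as an added example that is not part of the paper: the Python check below merges the EPS limits (8 V for at most 100 ms, 6 V for at most 100 µs) with a constructed limit of a hypothetical second consumer X to obtain the most stringent limit per threshold, then measures how long a constructed EPS input-voltage trace dwells below each threshold. Consumer X, the trace and the rule for the ASIL of a merged limit are assumptions.

```python
"""Voltage-time-limit check for the power supply system (added example).
The EPS limits are the ones from the use case; consumer "X", the trace and
the ASIL merge rule are constructed assumptions."""
from dataclasses import dataclass

# Rank used when two limits at the same threshold carry different ASILs.
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


@dataclass(frozen=True)
class VoltageTimeLimit:
    """One voltage-FTTI combination allocated to the power supply system."""
    consumer: str       # E/E system that allocates the limit
    threshold_v: float  # undervoltage threshold at the consumer's input
    max_dwell_s: float  # longest tolerated time below the threshold (FTTI_PSS)
    asil: str           # ASIL of the SaRA requirement behind the limit


LIMITS = [
    VoltageTimeLimit("EPS", 8.0, 100e-3, "C"),  # steering assist must stay available
    VoltageTimeLimit("EPS", 6.0, 100e-6, "C"),  # HW reset of the EPS must be prevented
    VoltageTimeLimit("X", 8.0, 60e-3, "B"),     # constructed stricter limit of consumer X
]


def merge_limits(limits):
    """Keep, per threshold, the most stringent dwell time over all consumers.
    Assumed merge rule: the highest ASIL seen at that threshold is kept."""
    merged = {}
    for lim in limits:
        cur = merged.get(lim.threshold_v)
        if cur is None:
            merged[lim.threshold_v] = lim
            continue
        stricter = lim if lim.max_dwell_s < cur.max_dwell_s else cur
        asil = max(lim.asil, cur.asil, key=ASIL_RANK.__getitem__)
        merged[lim.threshold_v] = VoltageTimeLimit(
            stricter.consumer, lim.threshold_v, stricter.max_dwell_s, asil)
    return sorted(merged.values(), key=lambda l: l.threshold_v, reverse=True)


def longest_dwell_below(trace, threshold_v):
    """Longest contiguous time the trace stays below threshold_v.
    trace: list of (duration_s, voltage_v) piecewise-constant segments."""
    longest = current = 0.0
    for duration_s, voltage_v in trace:
        if voltage_v < threshold_v:
            current += duration_s
            longest = max(longest, current)
        else:
            current = 0.0  # the dwell timer restarts once the voltage recovers
    return longest


def check_trace(trace, limits):
    """Evaluate every merged limit; returns (limit, observed_dwell_s, violated)."""
    results = []
    for lim in merge_limits(limits):
        dwell = longest_dwell_below(trace, lim.threshold_v)
        results.append((lim, dwell, dwell > lim.max_dwell_s))
    return results


# Constructed EPS input-voltage trace: nominal 13.5 V, an 80 µs dip to 5.5 V
# (tolerated: shorter than 100 µs), recovery at 9 V, then 120 ms at 7.5 V,
# which exceeds the 8 V dwell limit and would mean loss of steering assist.
TRACE = [(50e-3, 13.5), (80e-6, 5.5), (20e-3, 9.0), (120e-3, 7.5), (10e-3, 13.5)]

if __name__ == "__main__":
    for lim, dwell, violated in check_trace(TRACE, LIMITS):
        print(f"{lim.threshold_v:4.1f} V for at most {lim.max_dwell_s * 1e6:8.0f} us "
              f"(ASIL {lim.asil}, from {lim.consumer}): "
              f"observed {dwell * 1e6:8.0f} us -> {'VIOLATED' if violated else 'ok'}")
```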
Because the FTTI is a ‘‘relevant attribute for [SGs]’’ [7] and thus, defined at item or entity level, it shall be refined for the element level as the maximum fault handling time interval (FHTI_max) to ‘‘support the functional safety concept’’ [7]. In this paper, it is explicitly differentiated between the FHTI_max as a requirement and the fault handling time interval (FHTI) as an actual characteristic of a SM [1]. In contrast to [1], the FTTI_PSS is equal to the FHTI_max at a lower level because the dependency of the EPS availability on the voltage-time-limits is already considered in the HARA for the power supply system. Therefore, a reset is avoided which would lead to unavailability of the steering item for longer than the FTTI_Entity [1].
Due to the ASIL C-rating of the SG, the corresponding HW-metric targets for the power supply system are defined as follows [9]:
1) PMHF_PSS: < 100 FIT;
2) SPFM_PSS: ≥ 97 %;
3) LFM_PSS: ≥ 80 %.
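One way to check a power supply system budget against these targets, as an added example (not the paper's own analysis): the Python code below classifies a constructed set of elements from Fig. 3 into single-point, residual and multiple-point faults and computes SPFM and LFM per ISO 26262-5. All failure rates, diagnostic coverages and the element split are assumptions, and the PMHF figure is only the single-point plus residual share, i.e. a lower bound that leaves out the dual-point term.

```python
"""ISO 26262-5 hardware architectural metrics for the exemplary power supply
system (added example). Element split, failure rates and diagnostic coverages
are constructed assumptions, not values from the paper or the ZVEI guideline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HwElement:
    name: str
    lam_fit: float       # total failure rate in FIT (1e-9 per hour), constructed
    unsafe_share: float  # share of failure modes that can contribute to an SG violation
    redundant: bool      # True: violates the SG only together with a second fault
    dc_control: float    # coverage of the SM that prevents the SG violation
    dc_latent: float     # coverage of the SM that keeps a multiple-point fault from being latent


def classify(e):
    """Split the element's failure rate into the ISO 26262-5 fault classes:
    single-point (spf), residual (rf), latent and detected multiple-point, safe."""
    unsafe = e.lam_fit * e.unsafe_share
    safe = e.lam_fit - unsafe
    if e.redundant:
        # Both power feeds must fail before the SG is violated (second-order
        # multiple-point failure): no single-point or residual share.
        spf, rf, covered = 0.0, 0.0, unsafe
    elif e.dc_control == 0.0:
        # Single-channel element without a controlling SM: single-point fault.
        return dict(spf=unsafe, rf=0.0, mpf_latent=0.0, mpf_detected=0.0, safe=safe)
    else:
        # Single-channel element with a controlling SM: the uncovered share is
        # residual, the covered share becomes a multiple-point fault.
        rf = unsafe * (1.0 - e.dc_control)
        spf, covered = 0.0, unsafe - rf
    latent = covered * (1.0 - e.dc_latent)
    return dict(spf=spf, rf=rf, mpf_latent=latent, mpf_detected=covered - latent, safe=safe)


def metrics(elements):
    """SPFM and LFM as defined in ISO 26262-5 Annex C. The PMHF figure here is
    only the single-point plus residual contribution, i.e. a lower bound; the
    dual-point term is deliberately left out (assumption of this example)."""
    parts = [classify(e) for e in elements]
    total = sum(e.lam_fit for e in elements)
    spf = sum(p["spf"] for p in parts)
    rf = sum(p["rf"] for p in parts)
    latent = sum(p["mpf_latent"] for p in parts)
    return dict(
        spfm=1.0 - (spf + rf) / total,
        lfm=1.0 - latent / (total - spf - rf),
        pmhf_fit_lower_bound=spf + rf,
    )


# ASIL C targets for the power supply system as listed above.
ASIL_C_TARGETS = dict(pmhf_fit=100.0, spfm=0.97, lfm=0.80)


def meets_targets(m, targets=ASIL_C_TARGETS):
    """Per-metric pass/fail; a passing PMHF lower bound is necessary, not sufficient."""
    return dict(
        pmhf=m["pmhf_fit_lower_bound"] < targets["pmhf_fit"],
        spfm=m["spfm"] >= targets["spfm"],
        lfm=m["lfm"] >= targets["lfm"],
    )


# Constructed budget for the architecture of Fig. 3: the redundant feeds and the
# EBS are dual-point with respect to the SG; the single-channel path smart safety
# switch -> C.1 -> EPS is single-point or residual. A stuck-open smart safety
# switch is assumed to have no controlling SM; harness degradation is assumed to
# be pre-detected by the harness monitoring of the smart safety switch.
ELEMENTS = [
    HwElement("DC/DC converter feed", 2000.0, 1.0, True, 0.0, 0.90),
    HwElement("Battery feed", 500.0, 1.0, True, 0.0, 0.60),
    HwElement("EBS (battery monitoring)", 100.0, 1.0, True, 0.0, 0.50),
    HwElement("Smart safety switch", 60.0, 0.5, False, 0.0, 0.0),
    HwElement("Harness C.1 to EPS", 20.0, 0.5, False, 0.90, 0.90),
]

if __name__ == "__main__":
    m = metrics(ELEMENTS)
    print(f"SPFM {m['spfm']:.4f}  LFM {m['lfm']:.4f}  "
          f"PMHF lower bound {m['pmhf_fit_lower_bound']:.1f} FIT -> {meets_targets(m)}")
```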
2) GENERIC SAFETY REQUIREMENTS FOR THE POWER SUPPLY SYSTEM
The generic functional safety concept for an ASIL C-compliant single-channel connected EPS is reused from [1] and adapted to the nomenclature of this paper. It is based on the three generic safety requirements for power supply systems [1]:
1) ensure safe power feed;
2) ensure safe power distribution;
3) ensure freedom from interference.
Besides the safety requirements to ensure a safe power feed by an energy source and/or storage and distributing it to the safety-relevant loads via the wiring harness, freedom from interference shall be considered [1]. Freedom from interference is of particular relevance in the power supply domain because the power supply system is also a connection between several non-safety-related and safety-related components. Therefore, a ‘‘non-safety-related sub-element and safety-related sub-elements coexist in the same element’’ [3]. Faults potentially propagate from non-safety-related elements to safety-related ones and thus, potentially ‘‘directly or indirectly, violate any safety requirement’’ [3]. In other words: a short circuit to ground in a QM consumer may affect the SaRA requirement of the EPS. Freedom from interference is defined as the ‘‘absence of cascading failures between two or more elements that could lead to the violation of a safety requirement’’ [7]. Therefore, if non-safety-related elements or safety-related elements with a lower ASIL have the potential to violate any safety requirement of another coexisting element with a higher ASIL, safety measures shall be applied to ensure compliance with ISO 26262.
3) PRELIMINARY ARCHITECTURAL ASSUMPTIONS
In the early development phases, preliminary architectural assumptions are used ‘‘to handle immature architectural information’’ [7]. An exemplary architecture for the power supply system to comply with the SG introduced in Table 3 is shown in Fig. 3.
The power supply system is assumed to comprise two redundant terminals, i.e. Terminal 30_q (T.30_q) and Terminal 30_s (T.30_s). The terms T.30_s and T.30_q are defined as follows [25]:
1) T.30_s: Represents a terminal that fulfills safety requirements with a certain ASIL concerning systematic faults by itself.
2) T.30_q: Represents a terminal that does not, or not completely, fulfill safety requirements with a certain ASIL concerning systematic faults. Thus, no consumer that requires power supply availability with a certain ASIL shall be allocated to this terminal.
FIGURE 3. Preliminary architectural assumptions of an exemplary power supply system.
An electronic battery sensor (EBS) is used to monitor the battery. The smart safety switch is implemented as a centralized safety measure to, e.g.:
1) separate faults in QM consumers to prevent interference with several safety-relevant loads;
2) monitor the wiring harness from the smart safety switch to a safety-relevant load;
3) perform a plausibility check for the battery monitoring.
B. DEEP DIVE: SAFE POWER FEED IN THE CONTEXT OF SAFETY-RELATED AVAILABILITY
The focus of this section is on the redundant power feed by the DC/DC converter and the lead battery. Additionally, several fault avoidance and fault forecasting measures shall be implemented to ensure the safety of the single-channel connection from the smart safety switch to the EPS (C.1 in Fig. 3). One major issue regarding power distribution in general is the lack of a complete set of standardized failure rates for automotive wiring harness components [1]. To fill this gap, a technical guideline was published by the ‘‘Verband der Elektro- und Digitalindustrie’’ (ZVEI) [26]. To meet the SG specifying a SaRA requirement for the entity steering, the EPS itself shall also fulfill a SaRA requirement with ASIL C.
1) DECOMPOSED POWER FEED
The power feed is decomposed according to [1] into the power feed by the DC/DC converter rated with QM(C) and the power feed by the battery rated with ASIL C(C). This decomposition scheme is chosen to avoid more stringent safety requirements on the DC/DC converter and the high-voltage (HV) system, including, e.g., the HV battery. An extensive evaluation of the general application of decomposition between the power feed by the DC/DC converter and the battery is presented in [1].
Because each ‘‘decomposed safety requirement shall comply with the initial safety requirement by itself’’, each redundant power feed implementing a decomposed safety requirement also inherits the SaRA requirement and the FHTI_max from the superior requirement. Thus, faults potentially leading to a loss of either power feed shall be prevented and/or controlled within the FHTI_max with the decomposed ASIL. To argue the fulfillment of the SaRA requirement for power feed by a battery, its faults can be distinguished between gradual and sudden faults [1]:
1) Gradual faults: can be pre-detected before a critical failure occurs, i.e. mainly to be handled by fault forecasting measures;
2) Sudden faults: can only be post-detected after a critical failure occurs and thus, to be handled by fault avoidance measures.
Because the power feed is considered to be a safety-relevant function in the safety concept, the power feed by the battery needs to be considered due to its electrical interfaces even though it is an electro-chemical element [1], [12]. Thereby, battery faults shall be considered in the quantitative safety evaluation since they can lead to a random HW fault due to, e.g., insufficient safety measures or systematic measurement deviations in the control function at production [1]. A methodology for determining battery failure rates from field data is presented in [27]. Field data of battery failures is published, e.g. by the Battery Council International every five years [28]. However, the failure rates of the battery are not within the scope of this paper. Instead, the focus is on safety measures to ensure the systematic integrity of the power feed by the battery.
Gradual faults of the battery cannot be excluded by design because of unavoidable systematic root causes, e.g. ageing or low temperature of the battery [1]. Because gradual faults can be considered slowly evolving faults, fault forecasting measures are typically applied based on enhanced battery monitoring, e.g. implemented in the EBS [1]. Additionally, unfavorable battery conditions, such as a low state-of-charge, can be prevented by adapting the operational strategy with intelligent energy management [1]. In the most simplified way, fault forecasting measures are applied by defining the minimum required battery charge to ensure at least a minimal risk maneuver. If the actual battery charge reaches this threshold, a transition to a minimal risk condition, i.e. the execution of the minimal risk maneuver, shall be triggered. Additionally, fault avoidance measures, e.g. battery overdesign, can be applied to increase the time until a critical discharge occurs. The SMs implemented to handle gradual battery faults before they cause a loss of power feed by the battery shall be implemented with ASIL C(C). The relatively short FHTI_max is not critical for gradual faults due to fault forecasting. Thus, a gradual battery fault shall not even occur in a safety-relevant VOS, or it is controlled before it can lead to a failure that potentially violates the corresponding safety requirement.
On the other side, sudden faults ‘‘cannot be detected before their occurrence’’ [1] and thus, applying only fault forecasting measures is not sufficient to handle all battery faults. Sudden faults ‘‘are caused by systematic or random HW faults, e.g. rupture of terminal shafts’’ [1]. Therefore, fault avoidance measures shall be applied accordingly. They are considered by allocation to other technology [1], [12] and ‘‘shall be handled in the development and manufacturing process by the battery manufacturer’’ [1]. Similar to gradual faults, FHTI_max is not critical for sudden faults addressed by fault avoidance measures.
FHTI_max is essential for sudden faults that are not sufficiently addressed by fault avoidance measures. For example, faults caused by QM consumers, with the potential to interfere with the safety-relevant power supply, shall be handled within FHTI_max with the corresponding ASIL in order to ensure the required freedom from interference, i.e. to meet the criteria of coexistence. Otherwise, no SaRA requirement can be fulfilled with a certain ASIL.
The loss of both redundant power feeds is considered as a second-order multiple-point failure at the item level, i.e. the power feed by the DC/DC converter and the power feed by the battery must both fail to cause an SG violation. Thus, a multiple-point fault detection time interval (MPFDTI) can be considered additionally for SMs that are only implemented to prevent a multiple-point fault from being latent. In general, only ‘‘random [HW] faults which are multiple-point faults have the potential to be latent’’ [29]. The MPFDTI is, typically, far longer than the FHTI_max. SMs implemented only to prevent a multiple-point fault from being latent can be applied with a reduced ASIL capability according to ISO 26262-4:2018, 6.4.2.5 [29]. However, the application of the MPFDTI and the reduced ASIL capability of the SM are only valid for avoiding latent faults that are already prevented and/or controlled by the decomposed ASIL to not violate the safety requirement of a redundant power feed. For example, such SMs are post-detection mechanisms implemented to prevent a sudden battery fault from being latent.
To ensure ‘‘sufficient independence of the elements after decomposition’’ [3], i.e. between the battery and the DC/DC converter, a dependent failure analysis shall be conducted. Thereby, the DC/DC converter is considered within the guided development process according to ISO 26262 as part of the dependent failure analysis, even if it is rated with QM concerning the systematic development process. In general, a power feed from an energy storage is not independent of its energy source due to a cascading failure, i.e. discharge of the battery without recharging as the effect of a fault of the energy source [1]. This leads to an insufficient power feed by the battery [1]. Thus, fault avoidance and optional fault forecasting measures with the initial ASIL C shall be implemented to ensure SaRA by preventing and/or controlling such cascading failures. Analogous to gradual battery faults, the discharge of the battery as a result of insufficient power feed by the DC/DC converter is considered to be a slowly evolving fault. Therefore, fault forecasting measures shall be applied. The most relevant properties to ensure an available and safe power feed by the battery are summarized in Table 4.
TABLE 4. Summary: safety measures to ensure SaRA of a battery.
2) POWER FEED DURING NOMINAL OPERATION: WARM REDUNDANCY
In nominal operation, power is mainly provided by the DC/DC converter, whereas the battery is only used to buffer high transients; thus, it is only temporarily stressed. Most operating modes require only reduced battery performance. After a fault in the DC/DC converter leading to a loss of power feed by the DC/DC converter, the power feed for the entire power supply system is instantly provided solely by the battery. Thereby, the battery is exposed to a harsher mission profile leading to a potentially fully stressed battery. The mission profile represents all the relevant static and dynamic load conditions. Because no switching is required between the redundant power feeds by either the battery or the DC/DC converter and the backup system is only partially loaded during nominal operation, it is recommended to consider the presented architecture as warm redundancy.
3) POWER FEED AFTER FIRST FAULT: FAIL-OPERATIONAL
As discussed in Sections II-C 3) and III-B 1), systematic faults with the potential to violate the decomposed SaRA requirement shall be prevented in compliance with the decomposed ASIL within FHTI_max. Thus, the elements implementing each decomposed requirement (this includes the DC/DC converter and the battery) shall be available. However, a random HW fault may cause the loss of either redundant power feed, e.g. a short circuit to ground in an HV base load may cause the loss of power feed by the DC/DC converter. After the loss of the redundant system, the vehicle function, or a part of it (i.e. the power supply), is provided with a lower ASIL capability. This is typically the case if redundancy is implemented because, in most cases, neither redundant system by itself fulfills the safety requirements at the ASIL of the initial possible hazard as far as systematic faults and/or random HW faults are concerned. In our example, the following is assumed:
1) Power feed by battery with ASIL C(C): ensures an ASIL C-compliant safe power supply only regarding systematic faults but not regarding random HW faults by itself;
2) Power feed by DC/DC converter with QM(C): ensures neither an ASIL C-compliant safe power supply regarding systematic faults nor regarding random HW faults by itself.
Nevertheless, the battery and the DC/DC converter each have the necessary power feed capability by themselves; this is a prerequisite for the applied ASIL decomposition. The power feed only by the battery is limited in time due to electrical discharging without recharging. Therefore, a safe state shall be achieved within a feasible time. A safe state can be a VOS where no SaRA requirement is specified for the power supply system, e.g. vehicle standstill.
IV. CONCLUSION
To standardize the safety process and improve its applicability in the power supply domain, one of the remaining challenges is the fulfillment of SaRA requirements for power supply systems. In this paper, the commonalities and differences between SaRA requirements, fail-passive behavior and fail-active behavior are evaluated. In general, SaRA requirements cannot be fulfilled only by fault tolerance measures leading to fail-active behavior. In addition, fault avoidance and fault forecasting measures are possible solutions. In the case of fault tolerance measures, power supply systems are typically considered warm redundancy, i.e. the backup system is not fully loaded during nominal operation and no switching between the redundant systems is required.
If redundancy is implemented to comply with an SG specifying a SaRA requirement and ASIL decomposition is applied, systematic faults with the potential to violate the decomposed requirement shall be prevented in compliance with the decomposed ASIL, i.e. the elements implementing each decomposed requirement shall be available. Thus, fault avoidance and optional fault forecasting measures are required even for redundant elements to ensure SaRA. By applying ASIL decomposition, the requirements can be reduced for each redundant element. However, the reaction to random HW faults may lead to fail-passive behavior of these elements.
This paper contributes to further standardization of functional safety in the power supply domain by clearly differentiating between relevant terms in the case of an SG specifying a SaRA requirement. Because EO is widely discussed in the context of SaRA requirements, further research is necessary to evaluate the application of EO in the context of power supply systems.
ACKNOWLEDGMENT
The authors would like to thank David Linden, Frederic Heidinger, and especially Markus Wörz for the inspiring discussions about the applicability of the provided definitions and interpretations.
REFERENCES
[1] P. Kilian, A. Köhler, P. Van Bergen, C. Gebauer, B. Pfeufer, O. Koller, and B. Bertsche, ‘‘Principle guidelines for safe power supply systems development,’’ IEEE Access, vol. 9, pp. 107751–107766, 2021, doi: 10.1109/ACCESS.2021.3100711.
[2] Steering System of Motor Vehicles. Basic Requirements, document GB 17675-2021, 2021.
[3] Road Vehicles—Functional Safety—Part 9: Automotive Safety Integrity Level (ASIL)-Oriented and Safety-Oriented Analyses, document ISO 26262-9:2018(E), 2018.
[4] ADAC, Pannenstatistik 2021: Die Zuverlässigkeits-Hitliste. Accessed: Apr. 25, 2022. [Online]. Available: https://www.adac.de/rund-ums-fahrzeug/unfall-schaden-panne/adac-pannenstatistik/
[5] A. Koehler and B. Bertsche, ‘‘An approach of fail operational power supply for next generation vehicle powernet architectures,’’ in Proc. 30th Eur. Saf. Rel. Conf. 15th Probabilistic Saf. Assessment Manage. Conf. (ESREL-PSAM), Venice, Italy, Nov. 2020, pp. 60–67, doi: 10.3850/978-981-14-8593-0_5731-cd.
[6] International Electrotechnical Vocabulary—Part 192: Dependability, document IEC 60050-192, 2015.
[7] Road Vehicles Functional Safety—Part 1: Vocabulary, document ISO 26262-1:2018(E), 2018.
[8] Road Vehicles Functional Safety—Part 10: Guidelines on ISO 26262, document ISO 26262-10:2018(E), 2018.
[9] Road Vehicles Functional Safety—Part 5: Product Development at the Hardware Level, document ISO 26262-5:2018(E), 2018.
[10] B. Bertsche, Reliability in Automotive and Mechanical Engineering. Berlin, Germany: Springer, 2008, doi: 10.1007/978-3-540-34282-3.
[11] P. Kilian, A. Köhler, M. Schneider, T. Tomanic, and M. Dazer, ‘‘Advanced modelling of diagnostics in an FTA,’’ presented at the Safetronic, Stuttgart, Germany, Nov. 2021.
[12] Road Vehicles Functional Safety—Part 3: Concept Phase, document ISO 26262-3:2018(E), 2018.
[13] C. Gebauer, ‘‘Fail operational and ISO 26262 2nd edition,’’ presented at the Safetronic, Stuttgart, Germany, Nov. 2018.
[14] Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles, document SAE J 3016, 2018.
[15] Regulation No. 13-H of the Economic Commission for Europe of the United Nations (UN/ECE) Uniform Provisions Concerning the Approval of Passenger Cars With Regard to Braking, document ECE R 13-H, 2015.
[16] T. Stolte, S. Ackermann, R. Graubohm, I. Jatzkowski, B. Klamann, H. Winner, and M. Maurer, ‘‘A taxonomy to unify fault tolerance regimes for automotive systems: Defining fail-operational, fail-degraded, and fail-safe,’’ IEEE Trans. Intell. Vehicles, early access, Nov. 23, doi: 10.1109/TIV.2021.3129933.
[17] C. Gebauer, ‘‘Item definition & PMHF budgeting for automated driving functions,’’ presented at the Safetronic, Stuttgart, Germany, Nov. 2018.
[18] Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems—Part 4: Definitions and Abbreviations, document IEC 61508-4 2010, 2010.
[19] ISO/IEC/IEEE International Standard Systems and Software Engineering–Vocabulary, document ISO/IEC/IEEE 24765:2017(E), 2017.
[20] M. Stohrer, S. Kemmler, O. Koller, P. Zeiler, and B. Bertsche, ‘‘Zuverlässigkeitsorientierte online-optimierung von Betriebsstrategien mechatronischer Produkte,’’ in Proc. Stuttgarter Symp. Für Produktentwicklung, 2013, p. 17, doi: 10.13140/2.1.2162.8161.
[21] T. Xu, J. Zhao, Y. Liu, and J. Yang, ‘‘Fault forecasting of missile equipment based on improved UGM (1, m, w) model,’’ in Proc. Int. Conf. Qual., Rel., Risk, Maintenance, Saf. Eng., Jun. 2012, pp. 747–750, doi: 10.1109/ICQR2MSE.2012.6246337.
[22] A. Schnellbach, ‘‘Fail-operational automotive systems,’’ M.S. thesis, Dept. Adam Schnellbach, Inst. Automot. Eng., TU Graz Univ. Technol., Graz, Austria, 2016.
[23] Bundesamt Für Sicherheit in der Informationstechnik. Redundanz Modularität Skalierbarkeit. Accessed: Apr. 25, 2022. [Online]. Available: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Hochverfuegbarkeit/Redundanz-Modularitaet-Skalierbarkeit/Redundanz-Modularitaet-Skalierbarkeit_node.html
[24] A. Birolini, Reliability Engineering: Theory and Practice, 12th ed. New York, NY, USA: Springer, 2017, doi: 10.1007/978-3-662-54209-5.
[25] VDA Empfehlung Für Einen Mindestsicherheitsstandard Der Energieversorgung Und Deren Elemente im Rahmen der ISO 26262, document VDA 450, draft, 2022.
[26] ZVEI E.V. Ausfallraten Für Bordnetz-Komponenten im Automobil: Erwartungswerte und Bedingungen. Technical Guideline. Accessed: Apr. 25, 2022. [Online]. Available: https://www.bayern-innovativ.de/services/asset/pdf-dokumente/cluster-automotive/zvei-bi-tlf-ausfallraten-bordnetzkomponenten-ausgabe1-oktober2021.pdf
[27] R. Conradt, F. Heidinger, and P. Birke, ‘‘Methodology for determining time-dependent lead battery failure rates from field data,’’ Batteries, vol. 7, no. 2, p. 39, 2021, doi: 10.3390/batteries7020039.
[28] D. Knauer, Report on Battery Failure Modes. Chicago, IL, USA: Battery Council International, 2020.
[29] Road Vehicles Functional Safety—Part 4: Product Development at the System Level, document ISO 26262-4:2018(E), 2018.
PHILIPP KILIAN was born in Göppingen, Germany, in 1995. He received the M.S. degree in mechanical engineering from the University of Stuttgart, in 2020, where he is currently pursuing the Ph.D. degree with a focus on modular and scalable safety concepts, in cooperation with Robert Bosch GmbH and the Reliability Engineering Department, Institute of Machine Components. He is working as a Doctoral Student in the field of functional safety in the area of automotive electronics and power supply systems.
OLIVER KOLLER was born in Stuttgart, Germany, in 1985. He received the Diploma degree in electrical engineering and information technology from the University of Stuttgart, in 2011, and the Ph.D. degree in the field of reliability engineering of 48 V mild hybrid systems from Robert Bosch GmbH in cooperation with the Reliability Engineering Department, Institute of Machine Components, University of Stuttgart, in 2016. He is currently a senior expert for cross-component and cross-domain development of power supply architectures, and has been a member of the VDA 450 group “power supply systems for automated driving” since 2019.
PATRICK VAN BERGEN was born in Waiblingen, Germany, in 1989. He received the M.S. degree in mechanical engineering from Reutlingen University and the University of Stuttgart, in 2015. He worked in the field of functional safety for automotive electronics and power supply systems at the Reliability Engineering Department, Institute of Machine Components, University of Stuttgart. He has been with Robert Bosch GmbH since 2018, where he is currently coordinating the functional safety topics in the power supply system area.
CARSTEN GEBAUER joined Robert Bosch GmbH in 2000, where he has been working in the field of safety since 2004. In 2009, he became a member of ISO/TC 22/SC 32/WG 8, the working group tasked with the compilation of ISO 26262 alongside other automotive safety standards.
MARTIN DAZER received the B.Sc. degree in mechanical engineering from Baden-Württemberg Cooperative State University (DHBW), in 2011, and the M.Sc. degree in mechanical engineering and the Dr.-Ing. degree in reliability engineering from the University of Stuttgart, in 2015 and 2019, respectively.
From 2015 to 2018, he was a Research Assistant at the Institute of Machine Components, University of Stuttgart, where he is currently the Head of the Reliability and Drive Technology Department. His research interests cover many aspects of reliability engineering, with a main focus on life testing.
Dr. Dazer is the founder of and a consultant at RelTest-Solutions with TTI GmbH, Stuttgart, Germany. He is a member of the Technical Committee of Reliability Management, Verein Deutscher Ingenieure (VDI), and of the Advisory Board of Safety and Reliability, VDI, Germany.
47880 VOLUME 10, 2022