Embedded & ic - fs risk analysis



The presentation given by Enrico Silani



  1. Functional Safety
     Hazard & Risk Analysis
     MILANO - April, 23rd 2013
     Embedded - IC & Automation Fortronic
     © CEFRIEL 2013; FOR DISCUSSION PURPOSES ONLY: ANY OTHER USE OF THIS PRESENTATION - INCLUDING REPRODUCTION FOR PURPOSES OTHER THAN NOTED ABOVE, MODIFICATION OR DISTRIBUTION - WITHOUT THE PRIOR WRITTEN PERMISSION OF CEFRIEL IS PROHIBITED
  2. Disclaimer
     This presentation was prepared exclusively for the benefit and internal use of the customer and does not carry any right of publication or disclosure to any other party. No right to publish or distribute this document is expressly or implicitly granted to any third party. The present original document was produced by CEFRIEL and no third party may claim any right or paternity on it. No part of this document may be reproduced. The entire document or part of it may not be used for any personal interest without previous written authorization from CEFRIEL.
     © copyright CEFRIEL - Milan, Italy - 2013. All rights reserved in accordance with rule of law and international agreements.
     © copyright CEFRIEL 2013 | All rights reserved | Milano, Italy | April 23, 2013
  3. CEFRIEL OVERVIEW
     December 2011
  4. What is CEFRIEL?
     • Center of excellence for research, innovation and education in Information & Communication Technologies
     • Independent, super-partes and not-for-profit organization
     • Established in 1988
  5. Our mission: bridging the gap between industries and academia to boost innovation
     [Figure: positioning of academic universities, industrial companies and CEFRIEL on the Research / Innovation / Market Delivery axes (levels Low, Medium, High); CEFRIEL's unique value proposition lies between academia and industry]
  6. Our activities
     • Education: Knowledge and IP Sharing
     • Innovation: Knowledge and IP Application
     • Research: Knowledge and IP Creation
  7. FUNCTIONAL SAFETY: (Brief) Introduction
     December 2011
  8. Introduction to Functional Safety: What is Functional Safety? What is Functional Safety about?
     • IEC 61508 definitions:
       • Safety is the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.
       • Risk is a combination of the probability of occurrence of harm and the severity of that harm.
       • Functional Safety is the part of the overall safety that depends on a system or equipment operating correctly (i.e. performing a safety function) in response to its inputs.
     • Functional Safety is thus about achieving "absence of unreasonable risk due to hazards (potential sources of harm) caused by malfunctioning behavior of the electrical/electronic/programmable electronic (E/E/PE) systems".
     • Failures are the main impairment to safety:
       • Systematic failures: failures related in a deterministic way to a certain cause, which can only be eliminated by a change of the design or of the manufacturing process, operational procedures, documentation or other relevant factors → ROBUST PROCESS
       • Random HW failures: failures that can occur unpredictably during the lifetime of a hardware element and that follow a probability distribution → ROBUST DESIGN
  9. Introduction to Functional Safety: Functional Safety standards
     • INDUSTRIAL AUTOMATION [IEC 61508]
     • MEDICAL [IEC 60601, IEC 62304]
     • PROCESS INDUSTRY [IEC 61511]
     • TRANSPORTATION [EN 50126, EN 50128, EN 50129]
     • MACHINERY [IEC 62061]
     • NUCLEAR [IEC 61513, IEC 60880, IEC 60987, IEC 61226]
     • AUTOMOTIVE [ISO 26262]
 10. Introduction to Functional Safety: Risk Reduction
     • The risk emerging from the EUC (Equipment Under Control) is classified according to its tolerability
     • A risk is at a tolerable level if the involved persons (the society) can accept it
     • Standards and rules describe methods to determine the limits of acceptance
     • If such a risk is not tolerable, it must be reduced by means of suitable measures (standards and rules describe measures to reduce risk to an accepted level):
       • E/E/PE measures
       • Other technology measures (e.g., mechanic, hydraulic, …)
       • External risk reduction measures or facilities (e.g., instructions, labels, safety fences, …)
     [Figure: risk reduction diagram. Labels: Rising risk; Necessary risk reduction; Actual risk reduction; Non tolerable risk; Tolerable risk; Residual risk; Partial risk covered by other technology; Partial risk covered by E/E/PE measures; Partial risk covered by external measures; Risk reduction achieved by all safety-related systems and external risk reduction facilities]
 11. Introduction to Functional Safety: Risk Reduction - Example
     [Figure: the risk reduction diagram of the previous slide (Rising risk; necessary vs actual risk reduction; residual / tolerable / non tolerable risk) applied to three brake systems:]
       • CONVENTIONAL BRAKE (mechanics, hydraulics): partial risk covered by other technology; partial risk covered by external measures
       • ELECTROHYDRAULIC BRAKE (hydraulic backup): partial risk covered by other technology; partial risk covered by E/E/PE measures; partial risk covered by external measures
       • ELECTROMECHANIC BRAKE (no hydraulic backup): partial risk covered by E/E/PE measures; partial risk covered by external measures
 12. Introduction to Functional Safety: Safety Function vs Safety Integrity
     • Key concepts in the IEC 61508 standard are RISK and SAFETY FUNCTION
     • Risk is a function of the frequency (or likelihood) of the hazardous event and of the event consequence severity
     • Risk is reduced to a tolerable level by applying safety functions.
     • The SIL (Safety Integrity Level) is the measure of the "risk reduction level" of the Safety Function.
     SAFETY FUNCTION: function which is intended to achieve or maintain a safe state for the equipment under control (EUC) in respect to a specific hazardous event.
     SAFETY INTEGRITY:
     • Probability of a safety-related system satisfactorily performing the required safety function under all stated conditions within a stated period of time (process safety time)
     • Four levels of safety integrity (SIL 1 to 4)
     • Considers all causes of failures (random HW faults and systematic failures) which lead to an unsafe state
     SAFETY-RELATED SYSTEM: designated system that both:
     • Implements the required safety functions necessary to achieve and maintain a safe state for the EUC
     • Is intended to achieve, on its own or with other E/E/PE safety-related systems, other technology safety-related systems or external risk reduction facilities, the necessary safety integrity for the required safety functions
 13. Introduction to Functional Safety: Safety Integrity Level
     • According to IEC 61508:
       • The Safety Integrity Level describes the level of the required risk reduction
       • Scale with 4 levels (SIL 1 to SIL 4): SIL 1 = low, SIL 4 = high
       • Identification by approved measures (risk analysis)
       • Derivation of requirements and measures for the risk reduction depending on the SIL
     • According to ISO 26262:
       • The Automotive Safety Integrity Level describes the level of the required risk reduction
       • Scale with 4 levels (ASIL A to ASIL D): ASIL A = low, ASIL D = high
       • Identification by the method proposed in the standard
     Correspondence between the two scales:
       IEC 61508   ISO 26262
       -           QM
       SIL 1       ASIL A
       SIL 2       ASIL B
       SIL 3       ASIL C, ASIL D
       SIL 4       -
 14. Introduction to Functional Safety: Development of Safety Functions
     • The development of Safety Functions requires the following main steps:
       • Identify and analyze the risks
       • Determine the tolerability of each risk
       • Determine the risk reduction necessary for each intolerable risk
       • Specify the safety requirements for each risk reduction, including their Safety Integrity Level
       • Design the Safety Functions to meet the safety requirements
       • Implement the safety functions
       • Validate the safety functions
     • The safety lifecycle specifies all aspects related to the development process of safety-related systems:
       • Management of the process itself
       • Definition of the system
       • Specification of the system and sub-systems
       • Documentation and configuration management
       • Architectural design
       • Hardware & software design
       • Hardware & software development
       • Test & validation planning
       • Operation, maintenance and decommissioning planning
 15. Introduction to Functional Safety: Safety Lifecycle according to IEC 61508
     [Figure: IEC 61508 overall safety lifecycle, boxes numbered 1 to 16]
       1. Concept
       2. Overall scope definition
       3. Hazard and risk analysis
       4. Overall safety requirements
       5. Safety requirements allocation
       Overall planning:
       6. Overall operation and maintenance planning
       7. Overall safety validation planning
       8. Overall installation and commissioning planning
       Realisation:
       9. Safety-related systems: E/E/PE (E/E/PE safety lifecycle, software safety lifecycle)
       10. Safety-related systems: other technology
       11. External risk reduction facilities
       12. Overall installation and commissioning
       13. Overall safety validation
       14. Overall operation, maintenance and repair
       15. Overall modification and retrofit
       16. Decommissioning or disposal
 16. Introduction to Functional Safety: Safety Lifecycle according to ISO 26262
     [Figure: structure of ISO 26262 by part and clause]
     1. Vocabulary
     2. Management of functional safety
        2.5 Overall safety management
        2.6 Safety management during item development
        2.6 Safety management after release for production
     3. Concept phase
        3.5 Item definition
        3.6 Initiation of the safety lifecycle
        3.7 Hazard analysis and risk assessment
        3.8 Functional safety concept
     4. Product development: system level
        4.5 Initiation of product development at system level
        4.6 Specification of the technical safety requirements
        4.7 System design
        4.8 System integration and testing
        4.9 Safety validation
        4.10 Functional safety assessment
        4.11 Release for production
     5. Product development: hardware level
        5.5 Initiation of product development at hardware level
        5.6 Specification of hardware safety requirements
        5.7 Hardware design
        5.8 Hardware architectural metrics
        5.9 Evaluation of violation of the safety goal due to hardware random failures
     6. Product development: software level
        6.5 Initiation of product development at software level
        6.6 Specification of software safety requirements
        6.7 Software architectural design
        6.8 Software unit design and implementation
        6.9 Software unit testing
        6.10 Software integration and testing
        6.11 Verification of software safety requirements
     7. Production and operation
        7.5 Production
        7.6 Operation, service and decommissioning
     8. Supporting processes
        8.5 Interfaces within distributed developments
        8.6 Specification & management of safety requirements
        8.7 Configuration management
        8.8 Change management
        8.9 Verification
        8.10 Documentation
        8.11 Qualification of software tools
        8.12 Qualification of software components
        8.13 Qualification of hardware components
        8.14 Proven in use argument
     9. ASIL-oriented and safety-oriented analyses
        9.5 Requirement decomposition with respect to ASIL tailoring
        9.6 Criteria for coexistence of elements
        9.7 Analysis of dependent failures
        9.9 Safety analyses
     10. Guidelines on ISO 26262 (informative)
 17. FUNCTIONAL SAFETY: Hazard & Risk Analysis
     December 2011
 18. Hazard & Risk Analysis: Hazard Analysis
     • In order to perform a risk assessment, the hazards (potential sources of harm) of the EUC shall be determined systematically, as well as the event sequences leading to them
     • Techniques that can be used for the extraction of hazards at system level:
       • Brainstorming
       • Checklists
       • Quality history
       • FMEA
       • Fault Tree Analysis (FTA)
       • Event Tree Analysis (ETA)
       • Product metrics
       • Field studies
     • For each identified hazard, risks shall be determined and assessed
     • If a risk is not tolerable, the necessary risk reduction must be evaluated.
 19. Hazard & Risk Analysis: Risk Assessment
     • In order to determine the necessary level of risk reduction (expressed as SIL, ASIL, …), two reference risk levels must be estimated:
       • The EUC risk, associated with the Equipment Under Control
       • The level of risk considered tolerable
     • Risk assessment is the procedure to evaluate the EUC risk
     • Risk assessment can be summarized in answering the question: "How likely is the EUC to fail, and if it does fail, what is the outcome?" → Frequency x Consequence
     • The EUC risk must be assessed independently from the measures adopted to reduce it
     • The EUC risk must be assessed separately for each determined hazardous event
     • Risk assessment techniques can be:
       • Qualitative: provides a qualitative risk assessment (used mainly in the early risk assessment phase)
       • Semi-quantitative (semi-qualitative): provides discrete risk "levels"
       • Quantitative: provides quantitative risk estimates based on formal mathematical models
     • Several techniques can be adopted:
       • ALARP model
       • Risk graph / calibrated risk graph
       • Hazardous event severity matrix
       • Layer of protection analysis (LOPA)
 20. Hazard & Risk Analysis: ALARP Model
     • According to this model, risks can be classified into three classes:
       • The risk is so great that it cannot be justified in any ordinary circumstance
       • The risk is, or has been made, so small as to be insignificant
       • The risk falls between the two previous classes and has been reduced to the lowest practicable level
     • When the risk falls in the last class, then it must be reduced to a level which is "ALARP", i.e. "As Low As Reasonably Practicable"
     [Figure: ALARP regions]
       • Intolerable region: risk cannot be accepted except in extraordinary circumstances
       • ALARP region (risk is undertaken only if a benefit is desired): risk is tolerable only if further risk reduction is impracticable or disproportionate to the benefits obtained; the more the risk is reduced, the less must be spent to reduce it further to satisfy ALARP
       • Broadly accepted region: negligible risk
 22. Hazard & Risk Analysis: ALARP Model - Example
     • As an example consider the following table, where the risk classes are I (lowest risk), II, III, IV (highest risk)
     • The interpretation of the risk classes in terms of the ALARP model might be:

       Frequency \ Consequence   Catastrophic   Critical   Marginal   Negligible
       Frequent                  IV             IV         IV         III
       Probable                  IV             IV         III        II
       Occasional                IV             III        II         II
       Remote                    III            II         II         I
       Improbable                II             II         I          I
       Incredible                I              I          I          I

       Risk class   ALARP interpretation
       I            Negligible risk
       II           Tolerable risk if the cost of risk reduction would exceed the improvement gained
       III          Undesirable risk. Tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained.
       IV           Intolerable risk
 23. Hazard & Risk Analysis: Risk Graph Method
     • The risk graph method is based on the following equation: R = function of (f, C), where
       • R is the risk with no safety-related systems in place
       • f is the frequency of the hazardous event with no safety-related systems in place
       • C is the consequence of the hazardous event
     • The frequency is in turn influenced by:
       • Frequency and exposure time in the hazardous zone
       • Possibility of avoiding the hazardous event
       • Probability of the hazardous event taking place with no safety-related measures in place but with other risk reduction facilities (probability of unwanted occurrence)
     • This extends the number of parameters to be considered to four (ISO 26262 counterpart on the right):
       • C = Consequence of the hazardous event → S = Severity
       • F = Frequency and exposure time in the hazardous zone → E = Exposure
       • P = Possibility of failing to avoid the hazardous event → C = Controllability
       • W = Probability of the unwanted occurrence → --- (no ISO 26262 counterpart)
 24. Hazard & Risk Analysis: Risk Graph Method - Example
     • The implementation of a risk graph requires:
       • Defining values / levels for each parameter
       • Defining the relations between parameters and their levels
     • The values / levels of the parameters, expressed qualitatively or quantitatively as numbers, must be:
       • Justified on a rigorous and widely accepted basis
       • Agreed with all the parties involved
     [Figure: risk graph. Start → C (CA, CB, CC, CD) → F (FA, FB) → P (PA, PB) → intermediate nodes X1 to X6; each node maps to an outcome on each W scale:]

       Node   W3      W2      W1
       X1     a       ---     ---
       X2     SIL 1   a       ---
       X3     SIL 2   SIL 1   a
       X4     SIL 3   SIL 2   SIL 1
       X5     SIL 4   SIL 3   SIL 2
       X6     b       SIL 4   SIL 3

       ---  No safety requirements
       a    No special safety requirements
       b    Single E/E/PE system not sufficient

     • Parameter ordering: C: CA < CB < CC < CD; F: FA < FB; P: PA < PB; W: WA < WB < WC
     • Using different integrity scales, e.g. W1, W2 and W3:
       • Allows accounting explicitly for other risk reduction measures
       • From one scale to another there is an integrity level "shift"
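The risk graph walk described on slides 23 and 24, as an added example that is not part of the original presentation. It encodes the W1/W2/W3 outcome columns exactly as the slide's figure gives them; the path rule for reaching X1 to X6 (CA goes straight to X1, every step to a higher F or P level moves one node further) is my reading of the IEC 61508-5 example risk graph that the slide reproduces, and the sample events are constructed.

```python
# Added example (not from the CEFRIEL slides): IEC 61508 risk graph evaluation.
# Outcome per intermediate node X1..X6 on each W scale, as drawn on slide 24.
RISK_GRAPH_TABLE = {
    "X1": {"W3": "a",     "W2": "---",   "W1": "---"},
    "X2": {"W3": "SIL 1", "W2": "a",     "W1": "---"},
    "X3": {"W3": "SIL 2", "W2": "SIL 1", "W1": "a"},
    "X4": {"W3": "SIL 3", "W2": "SIL 2", "W1": "SIL 1"},
    "X5": {"W3": "SIL 4", "W2": "SIL 3", "W1": "SIL 2"},
    "X6": {"W3": "b",     "W2": "SIL 4", "W1": "SIL 3"},
}

MEANING = {
    "---": "no safety requirements",
    "a": "no special safety requirements",
    "b": "a single E/E/PE safety-related system is not sufficient",
}

C_LEVELS = ("CA", "CB", "CC", "CD")   # consequence, CA < CB < CC < CD
F_LEVELS = ("FA", "FB")               # frequency / exposure time, FA < FB
P_LEVELS = ("PA", "PB")               # possibility of failing to avoid, PA < PB
W_LEVELS = ("W1", "W2", "W3")         # probability of the unwanted occurrence


def risk_graph_node(c, f, p):
    """Walk the graph from Start to the intermediate node X1..X6.

    Assumed path rule (IEC 61508-5 example graph): CA leads to X1 whatever
    F and P are; from CB on, each step to the higher F or P level moves one
    node further, so the node index is 1 + rank(C) + rank(F) + rank(P).
    This gives e.g. CB/FA/PA -> X2 and CD/FB/PB -> X6.
    """
    if c not in C_LEVELS or f not in F_LEVELS or p not in P_LEVELS:
        raise ValueError(f"unknown parameter level: {c}, {f}, {p}")
    if c == "CA":
        return "X1"
    return f"X{1 + C_LEVELS.index(c) + F_LEVELS.index(f) + P_LEVELS.index(p)}"


def required_sil(c, f, p, w):
    """Outcome for one hazardous event: '---', 'a', 'SIL 1'..'SIL 4' or 'b'.

    Choosing a lower W scale (W2, W1) shifts the result one or two integrity
    levels down, which is how the graph credits other risk reduction measures.
    """
    if w not in W_LEVELS:
        raise ValueError(f"unknown W level: {w}")
    return RISK_GRAPH_TABLE[risk_graph_node(c, f, p)][w]


def describe(c, f, p, w):
    """Human-readable reading of the outcome, for the assessment record."""
    outcome = required_sil(c, f, p, w)
    return MEANING.get(outcome, f"safety function must meet {outcome}")


if __name__ == "__main__":
    # Constructed hazardous events for illustration only.
    for event in [("CB", "FA", "PA", "W3"), ("CC", "FB", "PB", "W2"),
                  ("CA", "FB", "PB", "W3"), ("CD", "FB", "PB", "W1")]:
        print(event, "->", required_sil(*event), "|", describe(*event))
```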
 25. Hazard & Risk Analysis: HRA according to ISO 26262 - SEVERITY
     Reference for single injuries (from the AIS scale):
       • S0: Maximum AIS 0. Damage that cannot be classified as safety-related, e.g. bumps with roadside infrastructure
       • S1: Maximum AIS 1-2. More than 10% probability of AIS 1-6 (and not S2 or S3)
       • S2: Maximum AIS 3-4. More than 10% probability of AIS 3-6 (and not S3)
       • S3: Maximum AIS 5-6. More than 10% probability of AIS 5-6
     AIS (Abbreviated Injury Scale): the AIS represents a classification of the severity of injuries and is issued by the AAAM (Association for the Advancement of Automotive Medicine):
       • AIS 0: no injuries.
       • AIS 1: light injuries such as skin-deep wounds, muscle pains, whiplash etc.
       • AIS 2: moderate injuries such as deep flesh wounds, concussion with up to 15 minutes of unconsciousness, …
       • AIS 3: severe but not life-threatening injuries such as skull fractures without brain injury, spinal dislocations below the fourth cervical vertebra without damage to the spinal cord, …
       • AIS 4: severe injuries (life-threatening, survival probable) such as concussion with or without skull fractures with up to 12 hours of unconsciousness, paradoxical breathing.
       • AIS 5: critical injuries (life-threatening, survival uncertain) such as spinal fractures below the fourth cervical vertebra with damage to the spinal cord, more than 12 hours of unconsciousness including intracranial bleeding, …
       • AIS 6: extremely critical or fatal injuries such as fractures of the cervical vertebrae above the third cervical vertebra with damage to the spinal cord, extremely critical open wounds of body cavities (thoracic and abdominal cavities), …
 26. Hazard & Risk Analysis: HRA according to ISO 26262 - SEVERITY (informative examples)
     • S0: pushing over roadside infrastructure; light collision; light grazing damage; damage while entering or leaving a parking space; leaving the road without collision or rollover
     • Side collision, e.g. crashing into a tree: S1: Δv < 15 km/h; S2: 15 < Δv < 25 km/h; S3: Δv > 25 km/h
     • Side collision with a passenger car: S1: Δv < 15 km/h; S2: 15 < Δv < 35 km/h; S3: Δv > 35 km/h
     • Rear/front collision between two passenger cars: S1: Δv < 20 km/h; S2: 20 < Δv < 40 km/h; S3: Δv > 40 km/h
     • Other collisions: from a scrape collision with little vehicle to vehicle overlap (lower severity) up to a roof or side collision with considerable deformation (higher severity)
     • Under-riding a truck: without deformation of the passenger cell (lower severity); with deformation of the passenger cell (higher severity)
     • Pedestrian/bicycle accident: e.g. during a turning manoeuvre inside a built-up area (lower severity); outside a built-up area (higher severity)
 27. Hazard & Risk Analysis: HRA according to ISO 26262 - EXPOSURE
     Classes of probability of exposure regarding duration / probability of exposure in initial situations:
       • E0 (very low probability): duration not specified; no informative examples
       • E1 (low probability): < 1% of average operating time
       • E2 (medium probability): 1% - 10% of average operating time
       • E3 (high probability): > 10% of average operating time
     Informative examples, listed on the slide in increasing exposure from E1 to E3: pulling a trailer; driving with roof rack; driving on a mountain pass with unsecured steep slope; snow and ice; driving backwards; fuelling; overtaking; car wash; tunnels; hill hold; night driving on roads without streetlights; wet roads; congestion; accelerating; braking; steering; parking; driving on highways; driving on secondary roads; city driving
 28. Hazard & Risk Analysis: HRA according to ISO 26262 - EXPOSURE
     Classes of probability of exposure regarding frequency in initial situations:
       • E0 (extremely low probability): situations that occur less often than once a year for the great majority of drivers
       • E1 (low probability): situations that occur a few times a year for the great majority of drivers
       • E2 (medium probability): situations that occur once a month or more often for an average driver
       • E3 (high probability): all situations that occur during almost every drive on average
     Informative examples, listed on the slide in increasing exposure from E0 to E3: stop at a railway crossing which requires a start of the engine; towing; jump start; pulling a trailer, driving with roof rack; driving on a mountain pass with unsecured steep slope; driving situation with deviation from the desired path; snow and ice; fuelling; overtaking; tunnels; hill hold; car wash; wet roads; congestion; starting; shifting gears; accelerating; braking; steering; using indicators; parking; driving backwards
 29. Hazard & Risk Analysis: HRA according to ISO 26262 - CONTROLLABILITY
       • C0 (controllable in general). Definition: controllable in general. Informative examples: unexpected increase in radio volume; situations that are considered distracting; unavailability of a driver assisting system
       • C1 (simply controllable). Definition: 99% or more of all drivers or other traffic participants are usually able to avoid a specific harm. Informative examples: when starting the vehicle with a locked steering column, the car can be brought to a stop by almost all drivers early enough to avoid a specific harm to persons nearby; faulty adjustment of seats while driving can be controlled by almost all drivers by bringing the vehicle to a stop
       • C2 (normally controllable). Definition: 90% or more of all drivers or other traffic participants are usually able to avoid a specific harm. Informative examples: avoid departing from the lane in case of a failure of ABS during emergency braking; avoid departing from the lane in case of a motor failure at high lateral acceleration (motorway exit); bring the vehicle to a stop in case of a total lighting failure at medium or high speed on an unlighted country road without departing from the lane in an uncontrolled manner; avoid hitting an unlit vehicle on an unlit country road
       • C3 (difficult to control or uncontrollable). Definition: less than 90% of all drivers or other traffic participants are usually able, or barely able, to avoid a specific harm. Informative examples: wrong steering with high angular speed at medium or high vehicle speed can hardly be controlled by the driver; cannot avoid departing from the lane on snow or ice on a bend in case of a failure of ABS during emergency braking; cannot bring the vehicle to a stop if a total loss of braking performance occurs; in the case of faulty airbag release at high or moderate vehicle speed, the driver usually cannot prevent the vehicle from departing from the lane
 30. Hazard & Risk Analysis: HRA according to ISO 26262 - RISK MATRIX
     [Figure: ASIL determination matrix over the Severity, Exposure and Controllability classes; not carried into the text]
     Note: if a hazard is assigned to Severity class S0, Controllability class C0 or Exposure class E0, no ASIL (SIL) assignment is required.
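An added example, not part of the original presentation, that runs the ASIL determination of slides 25 to 30 over a list of hazardous events. The class ranges and the "S0, E0 or C0 means no ASIL assignment" rule are the slides'; the cell values are taken from the ASIL determination table of ISO 26262-3 (which the slide shows only as a picture) via the observation that every cell equals the rank sum S+E+C; the hazard records are constructed.

```python
# Added example (not from the CEFRIEL slides): ISO 26262 ASIL determination.
# The ISO 26262-3 table collapses to the rank sum S+E+C: 7 -> A ... 10 -> D,
# anything below 7 -> QM (e.g. S3/E4/C3 = 10 -> ASIL D, S1/E3/C3 = 7 -> ASIL A).
ASIL_BY_INDEX = {7: "ASIL A", 8: "ASIL B", 9: "ASIL C", 10: "ASIL D"}
ASIL_ORDER = ["ASIL A", "ASIL B", "ASIL C", "ASIL D"]


def determine_asil(s, e, c):
    """Return 'QM', 'ASIL A'..'ASIL D', or None when no ASIL is required.

    s, e, c are the integer class numbers (S0-S3, E0-E4, C0-C3).
    """
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"class out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return None          # slide 30: S0, E0 or C0 -> no ASIL (SIL) assignment
    return ASIL_BY_INDEX.get(s + e + c, "QM")


def hara(events):
    """events: iterable of (hazard_id, S, E, C). Returns {hazard_id: result}."""
    return {hid: determine_asil(s, e, c) for hid, s, e, c in events}


def highest_asil(results):
    """Highest ASIL across the results, ignoring QM and unassigned events."""
    ranked = [ASIL_ORDER.index(r) for r in results.values() if r in ASIL_ORDER]
    return ASIL_ORDER[max(ranked)] if ranked else None


# Constructed HARA records (hazard id, S, E, C) for illustration only.
SAMPLE_EVENTS = [
    ("H1 unintended full braking on highway",     3, 4, 3),
    ("H2 loss of assisted steering at low speed", 2, 3, 2),
    ("H3 radio volume increases unexpectedly",    1, 4, 0),
    ("H4 parking brake fails to release",         1, 3, 1),
]

if __name__ == "__main__":
    results = hara(SAMPLE_EVENTS)
    for hid, res in results.items():
        print(f"{hid}: {res or 'no ASIL assignment required'}")
    print("highest ASIL among the events:", highest_asil(results))
```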
 31. Hazard & Risk Analysis: Once the required SIL has been assessed
     • Based on the required Safety Integrity Level:
       • Different requirements on the design and on the process apply
       • Different techniques and measures should be used
     • Requirements on the integrity of HW
     • Requirements on the integrity of SW:
       • Requirements on SW design and development (architecture, support tools, programming language, code implementation, testing, …)
       • Requirements on SW diagnostics to achieve the required HW integrity

       SIL   Low demand mode of operation            High demand mode of operation
             (PFD: probability of failure on demand) (PFH: probability of failure per hour)
             e.g. airbag                             e.g. brake / steer by wire
       1     10^-2 ≤ PFD < 10^-1                     10^-6 ≤ PFH < 10^-5    1,000 ≤ FIT < 10,000
       2     10^-3 ≤ PFD < 10^-2                     10^-7 ≤ PFH < 10^-6    100 ≤ FIT < 1,000
       3     10^-4 ≤ PFD < 10^-3                     10^-8 ≤ PFH < 10^-7    10 ≤ FIT < 100
       4     10^-5 ≤ PFD < 10^-4                     10^-9 ≤ PFH < 10^-8    1 ≤ FIT < 10
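An added example, not part of the original presentation, that checks a design's achieved failure measure against the SIL bands of the table above. The bands and the PFH/FIT correspondence (10^-6 per hour is 1,000 FIT, i.e. 1 FIT = 10^-9 failures per hour) are as the slide lists them; the mode names and the sample design figures are this example's own.

```python
# Added example (not from the CEFRIEL slides): achieved SIL from PFD / PFH / FIT.
# (SIL, lower bound inclusive, upper bound exclusive) per mode, from slide 31.
BANDS = {
    # low demand: PFD, probability of failure on demand (e.g. airbag)
    "low_demand":  [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)],
    # high demand: PFH, probability of failure per hour (e.g. brake / steer by wire)
    "high_demand": [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)],
}


def fit_to_pfh(fit):
    """1 FIT = one failure per 1e9 hours, so 1,000 FIT = 1e-6 /h as on the slide."""
    return fit * 1e-9


def pfh_to_fit(pfh):
    return pfh * 1e9


def achieved_sil(mode, value):
    """Return the SIL band (1..4) in which `value` (PFD or PFH) falls.

    Lower bounds are inclusive and upper bounds exclusive, as in the table.
    Returns 0 when the value is worse than the SIL 1 band and 4 when it is
    better than the SIL 4 lower bound (the table defines nothing above SIL 4).
    """
    if value <= 0:
        raise ValueError("failure measure must be positive")
    bands = BANDS[mode]
    for sil, lo, hi in bands:
        if lo <= value < hi:
            return sil
    best_sil, best_lo, _ = bands[0]
    return best_sil if value < best_lo else 0


def meets_target(mode, value, required_sil):
    """True when the achieved band is at least the SIL assigned by the HRA."""
    return achieved_sil(mode, value) >= required_sil


if __name__ == "__main__":
    # Constructed design figures: an airbag (low demand) and a brake-by-wire
    # controller (high demand), each checked against a required SIL 3.
    print("airbag, PFD 3e-3:", achieved_sil("low_demand", 3e-3),
          meets_target("low_demand", 3e-3, 3))
    pfh = fit_to_pfh(45)
    print("brake-by-wire, 45 FIT:", achieved_sil("high_demand", pfh),
          meets_target("high_demand", pfh, 3))
```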
 32. Training Course: An introduction to Functional Safety
     • Basic course on Functional Safety (2 days)
     • Info:
       • Web: www.cefriel.it
       • Mail: dk@cefriel.it
       • Tel: 02.239541
     For any request related to the Functional Safety area:
     • ENRICO SILANI
     • Mail: enrico.silani@cefriel.com
