The M560/M580 has been certified by TÜV SÜD against ISO 26262:2018 as a safety element out of context up to ASIL D. The Electronic Control Units (ECUs) are industry proven, with features tailored for integrated Vehicle Control Unit (VCU) and Vehicle Charge Control Unit (VCCU) 12-volt and 24-volt applications, along with Dana's OpenECU-FS platform software.
The certification process verified achievement of functional safety to ISO 26262 across all aspects of the development lifecycle including:
Functional safety management, safety lifecycle, and supporting processes (ISO 26262 parts 2, 8)
- Safety Culture
The certification included a review of the Dana culture, including staff qualifications and training records to verify our focus on functional safety and quality.
- Quality Management System
The certification reviewed and verified the Dana commitment to maintain a world-class quality management system through its ISO 9001:2015 Business Management System. This includes documented and audited processes for project management, change management, documentation management, configuration management, and more.
- Safety Management
The certification reviewed the safety plan for the M560/M580 ECU development.
- Tool Qualification
The certification covers the tool qualification of the tools used in the development of the M560/M580 and OpenECU-FS software as well as the guidance provided in the safety manual for application developers to stay within the qualification assumptions.
Product development at the system level (ISO 26262 parts 4, 10)
- Element Definition
Since the M560/M580 and OpenECU-FS software are safety elements out of context, the element definition, including the assumed operating environment and the designated safety functions with their fault handling time intervals, was specified and approved.
- Technical Safety Concept
The certification verified the technical safety concept, including the overall module architecture and safety mechanism definition. The safety mechanisms provided by the platform and those required to be implemented by application software are all defined in the M560/M580 functional safety manual. This also covers the element-level FMEA and FTA safety analyses.
- Element Integration Verification
The certification reviewed the verification plan for the element against its defined safety functions and assumed operating environment. This also covers the DV/PV testing actually conducted, as well as functional-safety-focused verification of the M560/M580 safety mechanisms with the hardware and OpenECU-FS platform software.
Hardware and software safety mechanisms (ISO 26262 parts 5, 8, 9)
- Hardware Design
The certification covers the hardware design, including both the 12-volt M560 and 24-volt M580 variants.
- Safety Analyses (Hardware)
The certification covers the hardware component-level DFMEA, FMEDA, and dependent failure analyses.
The certification covers the DV and PV testing, evaluation of hardware components, functional testing, and fault insertion testing.
Product development at the software level (ISO 26262 parts 6, 8, 9)
- Software Design
The certification covers the design documentation for the OpenECU-FS platform software for both the primary and secondary microcontrollers, including traceability from software safety requirements to design and verification.
- Safety Analyses (Software)
The certification covers the safety analysis of the software architecture per ISO 26262-6:2018 Annex E, using techniques such as FMEA and HAZOP applied to software.
The certification covers the evaluation of all OpenECU-FS verification, including coverage metrics, unit testing, and on-target integration testing.
Quality assurance in production (ISO 26262 part 7)
- The certification includes an audit of our manufacturing partner and verification of the processes for maintaining functional safety post-production.
To see how the M560/M580 and OpenECU-FS platform software can enable your production development for safety-related vehicle control, charging control, or other applications, contact Dana for the detailed safety manual and technical specification documentation.
In addition to the certification of the specific out-of-context safety functions, Dana holds the complete design information and the rationale for the design decisions behind the M560/M580. This information, together with an understanding of the design of all the module's functions, can help you use the module in your specific application, even beyond the explicit assumptions of use.