What exactly is the failure mode that your Failure Mode and Effects Analysis (FMEA) is supposed to describe when a neural network in an Advanced Driver Assistance System (ADAS) detects a pedestrian, and what form does that failure mode take? Many development programs today leave this question unanswered.
Machine learning (ML) has arrived in series production. At the same time, the regulatory landscape has become more complex. UN R155 and R156 have been relevant for the type approval of all new vehicles since July 2024. ISO/SAE 21434 serves as the central standard for their implementation. ASPICE 4.0 includes a dedicated process group for ML engineering. The industry, which has reliably validated deterministic hardware for decades, is now expected to ensure the safety of probabilistic components.
The classic FMEA addresses random hardware failures and systematic software failures. That scope falls short for ML components. Neural networks do not malfunction in the same way as transistors. Rather, they deliver results with a level of confidence that depends on the training distribution, input quality, and operating conditions.
SOTIF (Safety of the Intended Functionality, ISO 21448) introduces a second level of reasoning by considering functional inadequacies, that is, risks that arise without a classical failure.
TARA (Threat Analysis and Risk Assessment), originating from the field of cybersecurity, provides a third perspective by addressing targeted threats, such as adversarial attacks or training data manipulation.
In many development programs, these three analyses run in parallel using different tools, separate reports, and unrelated vocabularies. In the Safety-FMEA, an ML perception model appears as a black box, whereas TARA requires adversarial robustness for the same model. These two fields speak different languages. Audit findings arise precisely at these points of disconnection.
Methodological fragmentation manifests as concrete project risks.
The most expensive scenario is late findings shortly before production starts. In quality assurance, the rule of ten states that errors discovered only in the field cost many times more than those identified during the design phase. When safety, security, and SOTIF risks only converge during the audit, rework becomes unavoidable.
Added to this is the duplicate maintenance of risk artifacts. Three separate analyses generate effort without providing additional insight. A “failure mode” in the FMEA is a “threat scenario” in the TARA and a “functional inadequacy” in the SOTIF analysis. The content overlaps, but the formats do not.
Meanwhile, regulatory pressure continues to mount. UN R155 and R156 have been mandatory for all new vehicles since July 2024. Starting August 2, 2027, the high-risk requirements of the EU AI Act for AI as a safety component will take effect, carrying penalties of up to 35 million euros or seven percent of global annual turnover. Those who build their engineering foundation only under this pressure will pay twice.
Safe AI in vehicles is not achieved by replacing proven methods, but rather by consistently building on them. Three building blocks form the core of an integrated engineering model:
It is crucial to consider these building blocks together from the beginning, not as an afterthought shortly before the assessment.
Three properly maintained individual artifacts do not solve the fundamental problem. The failure modes overlap, the assessments are not aligned, and traceability ends at the documents' boundaries. A harmonized FMEA establishes a consistent evaluation framework and streamlines maintenance efforts.
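A minimal sketch of the harmonization step, added here as an illustration and not taken from the article or from any tool it describes: rows from the three analyses are merged into one register keyed by the analysed element, and elements that one analysis covers while another omits are listed as points of disconnection. All field names and sample rows are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample rows; every field name is an assumption for this sketch.
FMEA_ROWS = [
    {"item": "pedestrian_detector", "failure_mode": "pedestrian not detected"},
    {"item": "brake_actuator", "failure_mode": "no brake pressure"},
]
TARA_ROWS = [
    {"asset": "pedestrian_detector",
     "threat_scenario": "adversarial patch suppresses detection"},
    {"asset": "training_pipeline",
     "threat_scenario": "training data manipulation"},
]
SOTIF_ROWS = [
    {"function": "pedestrian_detector",
     "functional_inadequacy": "low recall at night in rain"},
]

# Per analysis: (rows, key naming the analysed element, key holding the finding).
SOURCES = {
    "FMEA": (FMEA_ROWS, "item", "failure_mode"),
    "TARA": (TARA_ROWS, "asset", "threat_scenario"),
    "SOTIF": (SOTIF_ROWS, "function", "functional_inadequacy"),
}

def harmonize(sources=SOURCES):
    """Merge the three vocabularies into one register keyed by element."""
    register = defaultdict(lambda: defaultdict(list))
    for analysis, (rows, element_key, finding_key) in sources.items():
        for row in rows:
            register[row[element_key]][analysis].append(row[finding_key])
    return {element: dict(views) for element, views in register.items()}

def disconnections(register, required=("FMEA", "TARA", "SOTIF")):
    """Return, per element, the analyses that have no entry for it."""
    gaps = {}
    for element, views in sorted(register.items()):
        missing = [a for a in required if a not in views]
        if missing:
            gaps[element] = missing  # a prompt for review, not a verdict
    return gaps

if __name__ == "__main__":
    for element, missing in disconnections(harmonize()).items():
        print(f"{element}: no entry in {', '.join(missing)}")
```

A reported gap only marks where the interdisciplinary review should look; whether the missing perspective is actually required for that element remains an engineering decision.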
Published in December 2024, ISO/PAS 8800:2024 is the first standard to formulate safety requirements specifically for machine learning in road vehicles. It supplements, but does not replace, ISO 26262. ISO 26262 remains the overarching framework for functional safety.
UN R155 and R156 address cybersecurity and software updates, yet they do not fully cover the AI-specific requirements of the EU AI Act. Starting in August 2027, high-risk AI will be subject to additional obligations regarding risk management, data quality, technical documentation, and post-market monitoring.
Yes, the harmonized FMEA uses existing processes and tools, but it also includes AI-specific failure modes, TARA results, and SOTIF-relevant deficiencies. The important thing is not a new tool, but an interdisciplinary analysis process.