Is a watchdog always mandatory in a functional safety project?

Generally, a watchdog in a system design seems to be regarded as a design element that exists for the purpose of safety. What do you think? Is it essential?

Assume that tester1 tests for 100 days and tester2 tests for 10 days, both on the same product. Can you then determine that tester1 is better than tester2?

You will say “No”, because the test criteria should be considered when evaluating the quality of the testing.

It is similar. Is a system design with a watchdog safer than a system design without one?

Why is a watchdog required? Is it a problem if a system does not have a watchdog?

It surely helps you feel that the system is safe. It is no more than that.

Before adopting a watchdog, please consider what the safe state of your system is. If a watchdog is necessary to enter the safe state when something goes wrong, it is mandatory. If not, it is a psychological remedy.

“Doing Nothing” is better than “Doing Wrong”
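To make the "safe state first" point concrete, here is an added example (not code from the original post) of a software watchdog whose only purpose is to drive the system into a defined safe state; the names, the 50 ms timeout and the simulated 10 ms task are hypothetical assumptions.

```c
/* Added example, not code from the original post: a minimal software
 * watchdog whose only purpose is to move the system into its safe state
 * when the supervised task stops kicking it. All names are hypothetical. */
#include <stdint.h>

typedef enum { SYS_RUNNING, SYS_SAFE } sys_state_t;

typedef struct {
    uint32_t    timeout_ms;      /* longest tolerated gap between kicks */
    uint32_t    last_kick_ms;    /* timestamp of the last kick */
    sys_state_t state;
    int         outputs_enabled; /* 1 = actuators energised, 0 = de-energised */
} watchdog_t;

void wd_init(watchdog_t *wd, uint32_t timeout_ms, uint32_t now_ms) {
    wd->timeout_ms = timeout_ms; wd->last_kick_ms = now_ms;
    wd->state = SYS_RUNNING;     wd->outputs_enabled = 1;
}

/* Kick only after the supervised task has really completed its cycle,
 * never from a timer; otherwise a hung task still looks alive. */
void wd_kick(watchdog_t *wd, uint32_t now_ms) {
    if (wd->state == SYS_RUNNING) wd->last_kick_ms = now_ms;
}

/* Called from an independent context (e.g. a timer ISR). Safe state here
 * is "doing nothing": de-energise the outputs and latch, instead of
 * resetting and continuing with possibly wrong data.
 * Returns 1 on the call that entered the safe state, otherwise 0. */
int wd_check(watchdog_t *wd, uint32_t now_ms) {
    if (wd->state == SYS_SAFE) return 0;             /* already latched */
    if (now_ms - wd->last_kick_ms > wd->timeout_ms) {
        wd->outputs_enabled = 0;
        wd->state = SYS_SAFE;
        return 1;
    }
    return 0;
}

/* Simulation: a 10 ms task that hangs at hang_at_ms (negative = never),
 * 50 ms timeout. Returns the time the safe state was entered, or -1. */
long run_scenario(long hang_at_ms, watchdog_t *wd) {
    wd_init(wd, 50, 0);
    for (uint32_t t = 0; t <= 1000; t += 10) {
        if (hang_at_ms < 0 || (long)t < hang_at_ms) wd_kick(wd, t);
        if (wd_check(wd, t)) return (long)t;
    }
    return -1;
}
```

If the system has no state in which de-energised outputs are safe, this supervisor adds nothing, which is exactly the question the post asks you to answer first.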


If I were on the OEM’s side, I would manage a functional safety project as follows

Management of the functional safety process is very important, not only on the supplier’s side but also on the OEM’s side.

In the standard, there are two types of faults: systematic faults and random hardware faults. A random hardware fault is an engineering matter and can be treated by engineering decisions, but a systematic fault is not just an engineering matter.

Let’s assume that an OEM auditor finds that a supplier has random hardware faults and systematic faults. After the audit, what corrective actions need to be done?

To eliminate a random hardware fault, the supplier has to design and implement again. But sometimes this does not take much time compared to a systematic fault.

To treat a systematic fault, what is required?

What do you think?

Ideally speaking, none of the work products can be trusted, and all activities have to be done again from the beginning. But I’m not sure such an extreme approach can happen in the automotive industry. It would surely delay the project timing.

Then the supplier’s risk is moved to the OEM’s side.

To prevent this undesirable situation, what does the OEM have to do?

Let’s assume that there are two options for conducting the audit.

  1. Audit once at the end of the project.
  2. Audit multiple times at the important milestones.


It is not a difficult problem. You already know the answer, and you may understand what my point is.

Let me simplify my point: bothering the supplier multiple times helps not only the OEM but also the supplier. To do this, the OEM has to be diligent.

Is it hard to defend against a functional safety audit?

In general, the plan for a functional safety audit is sent to the supplier. In the plan, the checklist is open. Then what the supplier has to do is prepare how to answer these questions and what evidence to produce. So it is like acting according to a written script. But it still seems hard to defend against. Why?

For a drama to be successful, all actors have to keep their script in mind and be ready to act. If your organization has trouble defending against a functional safety process audit, the cause can be that many people involved in the project don’t know what to do or how to do it.

In fact, continuous process activity is required in order to be considered process compliant. It cannot be done all at once. Have you ever written a one-month diary within two days? Can you keep consistency in that diary? Is the weather really correct? It is similar.

Everything should be recorded, and the records can serve as process evidence. It is a kind of drama for showing. You really have to be reborn as an actor.

The functional safety manager should be a director, not an actor. He or she has to see the overall scope, not a specific scope, and being a director is necessary to do this. It might not be easy to handle this as an actor.

The audit plan is open, so as a director, consider deeply what can impress the auditor. It needs to be considered which activities and which evidence can be regarded as process compliance.

By the way, do you know that this consideration (planning) shall be done prior to the start of the project? It sounds like common sense in drama. But what about engineering? Are we masters of impromptu acting? Absolutely not. That is why many projects have failed.

Don’t feel negative because of my expression “acting”. I don’t mean “cheating”. I believe that the performance of “showing” is a real indicator of process compliance. It is quite different from committing fraud.



ISO26262, DO-178C, DO-278A