Keynote

Understanding Embedded System Safety

Watch Now

01:27:59

EOC 2025

Login to Watch

Philip Koopman

Prof. Philip Koopman is an internationally recognized expert on Autonomous Vehicle (AV) safety whose work in that area spans over 25 years. He is also actively involved with AV policy and standards as well as more general embedded system design and software quality. His pioneering research work includes software robustness testing and run time monitoring of autonomous systems to identify how they break and how to fix them. He has extensive experience in software safety and software quality across numerous transportation, industrial, and defense application domains including conventional automotive software and hardware systems. He originated the UL 4600 standard for autonomous system safety issued in 2020. He is a faculty member of the Carnegie Mellon University ECE department where he teaches software skills for mission-critical systems. In 2018 he was awarded the highly selective IEEE-SSIT Carl Barus Award for outstanding service in the public interest for his work in promoting automotive computer-based system safety. In 2022 he was named to the National Safety Council's Mobility Safety Advisory Group. In 2023 he was named the International System Safety Society's Educator of the Year. He is the author of the books: Better Embedded System Software (2010), How Safe is Safe Enough: measuring and predicting autonomous vehicle safety (2022), and The UL 4600 Guidebook (2022).

View full profile

Topics Covered

High Reliability Software Design Cycle

Keynote

Understanding Embedded System Safety

Philip Koopman

01:27:59 EOC 2025

Philip Koopman

01:27:59

Most embedded systems have some aspect of safety or mission criticality involved in their design. All embedded developers need to know the safety basics. But this is not a typical safety talk that crawls through the various parts of some specific safety standard. Instead, we will discuss what makes safety engineering processes different from other types of engineering activities, how to think about safety when the loss event is less dramatic than an airplane falling out of the sky, and how to determine how much and what kind of safety engineering you need for your system.

This approach will give attendees a robust framework for thinking about safety without getting caught up in the details of any particular safety standard.

1 / 5

Please log in or create an account to test your knowledge and see the answers.

What is the main reason Philip Koopman states that testing alone does not prove safety?

A Testing is a part of safety engineering but cannot prove safety on complex systems.

B Testing can always ensure a system works under all conditions.

C If a system has been tested, it is guaranteed to be safe in all scenarios.

D Testing is only necessary for low-risk systems, not high-risk ones.

E Testing only focuses on performance metrics, ignoring safety requirements.

Which of the following best describes the purpose of a safety engineering process according to Philip Koopman?

A To complete required paperwork to show compliance with safety standards.

B To identify and mitigate hazards while ensuring safety is designed in from the start.

C To ensure that performance metrics are optimized before safety is considered.

D To test systems until they are proven to be safe for user acceptance.

E To establish a strict protocol for coding standards that guarantees safety.

What approach does Philip Koopman recommend for managing risks in safety engineering processes?

A Avoid risk mitigation altogether for minor hazards.

B Always transfer risks to users and rely on them for safe operation.

C Strictly ignore low-probability, high-severity events during risk assessment.

D Mitigate risks based on their severity and probability, focusing resources on high-risk areas.

E Ensure all risks are eliminated to guarantee safety in every situation.

Why does Philip Koopman highlight the importance of safety culture in safety engineering?

A It allows for fewer regulations and oversight for engineers.

B It promotes ignoring minor hazards to focus on more critical issues.

C It ensures open communication about safety concerns without fear of reprisal.

D It dictates that all safety decisions must come from upper management alone.

E It emphasizes that engineers do not need to assess risk if management decides otherwise.

What does Philip Koopman mean by saying that high-severity, low-probability incidents require special attention in safety engineering?

A They represent no significant risk because of their low frequency.

B They are easy to predict and thus require minimal effort to manage.

C They can lead to catastrophic consequences and necessitate careful risk assessment and mitigation planning.

D They should be ignored if the incidents are uncommon and unreported.

E They only matter if they happen repeatedly in the field.

Formatting help

italics	surround text with asterisks
bold	surround text with two asterisks
hyperlink	[hyperlink](https://example.com) or just a bare URL
code	surround text with `backticks`
~~strikethrough~~	surround text with ~~two tilde characters~~
quote	prefix with >

Upvotes Newest Oldest

ash

Score: 0 | 8 months ago | 1 reply

Recently I came across Netflix documentary Titen (The oceangate submersible). I could draw lots of parallels with what you have explained in this keynote. Their carbon fiber hull validation showed signs of failure at each dive, and it was carrying passengers in deep sea ==> it was a High Risk situation.
Also when their employees tried to raise this issue, they faced lot of reprisals. In its last dive the same hull imploded (single point of failure). only safety concept that I could see was a real time acoustics monitoring system, which would record bang and cracking sounds and inform pilot, in order to return to surface. That complete product was lacking any safety oversight.
You have explained safety in such simple manner that it will stay with me and help me as I move forward in embedded software industry.
Thank you very much for this informative keynote..!

pkoopmanSpeaker

Score: 0 | 8 months ago | no reply

Ash,
Indeed the Titan implosion is a classic case in poor safety culture.
This web page has pointers to several longer articles on the topic for those interested, as well as a list of other mishaps we should understand and learn from:
https://safeautonomy.blogspot.com/p/safe-autonomy.html

Mohammad

Score: 0 | 9 months ago | 1 reply

Always the best
I really like you what you always present regarding safety.
I enjoyed the Toyota investigation
, you book Better Embedded Systems "and now this session.

pkoopmanSpeaker

Score: 0 | 9 months ago | no reply

Thanks Mohammad, this really made my day!

Gunjan Vora

Score: 0 | 10 months ago | 1 reply

I work in Automotive and have attended one day workshop and seminars related to Functional Safety. Many times I've got lost understanding the terminologies and jargons. But the way you've described each part of safety engineering is truly amazing! Thank you!

pkoopmanSpeaker

Score: 0 | 10 months ago | no reply

Thanks Gunjan, that really makes my day! I've heard that about such seminars many times, and providing clarity on the big picture was precisely the goal for this talk. I'm really glad to hear that this helped.

Joffrey

Score: 1 | 10 months ago | 1 reply

Clear, concise and practical guidance on safety engeineering, thank you.

pkoopmanSpeaker

Score: 0 | 10 months ago | no reply

Thanks for the kind words. Glad it hit the target. You're very welcome!

Partners & Sponsors

CodeSecure

atym

embedd.it

IAR

Become a Sponsor