Dipl.-Inf. · System & SW Architect · Functional Safety
System and software architecture for safety-critical embedded systems — from ISO 26262 to ASIL-D, from AUTOSAR to AI-assisted traceability.
In the automotive field since 1998 — in key roles on projects that went into series production. Focus: functional safety (ISO 26262 up to ASIL-D), system and SW architecture, AUTOSAR (Classic & Adaptive) and Automotive SPICE. Since November 2025 an additional focus on AI-assisted engineering tools: deterministic knowledge graphs with local LLMs for traceability, assessment preparation and test generation — auditable, not generative.
Experience
in automotive since 1998
Specialty
Functional safety up to ASIL-D
Current focus
AI-assisted safety engineering (since 11/2025)
Based in
Plochingen, Germany
ISO 26262ASIL-DAUTOSARAutomotive SPICESW ArchitectureFunctional SafetySOTIFKnowledge GraphLocal AI
01
Core Competencies
Functional Safety (ISO 26262)
From the functional safety concept through the technical safety concept to the safety architecture. Signal and control-flow analyses, freedom from interference, timing protection, partitioning/decomposition and assessment of integrity violations — demonstrated up to ASIL-D, all the way to series release.
System & SW Architecture
Deriving safe architectures from the safety concept, layered and hierarchical, with high cohesion and low coupling. Reverse engineering and documentation of existing systems, load balancing and reuse — end-to-end traceability from system level down to unit design.
AUTOSAR Classic & Adaptive
Deep experience at requirements and implementation level: diagnostics (UDS/DCM), memory services (NVM, FEE, FLS), operating system (OSEK/MICROSAR), Ethernet stack (TCP/IP, SOME/IP, DoIP), flash bootloader, BSW (SecOC, E2E, WdgM) and MCAL on Infineon AURIX.
Automotive SPICE & Process
ASPICE v3/v4 in safety assessments, coaching of projects and definition of processes. Applying the base practices from SYS.2/SYS.3 and SWE.1 through SWE.6 — including setting up requirements engineering, golden samples and training entire teams.
AI-assisted Engineering
Since 11/2025: deterministic knowledge graphs combined with local LLMs (air-gapped, no cloud). Applications: auditable traceability, ASPICE assessment preparation, test derivation from AST/call graph and SIL validation — the AI proposes, the engine validates deterministically.
Team & Project Leadership
Technical steering and coaching of distributed teams (up to ~30 people), work-package and release planning, supplier management and customer communication — repeatedly took over and restructured running projects through to release.
02
Skills
Functional Safety Expert Level
ISO 26262 (up to ASIL-D, FailSilent & FailOperational)
Functional & Technical Safety Concept
Signal/control-flow analysis, critical path
Freedom from Interference, Timing Protection
Partitioning & decomposition
SOTIF (ISO 21448), cybersecurity (ISO 21434)
FMEA / FMEDA, safety assessments
SW Architecture & Method Expert Level
Safety architecture derived from the TSC
Design patterns, high cohesion / low coupling
MBSE: SysML / UML, RFLP approach
Reverse engineering & architecture documentation
Load balancing (thread/core), reuse
Traceability from system to unit design
AUTOSAR & Basic Software Expert Level
Diagnostics (UDS, DCM), DEM fault memory
Memory services: NVM, FEE, FLS (FEE patent share)
Operating system (OSEK, MICROSAR), multi-core/-ECU
since 11/2025Own R&D / sensified· AI-assisted Safety Engineering● current
Knowledge Graph · Local LLMs · Compliance
Role
Architect & Developer
Contribution
Building a family of tools that connect engineering artifacts (requirements, tests, source code, norms) in a deterministic knowledge graph and enrich them with local LLMs — auditable, reproducible and fully air-gapped. The AI proposes links, the engine validates them deterministically; no LLM runs in the evidence path.
Activities
Deterministic traceability engine (norm clause → requirement → element → test → code)
Local LLM pipelines (Qwen via Ollama/MLX/Metal), RAG without cloud
Source-code analysis via libclang AST and LLVM IR (code-to-requirement linking)
ASPICE v4 assessment workbench (CL2 preparation), gap detection
SIL validation of safety-relevant AI sensing (CARLA/ROS2, ISO 10218-2)
Result: Deterministic gap reports and traceability in minutes instead of weeks — auditable, not generative.
since 2025Joynext· RTCU – ASPICE Assessment & Test GenerationClient: Stellantis
ASPICE CL2 · SWE.4/SWE.5 · AUTOSAR integration
Role
ASPICE / Engineering Consultant & Tool Developer
Contribution
Tool-assisted preparation of the ASPICE Capability Level 2 assessment and deterministic generation of SWE.4/SWE.5 test cases from AST and architecture — no LLM in the evidence path. In parallel, SW integration at MCU level.
Activities
ASPICE v4 assessment preparation (CL2) with an in-house tool (PROVE/SOLVE)
Deterministic SWE.4 (unit) / SWE.5 (integration) test-case generation from AST/architecture
Integration of ALM sources (Polarion, DOORS NG, Jira) and traceability/coverage reports
AUTOSAR integration on AURIX MCU (Vector stack), tooling: CANoe, A2L
since 2026NEURA Robotics· OmniSensor – SIL Validation
Cognitive robotics · safety sensing · SIL
Role
SIL / Safety Engineer
Contribution
Built a software-in-the-loop test system for an AI-based safety sensor (person detection) — deterministic, reproducible validation in a photorealistic factory environment to close the audit evidence gap.
Activities
SIL test system based on CARLA + ROS2 (Humble)
Scenario-based validation of person detection (reaction time, occlusion)
Auditable SIL test reports (open instead of black box)
ISO 10218-2ROS2 (Humble)CARLAYOLOv8 / VLMPythonKnowledge Graph
SIL monitor: safety zones, top-down LiDAR and person detection in a photorealistic factory (CARLA + ROS2).
since 2025BMW· HIP – Hardware-in-the-Loop / SIL & ASPICEASIL-D
Automated Driving / AAOS · SIL · ASPICE SWE.1–SWE.6
Role
SW Architect & Safety / ASPICE Consultant
Contribution
Built a SIL/simulation environment and an end-to-end ASPICE implementation (SWE.1–SWE.6) including automatic generation of the Enterprise Architect models and an SWE.6 DoIP server; functional-safety coaching up to ASIL-D in the RFQ context.
Driving scenario of the SIL environment — basis for OpenSCENARIO replay and HiL/SiL validation.
2025Brusa· H7 / ICS2P
Power electronics (inverter/charger) – SW-FMEA
Role
SW Safety Analyst / Architecture
Contribution
Software FMEA and architecture analysis of the power-electronics software based on the EA architecture model.
Activities
Conducting the SW-FMEA (Loss of Diagnostic / LOD)
Analysis of the SW architecture (Enterprise Architect)
SW-FMEAEnterprise Architect (Sparx)ISO 26262
2025BMW· PeCU / DC/DC (PenthouseECU)
DC/DC converter – safety & SW requirements
Role
Safety / SW Requirements Engineer
Contribution
Authoring of SW requirements (system/module level) as well as safety concept and safety analysis for a DC/DC / Penthouse ECU.
Activities
Definition of SW requirements (system/module)
Safety concept and safety analysis
Documentation tooling (Markdown/HTML export)
ISO 26262SW requirementsSafety analysis
2024 – 2025BMW· IP Fahren – Sheer Driving PleasureASIL-D (FailOperational)
Automated Driving
Role
Coaching & Program Management (team ~10 FTE)
Contribution
Technical guidance of the project team in ASPICE, SysML/UML and SW architecture, plus responsibility for functional safety (SEooC/Item, system and SW architecture).
Activities
Analysis of system and SW requirements
Review of the technical safety concept
Reverse engineering of system and SW architecture from development artifacts
Program management of a team of domain experts
ISO 26262ASPICESysML / UMLCodebeamerMagicDrawEnterprise ArchitectC / C++ / Python
2024BMW· IKS 25 – Interior Camera SystemASIL-B (FailSilent)
Interior camera / SOTIF
Role
System & SW Architect
Contribution
Definition of an ASIL-B compliant system and SW architecture for an interior camera system, including SOTIF considerations and coaching on requirements authoring.
Activities
Definition of the ASIL-B system and SW architecture
Review of requirements, architecture and plans (ASPICE)
Coaching on requirements authoring at SYS.x / SWE.x
SOTIF — definition and requirements
ISO 26262SOTIF (ISO 21448)ASPICESysML / UMLEnterprise Architect
2024Porsche· BMS 12 VASIL-C (FailSilent)
Battery management
Role
SW Architect & Team Lead (5 architects)
Contribution
Support of the SW architecture and definition of the logical program flow for application and BSW on Infineon AURIX TC3xx; process work at the intersection of Agile and ASPICE.
Activities
Definition of the logical program flow (application & BSW)
Technical leadership of 5 architects
Architecture and safety work on AURIX TC3xx
ISO 26262AURIX TC3xxASPICE / AgileEnterprise Architect
2023 – 2024BMW· IP Next – ADASASIL-D (FailOperational)
Driver assistance
Role
Coaching, Functional Safety & Requirements
Contribution
Support of the project team in system/SW architecture and functional safety (SEooC/Item, system engineering), authoring the technical safety concept; reference SW development in Adaptive AUTOSAR.
Activities
Analysis of system and SW requirements
Authoring the technical safety concept
Support in ASPICE, SysML, UML and SW architecture
Requirements engineering incl. assumptions of use (Codebeamer)
ISO 26262SOTIFAdaptive AUTOSARC++14 / MISRABazelGoogleTestCodebeamerQNX
2023Delta Electronics· OneBox – On-Board Charger
Charging / power distribution – SW architecture
Role
SW Architect
Contribution
Conception and documentation of the SW architecture of the OneBox platform (safe compute / safe storage / safe communication) via MBSE.
Activities
Definition and documentation of the SW architecture (Enterprise Architect)
Preparation of features, system structure and system architecture
MBSEEnterprise Architect (Sparx)ISO 26262
2023Schaeffler· OneBox – Cybersecurity
Cybersecurity (ISO 21434)
Role
Cybersecurity Engineer
Contribution
Development of a cybersecurity work-package breakdown in the OneBox context.
Activities
Definition and structuring of cybersecurity work packages
ISO 21434Cybersecurity
2023Eberspächer· PFC / 12V BMS – Program Flow Control
Functional safety / timing analysis
Role
Safety Analyst
Contribution
Analysis of program flow control and timing of the SW architecture (functional-safety context) based on the EA model.
Activities
Program-flow and timing analysis
Architecture analysis (Enterprise Architect)
ISO 26262Enterprise Architect (Sparx)Timing analysis
2023Valeo· PDC – Park Distance ControlClient: PPE / PPC
ADAS / parking – system architecture & diagnostics
Role
System / SW Architect
Contribution
Preparation of the system architecture and requirements mapping as well as consideration of self-test diagnostics.
Activities
System architecture (Enterprise Architect)
Requirements mapping (customer/system)
Self-test / diagnostics consideration
Enterprise Architect (Sparx)DOORSISO 26262
2023Hella· FHEV – Battery Management SystemClient: Ford
Battery management safety
Role
BMS SW / Safety Architect
Contribution
Preparation of the BMS feature and component architecture (ASIL-C/A/QM partitioning) via MBSE.
Activities
Architecture of the BMS features and components
Structuring by ASIL classes (C / A / QM)
ISO 26262MBSE / PlantUMLAUTOSAR
2024Cariad· Active Safety – MBSE Method
Method / single source of truth
Role
MBSE / Method Consultant
Contribution
Development of an MBSE method (RFLP approach, ASPICE, single source of truth) for active-safety development.
Conception and definition of the SW architecture for a universal platform that can be used generically across various internal and external application projects.
Activities
Communication with system stakeholders
Analysis of system and SW requirements
Authoring of SW requirements and SW architecture
Platform evaluation TI TDA4x / J721E (Edge-AI / Linux SDK)
ISO 26262DOORS NGEnterprise Architect (SysML/UML)RhapsodyPTC IntegrityAdaptive AUTOSARQNXTI TDA4x / J721EC / C++
Conception and definition of the safety SW architecture of a battery management system through to series readiness of several HW variants, plus the concept for upgrading from ASIL-B to ASIL-C.
Activities
Analysis of system and SW requirements
Definition of SW safety mechanisms
Identification of gaps in system requirements
Authoring the technical safety concept (ASIL-B → ASIL-C)
Took over a running project from the predecessor supplier with incomplete documentation. Rebuilt the process landscape per ISO 26262, set up requirements engineering and the safety architecture. Identified and resolved several potential show-stoppers.
Activities
Technical steering of a team of 4 architects
Definition of the safety architecture and level-3 safety monitors
Signal-flow analyses incl. golden sample, timing protection, FFI
Provision of ASIL-C for Infineon MCAL
Definition & rollout of all ISO 26262 work products, team training
Result: Level-3 and level-4 release for the production start (G08) achieved successfully.
Upgrading the ASIL level from B to C: defining the approach, identifying all affected SW components based on requirements and signal-flow analyses, and implementing the necessary changes.
Activities
Definition of the safety architecture and level-3 safety monitors
Reworking the OS scheduling (non-preemptive → preemptive), load balancing
Result: Release successfully delivered to the client and deployed at the customer.
ISO 26262Enterprise Architect (UML)AURIX / Infineon MCALCANoeDaVinci Configurator / DevelopervTestStudio
2018Audi· HCP4 / ELVIS – Flash BootloaderClient: Bosch
Hypervisor & bootloader integration
Role
SW Integrator
Contribution
Commissioning an Ethernet flash bootloader (Vector SIP) from a non-functional baseline: fault analysis and fixes in the TCP/IP stack, diagnostics and the hypervisor; adapting the flash process to the hypervisor architecture.
Activities
Commissioning & debugging of the ETAS hypervisor
Configuration of the bootloader modules (DaVinci Configurator)
Implementation of FBL APIs, FBL updater, DID handling
SBC/SPI and external watchdog, integration with the application
Result: On-time delivery to Audi, very well received in the presentation; follow-up project ELVIS commissioned successfully on new hardware.
Took over the project from the predecessor supplier with incomplete documentation. Defined processes for requirements, implementation and test; documented the code base via reverse engineering and qualified it through signal/control-flow analysis.
Activities
Definition of the approach, training and execution
Definition of the safety architecture and safety monitors
Assessment of integrity violations
Coordination of a team of 7 developers (requirements, FuSa, test, diagnostics)
Result: Level-3 release per ISO 26262 achieved in a safety assessment; system deployed in the MQB platform.
ISO 26262AUTOSARRTE / OSEKDOORSEnterprise ArchitectClearCase / ClearQuest
2015Audi· zFAS – central driver assistanceClient: ValeoASIL-B
Technical safety concept / safety architecture
Role
SW Safety Architect
Contribution
Authoring the technical safety concept together with the functional safety manager: analysis of system interrelations, assessment against safety criteria and building the safety architecture.
Activities
Authoring and analysis of the safety architecture per ISO 26262
ISO 26262AUTOSARRTE / OSEKDOORSEnterprise Architect
Authoring the SW architecture per ISO 26262 (ASIL-B), assessing and resolving integrity violations, customer communication and ensuring product availability; ensuring series readiness in the VW context.
Activities
Coaching and coordination of a team of 6 developers
Integration of the Toyota CAN stack, E2E protection, watchdog integration
Resource planning, ticket assessment and customer communication
Result: Product deployed successfully in platforms 560A, 488B, 795A as well as MQB / MLB-Evo B.
ISO 26262AUTOSARRTE / OSEKCANoeDOORSMISRA / QACFlexray / CAN
Ensured series readiness for Parkman as lead integrator and architect; later sub-project lead of the AUTOSAR V4 integration (Scala 2) for an internationally distributed team of ~30 developers and product release management.
Activities
Definition and implementation of the SW architecture, bug-fixing around load issues
Review/rework of requirements and SW components
Supplier steering, release planning and documentation
Integration of SIPs, K-matrices, diagnostic updates and security topics
Result: Several releases delivered successfully to Daimler; systems deployed in platforms BR222, BR212, BR213.
ISO 26262AUTOSARRTE / OSEKCANoeDOORSMISRA / QACFlexray / CAN
Concept, architecture and implementation of a data-driven menu description language as an AUTOSAR component to minimize the effort for changes and extensions; used worldwide to implement customer requirements.
Activities
Conception, architecture and implementation of the system
Definition of the tool landscape and process chain
Windows tool to manage and generate embedded resources
Application modules: ACC, lane departure warning, diagnostics, head-up display simulation
Result: Daimler KIG1 successfully went into series production (sports line).
C / C++AUTOSARRTE / OSEKCANoeClearCaseDOORSMISRA / QACMFC / Win32
For confidentiality reasons no project-internal details (people, confidential specifics) are disclosed. End customers and project codenames are stated where permitted.