Abstract
Today's Automotive ECU development is a global engineering
exercise. It requires efficient planning, design and
implementation. Time to market, innovative customer functions
and cost-effective design are key to success. Not only the technical realization with compressed time schedules and
frequent change requests, but also the documentation and the
proof of compliance with ISO 26262 require efficient solutions to be applied.
Key to successful ECU development of complex safety critical
systems inside a global team is a systematic approach to
identify the ideal realization out of multiple design alternatives.
This is why TRW Electronics Engineering for its Braking ECU products decided to design the new product generation with
the help of Model Based System Engineering methods
(MBSE). With these methods the team is realizing the opportunities provided by top-down driven development
considering Requirements Engineering, Semi-formal
Architecture Description, and early support to create evidence to conform to ASIL D in accordance with ISO 26262. This is seen
as an approach consistent with the state of the art of
automotive engineering by allowing early proof of concept, and realizing efficient evaluation of design solutions. Also, it
supports design engineers in their necessary tasks like
interface definition, requirements allocation, testing, etc., as needed for global development teams. Besides this, it supports
safety evidence generation which is needed to assure high
quality and to satisfy customers and internal safety auditors, who need to be convinced of safe and ISO compliant design
solutions (safety case).
Traditionally in many companies safety may still be in “its own
world”, with dedicated safety specialists and safety tools. This
leads to significant effort in alignment between safety investigations and system design, as it evolves. The main
aspect of the presented TRW approach is to use the design
information (system structure and behaviour) from the ECU SysML model also for the development of the ECU safety concept. This integration ensures that changes in design can
be reanalyzed with high efficiency. As safety aspects are linked
directly into their system models, the design engineers become immediately aware of functional safety needs, and they can
support the necessary safety analyses more efficiently. Further
benefits come from fewer issues with inconsistencies, due to the possibility to perform automated traceability checks, as well
as other consistency and completeness checks on the model.
The paper evaluates key success factors in comparison to the
legacy development process, reflects our experience in this
field, and gives an outlook on further improvements:
• Interface management (System / OEM / Suppliers /
Software)
• Requirements Engineering
• Design and Alternatives Evaluation
• Test, Verification, and Validation
• Safety Management and Safety Analysis
• Assessment and Audit Support
• Change Management
The paper concludes with a summary of advantages and
achievements, a discussion of remaining challenges, and an outlook on possible future solutions.
Introduction to MBSE
EBC460 is TRW's latest generation slip control system, which is part of a modular family that offers a variety of products for
vehicle manufacturers, including integration options and
regenerative braking capabilities. It covers the modular product family:
• ABS
• ESC-Standard and Value Line

SysML as Backbone for Engineering and Safety - Practical Experience with TRW Braking ECU
2014-01-0212
Published 04/01/2014
Tomislav Lovric, Manuel Schneider-Scheyer, and Samir Sarkic
TRW Automotive GmbH
CITATION: Lovric, T., Schneider-Scheyer, M., and Sarkic, S., "SysML as Backbone for Engineering and Safety - Practical
Experience with TRW Braking ECU," SAE Technical Paper 2014-01-0212, 2014, doi:10.4271/2014-01-0212.
Copyright © 2014 SAE International