1 min read
What is Tailoring in Functional Safety?
What is Tailoring in Functional Safety? The international standard that governs functional safety is ISO 26262-2:2018, “Road vehicles — Functional...
9 min read
Ashutosh Chandel : Mar 20, 2023 9:53:21 AM
Safety is one of the primary influences in the development of modern road vehicles. This influence is defined by a term with a specific meaning, functional safety. Simply put, functional safety can be thought of as a series of systems that protect the user from the technology, and the technology from the user, but its primary purpose is to protect the user from harm. But how do you know when you have accomplished it? To achieve functional safety in an efficient and logical manner that can be measured and evaluated with consistency, international standards are utilized to guide and manage this work. However, functional safety activities are not one-size-fits-all. Each vehicle design is unique and brings to the table different concepts, technologies, capabilities, and challenges. The same can also be said for the organizations themselves that contribute to the design and manufacture of the vehicle.
To address all of these variations in a consistent and trustworthy manner, ISO 26262:2018 Road vehicles - Functional safety, was created by the International Organization for Standardization (ISO). This standard provides a reliable reference during the whole of the automotive safety lifecycle, while remaining flexible enough to adapt to the unique requirements of each instance. This flexibility is achieved in large part through the competent management of functional safety activities, and the efficiencies that can be found in the customization that is offered by a project-dependent safety management approach. This technique enables the conduct of only the necessary safety activities, based on the unique needs of a given vehicle’s design.
To place the role of project-dependent safety management in perspective, it is helpful to take a step back and review how project-dependent safety management fits into the bigger picture of functional safety activities. To accomplish this, let’s start at the top of the standards hierarchy and drill down to the project level.
We have established that ISO 26262 is the overarching body of work that guides an organization through the achievement of functional safety by providing a reference for organizations to follow during the automotive safety lifecycle. But what, exactly, is the “automotive safety lifecycle?”
The automotive safety lifecycle consists of a series of activities that occur in a logical order:
The ISO 26262 series of standards consists of nine parts that are relevant to automotive:
Note: Three additional parts of ISO 26262 are related to other technical realms. While they may not be directly tied to automotive, it is useful to be aware of them:
Within the nine parts of ISO 26262 that are relevant to automotive, Part 2: Management of functional safety, is scoped to address possible hazards caused by electrical and electronic safety-related systems that malfunction, including the interaction of these systems with each other, and other systems in the vehicle. It describes a framework upon which functional safety activities can be structured and implemented to develop safety-related electrical and electronic systems.
Within Part 2, there are a series of seven numbered chapters, referred to as Clauses. They include:
Part 2 also includes a series of informative annexes:
To work through all of the automotive safety lifecycle activities and generate results that make sense and are actionable, we need a way of analyzing, labeling, measuring, and classifying these safety considerations and what we learn from them, as the needed activities are identified and conducted. This work is fundamental, yet very important. It quantifies diverse requirements and enables us to measure their effectiveness in a consistent and relevant manner as we compare these results against each other. This is where Automotive Safety Integrity Levels (ASILs) come into play.
The ASIL process is an automotive-specific risk-based approach that classifies risks in a manner that is consistent and actionable. It studies the severity, exposure, and controllability of each vehicle operating scenario, and then applies risk analysis processes to these potential hazards to assign an ASIL classification to each risk.
These ASIL classifications, which are simply referred to as ASILs in common usage, are then used to specify which of the requirements of ISO 26262 are applicable to avoid unreasonable residual risk. They provide the requirements for functional safety management, design, implementation, verification, validation, and confirmation measures. And, they provide the requirements for relations between customers and suppliers.
It is typically not necessary to complete every conceivable activity in the standard, or every step in a given activity, every single time, for every component or system. The keyword here is relevance. The activities that need to be completed, and the steps therein that are relevant, are dependent on the nature of the project itself.
For example, if an organization supplies brake system components, there may be no reason to require them to test headlight controls, but the correlation of their components to the brake light system could be quite relevant. On the other hand, if the organization is the one building and selling the vehicle, both of these systems and many more would have to be addressed.
Every combination of systems and scenarios is different. To address the unique characteristics of these systems and the components being tested, the ISO 26262 series of standards accommodate the need for customization by supporting the tailoring of the activities that need to be performed during the various lifecycle phases of the vehicle. Although the scope of the tailoring depends on the nature of the project and its influence can ripple through any of the parts of the ISO 26262 series, the planning activities for defining and implementing tailoring can be found in Clause 5.4.6 Project-Independent tailoring of the safety lifecycle. This clause addresses the tailoring of the safety lifecycle across items or elements at the phase, sub-phase, activity, or task level.
Once the tailoring activities are completed, the scope of the work is pretty much defined. It is only after the work in Clause 5 is completed, that Clause 6 Project-dependent safety management then comes into play. By performing these clauses in their proper order, effort is not wasted on planning safety management activities for considerations that end up being out of the scope of the project. Tailor first, then plan your management of the required safety work.
Now that we have established the hierarchy of the elements within the standard and have a better understanding of their relative scopes and how they nest within each other, let’s examine in detail Clause 6: Project dependent safety management.
Clause 6 is focused on organizations that are in either the concept phase or the development phase of their project. It applies to projects at the system, hardware, or software level.
The proper implementation of Clause 6 shall:
This helps to ensure that everyone involved with the project clearly understands who is doing what, and what each person is responsible for.
Clause 6 drives a series of analyses:
Clause 6 is employed as a planning tool throughout the safety lifecycle. It is used to:
Clause 6 is used to structure judgment processes to confirm whether functional safety has been achieved. It is used to:
In the instance of a supplier who conducts their own functional safety assessment activities upon an element, the overall achievement of functional safety is assessed by judging the contributions of the activities applied to that element. A confirmation review is employed to assess work products.
Clause 6 is utilized at the end of the development process, to determine whether the item or element(s) can be released for production. This determination is based upon sufficient evidence being presented to justify confidence that functional safety has been achieved.
In general, the following steps are performed, in order:
Clause 6.4.9. Table 1 is an extensive table that details the following:
This table is detailed and specific. It includes, but is not limited to, the following measures:
We have explored the kind of activities that Clause 6 drives forward. But what are the inputs that feed into Clause 6? Select information serves as inputs, including prerequisites and further supporting information.
Prerequisites can include:
Further supporting information can also be considered if it is applicable:
Examples can include product concepts, requests for modifications, implementation planning, or proven-in-use arguments.
Clause 6: Project-dependent safety management is a large segment of Part 2 of the standard, too vast to encapsulate it all in one article. Let’s recap what we have covered and lay out the roadmap for the next steps in our journey.
This article has covered foundational information that details the hierarchy and relationship between functional safety, the automotive safety lifecycle, ISO 26262, and its Clauses. We have begun our exploration of the details of Clause 6, examined how the project is managed and conducted, and identified the inputs that feed into Clause 6.
But our journey is only beginning. The next step is to examine in detail the requirements and recommendations of Clause 6, and the roles and responsibilities of the safety management team. We will compare and contrast the impact analysis at the item level, the reuse of existing elements, the tailoring of the safety activities, the planning and coordination of the safety activities, and the progression of the safety lifecycle.
We will examine the case for safety and confirmation measures. We will explore the processes for conducting confirmation reviews, functional safety audits, and functional safety assessments. We will conclude by examining the steps necessary to approve the item as released for production and summarize the work products that all of Clause 6 produces.
Project-dependent safety management allows an organization to tailor its safety activities to the unique considerations of both the organization and the items they produce and utilize. It safeguards necessary activities while keeping the focus on only those activities that are truly relevant. This balance of standardization and customization empowers organizations to maximize the most efficient and effective project designs in their pursuit of functional safety.
1 min read
What is Tailoring in Functional Safety? The international standard that governs functional safety is ISO 26262-2:2018, “Road vehicles — Functional...
The question: When looking at functional safety, what is the difference between being ISO 26262 compliant and being ISO 26262 certified?
Why is Safety at the Core of Software-Defined Vehicles? Creating technology can be a complicated and time-consuming process. At LHP Engineering...