Automotive Functional Safety is the proper implementation of protective functions that safeguard people from unacceptable risk or injury from the use of a product or system. It is the achievement of specific criteria through the correct performance of formal processes defined in certain international standards.
Functional safety management details how the functional safety standards and methods are invoked throughout the three Functional Safety Life Cycle phases. If ISO 26262 defines the standard for achieving functional safety, then functional safety management governs all the activities and processes necessary to fulfill its requirements. The focus of managing the program, from initiation through the full development lifecycle, is to ensure that conflicts do not arise at the last minute and that every safety activity is planned for and incorporated into the project plan.
The need for functional safety arises from the way our technology has increased in complexity and taken us forward into an expanded realm of opportunities and risks. We need to be able to anticipate problems before they occur and decide what to do. Electronic systems fail, almost with inevitability. We need to have a good understanding and some preparedness around what is likely to happen when those failures materialize.
There are different types of failures, or faults, that can occur for different reasons:
We need to understand, ahead of time, how a system would react when such a failure occurs. Part of the analysis of safety-critical systems is to anticipate those types of issues and assume they will happen. And since the analysis process assumes that they will happen, a couple of things need to be in place.
One is that we need to have a good understanding of how the system will behave, and that understanding must be deterministic. We need to understand the behavior in time, the responses, and how the results of the responses propagate to different systems. If one system fails, will that affect another system? And ultimately, how will the vehicle dynamics be affected?
For example, if the vehicle comes to a sudden halt, we need to know whether it is going to run away from us, whether the driver will still be able to control it, and how the public is going to react to those types of scenarios. Will the vehicle remain controllable not only by a trained or expert driver, but also when it is being operated by people with slower reflexes? Will it remain controllable in different weather conditions, or in varied environments such as a busy, crowded urban setting or the challenging geography of mountainous terrain?
To turn those considerations (and many more) into useful work that creates a functionally safe product or system, they must be processed and managed using the methodical, thorough, and repeatable process defined in the international standards IEC 61508 / IEC 61511 – Functional Safety Management (FSM), and ISO 26262 – Automotive Functional Safety Management (A-FSM).
Safety characteristics and behavior must be specified, and then designed into the product or system. The Functional Safety Life Cycle plays a critical role in defining how functional safety is to be implemented and accomplished. It consists of three phases:
The management of functional safety is overseen by the safety manager. However, implementing the management of safety is not just a separate thing that “somebody else” is doing over in the corner, with the safety manager off to the side, doing their own thing. No, the management of functional safety needs to be integrated into the entire project plan, from top to bottom, from start to finish. And, it is the job of the safety manager and the objective of functional safety, to make sure that is happening.
Right from the start, the rest of the team needs to be aware of, respect, and acknowledge the independence and authority of the safety manager. A safety manager is critical in these types of projects because you want someone in the role who is free and independent from the pressures of accounting for other aspects of the project, such as budget, schedule, or resources. Their sole focus is the safety of the product. Sometimes people want to take shortcuts. There are customer milestones that need to be adhered to, such as making the target date for the start of production. When it comes to the safety objectives and the safety manager, all of that is irrelevant. If it's safe, it's safe; if it's not, the safety manager needs to speak up about it. He or she needs to raise the flag to the right people to make sure that functional safety is not compromised. In essence, that is the main purpose of a safety manager.
The safety manager may not own control of the resources; nonetheless, it is the responsibility of the safety manager to ensure that adequate resources are in place. For example, these can include adequate knowledge, expertise, time, and availability. In theory, the safety manager should be working closely with the program manager or the project manager to ensure that they are achieving synergy in all the decisions that are being made and that safety is appropriately considered. All the leaders must recognize that everybody else at that table has a reason for being there.
Part of the planning and execution of the safety measures is to ensure that, yes, everything is progressing as planned, all the steps are being adhered to, and no shortcuts are being taken. That is all part of monitoring, because in real life, once a program gets rolling, deadlines get tight. Sometimes they slip, and there can be a lot of pressure to take shortcuts.
The functional safety manager must focus on functional safety from now until the product is delivered, and beyond. That focus and attention to detail continues throughout the process; it never ends. There must also be steps in the process after the system is released; the job is not done once the vehicle is deployed. How is the safety of that vehicle or product going to be monitored once it enters production? Once feedback is received from the public, if any issues become known, how are they communicated back to the engineering team and corrected? How is it ensured that identical or similar errors are not propagated into similar designs? In our industry, many vehicles are designed based upon past vehicles that continue to be improved, so this is something we pay very close attention to. Ownership of safety doesn't end when the product is delivered.
Typically, we have found that either customers are used to designing things in a certain manner using legacy processes where functional safety wasn't taken into consideration, or they have been implementing part of the standard but not all of it, or their customers begin to mandate functional safety. In response, they must change the way they do business with both their customers and their suppliers and change how they do things internally. However, change is difficult, especially for large organizations. It doesn't happen overnight, and their corporate culture needs to adapt.
We try to focus on methodically introducing change. We don't change everything overnight. Instead, change is introduced little by little, with a focus on the high-priority items. We educate as we go, so our customers understand the reason for a change before it is implemented, and how it will improve the overall process.
Slowly, we start introducing the proper changes in the proper order, not only at the company level but also at the product level. Typically, products that are being developed now, or were developed in the past, are going to be the baseline for the next iteration. You rarely have a design that is starting from scratch, because doing so is expensive.
The safety goals are not necessarily created by the safety manager. The safety manager is the person responsible for overseeing all the work and making sure that it is performed to, and adheres to, the standard. Safety managers bring different levels of experience and knowledge. Some safety managers are more technical than others, and some might be more program-management-oriented.
It is important for safety managers to understand their core knowledge and core expertise, but it is also their responsibility to bring in people who can provide guidance whenever there is an area that they are not familiar with, or even to outsource an activity if needed. If a safety manager is responsible for reviewing a particular safety concept, and they don't know the product from a technical perspective, they need to bring in someone with expertise to act as a liaison for the technical activities. However, it is critical that the liaison be independent from that project.
The importance of the safety manager cannot be exaggerated. They cannot be shy about speaking up. They must be respected from the highest levels downward and included in all the meetings and activities in which they should be playing a role. They must have the freedom to speak up in defense of safety, in the face of significant business pressures. They must know the limits of their technical knowledge and not be hesitant to ask for outside independent counsel on technical matters. A good safety manager, properly supported, is one of the best investments a company can make.
For functional safety to be achieved, the functional safety standards must be properly applied in an accurate and complete manner. However, that goal can be achieved in realistic and manageable steps. The cyclical nature of the automotive industry, with its annual new model releases, reliance upon legacy products, and tendency toward an institutional resistance to change, applies a unique combination of pressures not often seen in other industries. It is of paramount importance to have a properly supported safety manager and pool of experts who are outside the pressures and obligations of schedules and budgets. With these assets in place, and full buy-in at every level, the goal of achieving true functional safety is attainable by any organization that is willing to take the proper steps and stay the course.
How are safety goals developed for functional safety management?