LHP Blog and Technical Articles

What is Tailoring in Functional Safety?

Written by Ashutosh Chandel | Feb 15, 2023 7:24:45 PM

The international standard that governs functional safety for road vehicles is ISO 26262:2018, “Road vehicles — Functional safety”; its Part 2, “Management of functional safety”, defines how the safety lifecycle is managed. The standard is comprehensive and detailed, and it covers every activity that can apply to a safety-related system during the safety lifecycle. But not every system is so broad and complex that every part of ISO 26262 applies to it. Some organizations build products that are subsystems intended to be installed as part of a greater system, and what they create is less complex than the systems their products go into. Other systems are simply less complex than their peers and do not contain all of the features and capabilities that the standard addresses. How does an organization comply with a standard when the standard itself is broader in complexity and scope than the product the organization is manufacturing? The answer lies in customizing the safety activities to the needs of the system, using a process called tailoring. Much like a clothing tailor trims and adjusts an article of clothing to fit a specific person, the set of activities prescribed by ISO 26262 can be adjusted to fit a given system. But tailoring in functional safety must be performed according to strict rules. There is more than one way that tailoring can be applied, and the impacts can be far-reaching.

What is the definition of tailoring?

Let’s get a clearer understanding of what we mean by the word “tailoring”.

Simply put, tailoring is an act of customization for the purpose of providing the best solution for a given situation. According to ISO 26262-2:2018, Clause 6.4.5.1, the safety activities for a specific item under development may be tailored to the needs of that item and its intended use. This allowance for deviation can result in safety activities being omitted, or being performed in a manner that differs from what the reference ISO 26262 safety lifecycle prescribes.

But why would we bother? Isn’t all this tailoring work a big and complex hassle? Why not just apply every conceivable procedure in every instance, the old belt-and-suspenders approach, to be as safe as possible?

Because that wouldn’t be safer.

There is an old adage: “If the only tool in your toolbox is a hammer, everything becomes a nail.” Applying one identical process to every situation regardless of actual need would at best create an illusion of greater safety that fools only the under-informed, and it would be wasteful to the point of being unaffordable. You do not reduce risk, or save money, by applying irrelevant measures for the sake of appearances. In most instances it is not even possible: you cannot reduce a risk further if there was no real risk to begin with.

So, tailoring uses customization to zero in on the classified risks and reduce them in the most efficient manner possible.

The scope of tailoring

For a given application, the organization may tailor the safety lifecycle for its items or elements, but only if the tailoring is confined to:

  • splitting or combining sub-phases, activities, or tasks,
  • performing a task or an activity in a different phase or sub-phase,
  • performing an activity or task in a phase or sub-phase that has been added,
  • iterating the phases or sub-phases,
  • performing safety activities concurrently with the safety activities of other phases or sub-phases (provided that the work complies with Clause 6.4.7.1), or
  • omitting a phase or sub-phase that does not apply to the project or organization, based on a rationale.

Sub-phases can also be combined if the method being used makes it difficult to clearly distinguish between them. In other words, if tailoring pares two sub-phases down to the point that they no longer stand meaningfully on their own, and it makes sense to combine them, that is allowed. For example, computer-aided development tools can support the activities of several sub-phases within one step.

How do you document the rationale for tailoring?

Very specific steps must be taken to ensure proper documentation. In particular:

  • The tailoring must be defined in the Safety Plan; and,
  • a rationale must be presented as to why the tailoring is appropriate and sufficient to still achieve functional safety.

The work products listed in Clause 5 (project-independent safety management) that result from this organization-level work include:

  • Organization-specific rules and processes for functional safety, resulting from completing these processes:
    • Clause 5.4.2 Safety Culture.
    • Clause 5.4.3 Management of safety anomalies regarding functional safety.
    • Clause 5.4.4 Competence management.
    • Clause 5.4.5 Quality management system.
    • Clause 5.4.6 Project-independent tailoring of the safety lifecycle.
  • Evidence of competence management, resulting from completing this process:
    • Clause 5.4.4 Competence management.
  • Evidence of a quality management system, resulting from completing these processes:
    • Clause 5.4.5 Quality management system.
    • Clause 5.4.6 Project-independent tailoring of the safety lifecycle.
  • Identified safety anomaly reports, if applicable, resulting from completing this process:
    • Clause 5.4.3 Management of safety anomalies regarding functional safety.

 

How do you determine if any tailoring is needed?

Before you can begin to document the rationale for tailoring, you must first determine whether tailoring is needed in the first place. This decision is based on how much risk the malfunctioning behaviour of a particular item might create under a variety of operating situations. ISO 26262 defines a process for determining these risks consistently, so they can be weighed individually and compared to each other.

The Automotive Safety Integrity Level (ASIL) is the risk classification scheme defined in ISO 26262. An ASIL (A, B, C or D, with D the most stringent) expresses the level of risk reduction required to avoid a specific hazard; a hazardous event that needs no ASIL-specific measures is rated QM (quality management) and is handled by the normal quality process.

In this scheme, risks are classified and weighed to score their criticality to safety. At the beginning of the safety lifecycle, a hazard analysis and risk assessment (HARA) is performed to determine the appropriate ASIL. Each hazardous event is classified by the severity of the injuries it can be expected to cause, the probability of exposure to the operating situation in which it occurs, and the controllability of the event by the driver or other persons involved. This makes it practical to weigh one risk against another, even when vastly different technologies are in play.

What is the impact of the ASILs on tailoring?

The ASIL assessment process factors in the severity of a hazardous event, the likelihood of it happening, and the ability to control the event. The criticality of the risk determines the priority for addressing it and how it must be addressed. In turn, this information helps to determine whether any form of tailoring is needed and if so, what kind.
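As an added example, not code from the original article, the following Python sketch applies the ASIL determination table of ISO 26262-3:2018 (Table 4) to a small set of hazardous events, rolls each safety goal up to the highest ASIL of the events it covers, and lists the safety goals that fall at or below a chosen threshold, which are the items a tailoring rationale in the safety plan would typically argue need fewer safety activities. The hazardous events, safety goal names and helper names are constructed for illustration and do not come from any real item.

```python
"""ASIL determination per ISO 26262-3:2018 Table 4, plus a roll-up of
hazardous-event ASILs to the safety-goal level.

Added example.  The HARA rows in SAMPLE_EVENTS are constructed and the
helper names are this example's own, not names from the standard.
"""
from dataclasses import dataclass

# (S, E) -> ASIL for (C1, C2, C3).  Class 0 in any dimension (S0: no
# injuries, E0: incredible, C0: controllable in general) yields no ASIL
# requirement (QM) and is handled before the table lookup.
_ASIL_TABLE = {
    (1, 1): ("QM", "QM", "QM"),
    (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),
    (1, 4): ("QM", "A", "B"),
    (2, 1): ("QM", "QM", "QM"),
    (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A", "B"),
    (2, 4): ("A", "B", "C"),
    (3, 1): ("QM", "QM", "A"),
    (3, 2): ("QM", "A", "B"),
    (3, 3): ("A", "B", "C"),
    (3, 4): ("B", "C", "D"),
}

# Ordering used to compare ASILs; QM is below every ASIL.
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


def determine_asil(s: int, e: int, c: int) -> str:
    """Return 'QM' or 'A'..'D' for severity, exposure and controllability
    classes.  Out-of-range classes are rejected rather than silently clamped,
    because a wrong class here propagates into every downstream requirement."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"class out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"
    return _ASIL_TABLE[(s, e)][c - 1]


@dataclass(frozen=True)
class HazardousEvent:
    hazard_id: str
    safety_goal: str
    s: int
    e: int
    c: int

    @property
    def asil(self) -> str:
        return determine_asil(self.s, self.e, self.c)


def safety_goal_asils(events) -> dict:
    """Each safety goal takes the highest ASIL of the hazardous events it
    covers, which is how ISO 26262-3 assigns the ASIL when events are
    combined under one goal."""
    goals: dict = {}
    for ev in events:
        current = goals.get(ev.safety_goal, "QM")
        goals[ev.safety_goal] = max(current, ev.asil, key=ASIL_RANK.__getitem__)
    return goals


def tailoring_candidates(goals: dict, threshold: str = "QM") -> list:
    """Safety goals at or below `threshold` are the ones for which a
    tailoring rationale (omitting or simplifying ASIL-specific activities)
    is plausible.  The ASIL itself is the rationale that still has to be
    written into the safety plan; the code only sorts the candidates out."""
    limit = ASIL_RANK[threshold]
    return sorted(g for g, a in goals.items() if ASIL_RANK[a] <= limit)


# Constructed sample HARA rows for an illustrative electric parking brake.
SAMPLE_EVENTS = [
    HazardousEvent("HZ-01", "SG-1 No unintended brake apply while driving", s=3, e=4, c=3),
    HazardousEvent("HZ-02", "SG-1 No unintended brake apply while driving", s=3, e=3, c=2),
    HazardousEvent("HZ-03", "SG-2 No loss of hold on a slope", s=2, e=2, c=2),
    HazardousEvent("HZ-04", "SG-3 Correct brake status indication", s=0, e=4, c=3),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.hazard_id}: S{ev.s} E{ev.e} C{ev.c} -> {ev.asil}")
    goals = safety_goal_asils(SAMPLE_EVENTS)
    for goal, asil in goals.items():
        print(f"{goal}: {asil}")
    print("candidates for tailoring (QM only):", tailoring_candidates(goals))
```

A useful cross-check when reviewing a HARA is that, for classes 1 and above, the table is equivalent to the rule ASIL = A, B, C, D when S + E + C equals 7, 8, 9, 10 and QM otherwise; a table entry that breaks that pattern has been transcribed wrongly.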

So, ASILs are assigned in a consistent manner that makes it practical to compare hazards against each other. But as the rationale for tailoring the safety requirements is identified and documented, the impact of these ASILs on tailoring depends on whether the tailoring is going to be applied:

  • across the entire organization (a company that only makes less-complex systems), or
  • only to some of the items the organization creates (a company that makes a variety of systems that vary in complexity).

For tailoring that applies to a specific item, the ASILs of the corresponding requirements must be taken into consideration. The rationale for the tailoring must be included in the Safety Plan and this rationale is reviewed, either during the confirmation review of the Safety Plan or during the functional safety assessment.

In contrast, for tailoring that applies across everything that an organization creates, only the criteria for project-independent tailoring of the safety lifecycle (Clause 5.4.6) apply.

When is tailoring allowed?

Tailoring is allowed only under specific conditions: it must stay within the scope listed above, its rationale must take into account the ASILs of the corresponding requirements, and that rationale must be included in the safety plan, where it is reviewed either during the confirmation review of the safety plan or during the functional safety assessment.

Postscript: Defining the tailoring within the Safety Plan

While the planning requirements of Clause 6, Project dependent safety management, are not strictly part of the tailoring clauses, it can be enlightening to briefly look downstream and examine the “next step” activities that can be impacted by tailoring, to help put the tailoring process itself into context.

Clause 6.4.6.5 details the various considerations around the planning of the activities and the procedures for achieving functional safety, all of which need to be defined in the Safety Plan. These include:

  • The definition of the tailored activities.
  • How the project-independent safety activities will be implemented. There must be a plan for the safety activities that demonstrates compliance with the requirements of ISO 26262-3, ISO 26262-4, ISO 26262-5, and ISO 26262-6.
  • A plan for the supporting processes, such as Development Interface Agreements (DIAs), which define the interface of this safety plan with the safety plans of other organizations within a distributed development environment.
  • The planning of integration and verification activities.
  • The planning of safety validation activities.
  • The scheduling of the confirmation reviews.
  • The scheduling of the functional safety audit.
  • The scheduling of the functional safety assessment.
  • The degree of independence that will be given to a person carrying out a confirmation measure. The Safety Manager is responsible for scheduling the confirmation measures, but the details of the confirmation measure are the responsibility of the person assigned to completing that measure.
  • The planning of the analysis of dependent failures, if any.
  • The definition of all required safety analyses; their objectives and scopes will depend on their respective sub-phases and their context.
  • The provisions for the proven-in-use arguments for each candidate, if applicable.
  • The provisions for establishing the level of confidence in using each software tool, if applicable.

These necessary considerations can consume a great deal of time and resources. But they can also be impacted greatly by tailoring. This circles back to the earlier point about how tailoring uses customization to zero in on the classified risks with efficiency. Look at that list again and think about all the work that would not have to be performed if tailoring is properly implemented upstream. And this is only one example; there are many others in ISO 26262.

Use the ASIL system to classify the risks. Use tailoring to focus on the risks that need to be addressed, and don’t waste time and resources on items that are below the risk threshold. This is the power of tailoring, making the most of our limited time and resources to enable the greatest impact on functional safety in the most efficient manner possible.

Interested in learning more about Functional Safety for your organization? Contact our team today!