The international standard that governs functional safety is ISO 26262-2:2018, “Road vehicles — Functional safety — Part 2: Management of functional safety”. It is a comprehensive and detailed document that covers the full set of safety activities for safety-related systems across the safety lifecycle. But not every system is so broad and complex that every part of ISO 26262 can be applied to it. Some organizations build products that are subsystems intended to be installed as part of a greater system, and what they create is less complex than the systems their products are going into. Other systems are simply less complex than most and do not contain all of the features and capabilities that the standard addresses. How does an organization comply with a standard when the standard itself is broader in complexity and scope than the product that the organization is manufacturing? The answer lies in customizing the safety requirements to the needs of the system, using a process called tailoring. Much like a clothing tailor can trim and adjust an article of clothing to provide the best fit for a specific person, the list of processes prescribed by ISO 26262 can be customized to meet the unique needs of a given system. But tailoring in functional safety must be carried out according to strict rules. There is more than one way that tailoring can be applied, and the impacts can be far-reaching.
Let’s get a clearer understanding of what we mean by the word “tailoring”.
Simply put, tailoring is an act of customization for the purpose of providing the best solution for a given situation. According to ISO 26262-2:2018, Clause 6.4.5.1, the safety activities for a specific item under development may be tailored to meet the needs of that item and the situations in which it will be used. This allowance for deviation can result in safety activities being omitted, or performed in a manner that differs from what the broader reference ISO 26262 safety lifecycle prescribes.
But why would we bother? Isn’t all this tailoring work a big and complex hassle? Why not just apply every conceivable procedure in every instance, the old belt-and-suspenders approach, to be as safe as possible?
Because that wouldn’t be safer.
There is an old adage that says, “If the only tool in your toolbox is a hammer, everything becomes a nail.” Attempting to apply a single identical process to every situation regardless of actual need would at best provide an illusion of greater safety that would only fool the under-informed. And it would be unsustainably wasteful to the point of being unaffordable. You don’t reduce risk or save money by applying irrelevant measures for the sake of grandstanding. Besides, in most instances it is impossible: you can’t reduce a risk any further if there was no real risk to address in the first place.
So, tailoring uses customization to zero in on quantified risks to reduce those risks in the most efficient manner possible.
For a given application, the organization may tailor the safety lifecycle across items or elements, but only if this tailoring is confined to:
Sub-phases can also be combined if the method being used makes it difficult to clearly distinguish between the individual sub-phases. In other words, if the act of tailoring pares down two sub-phases to the point that it is difficult for them to continue standing on their own, but it makes sense to combine them, that is allowed. For example, computer-aided development tools can support the activities of several sub-phases within one step.
Very specific steps must be taken to ensure proper documentation. In particular:
Several items are produced during this work. They include:
Before you can begin to document the rationale for tailoring, you must first determine whether tailoring is needed in the first place. This decision is based on how much of a threat the malfunction of a particular component might pose under a variety of conditions. ISO 26262 defines a process for determining these risks with consistency, so they can be weighed individually and compared to each other.
The Automotive Safety Integrity Level (ASIL) is the risk classification system defined in ISO 26262. An ASIL classification indicates the level of risk reduction that is required to prevent a specific hazard.
In this system, risks are classified and weighed to score their criticality to safety. At the beginning of the safety lifecycle, hazard analysis and risk assessment practices are used to determine the appropriate ASIL. Each hazardous event is classified, starting from the severity of the injuries that it can be expected to cause. This makes it practical to weigh one risk against another, even when vastly different technologies are in play.
The ASIL assessment process factors in the severity of a hazardous event, the likelihood of it happening, and the ability to control the event. The criticality of the risk determines the priority for addressing it and how it must be addressed. In turn, this information helps to determine whether any form of tailoring is needed and if so, what kind.
So, the ASILs are classified in a consistent manner that makes it practical to compare them against each other. But as the rationale for tailoring the safety requirements is identified and documented, the impact of these ASILs on tailoring depends on whether the tailoring is going to be applied:
For tailoring that applies to a specific item, the ASILs of the corresponding requirements must be taken into consideration. The rationale for the tailoring must be included in the Safety Plan and this rationale is reviewed, either during the confirmation review of the Safety Plan or during the functional safety assessment.
In contrast, for tailoring that applies across everything that an organization creates, only the criteria for project-independent tailoring of the safety lifecycle apply.
There are specific conditions under which tailoring may take place. The rationale takes into account the ASILs of the corresponding requirements. It is then included in the safety plan and is either reviewed during the confirmation review of the safety plan or during the functional safety assessment.
While Clause 6, Project dependent safety management, is not strictly a part of the tailoring clauses, it can be enlightening to briefly look downstream and examine the “next step” activities that can be impacted by tailoring, to help put the tailoring process itself into context.
Clause 6.4.6.5 details the various considerations around the planning of the activities and the procedures for achieving functional safety, all of which need to be defined in the Safety Plan. These include:
These necessary considerations can consume a great deal of time and resources. But they can also be impacted greatly by tailoring. This circles back to the earlier point about how tailoring uses customization to zero in on quantified risks with efficiency. Look at that list again and think about all the work that would not have to be performed if tailoring is properly implemented upstream. And this is only one example; there are many others in ISO 26262.
Use the ASIL system to classify the risks. Use tailoring to focus on the risks that need to be addressed, and don’t waste time and resources on items that are below the risk threshold. This is the power of tailoring, making the most of our limited time and resources to enable the greatest impact on functional safety in the most efficient manner possible.