An Introduction to Project-Dependent Safety Management
Safety is one of the primary influences in the development of modern road vehicles. This influence is captured by a term with a specific meaning: functional safety. Simply put, functional safety can be thought of as a series of systems that protect the user from the technology, and the technology from the user, but its primary purpose is to protect the user from harm. But how do you know when you have accomplished it? To achieve functional safety in an efficient and logical manner that can be measured and evaluated with consistency, international standards are utilized to guide and manage this work. However, functional safety activities are not one-size-fits-all. Each vehicle design is unique and brings to the table different concepts, technologies, capabilities, and challenges. The same can also be said for the organizations themselves that contribute to the design and manufacture of the vehicle.
To address all of these variations in a consistent and trustworthy manner, ISO 26262:2018, Road vehicles - Functional safety, was created by the International Organization for Standardization (ISO). This standard provides a reliable reference during the whole of the automotive safety lifecycle, while remaining flexible enough to adapt to the unique requirements of each instance. This flexibility is achieved in large part through the competent management of functional safety activities, and through the efficiencies that can be found in the customization offered by a project-dependent safety management approach. This technique enables an organization to conduct only the necessary safety activities, based on the unique needs of a given vehicle's design.
To place the role of project-dependent safety management in perspective, it is helpful to take a step back and review how project-dependent safety management fits into the bigger picture of functional safety activities. To accomplish this, let’s start at the top of the standards hierarchy and drill down to the project level.
Table of Contents
- Breaking it down: A brief review of the relationship between functional safety, the automotive safety lifecycle, ISO 26262, and its Clauses
- Exploring Clause 6: Project-dependent safety management
- How is the project managed and conducted?
- What are the inputs to Clause 6?
- Intermediate summary, and next steps
Breaking it down: A brief review of the relationship between functional safety, the automotive safety lifecycle, ISO 26262, and its Clauses
The automotive safety lifecycle
We have established that ISO 26262 is the overarching body of work that guides an organization through the achievement of functional safety by providing a reference for organizations to follow during the automotive safety lifecycle. But what, exactly, is the “automotive safety lifecycle?”
The automotive safety lifecycle consists of a series of activities that occur in a logical order:
- First, the vehicle design is developed, tested, and validated.
- Then, the vehicle is placed into production.
- The built vehicles are placed into operation out in the real world.
- During their operational lifecycle, the vehicles are serviced as required.
- When the design reaches the end of its useful life, decommissioning occurs. This phase helps ensure that the safety considerations of the remaining vehicles in operation are properly addressed.
The ISO 26262 series of standards
The ISO 26262 series of standards consists of nine parts that are relevant to automotive:
- Part 1: Vocabulary
- Part 2: Management of functional safety
- Part 3: Concept phase
- Part 4: Product development at the system level
- Part 5: Product development at the hardware level
- Part 6: Product development at the software level
- Part 7: Production, operation, service and decommissioning
- Part 8: Supporting processes
- Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses
Note: Three additional parts of ISO 26262 are related to other technical realms. While they may not be directly tied to automotive, it is useful to be aware of them:
- Part 10: Guidelines on ISO 26262
- Part 11: Guidelines on application of ISO 26262 to semiconductors
- Part 12: Adaptation of ISO 26262 for motorcycles
Part 2: Management of functional safety
Within the nine parts of ISO 26262 that are relevant to automotive, Part 2: Management of functional safety is scoped to address possible hazards caused by malfunctioning electrical and electronic safety-related systems, including the interaction of these systems with each other and with other systems in the vehicle. It describes a framework upon which functional safety activities can be structured and implemented to develop safety-related electrical and electronic systems.
Within Part 2, there are a series of seven numbered chapters, referred to as Clauses. They include:
- Clause 1: Scope
- Clause 2: Normative references
- Clause 3: Terms and definitions
- Clause 4: Requirements for compliance
- Clause 5: Overall safety management
- Clause 6: Project-dependent safety management
- Clause 7: Safety management regarding production, operation, service and decommissioning
Part 2 also includes a series of informative annexes:
- Annex A: Overview of and workflow of functional safety management
- Annex B: Safety Culture
- Annex C: Guidance on potential interaction of functional safety with cybersecurity
Classifying risks using Automotive Safety Integrity Levels (ASILs)
To work through all of the automotive safety lifecycle activities and generate results that make sense and are actionable, we need a way of analyzing, labeling, measuring, and classifying these safety considerations and what we learn from them, as the needed activities are identified and conducted. This work is fundamental and very important. It quantifies diverse requirements and enables us to measure their effectiveness in a consistent and relevant manner as we compare these results against each other. This is where Automotive Safety Integrity Levels (ASILs) come into play.
The ASIL process is an automotive-specific risk-based approach that classifies risks in a manner that is consistent and actionable. It studies the severity, exposure, and controllability of each vehicle operating scenario, and then applies risk analysis processes to these potential hazards to assign an ASIL classification to each risk.
These ASIL classifications, which are simply referred to as ASILs in common usage, are then used to specify which of the requirements of ISO 26262 are applicable to avoid unreasonable residual risk. They provide the requirements for functional safety management, design, implementation, verification, validation, and confirmation measures. And, they provide the requirements for relations between customers and suppliers.
The relationship between project-independent tailoring and project dependence
It is typically not necessary to complete every conceivable activity in the standard, or every step in a given activity, every single time, for every component or system. The keyword here is relevance. The activities that need to be completed, and the steps therein that are relevant, are dependent on the nature of the project itself.
For example, if an organization supplies brake system components, there may be no reason to require them to test headlight controls, but the correlation of their components to the brake light system could be quite relevant. On the other hand, if the organization is the one building and selling the vehicle, both of these systems and many more would have to be addressed.
Every combination of systems and scenarios is different. To address the unique characteristics of these systems and the components being tested, the ISO 26262 series of standards accommodates the need for customization by supporting the tailoring of the activities that need to be performed during the various lifecycle phases of the vehicle. Although the scope of the tailoring depends on the nature of the project, and its influence can ripple through any of the parts of the ISO 26262 series, the planning activities for defining and implementing tailoring can be found in Clause 5.4.6, Project-independent tailoring of the safety lifecycle. This clause addresses the tailoring of the safety lifecycle across items or elements at the phase, sub-phase, activity, or task level.
Once the tailoring activities are completed, the scope of the work is largely defined. It is only after the work in Clause 5 is completed that Clause 6, Project-dependent safety management, comes into play. By performing these clauses in their proper order, effort is not wasted on planning safety management activities for considerations that end up being out of the scope of the project. Tailor first, then plan your management of the required safety work.
Exploring Clause 6: Project-dependent safety management
Now that we have established the hierarchy of the elements within the standard and have a better understanding of their relative scopes and how they nest within each other, let's examine in detail Clause 6: Project-dependent safety management.
What are the objectives of project-dependent safety management?
Clause 6 is focused on organizations that are in either the concept phase or the development phase of their project. It applies to projects at the system, hardware, or software level.
Objective 1: Establish definitions and assignments
The proper implementation of Clause 6 shall:
- Define the roles within safety activities, and
- Assign the roles and responsibilities within safety activities.
This helps to ensure that everyone involved with the project clearly understands who is doing what, and what each person is responsible for.
Objective 2: Guide the conduct of analyses
Clause 6 drives a series of analyses:
- Impact analysis at the item level: This activity identifies whether an item is:
  - a new item,
  - a modification of an existing item, or
  - an existing item with a modified environment.
- Analysis of the implications of modifications on functional safety:
  - Applies to either one modification or multiple modifications.
- Impact analysis at the element level:
  - Applies when an existing element is reused.
  - Evaluates whether the reused element is capable of complying with the safety requirements that have been allocated to that element.
  - Takes into consideration the operational context in which the element is reused.
Objective 3: Define the safety activities
Clause 6 is employed as a planning tool throughout the safety lifecycle. It is used to:
- Define tailored safety activities:
  - Provides the rationales for tailoring.
  - Structures reviews of the rationales.
- Provide the structure for planning safety activities:
  - Directs the planning of safety activities.
  - Coordinates and tracks the progress of the safety activities in accordance with the safety plan.
  - Plans the distributed developments defined in ISO 26262-8:2018, Clause 5, Interfaces within distributed developments.
  - Helps ensure that safety activities proceed in the correct order.
  - Helps ensure that safety activities progress at an appropriate pace.
Objective 4: Validate the achievement of functional safety
Clause 6 is used to structure judgment processes to confirm whether functional safety has been achieved. It is used to:
- Capture and structure a safety case:
  - Provides the argument that functional safety has been achieved, in a manner that can be readily comprehended.
- Employ a functional safety assessment:
  - Helps to determine whether the item has achieved functional safety.
In the instance of a supplier who conducts their own functional safety assessment activities upon an element, the overall achievement of functional safety is assessed by judging the contributions of the activities applied to that element. A confirmation review is employed to assess work products.
Objective 5: Validate release for production
Clause 6 is utilized at the end of the development process, to determine whether the item or element(s) can be released for production. This determination is based upon sufficient evidence being presented to justify confidence that functional safety has been achieved.
How is the project managed and conducted?
What are the steps in managing project-dependent safety?
In general, the following steps are performed, in order:
- The roles and responsibilities are defined and assigned.
- An impact analysis is performed at the item level. This identifies whether the item in question is a new item, an existing item that has been modified, or an existing item that has been placed in a modified environment:
  - If there have been modifications, the ramifications to functional safety are analyzed.
  - If an existing element is being reused, an impact analysis is performed at the element level that takes into consideration the operational context in which the element is being reused.
- Safety management plans and coordinates the safety activities:
  - They track the progress of the safety activities against the plan.
  - They describe and justify any tailored safety activities.
- The safety planning is thoroughly documented. In a distributed development, the documentation references the development interface agreements with the other parties.
- Based on the applicable ASIL, confirmation measures are performed and granted sufficient independence regarding the available resources, management, and release authority. These can include:
  - Confirmation reviews: Intended to determine whether the key work products provide satisfactory evidence that they contribute to functional safety.
  - A functional safety audit: Assesses the implementation of the processes that are required by the safety activities.
  - A functional safety assessment: Determines whether the item has achieved functional safety. In the case of an element, it assesses whether the development of the element has contributed to the achievement of functional safety.
- Verification activities are also performed. They confirm that the associated work products fulfill both the project requirements and the technical requirements. Particular attention is given to use cases and failure modes.
- The person who is responsible for the release of the item, or the elements of the item, determines whether the item or element(s) are ready for series production and operation. This is based on the evidence, which must support confidence that functional safety has been achieved.
What are the confirmation measures?
Clause 6.4.9, Table 1, is an extensive table that details the following:
- The confirmation measures.
- The level of independence that applies to each of ASIL A, B, C, and D.
- The scope of each confirmation measure.
This table is detailed and specific. It includes, but is not limited to, the following measures:
- Confirmation review of the impact analysis at the item level.
- Confirmation review of the hazard analysis and risk assessment.
- Confirmation review of the safety plan.
- Confirmation review of the Functional Safety Concept.
- Confirmation review of the Technical Safety Concept.
- Confirmation review of the integration and test strategy.
- Confirmation review of the safety validation specification.
- Confirmation review of the safety analyses and the dependent failure analyses.
- Confirmation review of the safety case.
- Functional safety audit.
- Functional safety assessment.
What are the inputs to Clause 6?
We have explored the kind of activities that Clause 6 drives forward. But what are the inputs that feed into Clause 6? Select information serves as inputs, including prerequisites and further supporting information.
Prerequisites can include:
- Organization-specific rules and processes for functional safety.
- Evidence of competence management.
- Evidence of a quality management system.
Further supporting information can also be considered if it is applicable:
- Project plans from external sources.
- Considerations that are dependent on other activities, including other safety activities.
- Other existing information may prove useful in the conduct of an impact analysis.
Examples can include product concepts, requests for modifications, implementation planning, or proven-in-use arguments.
Intermediate summary, and next steps
Clause 6: Project-dependent safety management is a large segment of Part 2 of the standard, too vast to encapsulate in one article. Let's recap what we have covered and lay out the roadmap for the next steps in our journey.
This article has covered foundational information that details the hierarchy and relationship between functional safety, the automotive safety lifecycle, ISO 26262, and its Clauses. We have begun our exploration of the details of Clause 6, examined how the project is managed and conducted, and identified the inputs that feed into Clause 6.
But our journey is only beginning. The next step is to examine in detail the requirements and recommendations of Clause 6, and the roles and responsibilities of the safety management team. We will compare and contrast the impact analysis at the item level, the reuse of existing elements, the tailoring of the safety activities, the planning and coordination of the safety activities, and the progression of the safety lifecycle.
We will examine the case for safety and confirmation measures. We will explore the processes for conducting confirmation reviews, functional safety audits, and functional safety assessments. We will conclude by examining the steps necessary to approve the item as released for production and summarize the work products that all of Clause 6 produces.
Project-dependent safety management allows an organization to tailor its safety activities to the unique considerations of both the organization and the items it produces and utilizes. It safeguards the necessary activities while keeping the focus on only those activities that are truly relevant. This balance of standardization and customization enables organizations to arrive at the most efficient and effective project designs in their pursuit of functional safety.