What is Functional Safety Management in Automotive?
Functional safety is the proper implementation of protective functions that safeguard people from unacceptable risk or injury from the use of a product or system. It is the achievement of specific criteria through the correct performance of formal processes defined in certain international standards.
Functional safety management details how the functional safety standards and methods are invoked throughout the three Functional Safety Life Cycle phases. If ISO 26262 defines the standard for achieving functional safety, then functional safety management governs all the activities and processes necessary to fulfill its requirements. The focus of managing the program, from initiation through the full development life cycle, is to make sure that conflicts do not arise at the last minute and that everything is planned for and incorporated into the project plan.
Why do we need functional safety?
The need for functional safety arises from the way our technology has increased in complexity and taken us forward into an expanded realm of opportunities and risks. We need to be able to anticipate problems before they occur and decide what to do. Electronic systems fail, almost inevitably. We need to have a good understanding of, and some preparedness for, what is likely to happen when those failures materialize.
Systemic failures versus random errors
There are different types of failures, or faults, that can occur for different reasons:
- Systemic failures can be due to some degree of negligence on the engineering side: perhaps proper attention was not paid as a system or component was designed, or something should have been analyzed more thoroughly. So we ask the question: have things been done correctly in a theoretical sense? In theory, if the system or component is designed top-down in a very structured manner, there would be no software bugs and no errors introduced by the design. ISO 26262 recommends steps and a process to make sure that some or most of those errors are caught before the product is released into production.
- Random errors occur even if things are done perfectly and designed perfectly. Hardware is hardware, and hardware fails. Components wear out and batteries die. Things may inherently go wrong simply because physical items are under the control or influence of hardware that is functioning properly right now but will cause an issue as soon as one or more components fail.
We need to understand ahead of time how a system would react when this type of failure occurs. Part of the analysis of safety-critical systems is to anticipate those types of issues and assume they will happen. And since the analysis process assumes that they will happen, a couple of things need to be in place.
One is that we need to have a good understanding of how the system will behave, and that understanding must be deterministic. We need to understand the behavior in time, the responses, and how the results of the responses propagate to different systems. If one system fails, will that affect another system? And ultimately, how will the vehicle dynamics be affected?
For example, we need to know that if the vehicle comes to a halting stop, is it going to run away from us? Am I going to be able to control it? How is the public going to react to those types of scenarios? Will the vehicle remain controllable not only by a trained or expert driver, but also when operated by people with slower reflexes? Will it remain controllable in different weather conditions, or in varied environments such as a busy, crowded urban setting or the challenging geography of mountainous terrain?
To turn those considerations (and many more) into useful work that creates a functionally safe product or system, they must be processed and managed using the methodical, thorough, and repeatable process defined in the International Standards IEC 61508 / IEC 61511 – Functional Safety Management (FSM), and ISO 26262 – Automotive Functional Safety Management (A-FSM).
What is the Functional Safety Life Cycle?
Safety characteristics and behavior must be specified, and then designed into the product or system. The Functional Safety Life Cycle plays a critical role in defining how functional safety is to be implemented and accomplished. It consists of three phases:
- Analysis: Hazards are identified, risk is assessed, and measures are identified for reducing the risk. Then an Automotive Safety Integrity Level (ASIL) is assigned to each hazard based on those three results. The ASIL defines the steps that must then be taken during the development of the product or system, and after the start of production.
- Implementation: The risk reduction steps become inputs that are engineered into the design, constructed, and installed. The functional safety requirements remain traceable back to the documented items that verify them. In turn, they are broken down into technical safety requirements. Personnel are trained on the proper execution of the risk reduction measures. They ensure that all requirements are properly addressed during development, and they are educated on the hazards that the steps are designed to protect against.
Next comes verification and validation, a complex series of planning, specification, and execution procedures. The verification process asks the question: “Was the system built right?” The validation process asks the question: “Was the right system built?” During these processes, the hardware and software components are tested and then integrated together into systems, which in turn are integrated into the vehicle.
- Operation: Personnel analyze the safe operation of the component or system, conduct inspections, perform testing and maintenance, and receive continuous training. They also implement safe modifications and perform end-of-life decommissioning.
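The analysis and implementation phases above can be made concrete with a small worked example. The following Python is an added illustration, not code from the original article. It goes one step beyond the text: it classifies each hazard with the severity (S), exposure (E) and controllability (C) classes that ISO 26262-3 uses to determine the ASIL (the article does not name those parameters), and then runs a traceability check of the kind the implementation phase calls for: every functional safety requirement must trace to a known hazard, carry at least one verifying item, and not be rated below the ASIL of the hazard it mitigates. The hazards, requirement identifiers and test-case identifiers are constructed for the example; ASIL decomposition is not modelled.

```python
from dataclasses import dataclass

# ISO 26262-3 Table 4 (ASIL determination), indexed as
# ASIL_TABLE[severity][exposure][controllability - 1].
# Classes S0, E0 and C0 lie outside the table: such events need no ASIL (QM).
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Return 'QM' or 'A'..'D' for one hazardous event from its S/E/C classes."""
    if 0 in (severity, exposure, controllability):
        return "QM"
    if not (1 <= severity <= 3 and 1 <= exposure <= 4 and 1 <= controllability <= 3):
        raise ValueError(f"no such class: S{severity} E{exposure} C{controllability}")
    return ASIL_TABLE[severity][exposure][controllability - 1]


@dataclass(frozen=True)
class Hazard:
    hazard_id: str
    description: str
    severity: int
    exposure: int
    controllability: int

    @property
    def asil(self) -> str:
        return determine_asil(self.severity, self.exposure, self.controllability)


@dataclass(frozen=True)
class SafetyRequirement:
    req_id: str
    hazard_id: str        # hazard (safety goal) this requirement mitigates
    asil: str             # ASIL inherited from that hazard (no decomposition modelled)
    verified_by: tuple    # ids of the test cases or reviews that verify the requirement


def traceability_gaps(hazards, requirements):
    """Return human-readable findings; an empty list means the trace is clean."""
    by_id = {h.hazard_id: h for h in hazards}
    covered = set()
    findings = []
    for r in requirements:
        h = by_id.get(r.hazard_id)
        if h is None:
            findings.append(f"{r.req_id}: traces to unknown hazard {r.hazard_id}")
            continue
        covered.add(h.hazard_id)
        if not r.verified_by:
            findings.append(f"{r.req_id}: no verification item")
        if ASIL_RANK[r.asil] < ASIL_RANK[h.asil]:
            findings.append(f"{r.req_id}: rated ASIL {r.asil}, but hazard {h.hazard_id} is ASIL {h.asil}")
    # Every hazard that needs an ASIL must be mitigated by at least one requirement.
    for h in hazards:
        if h.asil != "QM" and h.hazard_id not in covered:
            findings.append(f"{h.hazard_id}: ASIL {h.asil} hazard has no safety requirement")
    return findings


# Constructed sample data (hypothetical hazards and identifiers, not from any real program).
SAMPLE_HAZARDS = [
    Hazard("H-001", "loss of brake assist at highway speed", 3, 4, 2),       # -> ASIL C
    Hazard("H-002", "courtesy lamp stays on after ignition off", 1, 3, 1),  # -> QM
    Hazard("H-003", "parking brake applies while driving", 3, 2, 3),        # -> ASIL B
]
SAMPLE_REQUIREMENTS = [
    SafetyRequirement("FSR-01", "H-001", "C", ("TC-101", "REV-07")),
    SafetyRequirement("FSR-02", "H-003", "A", ("TC-205",)),   # under-rated: hazard is ASIL B
    SafetyRequirement("FSR-03", "H-009", "B", ("TC-300",)),   # dangling: no such hazard
]

if __name__ == "__main__":
    for h in SAMPLE_HAZARDS:
        print(f"{h.hazard_id} S{h.severity} E{h.exposure} C{h.controllability} -> {h.asil}")
    for finding in traceability_gaps(SAMPLE_HAZARDS, SAMPLE_REQUIREMENTS):
        print("GAP:", finding)
```

The table is written out in full rather than as the common shortcut (add the S, E and C class numbers: a sum of 6 or less is QM, 7 is A, 8 is B, 9 is C, 10 is D) so that a reviewer can check each cell against the standard; the shortcut is equivalent and makes a useful cross-check. On the sample data the check reports two gaps, FSR-02 rated below its hazard and FSR-03 tracing to a hazard that does not exist, which is exactly the kind of finding a safety manager wants surfaced during monitoring rather than at the production milestone.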
What are the roles and responsibilities in functional safety management?
The management of functional safety is overseen by the safety manager. However, implementing the management of safety is not just a separate thing that “somebody else” is doing over in the corner, with the safety manager off to the side, doing their own thing. No, the management of functional safety needs to be integrated into the entire project plan, top to bottom, start to finish. And, it is the job of the safety manager and the objective of functional safety, to make sure that is happening.
Right from the start, the rest of the team needs to be aware of, respect, and acknowledge, the independence and authority of the safety manager. A safety manager is critical in these types of projects because you want someone in the role who is free and independent from the pressures of accounting for other aspects of the project, such as budget, schedule, or resources. Their sole focus is the safety of the product. Sometimes people want to take shortcuts. There are customer milestones that need to be adhered to, such as making the target date of the startup of production. When it comes to the safety objectives and safety managers, all that is irrelevant. If it's safe, it's safe; if it's not, the safety manager needs to speak up about it. He or she needs to raise the flag to the right people to make sure that functional safety is not compromised. In essence, that is the main purpose of a safety manager.
The safety manager may not own control of the resources; nonetheless, it is the responsibility of the safety manager to ensure that adequate resources are in place. For example, these can include adequate knowledge, expertise, time, and availability. In theory, the safety manager should be working closely with the program manager or the project manager to ensure that they are achieving synergy in all the decisions that are being made, and that safety is appropriately considered. All the leaders must recognize that everybody else at that table has a reason for being there.
Part of the planning and execution of the safety measures is to ensure that, yes, everything is progressing as planned, all the steps are being adhered to, and no shortcuts are being taken. That is all part of monitoring. Because in real life, when you get a program rolling, deadlines get tight. Sometimes they slip and there can be a lot of pressure to take shortcuts.
The functional safety manager must focus on functional safety from now until the product is delivered, and beyond. That focus and attention to detail continues throughout the process; it never ends. Also, there must be steps in the process for after the system is released; the job is not done once the vehicle is deployed. How is the safety of that vehicle or product going to be monitored once it hits production? Once feedback is received from the public, if any issues become known, how are they communicated back to the engineering team and corrected? How is it ensured that identical or similar errors are not propagated into similar designs? In our type of industry, a lot of vehicles are designed based upon past vehicles that continue to be improved. It is something we pay very close attention to. Ownership of safety doesn't end when the product is delivered.
What happens when an engineering manager or safety manager realizes that they haven't been implementing functional safety?
Typically, we have found that either customers are used to designing things in a certain manner using legacy processes where functional safety wasn't taken into consideration, or they have been implementing part of the standard but not all of it, or their customers begin to mandate functional safety. In response, they must change the way they do business with both their customers and their suppliers and change how they do things internally. However, change is difficult, especially for large organizations. It doesn't happen overnight, and their corporate culture needs to adapt.
We try to focus on methodically introducing change. We don't change everything overnight. Instead, change is introduced little by little, with a focus on the high priority items. We educate as we go, so our customers understand the reason for a change before it is implemented, and how it will improve the overall process.
Slowly, we start introducing the proper changes in the proper order, not only at the company level, but also at the product level. Because typically, products that are being developed now, or were developed in the past, are going to be the baseline for the next iteration. It is very rare that you have a design that is starting from scratch, because doing so is expensive.
Does the functional safety manager create the functional safety goals, or is that a team effort?
The safety goals are not necessarily created by the safety manager. The safety manager is the person responsible for overseeing all the work and making sure that it is performed according to, and adheres to, the standard. Safety managers bring different levels of experience and knowledge. Some safety managers are more technical than others, and some might be more program management oriented.
It is important for safety managers to understand their core knowledge and core expertise, but it is also their responsibility to bring in people who can provide guidance whenever there is an area that they are not familiar with, or even to outsource an activity if needed. If a safety manager is responsible for reviewing a particular safety concept, and they don't know the product from a technical perspective, they need to bring in someone with expertise to act as a liaison for the technical activities. However, it is critical that the liaison be independent from that project.
The importance of the safety manager cannot be overstated. They cannot be shy about speaking up. They must be respected from the highest levels downward and included in all the meetings and activities in which they should be playing a role. They must have the freedom to speak up in defense of safety, in the face of significant business pressures. They must know the limits of their technical knowledge and not be hesitant to ask for outside independent counsel on technical matters. A good safety manager, properly supported, is one of the best investments a company can make.
For functional safety to be achieved, the functional safety standards must be properly applied in an accurate and complete manner. However, that goal can be achieved in realistic and manageable steps. The cyclical nature of the automotive industry, with its annual new model releases, reliance upon legacy products, and tendency toward an institutional resistance to change, applies a unique combination of pressures not often seen in other industries. It is of paramount importance to have a properly supported safety manager and pool of experts that are outside the pressures and obligations of schedules and budgets. With these assets in place, and full buy-in at every level, the goal of achieving true functional safety is attainable by any organization that is willing to take the proper steps and stay the course.