Do you need to understand what the concept phase of automotive functional safety expects from you? Then let's have a closer look on Part 3 of ISO 26262. Here you'll find a quick overview of this topic, including a video and our free white paper.
Interested in a brief summary of the concept phase in functional safety? Our free white paper gives you a summary of all key information, including figures illustrating Part 3 of ISO 26262 – ideal reading for anyone new to the topic of process improvements.
What needs to be done in terms of functional safety at the beginning of the development or adaptation of an electronic product for vehicles, whether you work for a carmaker or for a supplier? A common mistake is to not properly classify the risk that an electrical and/or electronic feature in a vehicle poses to health or human life, or to not clearly define the goals for functional safety. If you make this mistake, you lack the basis for the decisions needed to achieve functional safety during further technical development. That’s why you need to begin early in the development process, as ISO 26262 requires.
ISO 26262 refers to the early phase of product development as the “concept phase”, and mainly describes it in part 3. The concept phase also includes an impact analysis, for which requirements are contained in part 2. And for use in the development of motorcycles, part 12 has more specific information on risk assessment.
In the concept phase, the following four topics have to be implemented.
I will now explain them in more detail and work out the key lessons for you.
At the beginning, the “item definition” is about clearly defining and delimiting the subject of development. If a predecessor product exists, an “impact analysis” comes into play. Using a method specific to the automotive domain, hazardous events are assessed and the necessary automotive safety integrity level, or “ASIL”, is determined; this defines how development should be performed. A “functional safety concept” specifies at vehicle level how the safety goals are to be achieved by getting systems to interact.
The term “item” denotes the subject of development, your product. This is one or more interacting electrical and/or electronic systems that implement the desired function. Examples of items are adaptive cruise control systems, airbags, or electrical components as simple as a car window mechanism, which can for example trap an arm or a head. Defining the item means putting together different kinds of requirements and boundary conditions, be they functional requirements, normative references, or the performance of the actuators involved in the vehicle. It is also important to agree on what lies outside the item, that is, to know its boundary.
The subject of development, the item, must be defined and its boundaries determined.
Let us continue with the impact analysis. This is our second topic. An impact analysis shows how the lifecycle should be adjusted, tailored, and which safety activities are necessary. It must be known whether the item is a new development, a modification or just the use of a previously developed item in a modified environment, for example an airbag in a new vehicle variant. Now, in the safety lifecycle, this primarily refers to the carmaker and the vehicle level, but all suppliers should carry out an impact analysis for their area of responsibility.
In order to be able to determine the necessary safety activities, an impact analysis must first be made.
Our third topic is about understanding the risks posed by our product. The risk to human life that our item poses has to be estimated. Note that this is typically an activity performed by the carmaker. Depending on this risk assessment, more, or sometimes less, must be done technically and in organisational terms. The “hazard analysis and risk assessment” (“HARA”) begins with a description of operational situations and operating modes, for example “driving on a highway”. The hazards that arise in the event of faults in our item are then determined. For instance, a lane-keeping assist system could accidentally steer the vehicle onto the other side of the road. The “automotive safety integrity level”, or “ASIL”, is then determined for the relevant hazardous events. This ASIL has a significant influence on the development activities and on the product.
To do this, you determine the “Severity” of harm, the probability of “Exposure” to the operational situation and the “Controllability”, or ability to avoid harm. Once you have done that, you determine the ASIL.
For example, faulty steering by the lane-keeping assist system – into the oncoming lane – could be classified as ASIL D, as this can lead to serious injury. In contrast, incorrectly displaying a recognised traffic sign is less critical, because by itself, a traffic sign recognition system does not interfere with vehicle operation and the driver generally reacts appropriately. Once you have carried out these assessments, you write down “safety goals” for further development. Safety goals are high-level safety requirements that are suitable for mitigating hazardous events.
The item is subjected to a hazard analysis and risk assessment, in order to scale safety activities.
Safety goals are formulated.
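The HARA steps above carried through in code, as an added example that is not part of the original article: hazardous events are rated for S, E and C, the ASIL is read from Table 4 of ISO 26262-3, and a safety goal that covers several hazardous events takes the highest ASIL among them. The S/E/C ratings of the lane-keeping and traffic-sign cases are assumptions for illustration, not values from the article.

```python
from dataclasses import dataclass

# ISO 26262-3, Table 4: ASIL from Severity (S1-S3) and Exposure (E1-E4);
# each tuple lists the result for Controllability C1, C2, C3.
ASIL_TABLE = {
    (1, 1): ("QM", "QM", "QM"), (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),  (1, 4): ("QM", "A", "B"),
    (2, 1): ("QM", "QM", "QM"), (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A", "B"),   (2, 4): ("A", "B", "C"),
    (3, 1): ("QM", "QM", "A"),  (3, 2): ("QM", "A", "B"),
    (3, 3): ("A", "B", "C"),    (3, 4): ("B", "C", "D"),
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]  # ascending rigour

def determine_asil(s: int, e: int, c: int) -> str:
    """S0, E0 or C0 means no ASIL is required (returned as QM); values
    outside the classes of the standard are rejected, never guessed."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"S{s}/E{e}/C{c} is outside the ISO 26262 classes")
    if 0 in (s, e, c):
        return "QM"
    return ASIL_TABLE[(s, e)][c - 1]

@dataclass(frozen=True)
class HazardousEvent:
    situation: str  # operational situation, e.g. "driving on a highway"
    hazard: str     # malfunctioning behaviour of the item in that situation
    s: int
    e: int
    c: int

    @property
    def asil(self) -> str:
        return determine_asil(self.s, self.e, self.c)

def derive_safety_goal(goal: str, events: list) -> tuple:
    """A safety goal covering several hazardous events inherits the highest
    ASIL among them (ISO 26262-3 rule when safety goals are combined)."""
    top = max(ASIL_ORDER.index(ev.asil) for ev in events)
    return goal, ASIL_ORDER[top]

# Constructed HARA rows for the lane-keeping assist and traffic-sign cases;
# the S/E/C ratings are assumptions for illustration, not values from the page.
LKA_EVENTS = [
    HazardousEvent("driving on a highway", "unintended steering into the oncoming lane", 3, 4, 3),
    HazardousEvent("manoeuvring in a car park", "unintended steering at walking pace", 1, 2, 1),
]
TSR_EVENT = HazardousEvent("driving in a town", "wrong speed limit shown in the display", 1, 4, 1)
```

Calling `derive_safety_goal("Avoid unintended lateral motion", LKA_EVENTS)` returns the goal with ASIL D, because the highway event dominates the low-speed one.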
The fourth topic in the concept phase is the “functional safety concept”. It is about deriving functional safety requirements (“FSRs”) from the safety goals. This is where requirements for avoiding, detecting, and controlling faults are developed. A “safe state” is defined, into which the system changes in the event of an error, or which degraded state should be entered if the safe state cannot be reached immediately. Driver warnings are defined, to be displayed in the event of an error.
Requirements must be allocated so that they are implemented either in the system architecture or by external measures. The functional safety concept must be verified to determine whether it is suitable to adequately mitigate the hazards.
The functional safety requirements are assigned to systems for implementation.
A functional safety concept describes, in a comprehensive way, how the hazards should be mitigated.
The section above was a walk through the concept phase according to ISO 26262. Here is my summary of what I think you really should learn about this phase and take to heart.