
Assessment of functional safety according to ISO 26262:2018

Assessments of functional safety in the automotive sector evaluate the functional safety of electronic products before road vehicles go into series production. Learn more about this mission-critical assessment method in our YouTube tutorial.

FSA at a glance

You can download the comprehensive information on the functional safety assessment in our free whitepaper.

It’s either mandatory or common practice for safety-related electronic elements to be assessed by an independent body before they can be installed in road vehicles. Why this is necessary is obvious: confidence in the safety of vehicles should be increased by having an independent person confirm safety according to certain criteria. By the way, my company, Kugler Maag Cie, is officially accredited for such assessments by Germany’s accreditation body DAkkS.

The topics covered below are relevant both for developers, because they have to prove their products are safe, and for assessors, because they are the ones who carry out the assessments and are accountable for the results. So you’ll benefit from reading this paper whether you’re an assessor or a developer.

Objectives, requirements, and guidelines for functional safety assessments can be found in part 2 of ISO 26262, which is also the basis for this white paper. In this paper I will first summarize the contents of the ISO standard. Afterwards, I will discuss particularly interesting aspects in detail. These are

  • the incremental implementation of assessments with intermediate assessments
  • questions on the commissioning of assessments
  • hints for the practical implementation of assessments
  • questions about the assessment report

My aim throughout is to provide you with insights that will help you in tangible terms. In this way, I will also formulate some key lessons that you should take with you for your work.


FSA acc. to ISO 26262. Part 2 – Clause 6.12

The objective of a functional safety assessment is to judge the functional safety of an electrical or electronic product. In the case of a car manufacturer, this is the item - that is, the function on vehicle level. In the case of its suppliers, an assessment focuses on contributions to the functional safety of a vehicle made by the systems or components they supply.

The assessment looks at whether the objectives of ISO 26262 have been achieved. To do this, ISO 26262 requirements are used. State-of-the-art technology at the time of development is taken into account. Please note that state-of-the-art technology evolves continuously, independent of ISO 26262 itself.

If the highest ASIL of the requirements is ASIL C or ASIL D, every electrical/electronic product for installation in road vehicles requires a positive functional safety assessment report for each release for production. For ASIL B, a positive assessment report is recommended. Remember that justification is required if you do not follow an ISO 26262 recommendation. For ASIL A, no assessment is required.

Assessors must be independent of the development team. For ASIL C, the assessor must come from a different team. For ASIL D, the assessor must come from another department or from outside the company. Appointed assessors must not be given instructions. They must be free to make their own judgements. It is permitted for assistants to support the assessor, even if they are not independent.

However, the assessor always remains solely responsible for the assessment result.

An assessment must be planned at the beginning of system development – at the latest. More about planning later in this white paper.

Assessors must have access to all relevant information for the assessment. They must be supported by the development team on request.

Assessors must consider the following in particular for the assessment:

  • the safety plan and the required work products
  • the processes required for functional safety
  • safety measures, in particular the safety mechanisms in the product
  • the safety case with its arguments
  • the results of confirmation reviews and functional safety audits

As an assessor, you must have a sufficient level of skills, competence, and qualification, although ISO does not specify this further. In particular, no specific certificate is required for the assessor. The assessor’s company does not need to be accredited either. However, you can assume that only assessors who have mastered the multitude of technical and other topics will ultimately be accepted.

The assessor must compile an assessment report. I will say a few more things about this below.

This covers everything that ISO 26262 contains and demands.

ISO 26262 recommends that assessments of functional safety are carried out progressively in parallel with development. This is a very important piece of advice that you should definitely implement. But how?

I would like to distinguish between different cases.

Development of a new product

I advise vehicle manufacturers to make their first interim assessment after the hazard analysis and risk assessment and the preparation of the safety plan. A supplier should make the first interim assessment after the first version of the safety plan. An alternative to this would be confirmation reviews of the hazard analysis and risk assessment and the safety plan. A second interim assessment would be useful after the safety concept has been drawn up so that a completely different approach does not have to be taken later. I would recommend a third interim assessment at a time when the ECUs are already installed in pre-series vehicles, which is typically equivalent to an assessment of the C-sample. The final assessment evaluates the product as it is to be manufactured in series, i.e. the release for production.

Functional modification of existing product

If the safety concept remains unchanged, then one or two interim assessments and a final assessment are sufficient.

Simplest case: for example, only the calibration of a product for a new vehicle is carried out

In this case, a single final assessment is sufficient.


What do we learn from this?

Assessment planning depends strongly on how new a product is. Think carefully about how high the risk is if you involve an assessor later rather than earlier, or if you make fewer interim assessments.

Try to conduct an interim assessment if consequences of feedback given by the assessor later on down the line would be costly.

One goal when commissioning a functional safety assessment must be achieved before an assessment is considered to be firmly agreed between the client and the assessor: both parties must have a common understanding of the assessment.

However, this understanding is not usually arrived at by a simple sequence of tender, offer, and commissioning the assessment. If a number of issues are not clarified together, this is not a good foundation for professional implementation to the satisfaction of both parties. People need to be clear about each other’s intentions. In particular, the following issues must be clarified:

  • Even if clients ask for a functional safety assessment, it may not be certain that they actually mean the same thing as the assessor. As an assessor, clarify whether the client means a gap analysis, a functional safety audit, one or more confirmation reviews of work products, an interim assessment, a final assessment, or any combination of these. I have often experienced that a request was meant differently than was stated in writing.
  • Clarify who the main stakeholders are, especially in international setups.
  • What expectations does the client have? Should the process end with a confirmation of functional safety? Or should existing deficits be pointed out? Or should only partial results be assessed?
  • Clarify which phase the project has now reached.
  • To determine which parts and clauses of the ISO must be checked against, it is essential to know how much reuse, modification or new development is taking place – and which technology is in the client’s area of responsibility. I refer to this as the technical scope of the development.
  • As an assessor, you have to decide, for example, whether to check against the ‘change management’ clause only, or whether an impact analysis is available that requires large parts of ISO 26262 to be run through. To plan properly, you need to know the ISO scope.
  • You should know the highest ASIL of the requirements.
  • Try to get a rough overview of the evidence that will be presented to you – and what status this evidence has reached. For example, is the safety case only in draft, already reviewed, or already confirmed by an independent person?
  • Which process should the assessment follow? That of the client or that of the assessor?
  • How will the process be carried out? Are there any documents in advance? At which locations must the assessment be carried out? How many days are necessary on site? What are the milestones?
  • What should be delivered and checked in advance?
  • Regarding financials: The client and the assessor should agree on the price and criteria for payment. In any case, payment must not depend on a positive assessment report.
  • Clarify whether the assignment and the price include updates to the assessment after minor corrections.

I would advise you to write a checklist with all of these points. Once filled out this list can be attached as an appendix to the assessment contract.

The process distinguishes between the preparation phase, implementation, reporting, and optional corrections. However, I do not want to discuss the process in detail at this point.

I recommend that you create a number of useful templates and checklists for the process. These could include:

  • Assessment process description in a tailorable template
  • Tailoring guideline
  • Order template
  • Assessment readiness checklist
  • Schedule template
  • Invitation email template
  • Assessment criteria in a tool usable during the assessment to collect evidence
  • Team briefing template
  • Kick-off presentation template
  • Result presentation template
  • Assessment report template
  • Certificate template
  • Lessons learned template
  • Tool for managing corrective actions

Now to answer the question of how the assessment can be carried out in practice.

I recommend checking key work products offline before an on-site phase. This would include the safety plan, development interface agreements, impact analyses, the safety concept, and the safety case.

For the onsite phase, I recommend a series of interviews on the individual parts of ISO 26262. In the interviews, the assessor can ask for explanations on how ISO 26262 was met. Evidence is discussed. My role as an assessor is to work out relevant points for the assessment by talking to the stakeholders. If deficits are identified, ideally these are captured together. This creates acceptance of the results of the assessment. If necessary, the assessor may also invest time in reviewing documents in detail after interviews.

In terms of the procedure followed for the final assessment, I would recommend that the safety case is discussed successively. After all, by this time the safety case should be available. And the assessor’s task is to understand how the developers justify safety aspects. Note that it is not the assessor’s job to provide safety arguments. That is the job of development. The assessor’s task is to evaluate those arguments.

In my view, the most important difference between a functional safety audit and a functional safety assessment is that with an assessment, the technical solution for mitigating systematic faults and random hardware faults must be understood and evaluated by the assessor. Ideally, the confirmation reviews of key work products and the audit report on the processes are available for the final assessment. Then the assessor only has to run formal checks and is freed up to concentrate on safety measures. It is also quite common with assessments for the assessor to also carry out confirmation reviews. This is because assessors have the required degree of independence. In such cases, more time will be needed.

Everyone in the process must be clear about one thing: assessors cannot check work products and software as carefully, and according to all criteria, as should be done for reviews and tests during development. They are not product specialists and cannot replace the quality assurance processes of development during an assessment.

It’s important to understand the status of any evidence provided. Are some documents still only draft? If they are, what use are they? Have documents been reviewed and approved? Is there any review documentation? Have the correct review criteria been applied? Were the right people involved, and were they properly involved? Is there perhaps even a confirmation review by an independent person?

Companies often have major problems managing different versions and configurations properly. For a final release for production assessment, your role as an assessor is to check that different versions are consistent. Does the submitted confirmation review actually refer to the released version of the safety case? Do the positive test results actually refer to the software and calibration data contained in the release for production baseline?
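One way to make this version-consistency check mechanical, as an added example that is not part of the white paper or of any tooling by its author: each submitted evidence records which item versions it refers to, and the check reports every reference that does not match the release-for-production baseline, every evidence that is not yet approved, and every baseline item with no approved, matching evidence. Item names, document names and version strings are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Evidence:
    """One submitted document and the item versions it claims to refer to.

    status models the draft / reviewed / approved distinction: only an
    approved document counts as evidence for the baseline.
    """
    name: str
    kind: str                  # e.g. "confirmation review", "test report"
    covers: dict               # item name -> version referenced in the document
    status: str = "approved"   # "draft", "reviewed" or "approved"


def check_baseline(baseline: dict, evidences: list) -> list:
    """Compare each evidence against the release-for-production baseline.

    baseline maps item name -> released version, e.g. {"software": "1.4.2"}.
    Returns a list of deviation strings; an empty list means every evidence
    refers to the released versions and every baseline item is covered by at
    least one approved, version-matching evidence.
    """
    deviations = []
    covered = set()
    for ev in evidences:
        if ev.status != "approved":
            deviations.append(f"{ev.name} ({ev.kind}): status is '{ev.status}', not approved")
        for item, version in ev.covers.items():
            released = baseline.get(item)
            if released is None:
                deviations.append(f"{ev.name}: refers to '{item}', which is not in the baseline")
            elif released != version:
                deviations.append(f"{ev.name}: refers to {item} {version}, baseline contains {released}")
            elif ev.status == "approved":
                covered.add(item)
    for item, released in baseline.items():
        if item not in covered:
            deviations.append(f"no approved evidence refers to {item} {released}")
    return deviations


def sample_findings() -> list:
    """Constructed case: a stale confirmation review next to a current test report."""
    baseline = {"safety_case": "3.0", "software": "1.4.2", "calibration": "C07"}
    evidences = [
        # The confirmation review was done on the previous safety case version.
        Evidence("CR-12", "confirmation review", {"safety_case": "2.9"}),
        # The test report matches the software and calibration data in the baseline.
        Evidence("TR-40", "test report", {"software": "1.4.2", "calibration": "C07"}),
    ]
    return check_baseline(baseline, evidences)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

The two findings from the constructed case are exactly the questions in the paragraph above: the review refers to the wrong safety case version, so the released safety case has no approved evidence.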

If, for example, it is not possible to conduct assessments at the development site due to travel restrictions, video sessions can be organized instead. In this case, you should plan them quite differently. Keep the interviews shorter and take longer breaks. Overall, the assessment will take longer.

The assessment report should state how you proceeded as an assessor. The assessment criteria should be explained. Describe what you have examined. Which documents were submitted to you in which version? This makes it clear what your assessment is based on. You must formulate key statements on the individual criteria of ISO 26262. It must be clear to the reader of the report whether a sentence is a comment, an agreement, or a deviation from the criterion.

The final assessment report must state one of three possible results:

  • If the objectives of ISO 26262 are met unconditionally, the report recommends that functional safety is accepted.
  • If assessors believe that the product is functionally safe, but they only say this under certain provisos, then only conditional acceptance is recommended.
  • If, on the other hand, assessors are not convinced that a product is safe, the result of the assessment will be a rejection. The organization developing the product will then be asked to make amendments and repeat the assessment.

Key learnings

  • Every electrical and/or electronic product for installation in road vehicles requires a positive assessment report on functional safety for each production release, provided that the highest ASIL of the requirements is ASIL C or ASIL D. For ASIL B this is not a requirement but a recommendation of ISO 26262.
  • The assessor must be a person who meets high standards in terms of skills and qualifications. A specific certificate for the assessor’s qualifications is not required, however, and such factors are not covered in detail in ISO 26262.
  • Only in simple cases is it sufficient to conduct an assessment at the end of the development period. As a rule, you should involve an assessor at an early stage of a project and carry out interim assessments in order to minimise the risk of shortcomings only being detected just before the start of production.
  • An assessor should only be commissioned once the objectives and the limiting factors for the assessment have been clarified.
  • Create an assessment process using appropriate tools.
  • An assessment of functional safety focuses on evaluating technical solutions for mitigating systematic faults and random hardware faults.
  • A passed functional safety assessment is a recommendation that functional safety is accepted, stating criteria and checks that were performed. An assessment report according to ISO 26262 is not a safety certificate for a product.