Assessments of functional safety in the automotive sector evaluate the functional safety of electronic products before road vehicles go into serial production. Learn more about this mission-critical assessment method in our YouTube tutorial.
It’s either mandatory or common practice for safety-related electronic elements to be assessed by an independent body before they can be installed in road vehicles. Why this is necessary is obvious: confidence in the safety of vehicles should be increased by having an independent person confirm safety according to certain criteria. By the way, my company, Kugler Maag Cie, is officially accredited for such assessments by Germany’s accreditation body DAkkS.
The topics covered below are relevant both for developers, because they have to prove their products are safe, and for assessors, because they carry out the assessments and are accountable for the results. So you’ll benefit from reading this paper whether you’re an assessor or a developer.
Objectives, requirements, and guidelines for functional safety assessments can be found in part 2 of ISO 26262, which is also the basis for this white paper. In this paper I will first summarize the contents of the ISO standard. Afterwards, I will discuss particularly interesting aspects in detail. These are
My aim throughout is to provide you with insights that will help you in tangible terms. In this way, I will also formulate some key lessons that you should take with you for your work.
The objective of a functional safety assessment is to judge the functional safety of an electrical or electronic product. In the case of a car manufacturer, this is the item - that is, the function on vehicle level. In the case of its suppliers, an assessment focuses on contributions to the functional safety of a vehicle made by the systems or components they supply.
The assessment looks at whether the objectives of ISO 26262 have been achieved. To do this, ISO 26262 requirements are used. State-of-the-art technology at the time of development is taken into account. Please note that state-of-the-art technology evolves continuously, independent of ISO 26262 itself.
If ASIL C or ASIL D is the highest ASIL among the requirements, every electrical/electronic product for installation in road vehicles requires a positive functional safety assessment report for each release for production. For ASIL B, a positive assessment report is recommended. Remember that a justification is required if you do not follow an ISO 26262 recommendation. For ASIL A, no assessment is required.
Assessors must be independent of the development team. For ASIL C, the assessor must come from a different team. For ASIL D, the assessor must come from another department or from outside the company. Appointed assessors must not be given instructions. They must be free to make their own judgements. It is permitted for assistants to support the assessor, even if they are not independent.
However, the assessor always remains solely responsible for the assessment result.
An assessment must be planned at the beginning of system development – at the latest. More about planning later in this white paper.
Assessors must have access to all relevant information for the assessment. They must be supported by the development team on request.
Assessors must consider the following in particular for the assessment:
As an assessor, you must have a sufficient level of skills, competence, and qualification, although ISO 26262 does not specify this further. In particular, no specific certificate is required for the assessor, and the assessor’s company does not need to be accredited either. However, you can assume that only assessors who have mastered the multitude of technical and other topics will ultimately be accepted.
The assessor must compile an assessment report. I will say a few more things about this below.
This covers everything that ISO 26262 contains and demands.
ISO 26262 recommends that assessments of functional safety are carried out progressively, in parallel with development. This is a very important piece of advice that you should definitely implement. But how?
I would like to distinguish between different cases.
Development of a new product
I advise vehicle manufacturers to carry out their first interim assessment after the hazard analysis and risk assessment and the preparation of the safety plan. A supplier should carry out the first interim assessment after the first version of the safety plan. An alternative would be confirmation reviews of the hazard analysis and risk assessment and of the safety plan. A second interim assessment is useful after the safety concept has been drawn up, so that a completely different approach does not have to be taken later. I would recommend a third interim assessment at a time when the ECUs are already installed in pre-series vehicles, which typically corresponds to an assessment of the C-sample. The final assessment evaluates the product as it is to be manufactured in series, i.e. the release for production.
Functional modification of existing product
If the safety concept remains unchanged, then one or two interim assessments and a final assessment are sufficient.
Simplest case: for example, only the calibration of an existing product for a new vehicle is carried out
In this case, a single final assessment is sufficient.
What do we learn from this?
Assessment planning depends strongly on how new a product is. Think carefully about how high the risk is if you involve an assessor later rather than earlier, or if you make fewer interim assessments.
Try to conduct an interim assessment if consequences of feedback given by the assessor later on down the line would be costly.
Before an assessment can be considered firmly agreed between the client and the assessor, one goal must be achieved: both parties must have a common understanding of the assessment.
However, this understanding is not usually reached by a simple sequence of tender, offer, and commissioning. If a number of issues are not clarified together, there is no sound foundation for a professional implementation that satisfies both parties. People need to be clear about each other’s intentions. In particular, the following issues must be clarified:
I would advise you to write a checklist with all of these points. Once filled out this list can be attached as an appendix to the assessment contract.
The process distinguishes between the preparation phase, implementation, reporting, and optional corrections. However, I do not want to discuss the process in detail at this point.
I recommend that you create a number of useful templates and checklists for the process. These could include:
Now to answer the question of how the assessment can be carried out in practice.
I recommend checking key work products offline before an on-site phase. This would include the safety plan, development interface agreements, impact analyses, the safety concept, and the safety case.
For the on-site phase, I recommend a series of interviews on the individual parts of ISO 26262. In the interviews, the assessor can ask for explanations of how ISO 26262 was met, and the evidence is discussed. My role as an assessor is to work out the points relevant to the assessment by talking to the stakeholders. If deficits are identified, ideally these are captured together; this creates acceptance of the assessment results. If necessary, the assessor may also invest time in reviewing documents in detail after the interviews.
In terms of the procedure followed for the final assessment, I would recommend that the safety case is discussed successively. After all, by this time the safety case should be available. And the assessor’s task is to understand how the developers justify safety aspects. Note that it is not the assessor’s job to provide safety arguments. That is the job of development. The assessor’s task is to evaluate those arguments.
In my view, the most important difference between a functional safety audit and a functional safety assessment is that with an assessment, the technical solution for mitigating systematic faults and random hardware faults must be understood and evaluated by the assessor. Ideally, the confirmation reviews of key work products and the audit report on the processes are available for the final assessment. Then the assessor only has to run formal checks and is freed up to concentrate on safety measures. It is also quite common with assessments for the assessor to also carry out confirmation reviews. This is because assessors have the required degree of independence. In such cases, more time will be needed.
Everyone in the process must be clear about one thing: assessors cannot check work products and software as carefully, and according to all criteria, as should be done for reviews and tests during development. They are not product specialists and cannot replace the quality assurance processes of development during an assessment.
It’s important to understand the status of any evidence provided. Are some documents still only draft? If they are, what use are they? Have documents been reviewed and approved? Is there any review documentation? Have the correct review criteria been applied? Were the right people involved, and were they properly involved? Is there perhaps even a confirmation review by an independent person?
Companies often have major problems managing versions and configurations properly. For a final release-for-production assessment, your role as an assessor is to check that the different versions are consistent with each other. Does the submitted confirmation review actually refer to the released version of the safety case? Do the positive test results actually refer to the software and calibration data contained in the release-for-production baseline?
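The two questions above, together with the evidence-status questions from the previous paragraph, can be turned into a mechanical cross-check of evidence metadata against the baseline. The following Python script is an added example, not code from the white paper or from Kugler Maag Cie; the release id, document ids, work-product names and version strings are constructed for illustration, and the metadata fields are an assumed simplification of what a configuration management tool would export.

```python
"""Cross-check submitted evidence against a release-for-production baseline.

Added example with constructed data. Each piece of evidence (confirmation
review, test report) states which work-product versions it refers to and
its approval status; the checker reports every inconsistency an assessor
would have to raise before accepting the release.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Baseline:
    """Versions frozen in the release-for-production baseline (hypothetical ids)."""
    release_id: str
    versions: Dict[str, str]  # work product -> released version


@dataclass(frozen=True)
class Evidence:
    """One submitted document and what it claims to cover."""
    doc_id: str
    kind: str                 # "confirmation_review" or "test_report"
    covers: Dict[str, str]    # work product -> version the document refers to
    status: str               # "draft", "reviewed" or "approved"
    independent: bool = False # reviewer independent of the development team


# Minimum evidence the checker expects for a final assessment (assumption).
REQUIRED: Dict[str, Set[str]] = {
    "confirmation_review": {"safety_case"},
    "test_report": {"software", "calibration"},
}


def check_release(baseline: Baseline, evidence: List[Evidence]) -> List[str]:
    """Return a list of findings; an empty list means the evidence is consistent."""
    findings: List[str] = []
    covered: Dict[str, Set[str]] = {kind: set() for kind in REQUIRED}

    for ev in evidence:
        # Draft or merely reviewed documents are not usable as final evidence.
        usable = ev.status == "approved"
        if not usable:
            findings.append(f"{ev.doc_id}: status '{ev.status}', not usable as final evidence")
        # A confirmation review only counts if it was done independently.
        if ev.kind == "confirmation_review" and not ev.independent:
            usable = False
            findings.append(f"{ev.doc_id}: confirmation review was not performed independently")

        for product, version in ev.covers.items():
            expected = baseline.versions.get(product)
            if expected is None:
                findings.append(f"{ev.doc_id}: refers to '{product}', which is not part of "
                                f"baseline {baseline.release_id}")
            elif version != expected:
                # The classic configuration problem: evidence for an older version.
                findings.append(f"{ev.doc_id}: refers to {product} {version}, "
                                f"baseline has {expected}")
            elif usable:
                covered.setdefault(ev.kind, set()).add(product)

    # Anything required that no usable, version-matching document covers.
    for kind, products in REQUIRED.items():
        for product in sorted(products - covered[kind]):
            findings.append(f"no approved {kind} matching {product} "
                            f"{baseline.versions.get(product)} in baseline {baseline.release_id}")
    return findings


# Constructed sample data: one stale confirmation review, one test report run
# against an older calibration, and one correct test report that is still a draft.
BASELINE = Baseline("RfP-2024-07", {"safety_case": "3.0", "software": "1.4.2", "calibration": "C7"})
EVIDENCE = [
    Evidence("CR-017", "confirmation_review", {"safety_case": "2.1"}, "approved", independent=True),
    Evidence("TR-221", "test_report", {"software": "1.4.2", "calibration": "C6"}, "approved"),
    Evidence("TR-230", "test_report", {"software": "1.4.2", "calibration": "C7"}, "draft"),
]

# Constructed evidence set with no inconsistencies, for comparison.
CLEAN_EVIDENCE = [
    Evidence("CR-018", "confirmation_review", {"safety_case": "3.0"}, "approved", independent=True),
    Evidence("TR-231", "test_report", {"software": "1.4.2", "calibration": "C7"}, "approved"),
]

if __name__ == "__main__":
    for finding in check_release(BASELINE, EVIDENCE):
        print("FINDING:", finding)
    print("clean set:", check_release(BASELINE, CLEAN_EVIDENCE) or "consistent")
```

The checker deliberately reports both the stale reference and the resulting gap (no approved review of safety case 3.0), because fixing one does not fix the other: a review that refers to the wrong version is still a finding in its own right, and the release is still missing the evidence it needs.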
If, for example, it is not possible to conduct assessments at the development site due to travel restrictions, video sessions can be organized instead. In this case, you should plan them quite differently. Keep the interviews shorter and take longer breaks. Overall, the assessment will take longer.
The assessment report should state how you proceeded as an assessor. The assessment criteria should be explained. Describe what you have examined. Which documents were submitted to you in which version? This makes it clear what your assessment is based on. You must formulate key statements on the individual criteria of ISO 26262. It must be clear to the reader of the report whether a sentence is a comment, an agreement, or a deviation from the criterion.
The final assessment report must state one of three possible results:
Every electrical and/or electronic product for installation in road vehicles requires a positive assessment report on functional safety for each production release, provided that the highest ASIL of the requirements is ASIL C or ASIL D. For ASIL B this is not a requirement but a recommendation of ISO 26262.