Management of Functional Safety: Part 2 of ISO 26262

Your free white paper

Interested in a brief summary on functional safety according ISO 26262? Our free white paper provides you with a summary of all key information, including figures showing the talked about part or clause of the ISO – ideal reading for anyone new to the topic of process improvements.

Download

It is a common belief that functional safety is just one of many issues that the project manager must coordinate when developing electronics for vehicles.

In other words, those who can do project management can also do functional safety management. Be careful: Experience shows that this belief leads to massive problems towards the end of the project. Why? Because the safety of the product cannot be proven. This is only possible if the organisation has made arrangements, and a number of things are considered over the development period. There is no functional safety if you don’t manage functional safety.

Having a look into ISO 26262 we see that part 2 is specifically dedicated to the management aspect of the whole safety lifecycle. Part 2 in particular says how to manage the topic of functional safety.

Image The structure of ISO 26262:2018

Management of Functional Safety

You’ll find 3 clauses with requirements in part 2. The first of these relates to the development organisation. The second is relevant to each development project and the third relates to the post-development phase.

In a number of other clauses of ISO 26262 there are further requirements that are closely related to managing functional safety. For example, in the corresponding parts of ISO 26262 there are certain lifecycles for hardware and software development. And for instance, it’s required that certain coding guidelines must be defined and applied.

Throughout the remainder of this white paper I will explain the most important points and you will take the key lessons with you to avoid problems in time.

For functional safety in automotive, a so-called safety lifecycle has been defined, as seen in the figure below. Related to that, lifecycle management is addressed in three areas.

We see that there are

overall safety management,
project-dependent safety management and
post-release safety management.

Let me slightly reformulate this and please keep this in mind as a first key lesson.

Management of functional safety needs to be addressed

on an organisational level,
on a project level and
for the time after release for production.

Overall safety management

Overall safety management requires that your company must have defined and applied procedures for electronics development.

For example, this includes procedures

to define a company-specific lifecycle,
to define which tools to use,
how to organise configuration management and
which kinds of safety analyses to perform.

A quality management system must be set up. This aspect is strongly supported by the Automotive SPICE standard as well. Automotive SPICE supports the implementation of ISO 26262. Let me refer to our Automotive SPICE tutorials, for more information.

Additionally, ISO 26262 requires that you are qualified for the work assigned to you. This means that there must be active competence management in your organisation.

Functional safety requires that you have a process in place to ensure that safety anomalies are identified, communicated, and resolved.

Overall, the term people use for this is a ‘culture of safety’ – which every company should have. This also includes, for example, that resources that are required for functional safety are actually made available by management.

Safety culture and processes

An organisation that develops electronic products for cars must have a safety culture and processes for functional safety.

Functional safety management at the project level

The various activities must be carried out by people. This requires roles to be defined and people to be assigned. In particular, it must be clear who is responsible for the functional safety of the product.

An impact analysis shows what needs to be done in the course of product development. Because in the rarest of cases, a company starts a development from scratch. There is usually a previous version of the product. The result of the impact analysis is used

to tailor the lifecycle and
to plan the necessary safety activities.

Logically, functional safety management also includes continual monitoring of progress against the plan and, if necessary, revising the plan. All of these are the tasks of a so-called safety manager.

Safety manager and safety planning

Each safety-related electronics project has a safety manager responsible for that area and tailored safety planning.

We're here for you

Need support with a key project? We’re your first port of call when it comes to management consulting and improvement programmes in electronics development.

Steffen Herrmann and the sales team

Documenting evidence of safety

One of the key work products you have to develop is a sound argumentation for the product being safe. This is called the safety case. It includes a suitable strategy to achieve safety. It includes evidence that this strategy was actually followed. And it includes pieces of evidence, the work products produced during development.

Safety case

A key output of each project is a safety case: it contains the argumentation for the product being safe.

Building trust

Functional safety also means preventing a project from misinterpreting ISO 26262 and cheating. This is to be ensured through confirmation measures carried out by independent parties.

There are three types of confirmation measures.

Confirmation reviews related to key work products like the safety plan or safety concepts. They need confirmation from an independent person.
For a functional safety audit, it has to be checked whether the project actually implements the necessary and defined procedures. The audit therefore relates to compliance with the processes.
For a release for production, it's necessary to get an evaluation from an independent person of the achieved safety. This is called a functional safety assessment. It's necessary for products requiring high safety integrity, like for example adaptive cruise control.

A development result may only be released for production

if there is a safety case,
if functional safety is confirmed independently, and
if the development result is baselined under configuration control.

Independent confirmation

Independent confirmation measures should prevent development teams from misinterpreting ISO 26262 and cheating.

Management of functional safety in production and the after-market

If your development result was made safe using such safety management procedures, you must then ensure that the product is also produced correctly and remains safe over the lifetime of the vehicles.

ISO 26262 requires that the companies involved name the people who are responsible for production and field monitoring, and that the necessary activities for functional safety are planned and initiated.

Appropriate procedures must also be in place for this. These are, for example, certain control steps in production, such as reading out flashed software, to ensure that there are no bit errors on the control units. The field observation process must ensure that field returns are examined for violations of safety goals. Finally, functional safety requires that software or hardware in the vehicles be replaced if necessary, using a formalised change process.

Field monitoring and change of spare parts

To safeguard functional safety not just during component and vehicle production, but also over the whole vehicle lifetime, suitable planning is necessary, including a field monitoring process and change management.

Please keep in mind

Managing functional safety needs to be addressed
- on an organisational level,
- on a per project level and
- for the time after release for production.
Your development organisation must have a safety culture and processes that support functional safety.
Each safety-related electronics project has a safety manager responsible for this area and tailored safety planning.
When we go through the other parts of ISO 26262, you will find that there are many topics that go beyond usual project management and require specific know-how on functional safety.
A key result of each project is a safety case containing the argumentation for the product being safe.
Three kinds of independent confirmation measures should prevent development teams from misinterpreting ISO 26262 and cheating:
- Confirmation reviews of key work products, like for example of the safety concept and safety case
- At least one functional safety process audit, ensuring that you follow the necessary process steps
- A functional safety assessment to judge and confirm the achievement of functional safety by an independent person
To ensure functional safety is met during component and vehicle production, as well as over the whole vehicle lifetime, suitable planning is necessary. This includes a field monitoring process (that detects violations of safety goals) and change management.

WE CAN SUPPORT YOU WITH…

Improving your processes to keep them up to date with the latest safety standards – also so you can develop and sell reliable, available, maintainable and functional products
Designing and rolling out safety management systems
Conducting safety audits to confirm that your safety management fulfils relevant requirements
Knowing for certain if a supplier really can provide you with the right components
Building the capability to assess the functional safety of electronic systems and components
Building the capability to provide staff training on all aspects of functional safety

Management of Functional Safety (ISO 26262)

Download Report

Automotive Systems Engineering

Automotive integrated Development

Management of Functional Safety (ISO 26262)