So often, we in functional safety (FS) get caught up in completing work products and aren’t thinking about what comes next. So much detailed work goes into completing a HARA, FMEDA, requirements definitions, FTA, safety analysis, and the like, that we have to have laser-sharp focus on them just to get them done.
Throughout the safety life cycle, confirmation measures or verification reviews, are required for many of the required work products. These reviews help to ensure that we have not veered off track from our intended path for safety. Confirmation measures can take the form of confirmation reviews, functional safety audits and functional safety assessments. Each of these formats concentrate on slightly different aspects of the functional safety case.
The ISO 26262 standard specifies in Part 2, clause 6.2 that these three confirmation measures shall cover the aspects of the safety case in the following ways:
- Confirmation Reviews: Check the compliance of the work product to the corresponding requirements of the standard;
- FS Audits: Evaluate the implementation of the required processes;
- FS Assessments: Evaluates that FS has been achieved by the item
Verification reviews and confirmation reviews may at first glance appear to be similar, but there is an important distinction that should be noted. Both of these reviews are similar in that they are required for a number of work products. The difference comes from what they are designed to examine. Confirmation reviews assess how well the work product adheres to the standard whereas verification reviews examine how well the work product covers the requirements of the project’s safety concept.
With this focus on safety concept requirements, a verification review may more closely resemble the FS Assessment rather than a confirmation review. The difference between assessments and verification reviews comes from their scopes. Again, verification reviews zero-in on work products, while the assessments look at how well the safety concept is supported within the item itself.
With regards to FS audits, it may be important to point out that a wide range of processes may be included in the scope of this review. Audits shall cover the necessary processes for ASIL rated items, but the QM process must also be adhered to, and are fair game, for an audit review. Many organizations have engineering processes defined that play into the concept of Quality Management, or best practices for handling general engineering activities. Many of these practices have been conceived or derived from lessons learned from previous implementations of similar projects. If these practices are not implemented correctly, they could lead to systematic malfunctions.
Confirmation measures are required by the ISO standard for the following work products (See table 1 of Part 2):
- Hazard analysis and risk assessment (HARA)
- Safety plan
- Item integration and testing plan
- Validation plan
- Safety analysis
- Software tool criteria
- Proven in use arguments
- Completeness of the safety case
- Functional safety audit
- Functional safety assessment
It is interesting to note that the draft version of the second edition of ISO 26262 adds a confirmation review for the impact analysis, the functional safety concept (FSC), and the technical safety concept (TSC). It requires reviews of HARAs for QM items with I3 independence. The reviews of the software tool criteria and proven in use arguments have been removed.
Independence requirements for the reviewers are also included in table 1. Classification for the reviewers range from (I0) to separate management, resources and release authority (I3). The level of independence generally follows the ASIL goal. It is noteworthy that the second edition has changed a number of the independence requirements for ASIL A items to a higher level of independence.
By keeping in mind that reviews are next while working on certain work products, it will help us to ensure that the reviews go smoothly. This exercise will help us to remember the importance of processes in addition to content as we build our safety case.