The automotive industry has always developed its products with the safety of the end user in mind.
Industries such as transportation, medical, home equipment, and machinery that directly impact human life have incorporated safety regulations and measures for safe design. Vehicle safety regulations such as FMVSS and UNECE have long existed to define restrictions and requirements for the design and performance of vehicle systems and components. However, until very recently no safety standard existed to address malfunctions in vehicle system design that could cause harm to the user or their surrounding environment. Even without such functional safety standards, organizations have implemented safe designs through years of experience, sound engineering judgement and robust techniques.
So, when you are asked by a client to implement functional safety and adhere to ISO 26262, or if the organization you work for plans to roll out functional safety norms, what changes? A couple of years ago, when I was attending a conference on automotive safety, a gentleman asked, “If my organization adheres to all the ‘shall’ statements of the ISO 26262 functional safety standard, do I become compliant?” To answer it simply, I say YES. However, we need to dig a little deeper to understand what it means to achieve these “shall” statements. Do we need to do it, and, more importantly, how do we do it?
As stated in Jody Nelson’s earlier blog Is Ignorance Really Bliss, the ISO 26262 standard is not a regulation or a directive that must be complied with for road legality, but simply a set of recommended guidelines for achieving product safety. An organization may choose to follow its own methods and practices as long as it follows the core guidelines of safety. The standard follows the same essential principles of functional safety as IEC 61508, which was intended to apply to all types of industries such as rail, machinery, automotive and nuclear. Therefore, the traditional V-model for system development is followed, including detailed hazard-based analysis of the design, decomposition and traceability of requirements at the various levels, and appropriate testing and validation at each phase of development.
The ISO 26262 standard is divided into several parts that define the requirements and methods for achieving functional safety at different levels of product development. However, these parts can be grouped into two simple categories: Functional Safety Management and Functional Safety Development.
Now the question arises: if my organization has been using best safety practices over the years, why do I need to follow ISO 26262, especially when it is only a voluntary standard and carries no legal obligation?
It is true that by adopting ISO 26262, my organization would be utilizing more resources, increasing development costs, adding more documentation, improving design processes, defining more traceable arguments and so on. In the long run, however, these overhead costs on development and process improvements can lead to greater benefits. Following ISO 26262 would initially establish a robust quality management process, then increase the possibility of developing diverse design techniques, and finally create a working safety culture within the organization.
Below I have listed some of the key ingredients for developing a good “Safety Culture” within the organization:
- Proactive attitude towards safety: Dedicate resources to functional safety skill development and promote better safety development processes. Ensure safety development is on a par with functional development.
- Ensure independence during safety development: For example, the engineer developing safety code should be different from the one developing functional code.
- Ensure independence during safety reviews: During reviews of safety-relevant work products, the reviewer has to be someone who has made minimal contribution to, or holds no stake in, the product.
- Safety over cost: Everyone would agree that it would be pointless to spend a fortune safety-proofing your car if you cannot even profit from it. However, human life cannot be compromised over cost! The ISO 26262 standard provides the balance between these competing priorities, telling us what degree of assurance is required. Other industries have similar guidance provided in different ways. For example, the ALARP principle (“As Low As Reasonably Practicable”) can be used to set a balance between cost and overall benefit in the process and power industries: http://www.hse.gov.uk/risk/theory/alarpglance.htm. Another common approach is to perform a safety analysis for each component and identify whether already available safety measures can be utilized to protect against any harm.
- Avoid single point failures: A fundamental principle of safe design is to ensure the system or component is diagnosable or protected with appropriate detection and control measures for every failure mode originating from it that can cause harm. If a single point failure cannot be avoided, then appropriate justification needs to be provided, such as the rarity of the fault mode, or test and validation criteria showing improbable occurrence.
- Encouragement of documented work products: Apart from the documents generated during development of safety work products, it is highly recommended to keep records of meetings, recorded findings, lessons learned, etc.
- Accountability and authority: Appoint responsible person(s) within the group to lead safety-relevant activities during the various development stages.
To conclude, achieving functional safety is about more than just meeting the criteria for each “shall” statement in the standard. Safety means abiding by the fundamental principles of safe design, and having a proactive attitude towards safety.