As a Safety Manager, I receive quite a few inquiries relating to whether a clause that is “only recommended” for a particular ASIL by ISO 26262 is necessary to complete a particular project. I thought this to be an interesting topic to address, as I provide a similar response regardless of what particular clause is being discussed.
In cases where the standard “recommends”, as opposed to “requires”, a subclause (if an ASIL is given in parentheses in ISO 26262, the corresponding subclause shall be considered as a recommendation rather than a requirement for this ASIL):
- In general, we have to consider all of the requirements that are recommended for each program.
- We can tailor our Safety Plan based on these and since some of the subclauses are only recommended, we can identify that we will not consider them within that tailored Safety Plan, however:
- We should first evaluate for the program whether this clause should be considered out of good engineering practice* (should we perform the recommended actions based on the fact that this is a new product, or can we identify that the execution of the subclause does not provide a significant benefit based on the effort).
- E.g. should we perform an FTA on an ASIL B program?
- If it is not a new product, only a new application, this may not be necessary because we have actual data on previous programs of failure modes, best practices or lessons learned that have provided adequate requirements that we are employing in our technical solution, etc.;
- However, if we feel that since this is a new product, we are not certain we have completely and correctly identified all of our requirements, this additional analysis would likely be beneficial and in good engineering practice*.
- E.g. should we perform an FTA on an ASIL B program?
- If we determine that we are not going to consider the recommended subclause, we should identify why this is the case.
- We would identify our reasoning (and document this reasoning);
- And if we are a supplier, confirm agreement by the customer that they do not require that particular subclause for the program (given our reasoning).
- As a Safety Manager, I cannot approve a justification of “it is only recommended for this ASIL, so we are not going to consider it”, especially if the reason is “we are not sure we will meet the requirement, so that is why we don’t want to consider it”.
- We should first evaluate for the program whether this clause should be considered out of good engineering practice* (should we perform the recommended actions based on the fact that this is a new product, or can we identify that the execution of the subclause does not provide a significant benefit based on the effort).
My perspective is that good engineering practice, if adhered to throughout development, would not have required the publication of ISO 26262 or the new section added to IATF 16949 regarding Product Safety. If good engineering practice is followed, it is not about whether we meet the requirement for the sake of “checking the box” but have we ensured, to the best or our knowledge and engineering ability (since we are the experts), that our design is acceptable based on any potential safety (and performance or functional) requirements or concerns.
