Functional Safety in the development of commercial vehicles and modern machinery
Published in HANSER Mobile Automation 1/2014
The number of mutually interconnected components in vehicles and other systems has increased immensely, and unexpected errors can arise as side effects of that interconnection. This gives rise to new hazards and risks against which measures must be taken. At the same time it creates the opportunity for more advanced and complex systems, and also for more safety.
But what does safety mean in this context? The safe use of vehicles and machinery, in order to minimise the risk of personal injury and damage to property, is paramount. The risk of a person suffering injury due to systematic errors and random hardware failures in a system shall, in the words of the various standards, be reduced to a socially acceptable level. We all know safety features that serve this purpose, such as the beeping of a reversing fork-lift truck.
Several factors are driving developments in this area forward, from the growing number of assistance systems through to complete automation. In this way the human risk factor can be minimised. If, however, an error does occur in an assistance system, it can quickly lead to injury: the driver or operator could be distracted by additional information, the vehicle or system could respond unexpectedly, or the error could even lead directly to serious harm. Who is to blame if an assistance system intervenes in the steering of a vehicle and thereby causes a collision?
Access through telematics can cause comparable damage when protection functions or safety-critical functions are switched off or disabled via remote diagnostics. The growing networking of systems will also lead to a stronger coupling of safety and security topics: a hacker could, for example, deliberately try to cause harm via the network connection of a system. Figure 1 illustrates, in simplified form, the difference between safety and security.
As a consultant in the field of functional safety, ServiceXpert Gesellschaft für Service-Informationssysteme mbH distinguishes between two different tasks:
• Experienced ServiceXpert engineers help to adapt existing processes regarding functional safety.
• ServiceXpert supports functional safety activities, e.g., hazard analyses and risk assessments, required reviews or failure mode and effect analyses (FMEA).
Functional safety is a cross-functional issue that needs to be practised across all business areas. It cannot be delegated entirely to external consultants. Instead everyone, and especially the people working in the development process, must be involved, from manager to developer. External service providers such as ServiceXpert provide support through company-neutral process evaluation and their expertise in functional safety.
The requirements of the particular standard or standards must therefore be aligned with the development processes of the vehicle and system manufacturers, which in some cases means that a development process has to be redesigned.
Continuous requirements management is an essential prerequisite for the management of functional safety. Quality assurance is equally indispensable. An appropriate quality management system must be established if it does not already exist. These requirements largely match assessment models such as Automotive SPICE® or quality standards such as ISO/TS 16949.
These are two central examples of sets of requirements when it comes to giving functional safety the importance it needs. The standards offer guiding principles that exist for the various market segments.
The international standard IEC / EN 61508 forms the basis for developing electrical systems in compliance with the requirements of functional safety. As an umbrella standard, it applies generally to safety-related electrical, electronic and programmable electronic systems. The so-called sector standards, such as ISO 26262 ("Road Vehicles - Functional Safety") for safety-related electrical / electronic systems in motor vehicles, ISO 25119 for agricultural vehicles or ISO 13849 for machines and controls, replace or supplement IEC / EN 61508. The process models described in the standards need to be adapted to the real circumstances. Figure 2 shows the usual top-down approach to the development of safety-critical systems.
The management of functional safety, however, does not end with the completion of a product's development: the functional safety life cycle extends from concept design to the decommissioning of the product.
In all process models the first step is to consider all hazards originating from the system and to assess the associated risk. ISO 26262 does this through a "Hazard Analysis and Risk Assessment". An important outcome of this step is the classification of the system with respect to its safety-critical risk, together with the corresponding safety goals and protection functions. Depending on the scope, there are different levels of abstraction here: in ISO 26262 we speak, for example, of ASIL ("Automotive Safety Integrity Level"), in IEC 61508 of SIL ("Safety Integrity Level") and in ISO 13849 of PL ("Performance Level"). Requirements such as permissible failure rates or quality assurance measures in development are tied to this classification.
So how much functional safety is necessary? Legally, there is no obligation to apply any standard, but manufacturers do have a duty of care. This includes the requirement that the industry must always apply the current state of the art in science and engineering to safety. Applying the standards alone is therefore not sufficient; rather, they form the basis of a good foundation for pursuing the goals of functional safety in an appropriate way. In addition to product liability we must not ignore individual liability for gross negligence, which can affect both the manager and the developer. In product and vehicle development, the producers and OEMs also pass their functional safety requirements on to suppliers and external development service providers, who in turn must satisfy these requirements and suitably document that they have done so.
It is clear that embodying functional safety in this way can generate additional costs. In the end a company will have to perform a cost-benefit analysis, and its line of reasoning must be well documented. Those who fail to do this jeopardise their own protection as well as that of the company. The topic of functional safety will remain with us in the coming years. In order to establish and demonstrate functional safety, companies must build a consistent quality and safety culture, from top management to the production line worker. Skilled consultancies like ServiceXpert can help in this process.
We usually begin our collaboration with our partners with an analysis of the current situation, in order to develop a first roadmap for how functional safety can be embodied in the company. The next step is support in implementing appropriate measures and in introducing or modifying processes. Once the introductory support concludes, independent experts can continuously track and evaluate the achievement of the planned objectives and compliance with the requirements of the standards.
ServiceXpert has already advised and supported numerous suppliers in the automotive and commercial vehicle sector with the analysis and implementation of new processes. The ServiceXpert specialists not only bring their expertise to the customer, they also make available their process experience gained at major OEMs.
ServiceXpert, a company within the ESG Group, employs over 85 staff in Hamburg and Munich. ServiceXpert is a systems and software house operating across Europe, with a focused portfolio of services for the life cycle management of E/E information for leading commercial vehicle manufacturers and their supplier industry.