Reading Time: 4 minutes Difficulty: Advanced

Referring back to the previous article, we should remind ourselves that the key points of the ISO 26262 standard include planning, coordinating and monitoring the progress of safety-related activities, as well as the responsibility of ensuring that confirmation measures are carried out throughout the Safety Life Cycle. Let’s focus on an important aspect called the Functional Safety Concept.
Introduction to the Concept vs. Safety Life Cycle
The Functional Safety Concept phase sits in the initial part of the ISO 26262 life cycle, as it establishes the basis the design must follow to achieve the safety goals already set when the ASILs were determined through the HARA (Hazard Analysis and Risk Assessment) method.

The exact definition of the Functional Safety Concept (FSC) is:
specification of the functional safety requirements* with associated information, their assignment to elements within the architecture, and their interaction to achieve safety objectives.
*An FSR (Functional Safety Requirement), in turn, is defined as:
specification of the implementation-independent safety behavior or implementation-independent safety measure, including its safety-related attributes.
In the interest of clarity, let’s compare the two definitions:
FS | Functional Safety Concept (FSC) | Functional Safety Requirement (FSR) |
---|---|---|
What it refers to | Vehicle | Systems or sub-systems |
Purpose | Describes how safety objectives will be achieved | Translates the FSC into specific and verifiable requirements for individual components of the system |
What it specifies | | |
Example | For an Adaptive Cruise Control (ACC) system, the FSC may specify how the system reacts to sensor failures, such as loss of radar signal, to maintain safety of the vehicle. | An FSR for the ACC could specify that the system must automatically disengage and alert the driver in the event of failure of a radar sensor within 2 seconds. |
In summary, the FSC provides an overall view of how the safety of the vehicle will be achieved, while the FSRs translate this view into practical and measurable requirements for the individual components of the system.
Prerequisites of the Functional Safety Concept
The inputs for the definition of the FSC are:
- Definition of the item
- Hazard analysis and risk assessment report
- Architectural design of the system
- Consideration of any dependencies between systems and interfaces, and of the interactions with the driver and the environment
- Determination of the relationship between faults, safety mechanisms and driver interactions/behaviours
All of this is reported in the Safety Plan, which is followed by the implementation of the specific requirements; the plan must contain all the information needed to implement functional safety, manage it over time, and trace the related responsibilities.
Example of application of the Functional Safety Concept
Let’s see an example of application of the Functional Safety Concept to lane centering systems (ALC, Automatic Level Control).
The assumption is that failure management strategies are generally provided for ALC systems.
This means being able to disengage the ALC system without further actions and without interfering with other systems, by transitioning to a safe state, as in the example diagram below, provided by NHTSA: DOT HS 812 573 – Functional Safety Assessment of an Automated Lane Centering System.
By way of explanation, this is an architecture that can tolerate one failure and still keep the ALC system active. In the event of a second failure, a failure management strategy is followed.
However, it remains essential to include specific safety requirements for driver warning systems, for example requirements for recording electronic faults in the ALC control modules, or for detecting any electronic fault that may have significant effects on the functionality of Automatic Level Control.
In fact, warning the driver is a key element in ensuring that the driver follows the right course of action. The purpose of the warning is to reduce the risk exposure time to an acceptable range, and it is therefore given through indicator lights or tactile signals, such as vibration of the steering wheel or seat, audio, or messages on the display.
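As an added illustration (not code from the article or from the NHTSA report), here is a simplified fault manager for the dual-path ALC architecture described above: one sensor failure is tolerated and the function stays active, a second failure triggers the safe state, every fault is recorded, and each driver warning is checked against the 2-second budget borrowed from the ACC example. Sensor names, state names and the HMI latency are assumptions for this example.

```python
# Added example, not code from the article or from NHTSA: a simplified fault
# manager for a dual-sensor lane-centering architecture. It keeps the function
# active after one sensor failure, transitions to a safe state on the second,
# records every fault, and checks the driver warning against a time budget.
# Sensor names, states and the 2 s budget are assumptions for this example.
from dataclasses import dataclass, field

WARN_BUDGET_S = 2.0  # assumed warning deadline, taken from the ACC example above


@dataclass
class AlcFaultManager:
    sensors: dict                       # sensor name -> True if healthy
    hmi_latency_s: float = 0.5          # assumed time from detection to driver warning
    state: str = "ACTIVE"               # ACTIVE -> DEGRADED -> SAFE_STATE
    fault_log: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    def report_fault(self, sensor: str, t_detect: float) -> str:
        """Record a detected electronic fault and apply the failure strategy."""
        if sensor not in self.sensors:
            raise KeyError(f"unknown sensor {sensor}")
        if not self.sensors[sensor] or self.state == "SAFE_STATE":
            return self.state               # already handled or already disengaged
        self.sensors[sensor] = False
        self.fault_log.append((t_detect, sensor))   # persistent record of the fault
        failed = sum(1 for ok in self.sensors.values() if not ok)
        if failed == 1:
            self.state = "DEGRADED"         # one failure tolerated, ALC stays active
            self._warn(t_detect, "ALC degraded: redundant sensor lost")
        else:
            self.state = "SAFE_STATE"       # second failure: disengage, no further action
            self._warn(t_detect, "ALC disengaged: take control of the vehicle")
        return self.state

    def _warn(self, t_detect: float, message: str) -> bool:
        """Issue the driver warning and check that it meets the time budget."""
        t_issue = t_detect + self.hmi_latency_s
        on_time = (t_issue - t_detect) <= WARN_BUDGET_S
        self.warnings.append((t_issue, message, on_time))
        return on_time

    def is_engaged(self) -> bool:
        return self.state in ("ACTIVE", "DEGRADED")

    def late_warnings(self) -> list:
        """Warnings that missed the budget: a verification finding against the FSR."""
        return [w for w in self.warnings if not w[2]]
```

Running the same fault sequence with a larger `hmi_latency_s` shows how a verification check against the warning-time FSR would flag the design.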