EPB System Functional Safety Note (19): Understanding and Discriminating Confirmation Measures for Functional Safety Approval

Author: Empowering Manufacturing with Technology

Key Points

ISO 26262 integrates functional safety development into the well-known “V-model” development process. Based on the division of system/software/hardware levels, the functional safety development activities of ISO 26262 are integrated into the three “V-models” as shown in the figure below. The functional safety development points contained in these three “V-models” have been explained in previous articles in this series.

Functional safety development in the "V-Model", taken from ISO 26262

Friends who work on engineering projects know that for a mass-produced product, in addition to completing the development work, the development work products must also be reviewed before the product can be released. The same goes for functional safety development. "ISO 26262, part 2, functional safety management" provides detailed information on the review process and requirements for functional safety; the corresponding term is "confirmation measures".

Safety management process, taken from ISO 26262-2018, part 2

A practical situation is that it is easy for readers to get confused when reading the explanation and requirements related to “confirmation measures” in ISO 26262, especially when combined with the translation of the three dimensions in the Chinese national standard GB/T 34590, as shown below:

  • Confirmation review

  • Functional safety audit

  • Functional safety assessment

Therefore, this article will attempt to distinguish the three dimensions of “confirmation measures” and provide valuable reference for readers.

Note:

  • Considering the confusion in Chinese translation, unless necessary, English concepts will be used to describe the following content.

  • Compared with the 2011 version, the explanation and requirements of confirmation measures in ISO 26262-2018 have been supplemented, and it is recommended that readers read the 2018 version to facilitate understanding.

  1. Confirmation Measures and Its Three Dimensions

As mentioned above, the main purpose of confirmation measures is to assess the development process and work products of functional safety in order to confirm compliance with ISO 26262 requirements. This assessment needs to be carried out from three dimensions, as shown in the figure below.

The objects and purposes of these three dimensions are as follows:

From the above comparison, it can be summarized that the Confirmation review and the Functional safety audit do not judge whether the design-related safety measures are reasonable; they only check whether the safety measures have been developed in accordance with ISO 26262 requirements. The focus of the Functional safety assessment is to evaluate whether functional safety can actually be achieved once the safety measures meet the development requirements.

From the above perspective, it can be seen that the three dimensions are not isolated.

On the one hand, since implementing the safety measures in accordance with ISO 26262 requirements is a prerequisite for the functional safety assessment, a reasonable degree of flexibility can be allowed according to the complexity of the project. For relatively simple projects, the Confirmation review and the Functional safety audit can be combined with the Functional safety assessment during the review, rather than forcibly splitting them into three separate activities. ISO 26262 mentions this point:

ISO 26262-2018, part 2, 6.4.9.1

NOTE 7 Confirmation measures such as confirmation reviews and functional safety audits can be merged and combined with the functional safety assessment to support the handling of comparable variants of an item.

On the other hand, the results of confirmation reviews and functional safety audits can serve as inputs to the functional safety assessment, so that during the assessment it can be assumed that the safety measures have already been implemented and the focus can be placed on their appropriateness and effectiveness. This is also mentioned in ISO 26262.

ISO 26262-2018, Part 2, 6.4.12.8 states that a functional safety assessment should consider the following:

a) …

b) the results from the confirmation reviews and functional safety audits.

The purpose of the comparison above is to differentiate the three dimensions of confirmation measures. The following sections provide further explanation of each of the three dimensions. Since each of them is a "review", the "reviewer" must also be determined. In engineering development, independence is required of the "reviewer", and this is explained in the following sections as well.

  2. Confirmation Review

As previously mentioned, the objects of the Confirmation Review are the key work products of the functional safety development process (e.g. H&R, safety plan, safety concept, safety case, etc.). Therefore, according to the safety plan, a Confirmation Review can be initiated as soon as the corresponding work product is completed. Confirmation reviews of all such work products need to be completed before the product's SOP.

ISO 26262-2018, Part 2 supplements the requirement for the reviewer:

6.4.10.3: In order to enhance confidence in achieving the review objectives, the reviewer verifies the work product's correctness, completeness, consistency, adequacy and contents against the corresponding requirements in the ISO 26262 series of standards.

The independence requirements for a reviewer vary depending on the ASIL level of functional safety requirements, with higher ASIL levels requiring stricter independence. The independence requirements of ISO 26262 are shown in the figure below.

The definitions of the labeled parts in the figure are as follows:

  • I0: The confirmation measure should be performed; however, if it is performed, it shall be carried out by a different person.

  • I1: The confirmation measure shall be performed by a different person.

  • I2: The confirmation measure shall be performed by a person from a different team, i.e. one who does not report to the same direct supervisor.

  • I3: The confirmation measure shall be performed by a person from a different department or organization, i.e. one that is independent of the department responsible for the related work products in terms of management, resources and release authority.

Figure showing the independence requirements for the confirmation review, taken from ISO 26262-2018, part 2

  3. Functional Safety Audit

ISO 26262-2018, part 2 supplements the purpose of the functional safety audit in 6.4.11.3:

A functional safety audit may be conducted by evaluating whether the process-related objectives of the ISO 26262 series of standards have been achieved. These objectives are summarized as items a) to g) in ISO 26262-2018, and the audit is based on the following points:

a) Evaluate the implementation of processes against the definitions of activities mentioned or specified in the safety plan;

b) Evaluate safety plan products against organization-specific rules and processes;

c) Evaluate arguments, if provided, explaining how the process-related objectives of the ISO 26262 series of standards have been achieved;

d) Evaluate whether the work products required by the safety plan have been made available;

e) Tailored safety activities, the corresponding rationales provided for them, and a review of those rationales;

f) Evaluation of compliance with ISO 26262-8:2018, 10.4.3, and of the consistency of the work products required by the safety plan;

g) Improvement recommendations according to 5.4.2.6, if applicable, such as in cases of non-compliances.

The independence requirements for auditors vary with the ASIL of the functional safety requirements, with higher ASILs requiring stricter independence.

  4. Functional Safety Assessment

ISO 26262 requires the scope of functional safety assessment to at least include the following three aspects:

  • Work products required by the safety plan;

  • Processes for functional safety requirements;

  • Suitability and effectiveness review of implemented and assessable safety measures during relevant development phases.

From this, we can see that the functional safety assessment is a more comprehensive evaluation than the other two, which also confirms why the confirmation review and the functional safety audit mentioned earlier can serve as inputs to the assessment.

So, given that the functional safety assessment is more comprehensive, when should it be conducted? Generally, for complex projects, the assessment should be planned as early as possible instead of being pushed to the project release milestone. The supplementary advice provided by ISO 26262-2018 is as follows:

6.4.12.3 A functional safety assessment:

a) Shall be planned in accordance with 6.4.6.5 f);

b) Should be planned to take place no later than the beginning of system-level product development;

c) Should be performed progressively during product development;

d) Shall be finalized before the product is released for production.

The independence requirements for assessors depend on the ASIL (Automotive Safety Integrity Level) of the functional safety requirements: the higher the ASIL, the more stringent the independence requirements.

This article is a translation by ChatGPT of a Chinese report from 42HOW. If you have any questions about it, please email bd@42how.com.