Functional safety management (FSM) is becoming a hot topic as vehicle electronics grow more complex and new driver-assistance functions are built on ever denser networking of existing systems. With the IEC (International Electrotechnical Commission) 61508 standard for functional safety of electrical and electronic safety-related systems in place since 2000, the increasing importance of ensuring functional safety in the car has led to the committee draft (CD) of a specific automotive safety standard. Called ISO 26262, it details the design of a development process tailored to ensure functional safety. First drafted in 2004, it is expected to take effect in June 2011.
The current situation is a little schizophrenic, though. On the one hand, product liability issues require that every automotive system must work reliably under all circumstances. On the other hand, “systems are currently not always developed with the question in mind which risks may be caused by them,” said Dr. Dieter Lederer, Managing Director of Vector Consulting Services. “Currently, functional safety is often delegated to the component level. However, functional safety is not a component quality but a system property. Our experience shows that a lot remains to be done to achieve a true focus on system design.”
Since a lack of risk analysis, lack of system limit definitions, and insufficient translation of requirements into system architecture can cause expensive improvement steps in the late development process, the second annual Vector Forum on functional safety attracted around 100 participants and speakers from vehicle manufacturers and suppliers. Though presentations and discussions revealed some controversies among the experts, there seems to be a lot of common ground as well. “Functional safety is not just a technical issue. At the end of the day, it is a change process that has to lead to a change in culture,” said Lederer.
Functional safety is also an economic factor, argued Dr. Stefan Kriebel, department head of driving dynamics software development at BMW Group in Munich, Germany. “The lack of functional safety know-how and the lack of implementation of adequate processes to achieve functional safety in development projects are cost drivers,” he said. “We find that the know-how is not always available where it is needed. A safety-oriented development process is not yet a standard in the industry. OEMs are currently suffering from the enormous effort to integrate components bottom-up instead of top-down. The state of the art is to develop locally optimal solutions. What we really need is a comprehensive functional architecture and a clear partitioning of vehicle architectural design. After all, we sell cars and not just individual functions.”
The expert refrained from finger-pointing, though. Kriebel is convinced that it is the vehicle manufacturer’s responsibility to define this functional architecture. Addressing the suppliers, he openly invited them to “challenge us to define the system limits.” To develop functional safety, a middle layer of functional architecture needs to be modeled between the user architecture and the technical architecture. “Otherwise the complexity on the technology level becomes unmanageable,” he said.
As an example, he mentioned electronic control units that work fine on the single-system level but are nevertheless a main cause of additional work because of the way they behave in the onboard network. “The introduction of a functional architecture for the development of functional safety should easily deliver 20% lower costs by doing away with many testing efforts and speeding up the integration phase. We are strongly motivated to move in this direction,” Kriebel said.
The economic importance of functional safety as a potential cost driver or cost improvement is naturally seen a little differently, depending on the point of view.
Jürgen Belz, head of the Processes, Methods, and Tools department at Hella KGaA Hueck & Co. of Lippstadt, Germany, illustrated the supplier’s point of view. “Projects with functional-safety requirements have estimated additional costs of 8 to 12% caused by tasks such as formal documentation.”
On the other hand, Dipl.-Ing. Peter Zimmerschitt-Halbig, an expert in the functional safety management team of Continental AG’s electronic braking systems business unit in Frankfurt, Germany, said, “It is true that functional safety management causes higher project costs initially, but these costs go down considerably as the start of production is approached. In total, savings are possible. Functional safety management is not additional work but better work organization.”
While the debate about costs will lessen as the industry’s learning curve progresses, there is also a much more basic debate going on.
“Currently there is a lot of interpretation and negotiating going on about how much functional safety is actually needed,” said Belz. “Some OEMs require (A)SIL Level A, while others are not concerned about functional safety at all. We were surprised, for instance, to find that the U.S. market is not really concerned about functional safety in our areas of activity despite the great importance of product liability.”
With regard to the forthcoming ISO 26262, “we find a good match between process maturity such as SPICE level 3 and the new standard,” Belz concluded.
To exemplify the current challenge of maintaining functional safety during the development process, Belz confirmed that it is quite common for Hella to cope with up to 500 modifications per quarter in a single development project. Managing this efficiently will require shifting today’s focus on testing toward the development phase.
“Product development must follow identified risks, both from a product and process perspective, but we do not see an industry-wide agreement on who has the responsibility for such comprehensive risk analysis,” said Dr. Simon Burton, manager at Vector Consulting Services. Burton argues that functional-safety management is a migration to a new level of process quality: “The CMMI framework’s maturity level 3 provides the basic project management and engineering capabilities.”
Henning Butz, Head of Information Management and Electronic Networks Development at Airbus Industries in Hamburg, Germany, confirmed the importance of the development process design: “Process assurance is a core element of functional safety.”
Looking back on many years of safety dedication, Butz said that “embedded functions in an aircraft are often so complex that they cannot be 100% tested and are much too complex to be understood from a mere mechanical-analogy point of view. This is why all critical aircraft functions are designed to a tremendous degree of fault tolerance. Our software-development process is very similar to the proposed automotive ISO 26262. When you compare this to the aerospace ARP 4754, RTCA DO-178B, and other standards, you will find a considerable match.”