But what’s next? How do you really get started with system development, and how do you take safety into account? The very first steps you do after the kickoff are crucial for a successful project and probably represent the most important phase of the whole product development process.
According to the automotive functional safety standard ISO 26262, this part is called the Concept Phase and is described in Part 3 of the standard (usually cited as ISO 26262-3). In the context of a particular project we translated the textual descriptions of the individual steps of this phase, with their inputs and outputs, into Visio-crafted flow diagrams, see figure.
As the figure shows, the concept phase consists of four individual steps. Each of these steps is described in detail in a separate clause of Part 3 of the standard:
- 3-5: Item definition
- 3-6: Initiation of the safety lifecycle
- 3-7: Hazard analysis and risk assessment
- 3-8: Functional safety concept
These individual steps within the Concept Phase have the following goals:
Item Definition (§5 of ISO 26262-3): It has 2 goals:
- It has to define and describe the item, its dependencies on, and interaction with, the environment and other items.
- It has to support an adequate understanding of the item so that the activities in subsequent phases can be performed.
Means: here you write down what you actually want to develop and analyze, and how it interacts with its environment, mostly from an external view. The item definition is the input for everything that follows, so an item boundary drawn too narrowly here (e.g. leaving out a sensor the function depends on) will be missing from the hazard analysis as well.
Initiation of the safety lifecycle (§6 of ISO 26262-3): This step also has 2 goals:
- It has to make the distinction between a new item development and a modification to an existing item (see ISO 26262-2:2011, Figure 2).
- It has to define the safety lifecycle activities (see ISO 26262-2:2011, Figure 2) that will be carried out in the case of a modification.
Means: here you specify the designated overall sequence of steps within the system, or better the safety, development process. For a modification of an existing item this is based on an impact analysis that identifies which lifecycle activities have to be repeated.
Hazard analysis and risk assessment (§7 of ISO 26262-3): This step has the following goal:
It has to identify and to categorise the hazards that malfunctions in the item can trigger and to formulate the safety goals related to the prevention or mitigation of the hazardous events, in order to avoid unreasonable risk.
Means: here you analyze and document in a structured way what might go wrong with your system, i.e. you perform a HARA (Hazard Analysis and Risk Assessment). One important metric introduced here is the Automotive Safety Integrity Level (ASIL), which is determined per hazardous event from three other parameters: Severity (S), Exposure (E, the probability of being in the operational situation in which the hazard can lead to harm) and Controllability (C), as shown in the table. ASIL A is the lowest and ASIL D the highest level; combinations that do not reach ASIL A are rated QM (quality management), meaning no requirements of ISO 26262 apply beyond the normal quality process.
Functional safety concept (§8 of ISO 26262-3): This step has the following goal:
It has to derive the functional safety requirements from the safety goals and to allocate them to the preliminary architectural elements of the item, or to external measures. Each functional safety requirement inherits the ASIL of the safety goal it is derived from; functions rated ASIL D therefore require the most attention, since the most demanding requirements apply to them.
Means: here you specify what the design has to consider in order to mitigate the hazards identified in the HARA, i.e. you specify the functional safety requirements.
Background information:
The standard ISO 26262 for functional safety in automotive systems, applicable to vehicles with a maximum gross mass of up to 3500 kg, was published in November 2011. It addresses possible hazards caused by malfunctioning behaviour of electrical and electronic (“E/E”) safety-related systems, including the interaction of these systems. Other hazards not primarily related to such systems, like electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, are only addressed by ISO 26262 in case they might be caused by malfunctioning behaviour of E/E safety-related systems.
It consists altogether of ten parts; nine of them are normative and one, Part 10, is an additional informative guideline that, for example, provides examples of how to decompose ASILs (Automotive Safety Integrity Levels), how to combine FMEAs and FTAs, and of a so-called “proven in use” argument.
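As an added example, not part of the original post and not code from the standard itself: the Python below encodes the ASIL determination used in the HARA (clause 7, Table 4 of ISO 26262-3) and the ASIL decomposition schemes that come into play when functional safety requirements are allocated in the functional safety concept (clause 8; the schemes are defined in ISO 26262-9 and illustrated in Part 10). The hazardous events and their S/E/C ratings are constructed for illustration and are not a real HARA; the names HazardousEvent, determine_asil, rate_hara, is_valid_decomposition and requirement_asil are my own.

```python
"""ASIL determination (ISO 26262-3, Table 4) and ASIL decomposition check
(ISO 26262-9, clause 5) for a small, constructed HARA.

Added illustration, not code from the original article; the names and the
sample hazardous events are invented for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class ASIL(IntEnum):
    """Automotive Safety Integrity Levels: QM (no ASIL) lowest, D highest."""
    QM = 0
    A = 1
    B = 2
    C = 3
    D = 4


@dataclass(frozen=True)
class HazardousEvent:
    """One row of a HARA: a hazard in an operational situation, rated S/E/C."""
    hazard_id: str
    description: str
    severity: int         # S0..S3
    exposure: int         # E0..E4, probability of exposure to the situation
    controllability: int  # C0..C3


def determine_asil(severity: int, exposure: int, controllability: int) -> ASIL:
    """ASIL per ISO 26262-3 Table 4.

    The table is monotone in all three parameters: with S1..S3, E1..E4 and
    C1..C3 the sum S+E+C of 7, 8, 9 or 10 gives ASIL A, B, C or D, and any
    lower sum is QM. A rating of S0, E0 or C0 means the event needs no safety
    requirement and is QM regardless of the other two parameters.
    """
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("S must be 0..3, E 0..4, C 0..3")
    if 0 in (severity, exposure, controllability):
        return ASIL.QM
    return ASIL(max(0, severity + exposure + controllability - 6))


def rate_hara(events: list[HazardousEvent]) -> dict[str, ASIL]:
    """Return the ASIL of every hazardous event of a HARA, keyed by hazard id."""
    return {ev.hazard_id: determine_asil(ev.severity, ev.exposure, ev.controllability)
            for ev in events}


# Permitted decompositions of a requirement's ASIL into two independent
# requirements (ISO 26262-9:2011, clause 5). Independence of the two parts
# has to be shown separately; this check only covers the level arithmetic.
_DECOMPOSITIONS = {
    ASIL.D: {(ASIL.C, ASIL.A), (ASIL.B, ASIL.B), (ASIL.D, ASIL.QM)},
    ASIL.C: {(ASIL.B, ASIL.A), (ASIL.C, ASIL.QM)},
    ASIL.B: {(ASIL.A, ASIL.A), (ASIL.B, ASIL.QM)},
    ASIL.A: {(ASIL.A, ASIL.QM)},
}


def is_valid_decomposition(goal: ASIL, part_a: ASIL, part_b: ASIL) -> bool:
    """True if a safety goal or requirement of level `goal` may be split into
    two independent requirements rated `part_a` and `part_b`."""
    pair = (max(part_a, part_b), min(part_a, part_b))
    return pair in _DECOMPOSITIONS.get(goal, set())


def requirement_asil(goal_asils: list[ASIL]) -> ASIL:
    """A functional safety requirement derived from several safety goals
    inherits the highest ASIL among them (ISO 26262-3, clause 8)."""
    return max(goal_asils, default=ASIL.QM)


# Constructed HARA rows for a hypothetical brake-by-wire item; the ratings
# are illustrative and not taken from any real analysis.
SAMPLE_HARA = [
    HazardousEvent("H-01", "Unintended full braking on the motorway", 3, 4, 2),
    HazardousEvent("H-02", "Loss of braking while approaching a red light", 3, 4, 3),
    HazardousEvent("H-03", "Brake warning lamp stays off while parked", 1, 4, 1),
    HazardousEvent("H-04", "Degraded pedal feel, vehicle stationary, engine off", 0, 4, 3),
]

if __name__ == "__main__":
    for hid, asil in rate_hara(SAMPLE_HARA).items():
        print(f"{hid}: {asil.name}")
    # Splitting the ASIL D safety goal behind H-02 into a C(D) control path
    # plus an independent A(D) monitor is permitted; two ASIL A parts are not.
    print(is_valid_decomposition(ASIL.D, ASIL.C, ASIL.A))  # True
    print(is_valid_decomposition(ASIL.D, ASIL.A, ASIL.A))  # False
```

The sum rule in determine_asil reproduces Table 4 cell by cell and is easier to review than a hard-coded 36-entry table, but the decomposition check is deliberately only the level arithmetic: the standard also requires evidence that the two decomposed requirements are implemented by sufficiently independent elements, which no lookup can give you.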