German Testing Provider Derides Asian Car Manufacturers on Lack of Functional Safety

Following a series of inexcusable incidents that have put lives at risk and eroded consumer confidence in some of the world’s largest and most revered brands, improvement on functional safety in the automotive industry has become widely accepted.

The widely publicised braking issue in Toyota’s iconic hybrid car, the Prius, last year is a case in point. The problems, which were linked to glitches in the vehicle’s complex software and electronics systems, resulted in a global recall at a cost of US$2billion. In addition, German carmaker BMW faced a similar crisis back in 2004 when the anti-lock brake system in its 5 series experienced blackouts when brake force exceeded 120 kiloponds.

Unfortunately the automotive industry’s approach to achieving functional safety is still broadly inefficient and, in some cases, ineffective. All too often, for example, we see manufacturers approach functional safety as an afterthought following product development, rather than as an integral part of the design process. This results in a glut of companies spending millions of dollars every year rectifying issues, rather than avoiding them from the start. Manufacturers also seldom benchmark functional safety tests against the relevant industry standards.

In doing so, they put themselves in jeopardy of experiencing issues exporting cars to international markets. So what is the most efficient and effective means of approaching functional safety? The first step is to fully understand what it is and why it is necessary.

Functional safety is a step beyond traditional product safety that considers the reliability of the function of a product, instead of the safety of its individual components. Consider a car brake, for example. Traditional product safety would assess the safety of the individual mechanical and electrical components in the brake.

Functional safety, on the other hand, would examine the reliability of these components working together to stop the car. This can be a complex assessment given the intricate maze of interconnected hardware and software used in modern vehicles to perform functions. However, in reality, this underlines its importance.

The first step to achieving functional safety is identifying when it is necessity, which should start at the design stage. A risk assessment process, carried out according to accepted principles of risk assessment, is the best way of achieving this. This approach, for example, defines which actions of a product are defined as safety-relevant and which are not safety-relevant. Risk assessment can also establish how safety critical the ability to perform particular actions is.

Once a product’s safety-relevant actions are defined, the next step is to assess their automotive Safety Integrity Level (ASIL). ASIL is a measure of the risk-reduction required by the safety function. It is defined in four steps: ASIL A (the lowest amount of risk-reduction) to ASIL D (the highest amount of risk-reduction). Selection of the ASIL is matched by the risk-reduction required to the safety criticality of the function. For safety functions with a relatively low criticality, ASIL A may be appropriate; whereas safety functions with a high degree of criticality may require an ASIL C or even an ASIL D designation.

Step three is to make corrective actions, where necessary, to ensure the safety function performs to the design intent under conditions of incorrect operator input and failure modes. This involves having its design and lifecycle managed by qualified and competent engineers carrying out processes to a recognised functional safety standard. There are several international standards addressing functional safety. For most products, the requirements for a functionally safe product are outlined in IEC 61508.

In the automotive industry, IEC 61508 is a rudimentary safety publication covering the functional safety of electrical, electronic and programmable electronic safety-related systems. Notably, some issues have been raised with applying the standard to the industry. For example, the overall safety lifecycle of IEC 61508 assumes installation of the item at the customer site to precede the overall safety validation, which is not the case for mass-market road vehicles where the safety of the car is validated before the start of production. Additionally, IEC 61508 considers safety functions often to be distinct from the control functions. However, control functions and safety functions of automotive systems are usually inseparable.

Help, however, is on the way in the form of a new international standard, ISO 26262 – the draft of which was published in 2009. Its principles are based on IEC 61508, although it is more relevant for the automotive industry as it has been developed in consultation with industry experts and international industry standardisation bodies.

The standard, which became fully operational on 17th December 2011, is intended to be applied to safety-related systems that include one or more electronic systems. It will also address possible hazards caused by Electro Magnetic interference. Importantly, it has already been adopted by some forward thinking automotive organisations; however, many are lagging behind.

There is no doubt that the next decade will proceed at a historic pace in technology advancement in the automotive industry. Aligned with this progression, functional safety will become increasingly important, especially as new functionalities in driver assistance dynamics control and additional safety systems emerge. Those that act quickly will reap the most significant reward. And those that act slowly will continue to put their customers as well as their top and bottom lines at threat.

Credits: wilswong