Introduction to Safety Management for Self Driving Cars

Introduction to concepts like Safety Culture, Safety Lifecycle, Safety Management, Development Interface Agreement and Confirmation Measures

Prateek Sawhney
6 min read · Sep 13, 2021

Hello, and welcome to this Medium article. The previous Medium articles covered functional safety itself. Before analyzing a system under ISO 26262, we need a plan, because designing a safe vehicle requires more than a methodical analysis of hardware and software components.

Image by Jakub Puchalski on Unsplash

Vehicles are complex systems with both organizational and technical requirements. If our company or team does not take safety seriously, how can we expect to design a safe vehicle? If roles and responsibilities have not been defined, important design steps can be missed. So our first step in functional safety is to write a safety plan. The safety plan forces us to define roles and then outline the steps we will take to achieve functional safety. In this lesson I will discuss the basic parts of a safety plan so that we can document our own.

Safety Culture

It is important to understand that technology malfunctions are not the only source of vehicle accidents. Social and organizational factors play a role as well. An organization should develop clear policies and strategies to support the development, production, and operation of safe systems. Imagine what would happen if our manager told us to skip a few software integration tests in order to meet a deadline.

Would we feel comfortable telling our manager no? Does our company have clear policies about what to do if we encounter design problems that aren’t our responsibility?

Decisions about technology are, after all, made by humans, and humans are fallible. A good safety culture puts safety ahead of competing constraints such as cost and productivity. Design decisions need to be well documented and traceable back to the people who made them. Companies should reward achieving safe systems and penalize taking shortcuts. Without a good safety culture, functional safety is difficult to achieve. Our safety plan will need to include information about how our company promotes a safety culture.

Tailoring the Safety Lifecycle

Let's look again at the steps contained in the V-model discussed in the previous Medium article. I have included the image here for reference.

V Model (Image by author)

The V-model shows the entire safety lifecycle, starting from the concept phase, continuing through product development and ending in production. In general, a functional safety manager will need to coordinate and document the entire cycle. Ask yourself: is my product new, or am I modifying an existing product? If we are designing a new product, we will have to follow and document the entire safety lifecycle. If we are modifying a product that already exists, we might not have to repeat every step. New functionality may only affect certain parts of the concept phase or the product development phase, so we can tailor the safety lifecycle to include only the parts impacted by the change. That way, we can reuse some of the work that has already been done.

Let's say, for example, that we are updating an automatic braking system that already exists. Our company has decided to use a new electronic control unit (ECU) with a faster, more powerful processor, but the brake system's functionality has not changed. Our first step is an impact analysis: we have to show that the new ECU really does not affect the braking function. If the new ECU has no effect on the function, we might not have to change anything in the design, and we could reuse part of the original functional safety analysis. However, we would still need to run tests to make sure the new ECU integrates with the rest of the system, since a different processor can change timing behaviour even when the software logic is unchanged. In the safety plan, we would need to state whether the product being developed is new or a modification. Then we tailor the safety lifecycle and record which sections of the V-model need to be repeated and which existing work products are being reused. Tailoring the safety lifecycle allows us to focus on the parts of the product that are new.

Safety Management roles and responsibilities

Another part of the safety plan involves defining roles and responsibilities. One person would not be expected to do all of the work required by ISO 26262. In fact, developing the functional safety of a product can involve multiple teams, both within a company and across different companies. Some of the most important roles in a safety-related project are:

  1. The project manager, who ensures that all of the necessary resources are available to the project.
  2. The safety manager, who writes the safety plan and then monitors the project's progress against that plan.
  3. The safety engineer, who is responsible for the architectural design and for implementation steps such as integration and testing.
  4. The safety auditor, who makes sure that the company implements its processes according to the functional safety standard.
  5. The safety assessor, who acts as an independent judge of whether the product actually achieves functional safety.
  6. The test manager, who plans the tests that determine whether the system works as expected.

Clearly defined roles in the safety plan ensure that each member of the team knows what to do. Defining roles also ensures that every activity has a team member assigned to it.

Development Interface Agreement

The automotive supply chain is generally divided into three players:

  1. OEMs
  2. Tier 1 suppliers
  3. Tier 2 suppliers

OEM stands for Original Equipment Manufacturer. These are the brand-name automotive companies that sell cars to consumers, but OEMs do not necessarily develop all of their vehicle systems in-house. OEMs outsource some development to what are called Tier 1 suppliers, and the OEM and the Tier 1 supplier then take on a customer-supplier relationship. The OEM might provide requirements for what a vehicle system needs to do, and the Tier 1 supplier then develops and produces the system for the OEM. Or the OEM might provide a preliminary product design, and the Tier 1 fills in the details. Tier 1 companies often outsource their own work to Tier 2 companies. A common example is a Tier 1 that sources an electronic control unit from a Tier 2 company and then uses that ECU to develop an automatic braking system for the OEM.

In the safety plan, there is a section called the Development Interface Agreement, or DIA. The DIA delineates the design and production responsibilities between the OEM and the Tier 1 supplier, or between the Tier 1 supplier and the Tier 2 supplier: which party owns which safety activities and work products, and which interfaces between them must be verified.

Why include the Development Interface Agreement in the safety plan?

One reason is to avoid disputes during the planning and development of a product. Another reason is liability. If a vehicle has a safety issue after being sold to consumers, the Development Interface Agreement provides clarity about which company was responsible for the affected part of the system and is therefore best positioned to fix it.

Confirmation Measures

The last part of the safety plan that we will discuss is the Confirmation Measures section. Confirmation measures check three things: that our processes comply with the functional safety standard, that the project's execution follows the safety plan, and that the design really does achieve functional safety. In ISO 26262 these measures are the confirmation reviews of individual work products, the functional safety audit of the process, and the functional safety assessment of the result. They are carried out by people who are independent of the design and implementation of the product, and the degree of independence required grows with the ASIL of the item. The safety plan should describe which specific confirmation measures will be used, who is responsible for each measure, and how each measure will be carried out. Confirmation measures therefore ensure that the people who design the product and the people who review the design are not the same people.

Summary

We have gone through the major parts of a safety plan. Writing the safety plan is one of the first steps in developing a safe product. Designing a system under the functional safety standard requires methodical planning and execution, and the safety plan serves as a guide to what will be done to achieve functional safety. The plan also defines responsibilities between the players involved in the project, which ensures that everybody knows what to do and that somebody is covering every task. As the project passes through the design, implementation, and production phases, its output will be checked against the safety plan.

Prateek Sawhney

AI Engineer at DPS, Germany | 1 Day Intern @Lenovo | Explore ML Facilitator at Google | HackWithInfy Finalist’19 at Infosys | GCI Mentor @TensorFlow | MAIT, IPU