Functional Safety Case Study: FS-US-01

Customer type: OEM EV Startup

Location: West Coast USA

Status: Completed (Sep 2017 through to Dec 2019)

Summary: An OEM EV start-up based on the West Coast of the USA needed expert help managing and delivering Functional Safety on their new platform of products. The project spanned all vehicle systems and domains, including making the vehicle architecture ready for Level 3 autonomy. Over a period of two years we supported them with a globally deployed team of managers, consultants and engineers on a deliverables-based project. This approach meant the customer benefited from:

  • A turn-key approach, with our teams handling the full challenge of Functional Safety from set-up through to initial implementation
  • Parallel provision of expert training and technical knowledge transfer to the customer’s internal team, enabling them to complete the project autonomously
  • A joined-up approach to ideas and development needs, with teams across three continents working cohesively and efficiently
  • Keeping their core engineering team focused on the on-time development of their product, while we focused on producing the artefacts needed to meet Functional Safety requirements, allowing the product to fulfil its targets and be ready for market launch
  • Technical depth and breadth across ISO 26262 Parts 2-9, with a comprehensive list of Work Products
  • Support from the UK for independent audit and assessment to perform the progressive confirmation measures required by ISO 26262

Details: For a period of just over two years we deployed a Functional Safety team to a start-up OEM. This was a turn-key, deliverables-based project in which we had the responsibility to manage and deliver Functional Safety for their ground-up EV platform (SUV and Sedan). The team varied in size depending on the phase of the project but was distributed across three sites globally, from China via Europe to the West Coast of the USA. For the most part our work was conducted on-site at the client’s engineering facilities.

Treating the whole vehicle as the Functional Safety Item, we developed a comprehensive and practical Functional Safety concept to ISO 26262 that reflected the dynamic and agile working nature of the client. By working this way, we were able to develop Functional Safety concepts for sometimes ill-defined features and maintain their accelerated timing. We planned and managed all safety activities from the concept phase onwards, whilst delivering and managing a comprehensive requirements deck covering all safety-related components of the vehicle. Working closely with the client’s design engineers and with their suppliers, we were able to ensure the Functional Safety Requirements (FSR) were achievable using the available components and, where necessary, make iterations and trade-offs to achieve a realistic but safe solution. This was not an easy task, as some new features on this vehicle had a requirement to support genuine L3 autonomy. Significant time was therefore spent on the power distribution architecture, the communications architecture and redundancy (both of and within components) to achieve this. As a result of our support, the first vehicle architecture was ready to implement L3 features – such as Traffic Jam Pilot – by the end of the project, a necessary deliverable for the product and a successful milestone within the project.

In parallel with this we developed and deployed a bespoke training and coaching program. With over 150 years of combined industry experience within our Functional Safety team, our qualified engineers are active participants in the international committees of the standards to which our training courses pertain – including ISO 26262, ISO/PAS 21448 (SOTIF), ISO/SAE 21434 and the MISRA Guidelines – and so have first-hand knowledge of the rationale and thinking behind the text of each standard. Through a program of awareness training, over 150 client staff were trained in the awareness and principles of Functional Safety. From component sourcing, to HR, through to Production, everyone in the organization understood their role in developing and producing a safe product. This was an important organizational step, because addressing Functional Safety effectively requires confidence in the people, the processes and the product.

Providing training for the whole organization allowed us to rapidly accelerate the knowledge and capability of staff who came from a generally non-automotive background. In addition, whilst the Functional Safety requirements deck was being stabilized, we trained an internal team of seven staff within our customer’s business to become competent Functional Safety engineers. This technical knowledge transfer was a key criterion for engaging us on the project; as a result, the client was not obliged to contract out engineering services once we had built their internal competency.

As the project progressed, by handing over some of the day-to-day maintenance of the requirements deck and the interaction with suppliers, we were able to re-focus our team on supporting the two crucial components that were being developed in-house:

  • The Human Machine Interface (displays and user interface)
  • The Gateway Module (the communications and power heart of the vehicle)

In both cases we worked with the systems, hardware and software development teams to arrive at realistic technical architectures that could achieve our Functional Safety requirements. Working with silicon and operating system vendors, we reviewed safety manuals and assumptions of use to ensure the detailed designs could achieve the required integrity. In some cases this needed lateral thinking, since the “safe states” anticipated by the silicon vendor were not compatible with the vehicle architecture. Working in this way we were able to solve this with some additional hardware, saving the client additional development expense and time. Once these tasks were completed, we moved on to directing and coordinating the safety analysis activities for these components, from FMEA to FTA and on to hardware architectural metrics.

Throughout the program we managed the safety lifecycle, reporting progress and resolving issues through the senior management path and reporting directly into the weekly program reviews. An independent team from the UK was also deployed to perform the progressive confirmation measures required by ISO 26262. Maintaining independence is important for audit purposes and was possible due to the depth of capability available within our global team.

Having generated a structured safety case report – ready to be populated and prepared for the safety goal validation plans – we concluded our involvement in the project, leaving it in the capable hands of the internally trained customer team, ready for a successful engineering completion and launch.

Engineering team deployed:

  • 1x safety manager, 2x consultants, 1x engineer: USA
  • 1x consultant, 1x engineer: UK
  • 1x consultant, 1x engineer: China

Standards involved:

  • ISO 26262 Parts 2, 3, 4, 5, 6, 7, 8, 9
  • ISO 13849 (Dependent Failure Analysis concepts)
  • SN 29500

Work Products developed: Safety policy, safety plan, functional safety assessment plan, field monitoring plan, item definition (ID), hazard analysis and risk assessment (HARA), functional safety concept (FSC), technical safety concept (TSC), architectural design, fault trees (FTA), failure mode and effects analyses (FMEA), hardware architectural metrics/FMEDA, guidelines for hardware and software development, communications guidelines, verification plans and test cases, safety goal validation plans and test cases, route-to-the-road process and templates, safety case report, verification review reports, audit templates, supplier audit plan, supplier selection guidance, software tool evaluation report, confirmation review reports.