Avoid system errors right from the start – An interview with Lisa Weichsel, Project Engineer at PEM Motion

Functional safety ensures the safety of complex products, plants and processes for people and the environment. Experts are involved as early as the conceptual or development phase in order to minimize the risks posed by the products.

Lisa Weichsel has been working as a project engineer at PEM Motion since 2019 and is active in the field of functional safety. She has not only dealt with the topic in detail in her master's thesis, but has also advised and accompanied some of our customers in their developments.

Today, Lisa takes us along into her daily work and reports on experiences and projects in the functional safety sector.

What was your most exciting experience at PEM so far?

My most exciting experience with PEM so far has been accompanying the development of a “Safety Element out of Context (SEooC)” from the very beginning. This is a safety-relevant subsystem which is not specified in connection with a specific vehicle. This project offers me many opportunities to extend my own knowledge and to fully support the development process according to ISO 26262:2018.
Furthermore, I am always happy to share my knowledge about a relatively dry topic, which is often considered to inhibit innovation, with others and to create enthusiasm in workshops with our customers.

What is functional safety?

The basic safety standard IEC 61508 defines functional safety as an essential part of the overall safety of a system. The ISO 26262 standard – on the functional safety of road vehicles – defines functional safety as the ability of an electrical, electronic or programmable electronic system (E/E/PE) to assume a well-defined safe state or to remain in a safe state in the event of a dangerous failure. It is therefore a matter of designing electrical systems to be safe and setting uniform standards through norms. The goal of functional safety is to protect people and the environment from risks arising from malfunctions in the use of technical products and systems.

In which areas is functional safety implemented?

Functional safety occurs wherever the safety of an entire system depends on the correct functioning of an E/E/PE system. In most cases, functional safety plays a role when complex products, systems or processes are involved whose safety functions are taken over by a safety-related control system.

Manufacturers of technical products and systems are obliged by the Product Liability Act to develop their systems in accordance with the state of the art and science and to ensure the safety of their products. They are liable for damages arising in connection with the developed system. I can test every function of a drilling machine and perform a stress test. A driver assistance system is already more difficult to test. The possible use and test cases here quickly exceed a range that can realistically be tested.

Without an overriding safety management system, which covers the identification of hazards, the development of safety-related systems and verification, companies are usually unable to prove the safety integrity of their system.

Why is functional safety that important in the development of new products?

New technologies open up new risks as well as opportunities. The identification and evaluation of the relevant risks are of great importance in this context. In order to avoid errors and dangerous system failures, an overarching functional safety management system is required for controlling purposes. This ensures that a system achieves the required safety integrity. Only in this way can the coverage of the safety objectives by the safety requirements and the fulfillment of the requirements by the technical development be fully verified and guaranteed.

It is worthwhile for companies to tackle functional safety at an early stage. This is often more time and cost effective than dealing with the topic at the time of approval.

This leads us directly to the next question: First the prototype, then functional safety – or the other way around?

The earlier functional safety is taken into account, the easier it is to integrate it into the system. Protective measures guarantee the overall safety of the system within the scope of risk reduction. The risk can be reduced both by eliminating hazards and by reducing the extent of damage or the probability of occurrence. DIN EN ISO 12100:2010 “Safety of machinery – General principles for design – Risk assessment and risk reduction” describes a three-step procedure for the definition of protective measures:

  • Step 1: Inherently safe construction
  • Step 2: Technical protection measures
  • Step 3: Operational information

A machine is considered to be inherently safe if hazards are eliminated or associated risks reduced by an appropriate selection of design features. Corresponding design features in hardware design are, for example, architectural features such as redundancies, which enable hardware fault tolerance ≥ 1. The first stage is the only stage in which hazards can be eliminated completely.

In stage two, the remaining risks are reduced by additional technical or other protective measures. In the field of sensor technology, for example, there is the possibility to design the sensor entirely according to the required safety integrity level of the safety-relevant function. This would correspond to an inherently safe design. Alternatively, additional protective and diagnostic measures could be integrated into the logic processing unit to ensure the required safety integrity level.

If there are residual risks after the application of stages one and two, any residual risk must be indicated in an operational information notice.

In general, it is important to consider protective measures in the design phase, if possible, as these are usually more effective and cheaper than measures taken at a later stage.

Let’s take a practical look. How do I know which standards to meet? How do I find my way through the jungle of individual standards?

The application of standards is generally voluntary. Standards become legally binding when laws or regulations such as EU directives refer to them. Standards prepared by the German Institute for Standardization (DIN) or international technical committees generally serve to identify the state of the art at the time of their publication and provide a guide for development. To find the right standards, bibliographic databases can help. In principle, however, it is always necessary to look at the scope of a standard and assess whether it applies to the subject of development. It is often helpful to be clear about which EU directives should be applied and to conduct a standards search based on this.

Which areas are particularly important for companies in the mobility industry?

A number of basic safety standards for individual industries are derived from IEC 61508.

ISO 26262 in particular is frequently used in the automotive sector. This standard provides guidelines for the introduction of a higher-level safety management system.
The standard provides a safety lifecycle based on the V-model of development and defines required activities within the individual lifecycle phases. The standard applies from the initial planning phase through development, operation, maintenance, decommissioning and dismantling. The aim of the standard is to support the user from the classification of the risks that may arise in connection with his system to the proof of the required safety integrity. For this purpose, the standard provides methods and design specifications to derive the necessary safety requirements and to achieve an acceptable residual risk.

Vehicles that are not intended for public road traffic often fall within the scope of ISO 13849 on functional safety of machinery.

According to the Machinery Directive 2006/42/EC (Article 2, a) a machine is “an assembly, fitted with or intended to be fitted with a drive system other than directly applied human or animal power, consisting of linked parts or components, at least one of which moves and which are assembled for a specific application”.

This standard primarily provides a development guide to meet architectural requirements, component reliability and the application of diagnostic measures to achieve the required safety integrity.

Are there other issues that companies need to address to ensure security and functionality?

An essential aspect for ensuring the overall safety of a technical system is requirements management. As required by ISO 26262, this should provide complete traceability from the safety objectives to the requirements and verification. Complete requirements management is crucial for every technical development.
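The traceability chain described here (safety objectives to safety requirements to verification, and the coverage check mentioned in the earlier answer on safety management) can be modelled and checked automatically. The following is an added illustration, not code from PEM Motion or the interview; the goal, requirement and verification records are constructed, and the gap categories are the ones an assessor would ask about rather than any prescribed by ISO 26262.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SafetyGoal:
    gid: str
    text: str

@dataclass(frozen=True)
class SafetyRequirement:
    rid: str
    text: str
    derived_from: tuple  # ids of the safety goals this requirement refines

@dataclass(frozen=True)
class VerificationResult:
    vid: str
    verifies: tuple  # ids of the requirements this test or review covers
    passed: bool

def check_traceability(goals, reqs, results):
    """Return the traceability gaps between goals, requirements and verification."""
    goal_ids = {g.gid for g in goals}
    req_ids = {r.rid for r in reqs}
    covered_goals = {g for r in reqs for g in r.derived_from}
    verified = {r for v in results for r in v.verifies}
    passed = {r for v in results if v.passed for r in v.verifies}
    return {
        # a goal that no requirement refines: the safety concept is incomplete
        "uncovered_goals": sorted(goal_ids - covered_goals),
        # a requirement that cites an unknown goal: the upstream trace is broken
        "dangling_requirements": sorted(r.rid for r in reqs if not set(r.derived_from) <= goal_ids),
        # a requirement with no verification activity at all
        "unverified_requirements": sorted(req_ids - verified),
        # a requirement whose only evidence is a failed verification
        "failed_requirements": sorted((req_ids & verified) - passed),
    }

# Constructed sample data (hypothetical traction-inverter project, not from the interview)
GOALS = (SafetyGoal("SG-1", "Avoid unintended torque"), SafetyGoal("SG-2", "Avoid loss of HV isolation"))
REQS = (
    SafetyRequirement("FSR-1", "Torque request plausibility check", ("SG-1",)),
    SafetyRequirement("FSR-2", "Redundant phase-current sensing", ("SG-1",)),
    SafetyRequirement("FSR-3", "Open main contactor on fault", ("SG-9",)),  # SG-9 does not exist
)
RESULTS = (
    VerificationResult("VT-1", ("FSR-1",), True),
    VerificationResult("VT-2", ("FSR-3",), False),
)

if __name__ == "__main__":
    for kind, ids in check_traceability(GOALS, REQS, RESULTS).items():
        print(f"{kind}: {', '.join(ids) or 'none'}")
```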

PEM Motion in a workshop: fit 4 electromobility

Individuality – We support our customers individually from the first planning phase to development, operation, maintenance, decommissioning and dismantling. In doing so, we always take into account other applicable guidelines and standards, such as ECE regulations in vehicles. We offer individual support in the implementation of functional safety standards and the integration of functional safety management into the customer’s development processes. Our technical know-how enables us to support our customers in the development of functional safety concepts and the technical implementation of safety requirements. Customers benefit from our experience in the field of disruptive innovation to apply functional safety standards to new, innovative developments.

For us, consulting is not about showing which criteria a potential product does not meet – together with the customer, we focus on ensuring that everything is met, we look at the “HOW” and not at the “why not”.

What is the best way for those interested to get an overview?

There are a number of important standards for functional safety in industry, in particular the higher-level basic safety standard EN/IEC 61508, from which the basic safety standards EN ISO 13849 (machinery industry) and ISO 26262 are derived, as well as a number of standards for functional safety with detailed safety requirements for specific applications (Type C standards). In the end, however, it always depends on the system to be developed.

We are happy to offer interested readers individual workshops to jointly define an orientation and the goals.

For further information please visit our website and contact us directly!