The Importance of Functional Safety
Posted 02/06/2018 by Jatinder (JP) Singh
Over the holidays, I was updating the firmware on my car, when my 12-year-old walked in and asked me why I was updating the software on our car. I told him that the software was an older version, and the updated software improves some of the safety features of our car. Having recently received ISO 26262 road vehicles functional safety certification for our Lattice Diamond software, I think I must have thrown in the term “Functional Safety” while talking to him. As an engineer, I can’t help but marvel at how far along we have come in terms of Functional Safety.
Functional safety has always existed. However, with more human-machine interaction and the integration of autonomous technology into machinery on our factory floors and in our cars, it has become a specialized technical field and engineering discipline. Functional safety is about machinery and vehicles performing safely, without putting human life at risk. Explaining functional safety to a younger mind helped me appreciate the importance of the overall safety system.
When you examine old cars and factories with large open (and dangerous) lathe machines and compare them to the modern cars equipped with automatic brakes, radars and safety saws that will shut down in nanoseconds (if not picoseconds), it’s clear that we have made tremendous progress. As machinery and cars continue to evolve, so does the complexity level of functional safety. The autonomous robots on the factory floor are expected to operate correctly, even under unintended use. Lack of safeguards can be expensive in terms of damage to machinery and even dangerous for human operators.
What is Functional Safety?
The exact definition in the industrial functional safety standard IEC 61508 is "... part of the overall safety relating to the EUC and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities ...". Equipment under control, or EUC, refers to the machine or car in question, and E/E/PE refers to electrical, electronic or programmable electronic systems, which is essentially what a modern machine is. Functional safety is part of the overall safety of the system (machine or car) as well as of the individual components used in the system, which are also expected to perform the function they were designed for.
What Systems Does Functional Safety Cover?
The idea of functional safety applies only to active systems. The front door lock on a house provides safety, but it is not actively avoiding any failures; a door is an example of passive safety. Functional safety covers an active system that has safety mechanisms in place. These mechanisms are activities or technical solutions that detect, avoid and control failures or mitigate their harmful effects. Many of them are achieved by implementing a function, an element or other redundant technologies, like the built-in sensors in an autonomous robot in a fulfillment center that detect and avoid objects while it moves large items. The safety mechanism is either able to switch or maintain the item in a safe state (like an assembly robot going on standby and, if needed, shutting down when it detects an object blocking its path) or able to alert a human to take control and deal with the effect of the failure (like an autonomous car alerting the driver on an icy road). If at any time these machines fail to perform the intended function, there could be damage.
Failure Mechanisms
Think of hardware and software failures. These can be random failures, due to errors that occur unpredictably during the lifetime of a system, or systematic failures, where an element or item fails in a deterministic way because of something introduced during development, manufacturing, or maintenance. There are a number of factors that can cause these, such as:
- Random or systematic failures of hardware or software
- Human error
- Environmental circumstances such as temperature, weather, electro-magnetic interference or mechanical
- Loss of power supply
Modern machines are a confluence of software and hardware; the software controls various aspects of the hardware and its operation. This means that the software operating systems have also started to fall under the functional safety requirements.
Safety Integrity Levels
The safety integrity level (SIL) is defined as a relative level of risk reduction provided by a safety function, or as a target level of risk reduction to be achieved. In simple terms, SIL is a measure of the performance required of a safety instrumented function (SIF).
The systems covered under functional safety are designed to automatically prevent dangerous failures or to control them when they occur. It helps us to design a system that can execute specific functions correctly, even under non-intended use (or sometimes even misuse). Manufacturers are required to identify potential unintended behaviors of the system that could lead to a hazardous event, and perform risk assessments.
The risk levels associated with the systems are referred to as safety integrity levels (SIL) for industrial applications, or automotive safety integrity levels (ASIL) for automotive applications. These help assess the severity of the risk or hazard associated with the system. Each SIL and ASIL has a level; the higher the level, the lower the risk.
The table below shows the probability of failure on demand (PFD) and the risk reduction factor (RRF) in low-demand operation for the different SILs (as covered in IEC 61508) and ASILs (as covered under ISO 26262).
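To make the PFD/RRF relationship concrete, here is a small worked example added to this post (it is not Lattice code). It encodes the IEC 61508 low-demand SIL bands, computes RRF = 1/PFD, and estimates PFDavg for a single-channel (1oo1) function with the simplified IEC 61508-6 formula PFDavg ≈ λDU · TI / 2, which assumes λDU · TI is much smaller than 1; the failure rate and proof-test intervals fed into it are constructed values.

```python
"""Added worked example: IEC 61508 low-demand SIL bands, RRF, and a 1oo1 PFDavg estimate."""

# Low-demand mode bands from IEC 61508-1 (average probability of a dangerous
# failure on demand). Each entry: (SIL, lower bound inclusive, upper bound exclusive).
SIL_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1 / PFD: a PFD of 1e-3 means one dangerous failure per 1000 demands."""
    if not 0.0 < pfd < 1.0:
        raise ValueError("PFD must lie strictly between 0 and 1")
    return 1.0 / pfd


def sil_for_pfd(pfd: float):
    """Return the SIL band a PFDavg falls into, or None when it lies outside SIL 1..4
    (either too weak to count as a safety function, or beyond what a single
    E/E/PE system may claim under IEC 61508)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Simplified IEC 61508-6 estimate for a single-channel (1oo1) low-demand function:
    PFDavg ~= lambda_DU * TI / 2, with lambda_DU the dangerous undetected failure
    rate and TI the proof-test interval. Assumes lambda_DU * TI << 1."""
    if lambda_du_per_hour < 0 or proof_test_interval_hours <= 0:
        raise ValueError("failure rate must be non-negative and interval positive")
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def classify_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float):
    """Estimate (PFDavg, RRF, SIL) for a 1oo1 function; shows how the proof-test
    interval alone can move a function between SIL bands."""
    pfd = pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours)
    return pfd, risk_reduction_factor(pfd), sil_for_pfd(pfd)


if __name__ == "__main__":
    # Constructed input: a shutdown valve with lambda_DU = 1e-6 per hour.
    for interval_h in (8760, 730):  # proof test yearly vs monthly
        pfd, rrf, sil = classify_1oo1(1e-6, interval_h)
        print(f"TI={interval_h}h PFDavg={pfd:.2e} RRF={rrf:.0f} SIL={sil}")
```

The yearly proof test lands the constructed valve in SIL 2; testing it monthly moves the same hardware into SIL 3, which is why proof-test intervals are part of the safety argument, not just the hardware.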
The aim of functional safety is to bring risk down to a tolerable level and to reduce its negative impact.
Something that I hear often is the zero risk device; however, there is no such thing as zero risk. Risks can be reduced, but can never be completely eliminated. Each system manufacturer communicates a clear, comprehensive and defensible argument (supported by evidence) that the system is acceptably safe to operate in a particular context. This may include references to safety requirements and supporting evidence for an argument that describes how the safety requirements have been interpreted, allocated, decomposed, etc., and fulfilled as shown by the supporting evidence.
IEC 61508 and ISO 26262 Standards
Functional safety standards such as IEC 61508 (industrial functional safety) and ISO 26262 (road vehicles functional safety) provide guidelines for system manufacturers. The original IEC 61508 series is the international standard for safety-related systems. ISO 26262 is an adaptation of this standard for road vehicles or automotive systems. These standards support the assessment of risks to minimize failures in systems irrespective of where and how they are used.
IEC 61508 sets out requirements for ensuring that systems are designed, implemented, operated and maintained to provide the required safety integrity level (SIL). Each of these standards is divided into a number of sections, also known as parts.
IEC 61508, for example, consists of seven parts:
- IEC 61508-1, General requirements
- IEC 61508-2, Requirements for electrical/electronic/programmable electronic safety-related systems
- IEC 61508-3, Software requirements
- IEC 61508-4, Definitions and abbreviations
- IEC 61508-5, Examples of methods for the determination of safety integrity levels
- IEC 61508-6, Guidelines on the application of IEC 61508-2 and IEC 61508-3
- IEC 61508-7, Overview of techniques and measures
These frameworks provide guidance for system manufacturers to consider safety from the very beginning when the system requirements are being considered. The diagram below from Lattice’s Diamond Functional Safety Manual shows how functional safety is adapted for an FPGA design during planning (requirements), designing (architecture, modelling, and FPGA development), testing, verification and validating stages. It covers the process flow for manufacturers who develop products using FPGAs for safety critical applications.
Systems Approach to Functional Safety
We talked about the electrical, electronic or programmable electronic (E/E/PE) systems. These include everything – sensors, control logic, communication systems or networks, actuators, including any critical actions of an autonomous system or a human operator. Safety-related systems that would once have used electro-mechanical technology or solid-state electronics now use programmable electronics instead. Devices such as programmable controllers, programmable logic controllers (PLCs) and digital communication systems (e.g. bus systems) are part of this trend. Even ASSPs in this space are being replaced by combinations of FPGAs and processors. FPGAs in particular offer flexibility in how implemented system functions are managed: the functions can be tested, verified and validated, and designers can update the functions or algorithms implemented in them.
Many of the enabling technologies, such as processors and sensors, are increasingly being integrated into more reliable and secure systems. The lower costs and flexibility of programmable devices are enabling the implementation of intelligence capabilities into systems at the edge in a secure, safe and contained way.
Safety-Related Systems
The concept of functional safety applies to everyday life and every industry you can think of. Below are many examples of functional safety in various industries.
Automotive
In our cars, functional safety ensures that airbags instantly deploy only during impact and not while driving. Also, the fuel injector system control ensures that the car only accelerates when a command is given. Brake systems activate when required. In a modern vehicle, functional safety ensures the correct operation of all automotive electronics including control software.
Manufacturing
Functional safety is what reduces the inherent risks in hazardous industrial environments like factory floors, chemical plants and warehouses. In my past life I worked on the control systems for a power plant. An automatic valve mechanism would ensure that dangerous chemicals or high-pressure steam systems are isolated. In warehouses across the world, a crane’s safe load indicator helps avoid overloading, which can cause a collapse and potentially hurt workers or innocent bystanders. Laser barriers will automatically shut down an autonomous robot in a car manufacturing facility when a human or object enters its activity range. All of these systems help prevent injuries, as well as costly damage to machinery.
Transportation
When you travel by train, functional safety is at work to ensure that the doors close before the train starts moving and that they don’t open while in motion. You may have heard that air travel is the safest mode of transportation – and that is due to the fact that the aviation industry is among the safest in the world. Think of an automated flight control system that controls the pitch, roll and yaw of the aircraft, including heading and altitude. In case of an emergency, the system alerts the pilots, who are trained to take over control.
Medical
The medical industry has some of the strictest safety requirements – they pretty much define the difference between life and death for a patient. Functional safety in X-ray and Magnetic Resonance Imaging (MRI) machines ensures that the apparatus functions correctly both electrically and mechanically, and generates rays within acceptable limits for humans. When an infusion pump malfunctions, functional safety protocols will ensure that alarms are activated to signal the malfunction and that the pump is deactivated to protect the patient.
Conclusion
During the last decade, functional safety has become increasingly important, as it has essentially become a requirement for every manufacturer. With even tighter integration of software and hardware systems, we are already seeing an increasing dependence on these standards to cover such systems. With all the advancements, I feel that we are still in our infancy when it comes to functional safety; think of the number of safety systems in place in an autonomous car or a companion robot. Functional safety is going to explode just like those science fiction stories we have grown up with.
So, next time when you get in an elevator or drive your car, stop and think how much effort was put into making this product safe for human interaction.