Functional safety has always existed. However, with more human-machine interactions and the implementation of autonomous technology into the machinery on our factory floors and cars, it has morphed into a specialized technical field and engineering discipline. Functional safety is about safe machinery and vehicle performance, without causing any risks to human life. When you examine old cars and factories with large open (and dangerous) lathe machines and compare them to the modern cars equipped with automatic brakes, radars and safety saws that will shut down in nanoseconds (if not picoseconds), it’s clear that we have made tremendous progress. As machinery and cars continue to evolve, so does the complexity level of functional safety. The autonomous robots on the factory floor are expected to operate correctly, even under unintended use. Lack of safeguards can be expensive in terms of damage to machinery and even dangerous for human operators.
The exact definition given in the industrial functional safety standard (IEC 61508) is “… part of the overall safety relating to the EUC and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities …”. Equipment under control, or EUC, refers to the machine or car in question, and E/E/PE refers to electrical, electronic or programmable electronic systems, which is essentially what a modern machine is. Functional safety is part of the overall safety of the system (machine or car) as well as of the individual components used in the system, which are also expected to perform the function they were designed for.
What Systems Does Functional Safety Cover?
The idea of functional safety applies only to active systems. The front door lock on a house provides safety, but it does not actively detect or avoid any failure; it is an example of passive safety. Functional safety covers an active system that has safety mechanisms in place: activities or technical solutions that detect, avoid and control failures of the system, or mitigate their harmful effects. Many of these are achieved by implementing a function, element or other redundant technology, like the built-in sensors in an autonomous robot in a fulfillment center that detect and avoid objects while it moves large items. The safety mechanism either switches or maintains the item in a safe state (like an assembly robot going to standby and, if needed, shutting down when it detects an object blocking its path) or alerts the driver to take control and handle the effect of the failure (like an autonomous car driving on an icy road). If at any time these machines fail to perform the intended function, there could be damage.
Safety Integrity Levels
The safety integrity level (SIL) is defined as a relative level of risk reduction provided by a safety function, or as a target level of risk reduction to be achieved. In simple terms, SIL is a measure of the performance required from a safety instrumented function (SIF).
The systems covered under functional safety are designed to automatically prevent dangerous failures or to control them when they occur. It helps us to design a system that can execute specific functions correctly, even under non-intended use (or sometimes even misuse). Manufacturers are required to identify potential unintended behaviors of the system that could lead to a hazardous event, and perform risk assessments.
The risks associated with the systems are ranked as safety integrity levels (SIL) for industrial applications, or automotive safety integrity levels (ASIL) for automotive applications. These help assess the severity of the risk or hazard associated with the system. Each SIL and ASIL is graded; the higher the level, the lower the residual risk. The table below shows the probability of failure on demand (PFD) and risk reduction factor (RRF) for low-demand operation at different SILs (as covered in IEC 61508) and ASILs (as covered under ISO 26262).
The aim of functional safety is to bring risk down to a tolerable level and to reduce its negative impact.
Something that I hear often is the zero-risk device; however, there is no such thing as zero risk. Risks can be reduced but never completely eliminated. Each system manufacturer communicates a clear, comprehensive and defensible argument (supported by evidence) that the system is acceptably safe to operate in a particular context. This typically includes the safety requirements, an argument describing how those requirements have been interpreted, allocated, decomposed and so on, and the supporting evidence that shows they have been fulfilled.
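As an added worked example (not from the article), here is how PFD, RRF and SIL relate for low-demand operation: the simplified IEC 61508-6 formulas for a single (1oo1) channel and a redundant (1oo2) pair, followed by a lookup of the SIL band the resulting average PFD falls into. The dangerous-undetected failure rate, proof-test interval and common-cause factor are constructed values.

```python
# Added example (not from the article): simplified IEC 61508 low-demand
# PFD_avg formulas for 1oo1 and 1oo2 architectures, plus SIL/RRF lookup.
# Failure rates, proof-test interval and beta below are constructed values.

SIL_BANDS = (  # (SIL, PFD_avg lower bound inclusive, upper bound exclusive)
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)


def pfd_1oo1(lambda_du, proof_test_h):
    """Average PFD of a single channel with dangerous-undetected failure
    rate lambda_du (per hour), proof-tested every proof_test_h hours.
    Simplified IEC 61508-6 formula; repair time is neglected."""
    return lambda_du * proof_test_h / 2


def pfd_1oo2(lambda_du, proof_test_h, beta):
    """Average PFD of a redundant 1oo2 pair. beta is the common-cause
    fraction: that share of failures hits both channels at once and
    behaves like a single 1oo1 channel, which usually dominates."""
    independent = ((1 - beta) * lambda_du * proof_test_h) ** 2 / 3
    common_cause = beta * lambda_du * proof_test_h / 2
    return independent + common_cause


def sil_for_pfd(pfd):
    """SIL achieved for a low-demand PFD_avg, or None if the value lies
    outside the IEC 61508 table (worse than SIL 1 or below the SIL 4 band)."""
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def risk_reduction_factor(pfd):
    """RRF is simply the reciprocal of the average PFD."""
    return 1 / pfd


if __name__ == "__main__":
    lam, t_proof = 1e-6, 8760  # constructed: 1e-6 /h, yearly proof test
    for name, pfd in (("1oo1", pfd_1oo1(lam, t_proof)),
                      ("1oo2, beta=5%", pfd_1oo2(lam, t_proof, 0.05))):
        print(f"{name}: PFD_avg={pfd:.2e} RRF={risk_reduction_factor(pfd):.0f} "
              f"SIL {sil_for_pfd(pfd)}")
```

With these inputs the single channel lands in SIL 2, while the redundant pair reaches SIL 3, and nearly all of the pair's remaining PFD comes from the common-cause term rather than from independent failures.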
IEC 61508 and ISO 26262 Standards
Functional safety standards such as IEC 61508 (industrial functional safety) and ISO 26262 (road vehicles functional safety) provide guidelines for system manufacturers. The original IEC 61508 series is the international standard for safety-related systems. ISO 26262 is an adaptation of this standard for road vehicles or automotive systems. These standards support the assessment of risks to minimize failures in systems irrespective of where and how they are used.
IEC 61508 sets out requirements for ensuring that systems are designed, implemented, operated and maintained to provide the required safety integrity level (SIL). Each of these standards is divided into a number of sections, also known as the parts framework.
IEC 61508 consists of seven parts:
- IEC 61508-1, General requirements
- IEC 61508-2, Requirements for electrical/electronic/programmable electronic safety-related systems
- IEC 61508-3, Software requirements
- IEC 61508-4, Definitions and abbreviations
- IEC 61508-5, Examples of methods for the determination of safety integrity levels
- IEC 61508-6, Guidelines on the application of IEC 61508-2 and IEC 61508-3
- IEC 61508-7, Overview of techniques and measures
These frameworks guide system manufacturers to consider safety from the very beginning, when the system requirements are being defined. The diagram below from Lattice’s Diamond Functional Safety Manual shows how functional safety is applied to an FPGA design during the planning (requirements), design (architecture, modeling and FPGA development), testing, verification and validation stages. It covers the process flow for manufacturers who develop products using FPGAs for safety-critical applications.
Systems Approach to Functional Safety
We talked about the electrical, electronic or programmable electronic (E/E/PE) systems. These include everything – sensors, control logic, communication systems or networks, actuators – including any critical actions of an autonomous system or a human operator. Safety-related systems that would once have used electro-mechanical technology or solid-state electronics now use programmable electronics instead. Devices such as programmable controllers, programmable logic controllers (PLCs) and digital communication systems (e.g. bus systems) are part of this trend. Even ASSPs in this space are being replaced by combinations of FPGAs and processors. FPGAs, specifically, offer the flexibility to manage the implemented system functions – testing, verifying and validating them – and allow designers to update the functions or algorithms implemented in them.
Many of the enabling technologies, such as processors and sensors, are increasingly being integrated into more reliable and secure systems. The lower costs and flexibility of programmable devices are enabling the implementation of intelligence capabilities into systems at the edge in a secure, safe and contained way.
The concept of functional safety applies to everyday life and every industry you can think of. In our cars, functional safety ensures that airbags instantly deploy only during impact and not while driving. Also, the fuel injector system control ensures that the car only accelerates when a command is given. Brake systems activate when required. In a modern vehicle, functional safety ensures the correct operation of all automotive electronics including control software. When you travel by train, functional safety is at work to ensure that the doors close before the train starts moving and that they don’t open while in motion. You may have heard that air travel is the safest mode of transportation – and that is due to the fact that the aviation industry is among the safest in the world. Think of an automated flight control system that controls the pitch, roll and yaw of the aircraft, including heading and altitude. In case of an emergency, the system alerts the pilots, who are trained to take over control.
During the last decade, functional safety has become increasingly important as it has essentially become a requirement for every manufacturer. With even more cohesive integration of software and hardware systems, we are already seeing an increasing dependence on these standards to cover such systems. With all the advancements, I feel that we are still in our infancy when it comes to functional safety; think of the number of safety systems in place in an autonomous car or a companion robot. Functional safety is going to explode just like those science fiction stories we have grown up with.
So, next time when you get in an elevator or drive your car, stop and think how much effort was put into making this product safe for human interaction.
About the Author:
JP Singh is Automotive Marketing Manager at Lattice Semiconductor where he manages global marketing and business development for the automotive segment. Mr. Singh has over 20 years of experience in the semiconductor industry. As an application engineer in his prior role, he brings 15 years of system-level design experience to bear on solving complex problems through the use of Lattice’s award-winning, low power FPGAs. Mr. Singh received his MSEE from the University of Wisconsin-Milwaukee, Marketing Strategy Diploma from Cornell University, and Design Thinking Diploma from MIT.
Published in Telematics Wire