The Uncontrolled Rise Of Functional Safety Standards

Over the past 30 years, advances in software and hardware have made it possible to create sophisticated systems controlling crucial aspects of complex equipment, from rolling and pitching in aircrafts, to steering and braking in cars. The processes and methods defined in functional safety standards are crucial to ensure that these systems behave as expected and safely, even when certain parts –– such as a microprocessor or other hardware component ––malfunction. Standards often require strict processes to identify potential hazards on the final product, assess the associated risk, mitigate it with appropriate safety measures and provide evidence that the residual risk is acceptable.

The avionics industry is strictly regulated by a number of certification standards, including DO-178 for software and DO-254 for hardware, published in 2000 and officially adopted in 2005. The publication of IEC 61508 in the late 1990s was a turning point in the history of functional safety standards. This generic standard for electric and electronic systems has been adapted to specific domains, such as railways, medical and industrial. Its youngest offspring is the functional safety standard ISO 26262 whose first edition was published in 2011. The second edition is expected in 2018.

The key goal of functional safety standards is to avoid putting human lives in danger. Although it is understandable that different industries may require different standards, it would be reasonable to expect a common framework, independent from specific development and certification processes.

In reality, of course, the development of safety standards has been affected by historical circumstances, and a variety of corporate interests and institutional bodies. Technical aspects are only one side of the story. Carmakers and suppliers, for example, want a reference state-of-the-art flow to reduce the risk of liability. In the avionics industry, U.S. and Europe have different certification processes and agencies.

Nonetheless, there are and have been efforts to synchronize across industries and nations. In 2010, a multi-domain analysis of functional safety standards was performed in the context of the CG2E (“Club des Grandes Entreprises de l’Embarqué”) initiative. A paper reported on similarities and differences on technical content, interpretation and utilization of various standards. Considerations were:

• Is safety ensured through a separate, specialized system or integrated in the main functional system?
• Does the standard only prescribe objectives or also indicate specific, acceptable methods to achieve them?
• How is the severity of risks categorized?
• What failures are modeled as probabilistic events and what are deterministic?

One interesting finding from the paper states: “The approach to quantification of system failure risks is identical in the aeronautic, automation, automotive, nuclear, railway and space dependability standards. In particular, none of them gives credit to probabilistic assessment of software failure.”

In other words, only hardware malfunctions are quantified with a probabilistic approach.

The avionics industry is looking at ways to harmonize standards and streamline certifications as well. The Federal Aviation Administration (FAA) launched a series of workshops on this topic and Europe created a research project known as RESSAC (Re-Engineering and Streamlining the Standards for Avionics Certification).

A key objective of RESSAC is to define a set of overarching properties that a safety-related system must satisfy, and a set of criteria to ensure that a development process complies with them. If successful, various existing standards could be placed under this more general framework, and new, alternative methods of compliance could be adopted more easily.

In practice, this is almost a generational change as it is hard to get away from established practices, particularly when the level of involvement of authorities ideally would be reduced.