Re-vo-lu-ti-on (revolutión) noun, feminine, [die]. This is what the dictionary says, and adds: "revolutionary, superseding what was previously valid, existing or similar, fundamental innovation, profound change". Admittedly, the changes currently facing the automotive industry are not on the scale of the storming of the Bastille: The last time there was a major step forward in innovation, in the development of new processes and faster development of new technologies, was when Carl Benz was comfortably working on his four-stroke engine.
And with the advent of these same new technologies, such as autonomous driving (preferably at SAE level 5 first thing tomorrow, without the reactive human component), systems that are intelligent, functional and safe are becoming more and more important. Functional safety, often referred to as "FuSi" with a certain affection, is concerned with precisely this area - and consciously distinguishes itself from cyber security. In this article, which we wrote in collaboration with the Functional Safety department and its head Andy Stiehler, you will find out why this was the case, why it is still the case, but why the areas are highly interconnected, and where this revolution, which seems quiet from the outside but is - pun intended - moving within the industry, is heading in several respects. Have fun!
- Functional safety and the farewell to the V-model: It was nice Onboard
- Functional safety and ISO 21448: All that's new and shiny? Is this supposed to shine at all?
- Functional Safety and Cognizant Mobility - It's A Match!
- Communication with the vehicle - and with the team: Hurray hurray, the FuSi is here!
- Functional safety, okay - But what about cyber security?
Functional safety and the farewell to the V-model: It was nice Onboard
Up to now, classical functional safety has been quite happy to follow the V-model of development, which of course is not fundamentally objectionable. Everyone finds their niche this way, and in day-to-day project work at different OEMs it became apparent over the years that niche tasks were usually performed by the various suppliers, depending on which position in the V-model was to be filled.
Previous development in functional safety was not limited to, but focused on, ISO 26262 as one of the most relevant standards, since the entire topic of safety-relevant onboard development and its safety aspects follow this ISO – which in turn relies heavily on the classic V-model. ISO 26262 is a standard that deals with the safety aspects of electrical/electronic systems in vehicles, but only in passing and in a very generalized way.
However, with time comes change, and with it new challenges. The new challenge is: Car2X. Systems communicate with each other in the vehicle, with the environment, and the environment with them. Especially with the topic of automated driving, pure onboard systems are no longer sufficient to be able to cover current considerations – and also needs – in terms of safety.
Functional safety and ISO 21448: All that’s new and shiny? Is this supposed to shine at all?
So how do we meet these new challenges – in relation to the members of the automotive industry cosmos – and where does the boundary between cyber security and functional safety now lie?
Not yet in force or wholly completed, ISO 21448 attempts to close the gap. The keyword is “SOTIF” – Safety of the Intended Functionality. This alone is certainly not enough to achieve “Vision Zero,” i.e., a safety level in automated driving that no longer permits any personal injury or even traffic fatalities. Also, the standard is still more of a “pre-standard” that does not yet have a release.
However, environment recognition in particular plays a major role in ISO 21448, which thus, on the one hand, leaves the realm of pure onboard systems and, on the other hand, crosses into the wide scope of cyber security, albeit with significant differences – so significant that entire master’s theses could be written about them (this is not even meant rhetorically – students of Cognizant Mobility have done just that). By way of explanation and at the same time as a summary, it should be said that cyber security usually assumes an external intent, namely one with the intention of causing damage, an attack even, a manipulation in any case – whereas functional safety takes a more differentiated approach to the matter: an attack from the vehicle environment may remain alleged and have a thoroughly non-criminal cause, which is something that SOTIF in particular actively takes into account.
ISO is therefore also highly concerned with things outside the vehicle, for example servers sending over-the-air updates, and here we are navigating the territories of cyber security; see also UNECE-R156, which we cover in a detailed article of our own. In general, it should be mentioned that SOTIF is mainly about things like environment detection (for example pedestrians, other vehicles, obstacles, traffic jams, etc.), but the connection to ISO 21448 (and ISO 24089) is obvious.
The importance of leaving the ISO 26262 comfort zones and the V-model (even though the onboard aspects will of course continue to exist, albeit with a much broader spectrum) can be seen in the importance of new methods for environment and object detection: after all, pedestrians must already be detected definitively and unambiguously from SAE level 4, and the intended function, such as an emergency brake assistant, must be triggered without any error. To achieve this, not only must the safety of the functionality be ensured beyond doubt, but the enormous volumes of data collected during autonomous driving must also be processed securely and quickly and interpreted correctly, especially during time-critical maneuvers such as braking.
The relevant functional safety departments at Cognizant Mobility are already working on projects and feasibility studies with OEMs in precisely these areas in order to meet the existing challenges, but also and above all the upcoming challenges, the soft revolution mentioned at the beginning, in the area of safety in and around vehicles.
Functional Safety and Cognizant Mobility – It’s A Match!
Of course, a good revolution also needs protagonists, otherwise it would only be a turning point. These may be few and far between, but in the field of technological advancement – there it is again: time. And that is for a changed perspective on modernity, and on the needs of modern automotive companies. In this, it is common practice in the context of functional safety, and beyond it at the general project level, that only pieces of the architecture and automotive chronology are awarded to different partners, as this article has already alluded to. This distribution of individual morsels to a largely specialized supplier industry led to an intra-industry lock-in effect, similar to the unintended phenomenon in cloud IT (which is certainly not unintentional here and there, at least on the part of the providers. Not looking at you, Amazon…) – expertise, quite organically divided and networked across a wide variety of companies in the common product, similar to the departments of an organization in which accounting, human resources and developers work together toward a positive operating result without grasping the tasks of the others in detail. What for?
This is changing rapidly, however – a holistic approach is important, and Cognizant Mobility has always espoused the philosophy of a cross-OEM, cross-company platform for joint development – something that Kearney’s Michael Römer again identified as an important decision in our interview.
Cognizant Mobility therefore places a high value on holistic competencies that build on the entire development level in order to operate with high performance in all essential areas of automotive safety throughout the entire creation and development process. From the early concept phase through to the final release of production, it must be possible to supervise the entire development from the point of view of safety – whereby it is above all the work outside the terrain that is worthwhile and important in order to be able to develop flexibly and holistically.
Because, who would have thought it – no matter how polite the revolution may be and how noble its purposes, you still have to leave the comfortable paths in order to enter new fields of technology.
Communication with the vehicle – and with the team: Hurray hurray, the FuSi is here!
Anyone familiar with the project landscape is also familiar with the various PowerPoint presentations in which companies roll out core competencies, experiences and testimonials in order to impress customers. Interesting to observe: Communication is usually only mentioned when it comes to control units, wireless systems, over-the-air updates – but rarely in relation to the company itself.
Communication is an essential competence here. The exchange with the development departments, with stakeholders, with the team at all levels can hardly be overrated, because without wanting to digress into phrases: System and component development do not take place behind closed office doors, but are a team sport. And yes, there is a league, and yes, there are winners.
Functional Safety 2022 is more than just positioning and operating in the V-model. It consists of functional development in the areas of hardware and software, and it works with system engineers, hand in hand with Functional Safety Management, to perform the process level safely and completely. Systems engineering plays a central role in bridging the gap between management and development – a problem in many companies, because safety management often knows all the standards, but – due to lack of contact, not lack of will – has too little operational development experience for functional safety. Their developers, in turn, are professionals in their field, but often lack competence in functional safety – a problem that can be solved, however. The gap to functional safety development can be closed by training safety engineers, who form the link between the process and operational levels within the framework of systems engineering. In this way, a holistic concept of functional safety can be created and mapped at project level, which not only ensures more comprehensive support and development, but also saves time and thus investments through short communication paths – even if it must be noted that time and money usually play a subordinate role in safety issues, at least nominally. Nevertheless, all stakeholders are pleased when, thanks to competence and well-ordered structures, savings can be booked as a bonus.
Functional safety, okay – But what about cyber security?
As we have already mentioned, the continuation of the UN ECE safety requirements and their transfer to industry in the form of various regulations means that the previously largely separate areas of functional safety and cyber security overlap. Certainly, the underlying assumption of disruption in the field of electrical/electronic systems may still be perceived differently in terms of intent, but as we move out of the purely onboard realm and into the field of environmental, object, and person recognition, the commonalities grow.
ISO 21434, in particular, is merging the areas of responsibility that OEMs and suppliers face differently. Cognizant Mobility not only leads the revolution at number 12 in the top 25 most influential IT service providers in the automotive sector but is also aware of the existential importance of holistic expertise, generated in-house, and is therefore not only strengthening its staff with professionals such as Martin Böhner, but is also opening an entire location in Nuremberg in order to give the topic the appropriate importance – and to shape further development for both functional safety and cyber security in a truly, well, safe and secure way.
Because a revolution like this is simply more fun when it goes off safely.
If you have any further questions, we recommend that you get in touch with us in a straightforward manner, or directly with our functional safety department head, Andy Stiehler, who also helped us write this article. Alternatively, you can use our contact form or visit us on LinkedIn.