In order to achieve functional safety for an item, it is important to apply relevant risk reduction measures to those hazardous events that have an unacceptable level of risk (as defined through the risk assessment). In this post we will discuss what types of measures, called “safety measures”, are usually applied to achieve functional safety for various risk levels, and what classes of safety measures exist.
Let’s think about what makes up a hazardous event. As discussed previously, a hazardous event consists of a context (environmental or operational), a subject (a person, in our case), the hazard itself and a description of the harm. Obviously, in order to reduce the level of risk of the hazardous event and make it acceptable, we need to apply measures that either prevent or mitigate it. Functional safety is focused on hazardous event prevention only, but we will take a look at the mitigation techniques too, to get the full picture.
Hazardous Event Prevention
Generally, there are five types of hazardous event prevention technique, listed below, where the first is considered the most effective and the last the least effective.
- Hazard elimination
- Hazard replacement
- Technical measures
- Informative measures & human actions
- Personal protective equipment
The first thing we can do to prevent a hazardous event is hazard elimination. Imagine there is the hazard “unintentional vehicle acceleration of 4 m/s² or higher”. We know it may generate several hazardous events, so let’s take as an example the one where the vehicle collides with a pedestrian in a parking area. It makes total sense that avoiding unintentional acceleration is the key to preventing the hazardous event, because if there is no acceleration, there is no collision. One should keep in mind that hazard elimination is tightly intertwined with process/design updates. In our example, to eliminate potential unintentional acceleration as a hazard, we will have to conduct an extensive safety analysis of the item and other vehicle systems to find out which faults and failures trigger the hazard, and fix them. That fix is the design change.
The second option is to replace the hazard with another one that has lower severity and, as a result, a lower risk level. An example here would be if we still had unintentional acceleration but with a lower magnitude, e.g. 2 m/s², which has considerably lower severity than an acceleration of 4 m/s². As in the case of hazard elimination, here we will have to apply process/design updates. Specifically, in our example we will have to engineer the vehicle in such a way that it cannot accelerate faster than 2 m/s². This type of measure is quite often used for golf carts and other low-speed vehicles that may drive in pedestrian areas. Their speed and acceleration are limited by design, so that even in case of a collision the severity of the hazardous event will be low, and so will the risk level.
Technical measures are often used if there is no possibility of applying design changes and updates to your item (for example, if there is no way to change the drivetrain of a vehicle). In this case we install additional equipment that monitors the hazard and tries to prevent it from propagating into a hazardous event. In our case the technical measure may be a LiDAR that detects whether there is a pedestrian in front of the vehicle, together with an independent safety braking controller that stops the vehicle if it tries to accelerate unintentionally in this situation. An airbag is another example of a technical measure intended to prevent the hazardous event associated with a vehicle crash.
Informative measures warn people about a hazard in their vicinity. These measures ask a person to act in response to the warning in order to avoid the hazardous event, and therefore rely heavily on human behaviour. Road signs, HMI notifications, infrastructure warnings, user manuals etc. are all informative measures. For the case of unintentional acceleration, we may have a clause in the vehicle user manual that prescribes keeping the brake pedal depressed while the vehicle is in the “Drive” gear/mode. That helps avoid the hazardous event by suppressing the unintentional acceleration.
Personal protective equipment is the least effective of these measures, as it relies on the subject actually using it. If we speak about pedestrians as the subject, they could wear special protective equipment every time they walk through a parking lot, but we all understand that achieving that is quite unlikely.
An important thing here is that technical measures, informative measures and personal protective equipment do not prevent a hazard but prevent a hazardous event (at least they are intended to prevent it).
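As an added illustration of the hazard replacement and technical measure layers described above (not code from the original post), the following constructed Python model clamps the drivetrain request to the 2 m/s² design limit and implements an independent monitor that compares commanded and measured acceleration, checks the LiDAR pedestrian signal, and commands the safety brake. The tolerance, the sensor-age limit and the signal names are assumptions; the 4 m/s² and 2 m/s² values come from the post.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example: an independent safety monitor for the "unintentional
# acceleration" hazard. Thresholds other than HAZARD_ACCEL/DESIGN_LIMIT are assumed.
HAZARD_ACCEL = 4.0        # m/s^2: hazard threshold from the post
DESIGN_LIMIT = 2.0        # m/s^2: hazard replacement, enforced by design
TOLERANCE = 0.5           # m/s^2: allowed gap between commanded and measured (assumed)
MAX_SENSOR_AGE_MS = 200   # LiDAR frame older than this is treated as lost (assumed)


@dataclass
class Snapshot:
    commanded_accel: float            # what the vehicle controller requested
    measured_accel: float             # from an IMU independent of the drivetrain
    pedestrian_ahead: Optional[bool]  # None when no LiDAR classification is available
    lidar_age_ms: int                 # age of the last LiDAR frame


def clamp_request(requested: float) -> float:
    """Hazard replacement: the drivetrain can never be asked for more than DESIGN_LIMIT."""
    return max(-DESIGN_LIMIT, min(DESIGN_LIMIT, requested))


def unintended_acceleration(s: Snapshot) -> bool:
    """Acceleration nobody commanded (beyond tolerance) or at/above the hazard threshold."""
    return (s.measured_accel - s.commanded_accel > TOLERANCE) or s.measured_accel >= HAZARD_ACCEL


def safety_brake_decision(s: Snapshot) -> str:
    """Technical measure: the independent braking controller's verdict.

    Returns "BRAKE" (stop the vehicle), "WARN" (HMI warning, an informative
    measure) or "NONE". A lost or stale LiDAR frame is treated as "pedestrian
    possible", so the monitor fails to the safe side rather than staying silent.
    """
    if not unintended_acceleration(s):
        return "NONE"
    sensor_valid = s.pedestrian_ahead is not None and s.lidar_age_ms <= MAX_SENSOR_AGE_MS
    if not sensor_valid or s.pedestrian_ahead:
        return "BRAKE"
    return "WARN"
```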
Hazardous Event Mitigation
Hazardous event prevention strategy (which is 5-layered) seems to be very efficient, but we all remember the idea of Swiss Cheese which says that the hazardous event may happen if several measures fail to protect the subject from a hazardous event. And unfortunately that happens sometimes, especially if we do not prevent a hazard, but try to mitigate it.
In our case if the pedestrian gets injuries after the collision has happened, only active emergency actions may help to save his life. We may talk about first responders actions here. If there is a situation with the vehicle crash, we may speak of E-call as a measure to mitigate hazardous event.
In the upcoming posts we will discuss functional safety standards and how they help to structure hazardous events prevention strategy.