Jaguar Land Rover: Standards in functional safety

Roger Rivett, Functional Safety Technical Specialist at JLR, outlines the critical role of standards in the company's global planning and design functions.

As a globally growing business that trades with the rest of the world, almost everything we do at Jaguar Land Rover is governed by standards. And nothing is more important than functional safety. In the past, working on vehicle safety was firmly grounded in the material world. Our attention was on parts, components, tolerances, failures – components failing and the effect they would have on the vehicle, its inhabitants and pedestrians. Today, we still focus on these things but have other considerations, driven wholly by the rise of software control in mainstream vehicles.

With purely mechanical machines it was all about reliability: engineering materials and systems so they wouldn’t fail. With software controlling a significant and increasing proportion of modern vehicle functions, the complexity and the potential for failure are multiplied. The discipline of functional safety is critical for car manufacturers in understanding these risks, to the user and to the public, as well as in deriving relevant engineering solutions.

The variety and depth of software control used in modern high-end vehicles would probably surprise many outside the automotive industry, to the extent that today a car will not move if the software’s power source or connection is lost. Even in modest cars it’s becoming increasingly significant. It’s often said that the modern motorcar has more software in it than a jet fighter, so it is easy to see why functional safety standards must continually evolve alongside the technology. They have always been a first line of defence for our industry’s material, engineering and mechanical thinking, but they now also encompass critical functional safety requirements for software.

We routinely refer to ISO 26262, which defines safety requirements for automotive equipment throughout the lifecycle of all electronic and electrical safety-related systems. It aims to address potential hazards caused by software malfunction. This functional safety standard spans the entire development process, and provides an important means for determining risk classes and automotive safety integrity levels (ASILs). Each ASIL is established by performing a risk analysis of the potential hazard by looking at the severity, exposure and controllability of the vehicle operating scenario.

Furthermore, the progression of driverless, autonomous vehicle technology is moving steadily forward, and our existing cars are ever more connected with external networks.

This all adds a further layer for international standards organizations and committees to negotiate. For example: how secure does a highly internet-connected vehicle need to be so that it can resist attempted hacking and cyberattacks? This has a bearing not only on the specific software makeup, but on every system it controls. How easily could hackers partially or completely disable user control? In determining related standards, a balance must be struck: if connected cars are to be made impenetrable in this regard, how easily could malfunctioning safety systems be overridden (either by the user or by an external agent) in an emergency?

With all this complexity, and the rapid pace of technological development, it is important that the development of global standards is undertaken in partnership with all major stakeholders in every country, to ensure they are appropriate and neither over- nor under-powered. Globally agreed standards provide a level playing field and a common reference point.

Functional safety standards are a universal language and set of definitions that everybody across the industry, and its related supply chains, can understand. Given the mobile nature of the technology in question, it is imperative that the automotive functional safety standards governing connectivity and software control don’t change when you drive across a border.