Functional safety is very important when developing any kind of software for a system in which a malfunction or anomaly might lead to personal injury or damage to the immediate environment. Functional safety means a built-in feature that eliminates or reduces the risks of this happening.

Functional safety needs to be traceable and documented. Certain standards might also be related to it, and these need to be met. Model-based design fulfils these requirements in particular and the needs of functional safety in general.

When we talk about demanding software development at Devecto, we usually mean software or systems that are developed for safety-critical uses such as these. Whether it’s a factory production line or forest harvesters weighing 20-30 tons – we can all imagine what damage such a machine could cause if something went wrong.

Ensuring safety

The procedure for ensuring safety in this kind of machine during product development is to:

  1. Survey the risks and dangers
  2. Specify the requirements for safety system functions
  3. Design and validate the safety system

Surveying the risks and dangers means first recognising, then precisely mapping the potentially dangerous situations beforehand, and then defining the related risks in terms of their likelihood and their consequences. These are then listed, and we find the most natural way of preventing the dangerous situation from arising. This can mean eliminating the danger entirely by designing a function differently – for example, by replacing a high-voltage electrical function with a lower, safer voltage. If this is not possible, the aim is to reduce the risk with passive methods, such as limiting access to the potentially dangerous parts of the system – for instance on a factory production line.

Beyond the natural or passive risks that can be reduced, we must specify what other risks the safety system needs to eliminate or reduce and how it’s going to do that. For example, the safety area around a machine can be ensured “actively” by using sensors or other technologies.

If none of the above can be used, what is left are organisational or personal measures. Organisational measures would include safety instructions for using a machine – for example, ensuring a safety area around a forest machine when it is in use; while personal measures would be, for instance, using earmuffs when working next to a loud machine.

Designing and validating the safety system is the core of functional safety. It means reliable features in the device and related software that are verifiable, traceable, and documented. These ensure operational safety at all times, so that dangerous situations do not arise in normal operation, and so that, if something does malfunction, there are the means to detect it and minimise any damage it might cause – e.g., a smoke alarm or an emergency stop mechanism. In model-based design some of the validation can be done at the same time as the design, because the same tools are used for both.

There are other requirements included in the definition of functional safety, but these are the ones that apply to design.

Model-based design helps meet the requirements of functional safety

Traceability and documentation come up time and again in the requirements for functional safety. Model-based design supports these requirements exceptionally well, because some of the documentation is created automatically during software development.

Earlier in our blog articles we have talked in more detail about how model-based design works, so I won’t go into that here in any detail, except to mention that:

  • In model-based design the developer models the functionalities as entities instead of writing code.
  • Model-based design usually generates the code automatically, and bases it on the visual model.

In this context, it means that the visual model provides not only the documentation you need but also the code, and the traceability of functional safety is also better linked to that documentation. What’s more, the visual model makes it much easier to explain the functions to those people in the project who might not understand the code so well. This means end users can be involved in evaluating safety features, which definitely improves the overall quality and safety of the product.

To sum up, the traceability requirements of functional safety are much easier to meet when the software development is done using model-based design.

Take an emergency stop mechanism, for instance. The emergency stop needs to override all the other functions of the product. In practice, the most sensible way to build it is so that the emergency stop is independent of all other functions, and as such, the documentation for it will be fairly simple – especially if it’s done with model-based design. In fact, model-based design will ensure that the documentation already exists to show that the emergency stop function is independent of all others.
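To make the two properties above concrete – that the emergency stop is independent of every other function, and that this independence is verifiable – here is an added example (not Devecto’s code, and not generated from any model) of a minimal safety-controller in Python. The input names (`estop_pressed`, `area_clear`, `run_requested`, `fault`) and the controller functions are constructed for the illustration. The e-stop lives in its own function that depends on nothing but the button; the final motion enable is the AND of that path and the normal control path, so neither can force motion on. An exhaustive check over all input combinations then validates the requirement, and a second, deliberately entangled controller shows how the same check catches a plausible-looking change that couples the e-stop to the area sensor, the kind of knock-on effect a model change can introduce.

```python
"""Added example: a minimal safety-controller model with an independent
emergency stop, plus an exhaustive check of the override requirement.
All names and the input set are constructed for this illustration."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Iterator


@dataclass(frozen=True)
class Inputs:
    estop_pressed: bool   # hard-wired emergency stop button
    area_clear: bool      # safety-area sensor (e.g. light curtain) sees no intrusion
    run_requested: bool   # operator / process controller wants the machine to run
    fault: bool           # self-diagnosis detected an internal fault


@dataclass(frozen=True)
class Outputs:
    motion_enabled: bool
    alarm: bool


def emergency_stop_path(estop_pressed: bool) -> bool:
    """The e-stop path depends on nothing but the button state.
    Keeping it a separate function makes the independence visible and testable."""
    return not estop_pressed


def normal_control_path(inputs: Inputs) -> bool:
    """Everything that is allowed to be clever lives here; it can only ever
    *request* motion, never grant it on its own."""
    return inputs.run_requested and inputs.area_clear and not inputs.fault


def safety_controller(inputs: Inputs) -> Outputs:
    """Motion is the AND of the independent e-stop path and the normal path:
    either path can block motion, neither can force it."""
    enable = emergency_stop_path(inputs.estop_pressed) and normal_control_path(inputs)
    alarm = inputs.estop_pressed or inputs.fault or (inputs.run_requested and not inputs.area_clear)
    return Outputs(motion_enabled=enable, alarm=alarm)


def entangled_controller(inputs: Inputs) -> Outputs:
    """Constructed BAD design: a later change reasons 'if the area is clear it is
    safe to keep running', which quietly lets the area sensor mask the e-stop."""
    enable = (inputs.run_requested and not inputs.fault
              and (inputs.area_clear or not inputs.estop_pressed))
    alarm = inputs.estop_pressed or inputs.fault
    return Outputs(motion_enabled=enable, alarm=alarm)


def all_input_states() -> Iterator[Inputs]:
    """Enumerate every combination of the four Boolean inputs (2**4 = 16 states)."""
    for bits in product([False, True], repeat=4):
        yield Inputs(*bits)


def verify_estop_overrides_everything(controller: Callable[[Inputs], Outputs]) -> bool:
    """Validation of the requirement 'the e-stop overrides all other functions':
    for every combination of the other inputs, a pressed e-stop disables motion."""
    return all(not controller(s).motion_enabled
               for s in all_input_states() if s.estop_pressed)


def verify_machine_can_run(controller: Callable[[Inputs], Outputs]) -> bool:
    """Guard against a vacuous design that never enables motion at all."""
    return controller(Inputs(False, True, True, False)).motion_enabled


def verification_report() -> dict:
    """Run both checks against both designs; this is the kind of evidence the
    traceability documentation for the e-stop requirement would carry."""
    return {
        "states_checked": sum(1 for _ in all_input_states()),
        "independent_design_estop_overrides_all": verify_estop_overrides_everything(safety_controller),
        "independent_design_can_run": verify_machine_can_run(safety_controller),
        "entangled_design_estop_overrides_all": verify_estop_overrides_everything(entangled_controller),
    }


if __name__ == "__main__":
    for requirement, result in verification_report().items():
        print(f"{requirement}: {result}")
```

The exhaustive enumeration is only practical because the input space is tiny; for a real controller the same property would be checked with the model tools’ test or formal-verification features, but the shape of the evidence is the same: one named requirement, one check, one result that can be traced back to the model element that implements it.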

If the model is changed at some point, the functional safety documentation will automatically be updated at the same time, though possible knock-on effects for other functions should be taken into account carefully.

Meeting standards is important

Devices, machines, and systems can have a wide range of safety standards that manufacturers are required to meet. If these standards are at different levels, this will mean different safety requirements – all of which need to be verifiable.

The tools of model-based design are perfectly suited for meeting these standards, especially as it’s often the case that a standard requires model-based design to meet a certain validation error.

The benefits of model-based design

Products that require functional safety are often ones that have a long lifecycle and a high price. In this case it’s fair to say that the only feasible option for the manufacturer is to develop and design the product using model-based design.

Model-based design means:

  • The amount of work needed to ensure traceability and proper documentation is reduced as it can be integrated into the design.
  • It’s possible to reach a higher validation error.
  • Testing can start earlier and be more comprehensive, thereby improving the quality and safety of the product.

Model-based design is often criticised for the high price of the tools used, but for this type of work they more than cover their cost: the product development process becomes more effective, and the product itself is of a far higher quality.

If products have not been developed using model-based design before, it is understandable that there will be questions. So if you are interested yet still a bit wary about it, just get in touch with us and we’ll be happy to discuss the possibilities of model-based design with you.

About the writer

Jari Rauhamäki is a software architect with a PhD in Engineering from Tampere University. Jari’s special interests are safety-critical systems, machine safety and model-based design.
