What is sufficiently safe?
A supplier's view
2026-01-06 3 min Season 1 Episode 13
Description & Show Notes
Hello and welcome to a new episode of “Applied FuSa,” a podcast for FuSa pragmatists.
In this episode, we will answer one of the most crucial questions in any safety-related project: How do I know that my product is sufficiently safe? And what exactly is the difference between compliance and achievement of functional safety?
Note: The scope of this episode is limited to the safety of a supplier's design. In addition, non-technical requirements like compliance with standards still apply, of course.
Transcript
Hello and welcome to a new episode of “Applied FuSa,” a podcast for FuSa pragmatists. In this episode, we will answer one of the most crucial questions in any safety-related project: How do I know that my product is sufficiently safe? And what exactly is the difference between compliance and achievement of functional safety?
A frequently unresolved question at the end of a project is whether the product can be considered sufficiently safe. One reason for this uncertainty is that customers typically do not define clear acceptance criteria. What is often overlooked in this context is the fact that the functional safety concept already provides precisely such a criterion. However, this presupposes that the functional safety concept has been fully defined — which, unfortunately, is not always the case. Reference is made here to the episode “FSC versus TSC.”

The following case study is intended to illustrate why an FSC is fully sufficient to demonstrate the complete achievement of functional safety. If a supplier develops a sensor system that is, for example, involved in the implementation of ADAS functions such as AEB or ACC, then some of the potential malfunctions are usually safety-relevant. For each of these malfunctions, the customer must develop a complete functional safety concept and provide it to the supplier as a requirements document. It is assumed that the customer ensures that the risk of violating safety goals at the vehicle level by a safety-relevant malfunction is sufficiently minimized through the functional safety concept associated with that particular malfunction.

In other words: the sensor can be considered sufficiently safe once it has been demonstrated that all applicable functional safety concepts have been fully and correctly implemented. This is achieved, among other things, through a final and sufficiently independent FS assessment and the subsequent closing of the safety case. The assessment report confirms that all FS work products have been correctly created, and the safety case ultimately demonstrates that the development of these FS work products has implemented the functional safety concepts. This approach is generally applicable.
Any system involved in the implementation of a safety-relevant vehicle function will have safety-relevant malfunctions for which there must accordingly be a functional safety concept. These concepts must be defined by the customer commissioning the system in such a way that the residual risk of violations of safety goals can be considered sufficiently reduced. Evidence for this must also be provided. The responsibility lies with the customer, who commissions the system including the implemented safety concepts from the supplier. The supplier, in turn, must demonstrate that the required safety concepts have been fully implemented. As a result of this combination, it follows automatically that the system can be considered sufficiently safe, and no further acceptance criteria of any kind are necessary.
Applied FuSa – a podcast for Functional Safety pragmatists. Get your new piece of FuSa every other week.
Expert
00:00:22
Moderator
00:03:10