Achieve Compliance with ISO 26262 Functional Safety Standards
Key takeaways:
- ISO 26262 is an international standard that ensures functional safety throughout the life cycle of every vehicle’s electrical and electronic systems.
- ISO 26262 is mostly a goal-based standard. It establishes safety goals through hazard analysis and risk assessment and systematically refines safety requirements to the specific component level.
- ISO 26262 defines four Automotive Safety Integrity Levels (ASILs), from A to D, which specify the safety requirements based on the probability and impact of harm.
Modern vehicles integrate between 1,500 and 3,000 integrated circuits (ICs).
These ICs control everything from safety-critical systems like brakes and power steering to sophisticated advanced driver assistance systems (ADAS) and infotainment systems.
To keep safety firmly in view for automotive manufacturers, the International Organization for Standardization (ISO) published the ISO 26262 functional safety standard in 2011. ISO 26262 aims to mitigate the risks of systematic and random hardware failures by tailoring the IEC 61508 standard to the unique demands of the automotive sector, covering power supplies, sensors, actuators, and other critical electrical and/or electronic elements.
This article provides a comprehensive overview of the ISO 26262 standard and its significant worldwide impact on automotive IC development. It also delves into how Keysight's ISO 26262-certified design data and intellectual property (IP) management solutions enable automotive design engineers to adhere to these crucial safety standards effectively and efficiently.
Basics of ISO 26262
ISO 26262 is a vital safety standard within the automotive industry. It focuses on the functional safety of road vehicles’ electrical and electronic (E/E) and software-controlled features throughout their life cycles. The standard is instrumental in guiding the design, testing, validation, and manufacturing of critical safety systems, such as steering or anti-lock braking systems (ABS). Moreover, it introduces a tailored methodology for assessing Automotive Safety Integrity Levels (ASIL), enhancing the safety and reliability of automotive components.
Originating from the IEC 61508 standard, which mandates that E/E system designers account for environmental factors (such as shock, vibration, temperature, and electromagnetic interference) that could jeopardize product safety, ISO 26262 specifies these requirements for the automotive domain.
The 2018 update to ISO 26262 introduced significant enhancements, including new guidance for semiconductors and extended coverage to motorcycles, trucks, and buses. This revision also expanded the scope to encompass guidance on model-based development, software safety analysis, dependent failure analysis, fault tolerance, and additional critical safety considerations.
Overview of ISO 26262's scopes
ISO 26262 is a comprehensive standard encompassing the full automotive safety lifecycle, including management, development, production, operation, service, and decommissioning.
What ISO 26262 covers
ISO 26262's scope is specific. It applies to safety-related systems that include one or more E/E systems installed in vehicles, and to hazards caused by malfunctioning behavior of E/E safety-related systems, including hazards that arise from interactions between systems.
What ISO 26262 does not cover
ISO 26262 does not apply to:
- Hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, or energy release unless malfunctions in safety-related E/E systems directly cause those.
- E/E systems for special-purpose vehicles designed for drivers with disabilities.
- Systems and components in production or already under development before the publication date of ISO 26262.
- Fully autonomous vehicles, as ISO 26262 assumes someone is driving the car. (ISO PAS 21448 (SOTIF) complements this gap.)
ISO 26262 Is Not Mandatory
ISO 26262 is not a mandatory standard. However, its comprehensive guidelines for managing the functional safety of electrical and electronic (E/E) systems in vehicles are recognized as best practices, facilitating more structured and effective development and production processes.
Original Equipment Manufacturers (OEMs) often require suppliers to implement ISO 26262. This expectation extends across the supply chain, emphasizing the standard's critical role in the automotive sector.
How does ISO 26262 work?
Central to ISO 26262 is the concept of a safety lifecycle, providing a framework for managing and minimizing risks associated with E/E systems.
Figure 1. ISO 26262 concepts and steps
Here's an overview of the process:
Identify items
In the context of ISO 26262, an “item” is a specific automotive system or subsystem that implements a particular vehicle function and to which the safety life cycle is applied. This step outlines a preliminary architecture for each electrical and electronic (E/E) unit or component within the car. For example, the anti-lock braking system (ABS) is an item.
Define top-level functional requirements
Defining the top-level functional requirements is essential for every identified item. This step categorizes each subsystem's architecture and function, setting the initial groundwork for detailed safety analysis.
Identify hazards
Hazard Analysis and Risk Assessment (HARA) identifies the potential hazards associated with each item and documents them as a comprehensive set of hazardous events. For example, vehicle skidding caused by ABS failure is one possible hazard for the ABS item. This step is crucial for understanding the risks and planning their mitigation.
Assign automotive safety integrity levels (ASILs)
Assigning Automotive Safety Integrity Levels (ASILs) is crucial in ISO 26262 for categorizing risks in automotive systems.
ASIL ratings, from A (least severe) to D (most severe, life-threatening), depend on three factors:
- Probability (exposure): Estimates the likelihood that the vehicle is in a situation where a system failure could cause harm.
- Controllability: Measures the driver's ability to control the situation if the system fails.
- Severity: Evaluates the potential level of harm to the driver or others if the failure is not controlled.
ASIL ratings help prioritize safety measures. Events that are not safety-critical receive a quality management (QM) level instead of an ASIL. The standard breaks Exposure down into five classes, while Severity and Controllability have four each.
Figure 2. Examples of Automotive Safety Integrity Level (ASIL) ratings
ISO 26262 also guides combining the variables to determine the ASIL rating for an electronic system, subsystem, or component within the road vehicle. Moreover, the Society for Automotive Safety Engineers (SAE) created the "J2980 – Considerations for ISO26262 ASIL Hazard Classification" guide to simplify the classification process and enable consistent ASIL ratings.
Determine safety goals
For each identified hazardous event, ISO 26262 sets a safety goal with the same ASIL rating as the hazard. A safety goal is a primary safety requirement emerging from the vehicle-level Hazard Analysis and Risk Assessment (HARA). A safety goal might cover several hazards; conversely, a single hazard might relate to multiple safety goals.
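The following is an added example, not code from the original article, that carries the ASIL and safety-goal steps above through in runnable form. ASIL_TABLE is the ASIL determination table of ISO 26262-3 (severity S1 to S3, exposure E1 to E4, controllability C1 to C3; class 0 in any dimension gives QM); the ABS hazardous events, their S/E/C classes and the goal texts are constructed for illustration.

```python
"""ASIL determination and safety-goal derivation for hazardous events.

Added example, not from the original article. ASIL_TABLE is the ASIL
determination table of ISO 26262-3; the ABS hazardous events and their
S/E/C classes are constructed values for illustration only.
"""
from dataclasses import dataclass

# Rows: S1..S3; columns: E1..E4; cell tuple: (C1, C2, C3).
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


def determine_asil(severity, exposure, controllability):
    """Return 'QM' or 'A'..'D' for one hazardous event's S/E/C classes."""
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("S must be 0-3, E 0-4, C 0-3")
    # S0 (no injuries), E0 (incredible) or C0 (controllable in general):
    # no ASIL is assigned and the event is handled under quality management.
    if 0 in (severity, exposure, controllability):
        return "QM"
    return ASIL_TABLE[severity][exposure][controllability - 1]


@dataclass(frozen=True)
class HazardousEvent:
    item: str
    hazard: str
    situation: str
    severity: int
    exposure: int
    controllability: int
    safety_goal: str  # the vehicle-level goal that addresses this event

    @property
    def asil(self):
        return determine_asil(self.severity, self.exposure, self.controllability)


def derive_safety_goals(events):
    """Map each safety goal to its ASIL.

    A goal inherits the ASIL of the hazardous event it addresses; when one
    goal addresses several events it takes the highest of their ASILs, as
    ISO 26262-3 requires when similar safety goals are combined.
    """
    goals = {}
    for ev in events:
        best = goals.get(ev.safety_goal, "QM")
        goals[ev.safety_goal] = max(best, ev.asil, key=ASIL_RANK.get)
    return goals


# Constructed HARA rows for the ABS item used as the article's example.
ABS_EVENTS = [
    HazardousEvent("ABS", "vehicle skids because ABS modulates brake pressure wrongly",
                   "emergency braking on a wet motorway", 3, 3, 3,
                   "Avoid loss of vehicle stability during braking"),
    HazardousEvent("ABS", "vehicle skids because ABS modulates brake pressure wrongly",
                   "light braking in a parking lot", 1, 4, 1,
                   "Avoid loss of vehicle stability during braking"),
    HazardousEvent("ABS", "ABS warning lamp fails to light", "any driving",
                   2, 3, 2, "Warn the driver when ABS is unavailable"),
]
```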
Define functional safety requirements
ISO 26262 refines safety goals into lower-level safety requirements, allocating these requirements to architectural components such as subsystems, hardware-level systems, and software-level components.
Product design
During the product design phase, automotive engineers create and implement solutions that meet the pre-defined safety requirements to eliminate or mitigate the hazards.
Verification and validation
Verification engineers test the product to ensure it meets safety requirements and effectively eliminates or mitigates any identified hazards.
Validation involves testing the product in its intended environment to ensure it behaves as expected.
Address safety in supporting processes
Ensuring automotive functional safety extends to supporting processes such as change management, production, operation, and safety audits, which must comply with ISO 26262.
These steps emphasize identifying and mitigating risks of every automotive E/E system and subsystem, ensuring they adhere to rigorous safety standards throughout the engineering lifecycle.
Importance of ISO 26262 for automotive design
Why is ISO 26262 functional safety standard important for the automotive industry?
ISO 26262 is a comprehensive guideline that enhances vehicle safety, improves design effectiveness, and boosts customer trust.
Enhanced vehicle safety
Although ISO 26262 is an industry standard rather than a regulation, regulators such as the National Highway Traffic Safety Administration consult it, as do rules such as the Federal Motor Vehicle Safety Standards. Its focus on the entire safety lifecycle of automotive electrical and electronic (E/E) systems helps ensure that vehicles remain safe over their average lifespan in the U.S., around 11-12 years. By adhering to the standard, manufacturers can ensure that their suppliers also uphold stringent safety measures, preventing costly quality issues during production.
More effective product design
The ISO 26262 standard addresses the growing complexity of automotive hardware and software integration in automotive E/E systems by offering detailed guidelines for concurrent development and testing. This approach ensures that all components are tested and integrated rigorously, essential for achieving the highest safety standards.
Improved customer trust
Adherence to ISO 26262 reinforces customer confidence in the vehicle’s safety over the long term. For instance, knowing that a newly developed electric vehicle complies with ISO 26262 safety standards makes buyers more confident about their adoption, contributing to stronger customer loyalty.
ISO 26262 functional safety’s influences on automotive SoC design
Modern automotive development is marked by increasing demands for agility, consolidation of functionality, and rapid change. Additionally, the spectrum of risk and exposure has broadened with the growing demand for electric vehicles and V2X connectivity. The ISO 26262 functional safety standard ensures that designers never lose their focus on safety.
Below are some of the expectations that the design and validation processes must comply with:
Early focus on safety
ISO 26262 imposes a disciplined approach to safety design. Automotive IC design workflows must incorporate safety goals and requirements from the early conceptualization and feasibility stages.
IP quality
AEC-Q100 is an industry-standard failure-mechanism-based stress test qualification for automotive integrated circuits (ICs). As shown in the Table below, there are four temperature ranges defined from Grade 0 to 3.
An AEC-Q100 qualified IC has passed the specified stress tests and provides a defined level of reliability over its temperature grade. Testing automotive IPs to the AEC-Q100 standard can reduce design risks and improve product quality.
Fault modeling
The standard requires analysis of possible failure modes and fault injection testing. Thus, electronic design automation (EDA) tools must support comprehensive fault modeling, simulation, and analysis capabilities to anticipate and mitigate potential safety-related failures.
Safety mechanisms
ISO 26262 mandates automated safety mechanisms to detect and mitigate faults. These mechanisms — like error correction codes, watchdog timers, and redundancy — must be rigorously designed, verified, and validated.
Enhanced verification and validation
The standard demands rigorous verification and validation methods, such as formal verification, advanced simulation techniques, and hardware emulation, to validate the requirements according to the ASIL ratings.
Documentation and traceability
ISO 26262 requires comprehensive documentation and traceability throughout the design and development process. Evidence created through each development layer must be traceable to requirements, justified and then documented as a safety case, which is kept around for years after the design work has been completed. Tools and processes must generate and maintain detailed documentation of design choices, safety analyses, verification and validation results, and changes over the product life cycle.
Figure 3. Traceability for ISO 26262: Requirement derivation and evidence collection
Tool qualification
The standard requires qualification of all the development tools used to design and develop safety-related systems. Software vendors, including providers of design data and IP management solutions, must ensure that their tools meet these qualifications.
Dependent failure analysis (DFA)
ISO 26262 emphasizes identifying and analyzing dependent failures. Design workflows must include DFA to evaluate how failures in one part of the system could impact others.
Production and operation
The standard's mandates extend beyond the design phase to include production and operations. SoCs must be designed for manufacturability and testability to ensure the consistent output and reliable operation of safety-related systems.
Life cycle management
The standard requires consideration of the entire development life cycle of the automotive component, from initial concept through decommissioning. Design workflows must accommodate life cycle management considerations, including design updates, obsolescence management, and change impact assessments.
Automotive chiplet adoption
In the past three years, automotive system-on-chip (SoC) designers have increasingly moved toward using chiplets. This modular approach integrates heterogeneous components to construct a multi-die system, which reduces costs, makes IC designs more flexible, and accelerates time-to-market. However, it also brings safety challenges like:
- Finding chiplets with the best-suited intellectual properties (IPs) that satisfy various ISO 26262 requirements.
- Integrating those chiplet blocks with full traceability.
- Verifying the working of the IP blocks individually and together at design time.
New process-related challenges also emerge, like building up organizational knowledge about these new chiplets that are untested in the field.
Key impacts of ISO 26262 on automotive EDA workflows
The above considerations require enhancements to today’s electronic design automation (EDA) workflows. Here are six critical implications for EDA workflows that designers must consider.
No. 1 Enhanced traceability
EDA workflows must facilitate design data and IP traceability through the full design hierarchy from top to bottom in the automotive design space. A change at any level must bubble up through all the layers of all the projects that depend on that IP directly or indirectly. The simulation, verification, regression, and validation workflows for all the impacted layers must be automatically triggered, executed, and recorded for ISO 26262 safety compliance reviews.
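The rule just described, as an added example that is not code from the original article or from Keysight's tools: a change to one IP block is traced up through every project that instantiates it, directly or indirectly, and the verification jobs for each impacted layer are queued bottom-up and recorded for review. The hierarchy, block names and job names are constructed, loosely modelled on Figure 5.

```python
"""Change-impact analysis across an IP design hierarchy.

Added example, not from the original article and not Keysight's code.
The hierarchy below is constructed for illustration.
"""
from collections import deque

# Constructed bill-of-materials edges: block -> blocks it instantiates.
HIERARCHY = {
    "pll_v2": [],
    "adc_12b": ["pll_v2"],
    "can_ctrl": [],
    "brake_soc": ["adc_12b", "can_ctrl"],
    "steer_soc": ["adc_12b"],
    "abs_ecu_proj": ["brake_soc"],
    "eps_ecu_proj": ["steer_soc"],
    "adas_platform": ["brake_soc", "steer_soc"],
}
VERIFY_JOBS = ("simulation", "verification", "regression", "validation")


def consumers_of(hierarchy):
    """Invert the BOM edges: block -> blocks that instantiate it."""
    rev = {name: [] for name in hierarchy}
    for parent, children in hierarchy.items():
        for child in children:
            if child not in rev:
                raise KeyError(f"{parent} references unknown IP {child!r}")
            rev[child].append(parent)
    return rev


def reverify_plan(changed, hierarchy):
    """Bottom-up list of every block impacted by a change to `changed`.

    Step 1 walks up the consumer edges to collect the impacted set. Step 2
    orders that set with Kahn's algorithm so each block is re-verified only
    after every impacted block it instantiates; a cycle raises ValueError.
    """
    rev = consumers_of(hierarchy)
    impacted, queue = set(), deque([changed])
    while queue:  # step 1: transitive consumers (the changed block itself is excluded)
        for consumer in rev[queue.popleft()]:
            if consumer not in impacted:
                impacted.add(consumer)
                queue.append(consumer)
    indeg = {b: sum(1 for c in hierarchy[b] if c in impacted) for b in impacted}
    ready = deque(sorted(b for b in impacted if indeg[b] == 0))
    plan = []
    while ready:  # step 2: topological order of the impacted sub-graph
        block = ready.popleft()
        plan.append(block)
        for consumer in sorted(rev[block]):
            if consumer in impacted:
                indeg[consumer] -= 1
                if indeg[consumer] == 0:
                    ready.append(consumer)
    if len(plan) != len(impacted):
        raise ValueError("cyclic IP dependency: traceability would never settle")
    return plan


def change_record(changed, hierarchy):
    """Audit-trail rows (block, job, status) to keep for a compliance review."""
    return [(block, job, "queued") for block in reverify_plan(changed, hierarchy)
            for job in VERIFY_JOBS]
```

Running `change_record("adc_12b", HIERARCHY)` lists the two SoCs first and the three projects built on them afterwards, which is the order in which their regressions would have to be re-run.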
No. 2 ISO 26262-certified tool qualification
For the process to be compliant, all the tools used in the process must be qualified for the standard, including the EDA design data management and IP management tools. Tools are assigned one of three tool confidence levels (TCLs). Depending on a tool's TCL, accepted qualification methods include increased confidence from use, evaluation of the software development process, and validation.
No. 3 Design documentation
EDA tools must be tightly integrated with all the design documentation for reporting purposes.
No. 4 Reporting efficiency
EDA workflows should be capable of automatically generating detailed datasheets for ISO 26262 compliance, including Bills of Materials (BOMs), verification reports, regression reports, and analytics that alert designers to potential problems early on.
No. 5 Configuration management
EDA workflows must ensure configuration management (version control) for all work products, design files, and design data. They must support the workflows associated with configuration management, such as identifying the differences between versions and the person responsible for a change. A detailed configuration management plan must be maintained for the entire project.
No. 6 Change management
Change management in ISO 26262 mandates a systematic approach to analyzing, controlling, and documenting changes to safety-related work products, items, and elements throughout the engineering life cycle. This is to ensure that changes don't adversely impact the functional safety of the automotive systems being developed.
Challenges of ISO 26262 compliance in automotive IC design
The compliance expectations and EDA workflows described above result in several challenges:
More complex design requirements
The ISO 26262 functional safety standard has 12 detailed parts and additional guidelines. Ensuring compliance with all aspects of the standard is a challenge.
Design traceability
Design tracking and documentation across the full design hierarchy: Without purpose-built tools, it’s extremely difficult to manually track all design data, intellectual property (IP) usages, dependencies, and documentation. Yet it is critical to do so, because even the slightest change in a low-level design may cascade into failures of higher-level functionality.
Unknown SoC usage conditions
Integrated circuit (IC) design teams in both fabless semiconductor companies and integrated device manufacturers (IDMs) may not know how their designs will eventually be integrated into a vehicle. In such cases, they can make assumptions about safety goals and requirements, document them, and design the SoC and its parts as ISO 26262 safety elements out of context (SEooCs). This ensures that every project that consumes the SEooC knows the safety-related assumptions it was built on.
Design data management
The ISO 26262 standard requires all the design data — analog, digital, and analog mixed-signal — to be organized and contextualized throughout the development process, from concept to tape-out. Without a purpose-built tool, this requires a lot of effort.
IP Integration
Finding a suitable automotive intellectual property (IP) that satisfies all the complex functional and fabrication requirements while also being ISO 26262-compliant can be challenging. This includes comparative analyses, evaluations of different IP offerings from various vendors, compliance checks, and the rationale behind choosing a specific IP.
Figure 4. IPs involved in vehicle parking assist systems
Another frequent hurdle for large design organizations is locating IPs stored in disparate systems across teams. This requires a comprehensive understanding of the specifications of the automotive system and knowledge about various IPs certified under ISO 26262 within the organization.
How Keysight Design Data and IP Management streamline ISO 26262 compliance
Keysight Design Data and IP Management is an ISO 26262-certified platform that enhances design traceability and enables automotive integrated circuit (IC) design teams to comply efficiently with the ISO 26262 standards.
The Design Data and IP Management Platform consists of two software components:
- Keysight IP Management (HUB) enables enterprises to catalog, reuse, publish, and track all internal and third-party silicon IPs throughout the engineering life cycle.
- Keysight Design Data Management (SOS) provides a sophisticated development environment for global teams to efficiently collaborate and manage IC design data from concept to tape-out.
Let's look at some of their compliance-easing features.
Achieve IP traceability across the full design hierarchy
To meet ISO 26262 functional safety requirements, accurate traceability of IP across the full design hierarchy, consisting of IP blocks and IP consumer projects, is paramount.
Figure 5. An example design hierarchy with an SoC used in multiple projects
Keysight HUB knows exactly where any IP is being used, its dependencies, and the hierarchy within its design. You don't need to track down IP usage across your enterprise manually.
Track IP dependencies
With Keysight HUB, IC designers can track IP dependencies on one unified platform, with the bill of materials (BOM) or consumer filter options to sift through massive IP documentation across multiple design centers.
Integrate with all major EDA tools
Keysight HUB and SOS integrate with all the major EDA tools like:
- Cadence Virtuoso Studio
- Empyrean Aether
- MathWorks MATLAB
- Siemens EDA (Pyxis)
- Siemens EDA (Tanner)
- Silvaco Gateway
- Synopsys Custom Compiler
Your in-house proprietary tools can integrate with HUB and SOS through their application programming interfaces.
Centralize data and documentation management
Keysight HUB can store IP-related BOM, design files, datasheets, licensing, and process design kit (PDK) centrally for use across your enterprise with auto synchronization plus secured data transfers and handoffs. It also integrates with document and storage systems like Confluence, Google Docs, Dropbox, and Box.
Automate issue tracking
Track any issues reported against internal and third-party IP blocks being used in your projects. This is essential for ISO 26262-recommended configuration management. Keysight HUB integrates with popular issue-tracking software like Jira and Bugzilla.
Boost team collaboration
Keysight HUB hosts dedicated project forums. Design engineers and IP managers can use them to create, manage, and share user experiences, scripts, methodologies, libraries, and ideas.
Simplify ISO 26262 functional safety compliance with Keysight
This article gives you an overview of ISO 26262 and its impacts on automotive semiconductor and electronic design.
Apply for a free trial today for hands-on experience of using our ISO 26262-certified tools to streamline design data and IP management and simplify ISO 26262 compliance for your automotive designs.