ISO 26262: A Global Outlook for 2015
Significant progress in electronic innovations, such as advanced driver assistance systems, makes compliance with ISO 26262 of the utmost importance. Every part of a hardware or software system must be deconstructed and assessed according to the requirements of the standard, and this puts the onus on every manufacturer and supplier all the way down the supply chain. OEMs rightly acknowledge that these systems, particularly those which ‘take control’ of the vehicle, could imply liability in the event of system failure, and the implications for long-term reliability are sizeable. Therefore it is essential that every component, every tool, and every piece of software is suitably compliant with ISO 26262.
One area where there has been significant development since the standard was published is in the software used to test and validate the functionality of E/E systems. Design automation software vendors, such as Cadence, are releasing automated functional safety software solutions that reduce the time associated with verification processes for ISO 26262 compliance.
Released in October 2014, the Cadence System Development Suite is built on the company’s Incisive Verification Platform, and claims to reduce ISO 26262 compliance efforts by 50% by automating fault injection and results analysis for intellectual property (IP), system-on-chip (SoC), and system designs. The functional safety solution fulfils the traceability, safety verification, and TCL requirements of ISO 26262, and includes an Incisive Functional Safety Simulator and functional safety regression capabilities with the Incisive vManager Solution.
Cadence is one of many software companies that have developed software to assist developers and manufacturers with ISO 26262 compliance, and this is one way that the time-consuming process of ensuring compliance can be tackled.
Another interesting development in parallel with ISO 26262 is the advance made by AUTOSAR in an effort to develop a global standard for system architecture, so that the basic software functions of automotive ECUs can be standardized.
AUTOSAR (Automotive Open System Architecture) is a development partnership between leading OEMs and tier one suppliers in the automotive industry. The common objective is to create a development base for industry collaboration on basic functions while providing a platform which still encourages competition on innovative functions. The development partnership has been formed with the goals of:
- Standardization of basic software functionality of automotive ECUs
- Scalability to different vehicles and their platform variants
- Transferability of software
- Support of different functional domains
- Definition of an open architecture
- Collaboration between various partners
- Development of highly dependable systems
- Support of applicable automotive international standards and state-of-the-art technologies.
In October 2014 AUTOSAR released the first version of Standard Acceptance Tests (Release 1.0). The acceptance tests, written at the specification level, are intended to validate the behaviour of a configured AUTOSAR implementation at its interfaces. The first release of acceptance tests includes test cases for the Runtime Environment (RTE), basic software services (NVRAM Manager, Diagnostic Event Manager, Diagnostic Communication Manager, ECU State Manager, and Communication Manager), bus behaviour (communication on CAN, LIN, FlexRay, generic features of the communication stack), and bus protocols (transport protocols, network management).
The main goal of the AUTOSAR Acceptance Test Specifications is to save considerable cost and effort in the field of testing activities through:
- Standardization of test cases; allowing the exchange of reliable test results. This means that test cases can be applied once for multiple customers, so both supplier and customers need not execute the same tests.
- Common test development and maintenance; providing significant help for users as they no longer have to specify and maintain test cases of their own.
- Definition of a universal methodology; enabling the extension of the standard test suite with user-specific features.
This standardization across software development and testing allows the use of standardized, re-usable software layers and components that exist in every automotive ECU. It also provides a consistent, repeatable ECU design methodology, which supports the requirements of ISO 26262.
ISO 26262 is quickly becoming commonplace in the European, American, Japanese and Korean markets, and 2015 will focus on the software and technologies that will facilitate compliance, and standardize software architecture and test procedures. However, other important automotive markets, such as China, are still to confirm their national standards and how they relate to ISO 26262.
The adoption of ISO 26262 in Korea is having a big impact on domestic parts suppliers, and both Hyundai Motor Company and Kia Motors have indicated that they will require ISO 26262 compliance for all parts used in their vehicles from the beginning of 2016.
Safety tests carried out by the Hyundai Motor Group between May and September last year showed that many of the domestically-sourced parts failed ISO 26262 functional safety tests. The tests were conducted over various assessment items based on the standard, and while established foreign suppliers generally scored well, many Korean companies averaged a score of 30-40/100, against a minimum level of 75/100 recommended by the Group. Those companies which fail to raise their compliance levels will not be able to supply the automaker beyond 2016, and that has put pressure on local suppliers, particularly smaller companies, which lack the financial and human resources to meet the standard.
The larger parts suppliers such as Hyundai Mobis, Mando, LG Electronics and SL are successfully incorporating ISO 26262 compliance into their products, and in 2012 Hyundai Mobis was the first Korean supplier to receive ISO 26262 certification from TUV SUD. It is the medium and smaller companies that are lagging behind due to resources, and the Hyundai Motor Group is working to support implementation by providing theoretical and practical training sessions for suppliers, and by distributing guidelines.
It’s a similar situation in Japan, where Toyota’s recent court case has highlighted the importance of functional safety. The manufacturer reached a settlement in 2013 in an Oklahoma trial which centred on the electronic throttle control system alleged to have caused the unintended acceleration of a 2005 Camry, leading to the death of one woman and the injury of another in 2007.
The software and the source code in that model pre-date the release of the ISO 26262 standard, but the case highlights the importance of compliance for manufacturers: most importantly for the safety of drivers and other road users, and also in terms of legal liability, so that automakers can show they have taken all possible steps to guarantee the safety of their vehicles.
Toyota began using Siemens PLM software in January 2013 specifically to comply with ISO 26262 as part of a comprehensive initiative to produce safer vehicles for its customers. During 2014 the Japanese automaker announced its intention to increase the use of the ‘Teamcenter’ software throughout its development sites. The software enables Toyota to enhance collaboration between multiple divisions and significantly improve traceability management, facilitating compliance with the standards.
China’s national standard for functional safety is currently being drawn up, and in all likelihood it will be based on ISO 26262, if not a direct adoption of the standard. China’s national standard GB/T 20438 is based on the European standard IEC 61508 for functional safety, and has been in use for several years. A host of other national standards for functional safety in the rail, mechanical and process industries have also been based on their European counterparts, and it appears that the standard for automotive functional safety will follow suit.
TUV Rheinland, a leading international testing and certification service provider in the functional safety sector, began running workshops for ISO 26262 in Hong Kong in January 2013, in association with the Hong Kong Productivity Council Automotive Parts and Accessory Systems (APAS) R&D Centre. The organisation provides training and accreditation for ISO 26262, along with several other functional safety standards, in Greater China, and as early as 2012 certified over 100 functional safety engineers in China.
ISO 26262 has been widely adopted throughout automotive markets globally, and although the Chinese government has yet to confirm its own standards, other growing markets such as India have begun to adopt the ISO standard. Further acceptance of ISO 26262 as the global standard will allow developments in software, testing procedures, and standardized equipment. This will be essential to create an environment for innovation, and allow designers and engineers to concentrate on system development over standards compliance.
As automakers in the Asian markets adopt the standard, it will apply pressure on parts suppliers to adhere to ISO 26262, and this is causing tension among the medium to small suppliers as many lack the resources and know-how to cope with the requirements. This will bring change in the supply chain in those markets as companies that fail to meet standards are weeded out, and those that respond to requirements develop their level of understanding of compliance.