ISO 26262 semiconductor safety
Safety concerns for automotive systems took a giant leap forward with the advent of the airbag and anti-lock brakes, and continued through the electronic revolution with better security systems and warning lights signaling internal problems. Now, computer software and hardware have taken over nearly all safety/security/operating functions, making semiconductors the most varied pieces of equipment in a car today.
ISO 26262 is the international standard compliance document for functional safety of electronics in vehicles. One of the main drawbacks of putting hardware through the ISO 26262 process using testing products is the expense of evaluation before any results can be verified. The pre-checks in place can create a “one-step-forward, two-steps back” conundrum: components in automobiles must not only be tested as error-free at installation; they must also pose no threat when malfunctioning, or “entering an unexpected state,” as ISO 26262 states.
We will look at several aspects of hardware certification and manufacturing, and how they relate to the software systems that drive them. Automation will be one key feature in the next generation of chips; repeatability will be ever more important in meeting the rigorous standards set up in the regulation.
The advantages of end-to-end standards
The great plus for ISO 26262 is that it is an international standard. Any truly overriding standard for an industry as large as automotive is bound to reduce costs because any innovation made and approved for electronic systems through a standard is good for all companies; the research can move on without hugely expensive retooling for every manufacturer.
In theory, accepted, detailed safety practices apply to everyone, so a major milestone is met when a practice is finalized. Yet politics and financials can get in the way. Manufacturers (and nations) who initially agree to accept such standards find some aspect that does not exactly fit.
One brief argument for an overarching development rule like ISO 26262 is that the ends justify the means. (1) This report said that “It seems like a lot of extra steps to have to go through … The immediate gains of ISO 26262 and its qualification processes may seem like extra work, time and expense. Be assured, however, that it’s worth it … Engineers, sales, and marketing can all agree. ISO 26262 provides a set of common rules they can all adhere to with less subjectivity and more confidence in the final product’s quality.”
However, the title of this piece, “ISO 26262 compliance is not a costly overhead,” is misleading. Control compliance is always a costly overhead. Companies do not argue that safety is not desirable; they argue the validity of the means to get to safety.
Integration with legacy systems
The demand for semiconductors that arose with electronic systems in computing continues at a rapid pace. Aircraft and automobiles are just a large piece of an ever-expanding market for computer-driven mechanical systems.
New standards like ISO 26262 demand that designs for electronic parts begin with compliance in mind. Start by first creating the process to fulfill the requirements. In software, legacy systems are important building blocks for new research. The same holds true for the manufacturing systems for semiconductors. Since ISO 26262 is an end-to-end standard, manufacturers are faced with the expensive task of tooling from the beginning of their operation, and designing at the most basic starting point. (2)
“A complete functional safety verification flow for automotive SoCs must ensure zero design bugs, using coverage-driven functional verification, and zero safety risks, using a functional safety verification strategy that complies with the ISO 26262 automotive safety standard,” this report said.
Importantly, this dual safety standard – no design problems and safe use even in failure – involves the entire supply chain for a motor vehicle. (3) The car maker ensures that its Tier 1 supplier is compliant; the Tier 1 supplier does the same with its hardware vendor; the vendors must get compliance from the chip supplier; the chip supplier must show it has the system requirements covered.
Who’s at fault?
To comply with these complex rules and make products that tend to be more and more failsafe, chipmakers are designing semiconductors with built-in-self-test on startup. This is not a new process, but is continually being upgraded to include the ability to self-test after a number of cycles, and eventually the chip will self-test continuously.
Engineers are also refining the term “faults,” their causes and how to better test for faults and failures. (4) A fault can be in the design, a specific hardware item, or in software causing a malfunction in the chip, this report said. The better the self-test at startup or shutdown, the better the system can detect soft faults, or those that do not cause system breakdown but could contribute in the future.
Semiconductor companies must be prepared to install multi-layered fault testing in their processes, the report said. Here, designers can save time and money in the entire manufacturing chain by developing the correct countermeasures against faults from the beginning. Like ISO 26262 itself, the safety structure is simultaneously viewed in the entire scope of the vehicle and its use, and at the microprocessor level for every function.
This report also recommends a plan called failure Modes and Effects Analysis (FMEA). Defined as “structured approach to discovering potential failures that may exist within the design of a product or process,” this planning tool builds scenarios as it is used, and develops them in a spreadsheet format. As stated earlier, one of the costly aspects of implementing ISO 26262 is the many preliminary steps that must occur before the manufacturer sees a product. This product might still not conform to safety assurances. The FMEA helps increase the likelihood that a component will pass the failure tests.
There are several methods to continue this fault checking in the development of the product, as well. Multiple checking devices, or separated circuits that exist only to check, log and classify faults, must be built in. Every one of these checkers is a bit of insurance for the final product. It is ideal to have fault checkers that check themselves, too.
Automation fits the bill
Most products made today are made using a set of automated systems. Even a custom designed product is built using automated manufacturing machinery. For instance, most metal cutting operations are CNC today.
Automating as many processes as possible increases the value per hour of output. This is true in cleanrooms for chips. (5) Many quality control issues are eliminated by correctly automated steps. Semiconductor manufacturing has the added burden of mandatory ultra-clean construction environments. Chip creation means removing not only visible but invisible contaminants.
The latest developments in cleanroom automation can help manufacturers hold to the tightest safety testing requirements, and an end-to-end automated design-build system is the coming technology for addressing functional safety. (6)
In this report, the author suggests that each step in the process that is automated removes or reduces errors, thereby removing faults from the eventual product. Since each step in ISO 26262 needs documentation of design flaws and tested flaws, automation offers repeatability for both, especially in the manufacturing phase. This overall end-to-end structure for automation removes the errors that cut-and-paste types of automation entail: if machines and methods from various suppliers are cobbled together, this fact alone makes the system error-prone. “A design should be able to go from the safety requirements analysis or Hazard Risk Analysis (HARA) through functional analysis, hardening and fault-injection with minimal and traceable manual input,” the report said.
The entire process should also combine the risk analysis, testing/reporting hardware and software, and fault campaigns into the single system. “This rigorous process will generate auditable and verifiable collateral that enables the system to receive the required safety integrity certification level and give system designers the confidence that they need in their chips.”
In conclusion, we have an author who gives three top reasons for manufacturers to implement functional safety into hardware rather than software, and why chipmakers should lead in this safety area. (7) He argues that:
- Software development and maintenance is more difficult and expensive to certify than hardware IP
- Hardware IP is pre-tested and repeatable, whereas software faces future unpredictability
- Semiconductor makers “set a baseline of safety features that must be implemented, which is less risky than low-grade software developed without knowledge, input or feedback.”
These factors present opportunities for hardware manufacturers to lead the way in ISO 26262 implementation. Whether semiconductor makers put in the most advanced end-to-end system or not, the safety of automotive systems depends on software and hardware that is multi-tested and certified.