Renesas Electronics on ISO 26262 challenges for the semiconductor industry
Automotive IQ sat down with Riccardo Vincelli, Director of Functional Safety Competence Center at Renesas Electronics, to discuss challenges with ISO 26262 for the semiconductor industry.
Riccardo Vincelli, you are Director of the Functional Safety Competence Center at Renesas Electronics, and you have been part of our “ISO 26262” conference. Now, you are joining the “Application of ISO 26262 to Semiconductor” event. What is the challenge with ISO 26262 for the semiconductor industry?
One of the main challenges today is the understanding of the ISO standard by the different players. Part 11 now offers better informative guidance on what we need to do to develop a safe product (as do ISO 26262-5, Annex D, or ISO 26262-10 today), but many interpret it as a kind of “exclusive” rule, like a normative requirement that does not allow deviations – but it’s not like that (you cannot make a standard that considers each and every case, and safe products cannot be achieved by just following a copy-and-paste approach). Understanding the motivations behind it is the key.
Also, one of the big challenges is to educate engineers on what needs to be done, as this requires a considerable change in mindset from traditional engineering practices. Finally, with the safety analyses we have to perform, we are forced to provide our customers with more information that was not shared before. That is another challenge: how to educate about internal elements and their relation to the final “context” when providing SEooC components that our customers have to customize? A wrong understanding may lead to a wrong system with safety consequences.
The second edition of ISO 26262 includes a new chapter especially for semiconductors, chapter 11. What does this chapter change for you in your day to day work?
Actually, not much, because we were already following the guidelines reported in Part 11. Part 11 reflects most of our existing practices (Renesas was a key contributor to Part 11). For example, looking at the dependency analysis, the initiators now reported in ISO 26262-11 are mostly based on our internal guidelines that were already available before, so it’s not changing our daily work but is making our daily work a bit easier, because now it's easier to talk to most of the guys and justify what we are doing and why. There are still some portions missing in ISO 26262, like how to deal with legacy products, fully operational and autonomous driving. But we also cannot expect a safety standard to spell out all aspects for you. It is only a collection of “best practices” based on the current state of the art and constrained by the schedule imposed to develop an ISO standard.
One of the challenges is to increase safety by keeping costs down. How can Functional Safety be made (more) affordable for semiconductor devices?
Yes, that is a big question for everyone. One of the challenges is that today we are pushing a lot for out-of-context developments (aka SEooC), and for this the suppliers are forced to make assumptions. But without a full system context, and to allow flexibility, assumptions may sometimes be very conservative, increasing costs. That is one of the issues. And if you are targeting some known systems such as airbags, steering, or braking, this is fairly OK. But if we are moving to complex Systems on Chips for autonomous driving, not everything is known today, and then we are forced to make very conservative assumptions, increasing costs, or to leave handling to the customer, increasing risks and making it challenging to prove suitability. That is the borderline where, if you don’t have a very strong relationship with lead customers, you may end up with something much more expensive than it would otherwise be. That is one of the big challenges now; to really bring costs down you need to understand more about the system and co-operate. Then the out-of-context approach for complex components and leading-edge applications may not work.
Semiconductor companies are lobbying against FMEDA and FTA being in the ISO 26262 guideline. What is the issue with those fault testing methods?
I cannot say that there is a lobby against FMEDA and FTA in the ISO working group. I’ve never really come across this in my discussions. The reason we are not referring explicitly to FMEDA or FTA, but rather to deductive and inductive methods, is that FMEDA and FTA are not the only solutions, and especially when moving to complex components and new challenges, you may find some better approaches (e.g. see STAMP gaining popularity). That is the main reason why such dedicated names are not specifically used. Of course, today everyone is using FMEDAs. FTA is mainly used at system level (at component level this is done more for ASICs, where we get very specific top-level requirements from the customer), but, again, I would not say there’s a lobby against this; it’s just that we want to keep it more open to find the best solutions.
What role will SOTIF (ISO/PAS 21448: safety of the intended functionality) play in the semiconductor company?
As we will be discussing now in the panel, SOTIF is more of a system aspect. But it may have implications down to components, potentially in two respects:
- 1) One is related to the definition of safety concepts. Because in the case of SEooC components we need to define our concept (based on assumptions), understanding SOTIF and its implications will help to create more realistic definitions.
- 2) The second is related to redundancy, which, due to SOTIF, may also require some degree of diversity. So it may not be possible to use the same component multiple times to achieve a potentially fully operational system; you may require diversity, and this may have implications for the company portfolio.
However, SOTIF is still a relatively young standard with a lot still to discover.