Sensata discusses the main challenges in the application of ISO 26262 to semiconductors
Automotive IQ sat down with Lisa Clark, Functional Safety Manager at Sensata Technologies, and talked about key issues in applying ISO 26262 to semiconductors, ahead of the conference where Mrs. Clark will also be presenting.
Can you tell me more about your role in Sensata, and your role in the ISO 26262 working groups?
I am responsible for establishing an ISO 26262 compliant development process for global use within Sensata and for providing training and support for the development teams. Sensata Technologies is a world leader in mission-critical sensors and electrical protection. Actually, the name ‘Sensata’ comes from the Latin word sensata, meaning “those gifted with sense.” Sensata has a diverse portfolio of sensor and control products that serve the automotive, aircraft, industrial, military, heavy vehicle, recreational vehicle and marine markets. We service these markets by supplying products that improve safety, energy efficiency and a clean environment. I am the US part leader for Part 11 and led the creation of several clauses in Part 11 including one on ‘sensors and transducers’. I was also an active contributor and editor of the clause on ‘analog and mixed signal.’ I am also the US part leader and active contributor to Part 7 ‘Production, Operation, Service & Decommissioning.’ I joined the USTAG because I wanted to understand how the standard was intended to be applied to semiconductors and I wanted to influence the content. I think I achieved those objectives.
Do you think there was a universal need for Part 11?
Absolutely. The standard was written from a vehicle/system perspective, which makes sense when you are trying to preserve occupant safety, but it wasn’t specific about how it should be followed for semiconductors or what would be in or out of scope. Some of the principles just can’t be applied in the same way for semiconductor components as they are for systems. The standard was also inconsistent, mentioning ‘items, systems and elements’ in a few places and just ‘items’ in others. What Part 11 did was to clarify what was relevant for semiconductors and to offer examples of how certain requirements were applied at a semiconductor component level. In fact, I think some of the most useful content in Part 11 is the prolific inclusion of examples, both in the text and in the annexes. A good example of this distinction would be in the calculation of failure rate. You can’t look up the failure rate of an ASIC in a reliability handbook the way you can look up other standard components. There is a whole separate way of doing that, which is now explained in the base failure rate clause of Part 11.
How will the new inclusion of semiconductors in ISO 26262 influence the day-to-day activities of functional safety managers within the semiconductor industry?
This is a great question. Because there was previously no specific guidance given about semiconductor elements in the standard, how the requirements of the standard applied to semiconductors was open to interpretation. Even though Part 11 is an informative part and is not prescriptive, its content represents a baseline approach for semiconductor development and will likely be used as a model for future programs… and future assessments. Safety managers must get familiar with the content of Part 11 after its publication and make sure that their developments are utilizing the information contained in it. They may find that there are gaps in their process and/or their safety cases that will need to be filled. The more safety managers are informed about what is considered to be standard practice, the better they can provide rationale that supports their internal practices and, ultimately, their safety cases.
What activities is Sensata undertaking in order to ensure that it complies with the highest standard of functional safety in the automotive industry?
We are doing many things, like all companies adapting to the standard, so I will mention a couple of the things that I think are the most important. We are investing in our process. What I mean by this is that we are putting effort into the safety development process so that it is comprehensive but also easy to use. We are building in what is required by the standard in a way that supports the users of the process. We are developing our process so that it will be consistent across every development in every location. We are using standardized templates and formats for work products, where possible, and providing instructions and examples for all of them. We have created a functional safety portal, accessible from any Sensata global location, that contains reference material, examples, training and a forum for discussion for the development teams. We want our process to be self-guiding as much as possible and easy for our teams to use. The second thing that is critically important is to establish a comprehensive training program that supports the development process. You can have a good process, but if your teams don’t know how to use it or why they must use it, you still have some work to do. Our training program establishes what knowledge from the standard is required based on functional role. The trainings also require exams that assess the level of understanding of the material, since safety is so important to each of us.
From your point of view, what challenges are semiconductors facing in order to comply with Part 11?
I think the biggest challenge is in providing the comprehensive rationale that is needed to support much of the engineering judgement used when developing semiconductors. For instance, the typical diagnostic coverage values of 60, 90 and 99% for low, medium and high coverage safety mechanisms will be removed in the 2nd edition, and rationale will be needed to defend the DC used in the safety analysis. This rationale must be documented to provide evidence of due diligence. Fault injection software can be used as evidence of diagnostic coverage, but it may not yet be a standard part of everyone’s development process. Another challenge may be that some semiconductor suppliers are doing things differently from the explicit examples in Part 11, which has the potential to be judged as incorrect or not state-of-the-art during an assessment. We need to remember that Part 11 provides examples, but those examples are not all-inclusive. Be prepared to provide sound rationale for any engineering judgements made – and document these judgements as you go along. Don’t try to remember them all right before an assessment.
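The answer above points out that the 60/90/99% diagnostic coverage figures will no longer be available as defaults and that the DC claimed for each safety mechanism has to be defended. The following is an added illustration, not code from the interview or from Sensata, of why that rationale matters: it shows how much the single-point fault metric (SPFM) of a small hardware block moves when the claimed DC changes. It uses the ISO 26262-5 definition SPFM = 1 − Σ(λ_SPF + λ_RF) / Σλ, with the simplifying assumption that the residual failure rate of an element covered by a safety mechanism is λ·(1 − DC); the element names and FIT values are constructed sample data, not real parts.

```python
"""Sensitivity of the single-point fault metric (SPFM) to the claimed
diagnostic coverage (DC) of each safety mechanism.

Added example, not from the interview or from Sensata. It applies the
ISO 26262-5 metric SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
under the simplification that an element's residual fault rate is
lambda * (1 - DC). All element names and FIT values are constructed.
"""

from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class HwElement:
    name: str
    fit: float            # failure rate in FIT (failures per 1e9 h), constructed
    dc: Optional[float]   # claimed DC in 0..1; None means no safety mechanism


# Constructed sample block: three safety-related elements.
SAMPLE_BLOCK: List[HwElement] = [
    HwElement("sensor_core", fit=100.0, dc=0.90),   # monitored by a plausibility check
    HwElement("adc", fit=50.0, dc=0.99),            # monitored by a BIST
    HwElement("voltage_ref", fit=20.0, dc=None),    # no safety mechanism at all
]


def residual_fit(e: HwElement) -> float:
    """Failure rate that the safety mechanism does NOT detect.

    Without a mechanism the whole failure rate is a single-point fault;
    with one, the undetected share is lambda * (1 - DC) (simplified model)."""
    if e.dc is None:
        return e.fit
    if not 0.0 <= e.dc <= 1.0:
        raise ValueError(f"DC for {e.name} must be in [0, 1], got {e.dc}")
    return e.fit * (1.0 - e.dc)


def spfm(elements: List[HwElement]) -> float:
    """Single-point fault metric for the block, as a fraction in [0, 1]."""
    total = sum(e.fit for e in elements)
    if total <= 0.0:
        raise ValueError("block has no failure rate to evaluate")
    undetected = sum(residual_fit(e) for e in elements)
    return 1.0 - undetected / total


def spfm_with_uniform_dc(elements: List[HwElement], dc: float) -> float:
    """Re-evaluate the block with one DC claimed for every covered element.

    Elements without a mechanism keep dc=None, so only the *claim* for the
    existing mechanisms changes. This is the sensitivity an assessor will
    probe when a DC figure is asserted without evidence."""
    relabelled = [e if e.dc is None else replace(e, dc=dc) for e in elements]
    return spfm(relabelled)


def dc_sensitivity(elements: List[HwElement]) -> dict:
    """SPFM of the block under the former low/medium/high DC claims."""
    return {dc: spfm_with_uniform_dc(elements, dc) for dc in (0.60, 0.90, 0.99)}


if __name__ == "__main__":
    print(f"SPFM with the per-element DC claims: {spfm(SAMPLE_BLOCK):.3f}")
    for dc, metric in dc_sensitivity(SAMPLE_BLOCK).items():
        print(f"  uniform DC claim {dc:.0%}: SPFM = {metric:.3f}")
```

Running it on the constructed block shows the metric moving from about 0.53 with a 60% claim to about 0.87 with a 99% claim for the very same hardware; the element with no mechanism caps the result regardless of how well the others are covered, which is why the justification behind each DC figure, not just the number, ends up in the safety case.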
Confidence in the use of software tools is crucial for automated driving and ISO 26262. How is Sensata overcoming these challenges?
Semiconductor development depends heavily on the use of software tools. If a tool does not have the highest confidence, it must be qualified, or it must be proven that its use will not negatively impact the risk of the E/E system under development. This can be tricky but, in general, I think we have a good sense for which of our tools can impact risk and which don’t – but we must document this ‘intuition’ based on evidence and rationale. For example, if your tool chain is composed of software tools that are semiconductor ‘industry standard’ by well-known companies that are also investing in functional safety advancement, you may have high confidence in them and need to sufficiently document why you have that confidence. If you use a ‘home-grown’ tool that was developed ‘mostly’ according to a coding standard and whose output is not checked, you will have a tough time providing evidence of high confidence… and maybe you won’t want to use that tool any longer. Many software tool providers offer ISO 26262 ‘qualification’ packages that will assist in creating the evidence needed to support high confidence levels in your particular tool chain… And speaking of tool chains, another good practice is to have a standardized tool chain that is used for every development, if possible. By using a standard flow and configuration, you can create your confidence evaluation once, qualify any needed tools and then use that documentation for all development projects. This will require more up-front work but will greatly simplify what needs to be done on each individual project.
How are you coping with the challenges above?
I think you need to keep in mind that designing and implementing a safety-compliant process is a process in itself. Many companies are still working on understanding and implementing/refining the first edition of the standard, and soon the second edition will be released. You can’t get everything done immediately, so you must focus on the most important items to work on and resist the temptation to work on only those things that are urgent. Focus on providing a solid foundation for your process, like your tool chain and training programs. I can’t say enough about having a solid training program for the engineering teams. For a company to successfully integrate safety developments, everyone needs to understand how their role is affected by the requirements of the standard. That means that safety understanding can’t be limited to subject matter experts; it needs to take on a life of its own and become everyone’s ‘new normal.’ I also think that we need to spread basic safety awareness through our companies and help our people to understand why this great additional effort is required. Most development teams are already operating lean, and functional safety is a big additional burden on resources. Try to be a patient ambassador of your company’s safety culture and understand that it is a process. When someone asks me if this or that is ‘good enough’, I reply with a question: Is it good enough to be in your child’s car? That usually gives the safety culture a little boost!