How important is ISO 26262 training in IC design?

Article By : Jeff Hutton

An initial class on the ISO 26262 standard is very beneficial to have before an engineer starts a safety-critical design task, experts say.

In addition to the usual power, performance, area, cost and time-to-market specifications, automotive ICs must comply with safety, security and reliability requirements such as those outlined in the ISO 26262 Safety Standard.

The next version of the ISO 26262:2012 Safety Standard will include motorcycles and trucks. This leaves semiconductor companies wondering whether to invest in formal training for their engineers.

Synopsys has developed a large and growing portfolio of automotive semiconductor IP. We have also enhanced our electronic design automation (EDA) and software signoff tools to make it easier for hardware and software engineers to comply with the ISO 26262 and other automotive standards. We’ve learned a lot about what it takes to ensure functional safety and the value of upfront training of our design engineers on the ISO 26262 standard.

Fergus Casey, a design manager in Synopsys’ IP group that is designing safety critical automotive IP, is convinced that an initial class on the ISO 26262 standard that covers terminology, required documentation and automotive-specific techniques needed for the main engineering tasks is very beneficial to have before an engineer or engineering team starts a safety-critical design task.

“There are many terms, documents, process names and other things that need to be understood so that proper design techniques and analysis are used, and maximum efficiency is achieved,” said Casey. “It’s very hard to discuss the requirements for things like Automotive Safety Integrity Level (ASIL) or Tool Confidence Level (TCL) if everyone on the design team doesn’t understand the meaning of the terms and their background," he noted.

At Synopsys, our automotive IP designers go through a three-day training class taught by an accredited testing authority that provides functional safety training and qualification. After the initial class, we conduct additional training with our engineering teams and our safety managers. The goal of this training is enabling our designers to deliver IP that meets ISO 26262 requirements, passes internal and external safety audits with minimal reengineering and rework, and provides our customers with a comprehensive solution, including documentation.

Challenges of meeting requirements

There are several providers of ISO 26262 training. We recommend using a company that also does safety assessments for the types of systems or ICs that you’re developing. Working with a safety expert in assessing ISO 26262 compliance will allow the engineers to ask detailed questions about how they can apply the standard to their designs and what an assessor will look for in evaluating compliance.

Training in failure definitions and failure analysis has been particularly beneficial to our engineers. There are multiple methods that you can apply to meet the requirements of the ISO 26262 Standard, and knowing the difference and how and when to apply the different methods is very useful. An example is failure modes and effects analysis (FMEA) and fault tree analysis (FTA).

FTA is a top down, deductive failure analysis that uses Boolean logic to analyse undesired states while FMEA is an inductive reasoning single-point failure analysis and is done bottom up. After the application of one of these methods, the probability of each failure, the addition of safety mechanisms and the diagnostics of how the system reacts in the presence of the failure must all be determined and documented. Walking through examples of the methods, analysis and required documentation is a practical learning exercise.

Another challenge to designing ISO 26262-compliant ICs is the fact that this standard is a goal-based standard, as opposed to a prescriptive standard. This means that ISO 26262 does not define specific steps that must be followed to meet the requirements. A resulting goal such as the diagnostic coverage with respect to residual faults must be greater than or equal to 99% to achieve ASIL D is given, but no instructions on how to achieve it are provided.

Instead, engineering teams must determine what relevant engineering practices are needed to achieve that goal. This can be frustrating to engineers, but the standard was set up this way intentionally so that it can be applied over time to the best and most up-to-date engineering practices. Without prescriptive methods, training is even more important to give engineers the background and basis for making decisions on how to comply to ISO 26262.

Having worked for several years to develop EDA tools, IP and software signoff solutions for automotive applications, Synopsys has found that our automotive-focused engineers benefit from initial and continuous training on ISO 26262. With the additional layer of complexity that the ISO 26262 standard adds to safety critical automotive IC designs, the knowledge gained through good training is particularly valuable in ensuring correct and efficient application of the standard.

First seen on EE Times.