Never miss a story from Breakfast Bytes. Subscribe for in-depth analysis and articles.
I have known Kurt Shuler, the VP marketing at Arteris, for some time. But this post is not going to talk about NoCs (networks-on-chips) at all. It is about the history of ISO 26262. Kurt has been on the committee developing the standard for the second edition. The big edition, from the point of view of the semiconductor ecosystem, is the addition of a new chapter 11.
If you have been around in semiconductors for the last few years, you cannot really have avoided discovering that ISO 26262 is some sort of standard for automotive safety. Indeed, it's actual title is Road Vehicles—Functional Safety. Despite the all-encompassing name, the 2011 version really only covers cars. It doesn't cover trucks, buses, motorcycles, race cars, or off-road vehicles. It also only covers electronics, not hydraulic or mechanical systems. But chips, and embedded software, for the normal cars you and I drive, are right in the center of its target.
For a big picture view of the history of functional safety, going back further than ISO 26262 to the Flixborough and Seveso accidents (if you are old enough, these names will ring a bell as major industrial accidents, if you are not then you've probably never heard of them), then see my post The Safest Train is One That Never Leaves the Station.
In 2011, the ISO 26262 spec came out. Kurt looked at it, working at an IP company, to see how it would impact the designs of their customers. His first discovery was that it was really hard to use even if designing a chip from scratch. But almost nobody designs a chip from scratch, without any third-party IP, or design reuse from a previous chip. Arteris was largely based in France at the time, and the VP Sales there said that we will need to deal with this stuff seriously. It turned out that the place where most of the fundamental work on functional safety was also in Europe, at the University of Pisa (yes, that would be the city famous for ten million tourists taking pictures of themselves holding up the leaning tower). They studied everything from statistical analysis to all aspects of semiconductors. The big name was Ricardo Mariani. These days he is an Intel Fellow after they acquired his company Yogitech. Kurt describes him as the "godfather of functional safety". Appropriately for a godfather, he's even Italian.
Kurt got involved with working on Chapter 11 of ISO 26262, which was not in the original 2011 edition. For a bit more background on that, see my post ISO 26262...Chapter 11. Whereas chapters 1-10 address hardware, software, and tools, chapter 11 addresses how IP suppliers and integrators work together, basically how a group of companies can together create a chip. Another Italian, Lauri Ora (then at Arm) did much of the heavy lifting.
The way ISO works, each country is separate. Standards are first discussed within each country, and then the international work is done to pull that work together, and then it is reviewed. The work on the second edition of ISO 26262 is in this review stage now and Kurt hoped that it will be out before the end of the year. The big focus of the second edition is to make it more useful and less ambiguous. You might guess that if things are ambiguous, that people would cut corners while remaining within the zone of ambiguity. However, it seems that instead, they end up being too conservative which creates a lot of work. This made me think of timing signoff: if your models are too pessimistic, you waste a lot of effort making the design meet timing with those bad models, when in reality it met timing already.
Within Arteris, the other point person was their functional safety manager, Alexis Boutillier. One challenge for us as an industry is that there are very few people like Alexis who understand both ISO 26262 and semiconductor. The automotive companies are full of ISO 26262 experts, and the semiconductor companies are obviously full of semiconductor experts, but very few people have in-depth knowledge of both. Arteris decided to fix that problem internally by training everyone, including executives, to be Certified Functional Safety Practitioners. That was a good idea in some ways, but caused immediate turnover problems: people put their certification on their LinkedIn profile and immediately they would get calls from recruiters. "I didn't see that one coming," Kurt told me.
One part of what might be in the ISO 26262 standard has been pushed into another standard. So here's a new number for you to learn, ISO 21448 (although currently, it is still ISO/PAS 21448 since it is just a "publicly available specification"). There is also a new acronym for you to learn, SOTIF, which stands for Safety Of The Intended Function (or Functionality). By the way, the numbers for ISO standards are set at ISO HQ in Geneva and it is just coincidence that when it was first created, ISO 26262 got a "cute" number. It is going to be harder to remember 21448.
The purpose of SOTIF is to start to address some of the aspects of autonomous driving, where safety is not just connected with a failure of some type, whether a transistor failing, an alpha particle, or similar. A video camera can be overloaded by bright sunlight, for example. I may be oversimplifying, but SOTIF is looking at safety during normal operation whereas ISO 26262 is looking at ways that the vehicle can continue to operate when there are actual failures. SOTIF is taking a more holistic look and acknowledging that "stuff happens". Bright lights, dust, smoke, snowstorms, all affect the sensor data and the "brain" of the car is processing and making decisions based on probability. With neural networks, it is literally based on probability, algorithmic code less so. At some level, it is about reducing the probability of failure to be low enough (and remember, it can never be reduced to zero unless "the train never leaves the station").
Look for the new ISO 26262, called either the second edition, or sometimes ISO 26262:2018. In addition to the general updates, it explicitly addresses the design of semiconductors in vehicles (that is chapter 11). It also expands the definition of vehicle to include the more mainstream vehicles excluded from the first edition: trucks, buses, and motorcycles.
Sign up for Sunday Brunch, the weekly Breakfast Bytes email.