Happy 10th Birthday ISO 26262

Today is the 10th anniversary of ISO 26262. It was first published on 11th November 2011. ISO 26262, titled Road vehicles – Functional safety is...err...about the functional safety of road vehicles. Cadence recently announced our own functional safety solution and the Midas platform. I covered that in my post Announcing Cadence Safety Solution and the Midas Platform...Turn Your Automotive Products into Gold.

If you have paid even passing attention to what has been going on in automotive functional safety, then you'll have heard of ISO 26262. You may even know that chapter 11 is the best! That's the one about semiconductors and semiconductor IP that was added in the second edition in 2018.

For an overview and history of ISO 26262, see my posts over the years:

• "The Safest Train Is One that Never Leaves the Station" (a history of functional safety leading to IEC 61508, and a dive into ISO 26262 first edition)
• History of ISO 26262 (with Kurt Schuler of Arteris who was on the committee for the second edition of the standard)
• ISO 26262...Chapter 11 (chapter 11 is the one on semiconductors in the second edition)

What Is in ISO 26262

The first edition, the one with a 10th anniversary today, is officially ISO 26262:2011. It was based on development that started in 2006. It completely replaces IEC 61508 and is not a child standard like the early ones for industrial and rail. It separately addresses vehicle (which it calls an "item"), system, hardware, and software. It covered just the electrical and electronic systems of production cars under 3500kg. It did not cover hydraulic and mechanical systems, specialist vehicles like Formula 1 race cars, trucks, buses, motorcycles, or off-road vehicles.

The second edition, ISO 26262:2018 extended the scope to all road vehicles except mopeds. One problem in the first edition is that it used the term "hardware qualification" but it means something different from when we talk about qualification or "qual" in the semiconductor world. It became "hardware evaluation" in the second edition.

Functional Safety and ASIL Levels

Functional safety of road vehicles comes down to a few tenets:

• Risk can never be reduced to zero
• For each application, there is a non-zero acceptable risk level
• Avoid failures that can be avoided
• Detect failures that cannot be avoided, and transition to a safe state to avoid harm

There are two broad classes of faults, systematic and random. A systematic fault is deterministic and always occurs under the same conditions. The focus is on fault avoidance. A random fault is non-deterministic and may be described with a probability distribution. Think of things like high-energy cosmic rays flipping a bit in a memory. The focus is on fault detection.

Another concept introduced in ISO 26262 that you might have heard of is the Automotive Safety Integrity Level, or ASIL. There are four levels known as ASIL-A to ASIL-D, with ASIL-A requiring the lowest level of risk-reduction for functional safety, and ASIL-D the highest. 

Events are classified in a number of dimensions that are combined together to give the ASIL level:

• Severity (if the event happens, how bad can it be):
  • S0 No Injuries
  • S1 Light to moderate injuries
  • S2 Severe to life-threatening (survival probable) injuries
  • S3 Life-threatening (survival uncertain) to fatal injuries
• Exposure (how likely is the event):
  • E0 Incredibly unlikely
  • E1 Very low probability (injury could happen only in rare operating conditions)
  • E2 Low probability
  • E3 Medium probability
  • E4 High probability (injury could happen under most operating conditions)
• Controllability (how controllable is it by the driver):
  • C0 Controllable in general
  • C1 Simply controllable
  • C2 Normally controllable (most drivers could act to prevent injury)
  • C3 Difficult to control or uncontrollable

Other Related Standards

Accellera has a Functional Safety Working Group. You can read more details in my post Accellera Functional Safety. The mission of the group, which is chaired by Cadence's Allessandra Nardi, is "to standardize information for capturing and propagating the safety intent from the system down to the SoC/IP design and implementation including failure mode propagation, verification, validation, reliability, and safety mechanisms". The key aspect of this is USF, the Universal Safety Format, which allows EDA tools to communicate safety requirements.

Another ISO standard related to cars is ISO 21434. This standard is titled Road Vehicles — Cybersecurity Engineering. You can read more about it in my post Have You Heard of ISO 21434? You Will. The standard is currently under development and the first draft became publicly available in February 2020 and it deals with the cybersecurity risk in road vehicle electronic systems. Security professionals like to say that there is no safety without security. And it is true. You've probably seen this before, but in case not, here is the video of Chris Miller and Chris Valasek taking control of a Wired journalist's Jeep, and eventually, driving it into a ditch.

Sign up for Sunday Brunch, the weekly Breakfast Bytes email.

.