Paul McLellan
What to Do About IP Developed Before ISO 26262?

14 Sep 2020 • 4 minute read

  If you have paid even passing attention to what has been going on in automotive functional safety, then you'll have heard of ISO 26262. You may even know that chapter 11 is the best! That's the one about semiconductors and semiconductor IP that was added in the second edition in 2018.

If you want a gentle introduction to ISO 26262 then see my blog posts:

  • "The Safest Train Is One that Never Leaves the Station"
  • History of ISO 26262
  • ISO 26262...Chapter 11

At the recent CadenceLIVE Americas, Karol Niewiadomski of SGS TÜV Saar GmbH and Tom Wong of Cadence presented Validating Legacy IPs Against Requirements of ISO 26262:2018 Automotive Functional Safety Standards. You might not have heard of SGS (and it has nothing to do with the SGS that merged with Thomson Semiconductor to form ST Microelectronics). They provide inspection, verification, testing, and certification services. They are big, with 95,000 employees in 2,400 offices and laboratories. SGS-TÜV is focused on functional safety.

ISO 26262 is a methodology for developing new automotive electronics. But let's get real. Lots of automotive electronics existed prior to ISO 26262. It is too expensive to redevelop from scratch using the correct methodology. As Karol pointed out at one point in the presentation, "try going to your microprocessor vendor and asking it to redevelop their product to be ASIL compliant". However, we know these products, whether they are chips or IP, are "safe and reliable" in that there have been no big failures after their having shipped in the millions. And they continue to ship and be sold with no modification.

The challenge is that ISO 26262 part 8 Clause 13 tells us to develop Class III components according to the standard, and to provide evidence of appropriate measures for the avoidance/control of systematic faults. But legacy IP does not fit these options, since it has already been developed.

ISO 26262 divides components into three classes:

  • Class I: Components with no, or only a few, states: resistor, capacitor, transistor
  • Class II: Functionality is black-box verifiable: a fuel-sensor, a standalone ADC
  • Class III: Functionality too complex to be black-box verifiable:
    • Sources for systematic faults can only be understood and analyzed by knowledge about the detailed implementation and the development process
    • Elements with internal safety mechanisms relevant to control or detect internal failures such as an ASIC or ASSP chip

So the big question is how do we adapt these to the post-ISO 26262 world? We are concerned mainly with class III of course, and at Cadence, with semiconductor IP since we don't manufacture production chips (except for our Palladium and Protium products).

You want ASIL-X compliance? Bad luck, ASIL does not allow retrofitting. But legacy IP already exists and will continue to exist for at least several more years, and you want something more than "not ASIL compliant" to show some level of suitability for use in safety-related applications.

ASIL-X READY was created by SGS-TÜV Saar to provide a safety check for legacy IP, especially in light of the fact that ISO 26262 does not allow for retrofitting. The IP goes through a similarly rigorous review and FMEDA analysis, has to meet the metrics for the various levels of ASIL readiness, and is subject to a requirement to produce a safety manual. Of course, this isn't just a label that gets dropped on any piece of IP without any analysis. Evidence for "safety suitability" of legacy IP is a requirement and not all IP will qualify. In more detail:

  • Initial feedback on the robustness of the legacy IP in scope
  • Calculation of SPFM, LFM, PMHF, SFF (see my post ETS2020: Functional Safety for explanations of these terms)
  • Embedded failure mode ranking benchmark
  • Safety manual providing additional information in terms of integration into a safety-related environment

This is as close as possible to everything an IP would undergo for ASIL-X certification, except for actually being designed using an ASIL-compliant process.

That's not to say that how it was designed doesn't matter. The "three Ps of ISO 26262 functional safety activities" are still people, process, and product (see the diagram above).

Tom Wong summed it up for me after the presentation:

There are IP developed prior to ISO 26262. They are in production chips and have shipped in millions. And proven to be “safe and reliable” by virtue that there were no big failures. This had been the case for automotive prior to FuSa. These IP continue to be sold with no modifications.

Due to new requirements for ADAS and autonomous driving chips (AI acceleration chips), customers have asked for ASIL certification even for these legacy IP. What we have done is to get “ASIL-ready” with our IP and provide safety manual and FMEDA report/certificates. We won’t be able to get ASIL-compliant status because retrofits are not allowed.

But going forward, new automotive IP developments will normally be targeted towards ASIL-compliant as opposed to ASIL-ready. Cadence is working towards that goal. This will require the second P = process compliance (documentation, procedures, ISO 9001, etc.)

Learn More

Learn more about our IP family on the Automotive IP Solution Resources page.

 
