In the field of automotive electronics, the year 2011 was a long time ago. So, it is about time that the initial ISO 26262 specification that was adopted back then gets an update. The latest version will be known as ISO 26262:2018 and will expand the scope of the original to cover more types of vehicles. It will also add an entire section on semiconductors. This is good because the existing standard left many questions open about best practices for semiconductor design.
The original specification only applied to passenger vehicles with a maximum gross weight of 3,500 kilograms. The weight limit is being eliminated and the spec adds other vehicles such as trucks, buses, and even motorcycles. The 2011 version applied to automotive electronic systems, but had little to say about semiconductors or the tools used to develop them. Very often this created confusion for chip developers and even more so for IP providers. ISO 26262 was really a system-level specification, and sub-components could not be certified. Individual ICs became what is known as a Safety Element Out of Context (SEooC). I have attended many technical panels where the participants tried to parse the implications of the 2011 standard in this regard. Hopefully the 2018 standard will add clarity here.
It is impossible to talk about semiconductor quality if we do not include the tools used to design and verify them. The 2018 version enumerates four different methods that can be applied to help qualify tools. The level needed depends on the characteristics of the tool as used in the flow. So-called Tool Confidence Levels come from a determination of two inputs. The first is Tool Error Detection (TD1-TD3), with TD1 being a high degree of confidence that the tool can detect an error. The second is Tool Impact (TI1-TI2), with TI1 being no chance that a tool malfunction can lead to a design failure. There is a matrix that combines these two factors into the Tool Confidence Level (TCL1-TCL3). When looking at the precautions necessary for a given automotive function, the ASIL of the function has to be factored in.
Mentor has put together a useful white paper on the updates in ISO 26262:2018. Included in this are some tables that help map out the effort recommended on tool qualification, given the inputs of TCL and ASIL. See the figure below from their white paper.
It’s important to acknowledge that the tools used to design electronics for automotive use are an essential link in the quality chain. Over the decades that I have been involved with design tools, there has been an evolution from what you might call the early frontier days to what is now a fairly sophisticated approach to tool and tool result quality. This has largely happened through pressure from customers. Of course, tool vendors have also been willing participants in this activity; witness the ISO 9000 push years back. Through all of this, tool customers have learned and adapted in order to get their job done, namely to produce reliable chips.
Better tool qualification helps everyone, so having ISO 26262 with its automotive origins providing the catalyst is not a bad thing. Maybe now that chips are being used in applications where failure could be life-threatening, it is more than just a good thing. Tool vendors like Mentor have invested and will continue to invest in improving their tools to meet the new higher standards. It’s good to see them engaging in the public conversation around the ISO 26262 standard, and the upcoming related standards for fully autonomous vehicles. If you want to give their white paper a full read-through, it can be found on their website.