ISO 26262: Feeling Safe in Your Self-Driving Car
The word “safety” can mean a lot of different things to different people, but it’s a word we hear frequently when the topic involves automobiles. In contrast, “functional safety” has a long-established meaning in the design of electrical and mechanical systems: an automatic protection mechanism with a predictable response to failure. When a critical component fails, a functionally safe car either compensates and continues to operate properly or shuts down in a safe manner (such as slowing down and pulling off the road).
The ISO 26262 standard lays out functional safety requirements for anyone designing an electrical or electronic system for use in road vehicles. I’ve been seeing many more references to ISO 26262 in the last few years, partly driven by the intense interest in self-driving cars. If some part of a traditional steering system has problems, in many cases the driver can take corrective action. But if the car is driving autonomously and the electronic steering system fails, there may not be time for a human to react. In some vehicles, there won’t even be manual controls available at all.
The latest news I saw on ISO 26262 was an announcement that the IDesignSpec Suite of software products from Agnisys has been certified to meet this standard. I wasn’t quite sure what this means and why it matters to chip designers, so I had one of my periodic chats with Agnisys CEO and founder Anupam Bakshi. He started by noting that ISO 26262 is not specific to self-driving cars, or even to cars in general, because it also applies to trucks, buses, heavy equipment, and more. It spans quite a wide range of vehicles and is important to several industries. Of course, the more safety-critical the application, the more the standard matters.
Anupam explained that the ISO 26262 document is huge, with many sections covering diverse topics related to the way that vehicular electronic systems and subsystems are designed and verified. One of these topics involves the electronic design automation (EDA) tools used by engineers to develop the arrays of sensors, chips distributed throughout the frame, complex wiring harnesses, and sophisticated central processors in modern automobiles. The standard mandates that these tools be qualified to ensure that they neither introduce errors into the design nor fail to catch errors during verification.
This sounds like a significant burden on car companies, and Anupam noted that it indeed can be. However, it turns out that an EDA vendor has the option to qualify its own tools and minimize the effort required by its customers. The car designers don’t just take the vendor’s word for it; there’s an entire ecosystem of testing organizations that do extensive investigation of tools, tool flows, and the processes and people used to develop them. One of the most highly regarded such organizations is TÜV SÜD, which provides testing, inspection, and certification solutions worldwide for a number of important standards.
That’s what this announcement is all about. TÜV SÜD has certified that the Agnisys software products and development flow have achieved the stringent tool qualification criteria defined by ISO 26262. Anupam filled in some more details for me. Agnisys is certified to meet any Automotive Safety Integrity Level (ASIL) in the standard. Agnisys is also certified as meeting IEC 61508, a fundamental industrial functional safety standard that underlies ISO 26262 for vehicles and corresponding safety standards for several other industries.
Anupam read me the wording on the certificate, which includes the statements “qualified to be used in safety-related software development according to ISO 26262” and “suitable to be used in safety-related development according to IEC 61508.” I asked him how much effort it took to achieve this level of qualification, and he said that it was quite an involved procedure. The process of certification by TÜV SÜD included a series of audits of the Agnisys organization and tool development processes in addition to the assessment of the tools themselves. The evaluation spanned such topics as:
- Software development process
- Quality assurance (QA) measures
- Configuration and release management
- Product verification and validation
- Customer support
- Bug reporting procedures
- Company “safety culture”
So why is this important for the users of Agnisys tools? The certification means that developers of intellectual property (IP) and complex system-on-chip (SoC) devices using application-specific integrated circuit (ASIC) or field-programmable gate array (FPGA) technology do not have to qualify or certify the Agnisys products in their flow themselves. Agnisys provides the IDesignSpec Tool Qualification Kit (TQK), which users can submit directly as the evidence for the tool evaluation step required by ISO 26262. This saves a big chunk of time and effort in the IP or chip development process. Using pre-qualified tools makes it easier to satisfy automotive system designers who insist that their silicon suppliers meet the standard.
I asked Anupam whether he already has customers designing automotive chips, and he said yes, including huge supercomputer-class artificial intelligence (AI) processors for autonomous vehicles. He noted that the qualification covers the full IDesignSpec Suite, with twelve products specifically called out on the certificate. He closed by saying that he was really proud of his team for delivering such high-quality products and successfully completing the rigorous inspection and assessment process. I encourage everyone doing safety-critical designs to find out more at https://www.agnisys.com/iso-26262-compliance/.