ISO 26262 – This Changes Everything

Conference: DVCLUB Europe: SAFETY (Nov 2016)
Speaker: John Brennan
Organisation: Cadence Design Systems, Inc.
Presentation Title: ISO 26262 – This Changes Everything
Abstract: ISO 26262 is an international standard for the functional safety of electrical and/or electronic systems in production automobiles, and is the first standard of its kind that will drive significant change for both EDA and silicon suppliers. Like its parent superset, IEC 61508, ISO 26262 is a risk-based safety standard – something EDA has not dealt with in the past. In simple terms, risk metrics are qualitatively assessed and safety measures are defined to avoid or control systematic failures, and to detect or control random hardware failures, or to mitigate their effects. This is metric-driven verification (MDV) on steroids. With ISO 26262 moving into the spotlight for automotive functional safety, Cadence has seen more questions and confusion than answers, and discussions are emerging around the application of the standard to actual silicon designs for automotive systems. We know, based on actual adoption in production environments, that this standard will have a significant impact on us in terms of tools, methodology, metrics, documentation, traceability, process and ecosystem communication.

The good news is for most MDV environments, ISO 26262 is fairly manageable on the verification aspect. The bad news is that no matter how you cut it, this is more work and changes everything. ISO 26262 Part 5 is focused on product development at the hardware level, and specifies the safety activities during the phase of the automotive hardware development. In this phase, hardware safety design is planned, implemented, integrated, and tested.

To prove safety integrity compliance in the hardware development process, quantitative evaluations of the hardware are required. These quantitative evaluations are new functional and safety metrics which must be both statistically estimated and measured, and both must be correlated with the assessment results. The assessment results qualify a design with an Automotive Safety Integrity Level (ASIL), which ranges from ASIL-A (lowest) to ASIL-D (highest). In this tutorial, we will explain the scope of ISO 26262 and provide guidance on the most important attributes of the standard specific to the verification flow. Both the flow and the tool become certifiable assets and part of the safety integrity analysis. Emphasis will be placed on what needs to be done and why, rather than how.
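To make the "quantitative evaluations" concrete, the following added example (not code from the talk, Cadence, or the standard) computes the two ISO 26262-5 hardware architectural metrics, Single-Point Fault Metric (SPFM) and Latent Fault Metric (LFM), from a small constructed FMEDA table and checks them against the ASIL B/C/D targets published in ISO 26262-5. The per-element split of the failure rate into single-point/residual, multiple-point latent and safe portions uses a common simplification (base FIT × safety-related fraction × diagnostic coverage); the element names, FIT values and coverage figures are invented, and PMHF is not modelled.

```python
"""Simplified ISO 26262-5 hardware architectural metric calculator.

Added example; not the presenter's, Cadence's or the standard's code.
The FMEDA rows are constructed. The SPFM/LFM thresholds are the ASIL
targets of ISO 26262-5 (SPFM: B >= 90 %, C >= 97 %, D >= 99 %;
LFM: B >= 60 %, C >= 80 %, D >= 90 %).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Element:
    name: str
    fit: float          # base failure rate in FIT (failures per 1e9 hours)
    sr_fraction: float  # share of failures that could violate the safety goal
    dc_residual: float  # diagnostic coverage against residual faults (0..1)
    dc_latent: float    # diagnostic coverage against latent multiple-point faults (0..1)

    def rates(self) -> Dict[str, float]:
        """Split the base failure rate into the ISO 26262-5 fault classes
        (simplified model: coverage applies proportionally to the rate)."""
        lam_sr = self.fit * self.sr_fraction          # safety-related portion
        lam_safe = self.fit - lam_sr                  # cannot violate the safety goal
        lam_spf_rf = lam_sr * (1.0 - self.dc_residual)  # single-point + residual
        lam_mpf = lam_sr - lam_spf_rf                 # covered by a safety mechanism
        lam_mpf_latent = lam_mpf * (1.0 - self.dc_latent)  # not detected/perceived
        return {
            "safe": lam_safe,
            "spf_rf": lam_spf_rf,
            "mpf": lam_mpf,
            "mpf_latent": lam_mpf_latent,
        }


# Targets from ISO 26262-5, highest ASIL first.
SPFM_TARGETS: Tuple[Tuple[str, float], ...] = (("ASIL D", 0.99), ("ASIL C", 0.97), ("ASIL B", 0.90))
LFM_TARGETS: Tuple[Tuple[str, float], ...] = (("ASIL D", 0.90), ("ASIL C", 0.80), ("ASIL B", 0.60))


def asil_met(value: float, targets: Tuple[Tuple[str, float], ...]) -> str:
    """Return the highest ASIL whose target the metric value satisfies."""
    for asil, threshold in targets:
        if value >= threshold:
            return asil
    return "no ASIL B-D target met"


def hardware_metrics(elements: Iterable[Element]) -> Dict[str, object]:
    """SPFM and LFM over all safety-related hardware elements (ISO 26262-5 Annex C forms):
    SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
    LFM  = 1 - sum(lambda_MPF,latent) / (sum(lambda) - sum(lambda_SPF + lambda_RF))
    """
    elements = list(elements)
    total = sum(e.fit for e in elements)
    spf_rf = sum(e.rates()["spf_rf"] for e in elements)
    latent = sum(e.rates()["mpf_latent"] for e in elements)
    spfm = 1.0 - spf_rf / total
    lfm = 1.0 - latent / (total - spf_rf)
    return {
        "total_fit": total,
        "residual_fit": spf_rf,
        "latent_fit": latent,
        "spfm": spfm,
        "lfm": lfm,
        "spfm_asil": asil_met(spfm, SPFM_TARGETS),
        "lfm_asil": asil_met(lfm, LFM_TARGETS),
    }


def worst_residual_contributor(elements: Iterable[Element]) -> str:
    """Name of the element contributing the most single-point/residual FIT,
    i.e. where an added or stronger safety mechanism would raise SPFM the most."""
    return max(elements, key=lambda e: e.rates()["spf_rf"]).name


# Constructed FMEDA rows (hypothetical block names and figures).
SAMPLE_FMEDA: List[Element] = [
    Element("cpu_core", fit=100.0, sr_fraction=1.0, dc_residual=0.99, dc_latent=0.90),
    Element("sram", fit=200.0, sr_fraction=1.0, dc_residual=0.99, dc_latent=0.95),
    Element("clock", fit=20.0, sr_fraction=1.0, dc_residual=0.85, dc_latent=0.50),
    Element("debug_if", fit=50.0, sr_fraction=0.0, dc_residual=0.0, dc_latent=0.0),
]


if __name__ == "__main__":
    m = hardware_metrics(SAMPLE_FMEDA)
    print(f"SPFM = {m['spfm']:.4f} -> {m['spfm_asil']}")
    print(f"LFM  = {m['lfm']:.4f} -> {m['lfm_asil']}")
    print("largest residual contributor:", worst_residual_contributor(SAMPLE_FMEDA))
```

With these constructed figures the design reaches ASIL C on SPFM but ASIL D on LFM, and the small clock block with only 85 % residual coverage is the largest single-point contributor, which is the kind of gap a statistical planning calculator exposes before any fault simulation is run.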

The talk will highlight functional safety measurements and their closely related functional verification counterparts, because, as we have seen in production, augmenting the functional verification aspects with functional safety aspects minimizes duplication of effort. Further, if you are able to use specialized, built-for-purpose tools such as statistical calculators for planning, formal for fault collapsing, and accelerators for measuring transient faults, flow productivity is substantially improved. Lastly, as users will attest, having the right tool support for ISO 26262 can become an essential asset for the verification of devices that are intended for use in a safety-critical application.

While not intended to be a cookbook (that would take several days), this talk will reflect on the interdependencies between the verification tools and the ISO 26262 standard, providing clear visibility into what the new verification environments need to look like and why.

  • ISO 26262 defines a new aspect of verification – functional safety
  • Functional safety is not only important in automotive, but also for consumer products where the cost of failure is too high
  • The technology and methodology enabling automation in this area is new, but tools are available today for developers

Speaker Bio: Product Management Director at Cadence Design Systems for the past 16 years, focused on verification and, more recently, functional safety.
