Season 3 - Episode #4 - The ISO26262 Digital Conference
With the ever growing importance of functional safety in automotive silicon, the ISO26262 standard has never been more important. However, it still doesn’t have the cross industry understanding it should have to keep automotive compute moving forward.
On the 24th and 25th March, The ISO26262 Digital Conference was hosted by a cross industry group called the 26262 club. The event unpacked and expanded the knowledge of ISO26262 and how it can be applied to the benefit of everyone’s safety. We speak to David Higham, the Senior Principal Functional Safety Engineer at Imagination Technologies, and member of The 26262 Club. He is also on the organising committee for the conference.
The conference is run as a not for profit endeavour, donating any funds received to STEM programmes aimed at encouraging young people of all races, genders and backgrounds to get involved in STEM and specifically computer science. We find out what The 26262 Club’s goals are, the topics that were discussed at the event and why ISO26262 is a fundamental next step across the industry for automotive compute.
For anyone who would like to know more about the ISO26262 standard, all the presentations from the digital conference are now available to download for free at www.the26262club.com/digitalconference.
Dave Higham – Imagination Technologies - transcript
Q: Could you tell our listeners a little bit about yourself, your background and your role at Imagination Technologies?
I've got over 30 years’ experience now in real-time embedded systems development, primarily in automotive. I started off in developing power trains as a system engineer and systems engineering has been one of my passions throughout my career.
I have worked at various places, and I’ve had a fair share of different suppliers within the supply chain for automotive. Back in 2004 I had an opportunity to become a Head of Functional Safety, taking on the mantle of pushing this new standard, 26262, which hadn't been published yet, absorbing the information and getting involved with its publication, and the various working groups in the UK and internationally, and rolling it out.
I was involved in the evolution of the process and also the implementation at a product development level. So, I have been very much hands on with the standard. I moved laterally to Imagination Technologies, providers of hardware IP for graphics processing units (GPUs), neural network accelerators, CPUs and Ethernet packet processors.
So we've got a strong automotive presence and obviously if you're in the automotive sector, and it's safety related, then you've got to be compliant with ISO 26262. So I’ve been involved in aligning the company's processes and ways of working with ISO 26262 - working with a small team, but also the wider engineering and management team to make sure we've got the right culture and the right capability. System engineering fundamentally underpins everything that ISO 26262 is about, and perhaps that’s a message that is not that clearly understood.
Q: For any of our listeners that perhaps aren't aware, could you perhaps explain a little bit more around the standard and what its implications are?
The standard was initiated around 2005. And really, it was initiated because the automotive industry didn't really have a domain specific functional safety standard. There was a parent standard, of course, 61508, that had been knocking around for a few years, but really the automotive industry wanted to have its own domain safety standard.
There has been some work going on with MISRA who provided some guidelines on this, but really that didn't take as much traction as expected. And so, various international and national standards bodies got together and started drafting ISO 26262. It was first published in 2012, so after around six or seven years of development, we had our first international standard which covers the development of electronics hardware and software based around the understanding of the risks associated with failures of those systems.
It starts at a vehicle level where we try to appraise, analyse and assess the consequences of failures of particular systems in vehicles, whether it be the power train, steering or brakes, more traditionally, to more recently, ADAS and AV systems. It then tries to estimate an associated risk i.e. a level of harm exposure and controllability. From that we have automotive safety integrity levels (ASIL) risk levels which allow us to allocate process rigour appropriate to the ASIL level so that we can then work out a set of processes to develop requirements for a product, implement those requirements and test those requirements to ensure we get the behaviour that we expect.
ISO 26262 is a risk-based standard. It's process driven and doesn't prescribe technical solutions, but it's very much about laying a foundation where companies can work out appropriate methods and safety measures - whether it's a process measure or a technical solution within a product - to address the risks associated with failure of the products.
Q: Since it came into being has the ISO 26262 standard evolved with the changes in the industry?
The first edition was in 2011, with a second edition being published in 2018, so in those intervening years there were various different discussion groups who discussed what we do to address those changes within the industry. As a result the working group created something called SOTIF which is safety of the intended function. The standard looks at the failures associated with the software and hardware, but it doesn't really address the shortcomings of the actual nominal function. So SOTIF was really targeted at the emerging challenges that we've got with regards to ADAS and autonomous vehicles.
So that was really trying to address, at a relatively high level, how we address the shortcomings of technologies, whether it's shortcomings within sensor technology, the boundary of technical capabilities of a lidar or a camera sensor etc. And to be able to identify the biggest set of known unknowns, where we have a complete as possible picture of the operating environment. So to answer your question, ISO 26262 has evolved to some extent, with the emerging autonomous vehicles and ADAS but it's been expanded in scope by this SOTIF standard which is ISO which was published last year.
Q: Despite the standard being ever more important, it doesn't currently have the cross industry understanding that it perhaps should have, so could you explain some of the reasons behind that?
The standard really did evolve from the traditional systems I mentioned - power train, steering, brakes etc, but as more companies enter the automotive space with the growth of autonomous vehicles, I think, we find that there's always people learning and unfortunately, from a standards perspective, it's quite a textual rich document (and I'm trying to be positive here), it is written really well. However, there's a level of interpretation that's required with a level of understanding. Terms and definitions that can always be misinterpreted so there's always different interpretations, and I'm not saying that all our interpretations are equal (some of them are right and some of them are more right than others). But what that’s led to is a need for clarification, and a need to understand the experience of how you actually address these things.
Because the standard really scratches the surface and provides a framework and a guideline. It's not a recipe book, it doesn't say mix these two things together and you'll get a certain result. It does require brainpower, and to quote one of my colleagues who I've worked with on the standard, you've got to engage brain, and that is really one of the fundamental things - it does require engineering rigour, it’s not going to provide the answers on a plate. And that's why we always have this need to improve understanding, learn from people's experiences, but also adapt it to the technical trends that are emerging with ADAS and autonomous vehicles.
Q: Tell us about the ISO 26262 Club
There were eight people on the organising committee for the club and we've worked together on various conferences. We got together before the end of last year to discuss whether there was a need to provide the wider automotive safety fraternity with some added knowledge. So we reached out to some of our contacts and acquaintances and we thought that there was a need.
We pitched it as a not-for-profit and we set it as a club, and we really wanted to get people's engagement to provide questions and input up front. What I've been doing is working with these colleagues to identify potential people who could come and speak, and subject areas we could provide workshops on.
At the conference we have four or five workshops at the end of the day, where we could focus on specific subject matter, to provide people with some of the real hands on experience that we felt that they might benefit from. We got some very useful sponsorship, which helped us present a professional front end.
So we used a third party to host it, through Zoom and we also got a Slack channel going, so we could provide some real-time feedback and Q&A to enhance the workshops and the presentations that were going on. Germany and the UK were the main contributors to this and we’ve had a lot of experts involved in the organisation but more importantly, we were able to get a lot of people who were actively involved in the standard (various leaders of parts within ISO 26262) coming to speak, to get involved in panel sessions etc, so it really gave an opportunity for the audience to get a first-hand response from people actively involved in authoring the standard.
I think we did a really good job and from the feedback we've had and the engagement during the conference, I think it went really well.
Q: What were the outcomes of the conference?
There were four themes to the conference. We had 20 minute presentation sessions where we had various individuals who were asked to come forward to present. And those covered cross industry lessons learned (not specifically automotive), it was to try and provide some input from other industries. So we had some keynote speakers from York University, and various research projects, who gave us some oversight on what's happening in other industries regarding AI. One of the focuses for the presentation sessions was for updates from the ISO Working Group, not just for 26262, but also from SOTIF with cyber security and other initiatives that are happening within the safety standards ecosystem.
That was quite useful because what we're seeing today is quite a lot of standards merging, and one of the challenges that we've got as users of those standards, is how do they all link together, and how do they translate across each other. The third part of the presentation sessions was really to get some user experiences of implementation of 26262, so we collated the best of the best cases for implementing challenging aspects of the standard of how companies go about broaching certain aspects, whether it's from a verification perspective, analysis perspective etc, and we have a couple of sessions on techniques for analysis of systems, to help us identify some of the hazards and derive some of the requirements that we need from our systems. We then had panel sessions, where we identified key players within the automotive safety arena - bringing those individuals in to ask questions in chaired panel sessions etc.
So, there was a whole range of stuff and it's actually amazing how we managed to pack so much into two six hour sessions. I personally think the online format worked really well, with the Slack channel providing another avenue for discussion. It also gave people the opportunity to jump in and out. We priced it around €70 which gave people the opportunity to jump into things that they found were interesting but then go back to work for some of the other things – so keeping it online provides a bit of flexibility. Whether we will do it next year? We do have a plan to discuss it so we're going to get together in a few months' time, and we’re also putting out a few newsletters to keep the club going.
Q: What will be the role of ISO 26262 going forward?
The standard provides the foundation for achieving safety in a vehicle, and the safety of the components and systems of the vehicle. I do think that the likes of SOTIF will bring a more vehicle level safety perspective to the engineering of safety within vehicles. So it's going to be the cornerstone. And it’s going to be that foundation that all suppliers in the automotive industry will have to reference and demonstrate they've got capability of delivering to, from a compliance perspective. As it moves forward there are early discussions now into the third edition of the standard.
So we've got seven or eight candidate subjects which will try to address some of the challenges we face, such as the reuse of complex software, and how we might be able to address stored energy within electric vehicles etc. So there we've got some various different topics to think on, not to mention EVs and the complexity of distributed systems. The phrase system of systems is often used, and that's really what an EV system is about. So I think in the third edition there's going to be some changes and the great thing about being involved in this, is that it does have a five year cycle for us to be able to address the challenges, get feedback from the industry, look at the new challenges from a technical or organisational perspective, and then adapt the standard to satisfy those needs.
Q: Funds raised at the conference were donated to STEM programmes
We are all volunteers and we're not conference organisers – we’re just people who have a passion to help others. So we wanted to cover our costs, but we had a few thousand Euros left over so we’re providing a scholarship. One of the members of the organising committee works at the Technical University of Rosenheim. And we’re going to sponsor two candidates who are going to work within the automotive industry, looking specifically at the challenges for safety, from a compute and an AI perspective. They’ve not been awarded yet, and we’re currently looking for candidates. We want to use that as an encouragement for people to go into that sphere of automotive research and development, and specifically automotive challenges for AI.