Sensors

Playing it safe

3rd March 2016
Joe Bush

Steve Rogerson looks at the effects of automotive functional safety standard ISO26262 at component level.

The arrival of the ISO26262 functional safety standard for automotive is causing headaches not just for the car manufacturers and their tier one suppliers, but right the way down the supply chain.

At every stage, suppliers and manufacturers not only have to meet the safety requirements of the standard but produce documentation to prove that is the case.

This is causing both technical and administrative difficulties for companies, even for the manufacturers of the basic components that will make up a system. Whereas once they could just supply qualified components, they now need to work closely with the companies that will integrate these components in subsystems and larger modules to understand how they will fit into the final product – the car.

This is because the standard defines automotive safety integrity levels, or Asils, ranging from A to D - Asil D is the top level where failure could lead to the loss of life or serious injury. All components have to be documented in the associated safety manual for the required Asil.

However, as Roger Forchhammer, Applications Manager at ST Microelectronics pointed out: “If it is an Asil D system, every component within it doesn’t have to be Asil D, though that can be an easy way out.”

A serious situation

The situation is being taken seriously at ON Semiconductor, where it has a complete ISO26262 functional safety team with individuals supporting automotive activity within the various business units.

“We are committed to ISO26262 in all our divisions,” said Lance Williams, ON’s Vice President of Automotive Strategy. “This includes not just manufacturing but the whole safety lifecycle from development right through to production.”

Part of this process is developing a common language that works all the way up and down the supply chain so designers understand each other.

“We could be a tier three that supplies a tier two that builds a PCB, then supplies it to a tier one that makes a module and supplies it to an OEM,” said Williams. “Through this design process, you need a common language so everyone knows what is the hazard and what you are protecting against.”

This comes into play as electronic components do not work in isolation but interact with other components and systems. This means extra work for the design team.

“We have to consider not just what happens if our part fails but what happens with our part if one of these other components fail,” said Intersil Applications Manager Tony Allen.

Forchhammer added: “We have to work closer with the customer. You need input and understanding from the system level of safety goals and from them the safety requirements, and these have to be translated to hardware, software or a mix of the two. It is best to have the voice of the customer to make sure you meet the expectations.”

Big changes

However, the biggest change is in the product specification and development stage where the Asil analysis has to become part of the process - this cannot be left to the design stage.

“You have to look at how the parts will comply with an Asil analysis,” said Allen. “Parts are developed with a safety analysis document. But ISO26262 is more than that. It is about the whole manufacturing design. We haven’t got that in place yet. We are making sure the parts meet the Asil requirements.”

Jason Chiang, Senior Marketing Manager at Microsemi, said the standard had involved a rethink of platform design.

“They can’t just design a system and put in components and then look at certification,” he said. “Everything is more up-front now for safety design. It is a shift in corporate culture.”

This was picked up by Kyle Fabris, Automotive Functional Safety Engineering Manager at Linear Technology. He said: “ISO26262 really enforces a safety culture to every aspect of design, right down to the IC.”

He said at the IC level there was a lot that companies could do to help the tier ones and OEMs with their safety goals. This involves designing the chips so they can handle a wide variety of use cases. “The more we put in, the better it is,” he said.

Chiang added: “We have to think as a whole, not just at product level. We have to look at how we design the product and document the usability of the product for safety.”

This means documenting clearly how the customer can use the product for safety applications and the risks the product brings with it that have to be integrated into a safety critical design. For legacy products, this can mean going back and redoing the documentation with safety in mind.

“For new products, we do that up-front,” said Chiang. “For next generation products, there will be additional safety processes such as temperature sensors, validity checks and so on. We can look at how the silicon is optimised for this. We are working with automotive customers to understand their system level requirements.”

Fabris added: “Documentation has increased, and that is throughout the process of the design, not just at the end. There are lots of things that have to be in the documentation that help the customer use the part.”

Because ISO26262 is a top down standard, it allows for the use of what it calls safety elements out of context (SEooC). This is a boost for component suppliers as it means they don’t always need a full knowledge of how the part will be used. However, all assumptions must be documented.

“It means we can design to a set of requirements based on an assumed area that the part is going to be used in,” said Fabris.
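The two ideas above, a validity check built into the part (the “temperature sensors, validity checks and so on” Chiang mentions) and a safety element out of context designed against documented assumptions of use, can be illustrated together in code. The following C fragment is an added example written for this article; it is not code from any of the companies quoted, and every threshold, name and limit in it (the assumed supply range, junction temperature limits and the stuck-at limit) is a constructed assumption of use, written down at the top of the file in the way the SEooC approach requires, rather than a value taken from a real safety manual.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumptions of use for this hypothetical sensor front end.
 * In an SEooC these are the documented assumptions the integrator
 * must confirm; the values here are constructed for illustration only.
 */
#define ASSUMED_VIN_MIN_MV   4500   /* lowest valid input the integrator will supply   */
#define ASSUMED_VIN_MAX_MV   5500   /* highest valid input the integrator will supply  */
#define ASSUMED_TJ_MIN_C      -40   /* junction temperature range the part is rated for */
#define ASSUMED_TJ_MAX_C      150
#define ASSUMED_STUCK_LIMIT     3   /* identical consecutive samples before "stuck" is reported */

/* Diagnostic result reported to the integrator instead of a silent wrong value. */
typedef enum {
    SENSOR_OK = 0,
    SENSOR_FAULT_RANGE,      /* input outside the assumed valid range          */
    SENSOR_FAULT_OVERTEMP,   /* junction temperature outside the rated range   */
    SENSOR_FAULT_STUCK       /* reading has not changed for too many samples   */
} sensor_status_t;

/* Per-channel state kept between samples for the stuck-at check. */
typedef struct {
    int32_t last_sample_mv;
    uint8_t repeat_count;
    bool    initialised;
} sensor_state_t;

void sensor_state_init(sensor_state_t *st)
{
    st->last_sample_mv = 0;
    st->repeat_count = 0;
    st->initialised = false;
}

/*
 * Validate one sample against the documented assumptions of use.
 * Temperature is checked first: outside the rated range no reading is trusted.
 * A range fault resets the stuck-at history so a later valid sample starts clean.
 */
sensor_status_t sensor_validate(sensor_state_t *st, int32_t sample_mv, int32_t junction_temp_c)
{
    if (junction_temp_c < ASSUMED_TJ_MIN_C || junction_temp_c > ASSUMED_TJ_MAX_C)
        return SENSOR_FAULT_OVERTEMP;

    if (sample_mv < ASSUMED_VIN_MIN_MV || sample_mv > ASSUMED_VIN_MAX_MV) {
        st->repeat_count = 0;
        return SENSOR_FAULT_RANGE;
    }

    if (st->initialised && sample_mv == st->last_sample_mv) {
        if (st->repeat_count < UINT8_MAX)
            st->repeat_count++;
    } else {
        st->repeat_count = 0;
    }
    st->last_sample_mv = sample_mv;
    st->initialised = true;

    if (st->repeat_count >= ASSUMED_STUCK_LIMIT)
        return SENSOR_FAULT_STUCK;

    return SENSOR_OK;
}

/* True when the integrator's system should move to its safe state. */
bool sensor_requires_safe_state(sensor_status_t status)
{
    return status != SENSOR_OK;
}

int main(void)
{
    /* Constructed sample sequence: valid, out of range, overtemperature, then a stuck channel. */
    const int32_t samples_mv[] = { 5000, 6000, 5000, 5100, 5100, 5100, 5100 };
    const int32_t temps_c[]    = {   85,   85,  160,   85,   85,   85,   85 };
    sensor_state_t st;
    sensor_state_init(&st);

    for (size_t i = 0; i < sizeof samples_mv / sizeof samples_mv[0]; i++) {
        sensor_status_t s = sensor_validate(&st, samples_mv[i], temps_c[i]);
        printf("sample %ld mV @ %ld C -> status %d, safe state %s\n",
               (long)samples_mv[i], (long)temps_c[i], (int)s,
               sensor_requires_safe_state(s) ? "yes" : "no");
    }
    return 0;
}
```

The point the example makes is the one the article's sources make in prose: the part does not decide what the vehicle should do about a fault, it detects the fault against assumptions that are written down and hands the integrator an unambiguous status to act on, which is what lets the same silicon be reused across systems at different Asil levels.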

Other standards

For companies supplying products to automotive, complying with strict standards is not new, with the AEC standards being a good example. For many of these companies, the advent of ISO26262 has meant little change to the product but an increase in documentation and testing to ensure that it meets safety critical requirements.

“We have been doing AEC-Q200 testing,” said Ron Demcko, a fellow at AVX. “That requires very specific environmental and life tests for any part used in the automotive arena. It involves a very large amount of data.”

He said that while ISO26262 was a system level specification, it did bring with it requirements for fail-safe circuitry.

“This means we have to have passive components, for example, that even if they are driven over-spec with no fault of ours, they still have to function,” he said. “We have developed capacitors that if they are driven into a failure, they will still work. That is because if you have a self-driving car or a crash avoidance system, they can’t afford to lose performance due to a component failing.”

IP

The standard also affects companies such as ARM, which provide the IP rather than making physical products. This was why, just over a year ago, the company started bringing out safety packages for its cores. These provided much of the documentation that its silicon partners could use to help meet ISO26262 requirements.

However, Chris Turner, ARM’s Director of Advanced Technology, said the standard was “not a game changer for us” as many of the safety elements needed were already incorporated in the core designs.

“There are features to detect and control faults,” he said. “We have had features such as these for a long while. And we have evolved. Newer processors have more such features. What the standard requires is for us to demonstrate to our customers and our customers’ customers that we can do all these things properly.”

And he said that ARM was involved in the production of the second generation of the standard to make sure more of the IP business model was included. “We are already ahead of the game,” he said.

Cost

The extra design and documentation burden of ISO26262 obviously comes at a cost, but suppliers have mixed views as to how much this is, and whether it is something that should just be absorbed into the design and production flow on the grounds that it will save money in the long run.

Williams at ON Semiconductor, for example, believes there is “easily” 30% more effort and time for producing an Asil product. However, he said that moving a standard product to Asil would not involve an extra charge to the customer, but building an ASIC from scratch that did have to meet an Asil would cost more.

Allen from Intersil said: “There are additional mechanisms on the chip to do the diagnostics and so on, but you can get a lot of safety for little cost by thinking about how you design the part.”

Fabris agreed: “The die size has increased because we have to add diagnostic type circuitry. We are adding functionality that lets the customer reduce their overhead from a system perspective.”

Forchhammer added: “It has had an impact on physical cost - the cost of the silicon. The complexity has increased and that increases the risk and the potential for errors, and that translates into engineering costs. The documentation adds time to the process.”

And Chiang from Microsemi said: “There is a cost to get this implemented but long term it establishes a process that can be replicated and will pay for itself.”

Conclusion

As car makers add more driver assistance features to their vehicles, allowing them to take more control from the driver, then the issues of safety become increasingly important. ISO26262 is the first step on the way to ensuring that functional safety is considered, not just as an add-on at the end, but right the way through the process from concept to final production. Component manufacturers are now having to grapple with issues that were normally left to people further up the design chain. The result, hopefully, will be fewer deaths on the road, as that ultimately is what it is all about.

© Copyright 2024 Electronic Specifier