Functional Safety Standards for Automotive Products

Mobility is one of the major benefits of our modern society. Many years ago, travel was only possible over short distances with uncomfortable means of transport, while today moving from A to B has become very easy through multiple conformable means of transport. The downside is that the number of people getting injured or losing their life due to this mobility has also increased dramatically for reasons mainly attributed to the human driver but also due to malfunctions of the means of transport itself. Traditionally, the human factor was tackled through education or surveillance (co-pilot in airplanes or law enforcement officers) and the main emphasis has been on reducing as well as mitigating the effect of malfunctions. This blog describes the evolution of such activities focusing on the automotive domain (primarily passenger cars).

Era 1

Passenger cars have been produced across the globe for many years and, initially, developers had no supporting guidance to judge when a vehicle was fit for purpose. Each car manufacturer, or even each team working on a given car model, had its own proprietary method to set its acceptance criteria and the risk both in terms of legal consequences of accidents and financial in case a re-call had to be triggered. In the case of a legal dispute, there was no easy way to decide if the technical solution was fit for purpose or not. Often, juries were supported by technical experts or even sometimes resorted to comparing different solutions in the market.

In this Era 1, the development and commercialization of cars were possible but with high effort and risk.

Era 2

Between 1998 and 2000, the first international standard looking into “functional safety” was released by the International Electrotechnical Commission - the IEC 61508. This captured the general experience of the community, then set a so-called state-of-the-art to follow in the development of safety-critical products. Although this was originally created to help the non-automotive community, it was adopted also for automotive products being the only available reference.

The key target of IEC 61508 was to mitigate risks associated with systematic failures (failures caused by bugs introduced in any of the development/deployment steps) and random hardware failures (failures caused by a physical fault on any of the hardware used, including wiring harness/PCBs, either permanent or temporary due e.g., to radiations). IEC 61508, now in its second edition with work underway to create a third edition, was and still is a good standard. However, it was based on a lifecycle and product topology not typical of the automotive sector where many suppliers are involved, space/weight/cost of components is more problematic, pushing for integration, etc. This still caused difficulties for automotive companies to fully follow IEC 61508 and justify their deviations.

This Era 2 had benefits, but it was like trying to fix a screw with a hammer. Also, it still provides insufficient or no guidance for some aspects and leaves room for interpretations for others.

画像

Era 3

To improve the situation, several automotive experts started to work in 2005 on a new equivalent but automotive optimized standard under the International Standard Organization: In 2010, the first edition of ISO 26262 was published, setting a new state-of-the-art for the automotive market. This finally provided the automotive community with a dedicated standard to guide them through automotive-specific safety-related issues. This standard has evolved over the years, and it’s now at its second edition, with the work toward the third edition about to start.

No doubt this Era 3 has seen benefits for the automotive community in terms of defining what needs to be considered and providing legal protection if something goes wrong. However, there are still many issues. Neglecting the cost aspects (are we doing too much?), there is the challenge that ISO 26262 does not offer complete guidance on how a safe product should be developed. It only provides guidance on what should be considered (yes, with some “how”) but:

1. The guidance provided is not still always comprehensive even if now more optimized for the automotive sector
2. The guidance provided can still lead to different interpretations

画像

This has pushed the community to use existing and/or create complementary standards. Just to name a few:

1. Handbooks such as Siemens SN 29500 or IEC 62380 have been used as references to compute FIT rates for hardware components (how likely they are to fail in the field). But such handbooks were not originally created for this usage and IEC 62380 was withdrawn in 2017 and replaced by IEC 61709. However, this is not usable standalone thus creating a gap.
2. New standards such as J2980 from the Society of Automotive Engineering were introduced in 2004 with the aim of creating a common reference to perform hazard analysis and ASIL classifications

This Era 3 was a big milestone for the automotive community providing much better guidance even if leaving some gaps and different interpretations. This can be a problem when considering the different mentalities of engineers across the globe: some engineers are using ISO 26262 as a starting point to develop safe products, while others are merely targeting simple compliance with ISO 26262 with the sole aim of reducing the risk of legal liability. This is potentially also the reason why compliance with ISO 26262 is not a direct legal requirement even to this day, except in a few specific cases.

Era 4

When ISO 26262 was conceived, the typical commercial passenger vehicles were relatively simple with:

1. Traditional applications: steering, braking, internal combustion engine, transmission, lighting, …
2. Traditional development processes: e.g., V cycles with engineers taking care of all steps, with the support of some tools
3. Traditional re-call/updates approaches: e.g., the vehicle had to be taken back to a garage for updates

The reality we live in now is completely different.

1. Electric vehicles are replacing internal combustion engines. We have more advanced ADAS features and even the first deployment and commercialization of Automated Driving (e.g. ALKS, Robotaxi).
2. Agile development process is being adopted more frequently to have quicker turn-around time and phased deployment of features (with, in some cases, also insufficient testing). On top of this, the traditional development process characterized by creating requirements, implementing, testing, etc. is amended in some cases to make use of Artificial Intelligence. This is nothing more than a model trained through examples that are then expected to correctly predict correct behavior in situations not experienced during the training phase.
3. Over-The-Air (OTA) updates are becoming popular not just for convenience (e.g., updating the map of the navigation system) but also for updating and even roll-out of safety-related functions after the start of production.

All of this is considerably revolutionizing the automotive sector, adding a completely different level of risks and, consequently, reducing the aspects where ISO 26262 is providing sufficient guidance. ISO 26262 is becoming a must for addressing the “easy” risks attributed to systematic and random hardware faults, while the other challenges require different solutions and standards. To name a few:

• ISO 21448 “Safety of the Intended Functionality” was introduced in 2019, later updated in 2022, acknowledging that the performance of technology has limits: for example, one type of sensor is not sufficient to mimic the capability of the average human even when free from any systematic and random hardware faults, and a modal diversity is required. ISO 21448 has also increased awareness about the misuse of technologies as it became evident that just education is not sufficient: for example, some of the ADAS functionality can be activated outside of their intended operating condition or increasing human distraction leading to new hazards. This has also triggered the introduction of Driving Monitor Systems.
• Due to the increased connectivity within a vehicle, including wireless access as needed for OTA, and the increased influence that electronic systems can have on the dynamics of a vehicle, there is also an increased risk of having critical safety situations triggered by security attacks. For example, braking or acceleration/steering triggered by a remote hacker. As such, the standard ISO/SAE 21434 was introduced in 2021 and even mandated by regulatory bodies.
• To address the specific challenges associated with automated driving (whose level of automation is well described in SAE J3016, originally created in 2014 and published in 2021 also as ISO/PAS 22736), a group of experts worked on the paper SaFAD　(Safety First for Automated Driving) published in 2020 as ISO TR 4804 and now evolving into ISO TS 5083. In parallel, the first edition of the standard UL4600 got published in 2020 by Underwriters' Laboratories. This is a collection of prompts walking through what should be considered at a minimum when working on autonomous products. The second edition of UL4600 was published in 2022, with the third edition now being worked on.
• The future standards ISO/IEC TR 4569 and ISO PAS 8800 are trying to address challenges when using Artificial Intelligence in safety-related products. The first is intended to be more generic, while the second is more optimized for the automotive sector.
• In terms of Electric Vehicles, specific challenges may require reference back to IEC 61508. To have more specific guidance, the future standard ISO TR 9968 is being prepared.
• Finally, for some emerging applications such as AD, detecting hardware faults when these are happening is not sufficient. Standards such as ISO TR 9839 are being created focusing initially on intermittent faults.

The list above covers only some of the obvious standards that automotive engineers dealing with products that could have a safety impact (most of them!) should be considering and, at least, understand the relevance to their activity. Many more standards exist (e.g., ISO 22737 covering low-speed automated driving systems for predefined routes or SAE J3187 providing a guidance to use STPA, System Theoretic Process Analysis, which is very useful to identify risks in complex systems). Entities such as BSI (British Standard Institute) provide good guidance or ISO/PAS 8926 is created to guide the usage of pre-existing software (i.e., not developed based on safety standards) within an automotive safety context.

画像

Naturally, having so many different standards, especially from different standardization bodies, is confusing for engineers. In many cases, the same group of engineers is involved in the creation of multiple standards, but this is not always the case and is not even a condition. Recently, IEEE initiated the standard P2851 to address the general interoperability issue, and Accellera has a working group trying to create a common data model approach to allow easy exchange FMEDAs across engineers. These activities are now underway, and we still have to wait to judge their contribution.

Renesas believes in the great benefits of standards and the importance of their interoperability. This is the reason we are involved in most of the standards mentioned in this blog. Through our expertise, we help the community develop a good framework for guiding engineers, being directly involved with trends and influencing directions. I am personally very active in international conferences, and I have also joined this year the organizing committee of “the 26262 club” to help the community better.