In a previous blog I compared ISO 26262 to IEC 61508. In this blog I will concentrate on the new part 11 of ISO 26262. ISO 26262 revision 1 was released in 2010 and, while it had useful guidance on semiconductors, revision 2 takes this to the next level with a full 185-page part 11 dedicated to semiconductors. Much of this content was previously available as ISO/PAS 19451.
For comparison, the main semiconductor guidance in IEC 61508:2010 is spread across 37 pages:
- IEC 61508-2:2010 Annex E – 5 pages
- IEC 61508-2:2010 Annex F – 8 pages
- IEC 61508-2:2010 tables A.1 to A.14 – 8 pages
- Various other parts of IEC 61508-2:2010 – 2 pages
- IEC 61508-7:2010 Annex E (the explanations behind IEC 61508-2:2010 Annex F) – 14 pages
TG#01 of IEC TC65/SC65A/MT 61508-1/2 are concentrating on the topic of complex semiconductors but I don’t think the outcome in the next revision of IEC 61508 will rival the 185 pages of ISO 26262 part 11. Perhaps eventually there will be a part of IEC 61508, perhaps IEC 61508-2-1, dedicated to semiconductors but if so it is probably 5 years off.
While there are differences between industrial and automotive functional safety, the differences are small enough that I would still rate ISO 26262-11:2018 as essential reading for anybody interested in industrial semiconductors. It has lots of interesting insights and guidance. The team leading part 11 was headed by Riccardo Mariani of Intel and I am told had attendances of 80 people at some of the face-to-face meetings. I also believe not all issues could be resolved and some have been pushed to a future revision 3, but I don't know what those issues were.
Figure 1 - A summary of what is in ISO 26262-11:2018 taken from a presentation I did last year
Future blogs in this series will give details of how to access standards and how to read standards but a good place to start is always with the scope. In the scope of this standard we find that it is informative only and states “This document has an informative character only. It contains possible interpretations of other parts of ISO 26262 with respect to semiconductor development” so if you think you know better than the reportedly up to 80 experts who helped write this part of ISO 26262 then more power to you. Another interesting statement in the scope is that “This document does not address the nominal performance of E/E-systems” which I guess leaves open the window for SOTIF (safety of intended functionality).
I like figures 2 and 4, which show how to break down the IC into parts, sub-parts and elementary sub-parts, and the advice in 4.1.1 that a portion of the PMHF (probabilistic metric for random hardware failure) be allocated to the IC. It then goes on to give details of how to do a reliability prediction, showing examples based on IEC 62380, SN29500 and the FIDES guide, along with suggestions as to how the failure mode can be distributed based on expert judgement, area or transistor count. Given that IEC 62380 was obsoleted late in the ISO 26262 development, the guys cut and pasted the relevant IC sections from IEC 62380 into ISO 26262-11. I also like the emphasis placed on explaining that these predictions focus on random hardware failures and exclude systematic failure modes, with EOS (electrical overstress) called out as an example of a systematic failure mode. However, they don't go so far as to allow you to reduce the failure rate calculated using SN29500 or IEC 62380 to allow for the fact that functional safety standards use design techniques to eliminate the systematic failure modes.
There is good additional guidance on soft errors, including soft errors in analog components. It does specify that the base failure rate before safety mechanisms such as ECC or AVF (architectural vulnerability factor) should be given. It also warns against using the low duty cycle of automotive (ratio of time powered on vs time powered off) to artificially reduce the probability of failure per hour.
Sub-clause 188.8.131.52 is also interesting in that it talks about faults related to drift in analog outputs. It makes it clear that faults which result in the output staying within the specified limits are safe faults, e.g. a drift of 1% in a part specified with a safety accuracy of +/-2%. Under IEC 61508 it can be argued that these are no-effect faults.
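As an added illustration of the two points above (my own constructed example, not a worked example from ISO 26262-11 or from any real IC): distributing an IC-level base failure rate over sub-parts by area or transistor count, rolling the residual up against the PMHF share allocated to the IC, and classifying an analog drift as a safe fault when it stays inside the safety accuracy band. The sub-parts, the 60 FIT base rate, the diagnostic coverages and the 10 FIT budget are all constructed values.

```python
from dataclasses import dataclass


@dataclass
class SubPart:
    name: str
    area_mm2: float          # die area, one distribution proxy ISO 26262-11 lists
    transistors: int         # transistor count, the other proxy
    unsafe_fraction: float   # share of failures that can violate the safety goal
    dc: float                # diagnostic coverage of the covering safety mechanism (0..1)


# Constructed sub-parts and figures; not taken from the standard or any real IC.
PARTS = [
    SubPart("cpu", area_mm2=2.0, transistors=4_000_000, unsafe_fraction=0.5, dc=0.90),
    SubPart("sram", area_mm2=3.0, transistors=8_000_000, unsafe_fraction=0.8, dc=0.99),
    SubPart("adc", area_mm2=1.0, transistors=1_000_000, unsafe_fraction=0.3, dc=0.00),
]
BASE_FIT = 60.0         # constructed IC-level base failure rate (1 FIT = 1e-9 failures/h)
PMHF_BUDGET_FIT = 10.0  # constructed share of the system PMHF allocated to this IC


def distribute_fit(base_fit, subparts, key="area"):
    """Split the IC-level base failure rate over sub-parts in proportion to
    die area or transistor count. This is the pre-safety-mechanism rate and is
    deliberately not scaled by duty cycle (powered-on vs powered-off time)."""
    weight = {"area": lambda s: s.area_mm2,
              "transistors": lambda s: s.transistors}[key]
    total = sum(weight(s) for s in subparts)
    return {s.name: base_fit * weight(s) / total for s in subparts}


def residual_fit(base_fit, subparts, key="area"):
    """Residual failure rate contributing to the PMHF: each sub-part's share,
    reduced to its unsafe fraction and by the diagnostic coverage of its mechanism."""
    shares = distribute_fit(base_fit, subparts, key)
    return sum(shares[s.name] * s.unsafe_fraction * (1.0 - s.dc) for s in subparts)


def within_pmhf_budget(base_fit, subparts, budget_fit, key="area"):
    """True when the IC's residual rate fits inside its allocated PMHF share."""
    return residual_fit(base_fit, subparts, key) <= budget_fit


def drift_fault_is_safe(drift_pct, safety_accuracy_pct):
    """An analog drift that stays inside the specified safety accuracy band is a
    safe fault (e.g. 1 % drift against a +/-2 % safety accuracy)."""
    return abs(drift_pct) <= abs(safety_accuracy_pct)


if __name__ == "__main__":
    for key in ("area", "transistors"):
        print(key, distribute_fit(BASE_FIT, PARTS, key), round(residual_fit(BASE_FIT, PARTS, key), 3))
    print("within budget:", within_pmhf_budget(BASE_FIT, PARTS, PMHF_BUDGET_FIT))
```

Switching the distribution key from area to transistor count changes the residual noticeably, which is why the choice of proxy (or expert judgement) needs to be recorded in the safety analysis.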
Later the standard goes on to give a series of design measures which should be applied during the design of digital, analog/mixed-signal and sensor ICs. In effect this extends the IEC 61508-2:2010 Annex F table F.1 checklist, which currently only gives guidance for digital ICs. Interestingly, the guidance does not depend on ASIL level.
There is a full 16 pages devoted to both common-cause and cascading failures, including lists of DFI (dependent failure initiators). It advocates the monitoring of shared resources but doesn't advocate the use of beta factors (see note 2 of sub-clause 184.108.40.206).
All in all, in my view this is an excellent interpretation of ISO 26262 for semiconductors. I do however wonder if semiconductor people will now stop reading the other parts of ISO 26262 and so lose the nuances and guidance available there, for instance the guidance in ISO 26262-8:2018 clause 13.
This blog's video is from some years ago but shows some of the areas where Analog Devices plays across automotive, industrial, avionics and medical, all of which have functional safety requirements – it is worth playing for the dramatic music alone – see https://www.youtube.com/watch?v=ivigPxE8uIw