Functional Safety: Current Status And Perspectives With A View Toward Standardization Bodies

Functional safety is a topic highly driven by standards. This is due in part to legislation and regulation, but it also arises from the fact that functional safety spans a wide range of fields.

Even before specific standards were introduced, there were products that met the social consensus on safety. For example, carmakers were making cars that were safe and incorporated electrical and electronic devices long before ISO 26262 was published in 2011. However, this did not necessarily require a design process for safety-critical product development that encompasses the entire supply chain all the way back to the IC manufacturer. This is because, for a long time, safety was integrated into products like cars only at a very high level – in other words: very far from the individual ICs or SiP components. The OEMs and tier 1 suppliers used only the absolutely necessary electronic components in the critical path and often ensured the safety of these with diverse redundancy approaches.

The introduction of specific standards resulted primarily in standardization of the methods along the entire supply chain. In particular, ISO 26262 increasingly brought IC developers and semiconductor manufacturers face to face with the topic of functional safety – sometimes for the first time. In contrast to its parent standard, IEC 61508, the standard ISO 26262 specifies a clear process in many places. For example, only one process is explicitly defined for carrying out the “hazard analysis and risk assessment.” IEC 61508 lists a number of alternatives here and also allows the use of any other methods as long as they satisfy the requirements of the standard.

This explains why the standards are omnipresent during the initial development of safety-critical products or any other project generally involving functional safety. All departments are involved in the process, from management to hardware and software development, from production to field support. It is no longer possible to independently build a reliable piece of electronics and simply have it pass a final inspection of standards compliance, as was possible in the automotive sector with AEC-Q100, for example.

ISO 26262 has been and remains very useful to OEMs in particular. It gave them a simple way to require a relatively uniform process from their suppliers so that products would be simple to compare. If two functionally equivalent products are qualified for a sufficient ASIL, the decision can be made on the basis of price. It is no longer necessary to employ softer criteria to evaluate which supplier is offering higher quality and therefore a most likely safer product.

Now, however, some participants in different parts of the supply chain have discovered that problems can arise in terms of the ability to innovate. New approaches that were not incorporated when the standard was created and do not fit within the context of the standard are difficult to implement. This is not such a problem for individual test vehicles, but it is a significant obstacle to road approval for series products. In principle, ISO 26262 often does allow for the possibility of freely arguing for equivalent safety compared with products already operating in the field. In practice, however, the impediments to making such an argument are enormous. If the standard did not exist or if it did not recommend standard methods, this obstacle would certainly be much easier to overcome. In that case, all methods would be considered equivalent from the start.

Innovations worth mentioning here include artificial intelligence as well as AI-specific hardware and modular systems that can be reconfigured in the field by swapping components and over-the-air updates. With a more specific focus on protecting against hardware failures, concepts for predictive maintenance, early damage detection and redundancy reduction can also be included here.

Artificial intelligence and autonomous vehicles have been a prominent topic of public discussion for a number of years now, but so far no procedure has been defined for ensuring AI safety in a standardized way. One of the current challenges is that the functioning of such systems does not appear deterministic to an observer. With the established approach, however, an input that is not matched by a clearly defined output is considered unsafe. It is now the task of the standardization organizations and bodies that produce the functional safety standards to close this gap, allowing manufacturers along the supply chain to innovate with confidence. The update to IEC 61508 planned for the end of the year will contain a section on artificial intelligence. It remains to be seen which possibilities it will allow and how these will fare in the various areas of application. The future will also tell how closely the industry-specific standards follow the parent standard and whether they implement equivalent or unique methods for handing artificial intelligence. It will also be interesting to see how the other innovation topics are handled.