Functional safety is one of the most important features in embedded systems and so it’s no surprise that we’re constantly talking about it with our customers, attending events and monitoring for advancements. It was an honour to be invited back to chair IQPC’s ninth ISO 26262 conference in Munich, Germany, in March. This is probably the biggest and longest running expert forum on the technical implementations of ISO 26262, the technical safety standard for the automotive industry, so it’s the ideal event to hear case studies and talk to industry experts.
This year things were a little different as the ISO 26262 stream ran alongside three other relevant streams: Security for Semiconductors, chaired by Texas Instruments; Safety of the Intended Function (SotIF), chaired by APTIV; and Testing ADAS and Self-Driving Cars, chaired by Toyota Research Institute. These streams were intertwined, with a special focus on the interdependencies of SotIF (ISO PAS 21448) and Functional Safety (ISO 26262): the unsurprising conclusion being that for ADAS, these two documents are complementary and will be used together.
For the ISO 26262 stream, which I chaired, there was strong attendance and contribution from many members of national and international ISO 26262 working groups. These included Nicolas Becker, Part 9 leader and SotIF chair, and Dr David Ward, Part 6 leader. It was also notable that functional safety and ISO 26262 are fully entrenched in the auto industry; this year’s focus was on the solution space rather than the problem space, with many examples of ISO 26262-compliant products and process solutions starting to become a market necessity in order to enable the expected EV+ADAS revolution (and no dull presentations on the content of the standard).
From the 20+ presentations given in the ISO 26262 stream, there were some notable messages and the presentations that stood out to me personally included:
- Safety Cases: A clear case for the role of safety cases in demonstrating and communicating the achievement of functional safety was made. The point was also emphasised via a specific workshop and special pre-release of the MISRA Guideline for Automotive Safety Cases made available to delegates. At the time of the first edition of ISO 26262, many nations were hoping and planning that the safety case was just a “compilation of work products”, but now many are realising the importance of the safety discussion to communicate and justify safety claims. This is especially true as we involve independent safety assessors that make a judgement on the achievement of functional safety.
- The inclusion of trucks, buses and motorcycles in ISO 26262. The extended scope of the second edition of ISO 26262, which now includes trucks, buses and motorcycles, was shared at the conference. As a keen motorcyclist myself, the BMW presentation won through because it included so many great pictures of motorbikes. Interestingly, two approaches were taken for the integration of trucks (and buses) and motorcycles into the second edition of ISO 26262: the requirements for trucks were integrated into the existing parts of the standard, while motorcycles have a part (Part 12) all to themselves. I believe this was influenced by the fact that motorcycles and mopeds have their own ISO sub-committee (TC22/SC38).
An interesting addition to Part 12 is the motorcycle safety integrity levels (MSIL) that are mapped to the nominal ASIL of ISO 26262. However, I’m personally not 100% convinced of the “state-of-the-art” rationale for this mapping that effectively increases the threshold of “unreasonable risk” of malfunctioning behaviour of electronics and software of motorcycles, meaning that a lower bar for functional safety is set for motorcycles compared to trucks, buses and cars.
- SotIF and AI: Related to SotIF, an insightful presentation was given on the latest research into AI and machine learning in automotive, with a look at architectural considerations, the move away from neuron coverage towards formal verification, and the use of activation patterns for runtime monitoring of the neural network. Most likely this was only a glimpse, but it emphasises this persistent challenge as road vehicles become more autonomous. I didn’t get a chance to see any of the presentations and panel sessions of the other streams, but if I could have replicated myself I would have loved to have seen more of the SotIF stream.
I felt that one of the most valuable aspects of conferences is the breakout discussions, often initiated by panel discussions. To my surprise, there are still many apparent newcomers to ISO 26262, but on the other hand, there are those at the other end of the spectrum who are engaged with the trickier aspects of autonomy, AI and machine learning.
Though perhaps sounding a bit dry, it’s worth noting that the ontology for architectural design was an underlying theme of some papers, and more generally the principles of systems engineering were reverberating throughout the week, emphasising the fact that systems engineering underpins all our design and development activities.
From my personal perspective, bearing in mind this is the fourth time I’ve chaired the conference, I never fail to be surprised by the content and “take-aways” from this event, not forgetting to mention the connection with old and new faces.
And, of course, being in Munich there was a well-needed trip to the Hofbrauhaus, with its resident oom-pah band, and homebrews!