Functional Safety Archives - Jama Software
Jama Connect® #1 in Requirements Management
Thu, 11 Sep 2025 17:07:00 +0000

Functional Safety in Industrial Manufacturing: Navigating IEC 61508, ISO 13849, IEC 10218 for Safer, Smarter Operations
https://www.jamasoftware.com/blog/functional-safety-in-industrial-manufacturing-navigating-iec-61508-iso-13849-iec-10218-for-safer-smarter-operations/
Thu, 10 Apr 2025 10:00:22 +0000

In this blog, we recap our recent eBook, “Functional Safety in Industrial Manufacturing: Navigating IEC 61508, ISO 13849, IEC 10218 for Safer, Smarter Operations.”

Functional Safety in Industrial Manufacturing: Navigating IEC 61508, ISO 13849, IEC 10218 for Safer, Smarter Operations

In the dynamic world of industrial manufacturing, the stakes have never been higher. As factories grow smarter and more interconnected, ensuring the safety of workers, equipment, and processes is paramount. Functional safety, a concept grounded in preventing and mitigating risks through system design and operational safeguards, has become a cornerstone of modern industrial practices.

This eBook serves as your comprehensive guide to navigating the complex but essential landscape of functional safety standards. From the foundational principles of IEC 61508 to the robotic-focused provisions of ISO 10218, we will delve into the key frameworks that underpin safer, smarter operations.

Whether you’re an engineer, safety professional, or business leader, understanding these standards is not just about compliance — it’s about future-proofing your operations in an era of rapid technological advancement. Let’s explore how to harness the power of functional safety for a more resilient and innovative manufacturing environment.

Understanding Functional Safety

What is Functional Safety?

Functional safety ensures that industrial systems operate safely even when they fail. It encompasses risk assessment, hazard mitigation, and the implementation of controls that reduce risks to acceptable levels. Unlike general safety measures, functional safety directly addresses equipment malfunctions and system failures.

Why is Functional Safety Critical?

  1. Protecting Lives and Assets: Reduces the likelihood of accidents, injuries, and damage.
  2. Ensuring Compliance: Meets legal and regulatory requirements for industrial operations.
  3. Boosting Operational Efficiency: Reduces downtime by preventing catastrophic failures.

Real-World Examples

The importance of functional safety becomes evident through real-world scenarios where its absence or presence has significantly impacted outcomes. Below are several real-life examples that have been generalized for educational purposes:

  1. Chemical Processing Plant: A chemical manufacturer experienced a significant incident due to the failure of a pressure control system. The lack of redundancy and inadequate safety measures led to a dangerous overpressure scenario, causing equipment damage and a toxic gas release. This incident underscored the need for comprehensive risk assessments and safety instrumented systems (SIS) compliant with functional safety standards.
    1. Improvement Through Functional Safety: Another plant, learning from such failures, implemented an SIS aligned with IEC 61508 standards. By incorporating redundancy in pressure sensors and automated shut-off valves, they successfully mitigated similar risks, resulting in zero incidents over a five-year period.
  2. Automotive Industry: A global automotive manufacturer faced challenges in ensuring brake system reliability. Initial designs lacked sufficient fault-tolerant measures, which could have led to brake failure under specific conditions. Applying functional safety principles, the company developed a braking system that met SIL 3 requirements, enhancing reliability and customer trust.
  3. Food Processing Machinery: A food processing company faced frequent machine shutdowns due to sensor malfunctions. This not only disrupted production but also posed safety risks to operators. By redesigning their systems to comply with ISO 13849 and implementing real-time diagnostics, the company reduced unplanned downtime by 40% and improved operator safety.
  4. Renewable Energy Sector: A wind turbine operator encountered significant downtime due to control system errors. By adopting functional safety standards, they redesigned their turbine control systems to include failsafe mechanisms and predictive maintenance features, minimizing operational disruptions and ensuring safer energy production.

These examples illustrate how functional safety principles, when applied effectively, can prevent accidents, enhance reliability, and improve operational efficiency across diverse industries.

IEC 61508 – The Foundation for Functional Safety

Overview of IEC 61508

IEC 61508 is the umbrella standard for functional safety, applicable across industries. It provides comprehensive guidelines for designing, implementing, and maintaining safety-related systems. This standard is particularly valuable for manufacturers dealing with complex systems that demand a high level of safety integrity.

Key Concepts

  • Safety Integrity Levels (SIL): These levels define the required risk reduction for safety functions, guiding system designers in their choice of components and processes.
  • System Lifecycle Approach: A holistic framework that considers safety at every stage, from concept to decommissioning.
  • Risk Reduction: This involves combining advanced technology, rigorous processes, and human expertise to address potential hazards.

Practical Application

Manufacturers can integrate IEC 61508 to design fail-safe systems that detect, prevent, or mitigate failures before they escalate. For instance, in process industries like oil and gas, SIL assessments ensure that critical safety functions meet stringent reliability requirements.

IEC 61508 provides a structured approach for designing safety-related systems, ensuring they meet rigorous reliability and risk-reduction criteria. In industries like oil and gas, this standard is applied to Safety Instrumented Systems (SIS) that monitor and control critical processes. For instance, pressure sensors integrated into pipelines detect potential overpressure conditions. When thresholds are breached, the SIS activates emergency shutdown valves to isolate affected sections, preventing catastrophic equipment failures or environmental hazards. The standard’s lifecycle model ensures these systems are developed, tested, and maintained systematically, reducing the likelihood of failures during operation.

Another practical application is in renewable energy, where wind turbine control systems must operate reliably under varying conditions. By adhering to IEC 61508, manufacturers can incorporate fault-tolerant designs, such as redundant control modules and predictive maintenance algorithms. These enhancements ensure that turbines continue to function safely even when a component fails, maximizing energy production and operator safety. The standard’s emphasis on traceability and verification provides confidence that safety requirements are met throughout the system’s lifecycle, making it a cornerstone for functional safety across diverse industrial settings.
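To make the behaviour described in the two paragraphs above concrete (redundant pressure sensors, an emergency shutdown when a threshold is breached, and continued safe operation when one component fails), here is an added Python example. It is not code from the eBook or from Jama Software; it is a toy overpressure safety instrumented function (SIF) with three transmitters voted 2oo3, per-channel diagnostics, degraded-mode voting, and a de-energize-to-trip output. The tag names (PT-101A/B/C), the 80 bar trip point, the 0 to 120 bar transmitter range, and the degradation policy are all constructed for the illustration and are not taken from IEC 61508 or from any real plant.

```python
"""Added illustration (not from the Jama eBook): a toy overpressure safety
instrumented function (SIF) with three redundant pressure transmitters voted
2oo3, channel diagnostics, degraded-mode voting and a de-energize-to-trip
output. All tag names, thresholds and readings are constructed."""
from dataclasses import dataclass
from typing import List, Optional

TRIP_PRESSURE_BAR = 80.0                    # constructed high-pressure trip point
RANGE_MIN_BAR, RANGE_MAX_BAR = 0.0, 120.0   # constructed transmitter range


@dataclass
class Reading:
    tag: str                # hypothetical transmitter tag, e.g. "PT-101A"
    value: Optional[float]  # None models a lost signal (open loop, dead card)


@dataclass
class Decision:
    trip: bool                  # True -> command the ESD valve closed
    solenoid_energized: bool    # de-energize-to-trip: powered only while healthy
    healthy: List[str]
    faulted: List[str]
    demanding: List[str]
    reason: str


def is_healthy(r: Reading) -> bool:
    """Channel diagnostic: a lost signal or an out-of-range value is a
    detected fault, so the channel is excluded from the vote."""
    return r.value is not None and RANGE_MIN_BAR <= r.value <= RANGE_MAX_BAR


def evaluate_sif(readings: List[Reading], m: int = 2, min_healthy: int = 2) -> Decision:
    """MooN voting with degradation (constructed policy).

    - Normal: trip when at least m healthy channels demand it (2oo3 by default),
      so one spuriously high transmitter does not cause a nuisance shutdown.
    - One detected fault: required votes drop by one (2oo3 -> 1oo2), so a
      single remaining demand is enough; availability is traded for safety.
    - Fewer than min_healthy channels: no trustworthy measurement is possible,
      so the function trips (fail-safe).
    """
    healthy = [r for r in readings if is_healthy(r)]
    faulted = [r.tag for r in readings if not is_healthy(r)]
    demanding = [r.tag for r in healthy if r.value >= TRIP_PRESSURE_BAR]

    if len(healthy) < min_healthy:
        trip, reason = True, "fail-safe trip: too few healthy channels"
    else:
        needed = max(1, m - len(faulted))          # 2oo3 -> 1oo2 on one fault
        trip = len(demanding) >= needed
        if trip:
            reason = f"{needed}oo{len(healthy)} demand satisfied"
        elif faulted:
            reason = f"degraded to {needed}oo{len(healthy)}, no demand"
        else:
            reason = "normal"

    return Decision(trip=trip, solenoid_energized=not trip,
                    healthy=[r.tag for r in healthy], faulted=faulted,
                    demanding=demanding, reason=reason)


def scan_cycle(values: List[Optional[float]]) -> Decision:
    """One logic-solver scan over the constructed tags PT-101A/B/C."""
    tags = ["PT-101A", "PT-101B", "PT-101C"]
    return evaluate_sif([Reading(t, v) for t, v in zip(tags, values)])


if __name__ == "__main__":
    # Constructed scan inputs: normal, genuine overpressure, single spurious
    # high, wire break plus demand, and two lost channels.
    for vals in ([50.0, 51.0, 49.5], [85.0, 86.0, 52.0], [85.0, 50.0, 50.0],
                 [None, 85.0, 50.0], [None, None, 50.0]):
        d = scan_cycle(vals)
        print(f"{vals!s:>22} -> trip={d.trip} solenoid={d.solenoid_energized} ({d.reason})")
```

The point of the voting scheme is the trade-off the text alludes to: a single high reading is tolerated (no nuisance trip), a genuine demand seen by two channels shuts the section in, and a detected channel fault makes the function more conservative rather than less. The de-energize-to-trip output means a loss of power to the solenoid also drives the valve to its safe state, which is why the solenoid is energized only while no trip is active.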

Real-World Applications

One notable example of IEC 61508 implementation is in the chemical processing industry, where automated safety instrumented systems (SIS) are crucial. These systems monitor critical parameters, such as pressure and temperature, and activate protective actions when thresholds are exceeded. For example, a major oil refinery implemented an SIS compliant with SIL 3 to prevent catastrophic equipment failure. The system included redundant pressure sensors and automated valve shutdown mechanisms, effectively reducing the risk of explosion.

Similarly, the automotive industry leverages IEC 61508 for the development of electronic control units (ECUs). A global automotive manufacturer used the standard to design braking systems that maintain performance even during sensor or actuator failures. By adhering to the lifecycle approach outlined in IEC 61508, the company ensured high reliability while minimizing development costs through early risk identification.

These cases highlight the adaptability of IEC 61508 across various sectors, demonstrating its value in achieving both safety and operational excellence.

ISO 13849 – Safety of Machinery

Purpose of ISO 13849

This standard focuses on the functional safety of machinery, specifically the design and validation of safety-related parts of control systems (SRP/CS). It is essential for environments where machinery interacts closely with operators, ensuring that even complex systems remain safe.

Performance Levels (PL) vs. SIL

While Safety Integrity Levels (SIL) measure risk reduction across systems, Performance Levels (PL) evaluate the probability of dangerous failures in machinery control systems. ISO 13849’s PL framework is particularly relevant for addressing mechanical hazards in automated production lines.

Ensuring Compliance

To comply with ISO 13849, manufacturers must:

  • Identify potential hazards in machinery.
  • Design control systems with adequate fault tolerance.
  • Conduct thorough validation and testing.

In industries like automotive or food processing, where machinery operates at high speeds, ISO 13849 provides the tools to ensure both productivity and operator safety.

IEC 62061 – Functional Safety for Machinery Systems

Overview

IEC 62061 builds on IEC 61508 and ISO 13849, offering a structured approach to machinery system safety. It provides a detailed methodology for assessing risks, setting safety requirements, and validating safety-related systems.

Integrating Safety

By adopting IEC 62061, manufacturers can:

  • Transition seamlessly between PL metrics and SIL frameworks, ensuring consistency across systems.
  • Develop comprehensive safety lifecycle plans that align with operational goals.
  • Optimize machinery designs for reliability and compliance.

Key Benefits

IEC 62061 emphasizes adaptability, allowing manufacturers to apply its principles to diverse machinery systems. For example, in semiconductor manufacturing, it ensures that high-precision equipment operates reliably under strict safety protocols.


THIS HAS BEEN A PREVIEW – TO READ THIS EBOOK IN ITS ENTIRETY, VISIT:
Functional Safety in Industrial Manufacturing:
Navigating IEC 61508, ISO 13849, IEC 10218 for Safer, Smarter Operations


Expert Perspectives: Integrating Safety of Intended Functionality (SOTIF) Into the Automotive Requirements Engineering Process
https://www.jamasoftware.com/blog/expert-perspectives-integrating-safety-of-intended-functionality-sotif-into-the-automotive-requirements-engineering-process/
Tue, 14 Jan 2025 11:00:48 +0000

In this blog, we’ll recap a section of our recent Expert Perspectives video, “Integrating Safety of Intended Functionality (SOTIF) Into the Automotive Requirements Engineering Process” – Click HERE to watch it in its entirety.

Expert Perspectives: Integrating Safety of Intended Functionality (SOTIF) Into the Automotive Requirements Engineering Process

Welcome to our Expert Perspectives Series, where we showcase insights from leading experts in complex product, systems, and software development. Covering industries from medical devices to aerospace and defense, we feature thought leaders who are shaping the future of their fields.

In this episode, we speak with Dr. Hasan Ibne Akram on the topic of Integrating Safety of Intended Functionality (SOTIF) Into the Automotive Requirements Engineering Process.

Watch this video to learn more about:

  • The differences between SOTIF and functional safety
  • How to define and manage safety requirements addressing system limitations and edge cases
  • How to conduct a hazard analysis and risk assessment to cover intended functionality

Below is a preview of our interview. Click HERE to watch it in its entirety.

Kenzie Ingram: Welcome to Our Expert Perspective series where we showcase insights from leading experts in complex product systems and software development, covering industries from medical devices to aerospace and defense, we feature thought leaders who are shaping the future in their fields. I’m Kenzie Ingram, your host.

And today I’m excited to welcome Dr. Hasan Ibne Akram, an entrepreneur, computer scientist, book author, and CEO of engineering service company Matrickz based in Munich, Germany. With more than 17 years of experience in the automotive industry and working for two of the major German automotive OEMs, Dr. Akram brings a wealth of knowledge to this conversation. Today, we’re excited to showcase a discussion between Matt Mickle, Jama Software’s Director of Automotive Solutions, and Dr. Akram, on integrating safety of intended functionality, also known as SOTIF into the automotive requirements engineering process. Without further ado, I’d like to welcome Dr. Akram and Matt Mickle.

Matt Mickle: Thanks everyone for joining us today. My name is Matt Mickle. I’m the Director of Solutions for Automotive and Semiconductor at Jama Software. And I’m joined here today by Dr. Hasan Ibne Akram. Thanks very much for joining us today and answering some questions around integrating SOTIF into the automotive requirements engineering process. Dr. Akram, maybe we could start by just you telling us a little bit about yourself and your history with SOTIF and other industry standards and just a little bit about your background.

Dr. Hasan Ibne Akram: Absolutely. Thank you so much, Matt, for having me here. It’s amazing that we are having this conversation because this is very relevant today.
So my background in automotive started way back in 2005. So I was still a student, but I really wanted to go for a start-up. And back then, I landed a project with Continental. It was a braking system calculation project, and that’s how I got into automotive. And kept doing automotive stuff ever since.

And then, when I started my safety journey, I actually had no clue. So the first encounter to safety was a long time ago when I was actually working at a [inaudible 00:02:30] OEM as an external consultant. I was more responsible for the software. And during the lunch break, the functional safety colleague of that OEM, and in German, we call it FuSi, Funktionale Sicherheit, we used to call it FuSi. So I asked him, “What FuSi, the thing that you’re doing all the time? What is it about?” And quite condescendingly, he said, “We assume that whatever you guys are doing over there, every line of code, everything that you will do will go wrong.”

Akram: That was kind of like a light bulb moment for me. “Wow, that’s interesting. What happens when everything goes wrong? What do we do?” That was really my genesis of the functional safety journey. And SOTIF didn’t exist back then, was doing ISO 26262. And during my PhD, I was specialized in automotive cybersecurity, so cybersecurity and functional safety, I really wanted to bring them together.

And then, we realized, the automotive industry realized that, hey, there is something missing. Because with traditional safety, the definition of traditional safety is all about malfunction, if something goes wrong. Even when we’re doing security, it’s beyond malfunction, it’s all about attack now. Now comes autonomous vehicle, kind of like ADAS’s features, active distance control, automated emergency brake, active cruise control, and different levels of autonomy, Level 1, Level 2. The definitions came much later, but the idea of SOTIF was, hey, there’s something inherently required, there’s something required, something missing, inherently missing in the current standard because there can be hazards beyond malfunction.

It’s all about intention and this is where SOTIF was created, that we will talk about safety of the intended functionality. And my involvement, like you wanted to ask, my involvement with all these standards, I was following these standards before from the very ideas because the community is very, very close community. All the safety people in my podcast, I had Hans-Leo Ross, I had people who are the… Hans-Leo Ross even showed the birth certificate of ISO 26262 because he literally wrote the first lines and everything of ISO 26262. And I was privileged to be around these people who are actually shaping the future of these standards and how the engineering work will be done in the autonomous vehicle sphere and safety will be defined. So yeah.

Mickle: Nice. Well, that must’ve been quite enthralling at the time. So you mentioned that there was this gap sort of missing for functional safety and that SOTIF sort of filled that gap. Could you describe some of the key differences that are there between the standards?

Akram: Absolutely. So the key difference is, like I said, there was a gap. The gap was pretty evident, we’re talking about malfunction. If there is a fault, that fault would lead to a hazard, that’s ISO 26262, that’s traditional functional safety.

Now, what happens if there is nothing wrong in the vehicle, no malfunction, and we still have a hazard? So let me give you a metaphor. Imagine that you have a knife and you bought the knife. Your intention is to chop vegetables. So it’s a very sharp knife. The functionality is great, you’re chopping the vegetable, there is no malfunction, you’re chopping the vegetable. Now, by mistake, unintentionally, you cut your finger with it, it’s a hazard. Now, there is no malfunction still in the knife, the knife is 100 percent functional, it’s your intention that was to chop vegetables, but somehow, unintentionally, you cut your finger. And that’s where the safety of the intended functionality came in.

The famous example of such a hazard is this high profile Tesla incident that happened, I don’t know, five, six years ago, where in a junction, because of the lighting condition, Tesla’s ADAS system could not recognize a truck that was passing the junction. And the driver happened to be watching Harry Potter and he didn’t pay attention. And this was fatal, I mean, the driver died. This was such a fatal accident. And there was nothing wrong in Tesla’s ADAS functionality, it’s just that this certain condition, there was no malfunction, this certain condition was not trained, and the ADAS system was not able to detect under certain lighting condition.

And that was the reason, but when we entered, when we started with this, it turned out vastly complex, the whole sphere of SOTIF, when you’re talking about the environment. I’ve just given you one example. So the environment is theoretically infinite. There can be infinite situations and there can be situations that we don’t know about. And the fact of the matter is, we don’t know what we don’t know. When you know something, you can take measure, that’s traditional ISO 26262. Now, we have this unknown unknown. You don’t even know what you don’t know. So that makes it extremely challenging and that’s why the whole process of autonomous vehicle development is going to be a continuous development process, we’ll have to continuously learn and incorporate safety and all those.


THIS HAS BEEN A PREVIEW OF OUR VIDEO AND TRANSCRIPT –
CLICK HERE TO WATCH THIS INTERVIEW IN ITS ENTIRETY:

Expert Perspectives: Integrating Safety of Intended Functionality (SOTIF) Into the Automotive Requirements Engineering Process


[Webinar Recap] Managing Functional Safety in Development Efforts for Robotics Development
https://www.jamasoftware.com/blog/webinar-recap-managing-functional-safety-in-development-efforts-for-robotics-development/
Tue, 06 Aug 2024 10:00:31 +0000

In this blog, we’ll recap our recent webinar, “Managing Functional Safety Development Efforts for Robotics Development” – Click HERE to watch it in its entirety.


Managing Functional Safety Development Efforts for Robotics Development

Industrial manufacturing firms are undergoing rapid transformation as they navigate talent shortages, supply disruptions, digital adoption acceleration, and more. At the same time, they work diligently to accelerate time to market, streamline risk management, and keep accuracy and safety at the forefront.

In this webinar, learn about functional safety challenges during the development of complex robotics systems, and how to conform to IEC 61508. Also, learn about how Jama Software’s new robotics solution allows developers to quickly leverage a template and documentation to kickstart development efforts ensuring quicker time to market, and higher quality and safer products.

You’ll learn more about:

  • Functional safety development challenges
  • IEC 61508 best practices
  • Tips and tricks on certification
  • Jama Software’s new robotics solution offering and benefits

Below is a preview of our webinar. Click HERE to watch it in its entirety.

The following is an abbreviated transcript of our webinar.

Managing Functional Safety in Development Efforts for Robotics Development

Steven Meadows: Hi everyone, and welcome to the webinar on Managing Functional Safety and Development Efforts for Robotics Development. In terms of the agenda today, this is what we’re going to be covering. We’re going to start off with a speech and company introductions. We’ll then look at functional safety and providing IEC 61508 overview, associated challenges, and associated best practices. We’ll then switch gears and talk a little bit around Live Traceability™ followed by robotics development best practices. And then we’ll finally wrap up with Jama Software’s Robotics Solution. So let’s start with some speaker introductions. Go ahead, Nicole.

Nicole Pappler: Okay. Hey everybody. My name’s Nicole Pappler. I am a Senior Functional Safety Expert at AlektoMetis. I started working with safety-critical systems more than 20 years ago, working with automation, working with automotive, and other domains, and always moving around in safety-critical projects with safety-critical systems, being a developer, being a tester, being on the complete system side. About 10 years ago, I started then to work as an assessor for functional safety at TÜV SÜD. And about three years ago, started together with my business partner, AlektoMetis to provide independent consulting and assessment services using all the experiences that we had up to now. If you want to Google me, I’m also active in several open source for functional safety, so you should be able to follow me around. If you want to contact me, my social media handle is nicpappler, so you can find me on GitHub, Discord, and usually wherever you want to look.

As AlektoMetis, our company, together we have more than 20 years of experience. We provide a network of experts for functional safety, for cybersecurity, for multiple domains, so automation, railway, and automotive. And also, we can provide you with services regarding license compliances, processes, and quality management. We have a set of trainings and workshops available for functional safety, for security, or with our network, also for other topics that you need to cover for critical systems and to keep up to date and to drive topics forward, we participate actively in international committees for standardization like the IEC, ISO or DIN or also industry networks like the Bitkom, or the Industry Business Network 4.0.

Nicole Pappler: So first of all, I’d like to give you an overview of what’s all this about with functional safety and with IEC 61508. So I’m sure you are here because you already heard about functional safety. Maybe you’re a pro or beginner with functional safety. So first of all, functional safety is the topic that’s associated with reducing risks that are associated with products that can be caused either by random faults, which means faults of a sensor, or faults by the controller, just random things stop working or start working in a very inconsistent way. So one of the big topics in functional safety is really avoiding random faults, avoiding faults due to hardware components just dying on you. And the other big topic in functional safety is the avoidance of risk due to systematic faults.

So systematic faults are usually faults that happen during the development, that happen during deployment, or maintenance of a product that is due to topics that are not covered, that are due to hazards you have not considered. This is due to functions you haven’t implemented correctly or that haven’t been tested if they are correctly implemented and then go into the field in an inconsistent or insufficient way. So functional safety can be achieved then by the methods of engineering and of process application. It means the random faults you avoid by systematically identifying what are the critical components, what are critical parts, and other critical functions within your system. Then choose suitable and robust system architectures suitable and robust components and hardware parts to be integrated into your system.

And then to avoid systematic fault by applying a suitable development process, by applying suitable verification measures, by using a suitable deployment and maintenance process. And then also going into a suitable change management process for your system, so that you don’t add bugs and insufficiencies to your system that wouldn’t be there by definition. So easily, you don’t need to start thinking about how to do this on your own. So there are standards around. And the main functional safety standard is the IEC 61508. It’s a standard that talks about functional safety for electrical and electronic and in any kind of ways programmable safety related systems. And although there are a lot of other safety standards around, IEC 61508 is still not only the most generic, but also the most used and most applied standard, not only in other industries but specifically also in the automation industry.

Pappler: So what will IEC 61508 help you with? So what is defined there? Most of it really consists of methods and definitions and explanations, how to do engineering and how to do the planning of your engineering, of the safety-relevant systems and equipment. Then with the process, how to reduce your development issues by planning ahead, by planning your resources, and by deciding what kind of methods are suitable for your kind of development. There are standard planning methods defined. You need to have a safety plan that’s more or less the project management plan thingy for your safety-relevant tasks. You have the definition of processes, so everything will be done in a consistent and traceable way. You will have templates though that you won’t have to invent the structure of a document that invents the structure of your definitions every time. Again, the standard also talks, let’s say on a very high level, but on a very important level about safety architectural requirements.

It walks you through a few basic architectural topics like one-channel systems, two-channel systems, and three-channel systems. How do you need to set them up? What are the minimum requirements regarding diagnosis you want to do live on these channels? So that already gives you a lot of help with the basic setup. What is the minimum requirement? And then you can go from there really deciding if is this sufficient for my use case. IEC 61508 also is very strong in the definition of verification activities, be this on the one hand side for inspections, for analyzers, for reviews of your plant concept, of your requirements of your specifications. And also on how to do testing on multiple stages of your development after deployment or during maintenance. It also guides you then after development, after production of your system, how to mitigate the issues or to avoid issues that might be introduced during installation or during the integration of your system into a bigger system.

This has been an abbreviated transcript of our webinar.

CLICK HERE TO WATCH THIS WEBINAR IN ITS ENTIRETY:
Managing Functional Safety Development Efforts for Robotics Development


Functional Safety (FuSA) Explained: The Vital Role of Standards and Compliance in Ensuring Critical Systems’ Safety
https://www.jamasoftware.com/blog/functional-safety-fusa-explained-the-vital-role-of-standards-and-compliance-in-ensuring-critical-systems-safety/
Tue, 21 Mar 2023 10:00:52 +0000

Functional Safety (FuSA) Explained: The Vital Role of Standards and Compliance in Ensuring Critical Systems’ Safety

Have you heard of FuSA? It stands for Functional Safety, and it is a vital part of any system that requires safety assurance. FuSA was designed to reduce the risk of physical injury or damage due to malfunctioning equipment. This guide will provide an overview of the subject, including the standards, compliance requirements, and the different types of systems where FuSA is used.

What Is Functional Safety?

At its core, Functional Safety (FuSa) is a set of measures taken to ensure that a system meets certain safety requirements. In other words, it’s a way to make sure that any system can operate safely without causing physical injury or damage. This includes both hardware and software components within the system.

How Does FuSa Work?

The goal behind FuSa is to reduce the risk associated with a product’s failure as much as possible through the use of safety systems that are designed to detect any potential hazards and then take corrective action if necessary. To do this, developers must consider both hardware-based solutions such as monitoring devices or sensors, as well as software-based solutions such as algorithms or machine learning models that can detect potential faults before they occur. Once all potential risks have been identified and addressed, designers must then create a comprehensive test plan to validate all safety system components before the product is released into production.

FuSa Standards and Compliance Requirements

Several international standards have been established to help guide organizations in their implementation of FuSa. These standards include ISO 26262 for the automotive industry and IEC 61508 for the industrial manufacturing and consumer electronics sectors. Both standards establish minimum requirements for safety-critical functions within a system. Additionally, each standard specifies certain testing procedures that must be followed in order to demonstrate compliance with the standard.

Typical Applications of FuSa

FuSa is commonly used in aerospace and defense applications as well as road vehicles, industrial machinery, medical devices, consumer products, and more. It can also be applied in critical systems such as those involving control functions or power generation/distribution systems. In all cases, the goal is to reduce the risk of unacceptable physical harm or damage due to malfunctioning systems or components.

When creating a safety system using FuSa principles, engineers typically use several tools such as FMEA (Failure Modes and Effects Analysis), FMEDA (Failure Modes, Effects and Diagnostic Analysis), and FHA (Functional Hazard Analysis). These are all based on the standard that applies to the product: IEC EN 62304 for software development processes in medical devices, ISO 26262 (Road Vehicles – Functional Safety), IEC 61508 for industrial automation, and so on, depending on what type of safety-critical E/E/PS (Electronic / Electrical / Power Supply) product or system is being developed. The rules vary by product type, but they usually involve assessing the potential risks in different scenarios and establishing suitable safeguards against them so that the system meets the Safety Integrity Level requirements laid out by the IEC 61508 standard.


RELATED: 2023 Predictions for Industrial and Consumer Electronics Product Development


Conclusion:

Functional Safety is an important consideration for any organization dealing with safety-critical systems or components, where malfunctioning equipment or software failure could lead to unacceptable physical harm or damage. Engineers must use tools such as FMEA and FMEDA during the development process while adhering to standards such as ISO 26262 and IEC 61508, so that their products meet the Safety Integrity Level requirements laid out by those standards. As long as organizations are aware of these requirements and implement them properly in their products and services, they should be able to develop reliable, safe products that meet customer expectations.

Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by McKenzie Jonsson and Steve Rush.


Safety as a Competitive Advantage https://www.jamasoftware.com/blog/safety-as-a-competitive-advantage/ Wed, 06 Oct 2021 10:00:10 +0000 https://www.jamasoftware.com/?p=56520

Like many industries, the semiconductor industry has seen a dramatic change over the past several decades. Simple, single-function devices have evolved into complex multi-function devices with firmware, supporting software and, in some cases, full reference designs. While the products that the semiconductor industry sells are still integrated circuits (ICs), in many cases the supporting software, documentation and system-level understanding are just as important as the products themselves. A key example of this is the set of products produced for the automotive industry that must meet the Functional Safety requirements of ISO 26262.

Early in the days of integrated circuit design, companies generally focused on developing single-function products. The development focus was on continuously optimizing for different applications and, in many cases, improving performance metrics like power, speed, and bandwidth. Later came an increased focus on reducing product size and cost. The common thinking was that if a team could build a product with better performance metrics than the previous generation, there would be a market for the product. For these teams the skill of circuit design and the capabilities of manufacturing were the ultimate competitive advantage. A great deal of system-level understanding was not required, although many teams had Applications Engineers with an understanding of the various applications their products would be used for.

For many companies in the semiconductor industry, circuit design and manufacturing are still competitive advantages. For others, an increased focus on integration has encouraged them to think in terms of providing a complete solution, rather than just products. Increasing levels of integration are often driven by a goal to decrease the size and cost of the solution, but doing so requires a better understanding of the end application and more systems-level thinking in developing the solution. This understanding of the end application leads to a focus on clearly understanding and communicating the requirements to ensure successful product development. While in single-function products the requirements are often simple and the circuit design is the challenge, in more complex products the requirements can become quite complex, and truly understanding the need is just as critical as executing on developing a solution.

No aspect of integrated circuit development increased functional complexity as much as adding firmware and software to the overall solution being provided. While adding software and firmware to a solution is often done to solve a specific problem, it quickly opens up such a wide range of functional possibilities that the complexity grows rapidly. While there are still teams focused on advancing the state of the art of circuit design, just as many (maybe more) teams are developing full solutions with a semiconductor element as well as firmware, software and even system integration. The ultimate representation of this trend is semiconductor companies providing complete reference designs that contain nearly all the engineering required to produce an end-product. 


RELATED: ISO 26262 vs. ASPICE


In the automotive industry, the trend of providing a complete system-level solution has not been as strong as in other industries like IoT or consumer, but another trend has emerged: providing a safe solution. Integrated circuits sold into automotive applications have long had to achieve some of the toughest reliability standards. Now it is increasingly common for vehicle electronics to impact the safety of the vehicle, so not just reliability is required, but also functional safety. Achieving functional safety requires a lot more than circuit design and process technology. It requires understanding of how failures in an integrated circuit can impact the system. It requires robust development processes not traditionally employed in the semiconductor industry. 

Nowhere was the need for this more strongly articulated than at the “Guidance & Application of ISO 26262 to Semiconductors” conference held virtually in August 2021. In the first session of the conference, several automotive OEMs joined forces to explain how important it is for semiconductor suppliers to develop pre-integrated, pre-certified and pre-tested solutions that meet the requirements of ISO 26262 and place the minimum burden on system integrators to integrate the solution into their system and safety case. Functional Safety adds a lot of overhead to vehicle development and receiving complete solutions from their suppliers goes a long way toward reducing that burden. 

While many semiconductor suppliers have been playing catch up to meet the requirements of ISO 26262, others are turning it into a competitive advantage. These suppliers are winning business on the strength of their functional safety competency. They have developed robust processes featuring robust requirements management, configuration management and safety analysis. As a result, they can provide their customers complete safety cases that save their customers significant time when integrating their solutions. Some are even furthering the state of the art in functional safety by participating in standards development. It is common for multiple suppliers to have technically equivalent products, so in these cases safety competence can become the deciding factor in which semiconductor solution an OEM or Tier 1 supplier ultimately selects. 

With the automotive industry working toward fully autonomous vehicles, the importance of developing safe products is more critical than ever. It will take the whole industry working together to further the state of the art in all areas to achieve the goal of full autonomy. That state of the art includes both skillful circuit design and robust processes that ensure safety.

Never has there been a time when it was more critical for the semiconductor industry to adopt new skills. Circuit design and manufacturing will always be the core competency of semiconductor companies, but for those focused on the automotive industry, it is increasingly necessary for safety to be a core competency as well. Developing safety as a core competency can lead to increased market share in today’s exciting automotive market.



Automotive Engineering and Management Methods for Modern Vehicle Development – Implementing Functional Safety for Autonomous Driving https://www.jamasoftware.com/blog/automotive-engineering-functional-safety-for-autonomous-driving/ Tue, 08 Jun 2021 10:00:18 +0000 https://www.jamasoftware.com/?p=53962

This post on functional safety for autonomous driving is Part III in our three-part series with automotive expert Patrick Freytag. If you haven’t already, please go back and read Part I, which talks about how the automotive sector is changing – and Part II, which discusses ways to address functional safety.


Since functional safety has a product lifecycle approach, it has a wide impact on all processes in a company. As a newcomer to functional safety, it’s challenging to focus on the most important aspects, especially for new entrants in the knowledge-intensive automotive sector. Here are best practices based on my observations and experience.

Functional Safety for Autonomous Driving – Best Practices for New Market Entrants 

Executive Management Team: Pay Attention to Functional Safety 

Product safety should be a topic of conversation for the Executive Management Team (EMT) because of the legal responsibilities placed upon the company by deploying a vehicle to customers. The EMT should understand that it needs dedicated resources to achieve product safety. One of the most important tasks of the EMT is to implement Safety Engineering Management and to assure that roles and responsibilities for quality and safety are defined and communicated in the company. Members of the safety team need a specific skill set, so it is important to invest in functional safety education and qualification. It is also important to foster a quality and safety culture in the company. For that reason, quality and safety should be part of goal agreements and performance evaluations. Quality and safety have to be recognized as a core responsibility and a performance indicator for employees.

Project Management: Plan and Track Functional Safety 

Project management has to incorporate functional safety in the product concept and development plan. The Project Manager (PM) should consider the additional time and cost in the project plan and the project budget. Product development plans must include quality and safety milestones and the related work products. What should be done if the PM doesn’t receive proof that quality and safety milestones have been reached at the gate reviews, for example? That is certainly a red flag. Situations like these may point to deeper-rooted issues and should not be brushed under the rug. The PM should start a gap analysis and request an action plan. I recommend escalating the issue to the executive team as soon as possible when proof of product safety is missing. It won’t get better without commitment and planned actions; the longer you wait, the worse the situation will get. Since safety considerations typically permeate several layers of system design, safety is not an attribute that can be tacked on shortly before the start of production; it has to be implemented from the beginning.

Development & Functional Safety Team: Implement and Validate Functional Safety 

Industry experience shows that functional safety is not a topic you can assign to one responsible person. For example, a technical safety concept is created by a team of software, hardware, and system-level experts, moderated by a systems architect in collaboration with functional safety engineers. This means that the functional safety manager is a role held by only a few people in a company, while the role of safety engineer can be assigned to an entire team. As mentioned, functional safety requires specific domain knowledge and safety engineering expertise. But what can be done if this expertise is missing in-house? My recommendation is to compensate for it with external resources as an interim solution, and to start functional safety education and qualification as a long-term solution. Safety must be addressed in product development with adequate engineering methods and domain knowledge to define safety requirements. These safety requirements have to be implemented, tracked, managed, verified, and validated to make sure that risk reduction is realized and the product is safe.

The Evolution of Functional Safety for Autonomous Driving 

The functional safety focus is on avoiding and mitigating failures in E/E systems. That also works well for Advanced Driver Assistance Systems (ADAS). When a failure is detected, the driver is alerted, and mitigation measures are performed to reach a safe state. These systems are called fail-safe. Let’s take Adaptive Cruise Control (ACC) as an example. When a failure is detected, a warning is displayed in the instrument cluster. This visual warning is typically combined with an acoustic warning to get the driver’s attention. The ACC function is switched off, and the driver is again in charge of controlling the vehicle’s speed and keeping a safe distance.

Additional Safety Considerations for Autonomous Driving 

The ADAS safety mechanism described above will not be sufficient for a fully autonomous vehicle. It’s not possible to switch off the automated driving system because there is no driver in the loop to take over. An Autonomous Vehicle (AV) has to work under all (failure) conditions; it has to be fail-operational. An AV without a driver in the loop also needs situational awareness: it must understand the surrounding world, decide, and act. This situational awareness is created by data fusion from a variety of complex sensor systems based on lidars, cameras, and radars. The combined data is then interpreted to plan and take action. This interpretation and planning are achieved by complex algorithms, driven by Artificial Intelligence (AI) and Machine Learning (ML).

Today, many connected and ADAS-equipped cars are already available. Connectivity features and information sharing are increasingly used for updating vehicle features, maintenance-related diagnostics, and traffic services. This development will also increase the attractiveness of an attack on vehicles by hackers with different motivations and it introduces additional risks for vehicle cybersecurity.  

Safety Concerns Due to System Limitations and Misuse 

What happens if an automated driving system has no system failure but doesn’t work as intended? Unsafe behavior could be triggered by limitations in the sensor systems, extreme conditions, or unforeseen situations. In addition, misuse could confuse the AI algorithms and result in unsafe behavior too.  

An example of misuse of an ADAS was shown by Consumer Reports, which reported in April 2021 that it was able to trick a Tesla into driving in Autopilot mode with no one at the wheel. Real-life proof followed in May, when police arrested a Tesla driver for operating his car from the back seat while traveling on a San Francisco Bay Area freeway. The officer confirmed the sole occupant was in the back seat, so he took action to stop the car and saw the occupant move to the driver’s seat before the car stopped. In response, at the end of May Tesla activated the cabin camera with a software update for Model 3 and Model Y to detect and alert driver inattentiveness while Autopilot is engaged.

Here is a typical example of a limitation: an AV is driving and is confronted with black ice conditions. While an experienced driver should be able to comprehend the situation and respond properly, an AI-based AV might not. Without sensing the icy road condition, an AV might drive faster than is safe for the conditions.

As a result, functional safety has to be supplemented by considering safety violations that occur in the absence of a system failure.


RELATED: Watch a demonstration of the Jama Connect for Automotive Solution


Safety of Intended Functionality or SOTIF (ISO/PAS 21448) 

The publicly available specification ISO/PAS 21448, titled “Road vehicles — Safety of the intended functionality” was published in 2019. SOTIF is defined in the standard as: “The absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or by reasonably foreseeable misuse by persons.” The goal of SOTIF is to avoid situations where vehicles are working as designed, but are failing under real-world scenarios. ISO 21448 provides guidance on the design, verification, and validation measures to achieve the SOTIF. The current version covers Advanced Driver Assistance Systems (SAE J3016 L1 and L2). It can be considered for higher levels of automation; however, additional measures will be necessary. 

 The Standard for the Evaluation of Autonomous Products (ANSI/UL 4600) 

The UL 4600 standard was issued in April 2020 with the scope of the Safety Evaluation of fully Autonomous Driving Systems that operate without human intervention. The goal of UL 4600 is to ensure that a comprehensive safety case is created, including safety goals, argumentation, and evidence. UL 4600 covers the safety principles, risk mitigation, tools, techniques, and life-cycle processes for building and evaluating a safety argument for vehicles that can operate in an autonomous mode without human supervision. Therefore, the ML-based system aspects of the autonomous operation are covered. UL 4600 works well with existing automotive safety standards such as ISO 26262 and ISO/PAS 21448 by building on their strengths while also filling their autonomy-specific gaps.  

Conclusion

The safety challenge for autonomous vehicles can’t be addressed with a single standard as of today. As we move on from existing Advanced Driver Assistance (L1 and L2+) to fully Automated Driving Systems (L5) the standards and methods will evolve too.  

Current state-of-the-art automotive safety is achieved with a combination of different engineering methods and processes: 

Functional Safety (ISO 26262)

Guards against E/E malfunctioning behavior due to systematic and random hardware failures, for vehicles with a human driver present who is responsible for safe operation.

Safety of the Intended Functionality (ISO/PAS 21448)

Deals with functional limitations: the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse by persons. SOTIF covers L1 and L2 ADAS vehicles with a human driver present who is responsible for safe operation.

Cybersecurity engineering (ISO/SAE 21434)

Protects road vehicle systems and components from harmful attacks, unauthorized access, damage, or anything else that could interfere with and compromise safety functions.

Evaluation of Autonomous Products (ANSI/UL 4600)

Proves the safety of fully autonomous road vehicles that can operate without human supervision.

Take Away: The combination of different engineering methods is needed on the way to fully Autonomous Driving  

  • Functional Safety helps you to do things right 
  • Safety of Intended Functionality helps you to do the right things 
  • Cybersecurity helps to protect the safety functions from being compromised 
  • Evaluation of Autonomous Products helps you to provide proof that you did enough safety engineering work to achieve a safe autonomous product

This blog post concludes the 3-blog miniseries on automotive insights and best practices on the way to autonomous driving. Special thanks to Jama Software for the opportunity to share my observations and experience with you. I hope you enjoyed reading my thoughts and got useful insights into the complex and interesting world of automotive safety and autonomous driving.  



Automotive Engineering and Management Methods for Modern Vehicle Development – Addressing Functional Safety https://www.jamasoftware.com/blog/automotive-engineering-and-management-methods-for-modern-vehicle-development-addressing-functional-safety/ Tue, 04 May 2021 10:00:19 +0000 https://www.jamasoftware.com/?p=53613

My last blog post covered why and how the automotive sector has been changing fast over the last few years – you can find that post here. A common expectation is that our future cars will be connected, automated, shared, and electric. In a current Motional Consumer Mobility report, Americans were asked what their most important consideration is when deciding to use a self-driving vehicle. Nearly two-thirds of Americans (65 percent) say safety is the most important consideration when deciding to use a self-driving vehicle. So let’s take a closer look at automotive functional safety and how to deliver a safe product.

Safety Considerations for Product Design 

Modern cars are complex pieces of technology. They are connected and have sophisticated In-Vehicle Infotainment (IVI) systems and Advanced Driver Assistance Systems (ADAS). You would be surprised by the amount of software used in the 30 to 70 electronic control units in a car. There are up to 100 million lines of code deployed in a modern high-end car today. System complexity will increase even more when we move beyond ADAS-supported driving to Automated Driving Systems (ADSs) in the future.

The challenge for the industry is that new potential hazards may arise with the increasing use of electronics and software in cars. Apart from complex technology and consumers’ expectations, we will get regulations covering the safety of future cars. In the U.S., this is the responsibility of the National Highway Traffic Safety Administration (NHTSA).

Defined by the Vehicle Safety Act in 1966, the NHTSA has the sole authority to make final decisions on rules and safety standards for future road vehicles. Once the NHTSA establishes a standard, the Agency is required to ensure that manufacturers comply when producing new vehicles.

In 2016 the NHTSA published “Vision for Safety,” a non-regulatory approach to automated vehicle technology safety. “Entities are encouraged to follow a robust design and validation process based on a systems-engineering approach to design ADSs free of unreasonable safety risks. The overall process should adopt and follow industry standards, such as the functional safety process standard for road vehicles…” 

Which industry standard is the NHTSA referring to? 

The standard referred to is ISO 26262, first issued by the International Organization for Standardization (ISO) in 2011 and later updated in 2018. ISO 26262, titled “Road vehicles – functional safety,” is the first comprehensive voluntary industry standard for safety engineering of Electrical and Electronic (E/E) systems in road vehicles. This standard recognizes that safety is a system attribute and can be addressed using systems engineering methods. ISO 26262 emphasizes the importance of implementing safety engineering management and fostering a safety culture.

What is functional safety and how to comply? 

Functional safety is defined as the “absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems.” The goal of ISO 26262 is to ensure safety from the earliest concept to the point when the vehicle is retired. To ensure vehicle safety, the standard outlines an automotive safety life cycle that describes the entire production life cycle.  

Specific steps are required in each phase of the safety life cycle. One of the most important steps at the beginning of the safety life cycle is the Hazard Analysis and Risk Assessment (HARA) of potential hazards. The result is an Automotive Safety Integrity Level (ASIL) classification of each hazard and the formulation of an overall safety goal. Safety goals are basically the level of safety required for a system or component to function without posing any threat to the vehicle.

An ASIL is assigned by evaluating three risk parameters: severity, exposure, and controllability. Severity defines the consequences to the lives of people due to the failure that may occur. Exposure is the likelihood of the conditions under which a particular failure would result in a safety hazard. Controllability determines the extent to which the driver will be able to control the vehicle should a safety goal be breached due to the failure or malfunction. ISO 26262 provides a method for assigning the ASIL to a hazard once severity, exposure, and controllability have been determined.

In the next step, a functional safety concept is developed for each safety goal. The functional safety concept defines functional safety requirements within the context of the vehicle architecture, including fault detection and failure mitigation mechanisms, to satisfy the safety goals. Then the technical safety concept is developed to specify the technical safety requirements within the system architecture. The technical safety concept is the basis for deriving the hardware and software safety requirements that are used for developing the product. These safety requirements have to be traced, managed and validated through product development to assure the delivery of a safe product. 


RELATED: Watch a demonstration of the Jama Connect for Automotive Solution


Why is functional safety important? 

Functional Safety describes a risk-based systems engineering approach to avoid unreasonable risk. From a business perspective, using ISO 26262 as a guideline helps you to avoid costly product recalls due to safety hazards. Tesla recalled roughly 135,000 Model S and Model X vehicles over touch-screen failures in February 2021. The move came after the National Highway Traffic Safety Administration requested a safety recall. NHTSA asked for the recall because the center display in some models can fail when a memory chip runs out of storage capacity, affecting safety functions such as windshield defogging and defrosting controls, exterior turn signal lighting, and the rearview backup camera display.

Following the standard minimizes the risk of harm to people and non-acceptance of your products by the market. In particular, automobile manufacturers have a legal responsibility to design their vehicles to guarantee driver, passenger, and pedestrian safety. As a consequence, automobile manufacturers can be named as defendants in a product liability suit. For example, Toyota Motors agreed to pay $1.2 billion to settle the Justice Department’s criminal investigation into whether the company hid safety defects related to unintended acceleration in 2014. 

Takeaway 

Functional safety is an essential part of product development and needs to be addressed early in the concept phase and considered through the full product life-cycle. ISO 26262 offers an engineering guideline and methods to avoid or at least mitigate systematic failures and random hardware failures of Electrical and Electronic Systems. The derived functional safety requirements have to be implemented at the lowest level up to the system level, both from a hardware and software perspective. This offers the ability to prove that the added E/E-systems are free of unreasonable safety risks. 

The pragmatic engineering approach is to use existing knowledge, or, as I call it, to use the industry’s memory. You should look at the ISO 26262 series as the framework and as a set of guidelines and methods. ISO 26262 can help you with systems engineering methods for a safe product while still giving you some flexibility in the development process. This is especially helpful for newcomers to the automotive industry, who may lack specific automotive safety engineering experience.

Let’s put it this way: using existing engineering methods and knowledge is like standing on the shoulders of a giant – you can see further. This is even more true for automotive product safety because there is no room for trial and error.

Stay tuned: The next blog post in this series will give real-life advice on how to implement functional safety in your organization and products, and a glance at the evolution of functional safety for autonomous driving. 



Ensuring Safety and Security for Automotive Development https://www.jamasoftware.com/blog/ensuring-safety-and-security-for-automotive-development/ Wed, 28 Oct 2020 10:00:33 +0000 https://www.jamasoftware.com/?p=39941

Editor’s Note: This post on safety and security in automotive development is a guest post from our partner Ansys. To learn more about Ansys, visit their website.

Safety and security have always represented a driving force in automotive engineering. Today, these performance criteria are more important than ever, as vehicles continue to grow exponentially in technological complexity. Advanced technologies deliver benefits, but also create new risks and potential failure modes. 

With sales of electric vehicles projected to reach $567 billion by 2025 [1], the design of powertrains and battery management systems has been brought to the forefront. Automakers also hope to capture a share of the global autonomous vehicle market, which will account for $556.67 billion by 2026 [2], placing more focus on embedded control software, perception systems and sensors.

Before these diverse innovations can be commercialized, they must be analyzed and verified for reliable performance under every operating condition. Equally important, all electronics must be proven to work together at the system level, which means developing a robust system-level architecture, testing every integration point, and identifying and addressing weaknesses.

The Industry’s Leading Software for Automotive Modeling, Analysis and Simulation 

Mastering these diverse, complex automotive engineering tasks may seem overwhelming ― or even impossible ― but there is good news. An established leader in engineering simulation for over 50 years, Ansys enables automakers to navigate the complex design and verification challenges associated with electrification, ADAS and other technology advancements.  

The depth and breadth of the Ansys portfolio mirrors the complexity of today’s vehicle designs ― bringing modeling, analysis and simulation together in a robust, connected platform. From physics-based simulations that focus on crash-worthiness to the verification of embedded software, sensors, cameras and radars, Ansys solutions help automakers analyze every component in today’s cars.  


RELATED: Watch a demonstration of the Jama Connect for Automotive Solution


Navigating the Unique Challenges of Safety and Security 

Regarding electronics safety and security, software from Ansys helps automotive engineers by supporting safe software development, functional safety analysis and cybersecurity analysis. 

Safer Embedded Software Development 

Underlying the advanced electronic systems found in modern cars are millions of lines of embedded software code that ensure their flawless operation under every driving scenario. Ensuring that the overall software model, and every line of code, deliver the desired functionality is critical to protecting the safety of human passengers. To meet the highest safety standards and comply with regulatory guidelines, software engineers must subject this code to rigorous testing.

With Ansys SCADE, engineers can streamline design and verification processes via automatic code generation of ISO 26262 critical software up to ASIL D. SCADE can be easily integrated into existing AUTOSAR development flows for software components, eliminating time-consuming manual reviews.  

For example, as Subaru created control software code for its first hybrid vehicle, it automated 95% of the development process by relying on Ansys SCADE to generate code for the car’s innovative engine, called the e-BOXER. Today, it only takes Subaru engineers half a day to implement a model for the e-BOXER’s electronic control unit (ECU) once the control logic has been defined. This enables Subaru’s developers to modify the ECU’s logic and architecture much more frequently and easily as they explore continuing design innovations. 

Explore how automakers are improving the accuracy and speed of embedded software development by 50%. 

Robust, Automated Safety Analysis  

Functional safety analysis ensures that automotive electronics deliver reliable performance over time, without system failures leading to unreasonable risk. This analysis must encompass the entire electronics architecture, all the way down to the chip level.

Ansys medini analyze streamlines and automates functional safety analysis via a model-based environment that supports executing the safety-related activities required by applicable standards like ISO 26262. It has helped many customers reduce time and costs, without sacrificing analytic rigor. 

For example, LiTHIUM BALANCE develops battery management system (BMS) solutions for electric vehicles in keeping with the most stringent safety, performance and reliability standards. By leveraging medini analyze, engineers at LiTHIUM BALANCE quickly and affordably manage the functional safety verification of their BMS designs.  

By providing an easy-to-understand, visual representation of complex electronics and their integration points, Ansys has benefited ZF Friedrichshafen AG, a global technology company that supplies systems to automakers. Ansys medini analyze has streamlined and accelerated functional safety analysis for hardware, software and systems, delivering efficiencies that include up to a 50% reduction in the time devoted to these tasks.

The emergence of automated driving has brought an even greater challenge: what if components such as sensors are working as designed, but their capabilities fall short under real-world conditions? A new standard, ISO 21448, focuses on safety of the intended functionality (SOTIF). Ansys medini analyze helps engineers not only identify weaknesses, triggering conditions and causal effects, but also interfaces with simulation and testing tools to validate perception software and other ADAS components.

Ready to take your safety case to the next level? Request an Ansys medini trial.  

Rigorous Cybersecurity Analysis 

The increased amount of software and connectivity in cars has made them vulnerable to cyberattacks. Recent headlines, as well as the ISO 21434 cybersecurity standard, have made cybersecurity analysis an essential part of the automotive development process.

Ansys medini analyze for Cybersecurity addresses system-level security via an easy-to-use modeling and analysis environment, ensuring that the complex electronics architecture is impervious to attacks. By quickly identifying and addressing potential threats and vulnerabilities, engineers can deliver secure products, reduce time to market, maximize profits and comply with upcoming cybersecurity regulations.

Learn more about systematically performing threat analysis and risk assessment via Ansys medini analyze.

A Partnership That Delivers Added Value 

Today many automotive leaders are applying Ansys solutions, while also leveraging Jama Connect for product development. A value-added partnership between these companies means that Jama customers can seamlessly and directly integrate Ansys SCADE and Ansys medini analyze. For the first time, the automotive electronics development and testing process is supported by a linked set of industry-leading software tools.  

To learn more about the benefits of this partnership, watch our recent webinar or review our white paper.


To learn more about how Jama Connect for Automotive can help your team achieve safety and security compliance, streamline development, and speed time to market, download our solution overview.

DOWNLOAD NOW

What’s the Price Tag on Failure in Automotive Electronics? https://www.jamasoftware.com/blog/high-cost-of-failure-in-automotive-electronics/ Tue, 27 Oct 2020 10:00:52 +0000 https://www.jamasoftware.com/?p=39916 automotive electronics

Editor’s Note: This post about the high cost of failure when developing automotive electronics was originally published here on ElectronicDesign.com on June 5th, 2019, and was written by Jeff Darrow, who is involved with Automotive MOSFET Product Marketing at Infineon Technologies.


What’s The Price Tag on Failure in Automotive Design

The automotive market is driven by safety and reliability requirements. As vehicles rely more heavily on semiconductors for their functionality and safety-critical features, the concept of Zero Defects is gaining pace. This article will examine stringent quality requirements in the context of growing use of power MOSFETs. MOSFET device packaging is highlighted as a critical element in achieving the goal of Zero Defects.

Today, the scale of electronics in a typical car is staggering when compared to everyday items like mobile phones and notebook computers. Modern cars and trucks can have up to 100 networked microprocessors running 150 million lines of code with thousands of supporting active components.

Because nearly all automotive innovation requires electronic systems, semiconductors have become the fastest growing component in a modern vehicle, with cars containing more than $1,000 worth of semiconductor parts.1 Electronic systems control all safety-critical functions such as engines, transmissions, steering, braking, and electric motors. With highly autonomous driving features coming to market now, complexity will further increase along with the risk for catastrophic electronic system failures.

Automotive Sets a High Bar for Quality

Early concerns about automotive component quality impacting vehicle safety were addressed with the formation of the Automotive Electronics Council (AEC)2 and its Q100 and Q101 specifications. Established by OEMs Chrysler, Ford, and Delco Electronics, the AEC’s aim was to generate common standards in the automotive industry for the qualification of semiconductors.

These standards, along with those from the Society of Automotive Engineers (SAE), the Joint Electron Device Engineering Council (JEDEC), IEC/ISO, and the International Automotive Task Force (IATF), form the basis for component requirements in automotive applications. Many larger Tier 1 automotive manufacturers still have reservations about the adequacy of these standards and impose their own customer specific requirements (CSRs) on components.

AEC Q101 Standard Needs to Evolve

A feature of the AEC “Q” standards is that they’re only used for the one-time qualification testing of components in several categories (Fig. 1).


1. AEC Q standards are used for one-time qualification testing of components.

For example, testing is rigorously defined for discrete semiconductors, but this characterizes the quality of samples and predicted reliability in service rather than setting defined limits for actual allowable rates of field failures. A failure rate that was acceptable in older vehicles with relatively few electronic components can be totally inadequate in a car with thousands of components.

Even with no defects identified in a qualification test, there’s no guarantee of reliability in typical environmental conditions from −40 to 250°F. Quality control and component reliability in the ongoing manufacturing process is left to the manufacturers’ internal quality system.

A typical AEC-Q101 qualification test uses 77 parts from each of three manufacturing lots. These are tested to defined hours or cycles with no failures, which represents a lot tolerance percent defective (LTPD) of 1% at a 90% confidence level, or a maximum of 0.4% defective at a 60% confidence level in production testing.

Such numbers would be an alarming yield in volume production and would signal an early-life product failure rate of 11 FITs (failures in 10^9 hours) based on the Arrhenius equation with an activation energy of 0.7 eV and 55°C use versus 175°C test temperature. A chi-squared distribution and 60% confidence level are assumed. In context, if the typical 30,000 electronic components in a vehicle all had this intrinsic failure rate, the vehicle population would have a mean time between failures (MTBF) of just three months.

Semiconductor Manufacturers Drive Toward Zero Defects

Power MOSFET use in vehicles has risen steadily and is predicted to increase from an average of a little less than 80 per car in 2017 to about 140 by 2025 (Fig. 2). Future EVs will contain around 400 MOSFET devices. MOSFETs are used in powertrain, body, safety and convenience applications, such as engine/transmission control, power distribution, automatic braking systems, power liftgate and window motors. Component failure in any of these applications could result in immobilization, injury, or, in worst case, loss of life.


2. Projected power MOSFET usage in vehicles. (Source: Infineon)

Assume the lot defect rate for power MOSFETs of 1% is screened-out in test to a residual rate of 0.001%. This would be 100 times better than the LTPD that’s tested with the Q101 specification. This 10-DPM (defect per million) failure rate would mean that about 700 cars in every million could be fitted with defective parts. With an estimated 1 billion plus cars on the roads today,3 the scale of the potential problem is again clear. Although 1 DPM has been seen in general market applications as a world-class target, 0.1 DPM heading to Zero Defects is the expected figure in automotive applications.
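The arithmetic behind the sampling, FIT and DPM figures in the preceding paragraphs, carried through as an added worked example (this is not code from the original article, Infineon or Jama Software): the confidence a zero-failure sample of 231 parts gives on the lot defect fraction, the Arrhenius acceleration factor for 55°C use versus 175°C stress at 0.7 eV, the 60%-confidence chi-squared FIT bound, the series rollup of 30,000 equal-FIT components into a vehicle MTBF, and the number of vehicles per million carrying at least one defective part at 10 DPM. Two inputs the article does not state are assumptions here: the stress duration per part (1000 hours, passed as a parameter, so the FIT number depends on it) and roughly 70 MOSFETs per vehicle, the count that reproduces the quoted "about 700 cars in every million".

```python
"""Zero-failure qualification arithmetic (AEC-Q101 style).

Added worked example; figures come from the article except where marked as
assumptions. Only the zero-failure case is handled, which keeps the
chi-squared bound in closed form (no SciPy needed).
"""
import math

BOLTZMANN_EV_PER_K = 8.617333e-5  # Boltzmann constant in eV/K


def confidence_for_defect_fraction(samples: int, p: float) -> float:
    """Confidence that the lot defect fraction is at most p, given zero
    failures in `samples` parts: P(0 failures | p) = (1 - p)^n."""
    return 1.0 - (1.0 - p) ** samples


def max_defect_fraction(samples: int, confidence: float) -> float:
    """Largest lot defect fraction consistent with zero failures in
    `samples` parts at `confidence` (the LTPD at that confidence)."""
    return 1.0 - (1.0 - confidence) ** (1.0 / samples)


def arrhenius_acceleration(ea_ev: float, t_use_c: float, t_test_c: float) -> float:
    """Arrhenius acceleration factor of a stress test at t_test_c relative
    to field use at t_use_c, for activation energy ea_ev."""
    t_use_k = t_use_c + 273.15
    t_test_k = t_test_c + 273.15
    return math.exp(ea_ev / BOLTZMANN_EV_PER_K * (1.0 / t_use_k - 1.0 / t_test_k))


def zero_failure_fit(device_hours: float, acceleration: float, confidence: float) -> float:
    """Upper-bound failure rate in FIT (failures per 1e9 device-hours).

    With zero failures the chi-squared bound has 2 degrees of freedom, and
    chi2_upper(2 dof) / 2 = -ln(1 - confidence) exactly. Device-hours are
    scaled by the acceleration factor to equivalent use-condition hours.
    """
    expected_failures_upper = -math.log(1.0 - confidence)
    return expected_failures_upper / (device_hours * acceleration) * 1e9


def fleet_mtbf_hours(components_per_vehicle: int, fit_per_component: float) -> float:
    """MTBF of one vehicle treated as a series system of equal-FIT parts."""
    total_fit = components_per_vehicle * fit_per_component
    return 1e9 / total_fit


def vehicles_per_million_with_defect(parts_per_vehicle: int, dpm: float) -> float:
    """Vehicles per million fitted with at least one defective part when
    each part independently has `dpm` defects per million."""
    p_part = dpm / 1e6
    p_vehicle = 1.0 - (1.0 - p_part) ** parts_per_vehicle
    return p_vehicle * 1e6


def article_figures(stress_hours_per_part: float = 1000.0, mosfets_per_vehicle: int = 70) -> dict:
    """Recompute the article's chain of figures. Both defaults are
    assumptions: the article gives neither the stress duration nor the
    per-vehicle MOSFET count behind its 700-cars-per-million estimate."""
    samples = 3 * 77  # three lots of 77 parts, zero failures
    af = arrhenius_acceleration(0.7, 55.0, 175.0)
    fit = zero_failure_fit(samples * stress_hours_per_part, af, 0.60)
    return {
        "confidence_at_1pct": confidence_for_defect_fraction(samples, 0.01),
        "ltpd_at_60pct": max_defect_fraction(samples, 0.60),
        "acceleration_factor": af,
        "fit_upper_bound": fit,
        "vehicle_mtbf_hours_at_11fit": fleet_mtbf_hours(30_000, 11.0),
        "vehicles_per_million_at_10dpm": vehicles_per_million_with_defect(mosfets_per_vehicle, 10.0),
    }


if __name__ == "__main__":
    for name, value in article_figures().items():
        print(f"{name:32s} {value:12.4f}")
```

The two sampling functions are the article's 1%-at-90% and 0.4%-at-60% statements for 231 zero-failure parts; the FIT bound is the only figure that moves with the assumed stress duration, so vary `stress_hours_per_part` to see how a 500-hour versus 1000-hour test changes the claimed early-life rate.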

Quality Must be Designed In

To achieve the lowest defect rate, the manufacturer must have a quality culture that encompasses the entire product development and manufacturing process, from initial concept through design, production, and manufacturing, to final test and product fulfillment. People are central to the goal, as is full management commitment and training for all staff who are internally and externally audited to measure the trend toward Zero Defects.

An excellence program that emphasizes continuous improvement backed up with meaningful metrics must be put in place. A comprehensive datasheet and specific automotive design rules drive the product design and verification, with a validation plan to ensure that the part fits customer requirements and expectations.

Infineon, a leading supplier of automotive MOSFETs, is on its way toward Zero Defects for all of its products: DPM rates for automotive-grade MOSFETs are now proven to be less than 0.1 PPM, just below 50 PPB as of mid-2019.

The trend toward Zero Defects continues with the company’s adoption of leadless packages using internal top-side copper clips. The leadless MOSFETs are designed to meet the same reliability standards as Infineon’s leaded products and still offer higher power density. sTOLL, TDSON-8 (Super S08) and TSDSON-8 (S308) devices with this technology have exhibited high leadless-package reliability and low thermal resistance, along with having a smaller footprint and higher power density than a DPAK with equivalent RDS(on).

The leadless package frame has a wide tin-plate area for good solderability and yields a best-in-class figure of merit for the ratio of chip RDS(on) to package resistance (Fig. 3). Devices were analyzed in each package of the latest technology (SFET4/SFET5).


RELATED: Watch a demonstration of the Jama Connect for Automotive Solution



3. Leadless copper-clip termination yields the lowest chip to package resistance ratio.

The copper-clip termination approach also has the advantage of minimum inductance for reduced voltage overshoots and excellent EMI behavior to boost robustness in real applications (Fig. 4).

4. Leadless copper-clip termination has the lowest source and drain inductance.

Another marker for quality is the ability of the MOSFET encapsulation to adhere internally under temperature stress. Infineon’s OptiMOS devices have demonstrated that they show no delamination after 260°C preconditioning and 1000 thermal cycles (Fig. 5).

5. Infineon’s MOSFETs showed no delamination after preconditioning and temperature cycling.

Process Control and Stability is Key to Quality

High-performance design features are worthless without a production process control system that maintains quality and stability in manufacturing. Advanced statistical process control methods give real-time monitoring of key process parameters such as metal thickness and its line width, as well as resist coating and its line width. Outgoing product quality screening includes intelligent Part Average Testing with trend analysis of the effects of “outliers”—parts that meet the upper and lower specification limits but are beyond the expected distribution of results.

Yield loss in the various manufacturing processes is analyzed using statistical bin limits (SBL) for abnormally high (and low) figures. Wafers are optically inspected with pattern recognition to identify “at risk” die around areas where clusters of defects are occurring (Good Die, Bad Neighborhood).

Should a systematic defect be identified, the industry standard 8D (8 Discipline) problem solving sequence is invoked to prevent recurrence with systematic rollout to all locations and long-term follow-up of preventive actions (Fig. 6).

6. The “8D” problem-solving process.

Summary

With the volume of cars on the road only set to increase with a rapidly growing number of electronic components built in, traditional levels of component reliability are simply not sufficient when the consequence of failure could be loss of life. Zero Defects is the goal, and semiconductor manufacturers have leveraged AEC stress test qualification with internal design and manufacturing controls and testing to achieve the target.

Is Zero Defect possible? It is: years of history show that Infineon has achieved Zero Defect on more than 70% of its automotive production. Is it worth the effort and cost? For driver and passenger safety, it’s worth every cent.


To learn more about how Jama Connect for Automotive can help your team simplify compliance, streamline development, and speed time to market, download our solution overview.

DOWNLOAD NOW


[Webinar Recap] Bridging the Gaps in Safety-Critical Product Development https://www.jamasoftware.com/blog/bridging-safety-critical-product-development-gaps/ Tue, 20 Oct 2020 10:00:20 +0000 https://www.jamasoftware.com/?p=39860

Designing complex electronic systems not only requires a significant number of specialized stakeholders, but also efficient collaboration during safety-critical product development and verification activities. With some teams working remotely and working together around the globe, there may be gaps in communication, locations, or tools that need to be overcome in order to deliver the expected product on time and on budget.
In a recent webinar, Michael Jastram, Senior Solutions Architect at Jama Software, and Francois Xavier Dormoy, Senior Product Manager at Ansys, discuss how you can bridge these gaps by integrating a product development platform, such as Jama Connect, with a model-based embedded software tool, such as Ansys SCADE. From high-level requirements to verification and validation (V&V) activities to implementation, this allows you to share a single source of truth among the stakeholders and facilitate alignment across teams.

Below you’ll find an abbreviated transcript and the full webinar recording.


Bridging the Gaps in Safety-Critical Product Development



Michael Jastram: In case you’ve never heard of Jama Software, Jama Connect is a solution for product development. Product development includes, of course, capturing the requirements, requirements management but also activities like test and quality management, which gives you end to end traceability. Also, risk and hazard analysis because a lot of our customers are using Jama Connect for functional safety-critical work the same way that Ansys SCADE is being used. Jama Connect is a platform that achieves these things by providing you with key capabilities, like traceability, collaboration, reuse, and many others. I don’t want to go here into detail. In a minute, Francois and I will give you a live demonstration so that you can actually see how all this plays out in practice.

One thing that is very important that I would like to point out is that Jama Connect is an open platform. It is very easy to seamlessly integrate it with other tools. We see Jama Connect as the best of class solution. For this part of your development you want to use best of class and so do you want for others. That’s why you’re using SCADE, I assume. We ensure that you have a seamless integration.

Before I give you a tour of the solution, let’s look at the problem with respect to product development today. In product development, you typically follow the V-model if you have to do with functional safety critical systems. This has been practiced since the ’60s very successfully. There’s just one problem with it. The V-model in systems engineering tends to be slow. By the time you define your concept of operations, you went all the way down to implementation there. By the time you can do the verification and validation activities of the top level, a lot of time passed. There’s a lot of interest these days in HM methodologies. One question that we often hear is how do you apply HM methods in the context of functional safety critical work and systems engineering. The answer to that we call continuous engineering.

This is how it works and where Jama Connect applies. Jama Connect basically covers the top two thirds of the V-model by providing you with a platform for modern requirements management that gives you cross functional collaboration, which allows you to easily exchange information, capture decision, conduct reviews of electronic signatures, and so forth.

At some point, you reach the point where the scope of Jama Connect ends. That’s where something like Ansys SCADE comes in. We provide you with real time and seamless traceability across two boundaries so that you have end to end traceability with best of class solutions. On the top right here, this is again where Jama Connect comes in. Jama Connect also supports you with test management activities so that you have end to end traceability from your requirements all the way to your test cases and test results. Jama Connect doesn’t end there because Jama Connect provides you with reuse capabilities that allows you to build the next version by using branching and merging of variant management so that you can easily manage multiple variants and take advantage of the good work that you already did.

The next question is how do you actually apply that in practice? This requires a paradigm shift. This is visualized on the left-hand side here by depicting the traditional systems engineering approach, which tends to be document based, which you can see here with example outlines from the corresponding RS standard. Now, we haven’t worked with documents in systems engineering for a while. There are tools around for requirements management. Yet, if you look at all the generation of requirements tools, that still has a very strong document feel to it. In Jama Connect we really switch away from that and go to an item-based mindset where you have fine grade traceability. Obviously, to really understand on a fine grade level what the impact of change is, where you have gaps in your coverage, and so forth.

Here you see a simple relationship model that shows you how you can connect the various items. For example, you can have themes and epics, which are terms from the agile world, but still mixed up with things like product concept and system architecture, which are more traditional systems engineering. If we have a look at that, then you get something like this. This relationship diagram has actually been taken directly from Jama Connect, so you can flexibly adapt it there. The arrows indicate the traceability capabilities. For example, you see that epics and user stories are connected. Jama Connect will tell you if you have a gap between your epic and your user story. You can find gaps in your coverage. Jama Connect helps you with impact and change management. If you change the epic, then all the connected user stories and validation test cases will be marked as suspect. There are a number of other features, roles, workflows, templates. A number of capabilities that really allow you to have repeat iterations following the traditional systems engineering process but with an agile mindset. We have customers from many different industries. Just to provide you with one example, one of our customers from the avionics industry used Jama Connect in a lot of areas. Just to pick up one metric, they managed to increase the speed of resolving issues by 30% by using what Jama Connect provides you with.


RELATED: Watch a demonstration of the Jama Connect for Automotive Solution


Francois Xavier Dormoy: Yes, the topic is how we can make this synchronization and how we can integrate both SCADE models, and these requirements, and these traceability. In fact, we have in SCADE and in all SCADE tools, we have a gateway. A gateway to requirement management tool, like Jama Connect. For instance, in Jama Connect, of course, you will be able to create requirements, to manage requirements, manage traceability links. You can create links. You can see all the traceability. You can perform your impact analysis. You can generate matrices, etc. All these, of course, will be done in Jama Connect and you will use SCADE for design, for the architecture, for the testing, etc.

What we allow in this gateway is for people designing to have a look at the requirements. We have a way to import in SCADE requirements and we have a way in SCADE to create links between SCADE elements, SCADE artifacts, and any requirements. These links will not be stored in SCADE. They will be stored in Jama Connect. We have the six portraiture in order to export back to Jama SCADE artifacts together with traceability.


To learn more about how Jama Connect for Automotive can help your team simplify compliance, streamline development, and speed time to market, download our solution overview.

DOWNLOAD NOW
