Source: TTI Market Eye article
05/14/2018 // Murray Slovick for TTI Market Eye
Functional safety is an immutable requirement for critical automotive systems. Accordingly, the ISO 26262 standard was introduced in November 2011 to define the safety aspects of developing electrical and electronic automotive systems. ISO 26262 describes all of the requirements for achieving functional safety. As an example, compliant systems must be able to identify their own malfunctions and mitigate their effects so that passenger safety is preserved. Compliance with the standard is achieved jointly by vehicle manufacturers, Tier 1 automotive suppliers, semiconductor suppliers and IP providers.
The standard describes four automotive safety integrity levels (ASILs), ranging from level A, for the lowest integrity requirements, up through levels B and C to level D, for the highest integrity requirements. These levels in turn define the processes that automotive development teams must follow to meet the standard. An ISO 26262 development flow sits alongside the main design flow and ensures that the SoC or associated IP meets the required functional safety level. Design teams working to meet ISO 26262 must systematically analyze the status of every component or system throughout the supply chain.
ISO 26262 quickly became the guiding standard for functional safety for the automotive development process. But in the seven years since 26262 was published much has changed: intensified use of car sharing services, development of Advanced Driver Assistance Systems (ADAS) and the emergence of self-driving vehicles, to name just three key technology drivers.
With automotive progress has come greater need for absolute certainty that electronic systems are going to perform as intended without malfunctioning. Autonomous vehicles, for example, bring the challenge of not just functional safety but fail-operational functionality, sometimes also referred to as fault-tolerance, where a failure in one component does not stop the whole system from working correctly – the system is expected to reconfigure itself as necessary to ensure that it does so.
Rapid progress in the development of ADAS and autonomous driving technology is now challenging the semiconductor industry to bring the rigorous safety standards used in the automotive industry to its design process.
The problem is that while ISO 26262 included a section on hardware development, the standard previously had no specific guidelines for semiconductors themselves.
Until now. A new second edition will be released this year, perhaps not long after you read this. Designated ISO 26262:2018, it adds two parts to the original standard. Importantly, in Part 11 the second edition lays out guidelines for applying ISO 26262 requirements to semiconductor development. Part 11 also addresses intellectual property (IP), specifically for suppliers of ISO 26262-related silicon IP. Part 11 has been written to ensure that the 26262 standard remains relevant when applied to the systems commonly used in ADAS and fully autonomous driving architectures. In this way it could help to close the safety gaps now appearing during autonomous driving tests.
The Part 11 guideline provides detailed information to help semiconductor manufacturers develop ISO 26262-compliant parts. The section has tips, recommendations and examples for creating ISO 26262-compliant ICs and IP, and includes information on failure rates and transient faults, as well as guidance on specifying diagnostic coverage.
The update has numerous other changes, including sections on improving cybersecurity functional safety. Part 12 of the second edition adds specific content for motorcycles, trucks, buses, trailers and semi-trailers.
This forthcoming release will bring significantly more information to support semiconductor suppliers in the areas of digital and analog components, programmable logic devices (PLDs), multi-core processors and sensors, as well as silicon IP.
Let’s look at these one at a time:
- The sub-section on digital components provides detailed definitions and guidance on fault models for components such as memories, discusses failure modes of common digital blocks, and shows how to estimate diagnostic coverage. It describes digital blocks, helps to determine failure rates, explains qualitative and quantitative analysis techniques and discusses verification via fault injection simulation.
- In the analog and mixed-signal sub-section, Part 11 covers how to partition an analog device to aid safety analysis, discusses potential failure modes, and covers Analog Single Event Transients (ASETs) and under- and overvoltage diagnostics. Guidance is provided on the level of safety analysis required, and examples of failure modes for common analog blocks are given.
- Functional safety must be considered both while developing and using a configurable component. Part 11 offers information on types of PLDs, shows the hardware assumptions generated by the PLD manufacturer that must be validated by the PLD user and highlights key failure modes and associated safety mechanisms. It also discusses avoidance of systematic faults and verification techniques.
- In the sub-section on multi-core, Part 11 provides an introduction to the topic of multi-core components. It goes over safety requirements previously allocated to separate hardware components that are now allocated to a single multi-core component. Particular attention is paid to freedom from interference in multi-core components.
- The sub-section on sensors and transducers, which are covered in detail in ISO 26262 for the first time, starts with a general overview of sensors, failure modes and production processes. It addresses functional safety evaluation of Micro Electro Mechanical Systems (MEMS), strives to clarify sensor failure modes and transducer failure modes, and gives examples of root causes.
- Since ICs typically contain intellectual property (IP) from suppliers (flash memory, standard cells, microcontrollers), Part 11 addresses IP, in particular any ISO 26262-related IP with one or more allocated safety requirements. It describes how to handle all variations of IP and issues guidance for integrating in-context IP and pre-existing Safety Element out of Context (SEooC) IP. The section describes safety analysis content for different IP types and explains how other sections of ISO 26262 have been adapted to support IP.
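The digital-components sub-section above refers to estimating diagnostic coverage and verifying it by fault injection simulation, and Part 11 is said to include information on failure rates. The following Python script is an added illustration of what such an estimate looks like in practice; it is not taken from the standard or from this article. It models a constructed 8-bit register protected by an even-parity bit, injects every single-bit and double-bit upset, classifies each fault as safe (data not corrupted), detected (parity check flags it) or residual (corrupted data passes the check), and then derives a diagnostic coverage figure per fault model and a residual failure rate. The per-model base failure rates (100 FIT and 1 FIT) are constructed placeholders, and the classification scheme and formulas are the author's simplification for illustration, not the standard's definitions.

```python
"""Toy fault-injection campaign for a parity-protected 8-bit register.
Constructed illustration of diagnostic coverage (DC) estimation; the
register, fault models and FIT values are all assumptions."""
from itertools import combinations
from collections import Counter

WORD_BITS = 8            # data bits 0..7
PARITY_BIT = WORD_BITS   # bit index 8 is the stored parity bit


def even_parity(word: int) -> int:
    """Even parity of the data word: 1 if the number of set bits is odd."""
    return bin(word).count("1") & 1


def inject(word: int, parity: int, bits):
    """Flip the listed bit positions (0-7 = data, 8 = parity) and return the faulty pair."""
    for b in bits:
        if b == PARITY_BIT:
            parity ^= 1
        else:
            word ^= 1 << b
    return word, parity


def classify(stored: int, bits) -> str:
    """Classify one injected fault against the parity safety mechanism."""
    parity = even_parity(stored)
    word, par = inject(stored, parity, bits)
    if word == stored:
        return "safe"        # data not corrupted; at worst a spurious alarm
    if even_parity(word) != par:
        return "detected"    # parity check flags the corrupted word
    return "residual"        # corrupted word passes the check unnoticed


def run_campaign(stored: int = 0xA5):
    """Exhaustively inject single- and double-bit upsets; return counts per fault model."""
    positions = range(WORD_BITS + 1)
    models = {
        "single_bit": [(b,) for b in positions],
        "double_bit": list(combinations(positions, 2)),
    }
    return {name: Counter(classify(stored, bits) for bits in faults)
            for name, faults in models.items()}


def diagnostic_coverage(counts: Counter) -> float:
    """DC = detected / (detected + residual); safe faults are left out of the denominator."""
    dangerous = counts["detected"] + counts["residual"]
    return counts["detected"] / dangerous if dangerous else 1.0


def residual_fit(results, base_fit) -> float:
    """Residual failure rate in FIT: each model's base rate scaled by its residual share."""
    total = 0.0
    for name, counts in results.items():
        n = sum(counts.values())
        total += base_fit[name] * counts["residual"] / n
    return total


if __name__ == "__main__":
    results = run_campaign()
    # constructed base failure rates per fault model, in FIT (failures per 1e9 device-hours)
    base_fit = {"single_bit": 100.0, "double_bit": 1.0}
    for name, counts in results.items():
        print(f"{name}: {dict(counts)}  DC={diagnostic_coverage(counts):.3f}")
    print(f"residual failure rate: {residual_fit(results, base_fit):.3f} FIT")
```

Running it shows the point a safety analysis has to make explicit: a single parity bit gives full coverage of single-bit upsets but none of double-bit upsets, so the residual failure rate is driven entirely by how often the second fault model is assumed to occur. Swapping the parity check for an error-correcting code, or changing the assumed base failure rates, changes the result, which is why Part 11's guidance on fault models and failure rates matters as much as the coverage figure itself.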
Of course, any automotive application must also meet the automotive reliability requirements defined by the Automotive Electronics Council: AEC-Q100 "Stress Test Qualification for Packaged Integrated Circuits," AEC-Q101 for discrete parts, AEC-Q102 for discrete optoelectronics, AEC-Q104 for multichip modules and AEC-Q200 for passive components.