Safety: The Absence of Unreasonable Risk
Author: Mike Bartley, T&VS founder and CEO | Filed as: automotive ICs and ISO 26262
At a recent Design and Verification Europe meeting (DVClub) organised by T&VS, a range of expert speakers shared their experiences of how to ensure automotive ICs comply with the safety requirements of the ISO 26262 standard. In this article Mike summarises the key points made in each of the presentations.
Automotive is currently the fastest growing IC market and is attracting interest from several potential new entrants. However, there are significant barriers to entry, and one of them is compliance with ISO 26262, which governs how automotive ICs must be developed so that they are demonstrably safe.
Meeting Functional Safety Requirements for Automotive Applications
Adam Sherer from Cadence explained the importance of identifying the appropriate ASIL (Automotive Safety Integrity Level) before starting any new automotive IC development. To do this it is necessary to identify and classify the hazards based on three factors: severity, exposure and controllability.
Severity captures the potential harm caused by a hazard, and exposure the probability of being in the operating situation in which it can occur. These two factors make up the classic risk analysis, but ISO 26262 also considers how much control the driver has over the hazard. For example, if the car decides to apply the brakes and the driver has no way to override it, controllability is very low. The higher the ASIL, the more rigorous the development process needs to be (e.g. higher coverage targets) and the higher the required level of fault detection. View the full presentation.
Developing Safe ICs – Mentor Safe IC for ISO 26262 & IEC 61508
Alex Grove from Mentor Graphics highlighted that ISO 26262 is about driving down the risk of faults because the cost of failure is so high. In his presentation he identified two main types of fault: systematic and random. Systematic faults are the usual bugs that we try to find through functional verification. These can generally be avoided through greater rigour in the verification process, using techniques such as FMEA/FMEDA and requirements-driven verification, with the higher ASILs requiring more rigour, e.g. through higher structural coverage targets. Random hardware faults may be permanent (e.g. stuck-at) or transient (e.g. glitches induced by EMI, or radiation-induced bit flips), and the IC under development is required to detect such faults and either correct them or fail safe. Once again, higher ASILs require higher detection rates. Alex outlined Mentor's automotive solution (Polarion), which has four key components: life-cycle management; safety analysis (based on the Austemper acquisition); design for safety; and safety verification. View the full presentation.
Functional Safety – The Absence of Unreasonable Risk
Olivier Bocquillon from Synopsys reminded us that safety is defined as the absence of unreasonable risk. He underlined the issue of random faults by citing the Toyota unintended-acceleration case of 2011, in which a single bit flip, possibly caused by a cosmic ray, was put forward as a cause. The incidents were not only costly to Toyota but, far more importantly, were linked to several deaths. In his presentation Olivier outlined what functional safety is, how it should be done, and what needs to be done differently before we can relax in our autonomous cars. He concluded by outlining the Synopsys Z01X solution for running a fault injection campaign, which is required to measure fault detection rates.
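The random-fault discussion in the Mentor and Synopsys talks above comes down to one measurable quantity: of the faults that corrupt a value, what fraction does the safety mechanism catch? The following Python is an added illustration written for this article, not code from Synopsys, Mentor or any of the speakers. It runs a miniature fault-injection campaign over an 8-bit register holding a constructed pedal-position workload (0 to 100 %), injects every single stuck-at-0, stuck-at-1 and transient bit-flip fault, and classifies each injection as detected, safe (masked for that workload value) or residual (wrong value, no alarm) for two hypothetical safety mechanisms: a plausibility range check and a parity bit. The detected/(detected + residual) ratio is then compared with the ISO 26262-5 single-point fault metric targets (90 %, 97 % and 99 % for ASIL B, C and D). The register width, workload and both mechanisms are assumptions made for the demonstration.

```python
"""Toy fault-injection campaign (illustrative example, not a Z01X or Mentor flow).

Injects single stuck-at and transient bit-flip faults into an 8-bit register
and measures how well two hypothetical safety mechanisms detect them.
"""
from collections import Counter

DATA_BITS = 8
DATA_MASK = (1 << DATA_BITS) - 1
PARITY_BIT = DATA_BITS            # bit position of the stored parity flag
WORKLOAD = range(0, 101)          # constructed workload: pedal position in percent

# Single-point fault metric targets from ISO 26262-5 (as fractions).
SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}


def parity(data: int) -> int:
    """Even parity over the data bits only."""
    return bin(data & DATA_MASK).count("1") & 1


# Each hypothetical mechanism maps a stored word to (value_read, alarm_raised).

def range_check(word: int):
    """Plausibility check: a pedal position above 100 % is impossible, so flag it."""
    data = word & DATA_MASK
    return data, data > 100


def parity_check(word: int):
    """Stored word carries an even-parity bit; flag any mismatch on read."""
    data = word & DATA_MASK
    stored = (word >> PARITY_BIT) & 1
    return data, parity(data) != stored


def store(value: int, with_parity: bool) -> int:
    """Build the golden (fault-free) register contents for a workload value."""
    word = value & DATA_MASK
    if with_parity:
        word |= parity(value) << PARITY_BIT
    return word


def inject(word: int, bit: int, kind: str) -> int:
    """Apply one fault: permanent stuck-at-0/1 or a transient single-bit flip."""
    mask = 1 << bit
    if kind == "sa0":
        return word & ~mask
    if kind == "sa1":
        return word | mask
    if kind == "flip":            # single-event upset, like the cosmic-ray case
        return word ^ mask
    raise ValueError(kind)


def run_campaign(mechanism, with_parity, sites, kinds=("sa0", "sa1", "flip")):
    """Inject every (workload value, fault site, fault kind) and classify the outcome."""
    tally = Counter()
    for value in WORKLOAD:
        golden = store(value, with_parity)
        for bit in sites:
            for kind in kinds:
                data, alarm = mechanism(inject(golden, bit, kind))
                if alarm:
                    tally["detected"] += 1      # mechanism reacted
                elif data == value:
                    tally["safe"] += 1          # fault masked for this value
                else:
                    tally["residual"] += 1      # wrong value, no alarm: dangerous
    return tally


def coverage(tally) -> float:
    """Fraction of value-corrupting faults that the mechanism detected."""
    effective = tally["detected"] + tally["residual"]
    return tally["detected"] / effective if effective else 1.0


def meets(tally, asil: str) -> bool:
    """Does the measured coverage reach the single-point fault metric target?"""
    return coverage(tally) >= SPFM_TARGET[asil]


if __name__ == "__main__":
    runs = [("range check", range_check, False, range(DATA_BITS)),
            ("parity bit", parity_check, True, range(DATA_BITS + 1))]
    for name, mech, with_parity, sites in runs:
        t = run_campaign(mech, with_parity, sites)
        verdict = " ".join(f"ASIL {a}:{'ok' if meets(t, a) else 'FAIL'}" for a in "BCD")
        print(f"{name:12s} {dict(t)} coverage={coverage(t):.3f} {verdict}")
```

Running it shows why detection rate has to be measured rather than asserted: the range check catches every fault that pushes the value above 100 % (all bit-7 faults) but misses most corruptions of the lower-order bits, landing at roughly 21 % coverage, while the parity bit detects every single-bit fault in this workload. A production campaign does the same bookkeeping over gate-level fault sites with a tool such as Z01X, and also tracks latent faults (faults the mechanism never observes), which this toy deliberately omits.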