DVCLUB Europe | Automotive Safety and ISO26262
Dirk Hansen, Mentor A Siemens Business, Functional Safety Professional
Automotive market analysis predicts double-digit annual growth in IC development over the next decade. Throughout this period, the size and complexity of ICs will continue to grow exponentially, driven by demand for advanced driver-assistance and autonomous drive systems. Design and verification methodologies must evolve to meet demanding product development schedules while simultaneously demonstrating the achievement of functional safety. ISO26262, the state-of-the-art standard for the development of functionally safe products, details two types of faults which must be addressed:
Systematic Faults: Ensuring the design operates correctly
Random Faults: Ensuring the design fails safely in the presence of unpredictable faults
While systematic faults incur their own unique challenges, redefining the methodology and approach to random fault safety analysis can significantly reduce the safety lifecycle execution time and eliminate iterations. The graphic below defines the key steps within an automotive safety lifecycle. In the past, expert-driven judgement was the primary means of completing safety analysis, which includes defining all the failure modes in the design. As ICs have grown, it is no longer feasible for experts to comprehend all the failure modes. Unfortunately, errors in that expert-derived failure-mode list aren't identified until after the design is modified with safety mechanisms, functional coverage is re-closed, and an expensive fault campaign has completed.
New tools and activities within the Safety Analysis phase are required to eliminate this uncertainty from the safety lifecycle. Specifically, engineers must be able to accurately define how a device will fail and the design modifications required to protect against random hardware faults. These additional activities can be summarized into an initial safety assessment followed by safety exploration.
Using bottom-up structural analysis techniques, engineers can quickly perform gap analysis on the existing safety architecture and determine the design modifications required to meet the target safety goals. This upfront guidance eliminates schedule uncertainty by providing a systematic approach to a single-iteration safety lifecycle.
The first step within Safety Analysis is performing the initial safety assessment. Using structural analysis techniques, the design is evaluated for safety holes and compared against top-down, expert-driven judgement. This form of gap analysis validates the accuracy of expert-estimated safety metrics such as failures in time (FIT), single-point fault metric (SPFM), latent fault metric (LFM), and probabilistic metric for hardware failure (PMHF). This bottom-up approach analyzes both instance-based and multi-cycle safety mechanisms and calculates both the FIT and the achievable diagnostic coverage of existing safety mechanisms. In addition, it provides valuable guidance on the safety holes in the design and their contribution to the overall FIT rate. With this information, the user is armed with the knowledge required to evaluate modifications to the safety architecture and move to the safety exploration step.
In safety exploration, additions or modifications to the safety architecture are proposed and the achievable diagnostic coverage and impact to area are calculated. This step is expected to be iterative as it allows the user to experiment with different safety implementations, understand the achievable safety metrics and calculate the impact to power, performance, and area (PPA). Once the optimal safety architecture is identified, design engineers begin the process of hardening the design by implementing the proposed safety mechanisms.
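The two steps above, the initial assessment (FIT, SPFM, LFM and a ranked list of safety holes) and the exploration loop (re-running the metrics for each proposed mechanism against an ASIL target and its area cost), are shown below as an added example. It is not Mentor's or Siemens' tooling and not from the talk: the element names, FIT rates, diagnostic-coverage figures and area overheads are constructed sample values, and the fault classification is a simplified reading of ISO 26262-5 in which a safety-related fault is either residual (not caught by a mechanism) or multiple-point (caught, and latent if no latent-fault test reveals it). The ASIL B/C/D SPFM and LFM targets are the ones ISO 26262-5 specifies; PMHF is omitted because it needs exposure-time data the page does not discuss.

```python
"""Bottom-up estimation of ISO 26262 random-hardware-fault metrics.

Added illustration, not Mentor/Siemens tooling. Element names, FIT rates and
coverage figures are constructed sample values, and the fault classification
is a simplified reading of ISO 26262-5: a fault is safe, single-point/residual
(reaches the safety goal because no mechanism catches it), or multiple-point
(caught by a mechanism, and latent if no latent-fault test reveals it).
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# ISO 26262-5 hardware architectural metric targets (SPFM, LFM) per ASIL.
ASIL_TARGETS: Dict[str, Tuple[float, float]] = {
    "B": (0.90, 0.60),
    "C": (0.97, 0.80),
    "D": (0.99, 0.90),
}


@dataclass(frozen=True)
class Element:
    """One structural element of the design (hypothetical instance names)."""
    name: str
    fit: float              # base failure rate in FIT (failures per 1e9 hours)
    safety_related: float   # share of faults that can violate the safety goal
    dc_residual: float      # diagnostic coverage of the mechanism guarding it
    dc_latent: float        # coverage of latent-fault tests on the covered share
    area_overhead: float = 0.0  # relative area cost of the mechanisms applied


def classify(e: Element) -> Dict[str, float]:
    """Split an element's FIT into safe / residual / multiple-point / latent."""
    safe = e.fit * (1.0 - e.safety_related)
    safety_related = e.fit - safe
    residual = safety_related * (1.0 - e.dc_residual)   # single-point when dc == 0
    multipoint = safety_related - residual              # detected by a mechanism
    latent = multipoint * (1.0 - e.dc_latent)           # never revealed to the driver
    return {"safe": safe, "residual": residual,
            "multipoint": multipoint, "latent": latent}


def safety_metrics(elements: List[Element]) -> Dict[str, float]:
    """SPFM and LFM as defined in ISO 26262-5, plus the FIT totals behind them."""
    total = sum(e.fit for e in elements)
    residual = sum(classify(e)["residual"] for e in elements)
    latent = sum(classify(e)["latent"] for e in elements)
    return {
        "total_fit": total,
        "residual_fit": residual,
        "latent_fit": latent,
        "spfm": 1.0 - residual / total,
        "lfm": 1.0 - latent / (total - residual),
        "area_overhead": sum(e.area_overhead for e in elements),
    }


def safety_holes(elements: List[Element]) -> List[Tuple[str, float]]:
    """Elements ranked by their contribution to the residual (dangerous) FIT."""
    holes = [(e.name, classify(e)["residual"]) for e in elements]
    return sorted(holes, key=lambda h: h[1], reverse=True)


def meets_asil(metrics: Dict[str, float], asil: str) -> bool:
    spfm_target, lfm_target = ASIL_TARGETS[asil]
    return metrics["spfm"] >= spfm_target and metrics["lfm"] >= lfm_target


def explore(baseline, proposals, asil):
    """Safety exploration: apply each proposal and report metrics, area, pass/fail."""
    results = []
    for label, changes in proposals.items():
        design = [changes.get(e.name, e) for e in baseline]
        m = safety_metrics(design)
        results.append((label, m, meets_asil(m, asil)))
    return results


# Constructed baseline: an unprotected ALU, an ECC-protected register file and
# partially checked configuration registers.
ALU = Element("alu", fit=10.0, safety_related=1.0, dc_residual=0.0, dc_latent=0.0)
REGFILE = Element("regfile", 20.0, 0.9, 0.99, 0.90, area_overhead=0.15)
CFG = Element("cfg_regs", 5.0, 0.5, 0.60, 0.50, area_overhead=0.05)
BASELINE = [ALU, REGFILE, CFG]

# Constructed proposals for the exploration step (element name -> modified element).
PROPOSALS = {
    "alu_lockstep": {
        "alu": replace(ALU, dc_residual=0.99, dc_latent=0.90, area_overhead=1.0)},
    "alu_lockstep+cfg_parity": {
        "alu": replace(ALU, dc_residual=0.99, dc_latent=0.90, area_overhead=1.0),
        "cfg_regs": replace(CFG, dc_residual=0.99, area_overhead=0.10)},
    "alu_lockstep+cfg_parity+cfg_bist": {
        "alu": replace(ALU, dc_residual=0.99, dc_latent=0.90, area_overhead=1.0),
        "cfg_regs": replace(CFG, dc_residual=0.99, dc_latent=0.95, area_overhead=0.20)},
}

if __name__ == "__main__":
    base = safety_metrics(BASELINE)
    print(f"baseline: SPFM={base['spfm']:.4f} LFM={base['lfm']:.4f} "
          f"residual={base['residual_fit']:.2f} FIT")
    for name, fit in safety_holes(BASELINE):
        print(f"  hole {name}: {fit:.2f} FIT residual")
    for label, m, ok in explore(BASELINE, PROPOSALS, "D"):
        print(f"{label}: SPFM={m['spfm']:.4f} LFM={m['lfm']:.4f} "
              f"area=+{m['area_overhead']:.2f} ASIL D {'PASS' if ok else 'FAIL'}")
```

Run as-is, the baseline assessment reports the unprotected ALU as the dominant safety hole (10 of the 11.18 residual FIT) and an SPFM far below any ASIL target. The exploration loop then shows why the step is iterative: adding lockstep to the ALU alone lifts SPFM only to about 96%, adding parity on the configuration registers reaches about 98.5%, and only the third proposal, which also adds a latent-fault test for those registers, clears both the 99% SPFM and 90% LFM thresholds for ASIL D, at the largest area cost.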
3 Key Points: