The proliferation of electronic systems in automobiles has resulted in the creation of new automotive standards to ensure safety.
The ISO 26262 standard is an adaptation of the more general IEC 61508 functional safety standard for electrical/electronic/programmable electronic safety-related systems.
ISO 26262 defines functional safety for automotive equipment and addresses possible hazards caused by the malfunctioning of electronic and electrical systems in passenger vehicles. Components of automotive electrical/electronic systems play a critical role in achieving compliance with the ISO 26262 standard.
At every level in the development of safety systems, from the selection of processor IP and the IP development process, to software development and even document creation, there is a need to address functional safety compliance. Understanding ISO 26262 compliance from a processor IP perspective, including the role of the processor IP, its software, and its documentation, can help ease the certification process.
What is functional safety?
Car manufacturers are excited to tell us about all of the new and cool features their cars have and how they have hundreds of upgrades over the previous year's model. One advantage that's being touted more and more often is the safety system.
Automakers are adding more and more safety features and capabilities, including advanced driver assistance systems (ADAS) like lane departure detection, blind spot detection, high-end radar and vision systems, and emergency braking assistance.
If you look at some of the systems available today you will be struck by the scale of influence that car electronic systems have over the driving experience and automotive safety. Electronic ADASs are increasing in both use and importance (see Figure 1).
The ISO 26262 standard
With this rapid growth in usage of electrical, electronic, and programmable safety-related systems in passenger cars, there was a need for a safety standard. The ISO 26262 standard, first published on November 11, 2011, was created to define functional safety guidelines for automotive safety systems.
Ultimately it is up to the automotive OEM and Tier 1 suppliers designing and building the automotive safety systems to make sure they comply with the ISO 26262 standard for their pre-defined safety functions. The OEM and Tier 1 suppliers have the task of piecing together their technology, components, software, and documentation to achieve certification.
The safety burden has extended from the automotive OEM to the component supplier(s) and then to the IP supplier(s) of the technology that goes into the chip. At every level in the development of safety systems, there is a need to deliver technology and software that encompass functional safety compliance.
With the need for more complex and sophisticated safety systems comes the need for more complex and sophisticated semiconductor IP.
The IP used in these safety-critical system components needs to be created in an ISO 26262-aware organization with appropriate processes and facilitating technology to expedite ISO 26262 certification of the systems built by automotive OEMs and Tier 1 suppliers.
This means that the IP developer has to follow the procedures and, where applicable, implement safety features that meet specified Automotive Safety Integrity Levels (ASILs).
Estimating risk in automotive safety applications
The ASIL is a key component for ISO 26262 compliance and is determined at the beginning of the development process.
The intended functions of the system are analyzed with respect to possible hazards to identify the safety requirements of the system. The ASIL specification asks the question: "If a failure arises, what will happen to the driver and associated road users?"
The estimation of this risk, based on a combination of the probability of exposure, the possible controllability by a driver, and the severity of the possible outcome if a critical event occurs, leads to the ASIL rating (see Figure 2). The ASIL does not address the technologies used in the system; it is purely focused on the harm to the driver and other road users.
Figure 2. ASIL determination formula.
Each safety requirement is assigned an ASIL of A, B, C, or D, with D denoting the most safety-critical processes and the strictest testing requirements.
The ISO 26262 standard specifically identifies the minimum testing requirements depending on the ASIL designation of the component.
This aids in determining the methods that must be used for testing. Once the ASIL is determined, a safety goal for the system is formulated. This defines the system behavior needed to ensure safety.
Like its parent standard, IEC 61508, ISO 26262 is a risk-based safety standard, meaning the risk of hazardous operational situations is qualitatively assessed and safety measures are defined to avoid or control systematic failures and to detect or control random hardware failures, or mitigate their effects.
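As an added worked example (not code from the article), the following Python shows how the three parameters named above, severity (S), probability of exposure (E), and controllability (C), combine into an ASIL, and how a safety goal then inherits the highest ASIL of the hazardous events that violate it. The S/E/C class table is reproduced from ISO 26262-3 as I know it; check it against your edition before relying on it. The hazardous events at the bottom are constructed placeholders for illustration, not a real hazard analysis. The example goes one step beyond the text by also showing the closed form of the table (one ASIL level per unit of S+E+C above 6) and verifying that it reproduces the table exactly.

```python
"""ASIL determination for hazardous events, in the style of ISO 26262-3.

Added example, not code from the article. The class table is reproduced from
ISO 26262-3 as the editor recalls it; the sample events are constructed.
"""
from dataclasses import dataclass

# Class ranges: severity S0..S3, probability of exposure E0..E4,
# controllability C0..C3. Class 0 (no injuries / incredible exposure /
# controllable in general) never yields an ASIL.
SEVERITY_CLASSES = range(0, 4)
EXPOSURE_CLASSES = range(0, 5)
CONTROLLABILITY_CLASSES = range(0, 4)

# QM = quality management only, no ASIL; D is the most stringent level.
ASIL_ORDER = ("QM", "A", "B", "C", "D")

# ASIL table for S1..S3 x E1..E4; each tuple lists the result for (C1, C2, C3).
ASIL_TABLE = {
    (1, 1): ("QM", "QM", "QM"), (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),  (1, 4): ("QM", "A", "B"),
    (2, 1): ("QM", "QM", "QM"), (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A", "B"),   (2, 4): ("A", "B", "C"),
    (3, 1): ("QM", "QM", "A"),  (3, 2): ("QM", "A", "B"),
    (3, 3): ("A", "B", "C"),    (3, 4): ("B", "C", "D"),
}


def _check_classes(s: int, e: int, c: int) -> None:
    """Reject parameter classes outside the ranges the standard defines."""
    if s not in SEVERITY_CLASSES:
        raise ValueError(f"severity class S{s} outside S0..S3")
    if e not in EXPOSURE_CLASSES:
        raise ValueError(f"exposure class E{e} outside E0..E4")
    if c not in CONTROLLABILITY_CLASSES:
        raise ValueError(f"controllability class C{c} outside C0..C3")


def asil_from_table(s: int, e: int, c: int) -> str:
    """ASIL of one hazardous event, read directly from the table."""
    _check_classes(s, e, c)
    if 0 in (s, e, c):
        return "QM"
    return ASIL_TABLE[(s, e)][c - 1]


def asil_additive(s: int, e: int, c: int) -> str:
    """Closed form of the same table: one ASIL level per unit of S+E+C
    above 6, so S3+E4+C3 = 10 gives D and any sum at or below 6 gives QM."""
    _check_classes(s, e, c)
    if 0 in (s, e, c):
        return "QM"
    return ASIL_ORDER[max(0, s + e + c - 6)]


@dataclass(frozen=True)
class HazardousEvent:
    name: str
    safety_goal: str  # the safety goal this hazardous event would violate
    s: int
    e: int
    c: int

    @property
    def asil(self) -> str:
        return asil_from_table(self.s, self.e, self.c)


def safety_goal_asils(events) -> dict:
    """Each safety goal takes the highest ASIL among the hazardous events
    mapped to it; the returned dict maps safety goal -> ASIL."""
    result = {}
    for ev in events:
        current = result.get(ev.safety_goal, "QM")
        result[ev.safety_goal] = max(current, ev.asil, key=ASIL_ORDER.index)
    return result


# Constructed illustrative events for an emergency braking assist function.
# The S/E/C classes are placeholders chosen to exercise the table.
EXAMPLE_EVENTS = (
    HazardousEvent("Unintended full braking at highway speed",
                   "SG1: avoid unintended braking", s=3, e=4, c=2),
    HazardousEvent("Unintended braking while parking",
                   "SG1: avoid unintended braking", s=1, e=3, c=1),
    HazardousEvent("Loss of braking assist in an emergency",
                   "SG2: provide braking assist when required", s=3, e=2, c=3),
)

if __name__ == "__main__":
    for ev in EXAMPLE_EVENTS:
        print(f"{ev.name}: S{ev.s} E{ev.e} C{ev.c} -> {ev.asil}")
    for goal, asil in safety_goal_asils(EXAMPLE_EVENTS).items():
        print(f"{goal} -> ASIL {asil}")
```

The point of keeping both `asil_from_table` and `asil_additive` is traceability: an assessor expects the table, while the additive form makes clear that the rating is purely about harm to people (exposure, controllability, severity) and says nothing about the technology used, which is exactly the property the text attributes to the ASIL.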
ISO 26262 and processor IP
Processor IP is at the heart of many, if not most, new automotive safety system controllers and system-on-chips (SoCs).
The processor runs the software that determines the functions of the ASIC or SoC and, ultimately, the safety performance of the whole system.
The relationships among the processor IP, the software running on it, and the achievement of certification now become a much more complex mapping of responsibility for safety compliance across the supply chain of the OEM, the component supplier, and now the processor IP provider.
This means that the processor IP provider also needs to be knowledgeable about the requirements of ISO 26262 and aware of the ASILs its IP must support.