ASIL D Requires Precision

While the highest level of automotive safety requires precision in many ways, the path there is still fuzzy.


It seems the entire world is abuzz with the excitement surrounding autonomous driving, and while more driver-assist features are added to new vehicles all the time, this is tempered by the fact that there is still much work to be done when it comes to safety.

For developers across the automotive ecosystem, safety comes down to the Automotive Safety Integrity Level (ASIL) risk classification scheme as defined by the ISO 26262 – Functional Safety for Road Vehicles standard.

ASIL D — the abbreviation of Automotive Safety Integrity Level D, which refers to the highest classification of initial hazard (injury risk) defined within ISO 26262 — is required for Level 5 full autonomous driving. This level of stringency demands precision in the design of both hardware and software.

Adam Sherer, verification product management director at Cadence, said engineering teams are indeed asking about exactly this. “We see some customers that are pursuing a comprehensive fault analysis for ASIL D in the safety critical systems. The challenge with that is when the devices are 200 to 500 million gate equivalent designs, that’s a lot of fault simulation – that’s a huge amount of fault simulation.”

He noted that the leading semiconductor companies in the space that have had several years of experience with ASIL D typically do a statistical sampling within the safety critical part of the system. “First, they narrow the design to the safety-critical subsystems, and then they do statistical analysis within. The brute force isn’t truly necessary because it’s not a design for test — what we’re really trying to examine are the diagnostic systems, not the design itself. It’s about how well the system can recover; that’s the main concern.”
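As an added illustration (not code from Cadence or from this article) of the approach Sherer describes: scope the fault list to the safety-critical blocks, then estimate how many faults the diagnostics detect from a random sample with a confidence interval, rather than simulating every fault. The block names, per-block detection rates and the deterministic stand-in for a fault-simulation run are constructed toy values, not figures from any real design.

```python
import math
import random

# Constructed toy chip: three blocks of fault sites, of which two form the
# safety-critical subsystem and carry a diagnostic (e.g. lockstep compare).
CRITICAL_BLOCKS = {"brake_ctrl", "steer_ctrl"}
DETECT_RATE = {"brake_ctrl": 0.99, "steer_ctrl": 0.97}  # hypothetical coverage

def build_fault_list(n_gates_per_block=20000):
    """Fault sites for the whole chip; infotainment is outside the safety scope."""
    faults = []
    for block in ("brake_ctrl", "steer_ctrl", "infotainment"):
        faults += [(block, g) for g in range(n_gates_per_block)]
    return faults

def is_detected(fault):
    """Stand-in for one fault-simulation run: deterministic per fault id."""
    block, gate = fault
    return (gate % 100) < int(DETECT_RATE[block] * 100)

def in_scope(faults):
    return [f for f in faults if f[0] in CRITICAL_BLOCKS]

def exhaustive_coverage(faults):
    """Brute force: simulate every fault in the safety-critical subsystem."""
    scoped = in_scope(faults)
    return sum(is_detected(f) for f in scoped) / len(scoped)

def wilson_interval(detected, n, z=1.96):
    """95% Wilson score interval for an observed detection proportion."""
    p = detected / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half

def sampled_coverage(faults, n_samples, seed=0):
    """Statistical sampling: simulate only a random subset of scoped faults."""
    rng = random.Random(seed)
    sample = rng.sample(in_scope(faults), n_samples)
    detected = sum(is_detected(f) for f in sample)
    return detected / n_samples, wilson_interval(detected, n_samples)

def samples_for_margin(p, margin, z=1.96):
    """Sample size for a normal-approximation CI of the given half-width."""
    return math.ceil(z * z * p * (1 - p) / (margin * margin))

if __name__ == "__main__":
    faults = build_fault_list()
    print("exhaustive:", exhaustive_coverage(faults), "over", len(in_scope(faults)))
    est, (lo, hi) = sampled_coverage(faults, samples_for_margin(0.98, 0.01))
    print(f"sampled: {est:.4f}  95% CI [{lo:.4f}, {hi:.4f}]")
```

With 753 simulated faults instead of 40,000 the estimate lands within about one percentage point of the exhaustive figure, which is why the sampling is applied only after the design has been narrowed to the safety-critical subsystem.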

Up another level, Rob Knoth, product management director, Digital & Signoff Group at Cadence, noted that what matters is not so much which single tool is being used but that safety is being approached from a flow perspective. “It’s possible to have the absolute best tool in the world, and use it poorly.”

He feels this is where EDA vendors play an important role as a partner in helping engineering teams achieve high levels of safety and security in their systems. “It’s about understanding how tools should be working together, making sure they are designed in an appropriate way, and the flow is designed appropriately so faults are not being introduced into the design based on how the tools are used.”

While structure is good, it can also feel constraining.

Robert Bates, chief safety officer in the embedded systems division at Mentor Graphics, is a big fan of the structure that ISO 26262 puts on the way safety is considered, but pointed out that in this environment that structure is almost a shackle, tied to the problem of scale from both the hardware and the software perspective, for any kind of autonomous vehicle system higher than Level 2 to be successful. “There’s not going to be any linkage. ISO 26262 assumes I’ve got a bunch of safety requirements that I’ve determined after a hazard analysis. Then I do a bunch of design to satisfy the safety requirements, which fits perfectly well into autonomous drive, and then I’ve got this implementation which satisfies the design and the safety requirements, and that’s where everything gets fuzzy. You have to look at both the implementation and the training, because I don’t think any of this is possible without sophisticated machine learning. So it’s not just the implementation, it’s all this data that goes into it. That’s where ISO 26262 has no guidance for us, and the coming version also has no guidance for us.”

While the path may still be a little murky at this point, there is enough work happening around the globe to make truly autonomous driving a reality when all the pieces fall into place.
