Key practices for designing products for functional safety.
By Pavithra C. Suriyanarayanan and Srini Krishnaswami
The autonomous vehicle market is growing at a tremendous rate and functional safety in conventional, hybrid, and electric automobiles plays a significant role in achieving the required certification. Auto makers must go through numerous government regulations that call for increased safety and reliability all the way down to the component level, including the IP and SoC that are used. ISO 26262:2018 and Safety of the Intended Functionality (SOTIF) or ISO/PAS 21488:2019 are standards that define norms for functional safety in automobiles.
Today’s cars are fully developed electronic systems on wheels, with all parts being interrelated. As a result, it is important to apply a holistic approach when developing automotive systems. Various stakeholders in the automotive supply chain contribute to a finished, safe, and drivable computer on wheels (figure 1).
Fig. 1: Different tiers in the automotive supply chain.
In an effort to mitigate some of the inherent human error when driving a vehicle, today’s cars have a variety of driver assistance technologies, including forward collision warning, automatic emergency braking, lane monitoring, and blind spot detection safety features. All of these systems are built on semiconductor components, which often include multiple IP cores, as well as embedded processors or microcomputers that execute software. This IP is subject to systematic errors, caused by faulty software or bugs in the logic, and random hardware errors, due to aging of components or transient errors, that can have a significant impact on the semiconductor components that determine safe operation of our automobiles.
For a component such as an embedded processor, the impact of errors from software, development processes, and random hardware faults can be catastrophic. A processor relies on correct program sequencing, which is both order- and timing-dependent. A glitch or a particle strike can alter a single bit and cause either a lockup or incorrect program execution.
While safety mechanisms can be implemented, a thorough independent assessment to evaluate the safety analysis and development process provides a uniform measure to qualify IP. For technology to be able to save lives, it is extremely critical that it is properly qualified and an independent assessment is performed to validate conformance to the ISO 26262:2018 standard.
Every module or subsystem in a vehicle may consist of IP with a blend of safety elements in-context and safety elements out-of-context (SEooCs), which is often IP that is designed without any specific use case in mind. With heterogeneous end products from various vendors, it is important to recognize that the ISO 26262:2018 standard provides unified guidelines that apply to both an IP component such as a SEooC as well as to a subsystem component such as a camera, radar, LiDAR, or control unit. However, not all semiconductor IP suppliers provide full ASIL compliance that includes systematic and random fault analysis. Synopsys provides IP that is certified as ISO 26262:2018 ASIL compliant, meaning this IP can detect both random (hardware) and systematic (development process) failures. A certification for ASIL compliance is a metric that takes the guesswork out of the quality of a SEooC by performing an audit and assessment of the development process for systematic and random hardware metrics.
ASIL compliance is an assessment conducted by a third party that covers all relevant parts subject to the tailoring of the ISO 26262:2018 standard. Third-party audits and assessments are performed on the Functional Safety Development Process, Systematic Methods, and Random Hardware Fault Analysis.
Overall, both the process involved in developing a safety product and the product itself (including design, analysis, and verification items) are included in this certification.
The ISO 26262:2018 standard provides unified safety guidelines for all stakeholders across the automotive industry, from semiconductor companies to car manufacturers. Achieving overall safety will require implementing several safety measures at every level.
For Synopsys DesignWare ARC Processor IP, 80+ safety documents (also called work products) are developed, and all work products go through stringent procedures with multiple checks and balances. This process includes multiple iterations of review and approval, followed by an internal audit and assessment before the IP is sent for third-party assessment of compliance. At Synopsys, IP development teams work in collaboration with an internal functional safety (FuSa) team that adheres to the independence levels defined by the ISO 26262:2018 standard to execute confirmation measures including Confirmation Reviews, FuSa Audits, and FuSa Assessments. Synopsys has a strong safety culture in place, which also includes an ISO 26262 compliant FuSa development process and a quality management system (QMS) to ensure high-quality certified processor IP.
Figure 2 shows two key process-based practices that are essential for achieving complete and successful ISO 26262:2018 ASIL compliance for both systematic and random faults with a third-party auditor/assessor.
Fig. 2: The Synopsys safety culture ensures high-quality certified processor IP.
It is critical that everyone involved in the ASIL compliance certification process be accountable throughout the product development life cycle to ensure the IP meets functional safety requirements. A ‘safety is the highest priority’ practice prevails only where a good safety culture is actually practiced. It is not just a team effort but an organizational-level one, where various leaders and teams collaborate and contribute. An effective safety culture requires personal dedication and integrity among those responsible for achieving and maintaining functional safety, as well as among the individuals performing or supporting safety activities in the organization. In addition, a ‘safety is the highest priority’ mindset is necessary: one that allows for practices that prevent complacency, a commitment to excellence, individuals feeling a sense of personal responsibility, and corporate self-regulation.
Typically, during development of a product, multiple owners are involved in various work products simultaneously. As a result, it is important to control the work product revisions as well as any updates made to the template used for a work product during the development process. Use of a central source management system is essential in maintaining checks and consistency in technical content and in keeping up with frequent template updates. Key tags like date of check-in/checkout, latest version, number of revisions, and tracking overall updates are clearly defined using this system.
An integrated requirement management system is used to develop the many work products such as Technical Safety Concept (TSC), Product Development Document, and others. Particularly in the TSC, assessment and audit criteria for ASIL compliance include:
For a Safety Element out-of-Context (SEooC), Top-Level Safety Requirements (TLSRs) are paramount, and Technical Safety Requirements (TSRs) are derived to meet the TLSRs, as shown in figure 3.
Fig. 3: Workflow (integration) of an SEooC.
With the number of SEooC suppliers rapidly increasing, adapting to the needs of autonomous and semi-autonomous systems is extremely critical. Therefore, it is important for the integral stakeholders of the automotive supply chain to be aware that not all vendors deliver products that meet the ISO 26262:2018 standard. Similarly, IP vendors may not entirely comply with the safety guidelines to meet safety requirements for integration. Though these claims may seem trivial, it is extremely important that key practices such as a good safety culture and stringent checks are imposed at every stage of product development. ASIL compliance is a uniform measure that can be applied to IP and SoC to set a quality and functional safety adherence level.
IP used in automotive systems is fully ASIL compliant when it meets all parts of the ISO 26262:2018 standard, as assessed by accredited and independent auditors. At Synopsys, building safe systems is achieved by promoting an exceptional safety culture within the organization. Synopsys ARC Functional Safety processors go through stringent procedures with multiple checks and balances as defined by the ISO 26262:2018 standard, helping to ease integration for designers.
Read the white paper to learn more: Driving Change – The Importance of ASIL Compliant Certified IP in Automotive Systems
Srini Krishnaswami is a senior R&D manager for Functional Safety at Synopsys.