Ensuring Functional Safety For Self-Driving Cars

There may be no hotter topic in electronics than chips for autonomous vehicles. Self-driving cars have captured the public imagination and become a major area of investment. Both established automotive manufacturers and well-funded startups are producing vehicles with the highly complex chips needed to negotiate roads, deal with unpredictable humans and communicate with the cloud for machine learning applications. Many of the teams designing these chips are new to the world of automotive electronics and may not fully appreciate all the unique design and verification challenges. They must become intimately familiar with ISO 26262, the standard that sets the bar for safety of vehicle electrical and electronic systems.

ISO 26262 (“Road vehicles – Functional safety”) was published by the International Organization for Standardization (ISO) in 2011. It spans all forms of automotive electronics and predates the wide availability of advanced driver assistance or autonomous driving features, but ever-increasing automation has greatly increased awareness of the standard. Functional safety is the absence of unacceptable risk due to faults in the system. Faults are classified into systematic faults, often the result of mistakes in the design, and random faults, often caused by external conditions such as radiation or aging in electronic components. Furthermore, random faults can be permanent or transient. A fault may manifest itself as an error (incorrect condition or result) and the error could result in a failure under which the system is unable to function as required.

ISO 26262 defines the Automotive Safety Integrity Level (ASIL), a risk classification system for the functional safety of road vehicles. There are four ASILs identified by the standard: A, B, C and D. ASIL A represents the lowest degree and ASIL D the highest degree of automotive hazard. Risk may be introduced by the development tools used to design and verify the chips in the system. ISO 26262 requires the assessment of tool confidence level (TCL), based on whether a tool malfunction can introduce an error and the confidence that such a malfunction would be detected by the development process. The classification may result in two main outcomes: TCL1, for which no tool classification is needed, and TCL2/3, for which tool qualification is needed.

Figure 1: The recommended verification approach depends on the desired ASIL.

Another key aspect of ISO 26262 is the implementation and confirmation of the quality of the safety mechanisms. A safety mechanism is a technical solution to detect faults or control failures to achieve or maintain a safe state. For ISO 26262, developers need to:

• Identify Failure Mode and Effects Analysis (FMEA) for each IP block
• Define Safety Mechanisms to protect against random failures
• Compute estimated Safety Metrics with Failure Mode and Effect Diagnostic Analysis (FMEDA)
• Run fault injection to measure ISO 26262 metrics on the implemented design
• Generate an FMEDA report and a Safety manual

The impact of functional safety on the chip development process is significant, affecting people, procedures and documentation, and ultimately resulting in significant effort increase. EDA tools can help, but no single tool can provide a complete solution for ISO 26262 compliance. The standard spans design, verification, implementation, manufacturing and operation in the field. Specifically, for functional safety verification, a comprehensive unified solution can greatly improve the development team productivity. Such a solution needs to include:

• A collaborative and scalable environment automating the process from FMEA to FMEDA and the generation of work products for assessors or customers
• A fault campaign management framework based on unified fault definition and database shared across all tools and automating the FMEDA annotation and metrics
• Fast and efficient verification engines
• Industry standard planning, debug, coverage and integration with requirement tracking tools
• Certification material for the tool used as well as tools demonstrating the robustness and quality of the verification environment

Synopsys has developed the industry’s first and most comprehensive functional safety verification solution for companies developing IP and chips requiring ISO 26262 certification.

Figure 2: A unique functional safety verification solution.

Components of this solution include:

• A distributed FMEDA automation solution
• Static analysis early in the design process
• Functional qualification of the verification testbench
• Concurrent and distributed fault simulation
• Fault simulation for the analog portions of the chip
• Formal fault filtering techniques
• Emulation for longer fault scenarios and software-based safety mechanisms
• Planning, coverage and debug environment with unique fault analysis capabilities

Especially with the advent of autonomous driving features, automotive electronics represents a significant opportunity for semiconductor companies. Functional safety is a key consideration for automotive applications. Understanding the implications and requirements of functional safety and the ISO 26262 standard is essential. The process and the effectiveness of each individual technology must be integrated in a productivity increasing flow. The Synopsys unified functional safety verification solution can improve productivity by more than 50 percent, resulting in faster time to ISO 26262 compliance. For a white paper with more technical detail, click here.