Functional Safety: Art Or Science?

The market for safety-critical electronics is booming, but development practices still need to mature.

Nowadays, most hardware development projects deploy functional verification flows that include UVM-based constrained-random testbenches and formal verification. High design complexity, tough budget constraints, and short time to market are the norm, not the exception. Advanced verification is a necessity for many engineering teams. In our increasingly connected world, where billions of IoT devices will soon be communicating with us and with each other, security is rapidly becoming a key concern.

Functional safety sits somewhere in between functionality and security. Avionics, railway, industrial, and medical applications have long required specialized electronic development practices to fulfill the demands of safety standards. However, over the past decade two things have changed. First, the complexity of safety-critical applications has increased dramatically. FPGAs for avionics systems, for example, may now include multiple CPU cores and other COTS IP. Challenging performance and power targets and rigorous safety compliance can no longer be achieved without deploying cutting-edge technology and methodology. Second, with the automotive market dominated by advanced driver-assistance systems (ADAS), and autonomous vehicles on the horizon, functional safety has become a high-volume business.

In recent years, countless engineers worldwide had their daily tasks influenced by functional safety. The ISO 26262 standard has been key to bringing safety into the development processes of thousands of companies within the automotive supply chain. The level of awareness and progress made is immense.

However, 10 years after the publication of the standard’s first draft, many semiconductor and IP providers still struggle to establish a mature, ISO 26262-compliant flow.

Engineers have a plethora of qualitative and quantitative approaches to choose from. Critical tasks are often carried out solely through expert judgement and largely manual processes, where the main supporting tools are nothing more than word processors and spreadsheets. The methodology applied varies hugely from company to company and project to project, depending on the expertise available, the application domain, and the target safety integrity level.

Diagnostic coverage and other fault-related metrics are key to verifying safety mechanisms and accurately estimating how robust an electronic component is with respect to random hardware faults. Nevertheless, the choice of appropriate formulas and base failure rates is far from obvious. Even a relatively small adjustment in the base failure rates may, in fact, have a large impact on the final product certification. Another area of concern is the qualification of software tools used during product development, as required by safety standards.
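As an added illustration (not from the article), a small Python model of the ISO 26262-5 single-point fault metric and a simplified PMHF, using constructed failure rates, showing how a modest base-rate change can move a claim across an ASIL threshold. The SPFM formula and ASIL targets follow ISO 26262-5; the element values, the `Element` and `rebase` helpers, the safety-goal fractions and the omission of dual-point terms from PMHF are assumptions made for the example.

```python
from dataclasses import dataclass, replace

# ISO 26262-5 targets per ASIL: (min SPFM, max PMHF in FIT). LFM omitted for brevity.
ASIL_TARGETS = {"B": (0.90, 100.0), "C": (0.97, 100.0), "D": (0.99, 10.0)}

@dataclass(frozen=True)
class Element:
    name: str
    fit: float      # base failure rate (failures per 1e9 hours); constructed sample value
    sg_frac: float  # fraction of failures able to violate the safety goal (rest are safe faults)
    dc: float       # diagnostic coverage of the safety mechanism guarding this element

def residual_fit(e: Element) -> float:
    """Failure rate left uncovered: single-point (dc == 0) plus residual faults."""
    return e.fit * e.sg_frac * (1.0 - e.dc)

def spfm(elements) -> float:
    """Single-point fault metric: 1 - (lambda_SPF + lambda_RF) / lambda (ISO 26262-5)."""
    total = sum(e.fit for e in elements)
    return 1.0 - sum(residual_fit(e) for e in elements) / total

def pmhf(elements) -> float:
    """Simplified PMHF: uncovered single-point/residual rate only (dual-point terms ignored)."""
    return sum(residual_fit(e) for e in elements)

def highest_asil(elements) -> str:
    """Highest ASIL whose SPFM and PMHF targets are both met, or 'none'."""
    m, p = spfm(elements), pmhf(elements)
    for asil in ("D", "C", "B"):
        min_spfm, max_pmhf = ASIL_TARGETS[asil]
        if m >= min_spfm and p < max_pmhf:
            return asil
    return "none"

# Constructed safety-related elements of a hypothetical SoC subsystem.
BASELINE = [
    Element("cpu_core", fit=300.0, sg_frac=0.8, dc=0.995),
    Element("sram",     fit=200.0, sg_frac=0.9, dc=0.99),
    Element("bus_glue", fit=20.0,  sg_frac=0.5, dc=0.80),
]

def rebase(elements, name: str, factor: float):
    """Return a copy with one element's base failure rate scaled by `factor`."""
    return [replace(e, fit=e.fit * factor) if e.name == name else e for e in elements]

# Raising the glue logic's base rate 20 -> 25 FIT (about 1% of the subsystem total)
# moves SPFM from ~0.9904 to ~0.9895 and drops the claim from ASIL D to ASIL C.
ADJUSTED = rebase(BASELINE, "bus_glue", 1.25)
```

The poorly covered element dominates the residual rate, so a base-rate revision that barely changes the total failure rate still costs the ASIL D claim.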

Vendors are often not clear on the level of support they offer, conflating the quality level of a specific tool with the quality level of the overall development flow. This forces the use of redundant, additional tasks to catch potential errors introduced by tools that are not adequately qualified in their own right.

Companies that want to streamline their safety-critical hardware development flow, or that are approaching this market for the first time, need advanced, safety-specific tools and support. As is often the case, there is no single tool vendor or consultancy firm that can cover the whole flow. And yet, deploying best-in-class solutions from safety-committed vendors is proving crucial to establishing efficient, rigorous development practices for safety-critical electronics.

The market for safety-critical electronics is booming and will continue to do so for the foreseeable future. Development practices must mature to keep pace.
