Automotive Safety: Achieving ISO 26262 Compliance with Processor IP (Part 1 of 2)

By Paul Garden, Product Marketing Manager, ARC Processors, Synopsys

Introduction

The proliferation of electronic systems in automobiles has resulted in the creation of new automotive standards to ensure safety. The ISO 26262 standard is an adaptation of the more general International Electrotechnical Commission (IEC) 61508 functional safety standard. ISO 26262 defines functional safety for automotive equipment and addresses possible hazards caused by the malfunctioning of electronic and electrical systems in passenger vehicles. Components of automotive electrical/electronic systems play a critical role in achieving compliance with the ISO 26262 standard. This two-part article examines ISO 26262 compliance from a processor IP perspective, describing the role processor IP plays and the processor features that facilitate the certification process.

Why Functional Safety?

A friend of mine was recently looking at buying a new car from his local dealership. The salesperson was very excited to tell him about all of the new and cool features the car had, and how it contained more than 500 upgrades over the previous year’s model. One of the features that stood out from all of the rest was the emergency braking safety capability, which stopped the car on its own when encountering an immovable object. The feature was designed for safety and makes sense in many cases, especially for the distracted driver. But he didn’t want this feature in his car! He didn’t buy the car, but was struck by the scale of influence that car electronic systems have over the driving experience and safety today. Electronic safety systems are increasing in both use and importance in the automotive world with the arrival of Advanced Driver-Assisted Systems (ADAS), and ‘self-driving car’ safety systems are on the near horizon (see Figure 1).

Figure 1: Growing demand for advanced driver-assisted systems

With this rapid growth in usage of electrical, electronic and programmable safety-related systems in passenger cars, there was a need for a safety standard. The ISO 26262 standard, first published on November 11, 2011, was created to define functional safety guidelines for automotive safety systems. ISO 26262 is an adaptation of the IEC 61508 functional safety standard for automotive electrical/electronic/programmable safety-related systems. The ISO 26262 standard:

  • Provides an automotive safety lifecycle (management, development, production, operation, service, decommissioning) and supports tailoring the necessary activities during these lifecycle phases
  • Defines functional safety aspects of the entire development process (such as requirements specification, design, implementation, integration, verification, validation and configuration)
  • Outlines an automotive-specific risk-based approach for determining risk classes (Automotive Safety Integrity Levels, or ASILs)
  • Uses ASILs to specify the necessary safety requirements for achieving an acceptable risk
  • Specifies requirements for validation and confirmation measures to ensure a sufficient and acceptable level of safety is being achieved.

The ISO 26262 standard consists of 10 parts:

  1. Vocabulary
  2. Management of functional safety
  3. Concept phase
  4. Product development at the system level
  5. Product development at the hardware level
  6. Product development at the software level
  7. Production and operation
  8. Supporting processes
  9. ASIL- and safety-oriented analysis
  10. Guideline on ISO 26262

Ultimately it is up to the OEM and tier 1 suppliers designing and building the automotive safety system to make sure it complies with the ISO 26262 standard for their pre-defined safety function. The OEM and tier 1 suppliers have the task of piecing together their technology, components, software and documentation to achieve certification.

This safety-compliance trend is driving the requirement for ISO 26262 compliance all the way through the system development process. The safety burden has extended from the automotive OEM to the component supplier(s) to the IP supplier(s) of the technologies that go into the chip, which in turn is a positive step as it makes the cars we drive safer. At every level in the development of safety systems, there is a need to deliver technology and software that encompass functional safety compliance.

With the need for more complex and sophisticated safety systems comes the need for more complex and sophisticated semiconductor IP. The IP used in these safety-critical system components needs to be created in an ISO 26262-aware organization with appropriate processes and facilitating technology to expedite ISO 26262 certification of the systems built by automotive OEMs and tier 1 suppliers. This means that the IP developer has to follow the processes and procedures and, where applicable, implement safety features that meet the specified Automotive Safety Integrity Levels (ASIL A, B, C or D).

Automotive Safety Integrity Level (ASIL)

The ASIL is a key component of ISO 26262 compliance and is determined at the beginning of the development process. The intended functions of the system are analyzed with respect to possible hazards to identify the safety requirements of the system. The ASIL specification asks the question, “If a failure arises, what will happen to the driver and associated road users?”

The estimation of this risk, based on a combination of the probability of exposure, the possible controllability by a driver and the severity of the possible outcome if a critical event occurs, leads to the ASIL rating (see Figure 2). The ASIL does not address the technologies used in the system; it is purely focused on the harm to the driver and other road users.

Each safety requirement is assigned an ASIL of A, B, C, or D, with D having the most safety-critical processes and the strictest testing requirements. The ISO 26262 standard specifically identifies the minimum testing requirements depending on the ASIL designation of the component. This aids in determining the methods that must be used for testing. Once the ASIL is determined, a safety goal for the system is formulated. This defines the system behavior needed to ensure safety.

Figure 2: ASIL determination formula
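As an added illustration (not code from the original article), the following Python encodes the ASIL determination table from ISO 26262-3, which combines the Severity, Exposure and Controllability classes described above, and applies it to a constructed set of hazardous events for an emergency-braking function; the event descriptions and their S/E/C classes are assumptions for illustration only, and a safety goal covering several hazardous events inherits the highest of their ASILs.

```python
# ASIL determination from Severity (S), Exposure (E) and Controllability (C)
# classes, following the ASIL determination table of ISO 26262-3.
from dataclasses import dataclass

ASIL_ORDER = ["QM", "A", "B", "C", "D"]  # QM = quality management only, no ASIL

# Key: (S, E) row; value: ASIL for C1, C2, C3. S0, E0 and C0 are handled as QM.
ASIL_TABLE = {
    (1, 1): ("QM", "QM", "QM"), (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),  (1, 4): ("QM", "A", "B"),
    (2, 1): ("QM", "QM", "QM"), (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A", "B"),   (2, 4): ("A", "B", "C"),
    (3, 1): ("QM", "QM", "A"),  (3, 2): ("QM", "A", "B"),
    (3, 3): ("A", "B", "C"),    (3, 4): ("B", "C", "D"),
}


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Return "QM" or "A".."D" for one hazardous event; reject out-of-range classes."""
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError(f"invalid classification S{severity} E{exposure} C{controllability}")
    if 0 in (severity, exposure, controllability):
        return "QM"  # no injuries, incredible exposure, or controllable in general
    return ASIL_TABLE[(severity, exposure)][controllability - 1]


@dataclass(frozen=True)
class HazardousEvent:
    description: str
    severity: int
    exposure: int
    controllability: int

    @property
    def asil(self) -> str:
        return determine_asil(self.severity, self.exposure, self.controllability)


def safety_goal_asil(events: list) -> str:
    """A safety goal that covers several hazardous events takes the highest of their ASILs."""
    return max((e.asil for e in events), key=ASIL_ORDER.index)


# Constructed hazardous events for an emergency-braking function (illustrative classes only).
BRAKING_EVENTS = [
    HazardousEvent("Unintended full braking at motorway speed", 3, 4, 3),
    HazardousEvent("Unintended braking during a parking manoeuvre", 1, 3, 1),
    HazardousEvent("Loss of brake assist; driver can still brake manually", 2, 4, 1),
]
```

Running `safety_goal_asil(BRAKING_EVENTS)` yields ASIL D, driven by the motorway event even though the other two events rate QM and A; the technology used to implement the braking function plays no part in the result.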

When ISO 26262 ASILs Aren’t IEC 61508 SILs

ISO 26262 is an adaptation of the IEC 61508 functional safety standard for automotive electric/electronic systems. IEC 61508 defines Safety Integrity Levels (SILs); ISO 26262 defines ASILs. But unlike IEC 61508, ISO 26262 is “not a reliability standard.” It doesn’t set precise numbers for acceptable probabilities of failure. ASILs are not determined in the same manner as IEC 61508 SILs, and there is no direct correlation between IEC 61508 SILs and ISO 26262 ASILs (Figure 3).

Figure 3: The indirect correlation of ISO 26262 to IEC 61508 safety integrity levels

Like its parent standard IEC 61508, ISO 26262 is a risk-based safety standard, meaning the risk of hazardous operational situations is qualitatively assessed, and safety measures are defined to avoid or control systematic failures and to detect or control random hardware failures, or to mitigate their effects.

In the first part of this two-part article we defined functional safety and the ASILs that determine the minimum testing requirements for safety-critical systems. Stay tuned for the second part of this article, where we will discuss the need for processor IP that facilitates ISO certification of safety-critical systems developed by OEMs and tier 1 suppliers.
