Achieving ISO 26262 certification with ASIL ready IP

By Ron DiGiuseppe |  No Comments  |  Posted: January 2, 2018

Achieving ISO 26262 certification for advanced driver assistance systems takes a combination of ASIL ready IP and rigorous development strategies.

Rapid progress in the development of advanced driver assistance systems (ADAS) and autonomous driving technology is challenging the semiconductor industry to bring the rigorous safety standards used in the automotive industry to its design process.

ADAS SoCs have to process increasing volumes of sensor data from many types of automotive sensors, driving the adoption of 64-bit processing. Other trends in automotive semiconductor design include the use of:

  • Ethernet for managing large amounts of time-sensitive data traffic, and reducing point-to-point wiring
  • LPDDR4/4x, with data rates of at least 3.2Gbit/s, for faster DRAM operations
  • MIPI standards such as MIPI Camera Serial Interface (CSI-2) and Display Serial Interface (DSI) for imaging and display applications
  • PCI Express for high-reliability chip-to-chip connectivity for 4G radios, future 5G radios, and external SSDs
  • 5G and IEEE standards such as 802.11p for real-time updates of maps and images to and from the Cloud, and vehicle-to-vehicle or vehicle-to-infrastructure communications
  • A shift from traditional 90nm, 65nm and 40nm processes to 16nm, 14nm and even 7nm FinFET processes

Since high-end ADAS SoCs are mainly used for safety-critical applications, they must meet the stringent requirements of the ISO 26262 functional safety standard, as must all the companies which supply components or semiconductor IP that go into the overall design.

Best practices in applying the ISO 26262 functional safety standard

ISO 26262 describes four automotive safety integrity levels (ASILs) – A, B, C and D – which in turn define the various processes that automotive development teams must use to meet the standard. One key task is to minimize a design’s susceptibility to random hardware failures by defining the functional requirements, using a rigorous development process and taking steps to ensure that safety features can mitigate those hardware failures. Design teams working to meet ISO 26262 standards must also systematically analyze the status of any component or system throughout the supply chain.

The ISO 26262 certification process must start at the very beginning of the development process and involves multiple steps, some of which are detailed below.

Failure mode effect and diagnosis analysis

A failure mode effect and diagnosis analysis (FMEDA) report is generated by development teams to provide all the information about their adherence to ISO 26262 from a functional safety perspective. The FMEDA report must be concurrently reviewed by design and verification engineers. Safety managers monitor the development process, milestones and product reviews to ensure that all the documentation and traceability requirements defined by ISO 26262 are completed throughout the SoC development flow, at both the IP and full-chip level.

ASIL ratings provide evidence of compliance, and define both design targets and a rating assessment at the end of the development flow. The ASIL ratings range from A, for the lowest integrity requirements, to D, for the highest integrity requirements. Let’s go through an example to illustrate a safety-critical product development flow.

Example of a development flow

Figure 1 shows a standard development flow for an IP or SoC. The core architecture and specification goes through RTL design and implementation, and is then verified and validated in hardware and software in the final prototypes.


Figure 1 Hardware design and verification flow in a commercial product development flow (Source: Synopsys)

Making this flow into one that complies with ISO 26262 means starting at the beginning, with the core architecture and specification definition, as shown in Figure 2. This assures the SoC or IP is designed to meet the required functional safety level.


Figure 2 An ISO 26262 development flow sits alongside the main flow and ensures the SoC or IP meets the required functional safety level (Source: Synopsys)

Architects and designers write safety plans to help manage the execution of safety activities, as shown in Figure 3. Safety plans help verify that the development flow meets the safety goals, implements the safety features specified in the safety plan, and measures the impact of any possible product failures and the design’s reaction to those failures in terms of functional safety. These plans are also reviewed by a safety manager.

The entire process up to this point is documented and delivered as Work Products, which include key milestones, resources, and the various implementation processes needed to meet functional safety requirements.


Figure 3 Architects and designers define safety plans to help manage and guide the execution of safety activities (Source: Synopsys)

FMEDA forms a critical part of the safety plan, providing a detailed report encompassing various steps and analysis, as shown in Figure 4. It must include a fault injection analysis for both permanent and transient faults, so their impact can be assessed. FMEDA also considers all the possible failure and distribution modes to understand how the product will behave if a failure occurs and what sort of diagnostics the product implements to identify and communicate such failures to the system.


Figure 4 FMEDA, a detailed report with various steps and analysis, defines the ASIL level for the target application (Source: Synopsys)

The ISO 26262 standard also provides guidelines on how to implement safety features to counter various failure modes. It does this by looking at the possible failures, based on the SoC architecture. This failure assessment also applies to IP that is integrated into the SoC. The various mitigation functions and their effectiveness, as recommended by the standard, are shown in Table 1.

Diagnostic type                                                                Effectiveness
HW redundancy                                                                  High - 99%
Configuration register test                                                    High - 99%
EDC on memory                                                                  High - 99%
Combination of timeout monitoring, frame counter and information redundancy    High - 99%
Self-test supported by hardware                                                High - 99%
Multi-bit HW redundancy                                                        Medium - 90%
Timeout monitoring                                                             Medium - 90%
Frame counter                                                                  Medium - 90%
Information redundancy                                                         Medium - 90%
Parity bit per word                                                            Low - 60%

Table 1: Various mitigation functions and their effectiveness as defined by ISO 26262 (Source: Synopsys)

ISO 26262 identifies hardware redundancy as the most effective safety mechanism, and this approach is used in some systems to reach ASIL D. Other mechanisms, in order of effectiveness from high to low, include:

  • Configuration register test, EDC on memory, combination of timeout monitoring, frame counter & information redundancy
  • Multi-bit hardware redundancy, timeout monitoring, frame counter, information redundancy
  • Parity bit per word
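The third high-effectiveness entry in Table 1 is a combination of three communication diagnostics rather than a single circuit. The following receiver-side monitor is an added example, not code from the original article or from Synopsys: it checks each arriving frame with information redundancy (a CRC over the frame), a frame counter (sequence number) and timeout monitoring (maximum gap between accepted frames), and shows which fault each diagnostic catches. The frame layout, the CRC-8 polynomial, the counter width, the timeout value and the sample traffic are all constructed for the example.

```python
# Added example, not code from the original article or from Synopsys: a receiver-side
# monitor combining the three communication diagnostics that Table 1 groups together,
# information redundancy (a CRC over the frame), a frame counter (sequence number) and
# timeout monitoring (maximum gap between accepted frames). The frame layout, CRC-8
# polynomial, counter width, timeout and the sample traffic are all constructed here.

CRC8_POLY = 0x07      # CRC-8 generator x^8 + x^2 + x + 1 (constructed choice)
COUNTER_MOD = 16      # 4-bit frame counter, wraps at 16
TIMEOUT_MS = 50       # longest tolerated gap between two accepted frames

def crc8(data):
    """Plain MSB-first CRC-8, init 0, no reflection, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ CRC8_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def build_frame(counter, payload):
    """Frame = counter byte, payload bytes, CRC over counter and payload."""
    body = bytes([counter % COUNTER_MOD]) + bytes(payload)
    return body + bytes([crc8(body)])

class E2EMonitor:
    """Classifies each arriving frame; only plausible frames advance the monitor state."""

    def __init__(self):
        self.expected = None      # next expected counter; None until the first valid frame
        self.last_ok_ms = None    # arrival time of the last accepted frame

    def silent_too_long(self, now_ms):
        """Timeout check the system can run even when no frame arrives at all."""
        return self.last_ok_ms is not None and now_ms - self.last_ok_ms > TIMEOUT_MS

    def check(self, frame, now_ms):
        body, received_crc = frame[:-1], frame[-1]
        if crc8(body) != received_crc:
            return "crc_error"            # corrupted on the link: discard, state unchanged
        counter = body[0]
        if self.expected is not None and counter == (self.expected - 1) % COUNTER_MOD:
            return "repeated"             # stale duplicate of the last accepted frame: discard
        if self.expected is None or counter == self.expected:
            verdict = "ok"
        else:
            verdict = "lost"              # sequence gap: at least one frame never arrived intact
        if self.silent_too_long(now_ms):
            verdict = "timeout"           # sender stalled: the data is too old to act on
        self.expected = (counter + 1) % COUNTER_MOD   # resynchronise on this frame
        self.last_ok_ms = now_ms
        return verdict

def constructed_traffic():
    """Constructed sample stream: healthy frames with four faults injected."""
    frames = {c: build_frame(c, [c * 10, 0xAA]) for c in range(9)}
    corrupted = bytearray(frames[2])
    corrupted[1] ^= 0x04              # single bit flip in the payload of frame 2
    return [
        (frames[0], 0), (frames[1], 10),
        (bytes(corrupted), 20),       # fault 1: corrupted frame
        (frames[3], 30),              # counter jumps 1 -> 3 because frame 2 was rejected
        (frames[3], 35),              # fault 2: frame 3 delivered twice
        (frames[4], 40),
        (frames[6], 50),              # fault 3: frame 5 dropped on the link
        (frames[7], 130),             # fault 4: 80 ms gap, sender stalled
        (frames[8], 140),
    ]

def run_monitor(traffic):
    monitor = E2EMonitor()
    return [monitor.check(frame, t) for frame, t in traffic]

if __name__ == "__main__":
    for (frame, t), verdict in zip(constructed_traffic(), run_monitor(constructed_traffic())):
        print(f"t={t:4d} ms counter={frame[0]:2d} -> {verdict}")
```

Note how the diagnostics cover for each other: the CRC rejects the corrupted frame, which is why the frame counter then reports frame 3 as following a gap, and the counter alone cannot tell that frame 7 is stale, which is what the timeout catches. A frame that passes all three checks is still only plausible, not proven correct, which is why the standard rates the combination at 99% rather than 100%.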

Now the impact of the designated safety features can be defined in the FMEDA report. Safety features fall into three categories:

  • Protection mechanisms, such as protection of the interfaces between components (such as IP blocks) in the SoC architecture; parity protection on the data path and configuration registers; and ECC protection for both writes and reads.
  • Replication mechanisms, which include duplicating or triplicating key modules and using voting logic to ensure redundancy.
  • Other mechanisms, which include parity checks for all the state registers, single-cycle pulse validity checks, various dedicated interrupts, and hot-state machine protection against bad states.
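The protection and replication categories above map onto three rows of Table 1, and the FMEDA fault-injection analysis described earlier is what turns a mechanism's name into a coverage figure. The following is an added example, not code from the original article or from Synopsys: it models a parity bit per word, a SEC-DED (single-error-correcting, double-error-detecting) Hamming code standing in for EDC on memory, and a triplicated register with a voting mismatch flag, then injects every single- and double-bit fault into each codeword and tallies the outcome as an FMEDA would. The 8-bit word width, the code layouts and the tally categories are the example's own assumptions.

```python
# Added example, not code from the original article or from Synopsys: models three
# Table 1 diagnostics on one 8-bit data word and runs an exhaustive single- and
# double-bit fault-injection campaign over each codeword, tallying every fault the
# way an FMEDA would: safe (output data still correct), detected (data wrong but the
# diagnostic flagged it) or undetected (data wrong and no flag: a residual fault).
from itertools import combinations

DATA_BITS = 8

# --- Parity bit per word (Table 1: Low - 60%) ---------------------------------
def parity_encode(word):
    bits = [(word >> i) & 1 for i in range(DATA_BITS)]
    return bits + [sum(bits) & 1]                 # even parity bit appended

def parity_decode(bits):
    word = sum(b << i for i, b in enumerate(bits[:DATA_BITS]))
    return word, (sum(bits) & 1) == 1             # flag when parity is odd

# --- SEC-DED Hamming code (Table 1: EDC on memory, High - 99%) ----------------
# List index j holds Hamming position j + 1. Positions 1, 2, 4, 8 are check bits,
# the other eight of 1..12 carry data, and position 13 is an overall parity bit
# that lets the decoder tell a single (correctable) from a double (detectable) error.
CHECK_POS = [1, 2, 4, 8]
DATA_POS = [p for p in range(1, 13) if p not in CHECK_POS]

def secded_encode(word):
    bits = [0] * 13
    for i, pos in enumerate(DATA_POS):
        bits[pos - 1] = (word >> i) & 1
    for p in CHECK_POS:                           # check bit p covers positions with bit p set
        bits[p - 1] = sum(bits[i - 1] for i in range(1, 13) if i & p) & 1
    bits[12] = sum(bits[:12]) & 1                 # overall parity of the 12 Hamming bits
    return bits

def secded_decode(bits):
    bits = list(bits)
    syndrome = 0
    for p in CHECK_POS:
        if sum(bits[i - 1] for i in range(1, 13) if i & p) & 1:
            syndrome |= p                         # syndrome = position of a single flipped bit
    overall_odd = sum(bits) & 1
    flagged = bool(syndrome or overall_odd)
    if overall_odd:                               # odd flip count: treat as single error, correct it
        bits[syndrome - 1 if 0 < syndrome < 13 else 12] ^= 1
    # nonzero syndrome with even overall parity is a double error: flag only, no correction
    word = sum(bits[pos - 1] << i for i, pos in enumerate(DATA_POS))
    return word, flagged

# --- Triple modular redundancy with a mismatch flag (Table 1: HW redundancy) ---
def tmr_encode(word):
    return [(word >> i) & 1 for i in range(DATA_BITS)] * 3   # three identical copies

def tmr_decode(bits):
    copies = [bits[k * DATA_BITS:(k + 1) * DATA_BITS] for k in range(3)]
    word, flagged = 0, False
    for i in range(DATA_BITS):
        votes = [c[i] for c in copies]
        word |= (sum(votes) >= 2) << i            # per-bit majority vote
        flagged |= len(set(votes)) > 1            # any disagreement raises the mismatch flag
    return word, flagged

MECHANISMS = {
    "parity": (parity_encode, parity_decode),
    "secded": (secded_encode, secded_decode),
    "tmr": (tmr_encode, tmr_decode),
}

def inject_faults(name, word, max_flips=2):
    """Flip every 1..max_flips-bit combination of the codeword and tally the outcomes."""
    encode, decode = MECHANISMS[name]
    golden = encode(word)
    report = {}
    for n in range(1, max_flips + 1):
        tally = {"safe": 0, "detected": 0, "undetected": 0}
        for flips in combinations(range(len(golden)), n):
            faulty = list(golden)
            for f in flips:
                faulty[f] ^= 1
            out, flagged = decode(faulty)
            if out == word:
                tally["safe"] += 1                # masked or corrected
            elif flagged:
                tally["detected"] += 1            # wrong data, but the diagnostic fired
            else:
                tally["undetected"] += 1          # wrong data and silent: residual fault
        report[n] = tally
    return report

def diagnostic_coverage(tally):
    """Share of the data-corrupting faults in a tally that the mechanism reports."""
    dangerous = tally["detected"] + tally["undetected"]
    return 1.0 if dangerous == 0 else tally["detected"] / dangerous

if __name__ == "__main__":
    for name in MECHANISMS:
        for n, tally in inject_faults(name, 0xA5).items():
            print(f"{name:6s} {n}-bit faults: {tally}  DC={diagnostic_coverage(tally):.0%}")
```

Running the campaign makes the ranking in Table 1 concrete: the parity bit reports every single-bit fault but passes all 36 double-bit faults silently, the SEC-DED code corrects every single-bit fault and flags every double-bit fault, and the triplicated register corrects every single-bit fault and, thanks to the mismatch flag, still reports the 24 double-bit faults that defeat the vote. The exhaustive enumeration weights double-bit faults far more heavily than a real failure-rate model would, so the coverage figures printed here are illustrative rather than the 60%/99% values the standard assigns.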

Meeting the requirements necessary to achieve ISO 26262 functional safety certification is a stringent process, which includes creating the FMEDA report, designating a safety plan that defines safety features for the target ASIL, employing a safety manager, and documenting and reviewing every milestone with all the stakeholders.

Additional automotive requirements

In addition to meeting ISO 26262 functional safety requirements, automotive SoC development teams and the rest of the supply chain must adhere to automotive reliability and quality requirements.

Any product, including IP, for an automotive application must meet the automotive reliability requirements defined by AEC-Q100. Automotive reliability is measured in terms of parts-per-million failure rates under various operating modes and at much higher temperatures than those used to test consumer products. For this reason, SoC and IP designers define temperature profiles which their products are designed and tested to meet, based on the target application. IP providers must make sure their IP meets the reliability targets of the application, which means examining how transistor and electromigration analyses are affected by the defined temperature profile. IP providers must also work with foundries to ensure that any special automotive rules are applied to their design.

Any product development in the automotive supply chain must also meet automotive quality management requirements. In addition to having quality manuals and compliance reports, developers also need to create a design failure mode and effect analysis report that demonstrates that the SoC and its components meet the automotive quality management requirements.

Conclusion

Designing automotive SoCs and supporting components such as semiconductor IP demands a parallel functional safety assurance process, rooted in a deep understanding of the requirements of ISO 26262, AEC-Q100 and subtle technical details such as the impact of various temperature profiles on the potential failure modes of an IP block. A safety manager is also necessary to keep the safety process on track, ensure the documentation is kept up to date, and to review safety plans for unexplored failure modes. The overall process should include design and verification engineers throughout.

Synopsys has made significant investments in developing its understanding of these processes so its certified IP can help speed up the development of automotive SoCs.

The company has launched ASIL B ready certified controllers and PHY IP for standards including PCI Express, USB, MIPI and LPDDR4, as well as certified processor and foundation IP. It has also developed ASIL D ready ISO 26262 certified EEPROM and trim non-volatile memory IP. Each of these is certified by SGS-TÜV Saar, an independent training, testing and certification organization serving the automotive industry, and is supplied with safety packages, FMEDA and safety manuals.

Many of these IP blocks have now been implemented and tested on 16nm FinFET processes, and shown to meet the most stringent Grade 1 temperature requirements, of -40°C to 125°C operation.

Synopsys’ DesignWare IP for automotive SoCs usually includes safety features such as:

  • Error correcting code protection for detecting and correcting transient and permanent errors
  • Parity protection on datapath and configuration registers for ensuring correct data is carried through the SoC
  • Debug capabilities, error injection and statistics monitoring for comprehensive system testing
  • Diagnostic circuits to periodically test for errors that violate safety goals

Synopsys also provides the necessary design failure mode and effect analysis reports and has created development organizations, policies and processes that help it meet automotive quality requirements. Its IP is designed for high reliability and tested against applicable AEC-Q100 specifications, which should reduce the time it takes for designers to achieve SoC-level AEC-Q100 qualifications.

Further information

For more information on how to achieve ISO 26262 certification with ASIL ready IP, visit DesignWare IP for Automotive SoCs.

Author

Ron DiGiuseppe, senior strategic marketing manager at Synopsys, is responsible for automotive segment marketing for Synopsys DesignWare IP solutions for ADAS, functional safety, infotainment and MCU applications.

DiGiuseppe brings more than 18 years of semiconductor experience to Synopsys. Prior to joining Synopsys, DiGiuseppe held a range of management positions at Xilinx for automotive connectivity IP products, as well as engineering development and management roles for companies including Oki Semiconductor, NEC, and Raytheon Corporation.

DiGiuseppe holds a bachelor's degree in electrical engineering from San Jose State University and a certificate in network engineering from University of California.

Company info

Synopsys Corporate Headquarters
690 East Middlefield Road
Mountain View, CA 94043
(650) 584-5000
(800) 541-7737
 www.synopsys.com
