Ensuring Functional Safety Compliance for ISO 26262

April 23, 2015 // By Adam Sherer, John Rose, Cadence Design Systems
Cars – and this includes their electronic control systems – must withstand years and years of wear and tear. ISO 26262 mandates that these systems work properly under all circumstances. Design engineers have to know how they can ensure functional safety.

This is the Age of Enlightenment for our vehicles. With advances in technology, vehicles are becoming smarter and more autonomous by the generation. For example, advanced driver assistance systems (ADAS) are enabling vehicles to make intelligent choices in a wide range of driving situations, thus increasing our safety. Multiple microcontrollers (MCUs), sensors, and other semiconductors are at work to make this functionality possible. All of these components must be verified at the intellectual property (IP), semiconductor, engine control unit, and OEM levels—and then tested in manufacturing to ensure that everything works when a buyer drives away from the dealership in her new vehicle.

But after 10 years of operation, how will that same automotive system react to permanent faults (boot-time stuck-at, SA0/SA1, and single event transient, SET) and radiation-based faults (single event upset, SEU)? That is the role of the ISO 26262 standard and functional safety verification—to ensure that the automotive system will behave as expected, even in the face of unplanned or unexpected circumstances. This article discusses efficient methodologies to ensure functional safety compliance.

Safety Verification Classifies Faults

Automotive designs are generally developed with a specified set of safety goals that assure certain functionality of the system in the event of a fault within the system. These faults have to be treated differently from manufacturing faults. Where the manufacturing fault is detected on test equipment at the factory, the safety-related fault must be detected when the device is installed in the running system. When a fault occurs in non-critical portions of the system, it can be considered safe, but if it occurs in a critical portion, it may be dangerous. In this second situation, if it is both detected by the safety monitors and corrected by the subsequent systems, the fault can be identified as dangerous but detected. However, if it fails to be detected, or is detected but still violates a safety goal, the fault is dangerous.
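As an added illustration (example code written for this article, not Cadence's tooling), the classification above applied to a constructed toy design: an 8-bit register covered by a parity safety monitor, an unmonitored output-enable bit, and two non-critical debug bits. Every node name and stimulus value is an assumption; each node is pinned to SA0 and SA1 in turn and the critical output is compared with a fault-free run to decide whether the fault is safe, dangerous but detected, or dangerous and undetected.

```python
"""Stuck-at fault campaign on a constructed parity-protected register (example, not from the article)."""
from collections import Counter
from itertools import product

# Constructed stimulus set: values clocked into the register during the campaign.
STIMULI = [0x00, 0xFF, 0x5A, 0xA5, 0x01, 0x80]
DATA_BITS = [f"data{i}" for i in range(8)]
# Hypothetical node names: data0..7 + parity are monitor-covered, oe gates the
# critical output but is unmonitored, dbg0/dbg1 only feed a debug port.
NODES = DATA_BITS + ["parity", "oe", "dbg0", "dbg1"]

def parity(v: int) -> int:
    """Even-parity bit of an 8-bit value."""
    return bin(v).count("1") & 1

def cycle(x: int, faults: dict) -> tuple:
    """One clock: load x, apply stuck-at faults, return (critical_out, monitor_flag)."""
    bits = {f"data{i}": (x >> i) & 1 for i in range(8)}
    bits.update(parity=parity(x), oe=1, dbg0=x & 1, dbg1=(x >> 1) & 1)
    bits.update(faults)  # a stuck-at fault pins the node to the stuck value
    data = sum(bits[f"data{i}"] << i for i in range(8))
    monitor_flag = parity(data) != bits["parity"]  # the safety monitor
    critical_out = data if bits["oe"] else 0       # dbg bits never reach it
    return critical_out, monitor_flag

def classify(node: str, stuck_value: int) -> str:
    """Outcome of one stuck-at fault over the whole stimulus set."""
    flags = []  # monitor result for each stimulus where the critical output was wrong
    for x in STIMULI:
        gold, _ = cycle(x, {})
        out, flag = cycle(x, {node: stuck_value})
        if out != gold:
            flags.append(flag)
    if not flags:        # safety goal never violated (non-critical node, or the
        return "safe"    # stuck value equals the normal value); a parity-bit fault
    if all(flags):       # lands here too: it raises a false alarm but no wrong data
        return "dangerous_detected"
    return "dangerous_undetected"

def run_campaign() -> dict:
    """Classify SA0 and SA1 on every node; returns {(node, stuck_value): outcome}."""
    return {(n, v): classify(n, v) for n, v in product(NODES, (0, 1))}

if __name__ == "__main__":
    print(Counter(run_campaign().values()))
```

The single undetected dangerous fault is `oe` stuck at 0: the parity monitor only watches the stored data, so a gated-off output passes the check while the safety goal is violated, which is exactly the gap a fault campaign is meant to expose.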
