
Automotive Safety: A New Perspective
The word ‘safety’ is open to various interpretations. However, when applied to modern automobile design it can generally be categorized using the following structure:
- Passive safety: Assuming that an accident is effectively inevitable, the aim of passive safety mechanisms is to minimize the severity of that accident. The passive safety elements found within a vehicle include seatbelts, crumple zones, etc.
- Active safety: Systems concerned with active safety, based on knowledge of the current state of the vehicle, aim to avoid accidents altogether, in addition to minimizing the effects if an accident does occur. Seatbelt pre-tensioning, airbag deployment, predictive emergency braking, anti-lock braking systems and traction control are all examples of this.
- Functional safety: This focuses on ensuring that all of the electrical and electronic systems (such as power supplies, sensors, communication networks, actuators, etc.), including (but not limited to) all active safety related systems, function correctly. Functional safety is dealt with by the ISO-26262 standard (published in November 2011).
It is important to state from the beginning that functional safety does not mean that there is no risk of a malfunction taking place – instead, functional safety implies the absence of unacceptable risk due to hazards caused by malfunctioning behavior of electrical and electronic systems.
Fig. 1: Translation from functional safety goals to hardware design, with associated validation & verification.
Origins of ISO-26262
The ISO-26262 standard is based on the more generic IEC-61508, which has a broad field of application (industrial process, control and automation, as well as oil/gas, nuclear, etc.). ISO-26262 has been built on IEC-61508 but is dedicated entirely to the automotive sector – more precisely, its application is limited to safety-related electrical and electronic systems installed in series-production passenger cars with a maximum gross weight of 3,500 kg. The first draft release surfaced in 2009, causing considerable commotion within the automotive sector. The widespread perception was that this would be another set of rules imposed on the industry, leading to longer development cycles and much more paperwork. However, once the standard was in place, stakeholders quickly saw the benefits of such harmonization.
Benefits of ISO-26262
ISO-26262 allows car manufacturers to indemnify themselves from liability in case a malfunction remains undetected when the standard has been followed, because the standard is treated by the judicial systems as ‘the reference for development’. At the process level it provides clear guidance on the development and validation of electrical and electronic systems, avoiding errors in implementation (which could otherwise induce expensive recall activity and damage the brand name). Benefits to customers, though not always recognized, are also present – the standard can give each of them confidence in their purchased automobile.
ASILs
When it comes to functional safety, the overriding goal is to minimize the susceptibility to random hardware failures by taking the necessary design measures, defining the functional requirements, applying systematic analysis methods and avoiding systematic failures through applied rigor in procedures within the development process. The automotive safety integrity level (ASIL) is key to ensuring that ISO-26262 compliance is upheld. It is determined at the start of the development process, and through it the functions of the automotive system in question are analyzed and a thorough risk assessment is carried out.
In reality, semiconductor suppliers cannot bring integrated circuits (ICs) to market which are ‘ASIL-x certified’, as an ASIL is assigned to an application or function, rather than to an isolated hardware component or ‘element’. Any supplier claiming anything to the contrary simply isn’t taking the standard seriously and lacks a genuine understanding of the complexities of ISO-26262.
Functional safety in hardware design
The foundation of the functional safety concept is the creation of functional safety goals. These goals are defined for a given system, or ‘item’ as it is referred to in the ISO-26262 standard. For each item, a hazard and risk analysis (HARA) is performed, which results in a list of possible hazards that need risk reduction, and hazardous events linked to a number of situations. Only the relevant combinations of hazard and situation, referred to as ‘scenarios’, are retained, and for each of these the analysis then proceeds to determine severity, exposure and controllability. Severity (with levels 0 to 3) evaluates the potential harm of the scenario. Exposure (with levels 0 to 4) evaluates the average exposure rate of the scenario. Controllability (with levels 0 to 3) evaluates the possibility of avoiding harm in that scenario. There is no free interpretation of the different levels, which have been associated with certain quantitative metrics. Design engineers should work their way from the highest value downwards until the next associated description no longer applies. A table links the severity/exposure/controllability values to the ASIL rating. Once an ASIL for each scenario is determined, the next step is to define a safety goal for each of the scenarios, together with a safe state.
Table 1: ASIL Determination Based on Severity/Exposure/Controllability Levels. (Image Courtesy of the International Organization for Standardization).
Following this, the defined goals and safe states are translated into functional safety requirements. Then comes the critical step of defining a functional safety concept to realize the function or item, together with the associated safety measures/mechanisms for hazard risk reduction. When multiple elements realize a single function, the safety goals and requirements have to be allocated and assigned, then further cascaded down to the individual element. The ASIL remains associated with the individual requirement and not with the element. An element can therefore have multiple safety functions and requirements, each with their own ASIL. Through system-level exploration, the search for the optimal architecture can yield different ASILs for the same function assigned to an architectural element, as what is considered ‘optimal’ in each case depends heavily on the designer’s constraints (limited choice of existing hardware components, limited PCB area, limited computational power, system cost restrictions, etc.).
This can be illustrated by the following simplified example of an electrical power assisted steering (EPAS) system and an acceleration pedal system, both functions realized with a magnetic position sensor IC. Let us suppose that both systems have gone through a thorough HARA and resulted in an ASIL-D requirement linked to the functional safety goal ‘ensure the output signal is proportional to the driver’s intent’. Assume in each case the same transfer function, with the maximum output signal corresponding to wide open throttle (WOT) for the acceleration system or maximum torque for the steering system. Taking a fault detection time of 500 ms for the sensor IC, this could be enough to avoid an accident in the accelerator pedal case, but for the torque steering sensor it could result in dramatic safety problems at high speed, making the IC unsuitable for the given EPAS system design.
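The HARA step described above, carried through in code as an added example (not from the article or from Melexis): each retained scenario's S/E/C levels are looked up in the ISO 26262-3 ASIL determination table, with S0/E0/C0 handled as "no ASIL", and, going one step beyond the text, each safety goal takes the highest ASIL among the scenarios it covers. The scenarios and their S/E/C values are constructed for the article's two items and are assumptions, not figures from the page.

```python
from dataclasses import dataclass

# ISO 26262-3 ASIL determination table: ASIL_TABLE[S][E][C - 1], S 1..3, E 1..4, C 1..3.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

@dataclass(frozen=True)
class Scenario:
    # One retained hazard/situation combination with its S/E/C classification.
    safety_goal: str
    hazard: str
    situation: str
    s: int  # severity S0..S3
    e: int  # exposure E0..E4
    c: int  # controllability C0..C3

def determine_asil(s: int, e: int, c: int) -> str:
    """Map one scenario's S/E/C levels to an ASIL; "QM" means no ASIL is assigned."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"S/E/C level out of range: S{s} E{e} C{c}")
    # S0 (no injuries), E0 (incredible) and C0 (controllable in general) fall
    # outside the table: quality management only, whatever the other levels.
    if 0 in (s, e, c):
        return "QM"
    return ASIL_TABLE[s][e][c - 1]

def safety_goal_asils(scenarios) -> dict:
    """ASIL per safety goal: the highest ASIL among the scenarios it covers."""
    result = {}
    for sc in scenarios:
        asil = determine_asil(sc.s, sc.e, sc.c)
        current = result.get(sc.safety_goal, "QM")
        result[sc.safety_goal] = max(asil, current, key=ASIL_RANK.__getitem__)
    return result

# Constructed scenarios (assumed S/E/C values) for the article's two items.
SCENARIOS = [
    Scenario("EPAS output proportional to driver intent", "self-steering torque", "motorway, high speed", 3, 4, 3),
    Scenario("EPAS output proportional to driver intent", "self-steering torque", "parking manoeuvre", 1, 4, 2),
    Scenario("Pedal output proportional to driver intent", "unintended acceleration", "urban traffic", 3, 3, 3),
    Scenario("Pedal output proportional to driver intent", "unintended acceleration", "parked, engine running", 0, 4, 1),
]

if __name__ == "__main__":
    for goal, asil in safety_goal_asils(SCENARIOS).items():
        print(f"ASIL {asil:>2}: {goal}")
```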
The role of semiconductor suppliers in functional safety
Forward-thinking semiconductor suppliers can contribute to the new era of functional safety at the system level in several ways. Firstly, by maximizing the on-chip diagnostic functionality found within their devices (providing under/over-voltage protection mechanisms, adding cyclic redundancy checks to reported messages, adding data redundancy to memory content to enhance fault tolerance, providing signal chain clipping/clamping information, introducing built-in self-tests, etc.). Secondly, by implementing widely adopted digital protocols such as SAE-J2716 (SENT), PSI-5 and SPI, to name a few, in order to report these diagnostics to the system microcontroller. Thirdly, semiconductor suppliers need to offer system design flexibility through their extended product portfolio (including dual-die sensors that can provide homogeneous redundancy in a single package).
In conclusion, ISO-26262 should not be thought of as just an administrative burden. It needs to be appreciated as a culture that influences every single organizational layer and impacts each stage of the product development cycle. It is a state of mind that comes to expression in what we do on a daily basis.
About the author: Based in Belgium, Bruno Boury is Product Line Manager for Magnetic Sensing at Melexis, having worked for the company since 2007. He has a master’s degree in Electrical Engineering from the University of Leuven and an MBA from Solvay Business School.
