ESL Tutorial: Functional Safety in Next Generation Automotive Chips
The self-driving car is a challenge that is driving many of today's technology innovations. A self-driving car requires a great deal of complex computation to understand its context and make real-time decisions on the road. With an increase in technological complexity, and consequently in the size of the chip, the risk of systematic failures and random hardware failures increases. It is of paramount importance to design self-driving vehicles to be safe for their occupants and for other vehicles and pedestrians. ISO 26262 is the international standard for the functional safety of electrical and electronic systems used in road vehicles.
ISO 26262 defines functional safety as the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems. It defines risk classes called Automotive Safety Integrity Levels (ASILs) and provides requirements and recommendations for a system to comply with a given ASIL. The standard also defines various kinds of faults and metrics to assess the effectiveness of the hardware architecture with respect to safety. A fault in the electronic system can be safe or dangerous, depending on how the fault propagates through the system and its impact on system behavior. Classifying faults is necessary to quantify the key metrics required by ISO 26262.
Safety mechanisms are required to prevent hazards due to hardware failures. This requires adding circuitry for error detection/correction to the chip design. The safety mechanism is responsible for bringing the system to a safe state before the fault leads to a hazardous event. It is imperative to know whether these safety mechanisms detect/correct errors as intended. The functionality of a safety mechanism can be tested only in the presence of a fault. Safety mechanisms can be designed so that faults can be injected at specific nodes during functional verification. However, this is not sufficient to prove the effectiveness of safety mechanisms, as there can be faults that propagate to the output but do not propagate to the safety mechanism. The effectiveness of the safety mechanisms is reflected in the ASIL rating of the system. For the stringent ASILs, ISO 26262 highly recommends fault injection testing to check the completeness and correctness of the safety mechanism implementation.
Fault injection testing involves introducing a fault into the chip design and analyzing the response of the system to that fault. Typically, not all faults propagate to the output. A simple way to check whether a given fault propagates to the output is to strobe the output and compare it with the system output in the absence of the fault. For such a method to work, it is important to strobe the right signals and apply the right stimulus. The required ISO 26262 metrics can be calculated after fault classification.
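The strobe-and-compare flow described above, carried out on a toy design, as an added example that is not part of the tutorial. The circuit (a gate-level 2-bit ripple-carry adder), the parity-predictor safety mechanism, the stuck-at fault list, the two stimulus sets and the three-way classification (safe / dangerous detected / dangerous undetected) are all constructed for this illustration; the "diagnostic coverage" figure is a simplified ratio, not the exact single-point or latent fault metric formulas of ISO 26262. The mechanism is deliberately weak: a parity check misses faults that flip two output bits at once, which is exactly the case of a fault that reaches the output without reaching the safety mechanism, and the weak stimulus set shows how an insufficient stimulus can leave such faults unexcited or make them look detected.

```python
"""Gate-level fault injection on a constructed 2-bit adder with a parity-based
safety mechanism. Everything here is an assumed, illustrative design."""

INPUTS = ("a0", "a1", "b0", "b1")

# Constructed netlist: each net is a function of nets defined above it
# (inputs first), so a single forward pass evaluates the whole circuit.
NETLIST = [
    ("s0", lambda n: n["a0"] ^ n["b0"]),   # sum bit 0
    ("c0", lambda n: n["a0"] & n["b0"]),   # carry out of bit 0
    ("t",  lambda n: n["a1"] ^ n["b1"]),   # propagate term of bit 1
    ("s1", lambda n: n["t"] ^ n["c0"]),    # sum bit 1
    ("g1", lambda n: n["a1"] & n["b1"]),   # generate term of bit 1
    ("p1", lambda n: n["t"] & n["c0"]),    # propagate term AND carry-in
    ("c",  lambda n: n["g1"] | n["p1"]),   # carry out (sum bit 2)
]
OUTPUTS = ("s0", "s1", "c")               # the signals we strobe


def simulate(a, b, fault=None):
    """Evaluate the adder for 2-bit operands a and b.
    fault is (net_name, stuck_value) for a stuck-at fault, or None for the
    fault-free (golden) circuit. Returns the strobed outputs (s0, s1, c)."""
    nets = {"a0": a & 1, "a1": (a >> 1) & 1, "b0": b & 1, "b1": (b >> 1) & 1}
    if fault and fault[0] in nets:
        nets[fault[0]] = fault[1]          # stuck-at fault on a primary input
    for name, fn in NETLIST:
        nets[name] = fn(nets)
        if fault and fault[0] == name:
            nets[name] = fault[1]          # stuck-at fault on an internal net
    return tuple(nets[o] for o in OUTPUTS)


def golden_outputs(a, b):
    """Reference behaviour: the 3-bit binary sum of a and b."""
    s = a + b
    return (s & 1, (s >> 1) & 1, (s >> 2) & 1)


def safety_mechanism(a, b, outputs):
    """Assumed safety mechanism: a parity predictor computes the expected
    output parity independently from the operands and compares it with the
    parity of the datapath outputs. Returns True when it raises an error flag."""
    expected = sum(golden_outputs(a, b)) & 1
    return (sum(outputs) & 1) != expected


def classify(fault, stimuli):
    """Strobe-and-compare classification of one fault over a stimulus set:
    any strobe where the faulty output differs from the golden output without
    the mechanism flagging it makes the fault dangerous and undetected."""
    propagated = False
    for a, b in stimuli:
        faulty = simulate(a, b, fault)
        if faulty != simulate(a, b):
            propagated = True
            if not safety_mechanism(a, b, faulty):
                return "dangerous_undetected"
    return "dangerous_detected" if propagated else "safe"


def fault_list():
    """Stuck-at-0 and stuck-at-1 on every input and internal net (22 faults)."""
    nets = INPUTS + tuple(name for name, _ in NETLIST)
    return [(net, value) for net in nets for value in (0, 1)]


def run_campaign(stimuli):
    """Classify every fault; return per-fault results, counts per class and a
    simplified diagnostic coverage = detected / all dangerous faults."""
    results = {f: classify(f, stimuli) for f in fault_list()}
    counts = {"safe": 0, "dangerous_detected": 0, "dangerous_undetected": 0}
    for cls in results.values():
        counts[cls] += 1
    dangerous = counts["dangerous_detected"] + counts["dangerous_undetected"]
    coverage = counts["dangerous_detected"] / dangerous if dangerous else 1.0
    return results, counts, coverage


# Constructed stimulus sets: one exhaustive, one that holds b at zero and
# therefore never exercises the carry path.
EXHAUSTIVE = [(a, b) for a in range(4) for b in range(4)]
WEAK = [(a, 0) for a in range(4)]

if __name__ == "__main__":
    for name, stim in (("weak", WEAK), ("exhaustive", EXHAUSTIVE)):
        results, counts, cov = run_campaign(stim)
        print(f"{name:10s} {counts}  diagnostic coverage={cov:.2f}")
        for f, cls in sorted(results.items()):
            if cls == "dangerous_undetected":
                print("    undetected:", f)
```

Running the script shows the two effects the text warns about. With the weak stimulus, six faults never propagate (the carry and carry-related nets are never excited), and the stuck-at faults on the internal net `t` look detected. With exhaustive stimulus, every fault propagates, and the same `t` and `c0` faults flip two output bits at once on some vectors, so parity is preserved and the mechanism stays silent: these faults reach the strobed output but not the safety mechanism, and they show up as dangerous undetected faults that pull the coverage down.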
In this tutorial, we plan to introduce the concept of functional safety and discuss using fault injection verification to obtain the data required for calculating the metrics defined in ISO 26262.