
EETE NOVEMBER 2012

DESIGN & PRODUCTS: AUTOMOTIVE ELECTRONICS

ISO26262 in automotive IC development: just a tick-box exercise?

By Thomas Mueller

Car manufacturers started using ICs to control safety applications as early as the 1980s. First used in anti-lock brakes and airbags, electronics devices were soon implementing complex functions such as vehicle stability control and, more recently, active safety systems. ICs are now relied on not only to mitigate the consequences of crashes, but to prevent them from happening in the first place. It is fair to say that electronics components are absolutely critical to the safety of all road users today.

These electronics systems, used in tens of millions of cars on the road today, have operated with a remarkable level of reliability, despite the absence of formal industry standards requiring compliance with safety processes. In general, IC manufacturers have deployed no more than a combination of FMEA (Failure Mode and Effect Analysis) and a good deal of engineering judgment. The results, in terms of automotive safety, have been very successful.

The introduction of formal safety standards governing the design and fabrication of automotive ICs might, then, seem to be a bureaucratic imposition which will do nothing to improve an already impressive safety record while adding time and cost to the product development process. Are the standards really helpful either to the automotive industry or to road users?

The new rules for automotive IC manufacturers

The first attempt to standardize the approach to safety in automotive ICs was around the turn of the century, when the existing IEC61508 standard was applied to microelectronics systems. This was originally a functional safety standard for application in industrial systems such as railways and power plants. IEC61508 introduced the hazard analysis, followed by safety specifications such as the Safety Integrity Level (SIL) and the concept of a ‘maximum failure rate’.

The next development, an extension of FMEA called FMEDA (Failure Mode Effect and Detection Analysis), proved to be an easy tool for designers of safety ICs to use. FMEDA requires the classification of IC failures as either ‘safe’ or ‘unsafe’. The designer then has to implement a sound process for estimating the probability of each failure’s occurrence, and to use diagnostic techniques to detect failures. The result is a quantitative analysis derived from empirical evidence. The ratio of safe to unsafe failures – the main output of FMEDA – determines, together with the failure rate, whether an SIL can be achieved or not.

Here, then, was a method which could underpin – or even supersede – the engineering judgment on which design engineers had previously been relying to ensure the safety of their products. The ISO26262 standard, developed in the middle of the first decade of this century, took the application of safety design processes a step further. In many respects it follows the IEC61508 standard, but with the difference that it is specifically focused on automotive electronics and software. Quantities such as the safe failure ratio, applied in the IEC standard, were replaced by more complex metrics taking into account in addition latent failures (that is, failures which are dependent on the occurrence of direct failures).

The safety integrity level specifications were renamed ASIL (Automotive Safety Integrity Level), and their conditions were changed slightly. New requirements for the development process were also introduced: in particular, a safety manager for each IC under development must conceive, validate and document the safety methodology underlying the IC’s design.

Fig. 1: Position sensing with a 3D Hall sensor. (A) centre position of the magnet; (B) off-centre position.

How ISO26262 is being applied today

The specifications for automotive safety ICs laid down by car manufacturers now in most cases include a reference to the ISO26262 standard. Often, however, the SIL is defined for the electronic module (such as an accelerator pedal or electronic control unit) of which the IC is a component, rather than for the IC itself. The ISO standard defines the specifications at a system level (for instance, two redundant systems with an ASIL B rating are equivalent to an ASIL D), but deriving safety goals for an IC from the safety specifications of a module remains difficult. Furthermore, specifying an ASIL for the IC in isolation, in addition to an ASIL for the module or system, might lead to the design of extra diagnosis features which will increase chip size and test time, and therefore increase cost, without improving safety. This means it is important to consider the diagnosis

Thomas Mueller is product manager for automotive ASICs at ams AG (www.ams.com/automotive). He can be reached at thomas.mueller@ams.com

Electronic Engineering Times Europe, November 2012, www.electronics-eetimes.com
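To make the metrics discussion concrete, here is an added example (not from the article or from ams) that takes an FMEDA-style failure-mode table and computes the ISO 26262 single-point fault metric (SPFM) and latent fault metric (LFM), then reports the highest ASIL whose quantitative targets the table satisfies. The table, the failure rates and the diagnostic coverages are constructed for illustration; the row kinds "direct" and "latent" are this example's own simplification of the standard's fault classes.

```python
from dataclasses import dataclass

# Constructed FMEDA-style rows (failure rate in FIT = failures per 1e9 h).
# kind: "safe" (no effect on the safety goal), "direct" (violates the goal
# on its own unless detected) or "latent" (dangerous only together with a
# second fault, e.g. a fault in the diagnostic logic itself).
@dataclass
class FailureMode:
    name: str
    fit: float
    kind: str
    coverage: float = 0.0  # fraction revealed by a safety mechanism

# Illustrative table loosely modelled on a position-sensor IC; not real data.
EXAMPLE_FMEDA = [
    FailureMode("Hall element open", 10.0, "direct", 0.90),
    FailureMode("ADC stuck-at", 20.0, "direct", 0.99),
    FailureMode("Output driver short", 5.0, "direct", 0.60),
    FailureMode("Reference drift", 8.0, "latent", 0.50),
    FailureMode("BIST logic fault", 4.0, "latent", 0.00),
    FailureMode("Unused test register", 3.0, "safe"),
]

# ISO 26262-5 targets as (SPFM, LFM); ASIL A has no quantitative target.
TARGETS = {"B": (0.90, 0.60), "C": (0.97, 0.80), "D": (0.99, 0.90)}

def hardware_metrics(rows):
    """Total FIT, single-point fault metric and latent fault metric."""
    total = sum(r.fit for r in rows)
    # Single-point/residual: direct faults no mechanism catches.
    spf_rf = sum(r.fit * (1 - r.coverage) for r in rows if r.kind == "direct")
    # Latent multi-point: latent faults that are never revealed.
    latent = sum(r.fit * (1 - r.coverage) for r in rows if r.kind == "latent")
    return {
        "total_fit": total,
        "spfm": 1 - spf_rf / total,
        "lfm": 1 - latent / (total - spf_rf),
    }

def achievable_asil(rows):
    """Highest ASIL whose SPFM and LFM targets the table satisfies."""
    m = hardware_metrics(rows)
    best = "A"
    for asil, (spfm_min, lfm_min) in TARGETS.items():
        if m["spfm"] >= spfm_min and m["lfm"] >= lfm_min:
            best = asil
    return best
```

Dropping the 60% coverage on the output-driver row to zero pushes SPFM below the ASIL B target, which is the trade-off the article describes: an extra diagnostic feature buys a higher metric at the cost of chip area and test time.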

