Functional Safety Challenges to the Automotive Supply Chain

Posted by rezwan.eee
« on: April 21, 2017, 01:46:32 AM »
The electronic content in automobiles has increased steadily over the past few decades and shows no signs of slowing as many high-tech firms and OEMs race towards the development of fully autonomous vehicles. While the range of autonomy varies, from no control to full control, the vast majority of currently available vehicles contain systems with some degree of autonomy, such as electronic stability control (ESC) or lane centering. These electronic systems, which are intended to assist the driver, make an increasing number of decisions for the driver and often entirely remove the driver from the decision-making process. These systems have generally increased driver and passenger safety, but can cause harm if they malfunction or have a design weakness.

As a result, they pose new development challenges to the entire automotive supply chain. In 2011, the International Organization for Standardization (ISO) published a functional safety standard called ISO 26262, outlining industry best practices for safety-related automotive system development. While adoption of the standard is voluntary, most OEMs worldwide require compliance from their suppliers. Suppliers that delay adopting this standard are likely to see their future business opportunities erode.

The ISO 26262 standard contains requirements for both the development process and the design of safety-related electronic systems in road vehicles. These requirements are based on a hazard and risk assessment of the system itself. The scope of the standard is limited to malfunctioning electrical or electronic systems. As a result, compliant systems must be able to identify their own malfunctions and mitigate their effects such that passenger safety is preserved. For this reason, safety architectures now rely heavily on diagnostics and redundancy to detect malfunctioning system components and to transition the system to a safe state. In general, this requirement reaches IC component suppliers as a demand for more content integrated into existing solutions, together with the capability to run diagnostics and communicate their status.

Take, for example, a system using a sensor IC as a simple switch. Because it is a safety-related function, the system must be able to diagnose whether the sensor output is in the correct state. Depending on the requirements and risk of the system, this can be accomplished in many ways. For example, complex diagnostic circuits and communication protocols could be added to the sensor IC itself. Alternatively, a redundant sensor could be added at the system level—with no enhanced functionality or ability to communicate diagnostics in each single IC. A comparison of the redundant sensor outputs acts as a type of diagnostic protocol since, under safe operating conditions, the outputs of the two sensors should always match within a predefined error window. Both of these vastly different approaches meet system requirements, but have very different implications for both the cost and the availability of the right hardware (sensor component) to do the job. Component suppliers to the automotive market are now trying to understand and keep pace with the evolving requirements and trade-offs of these safety-related systems, and to offer solutions that are easy for their customers to integrate.

Since the introduction of the ISO 26262 standard, the concept of what is considered “safe” has also evolved. In earlier architectures the loss of a system, for example a power steering system, was considered by many as a safe but nuisance occurrence. Categorizing system unavailability as “safe” had direct implications on the system architecture. The architecture would be required to identify any malfunctions that were considered unsafe and mitigate them, but those malfunctions that led to the loss of the power steering system did not require mitigation. This resulted in the need for only certain malfunctions to be identified and not others, thereby limiting the additional functionality required for safety, including on-chip diagnostics in IC components.

The perception of what is considered safe has since shifted as the industry realizes that the sudden loss of power steering can lead to an accident for smaller adults, inexperienced drivers, or the elderly. Automakers now demand that safety-related systems continue to operate to some degree when they fail. This “fail operational” or “fault tolerant” requirement has a direct impact on the architecture necessary to support it. The systems must include various levels of redundancy depending on whether the post-failure performance may be degraded from the nominal performance. “Fault tolerant” systems represent the next generation of safety-related systems, and this topic will be addressed in the second edition of the ISO 26262 standard.

The most direct result of fail operational systems is the use of redundant system functions in an architecture that allows transition to a backup system if a malfunction occurs in the primary system. In response, IC component suppliers are beginning to offer double and triple die within a single package to support the need for redundancy without occupying more physical space. Offering multichip solutions is one example of how some IC suppliers are developing new technologies to meet specific needs of safety-related systems.
Rezwan Mohammad Sayeed
Lecturer
Dept. of EEE
Faculty of Engineering
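As an added illustration (not code from the original post, nor from any standard or vendor), the redundant-sensor comparison described above together with the fail-operational fallback of the later paragraphs, sketched in C: two channels are checked for plausibility, compared within a predefined error window, and the system drops to a degraded mode on the surviving channel or to the safe state. The ADC range, error window and debounce count are assumed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Constructed example: duplex (two-channel) sensor diagnostic with fail-operational
 * fallback. Readings are raw ADC counts; every threshold is an assumed value. */
typedef enum { MODE_NOMINAL, MODE_DEGRADED, MODE_SAFE_STATE } drive_mode_t;
typedef struct {
    int16_t min_valid;   /* below this the channel is treated as open or shorted low */
    int16_t max_valid;   /* above this the channel is treated as stuck at the rail */
    int16_t window;      /* predefined error window: largest allowed disagreement */
    uint8_t debounce;    /* consecutive mismatching cycles before a fault is latched */
} diag_cfg_t;
typedef struct {
    uint8_t mismatch_count;  /* consecutive cycles in which plausible channels disagreed */
    drive_mode_t mode;       /* latched mode: only ever moves towards the safe state */
    int16_t value;           /* last reading released to the controller */
} diag_state_t;
static int channel_plausible(const diag_cfg_t *cfg, int16_t v) {
    return v >= cfg->min_valid && v <= cfg->max_valid;
}

/* Evaluate one sample period of both channels and update the latched mode. */
void diag_step(const diag_cfg_t *cfg, diag_state_t *st, int16_t primary, int16_t redundant) {
    if (st->mode == MODE_SAFE_STATE) return;     /* safe state is held until a service reset */
    int p_ok = channel_plausible(cfg, primary), r_ok = channel_plausible(cfg, redundant);
    if (p_ok && r_ok) {
        if (abs(primary - redundant) <= cfg->window) {
            st->mismatch_count = 0;
            st->value = primary;                 /* channels agree: release the primary reading */
        } else if (++st->mismatch_count >= cfg->debounce) {
            /* Two plausible channels that disagree: a duplex comparison detects the fault
             * but cannot tell which channel is wrong, so it cannot stay fail operational. */
            st->mode = MODE_SAFE_STATE;
        }                                        /* else: hold the last good value while debouncing */
    } else if (p_ok || r_ok) {
        st->mode = MODE_DEGRADED;                /* fail operational on the surviving channel */
        st->value = p_ok ? primary : redundant;
    } else {
        st->mode = MODE_SAFE_STATE;              /* both channels implausible: nothing to fall back on */
    }
}
int main(void) {   /* constructed trace: the channels drift apart and the fault is debounced */
    const diag_cfg_t cfg = { 100, 3900, 50, 3 };
    diag_state_t st = { 0, MODE_NOMINAL, 0 };
    const int16_t s[][2] = { {2000, 2010}, {2000, 2300}, {2000, 2300}, {2000, 2300} };
    for (size_t i = 0; i < 4; i++) {
        diag_step(&cfg, &st, s[i][0], s[i][1]);
        printf("cycle %zu: mode=%d value=%d\n", i, (int)st.mode, (int)st.value);
    }
    return 0;
}
```

Note that with only two channels the comparison can detect a disagreement but cannot arbitrate it; staying fail operational through a mismatch needs a third channel or per-channel diagnostics of the kind the post attributes to enhanced sensor ICs.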