Functional Safety

Functional Safety, ISO 26262 and MIPS

MIPS is enabling the creation of assistive and fully autonomous systems by making its licensable technologies compliant with functional safety standards.

We live in a world where automation is becoming commonplace across industries, from manufacturing to robotics to automotive.

The move to autonomous vehicles will inevitably be a disruptive force in society that will have an impact on myriad industries, including taxis, haulage, insurance and even car ownership itself. Autonomous driving will save lives and with the transition to electric propulsion, it will benefit the environment too.


In 2000, the IEC 61508 standard was introduced to address the need for functional safety in all electrical, electronic, and programmable safety-related systems. However, as electronics became ever more fundamental and integral to the operation of vehicles, it became necessary to introduce an automotive-specific branch. As an adaptation of IEC 61508, ISO 26262 was first published in 2011 to apply to the specific requirements of passenger cars and light utility vehicles. It requires that all components in a car conform to the functional safety standard, which it defines as “the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems”.

What is functional safety?

A dependable system can be broken down into three properties, of which functional safety is one. First is reliability: the system should work as it was designed to in response to a command and not fail. Second is availability: the system should be able to respond whenever it is required. Third is safety: the system should respond to a failure in such a way that it does not cause any injury. While it is impossible to guarantee absolute safety, the aim is to bring the risk down as far as possible.

Functional safety has always been part and parcel of many industries. It ensures that doors close when they should on trains and that aviation systems are safe, and in the medical world that equipment operates correctly.

In automotive terms, commonplace examples are ensuring that the airbags deploy when they should, that the ABS brakes activate when needed and the electric windows don’t close on a child’s fingers.

Why ISO 26262?

Expanding on IEC 61508, ISO 26262 defines four Automotive Safety Integrity Levels (ASIL), ranging from A to D, with D the most stringent. A further level, Quality Management (QM), covers components that require only standard quality-management processes. As the diagram below shows, different components inside a vehicle require different levels, depending on the application.

[Diagram: ASIL levels required by different automotive components]

The standard also differs from IEC 61508 in that it recognizes that not all errors will lead to an accident, but there must be a way to recognize a failure and move to a ‘fail-safe’ operation. For example, if a failure is detected in a function such as the automatic brakes in an autonomous car, a functionally safe system will use built-in redundancy to ensure that the system still works as intended; the vehicle can then remove itself from road use until the function has been fixed.
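The detect-a-failure-then-fail-safe pattern described above, as an added illustration that is not MIPS code and is not taken from ISO 26262: two redundant pedal sensors each feed the same (constructed) brake control law, a comparator flags a failure when the channels disagree or a sensor reports an implausible value, transient faults keep the system operational in a degraded mode, and a persistent fault latches a fail-safe state that is held until the unit is serviced. The sensor trace, the control law, the tolerance and the "controlled stop" command value are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example (not MIPS code): a dual-channel brake command with
 * cross-checking, degraded operation and a latched fail-safe state. */

typedef enum { MODE_NORMAL, MODE_DEGRADED, MODE_FAIL_SAFE } safety_mode_t;

typedef struct {
    safety_mode_t mode;
    int mismatches;   /* consecutive cross-channel disagreements */
} safety_state_t;

enum {
    PEDAL_MAX      = 100,  /* valid pedal-sensor range is 0..100 percent */
    TOLERANCE      = 8,    /* max allowed difference between channel outputs */
    MISMATCH_LIMIT = 3,    /* disagreements tolerated before latching fail-safe */
    SAFE_CMD       = 120   /* constructed 'controlled stop' brake command */
};

/* Constructed control law: pedal percent -> brake pressure 0..250, 5% deadband. */
int brake_law(int pedal_pct)
{
    if (pedal_pct < 5) return 0;
    return (pedal_pct - 5) * 250 / 95;
}

static bool sensor_valid(int v) { return v >= 0 && v <= PEDAL_MAX; }

/* One control cycle. Each channel derives the command from its own sensor;
 * the comparator detects a failure when the channels disagree or a sensor
 * reports an implausible value. Returns the brake command to apply. */
int safety_step(safety_state_t *st, int sensor_a, int sensor_b)
{
    if (st->mode == MODE_FAIL_SAFE)          /* latched until serviced */
        return SAFE_CMD;

    bool a_ok = sensor_valid(sensor_a), b_ok = sensor_valid(sensor_b);
    int cmd_a = a_ok ? brake_law(sensor_a) : 0;
    int cmd_b = b_ok ? brake_law(sensor_b) : 0;

    if (a_ok && b_ok && abs(cmd_a - cmd_b) <= TOLERANCE) {
        st->mismatches = 0;
        st->mode = MODE_NORMAL;
        return cmd_a;
    }

    /* Failure detected: count it, and latch fail-safe if it persists. */
    if (++st->mismatches >= MISMATCH_LIMIT) {
        st->mode = MODE_FAIL_SAFE;
        return SAFE_CMD;
    }

    /* Transient fault: stay operational on the redundant data, choosing the
     * more conservative (stronger) braking of whatever is still valid. */
    st->mode = MODE_DEGRADED;
    if (a_ok && b_ok) return cmd_a > cmd_b ? cmd_a : cmd_b;
    if (a_ok) return cmd_a;
    if (b_ok) return cmd_b;
    return SAFE_CMD;
}

/* Replays a constructed sensor trace in which sensor B sticks at 0 from cycle 2. */
safety_mode_t run_demo(void)
{
    static const int trace[][2] = { {50, 51}, {60, 58}, {50, 0}, {50, 0}, {50, 0}, {50, 50} };
    safety_state_t st = { MODE_NORMAL, 0 };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        int cmd = safety_step(&st, trace[i][0], trace[i][1]);
        printf("cycle %zu: sensors %3d/%3d -> cmd %3d, mode %d\n",
               i, trace[i][0], trace[i][1], cmd, (int)st.mode);
    }
    return st.mode;   /* MODE_FAIL_SAFE once the stuck sensor persists */
}

int main(void)
{
    return run_demo() == MODE_FAIL_SAFE ? 0 : 1;
}
```

Two design points carry over to real safety mechanisms: the fail-safe state is latched rather than cleared the moment the channels happen to agree again (the last trace cycle still returns the safe command), and a single disagreement is tolerated so that a transient glitch does not take a working vehicle off the road.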

ISO 26262 specifically takes into account that the development of any particular aspect of a car is distributed across different organizations over its life cycle. It also explicitly demands a full safety culture within an organization.

Functional safety requirements and the ISO 26262 standard will continue to evolve along with the ever-evolving automobile, especially as we move toward more autonomous vehicles, software-defined vehicles, and electric vehicles.

In its eVocore CPUs, MIPS has adopted the requirements of functional safety, and specifically of ISO 26262. The V-diagram below shows that MIPS takes into account the safety requirements of the SoC vendor, and that the work product resulting from the safety life cycle undergoes stringent independent confirmation measures before the final safety work package is released. The SoC vendor is then able to integrate our IP into their design with confidence that it will meet their target ASIL requirements.

[Diagram: safety life-cycle V-diagram (mips-i6500-f-v-diagram)]

The full package

MIPS eVocore CPUs are assessed as achieving ‘ASIL B decomposed from D’ and as such can be part of an ASIL D rated SoC. The CPUs are developed as a Safety Element out of Context (SEooC), which enables them to be implemented inside a range of designs. In addition to the IP itself, we supply a safety work package, together with an FMEDA safety analysis report by ResilTech, an independent third-party assessor on international safety standards.

The eVocore P8700 has been selected by leading SoC company Mobileye to power its forthcoming EyeQ®5 automotive vision platform and is ready to power the automotive, industrial IoT and robotic systems that will shape the autonomous future.