Functional Safety

Functional Safety, ISO 26262 and MIPS

MIPS is enabling the creation of assistive and fully autonomous systems by making its licensable technologies ready for key functional safety standards.

We live in a world where automation is becoming commonplace across industries, from manufacturing to robotics to automotive. The latter in particular is seeing rapid development and it won’t be long before driverless vehicles are a regular sight on our roads. Even before that we will see high levels of driver assistance with elements such as safe-spacing and automatic breaking.

The move to autonomous vehicles will inevitably be a disruptive force in society that will have an impact on myriad industries, including taxis, haulage, insurance and even car ownership itself. Autonomous driving will save lives and with the transition to electric propulsion, it will benefit the environment too.

MIPS_I6500-F_ADAS

Thanks to improved safety regulations and in-car technologies such as seat belts and airbags, fatalities of those inside cars have dropped significantly over the last 10 years. However, due mainly to the sheer increase in the number of vehicles on the road, globally, road deaths from accidents have continued to increase. Statistically, most of these accidents are due to driver error, and by taking the human out of the equation, lives will be saved.

Cars are also getting more complex. The number of electronic control units (ECUs) used on average in a car has increased significantly over the last decade. According to figures from Strategy Analytics a luxury car in 2007 might have had more than 40 ECUs, but by 2018 will likely have more than 50, while some high-end cars might have up to 150 on their various buses. The processors have also become more complex, moving from 8/16-bit to 32-bit for many functions and in some cases combining multiple functions into more complex SoCs. To meet the needs of the advanced Automotive Driver Assistance Systems (ADAS) for tomorrow’s autonomous cars, this complexity is only likely to increase.

In 2000, the IEC 61508 standard was introduced to address the need for functional safety for all electrical, electronic, and programmable safety-related systems. However, in response to electronics becoming ever more fundamental and integral to the operation of vehicles, it became necessary to introduce an automotive-specific branch. Introduced in 2011, it is called ISO 26262 and specifies that all components in a car to conform to the functional safety standard, which it defines as, “the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems”.

What is functional safety?

A dependable system can be broken down into three parts, of which functional safety is one. It consists of three categories. First, is reliability, in that the system should work as it was designed to in response to a command and not fail. Secondly, it should be available when required, so can respond when required. Thirdly, it should be safe, so that the system will respond to a failure in such a way as to not cause any injuries. While it’s impossible to guarantee absolute safety, it’s designed to bring the risk down as much as possible.

Functional safety has always been part and parcel of many industries. It ensures that doors close when they should on trains and that aviation systems are safe, and in the medical world that equipment operates correctly.

In automotive terms, commonplace examples are ensuring that the airbags deploy when they should, that the ABS brakes activate when needed and the electric windows don’t close on a child’s fingers.

Why ISO 26262?

Expanding on IEC1508, ISO 26262 defines four Automotive Safety Integrity Levels (ASIL) ranging from A to D, with the latter the most stringent. ASIL Quality Management (QM) refers to components that just require standard quality management processes. As you can see from the diagram below, different components inside a vehicle require different levels, depending on applications.

asil_automotive-1024x364

The standard also differs from IEC1508 in that it understands that not all errors will lead to an accident, but there must be a way to recognize a failure and move to a ‘fail safe’ operation. For example, if a failure is detected in a function such as the automatic brakes in an autonomous car, a functionally safe system will use built-in redundancy to ensure that the system works as intended; then the vehicle can remove itself from road use until the function has been fixed.

ISO 26262 specifically takes into account that development must be distributed across different organizations, in the life-cycle of any particular aspect of the car. It also explicitly demands a full safety culture within an organisation.

Ready for Part 11

The original draft of ISO 26262 consisted of ten parts, but a revision (currently in draft) adds a Part 11. This refers to the application of ISO 26262 to semiconductor IP vendors. Previously, the standard only referred to the requirements of SoC manufacturers to adhere to the standard, but with the increasing importance of functional safety to automotive, it has been extended down the chain to IP providers.

With the I6500-F CPU, MIPS has adopted the requirements of functional safety and specifically to ISO 26262. The V-diagram below demonstrates that MIPS takes into account the safety requirements of the SoC vendor, and the work product resulting from the safety life cycle undergoes stringent independent confirmation measures, before releasing the final safety work package. The SoC vendor is then able to integrate our IP into their design with confidence that it will meet their target ASIL requirements.

mips-i6500-f-v-diagram
The full package

Our MIPS I6500-F is deemed as achieving ‘ASIL B decomposed from D’ and as such can be part of an ASIL D rated SoC. In addition to the IP itself, we supply a safety work package, together with an FMEDA safety analysis report by ResilTech, an independent third-party assessor on international safety standards.

With the development of the MIPS I6500-F CPU, MIPS is building on its expertise in meeting functional safety requirements, enabling our SoC customers to achieve conformance to the standards such as ISO 26262. The I6500-F has been developed as a Safety Element out of Context (SEooC), which enables it to be implemented inside a range of designs. The I6500-F has been independently verified for compliance with ISO 26262 by ResilTech so designers of emerging intelligent and autonomous systems can take the CPU core and the accompanying safety package to ensure this part of their system meets the highest safety requirements.

The I6500-F has been selected by leading SoC company Mobileye to power its forthcoming EyeQ®5 automotive vision platform and is ready to power the automotive, industrial IoT and robotic systems that will shape the autonomous future.

Go here to discover more about our MIPS I6500-F.