The evolution of automotive safety systems: the emergence of functional safety based on safety prediction

Publisher: 云自南国来 | Latest update time: 2012-04-23 | Source: OFweek

In the less than ten minutes it takes to read this article, more than 20 people around the world will have died in road traffic accidents, and about 90% of them are in developing countries such as China (World Health Organization statistics). Cars benefit mankind, yet in a world where technology is more advanced than ever, traffic accidents still pose such a serious threat to public safety, which is nothing less than a great tragedy for mankind.

Since the birth of automobiles, people have never stopped pursuing safe driving. Passive safety measures such as the earliest seat belts and later airbags have saved tens of millions of lives. Active safety features such as ABS (anti-lock braking system), ESP (electronic stability program), and EBD (electronic brake force distribution system) have greatly improved automobile safety. However, traffic accidents are still one of the biggest causes of unnatural deaths and injuries.

Figure 1: Statistics from the World Health Organization: 1.3 million people die and 50 million are injured in traffic accidents every year worldwide.

"With the increasing complexity of systems and the extensive application of software and electromechanical equipment, the risk of traffic accidents caused by system failures and random hardware failures is also increasing. Therefore, a new automotive safety concept has emerged in recent years: safety prediction." At the "2012 Industry and Technology Outlook Media Seminar" held recently, Dr. Yolanda Xi, Global Product Marketing Manager of Freescale's Asia Pacific Automotive and Industrial Solutions Division, pointed out that "Safety prediction means that some systems in the car can detect faults in real time and issue warnings so that faults are prevented before they occur. This is the concept of automotive functional safety that everyone is advocating." To this end, Freescale launched a safety assurance solution named "SafeAssure" to help system manufacturers meet the functional safety standards of the automotive and industrial markets more easily, greatly reducing development difficulty and shortening the development cycle.

Figure 2: Evolution of automotive safety systems – the emergence of functional safety based on safety predictions.

From IEC 61508 to ISO 26262: the evolution of automotive functional safety

Before ISO 26262 was published in November 2011, the functional safety standard followed by the automotive industry was IEC 61508, the basic standard for functional safety of electronic, electrical and programmable devices. As a generic basic safety standard, however, it has many shortcomings with respect to the particular needs of the automotive industry, especially as automotive systems have grown more complex in recent years. ISO 26262, derived from IEC 61508, is tailored to today's automotive industry; in particular, its requirements for hardware and software development match the actual state of the advanced automotive industry.

The ISO 26262 standard classifies the safety requirements of a system, or of a component of a system, into Automotive Safety Integrity Levels (ASIL) A to D according to the degree of safety risk, of which ASIL D is the highest level with the most stringent safety requirements. For system suppliers, higher safety levels mean that these more demanding design requirements must be met.

Safety-related work always goes hand in hand with ordinary functional and quality-related R&D activities and product production. ISO 26262 addresses all safety-related aspects of R&D activities and product production, and introduces a life-cycle concept for automotive safety, providing the necessary support at each stage of that life cycle. ISO 26262 covers the overall development process of functional safety, including planning, design, implementation, integration, verification, validation and configuration.

SafeAssure

Two months before ISO 26262 was published, Freescale's SafeAssure safety assurance solution was launched, the first of its kind in the industry. "SafeAssure is a solution designed for functional safety standards in the automotive and industrial markets, helping companies simplify the process of meeting standards, shorten development time and reduce complexity," Yolanda pointed out. "Based on the SafeAssure functional safety assurance solution, manufacturers can easily achieve system safety standards from ASIL-A to D and SIL-1 to 4."

Figure 3: Freescale's Xi Yunxia: Based on the SafeAssure functional safety assurance solution, manufacturers can easily achieve system safety standards from ASIL-A to D.

The SafeAssure solution covers Freescale's range of technologies, including microcontrollers, analog and power management ICs, and sensors. The SafeAssure solution provides manufacturers with support in four areas:

Safety Process: Select products that are defined and designed to comply with standards requirements from the beginning, making functional safety an integral part of the product development process.

Safety hardware: Fault control is achieved through built-in safety features in Freescale microcontrollers, power management ICs and sensors, such as self-test, monitoring and hardware-based redundancy. Freescale automotive analog device solutions provide additional system-level safety features, including checking microcontroller timing, voltage and fault management.

Safety software: Comprehensive automotive functional safety software products, including AUTOSAR OS, MCAL, drivers and kernel self-test functions, together with further safety software solutions launched in cooperation with leading third-party software providers.

Safety Support: Freescale leverages its broad technical capabilities to provide customer training and system design reviews on functional safety architecture, as well as extensive safety documentation and technical support.

The main goal of SafeAssure is to simplify the complex. To simplify failure analysis, Freescale also provides an important analysis tool, Failure Mode, Effect and Diagnostic Analysis (FMEDA). This tool processes the customer's complete data and calculates whether the result meets the requirements of functional safety. The FMEDA tool can help customers calculate the final functional safety results for their own applications, so that the SafeAssure solution effectively simplifies functional safety design work.

Functional safety mechanisms in the MPC5643L microcontroller

Yolanda pointed out: "The concept of hardware safety is mainly achieved by detecting and eliminating random hardware failures, using built-in safety mechanisms, including self-test, monitoring and hardware-based redundant design." Manufacturers can make full use of the functional safety mechanisms built into Freescale microcontrollers, power management ICs and sensors to achieve effective fault control, thereby meeting the functional safety design requirements of the target market.

Functional safety design requires anticipating possible failures, including single-point failures, latent failures and common cause failures. For ASIL D, the highest level of ISO 26262, the designed system must detect more than 99% of single-point failures, and the latent failure detection rate must exceed 90%. For example, if the required failure rate of a system is less than 10^-8 per hour, the failure rate of the microcontroller must be less than 10^-9 per hour. "We are more rigorous in the design process of our microcontrollers, and the probability of errors is lower," Yolanda said. "MPC5643L is a microcontroller product launched by Freescale for functional safety. The design of this product embodies the design concept of functional safety."
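As an added example (not from the article and not Freescale's FMEDA tool), the following Python computes the ISO 26262 hardware metrics from a small constructed FMEDA-style table and checks them against the ASIL D targets quoted above; the element names, FIT values and coverage figures are made up for illustration.

```python
# Added example: ISO 26262 hardware metrics (SPFM, LFM, simplified PMHF) from a
# constructed FMEDA-style table, checked against the ASIL D targets the article
# quotes. Not Freescale's FMEDA tool; every element and value below is made up.
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = one failure per 10^9 device-hours

@dataclass
class Element:
    name: str
    fit: float            # failure rate of the element, in FIT
    safety_related: bool  # False: cannot violate the safety goal, excluded
    dc_spf: float         # fraction of its faults caught by a safety mechanism
    dc_lf: float          # fraction of latent faults caught by self-test

# Constructed table for an MCU-like part (illustrative values only)
ELEMENTS = [
    Element("cpu_cores_lockstep", 40.0, True, 0.999, 0.95),
    Element("flash_with_ecc", 30.0, True, 0.99, 0.92),
    Element("sram_with_ecc", 25.0, True, 0.99, 0.90),
    Element("clock_monitor", 5.0, True, 0.98, 0.95),
    Element("debug_port", 10.0, False, 0.0, 0.0),
]

# ASIL D targets as quoted in the article: >99% single-point, >90% latent
# coverage; MCU failure-rate budget 1e-9/h when the system budget is 1e-8/h.
ASIL_D = {"spfm": 0.99, "lfm": 0.90, "pmhf_per_hour": 1e-9}

def metrics(elements):
    """Return (SPFM, LFM, PMHF per hour) over the safety-related elements."""
    sr = [e for e in elements if e.safety_related]
    lam_total = sum(e.fit for e in sr)
    lam_spf = sum(e.fit * (1 - e.dc_spf) for e in sr)               # residual faults
    lam_latent = sum(e.fit * e.dc_spf * (1 - e.dc_lf) for e in sr)  # undetected MPF
    spfm = 1 - lam_spf / lam_total
    lfm = 1 - lam_latent / (lam_total - lam_spf)
    pmhf = lam_spf * FIT  # simplified: residual-fault term only
    return spfm, lfm, pmhf

def meets_asil_d(elements, targets=ASIL_D):
    spfm, lfm, pmhf = metrics(elements)
    return (spfm >= targets["spfm"] and lfm >= targets["lfm"]
            and pmhf < targets["pmhf_per_hour"])

if __name__ == "__main__":
    print(metrics(ELEMENTS), meets_asil_d(ELEMENTS))
```

Replacing the flash element's coverage with a lower value (e.g. no ECC) drops the single-point metric below 99% and the ASIL D check fails, which is the kind of result the FMEDA step is meant to surface early.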

Redundant design is one of the most effective measures for improving a system's fail-safety, and the MPC5643L makes full use of redundancy to meet strict functional safety standards. The MPC5643L runs its two e200 cores in lockstep mode: one core does the work while the other monitors it. In addition, the MPC5643L also provides redundancy for major modules such as the watchdog timer, the memory-related control units, the bus and the peripherals. Moreover, to guard against single-point failures, its built-in flash memory also has automatic error correction.

Usually, many systems work normally at first, but after a few years failures may occur due to external factors. This is the concept of a latent failure, and functional safety design needs to take latent failures into account. "In the past, the prevention of latent failures was implemented in software: every time the software reset the microcontroller, it checked all of the memory or logic. In the MPC5643L, this verification is implemented in hardware as built-in self-test, which is a very important requirement for the functional safety of microcontrollers. This self-test function can cover more than 90% of error detection for memory, logic and peripherals," Yolanda pointed out.

In addition, common cause failures must also be considered. "What are common cause failures? For example, the clock is supplied to many modules, and the voltage is supplied to the entire microcontroller. Temperature is another important consideration: if the chip temperature is too high, the chip may also fail," Yolanda explained, defining common cause failures. "These common cause failures need to be detected. The MPC5643L has detection of clock, voltage and temperature." For cost reasons and because of their application environment, microcontrollers in ordinary applications do not have temperature sensors. These functional characteristics that consider common cause failures.

In addition, the MPC5643L integrates an error collection and response module (FCCU) that is independent of the CPU. The module also has its own clock, independent of the CPU's, so it can operate completely on its own to collect these errors and take the corresponding response measures. Traditional MCUs do not have such a module.

Figure 4: The functional safety processor MPC5643L makes full use of multiple failure protection mechanisms such as hardware redundancy design.

Conclusion

According to Yolanda, safety prediction based on functional safety is already very mature in developed markets such as Europe, America and Japan, where many related products are about to reach the market, while in China it has only just begun. As a landmark application of safety prediction, advanced driver assistance systems have entered the R&D process of many high-end cars. For example, Freescale provides a complete set of solutions for advanced driver assistance systems, including rear-view parking assistance, surround-view assistance, and forward-looking safety prediction (lane departure warning, adaptive cruise control, etc.). In fact, many of the world's leading automotive semiconductor solution providers are currently targeting advanced driver assistance systems, and the widespread application of automotive safety prediction based on functional safety is just around the corner.
