How to implement functional safety of automotive MCU? Jiefa Technology creates a safe and reliable product matrix

Publisher: 创意探险 | Latest update: 2023-03-08 | Source: 盖世 (Gasgoo)

On February 21, 2023, at the 2nd Automotive Chip Industry Conference 2023 hosted by Gasgoo, Tu Chaoping, senior product manager of Jiefa Technology, explained the definition of functional safety: "the absence of unreasonable risk due to hazards caused by malfunctioning behaviour of electrical and electronic systems." He said that although functional safety is a familiar concept, implementing it in practice is a very challenging topic for chip companies, vehicle manufacturers and Tier 1 suppliers alike.


Quality control of automotive-grade chips is the focus of Jiefa Technology. Since its establishment in 2013, Jiefa Technology has brought four product lines into mass production: cockpit IVI SoC, AMP power chip, MCU body control chip, and TPMS tire pressure monitoring chip. As of last year, Jiefa Technology's first functional safety MCU, the AC7840x, has begun sampling, and some customers have entered the product verification stage. This automotive-grade MCU, based on the ARM Cortex-M4F core, targets ISO 26262 ASIL-B functional safety and AEC-Q100 Grade 1 qualification, supports AUTOSAR V4.4, and is delivered with an MCAL and configuration tools.




Tu Chaoping | Senior Product Manager, Jiefa Technology


The following is a summary of the speech:


Introduction to Automotive Functional Safety


Functional safety is already a familiar term, but implementing it in practice is a very challenging topic for both chip companies and their customers.


Functional safety has a definition: "the absence of unreasonable risk due to hazards caused by malfunctioning behaviour of electrical and electronic systems." This sentence contains three dimensions. The first is malfunctioning behaviour, which means either a functional failure, such as EPS steering failing to respond, or unexpected behaviour contrary to the design intent, such as EPS steering in the wrong direction. Both count as a functional abnormality.


Such a risk is judged along three dimensions: the probability of the hazardous event occurring, the severity of its consequences, and whether it is controllable by the driver or unacceptable. The risk of a given malfunction is assessed on the basis of these three dimensions.


In terms of functional safety standards for automobiles, IEC 61508 is the basic standard in the field of functional safety, and ISO 26262 is the functional safety standard for the automotive industry. ISO 26262 provides relatively comprehensive guidance and conventions for the automotive safety lifecycle; it is largely a methodology, and the specific implementation varies from company to company. It stipulates risk-based level requirements and indicators for each level, and also provides verification and confirmation measures to ensure that a sufficient and acceptable level of safety is achieved.


The ISO26262 standard covers a wide range of areas, including OEM, Tier 1, Tier 2, hardware, software, etc. In 2018, ISO 26262 was significantly updated and two standards were added: requirements for semiconductors, and requirements for motorcycles, trucks, and buses. Guidelines were added for model-based development, software safety analysis, dependent failure analysis, fault tolerance, and other projects, and the specifications are becoming more and more complete.


[Image source: Jiefa Technology]


ISO 26262 currently defines four Automotive Safety Integrity Levels, ASIL A, B, C and D. Together with the QM level, there are five levels for automotive-grade chips. The levels are assigned based on the degree of hazard and the probability mentioned above: the more severe the hazard and the greater the probability of occurrence, the higher the functional safety level required.


There are also quantitative indicator requirements, such as the FIT (failure in time) rate, where one FIT refers to the number of failures that occur when the chip works for 11 hours. ASIL-D requires fewer than 10 FIT, while ASIL-C and ASIL-B require fewer than 100. There are further requirements on indicators such as the single-point fault metric and the latent fault metric, all of which are specified in ISO 26262.


[Image source: Jiefa Technology]


The figure shows the functional safety requirements of different application scenarios in the traditional architecture. As software-defined vehicles become more common, many functions will be integrated into one MCU for control, and controllers in different areas may also be merged in multi-domain integration in the future. Therefore, the functional safety level requirements of related products are rising, and for some components they will be upgraded from ASIL-B to ASIL-D. As an automotive-grade chip company, Jiefa Technology is also committed to creating products with higher functional safety levels.


[Image source: Jiefa Technology presentation]


In the semiconductor industry, the failure rate curve (the "bathtub curve") is used to show how the reliability of a semiconductor device changes over time. By performing accelerated life tests (such as burn-in or IDDQ tests) as part of factory testing, early-life failures can be screened out and the yield of shipped chips can be guaranteed on the production line. For a chip company, whether DFT is considered carefully and whether its coverage is comprehensive at design time is an important test, and it is also a capability that requires accumulation and gradual improvement.


The flat region in the middle of the curve is the normal-life failure period. The longer this region is, the longer the effective working life of the chip. Since some components on new energy vehicles are always powered and their required operating time is longer than on fuel vehicles, we focus on the operating requirements of new energy vehicles when making functional safety products.


Chips are hardware products, and hardware will inevitably age, wear out, and have a finite life cycle. We must ensure that the product can operate normally for the number of years required by customers. Fault classification is a fairly specialised concept: when we design chips, we consider the coverage of different fault types and perform the corresponding calculations. Through FMEDA analysis, we also obtain the key metrics for hardware random faults.
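To make the FIT-based metrics concrete, here is an added example (not Jiefa Technology's own analysis) of a simplified FMEDA calculation for a constructed MCU element list: it derives the single-point fault metric, latent fault metric and a first-order PMHF from per-element failure rates and diagnostic coverage, then checks them against the ISO 26262-5 hardware metric targets as I know them (the threshold table and the element values are assumptions, not from the page).

```python
from dataclasses import dataclass

# 1 FIT = one failure per 1e9 device-hours (assumption for this calculation, not a value from the page)
FIT_HOURS = 1e9

@dataclass
class Element:
    name: str
    fit: float          # base failure rate of the hardware element, in FIT
    sg_fraction: float  # share of failure modes able to violate the safety goal (the rest are safe faults)
    dc_spf: float       # diagnostic coverage of the safety mechanism for single-point faults (0 = no mechanism)
    dc_lat: float       # coverage of latent-fault detection, e.g. periodic self-test (0 = none)

# ISO 26262-5 targets as I know them: (min SPFM, min LFM, max PMHF in FIT); assumption, not on the page
TARGETS = {"ASIL B": (0.90, 0.60, 100.0), "ASIL C": (0.97, 0.80, 100.0), "ASIL D": (0.99, 0.90, 10.0)}

# Constructed illustrative values; not measured data for any real device
SAMPLE_MCU = [
    Element("cpu_core", 20, 0.8, 0.90, 0.90),  # software self-test covers 90 % of safety-relevant core faults
    Element("sram", 40, 1.0, 0.99, 0.95),      # ECC on RAM
    Element("flash", 30, 1.0, 0.99, 0.95),     # ECC on flash
    Element("clock", 5, 1.0, 0.90, 0.90),      # clock monitor
    Element("adc", 15, 0.4, 0.0, 0.0),         # no safety mechanism: every safety-relevant fault is single-point
    Element("gpio", 10, 0.2, 0.0, 0.0),
]

def fmeda(elements):
    """Return SPFM, LFM and a first-order PMHF estimate (in FIT) for a list of safety-related elements."""
    total = sum(e.fit for e in elements)
    spf_rf = 0.0   # single-point + residual faults: safety-relevant faults no mechanism covers
    latent = 0.0   # multiple-point faults covered by a mechanism but never detected, so they stay latent
    for e in elements:
        lam_sg = e.fit * e.sg_fraction
        spf_rf += lam_sg * (1 - e.dc_spf)
        latent += lam_sg * e.dc_spf * (1 - e.dc_lat)
    spfm = 1 - spf_rf / total
    lfm = 1 - latent / (total - spf_rf)
    # Simplification: ignores dual-point contributions (mechanism failure x exposure time), so this is a lower bound
    pmhf_fit = spf_rf
    return {"spfm": spfm, "lfm": lfm, "pmhf_fit": pmhf_fit}

def achieved_asil(metrics):
    """Highest ASIL whose three hardware metric targets are all met; 'QM' if none."""
    best = "QM"
    for asil, (spfm_t, lfm_t, pmhf_t) in TARGETS.items():
        if metrics["spfm"] >= spfm_t and metrics["lfm"] >= lfm_t and metrics["pmhf_fit"] < pmhf_t:
            best = asil
    return best

if __name__ == "__main__":
    m = fmeda(SAMPLE_MCU)
    print(f"SPFM {m['spfm']:.1%}  LFM {m['lfm']:.1%}  PMHF {m['pmhf_fit']:.1f} FIT  -> {achieved_asil(m)}")
```

With these values the uncovered ADC and GPIO faults alone hold SPFM at 91 %, which clears ASIL B but not ASIL C, showing why elements without any safety mechanism dominate the single-point metric.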


When developing ISO 26262 solutions, we consider several dimensions. On the product side, we adopt technical measures to avoid and control failures and use safety analysis methods such as DFMEA, FTA, FMEDA and DFA. On the personnel side, we appoint functional safety managers and safety engineers and cultivate a safety culture at company level. On the process side, functional safety touches every aspect of development, so a complete set of work products must be formed, covering the safety plan, verification plan, safety case, verification reviews, confirmation reviews, quality management and more.


Regarding functional safety requirements, the ISO 26262 standard provides guiding structure by part and clause. For example, Part 3 Clause 6 (3-6) covers HARA analysis and the determination of safety goals, 3-7 introduces the functional safety concept and methodology for deriving functional safety requirements, 4-6 introduces the technical safety concept, system architecture design and hardware-software interface definition, and 5-6 and 6-6 introduce the hardware safety requirements, software safety requirements and random hardware failure metrics.


Both hardware and software will have defects, so a functional safety system will also experience failures; the important thing is how to control them. During chip design, failures must be avoided through process, method and organisation before release. After the chip is on the market, fault control measures must be implemented in both hardware and software. Failures are either random or systematic. Random failures are relatively easy to control: they can be analysed quantitatively, follow a probability distribution, and can be protected against by redundant design. Systematic failures impose their own technical requirements; the main difficulty is that they are unknown in advance, so redundant design is of limited help.


In the specific implementation, requirements traceability must be ensured during chip R&D across the dimensions of process, method, organisation and training, together with DFMEA analysis, design reviews, tool confidence level evaluation for software tools, and assessment of the maturity of third-party IP. Among these, the reuse of past experience and mature IP is critical.


In actual product application, the functional safety characteristics of the chip are equally critical. The chip's technical safety mechanisms therefore matter a great deal, as do the safety analysis methods (FMEDA, DFA, FTA) and safety concepts such as the hardware and software architecture design and the corresponding measures, so that customers have a reference for designing products that meet functional safety requirements during their own hardware and software development.


AutoChips Functional Safety MCU Product Introduction


Currently, Jiefa Technology has launched automotive-grade MCU products that meet functional safety requirements. The four automotive-grade MCU series that are in mass production or about to launch are AC7840x, AC7802x, AC7801x, and AC781x. Our automotive-grade MCUs are positioned for low-end, mid-range, and high-end application scenarios.


Jiefa Technology focuses on automotive electronics, so all of its automotive-grade MCU products meet the most basic standard, AEC-Q100. Our first chip product, the AC781x, is currently in mass production. Next, Jiefa Technology will launch the AC7803x and continue to expand its product matrix to support product upgrades and iterations for customers.
