MPS interprets MPSafe™: How important is automotive functional safety?

Publisher: EEWorld资讯 | Latest update: 2023-08-16 | Source: EEWORLD | Keywords: ISO, ASIL, MPS

A traditional car contains roughly 500 to 600 chips; autonomous-driving and new energy vehicles contain roughly 1,000 to 1,200, and models centred on smart or autonomous driving may need as many as 1,500 to 2,000. Millions of new cars are added every year and each stays in service for more than ten years, so the failure of a single component or subsystem can cause serious harm to consumers and vehicles.


Of course, not every vehicle feature needs the same level of safety (a video player does not need to be held to the standard of the braking system), but critical systems rely on a range of established reliability and safety certifications. The baseline standard an automotive IC must meet is AEC-Q100, which requires the IC to pass a prescribed series of stress tests so that it can withstand the inherently harsh vehicle environment. These tests probe device behaviour under extreme electrical and environmental stress to verify that the device will function properly throughout the vehicle's lifetime.


Put simply, AEC-Q100 guarantees that a device meets basic automotive quality requirements and will not be damaged in service. However, as the automotive industry develops rapidly, with the introduction of automation, connectivity and electrification, a device that is itself sound does not by itself guarantee the safety of the automotive system.


For this reason, ISO 26262 certification is becoming more and more important. Where AEC-Q100 addresses the quality of the device itself, ISO 26262 focuses on functional safety: ensuring that automotive parts perform the correct function at the right time. The standard defines a risk classification scheme, the Automotive Safety Integrity Level (ASIL), intended to reduce the hazards that faulty behaviour of electrical and electronic systems poses to vehicles.


AEC qualification relies mainly on test results, whereas ISO 26262 certification also requires that the process documentation meet the standard's requirements. More and more semiconductor companies are now turning their attention to ISO 26262 in order to comply with the new safety requirements of OEMs.


For example, MPSafe™ is a new and advanced safety development process designed by MPS for automotive products. The process has been independently certified as meeting the requirements of ISO 26262, and it applies to the design, development and production of automotive functional safety products.


Recently, Jing Y. Guo, Functional Safety Manager at MPS, gave domestic media an introduction to automotive safety, covering MPSafe™, ISO 26262 and related topics.


What is the ISO 26262 standard?


Jing emphasized that two misunderstandings need to be avoided when discussing ISO 26262. First, functional safety is not the same thing as safety in general; second, product quality is not the same thing as safety.


ASIL levels are assigned on the basis of three factors: Severity (S), Exposure (E) and Controllability (C).


Severity is the degree of injury to drivers, passengers or pedestrians; exposure is the probability of the car malfunctioning in a given external environment; controllability is the probability that an accident can be avoided.

[Figure: ASIL determination from the S, E and C classes]

As the figure shows, the combination of S, E and C classes determines which ASIL applies.
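The S/E/C lookup that the figure summarises, written out as an added example (not code from MPS or from the article) using the ASIL determination table of ISO 26262-3. The hazard entries are constructed for illustration and are not taken from any real hazard analysis.

```python
# Added example, not MPS code: ASIL determination from the S/E/C classes
# described above, as tabulated in ISO 26262-3. Hazard entries are constructed.

# ASIL_TABLE[(S, E)] gives the ASIL for controllability classes C1, C2, C3.
ASIL_TABLE = {
    (1, 1): ("QM", "QM", "QM"), (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),  (1, 4): ("QM", "A", "B"),
    (2, 1): ("QM", "QM", "QM"), (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A", "B"),   (2, 4): ("A", "B", "C"),
    (3, 1): ("QM", "QM", "A"),  (3, 2): ("QM", "A", "B"),
    (3, 3): ("A", "B", "C"),    (3, 4): ("B", "C", "D"),
}


def asil(s: int, e: int, c: int) -> str:
    """ASIL ('QM', 'A'..'D') for severity S0-S3, exposure E0-E4 and
    controllability C0-C3. Class 0 in any factor (no injury, incredible
    exposure, controllable in general) yields QM: no ASIL requirement."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"class out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"
    return ASIL_TABLE[(s, e)][c - 1]


def asil_by_sum(s: int, e: int, c: int) -> str:
    """Closed form of the same table: S+E+C of 7, 8, 9, 10 maps to A, B, C, D;
    anything lower is QM. Handy as a cross-check of a hand-typed table."""
    if 0 in (s, e, c):
        return "QM"
    total = s + e + c
    return "QM" if total < 7 else "ABCD"[total - 7]


def table_matches_sum_rule() -> bool:
    """Verify every cell of ASIL_TABLE against the closed form."""
    return all(asil(s, e, c) == asil_by_sum(s, e, c)
               for s in range(1, 4) for e in range(1, 5) for c in range(1, 4))


# Constructed hazard list (illustration only, not a real hazard analysis).
SAMPLE_HAZARDS = {
    "brake assist lost at highway speed": (3, 4, 3),
    "lane keeping drops out, driver can take over": (3, 4, 1),
    "rear camera image freezes while parking": (2, 3, 2),
    "infotainment audio stops": (0, 4, 3),
}


def hazard_asils(hazards: dict) -> dict:
    """Rate each hazard; the highest rating drives the safety goal."""
    return {name: asil(*sec) for name, sec in hazards.items()}
```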


Jing said that functional safety does not mean ensuring the car never malfunctions, because malfunctions occur randomly and are a matter of probability. What ASIL requires is that, once a malfunction occurs, the system can enter a safe state before an accident happens. This safe state must be defined for each scenario and does not necessarily mean shutting the system down completely. For example, if ADAS develops a problem, the system switches to manual driving so that the car can still be driven home; if the power system develops a problem, it must be shut down and the car stopped quickly.


In addition, Jing noted that everyone makes mistakes, so the ISO standard prescribes a complete set of training and development processes to cope with this.


MPS’s response


Throughout the product life cycle, MPSafe™ can meet all requirements for functional safety, specifically:


Chip definition


This covers both the chip's functional definition and its safety function definition. The MPS architecture team defines the functions the chip requires and works closely with the MPS safety team to understand how the chip's functional safety affects its functionality. The safety team is responsible for drafting, reviewing and approving the chip's safety plan, publishing the application assumptions that belong to the chip, and establishing the chip's development safety case.


Chip design


The chip's specifications and functional requirements are implemented on the basis of the system safety requirements the chip must meet. The safety team performs a quantitative safety analysis (FMEDA, Failure Modes, Effects and Diagnostic Analysis) of the chip to assess risks and confirm that the system safety requirements are met. The chip design team must provide a Dependent Failure Analysis (DFA) covering the chip's IC functions and safety mechanisms. Through simulation, package failure analysis and quality analysis, the various failure mode mechanisms are derived and verified, and the chip's safety mechanisms are analysed to see whether they meet the requirements. The chip design team also works with the chip verification team to establish a complete verification plan for the chip.


Chip samples


The manufacturers that provide packaging for MPSafe™ products must strictly follow the MPSafe™ process and requirements when producing samples, so that the samples meet automotive safety levels. The whole sample production process is supervised by the safety team to ensure there is no deviation between the requirements and actual production.


Chip test


Chip testing includes electrical characterization, reliability testing, IC characterization, bench and road-test functional and electrical verification, and large-scale testing on automatic test equipment (ATE). If any failure or problem appears during these tests, the team immediately analyses it, proposes a solution and produces new chip samples, ensuring that the problem is fully resolved and the risk removed.


Finished product shipment


Throughout the four steps above, the MPS safety team works closely with authoritative third-party certification bodies to ensure that every design, testing and production link in the MPSafe™ development and production process meets the safety requirements. Each link passes authoritative third-party certification, and the corresponding safety certificates and safety manuals are issued. Once all safety application analysis and certification are complete, the chip goes through all pre-shipment testing and is shipped under strict MPS standards.


The MPSafe™ product portfolio in brief


Previously, MPS mainly developed analog power circuits, but functional safety requires a great deal of digital control. MPS began focusing on automotive functional-safety power products a few years ago and has since launched a range of products that support systems reaching ASIL-D.


MPS products have the following characteristics:


Built-in self-test (BIST)


Integrated safety mechanisms, such as BIST, provide high diagnostic coverage to ensure reliability during every driving cycle. There are two forms of BIST in voltage monitors:


1) Analog built-in self-test (ABIST): ABIST diagnoses circuit faults by injecting a current or voltage into the diagnostic circuit. This verifies that the diagnostic circuitry can switch between the fault and no-fault conditions, showing that the analog safety mechanism is functioning properly. During this process all safety-relevant comparators and monitored reference voltages are checked.


2) Logic built-in self-test (LBIST): LBIST lets the hardware test itself and can detect errors in the internal logic circuits.


Reference voltage monitoring


The importance of the system reference voltage to the chip is self-evident: it is the basis on which many circuits and modules in the chip operate. Several modules, such as analog-to-digital converters (ADCs), rely on the reference voltage for precise voltage control. An unstable reference leads to unstable chip operation, larger errors and reduced performance, so the quality of the reference voltage is crucial to the chip's normal operation. To guarantee the accuracy and stability of the chip's reference voltage, MPS equips it with a reference voltage detection mechanism that supervises the system reference by introducing a redundant reference voltage. Once the system reference is found to have drifted beyond the preset range, the monitor pulls the interrupt low and reports the error.
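A behavioural model of the redundant-reference voltage monitor just described, combined with the ABIST sequence from the BIST section above (inject, confirm the comparator trips, remove, confirm it clears). This is an added example, not MPS code; the window width, voltages, the `nirq` pin name and the `stuck` fault-injection field are constructed for illustration.

```python
# Added example, not MPS code: a behavioural model of a redundant-reference
# voltage monitor with the ABIST described above. All voltages are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class VoltageMonitor:
    v_redundant: float            # independent reference the main one is checked against (V)
    tolerance: float              # preset window half-width (V)
    stuck: Optional[bool] = None  # model of a latent comparator fault: output stuck at this value
    nirq: int = 1                 # active-low error output (assumed name), 1 = no fault, 0 = pulled low

    def out_of_window(self, v_ref: float, inject: float = 0.0) -> bool:
        """Window comparator: True when v_ref (plus any injected test offset)
        differs from the redundant reference by more than the tolerance."""
        if self.stuck is not None:      # a stuck comparator ignores its inputs
            return self.stuck
        return abs(v_ref + inject - self.v_redundant) > self.tolerance

    def monitor(self, v_ref: float) -> int:
        """Run-time check: drift beyond the preset range pulls nIRQ low."""
        self.nirq = 0 if self.out_of_window(v_ref) else 1
        return self.nirq

    def abist(self, v_ref: float) -> bool:
        """Analog self-test: inject offsets that must trip the comparator in
        both directions, then remove them and require it to clear. Meant to
        run at start-up while the reference is good; a stuck comparator fails."""
        trips = (self.out_of_window(v_ref, +2 * self.tolerance) and
                 self.out_of_window(v_ref, -2 * self.tolerance))
        clears = not self.out_of_window(v_ref, 0.0)
        return trips and clears


def power_on(mon: VoltageMonitor, v_ref: float) -> str:
    """Start-up sequence: check the reference, then self-test the monitor.
    Either failure keeps the system in its safe state (nIRQ held low)."""
    if mon.monitor(v_ref) == 0:
        return "safe-state: reference out of range"
    if not mon.abist(v_ref):
        mon.nirq = 0
        return "safe-state: ABIST failed"
    return "run"
```

The point of the self-test is the `stuck` case: a comparator frozen at "no fault" passes the run-time check for any input, and only the injected offset exposes that the safety mechanism itself is broken.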


System clock monitoring


The system clock is the synchronization signal for every circuit and module in the IC, ensuring that each performs its operations at the correct time and in the correct order; it synchronizes counters, state machines, data sampling, data communication and so on. If the clock signal fails, the circuits and modules in the IC can no longer stay synchronized, which may lead to data loss, miscounting, state machines failing to transition, and even system crashes. Monitoring the clock signal is therefore particularly important in IC design. MPS introduces a reference clock so that it and the system clock monitor each other; when the system clock drifts beyond the preset range, the chip pulls the interrupt low and reports the error.
