How to Approach Designs Targeting Automotive ISO 26262 Functional Safety Compliance: Part Two

The automotive industry prioritizes safety when designing vehicles to ensure safe and reliable operation. Read on to learn more about developing safety-critical designs with ISO 26262-compliant and ISO 26262-ready dsPIC33 DSCs.


Our Functional Safety Solutions to Kick-Start Automotive Safety Designs

Automotive functional safety focuses on implementing protective measures to mitigate dangers caused by a system failure or unanticipated behavior in a vehicle. Functional safety mechanisms help in identifying malfunctions and defining actions to be considered for safer operation.

Part one of this blog series covered Automotive Safety Integrity Level (ASIL) requirements and the design implementation flow. Continue reading the second part to understand how our functional safety solutions can help you kick-start automotive safety designs.

Functional Safety Reference Application

If you are implementing functional safety in your designs for the first time, we offer a reference application that showcases a safety-critical data monitoring use case and helps you understand how to approach the wide and complex topic of functional safety. The MPLAB® Code Configurator-based demo is implemented on the Explorer 16/32 Development Board (DM240001-2) and dsPIC33CH512MP508 PIM (MA330046). It implements a select few defined functionalities as shown in the block diagram and a subset of the safety mechanisms that would be required in a real-world implementation based on the standard. The reference application showcases the design process, integrated diagnostics and redundancy.

Basic problem statement:

  • Collect analog sensor (potentiometer) data
  • Compare data to preset limits (e.g., coolant temperature)
  • Periodically send data to a host controller
  • Respond to asynchronous requests

Top-level functional safety requirements defined:

  • The sensor's safe operating range is computed and/or updated during the operating life and safely stored (this is referred to as "calibration")
  • While active, the sensor output is checked for validity against that range and made available every second
  • The sensor reading is repeated periodically to keep the system responsive to driver action. The information is also made available on a push-button press
  • Each acquired sensor reading is compared with the calibration limits. If it is within these limits, the current minimum or maximum values are updated if needed; otherwise, an "Out of Range" error message is sent to the control unit element
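The problem statement and the four requirements above describe a small monitoring loop: trust the stored calibration limits only if they are intact, classify each reading against them, track min/max for in-range readings, report "Out of Range" otherwise, and push a status report every second or on a button press. The C below is an added example written for this post, not code from Microchip's reference application or its MCC-generated project. The limits (100..900 ADC counts), the sample sequence, the complemented-copy scheme for the stored calibration record and the report hook are all constructed assumptions; on a dsPIC33 the samples would come from the ADC and the message would go to the host controller over a bus such as CAN.

```c
/* Added example (not Microchip's reference application code): a host-independent
 * model of the data-monitoring behaviour described in the blog post. Limits,
 * samples and the reporting hook are constructed assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REPORT_PERIOD_MS 1000u   /* "made available every second" */

/* Calibration limits stored with a bitwise-complemented copy, so a corrupted
 * field (e.g. a bit flip in NVM) is caught before the limits are trusted. */
typedef struct {
    uint16_t lo, hi;
    uint16_t lo_inv, hi_inv;
} calib_t;

typedef enum { MON_OK, MON_OUT_OF_RANGE, MON_CALIB_INVALID } mon_status_t;

typedef struct {
    calib_t  cal;
    uint16_t min_seen, max_seen;
    bool     have_sample;
    uint32_t out_of_range_count;
} monitor_t;

/* Both copies must agree and the range must be well-formed. */
bool calib_valid(const calib_t *c)
{
    return (uint16_t)~c->lo == c->lo_inv &&
           (uint16_t)~c->hi == c->hi_inv &&
           c->lo <= c->hi;
}

/* "Calibration": (re)write the safe operating range with its redundant copy. */
void calib_set(calib_t *c, uint16_t lo, uint16_t hi)
{
    c->lo = lo;                c->hi = hi;
    c->lo_inv = (uint16_t)~lo; c->hi_inv = (uint16_t)~hi;
}

void monitor_init(monitor_t *m, uint16_t lo, uint16_t hi)
{
    calib_set(&m->cal, lo, hi);
    m->min_seen = m->max_seen = 0;
    m->have_sample = false;
    m->out_of_range_count = 0;
}

/* One acquisition cycle: validate the limits first, then classify the reading.
 * Min/max are only updated from readings judged against intact limits. */
mon_status_t monitor_process(monitor_t *m, uint16_t sample)
{
    if (!calib_valid(&m->cal))
        return MON_CALIB_INVALID;          /* never judge against corrupt limits */
    if (sample < m->cal.lo || sample > m->cal.hi) {
        m->out_of_range_count++;
        return MON_OUT_OF_RANGE;           /* caller sends "Out of Range" */
    }
    if (!m->have_sample) {
        m->min_seen = m->max_seen = sample;
        m->have_sample = true;
    } else {
        if (sample < m->min_seen) m->min_seen = sample;
        if (sample > m->max_seen) m->max_seen = sample;
    }
    return MON_OK;
}

/* Periodic push every second, or immediately on a button press. Unsigned
 * subtraction keeps the comparison correct across a millisecond-counter wrap. */
bool report_due(uint32_t now_ms, uint32_t last_report_ms, bool button_pressed)
{
    return button_pressed || (now_ms - last_report_ms) >= REPORT_PERIOD_MS;
}

const char *monitor_message(mon_status_t s)
{
    switch (s) {
    case MON_OK:           return "OK";
    case MON_OUT_OF_RANGE: return "Out of Range";
    default:               return "Calibration invalid";
    }
}

/* Constructed scenario: 10-bit ADC counts, limits 100..900, then a simulated
 * bit flip in the stored calibration copy. Returns the out-of-range count. */
uint32_t run_demo(void)
{
    static const uint16_t samples[] = { 500, 120, 950, 880, 40 };
    monitor_t m;
    monitor_init(&m, 100, 900);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        mon_status_t s = monitor_process(&m, samples[i]);
        printf("sample %u -> %s (min %u, max %u)\n", samples[i],
               monitor_message(s), m.min_seen, m.max_seen);
    }
    m.cal.hi_inv ^= 0x0001;                /* simulate corruption of the stored limits */
    printf("after corruption -> %s\n", monitor_message(monitor_process(&m, 500)));
    return m.out_of_range_count;
}

int main(void)
{
    printf("out-of-range samples: %u\n", (unsigned)run_demo());
    return 0;
}
```

The point worth noting is the ordering in monitor_process: the stored range is a safety-relevant input, so it is diagnosed before any reading is classified, and a corrupted record yields a distinct status rather than silently passing or failing the sample. The complemented copy is a minimal stand-in for whatever integrity mechanism (CRC, ECC-protected memory, redundant storage) a real design would choose from its FMEDA.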

[Figures: FuSa Reference Application block diagram; FuSa Data Monitoring Application; Operational States FuSa Diagram]

Functional Safety Solutions

Our ISO 26262 functional safety-compliant and functional safety-ready devices offer safety resources to simplify the development of ISO 26262-compliant applications. The ecosystem of our AEC-Q100 Grade 0-qualified dsPIC33C Digital Signal Controllers (DSCs) offers the following resources to simplify safety certification of your automotive designs:

  • Select dsPIC33C DSCs are qualified as functional safety-compliant and were developed following an ISO 26262-compliant development process
  • Failure Modes, Effects and Diagnostic Analysis (FMEDA) report and Functional Safety Manual (FSM)
  • Functional safety reference application
  • Application note: ISO 26262 Functional Safety: Implementation of a Safety Element Out of Context (AN3864)
  • TÜV Rheinland-certified safety diagnostic libraries for designs targeting up to ASIL C*
  • Development ecosystem for functional safety applications with the TÜV SÜD-certified MPLAB® XC16 compiler and a qualification package for the MPLAB ecosystem

* Targeting the higher safety level (ASIL C) is device dependent and requires ASIL decomposition techniques

ISO 26262 Functional Safety Packages

Begin your new safety-critical application's design using our dsPIC33C-based ISO 26262 Functional Safety Packages. We provide the following packages and offerings:

  • ISO 26262 Functional Safety Basic Package: provides basic resources to get you started with the evaluation of functional safety levels and the design of your application
  • ISO 26262 Functional Safety Starter Package: helps kick-start the design and enables you to understand the overall steps required for development in compliance with ISO 26262
  • ISO 26262 Functional Safety Advanced Package: an advanced package for beginners and seasoned experts alike that simplifies design and compliance/certification

Conclusion

Whether you are new to automotive functional safety or a seasoned expert, you can count on Microchip’s proven experience to help you meet functional safety requirements while minimizing cost, risk and development time. Our comprehensive portfolio of automotive dsPIC33 DSCs provides real-time response and high reliability in extreme operating conditions, including extreme temperatures, and features for functional safety and security to meet your automotive design challenges. Get started with the first step in designing your functional safety application with our safety solutions.

Learn more about our functional safety solutions.

Access the Microchip University course on functional safety

Addendum

Terminologies

The ISO 26262 standard uses numerous terms with highly detailed definitions that occasionally do not line up with their everyday usage. To establish a clear understanding of the meaning and scope of each term and to prevent ambiguous interpretations, it is crucial to become familiar with the most commonly used ones.

Part 1 Clause 3, “Terms and Definitions” in the ISO 26262 Standard is a good reference source for the terminologies. The following are a few keywords:

The top-level target of the Standard is an Item. An Item is described as a “System or combination of Systems, to which ISO 26262 is applied, that implements a function or part of a function at the vehicle level” ([1], Part 1-3.84).

A System is a “set of components or subsystems that relates at least a sensor, a controller and an actuator with one another” ([1], Part 1-3.163).

A Component is a “non-system level Element that is logically or technically separable and is comprised of more than one Hardware part or one or more software units” ([1], Part 1-3.21).

An Element is a generic term to refer to a "System, components (hardware or software), hardware parts or software units" ([1], Part 1-3.41).

A SEooC (Safety Element out of Context) is a “Safety-related Element that is not developed in the context of a specific Item. A SEooC can be a System, a combination of Systems, a software component, a software unit, a hardware component or a hardware part” ([1], Part 1-3.138).

Functional Safety is defined as the "absence of unreasonable risk due to hazards caused by malfunctioning behavior of electric/electronic Systems" ([1], Part 1).

Nagashree K N, Jan 12, 2023
Tags/Keywords: Automotive and Transportation