Sourcing IP for Safety-Critical SoCs

Considerations for ensuring functional safety in safety-critical applications during implementation and verification of IP cores

Philipp Jacobsohn, Senior Staff Applications Engineer, SmartDV

Companies that develop products with special functional-safety requirements often request certification of third-party components such as IP cores. Different industry standards define both the range of use of a product and its allowed probability of failure. The context of use plays a role in determining the requisite safety level for a given piece of technology: for example, products used in the safety-relevant area of an automobile have higher requirements for error-free operation than those used only for non-critical applications, such as infotainment.

The common standard in the automotive sector is ISO 26262-1:2018, more commonly dubbed ISO 26262, which is itself a subgroup of the IEC 61508 standard. IEC 61508 is in turn subdivided into five safety integrity levels, SIL 0 to SIL 4, whereas ISO 26262 contains four levels, ASIL A to ASIL D (ASIL = automotive SIL). The SIL category defines the permissible probability that a system reaches a failure state. The higher the level, the stricter the safety requirements in both standards, with ASIL D being the most stringent for automotive.

The intended application dictates which requirements the final product must meet, and which categorization corresponds to those needs. Strategies must then be defined for preventing failures entirely, minimizing the probability that failures occur, or—if this is not possible—reacting to errors when they do occur. In general, a distinction is made between systematic errors (resulting, for example, from mistakes in circuit development or insufficient verification) and random errors (caused by external influences). Depending on the area of application and the required level of error-free operation, an error-tolerant implementation may be necessary. Such a requirement significantly increases the effort for implementation and, of course, for verification as well. It must be borne in mind that not only the correctness of the circuit itself must be verified, but also that of the error-detection and correction circuits—the circuit must be verified to perform as expected, and also not to perform in any way that is not expected.
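The last point above, that an error-detection and correction circuit has to be checked both for doing what it should and for never doing anything it should not, is what a fault-injection campaign establishes. The following is an added example, not code from the article or from SmartDV: a software model of a SECDED (single-error-correct, double-error-detect) extended Hamming code for an 8-bit data word, together with an exhaustive campaign that injects every 0-, 1- and 2-bit fault into every codeword and counts three kinds of misbehaviour. The code layout (bit 0 = overall parity, Hamming check bits at power-of-two positions) and the 8-bit word width are assumptions chosen for the example.

```python
"""Exhaustive fault-injection check of a SECDED extended Hamming code (example model).

Codeword layout (assumption made for this example):
  bit 0          overall (even) parity over bits 1..m
  bits 1..m      classic Hamming code, 1-indexed positions; check bits sit at
                 power-of-two positions, data bits fill the remaining positions
"""
from itertools import combinations

DATA_BITS = 8  # constructed example width: 8 data bits -> 4 check bits + overall parity


def _check_bit_count(k: int) -> int:
    """Smallest r with 2**r >= k + r + 1 (Hamming bound)."""
    r = 0
    while (1 << r) < k + r + 1:
        r += 1
    return r


def hamming_encode(data: int, k: int = DATA_BITS) -> int:
    """Encode a k-bit data word into a SECDED codeword (returned as an int)."""
    r = _check_bit_count(k)
    m = k + r
    code = [0] * (m + 1)          # index 0 is the overall parity bit
    d = 0
    for pos in range(1, m + 1):   # data bits go to non-power-of-two positions
        if pos & (pos - 1) != 0:
            code[pos] = (data >> d) & 1
            d += 1
    for i in range(r):            # check bit p covers every position with bit i set
        p = 1 << i
        code[p] = sum(code[pos] for pos in range(1, m + 1) if pos & p and pos != p) & 1
    code[0] = sum(code[1:]) & 1   # overall even parity over bits 1..m
    return sum(bit << pos for pos, bit in enumerate(code))


def hamming_decode(word: int, k: int = DATA_BITS):
    """Return (status, data); status is 'ok', 'corrected' or 'uncorrectable' (data None)."""
    r = _check_bit_count(k)
    m = k + r
    code = [(word >> pos) & 1 for pos in range(m + 1)]
    syndrome = 0
    for pos in range(1, m + 1):   # XOR of the positions holding a 1; 0 for a valid codeword
        if code[pos]:
            syndrome ^= pos
    overall = sum(code) & 1       # even parity over all bits including bit 0 -> 0 when clean
    if overall == 0:
        if syndrome != 0:         # even number of flips but a broken syndrome: double error
            return "uncorrectable", None
        status = "ok"
    else:                          # odd number of flips: treat as a single error and correct it
        if syndrome > m:          # syndrome points outside the word: cannot be a single error
            return "uncorrectable", None
        code[0 if syndrome == 0 else syndrome] ^= 1
        status = "corrected"
    data, d = 0, 0
    for pos in range(1, m + 1):
        if pos & (pos - 1) != 0:
            data |= code[pos] << d
            d += 1
    return status, data


def fault_campaign(k: int = DATA_BITS) -> dict:
    """Inject every 0-, 1- and 2-bit fault into every codeword; all counters must be zero."""
    n = k + _check_bit_count(k) + 1
    false_alarms = miscorrections = missed_doubles = 0
    for data in range(1 << k):
        cw = hamming_encode(data, k)
        status, out = hamming_decode(cw, k)
        if status != "ok" or out != data:          # clean word must pass untouched
            false_alarms += 1
        for i in range(n):                          # every single-bit fault must be corrected
            status, out = hamming_decode(cw ^ (1 << i), k)
            if status != "corrected" or out != data:
                miscorrections += 1
        for i, j in combinations(range(n), 2):      # every double-bit fault must be flagged
            status, _ = hamming_decode(cw ^ (1 << i) ^ (1 << j), k)
            if status != "uncorrectable":
                missed_doubles += 1
    return {"false_alarms": false_alarms,
            "miscorrections": miscorrections,
            "missed_doubles": missed_doubles}


if __name__ == "__main__":
    print(fault_campaign())
```

The three counters map onto the two obligations in the text: `miscorrections` and `missed_doubles` show the circuit performing as expected on the faults it is specified to handle, while `false_alarms` shows it not doing anything unexpected on fault-free input. For a hardware block the same campaign would be run against the RTL with a fault-injection simulator and recorded as coverage evidence, but the structure of the argument is identical.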

Industry safety standards for automotive, such as ISO 26262, are exceptionally rigorous because the involved electronic systems are safety-critical: human lives are at stake if they operate incorrectly or fail.

To ensure compliance with a certain safety standard, it is necessary to obtain certification through an independent organization such as TÜV SÜD (Germany). This is a notoriously intricate process, with tightly defined requirements for testing, record-keeping, and more. As such, the benefits of certification must be weighed against the substantial investment of time and resources involved. In most cases, it makes no sense to certify individual subcomponents such as IP cores, as these are used in the context of a more complex circuit.

Even if only the final product is to be certified, each component must meet the requirements that apply to the overall system. Therefore, the circuit implementation of every subcomponent must be carried out in compliance with strict rules, and the subsequent use of the product in safety-relevant applications must be deliberately considered during the development phase. The previously mentioned standards define processes that must be maintained. In the case of the ISO 26262 standard, these are:

  1. Detailed planning, during which the requirements for functional safety are defined
  2. Analysis, intended to identify hazards and possible error modes
  3. Implementation phase, in which the results of the two previous steps are put into effect

Subsequently, verification and validation of the system take place.

It takes no small amount of effort to achieve this type of certification. Throughout the design process, all steps and sub-steps must be well documented and the results recorded. This includes a detailed accounting of the electronic design automation (EDA) tools used, verification methodology and processes employed, error coverage, and so on. Alongside the design and verification tasks themselves are the additional efforts and attention to detail required to create appropriate documentation. “Getting it right” is an arduous process, and the stakes are high: it should also be noted that only a certain “frozen” version of a product is qualified, which must remain unchanged after receiving certification. The tool versions that were used when creating the product must also remain the same. All of this, of course, must be meticulously documented throughout.

When a project requires IP with certification or safety-related collateral, the comprehensive commitment and effort demanded by safety-critical designs cannot be ignored. It is, therefore, critical to consider not only the experience and expertise that the IP provider has with safety in general, but also with the specific applicable industry standard. Choosing an IP supplier that will offer proactive support can help to alleviate additional stress amid the rigors of the safety-critical chip design process.

About Philipp Jacobsohn

Philipp Jacobsohn is Senior Staff Applications Engineer at SmartDV, where he supports users of design IP and verification IP in North America and Europe. Beyond his work enabling the chip design success of SmartDV’s customers, Philipp is an avid technical writer with a keen interest in sharing the considerable knowledge he has cultivated over nearly 30 years in the semiconductor industry. Prior to joining the team at SmartDV in 2023, Philipp held a variety of engineering and field applications roles at J. Haugg, Synopsys, Synplicity, Epson Europe Electronics, Lattice Semiconductors, EBV Elektronik, and SEI-Elbatex. Philipp is based in Switzerland.

This blog post was originally published on ChipEstimate
