Functional safety’s role in improved automotive safety

F = fault coverage — Micron SAFER memory

Micron LPDDR5 is the industry’s first ISO 26262 ASIL-D certified memory. JEDEC compliant and automotive qualified, Micron’s memory portfolio addresses the automotive industry’s requirement for LPDRAM with functional safety support.

The requirement for functional safety in LPDRAM extends well beyond advanced driver-assistance system (ADAS) applications and into in-vehicle-infotainment (IVI) and driver information systems as these applications continue to converge and correspondingly affect the functional safety of the vehicle.

If you have read some of the earlier SAFER blogs, you probably know that functional safety is defined as the absence of unreasonable risk due to hazards caused by the failure of electrical and electronic (E/E) systems during operation. Functional safety focuses on those aspects that improve safety, detect faults and control failure — i.e., minimize uncertainty.

Let’s dig deeper to understand the two types of fault coverage and the hardware element classification.

Systematic fault coverage

Systematic fault coverage ensures that the risk of a product having a systematic issue is low enough for the targeted ASIL level by using well defined processes andmethodologies as specified by the ISO-26262 standard. Systematic faults may occur during specification, design, manufacture, test, or any other step. Systematic faults have potential for very high impact as, unlike a random hardware fault, the systematic fault may affect every vehicle in the fleet.

Random fault coverage

These are failures that appear arbitrarily during the lifetime of a device. Random failures can be further classified into two categories: transient faults (single-event upsets or soft errors) or permanent faults (hard errors such as stuck at a logic level). These types of failures are generally addressed by introducing safety mechanisms that help identify these faults, enabling the system to take the proper actions, including correcting the fault or enabling the system to maintain a safe state despite the fault.

Because of potential overhead costs associated with the adoption of stringent process-related methodologies for the prevention, as well as the implementation of safety mechanisms for the detection of faults, the ISO 26262 certification defines up to four different automotive safety integrity levels (ASIL). They reflect the severity and impact of the violation of the safety goals and, as such, define an incremental associated list of mandatory practices for systematic issue avoidance, as well as a set of stringent metric targets for random failure detection capability, for each ASIL (with ASIL-D being the most demanding level). This allows for the scaling of system or component cost versus the impact of failure. A simplified view of the ASIL calculation is shown in the chart below.

Automotive safety integrity level (ASIL) prime

With regard to the random fault detection metrics, ISO 26262 defines that an ASIL-D system needs to achieve a failure rate of fewer than10 failures in time (FIT), as measured at the system level. An ASIL-B system needs to achieve a FIT rate of fewer than 100 at the system level. One FIT is defined as one failure in 109 hours.

The need and case for ISO 26262 functional safety compliant memories

In the second edition of ISO 26262 standard (which was published in 2018, several years after the introduction of the original ISO 26262 standard in 2011), part 8, clause 13 was revised with the addition of a classification that correlates to the underlying complexity of a given hardware system and the corresponding methods that could be used to achieve a specific ASIL compliance at the system level.

System integrators were initially incorrectly classifying DRAM devices as Class II hardware elements – i.e., few operating modes and states to be analyzed for safety, no internal safety mechanisms. This classification is inconsistent with the underlying complexity of today’s DRAM devices, which are on par in terms of complexity with some of the most advanced SoCs and GPUs.

An industry leading safety consultancy, exida, contends that DRAM for safety applications should be classified as a Class III hardware element which would make them consistent with the criteria outlined in the ISO 26262-8, clause 13.4.1.1. It is also a requirement that any safety application that employs a Class III hardware element in the design must use an ISO 26262 compliant device once such a device is available.

LPDDR DRAM should be classified as a Class III HW element

The HW element classification according to the criteria ISO 26262-8, clause 13.4.1.1.

Hardware element classification criteria from functional safety consultancy firm, exida¹.

Per the ISO specification, “Class III hardware elements should be developed in compliance with ISO 26262” and only permits it as an exceptional case for a transitional period: “… the “evaluation of Class III elements” is not the preferred approach and therefore the next version of the hardware element is planned to be developed in compliance with ISO 26262.”