### DESIGNING FOR ADVANCED FUNCTIONAL SAFETY REQUIREMENTS

MATHIEU BLAZY-WINNING, FUNCTIONAL SAFETY MANAGER

AMF-AUT-T2805 | AUGUST 2017





NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property of their respective owners. © 2017 NXP B.V. PUBLIC



## AGENDA

- Overview of ISO 26262 Standard
- NXP Approach to ISO 26262
- Conclusion

### FROM AUTOMOTIVE ... TO SAFE & SECURE MOBILITY



- Enjoying Life: one hour per day in the car
- Saving Lives: 1.3M road fatalities every year
- Reducing CO2: EU mandates 20% reduction by 2020



### **ROAD TRAFFIC ACCIDENTS** THE CAUSES

| Critical reasons | Number    | %    |
|------------------|-----------|------|
| Driver           | 2,046,000 | 94%  |
| Vehicles         | 44,000    | 2%   |
| Environment      | 52,000    | 2%   |
| Unknown          | 47,000    | 2%   |
| Total            | 2,189,000 | 100% |

Data source: NMVCCS

#### Every year!

- ~1.3 m fatalities
- >50 m people seriously injured
- >\$3 trillion cost of road accidents
- >90% caused by human mistakes



We need to get the Human Factor out of the equation!





### **Elements of a Safe System**



- VEHICLE SAFETY: zero accidents by human error (ADAS & SOTIF)
- SECURITY: zero accidents by system hacks
- FUNCTIONAL SAFETY: zero accidents by system failures (ISO 26262)
- DEVICE RELIABILITY: zero component failures (robust product)

SOTIF: Safety of the intended functionality



# Overview of ISO 26262 Standard





### **Functional Safety Standards**

- ISO 26262 is the adaptation of IEC 61508 to comply with needs specific to electrical and/or electronic (E/E) systems within road vehicles.
- ISO 26262 addresses possible hazards caused by malfunctioning behavior of E/E safety-related systems.
- Addresses risks from systematic failures and random hardware failures.
- System safety is achieved through a number of **safety measures**.
- ISO 26262 provides an automotive-specific risk-based approach to determine integrity levels [Automotive Safety Integrity Levels (ASIL)].
- ISO 26262 uses ASILs to specify applicable requirements of ISO 26262 so as to avoid unreasonable residual risk.





### **ISO 26262 Product Development**

ISO 26262 compliance is achieved jointly by vehicle manufacturers, automotive suppliers (Tier 1), semiconductor suppliers and IP providers





#### Q: But who does what?




## Part 3 Concept



### **Determining ASIL**



### Hazard Analysis and Risk Assessment (HARA)

- Identify and categorize the hazards that can be triggered by malfunctions in the system
- The Risk Assessment is carried out using three criteria
  - **Severity** – how much harm is done?

| Class       | S0          | S1                             | S2                                                       | S3                                                                   |
|-------------|-------------|--------------------------------|----------------------------------------------------------|----------------------------------------------------------------------|
| Description | No injuries | Light and moderate<br>injuries | Severe and life-threatening<br>injuries (survival probable) | Life-threatening injuries<br>(survival uncertain), fatal<br>injuries |

- **Exposure** – how often is it likely to happen?

| Class       | E0         | E1                   | E2              | E3                 | E4               |
|-------------|------------|----------------------|-----------------|--------------------|------------------|
| Description | Incredible | Very low probability | Low probability | Medium probability | High probability |

- **Controllability** – can the hazard be controlled?

| Class       | C0                      | C1                  | C2                    | C3                                     |
|-------------|-------------------------|---------------------|-----------------------|----------------------------------------|
| Description | Controllable in general | Simply controllable | Normally controllable | Difficult to control or uncontrollable |

Reference ISO 26262-3:2011



### **Determination of ASIL and Safety Goals**

Q: So which ASIL should I target in my IC or IP?

- For each Hazardous event, determine the ASIL based on Severity, Exposure & Controllability
- Then formulate safety goals to prevent or mitigate each event, to avoid unreasonable risk

| Severity class | Probability class | C1 | C2 | C3 |
|----------------|-------------------|----|----|----|
| S1             | E1                | QM | QM | QM |
| S1             | E2                | QM | QM | QM |
| S1             | E3                | QM | QM | A  |
| S1             | E4                | QM | A  | B  |
| S2             | E1                | QM | QM | QM |
| S2             | E2                | QM | QM | A  |
| S2             | E3                | QM | A  | B  |
| S2             | E4                | A  | B  | C  |
| S3             | E1                | QM | QM | A  |
| S3             | E2                | QM | A  | B  |
| S3             | E3                | A  | B  | C  |
| S3             | E4                | B  | C  | D  |

Table 4 — ASIL determination

Reference ISO 26262-3:2011





### **Functional Safety Concept**

- The functional safety concept addresses:
  - Fault detection and failure mitigation
  - Safe State transitioning
  - Fault tolerance mechanisms
  - Driver warning



#### Q: This is a top-down approach, but components and IP are typically developed as a Safety Element out of Context (SEooC). How are the assumptions made?

Note: An SEooC is a safety-related element which is **not developed for a specific item**. This means it is **not developed in the context of a particular vehicle**.

Reference ISO 26262-3:2011



## Part 4 System



### Safety Mechanisms & Faults

- A safety mechanism is a technical solution implemented by E/E functions or elements, or by other technologies, to detect faults or control failures in order to achieve or maintain a safe state
- Safety mechanisms are implemented to prevent faults from leading to single-point failures or to reduce residual failures and to prevent faults from being latent
  - A multiple-point fault is an individual fault that, in combination with other independent faults, leads to a multiple-point failure.

(Figure not reproduced: fault classes shown as Single Point Fault, Latent Fault and Common Cause Fault.)



- Safety Mechanisms can take effect during
  - Power up (pre-drive checks)
  - During operation
  - During power-down (post-drive checks)
  - Part of maintenance.

Q: How to decide where to implement safety mechanisms? ... in HW or SW, in system or component or IP...





### **Fault Detection & Reaction Times**

- Fault reaction time
  - time-span from the detection of a fault to reaching the safe state
- Fault tolerant time interval
  - time-span in which a fault or faults can be present in a system before a hazardous event occurs
- Diagnostic test interval
  - amount of time between the executions of online diagnostic tests
- Multiple-point fault detection interval
  - time span to detect a multiple-point fault before it can contribute to a multiple-point failure

Figure 4 — Fault reaction time and fault tolerant time interval (figure not reproduced)

Reference ISO 26262-1:2011

Q: How to know which times to use? 1ms, 10ms, 100ms, 1sec, 1hr, several hours etc



## Part 5 Hardware



### **Target Metrics for ASIL**

- Associate the following target metrics to each safety goal
  - Single-point fault metric (SPFM)

Table 4 — Possible source for the derivation of the target "single-point fault metric" value

|                           | ASIL B | ASIL C | ASIL D |
|---------------------------|--------|--------|--------|
| Single-point fault metric | ≥90 %  | ≥97 %  | ≥99 %  |

  - Latent-fault metric (LFM)

Table 5 — Possible source for the derivation of the target "latent-fault metric" value

|                     | ASIL B | ASIL C | ASIL D |
|---------------------|--------|--------|--------|
| Latent-fault metric | ≥60 %  | ≥80 %  | ≥90 %  |

Q: Which faults to consider? How to justify diagnostic coverage? ... Some guidance in Part 5 Annex D...

  - Probabilistic Metric for random Hardware Failures (PMHF)

Table 6 — Possible source for the derivation of the random hardware failure target values

| ASIL | Random hardware failure target values |
|------|---------------------------------------|
| D    | <10 <sup>-8</sup> h <sup>-1</sup>     |
| C    | <10 <sup>-7</sup> h <sup>-1</sup>     |
| B    | <10 <sup>-7</sup> h <sup>-1</sup>     |

Q: Which portion of PMHF can an IC or IP use?

Reference ISO 26262-5:2011



### **Hardware Integration & Testing**

#### Table 11 — Hardware integration tests to verify the completeness and correctness of the safety mechanisms implementation with respect to the hardware safety requirements

|   | Methods                              | ASIL A | ASIL B | ASIL C | ASIL D |
|---|--------------------------------------|--------|--------|--------|--------|
| 1 | Functional testing <sup>a</sup>      | ++     | ++     | ++     | ++     |
| 2 | Fault injection testing <sup>b</sup> | +      | +      | ++     | ++     |
| 3 | Electrical testing <sup>c</sup>      | ++     | ++     | ++     | ++     |

#### Table 12 — Hardware integration tests to verify robustness and operation under external stresses

|    | Methods                                                               | ASIL A | ASIL B | ASIL C | ASIL D |
|----|-----------------------------------------------------------------------|--------|--------|--------|--------|
| 1a | Environmental testing with basic functional verification <sup>a</sup> | ++     | ++     | ++     | ++     |
| 1b | Expanded functional test <sup>b</sup>                                 | o      | +      | +      | ++     |
| 1c | Statistical test <sup>c</sup>                                         | o      | o      | +      | ++     |
| 1d | Worst case test <sup>d</sup>                                          | o      | o      | o      | +      |
| 1e | Over limit test <sup>e</sup>                                          | +      | +      | +      | +      |
| 1f | Mechanical test <sup>f</sup>                                          | ++     | ++     | ++     | ++     |
| 1g | Accelerated life test <sup>g</sup>                                    | +      | +      | ++     | ++     |
| 1h | Mechanical Endurance test <sup>h</sup>                                | ++     | ++     | ++     | ++     |
| 1i | EMC and ESD test <sup>i</sup>                                         | ++     | ++     | ++     | ++     |
| 1j | Chemical test <sup>j</sup>                                            | ++     | ++     | ++     | ++     |

Q: Fairly standard tests, except for fault injection?

Reference ISO 26262-5:2011


## Part 6 Software



### **SW Safety Mechanisms**

#### Table 4 — Mechanisms for error detection at the software architectural level

| Methods                                   | ASIL A | ASIL B | ASIL C | ASIL D |
|-------------------------------------------|--------|--------|--------|--------|
| Range checks of input and output data     | ++     | ++     | ++     | ++     |
| Plausibility check <sup>a</sup>           | +      | +      | +      | ++     |
| Detection of data errors <sup>b</sup>     | +      | +      | +      | +      |
| External monitoring facility <sup>c</sup> | o      | +      | +      | ++     |
| Control flow monitoring                   | o      | +      | ++     | ++     |
| Diverse software design                   | o      | o      | +      | ++     |

<sup>a</sup> Plausibility checks can include using a reference model of the desired behaviour, assertion checks, or comparing signals from different sources.

<sup>b</sup> Types of methods that may be used to detect data errors include error detecting codes and multiple data storage.

<sup>c</sup> An external monitoring facility can be, for example, an ASIC or another software element performing a watchdog function.

#### Table 5 — Mechanisms for error handling at the software architectural level

|    | Methods                                      | ASIL A | ASIL B | ASIL C | ASIL D |
|----|----------------------------------------------|--------|--------|--------|--------|
| 1a | Static recovery mechanism <sup>a</sup>       | +      | +      | +      | +      |
| 1b | Graceful degradation <sup>b</sup>            | +      | +      | ++     | ++     |
| 1c | Independent parallel redundancy <sup>c</sup> | o      | o      | +      | ++     |
| 1d | Correcting codes for data                    | +      | +      | +      | +      |

<sup>a</sup> Static recovery mechanisms can include the use of recovery blocks, backward recovery, forward recovery and recovery through repetition.

<sup>b</sup> Graceful degradation at the software level refers to prioritizing functions to minimize the adverse effects of potential failures on functional safety.

<sup>c</sup> Independent parallel redundancy can be realized as dissimilar software in each parallel path.



## Part 7 Production



### **Part 7 Production**

- Develop and maintain a production process for safety-related elements or items that are intended to be installed in road vehicles.
  - Typically existing production processes aligned with ISO TS 16949 are also well aligned with ISO 26262 requirements
- In addition, the compliance with **safety-related special characteristics** may be required
  - Examples of such safety-related special characteristics are
    - specific process parameters (e.g. temperature range or fastening torque)
    - material characteristics
    - production tolerance
    - Configuration
- Also, safety impact analysis of changes or field returns is required during production -> augmenting standard processes to comply.



## ISO 26262 2<sup>nd</sup> Edition



### ISO 26262 2<sup>nd</sup> Edition

- The 2<sup>nd</sup> edition of ISO 26262 is planned for release in 2018.

#### Most notable changes

- Scope now for series production road vehicles, except mopeds.
- Specific content added for Trucks, Buses, Trailers, Semitrailers and motorcycles (although very minimal)
- Part 11 guideline added for Semiconductors
- Part 12 added for motorcycles (mapping of MSIL to ASIL)
- Interaction between safety and security organizations mentioned (no specifics)
- Method for **dependent failure analysis** provided in multiple examples
- Guidance for fault tolerance
- Part 8.13 Hardware Qualification reworked to focus on non ISO 26262 developed hardware
- Overall improvements to clarify understanding
- Limited new content towards fail operational / autonomous vehicles indicating not yet mature enough in industry to standardize

Disclaimer: the notes above are taken from the DIS version and may change in the final release.

## NXP Approach to ISO 26262



### **Functional Safety Standards**





### NXP's Safe Assure Program





- Launched <u>SafeAssure</u> initiative in September 2011 focusing on NXP's functional safety solutions
- **NXP Development Processes** are aligned with ISO 26262 since 2013 across product lines
  - BCaM7 deployment will align at BU Auto level
- 100+ Products being developed to target ISO 26262:
  - Aug 2012 AMP HW Leopard (MPC564xL) 32-bit MCU <u>Certified</u> by Exida
  - 2013 AMP SW First release of Safety MCAL (sMCAL)
  - 2014 AAA HW Analog PowerSBC
  - Many more products are in the development pipeline and will come to completion in the years to come











### Example Interaction Between Car OEM, Tier 1 & Tier 2 (NXP)




### HW & SW Components developed as SEooC



Applicable to HW Component developed as SEooC

Reference ISO 26262-10:2012



### Tailoring of ISO 26262 to Component developed as Safety Element out of Context (SEooC)



Applicable to Component developed as SEooC

Reference ISO 26262-10:2012



### ISO 26262 Product Development - BCaM7

ISO 26262 compliance is achieved jointly by vehicle manufacturers, automotive suppliers (Tier 1), semiconductor suppliers and IP providers





### **NXP Processes aligned with ISO 26262**

- NXP ISO 26262 process complies with **all** applicable ISO 26262 **ASIL D** requirements for HW or SW SEooC development

| ISO 26262            | NXP Process                                                      | Applicable (ASIL A–D)          |
|----------------------|------------------------------------------------------------------|--------------------------------|
| Part 2 Management    | Safety Plan, Safety Case, Confirmation Measures                  | Yes                            |
| Part 3 Concept       | OEM / Tier 1 responsibility                                      | NA                             |
| Part 4 System        | System assumptions & Safety Requirements – HW/SW                 | Yes, only partially applicable |
| Part 5 Hardware      | HW – Safety requirements traced to implementation and testing    | Yes                            |
| Part 6 Software      | SW – Safety requirements traced to implementation and testing    | Yes                            |
| Part 7 Production    | Standard processes, aligned with ISO 26262                       | Yes                            |
| Part 8 Processes     | Standard processes, aligned with ISO 26262                       | Yes                            |
| Part 9 Analysis      | FMEDA, FTA & DFA                                                 | Yes                            |
| Part 10 Guideline    | SEooC Development & application of ISO 26262 to components       | Yes, SEooC development         |

- One process for all products, regardless of safety architecture ASIL target
- Only **difference** is for Confirmation Measures which are tailored to ASIL target

### **NXP ISO 26262 Confirmation Measures**

NXP performs ISO 26262 Confirmation Reviews (CR), Audit and Assessment as required by ISO 26262 for SEooC development

| Confirmation<br>Measures | ASIL A | ASIL B | ASIL C | ASIL D |
|--------------------------|--------|--------|--------|--------|
| CR Safety Analysis       | Yes    | Yes    | Yes    | Yes    |
| CR Safety Plan           |        | Yes    | Yes    | Yes    |
| CR Safety Case           |        | Yes    | Yes    | Yes    |
| CR Software Tools        |        |        | Yes    | Yes    |
| Audit                    |        |        | Yes    | Yes    |
| Assessment               |        |        | Yes    | Yes    |

Note: The following confirmation reviews are not applicable: hazard analysis and risk assessment, item integration and testing, validation plan & proven in use argument

- Confirmation Measures (CM) performed depending on ASIL
  - All checks executed with **independence level I3** by NXP Quality organization
  - NXP Assessors **certified** by SGS-TÜV Saar as Automotive Functional Safety Professional (AFSP)
  - NXP CM process **certified** by SGS-TÜV Saar as ISO 26262 ASIL D

## TOMORROW: ENABLING THE SAFE & SECURE CONNECTED CAR

Secure Connected, Self-Driving Cars will Save >1.3M Road Fatalities Globally

(Slide graphic not reproduced. ADAS features shown: Surround View, Blind Spot Detection, Cross Traffic Alert, Traffic Sign Recognition, Emergency Braking, Park Assistance, Adaptive Cruise Control, Rear Pedestrian Detection, Collision Avoidance, Collision Warning, Lane Departure Warning. NXP offers a complete safe & secure ADAS system, including big data infrastructure: Sense (Radar, Vision, Secure V2X), Think (Processing, Sensor Fusion, Security), Act (Powertrain, Chassis, Braking), Secure Network and Digital Networking infrastructure.)



### Where the Failures Come From

- Typically, dangerous failures in a safety system come from a combination of the following:
  - Development bugs (software or hardware)
  - Insufficient system safety architecture
  - Transient failures in semiconductors, primarily in SRAM (very high rate of occurrence)
  - Permanent failures in hardware



| Failure Type                       | per hour | FIT  | %      |
|------------------------------------|----------|------|--------|
| MCU SRAM Transient Failure rate    | 7.00E-07 | 700  | 70.00% |
| MCU FF Transient Failure rate      | 2.00E-07 | 200  | 20.00% |
| MCU Package Permanent Failure rate | 8.00E-08 | 80   | 8.00%  |
| MCU Die Permanent Failure rate     | 2.00E-08 | 20   | 2.00%  |
| MCU Total Failure rate             | 1.00E-06 | 1000 | 100%   |

(Chart not reproduced: residual failure rate per hour on a log scale from 1.00E-05 to 1.00E-10, marking MCU Raw (1.00E-06), MCU ASIL B (1.00E-08) and MCU ASIL D (1.00E-09).)

Note: Assumption - MCU is allocated only 10% of System ASIL target



### **MCU Safety Context**

- Applications have different safety requirements driven by different safety contexts, but the need for safe SW execution is common across all
- The objective is to make SW execution safe to achieve ASIL B or ASIL D depending on target market

|                                            |                                                       | ASIL B                   | ASIL D                   |
|--------------------------------------------|-------------------------------------------------------|--------------------------|--------------------------|
| Detect incorrect operation during runtime  | Fault Detection Time Interval                         | 10 ms                    | 10 ms                    |
|                                            | Diagnostic Coverage<br>(transient & permanent faults) | 90%                      | 99%                      |
|                                            | Residual Failure rate                                 | 1 x 10 <sup>-8</sup> / h | 1 x 10 <sup>-9</sup> / h |
| Start-up / Shut-down periodic test         | Diagnostic Coverage<br>(permanent faults)             | 60%                      | 90%                      |
| MCU HW to support SW Independence          |                                                       | MPU                      | MPU                      |

(Chart not reproduced: residual failure rate per hour on a log scale from 1.00E-05 to 1.00E-10, marking MCU Raw (1.00E-06), MCU ASIL B (1.00E-08) and MCU ASIL D (1.00E-09).)

Note: Assumption - MCU is allocated only 10% of System ASIL target

# **Defining the Safety Concept**

- Objective
  - Define how ASIL targets will be achieved between a mix of on-chip HW safety measures and system level safety measures (HW/SW)
- ISO 26262-5 Annex D Elements related to HW Components
  - Low application dependency: Power, Clock, Flash, SRAM & Processing Unit
  - High application dependency: Digital IO & Analog IO



Figure D.1 — Generic hardware of a system Reference ISO 26262-5:2011



### **Module Classification - Safety**

• Each module on the MCU is classified as Safety Related or Not Safety Related

| Element in ISO 26262-5, Table D.1 | MPC5744P FMEDA | MPC5744P Module                                         | Part of Software Execution Function | Safety Mechanism | Comments                                                             |
|-----------------------------------|----------------|---------------------------------------------------------|-------------------------------------|------------------|----------------------------------------------------------------------|
| Power Supply                      | Power          | Power Management Controller (PMC)                       | YES                                 |                  |                                                                      |
| Power Supply                      | Power          | Power Control Unit (MC_PCU)                             | YES                                 |                  |                                                                      |
| Clock                             | Clock          | Phase Lock Loop (2 x PLL)                               | YES                                 |                  |                                                                      |
| Clock                             | Clock          | Clock Monitor Unit (5 x CMU)                            |                                     | YES              |                                                                      |
| Clock                             | Clock          | Clock Generation Module (MC_CGM)                        | YES                                 |                  |                                                                      |
| Clock                             | Clock          | External Oscillator (XOSC)                              | YES                                 |                  |                                                                      |
| Clock                             | Clock          | Internal RC Oscillator (IRCOSC)                         | YES                                 |                  |                                                                      |
| Non-Volatile Memory               | Flash          | Embedded Flash Memory (c55fmc)                          | YES                                 |                  |                                                                      |
| Non-Volatile Memory               | Flash          | Flash Memory Controller (PFLASH)                        | YES                                 |                  |                                                                      |
| Non-Volatile Memory               | Flash          | End-to-end Error Correction Code (e2eECC)               |                                     | YES              |                                                                      |
| Volatile Memory                   | SRAM           | System SRAM                                             | YES                                 |                  |                                                                      |
| Volatile Memory                   | SRAM           | RAM Controller (PRAMC)                                  | YES                                 |                  |                                                                      |
| Volatile Memory                   | SRAM           | End-to-end Error Correction Code (e2eECC)               |                                     | YES              |                                                                      |
| Processing Unit                   | Core           | Main Core_0 (e200z4251n3)                               | YES                                 |                  |                                                                      |
| Processing Unit                   | Core           | Checker Core_0s (e200z424) (Delayed Lockstep)           |                                     | YES              |                                                                      |
| Processing Unit                   | Core           | Crossbar Switch (XBAR)                                  | YES                                 |                  |                                                                      |
| Processing Unit                   | Core           | JTAG Controller (JTAGC)                                 |                                     |                  | Not Safety Related module - Debug logic                              |
| Processing Unit                   | Core           | Nexus debug modules (NXMC, NPC, NAL & NAP)              |                                     |                  | Not Safety Related module - Debug logic                              |
| Processing Unit                   | Core           | Cyclic Redundancy Check (CRC)                           |                                     | YES              |                                                                      |
| Processing Unit                   | Core           | Fault Collection and Control Unit (FCCU)                |                                     | YES              |                                                                      |
| Processing Unit                   | Core           | Memory Error Management Unit (MEMU)                     |                                     | YES              |                                                                      |
| Processing Unit                   | Core           | Self-Test Control Unit (STCU2) (includes MBIST & LBIST) |                                     | YES              |                                                                      |
| Processing Unit                   | Core           | Register Protection (REG_PROT)                          |                                     | YES              |                                                                      |
| Communication (External)          | Peripheral     | CAN (3 x FlexCAN)                                       |                                     |                  | Peripheral module - High application dependency (failure rates only) |
| Communication (External)          | Peripheral     | Serial Interprocessor Interface (SIPI)                  |                                     |                  | Peripheral module - High application dependency (failure rates only) |
| Communication (External)          | Peripheral     | 10/100-Mbps Ethernet MAC (ENET)                         |                                     |                  | Peripheral module - High application dependency (failure rates only) |
|                                   | Peripheral     | Peripheral Bridge (2 x PBRIDGE)                         |                                     |                  | Peripheral module - High application dependency (failure rates only) |
| Analogue I/O and Digital I/O      | Peripheral     | System Integration Unit Lite2 (SIUL2)                   |                                     |                  | Peripheral module - High application dependency (failure rates only) |
| Analogue I/O and Digital I/O      | Peripheral     | Analog to Digital Converter (4 x ADC)                   |                                     |                  | Peripheral module - High application dependency (failure rates only) |
| Analogue I/O and Digital I/O      | Peripheral     | Wakeup Unit (WKPU)                                      |                                     |                  | Peripheral module - High application dependency (failure rates only) |



### Realizing the MCU Safety Concept - MPC5744P



# **Defining the Safety Concept – RADAR Example**

- Objective
  - Define how ASIL targets will be achieved between a mix of on-chip HW safety measures and system level safety measures (HW/SW)
- ISO 26262-5 Annex D Elements related to HW Components
  - Low application dependency: Power, Clock, Flash, SRAM & Processing Unit
  - High application dependency: RF, Digital & Analog IO



# Customer Deliverables





### **NXP SafeAssure Products**

To support customers in building their safety systems, the following deliverables are provided **as standard** for **all** products developed to ISO 26262.

- Public Information available via NXP Website
  - Quality Certificates
  - Safety Manual
  - Reference Manual
  - Data Sheet
- Confidential Information available under NDA
  - Safety Plan
  - ISO 26262 Safety Case
  - Permanent Failure Rate data (Die & Package) IEC/TR 62380 or SN29500
  - Transient Failure Rate data (Die) JEDEC Standard JESD89
  - Safety Analysis (FMEDA, FTA, DFA) & Report
  - PPAP
  - Confirmation Measures Report (summary of all applicable confirmation measures)





# Safety Manual





### **Safety Manual**

### Objective

- Enables customers to build their safety system using the MCU safety mechanisms and defines system level HW & SW assumptions
- Simplify integration of NXP's safety products into applications
- A comprehensive description of all functional safety (FS) information in a single document, to ensure the integrity of that information

### Content

- MCU Safety Context
- MCU Safety Concept
- System level hardware assumptions
- System level software assumptions
- FMEDA summary
- Dependent Failures Analysis summary

#### Safety Manual for MCU Solution





# **Safety Manual: Structure**

- MCU Safety Context
  - Safe states, Fault tolerant time interval
- MCU Safety Concept
  - Describes the safety concept of the device (what is implemented and how it works)
- System level hardware assumptions
  - Describes the functions required by external hardware to complement the MCU safety concept (Error out monitor)
- System level software assumptions
  - Description of necessary or recommended SW mechanisms for each module (Initial checks, configuration & runtime checks)
- Failure Rates and FMEDA
  - Short introduction to FMEDA
- Dependent Failure Analysis
  - β<sub>IC</sub> IEC 61508 Ed. 2.0 part 2, Annex E: Analysis of dependent failures
  - Countermeasures against common cause failures on chip level
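The "initial checks, configuration & runtime checks" that the software assumptions describe are, in practice, read-back and integrity checks that the application runs on a module's configuration registers. The C program below is an added illustration of that pattern and is not taken from an NXP safety manual: it writes a configuration, reads every register back, records a CRC of the accepted configuration, and then re-computes the CRC from a periodic task so that a later corruption (here an injected single-bit upset) is detected and routed to a fault reaction. The register block is a RAM array standing in for memory-mapped I/O, the register count, values and the counting `fault_reaction()` hook are assumptions; on the real device the reaction would signal the FCCU and the CRC would be computed by the CRC module rather than in software.

```c
/* Added example: runtime configuration-register check with CRC read-back.
 * Not NXP code. Register block, values and the fault reaction are stand-ins. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define CFG_REG_COUNT 4

/* RAM array standing in for a module's memory-mapped configuration registers */
static volatile uint32_t cfg_regs[CFG_REG_COUNT];

/* CRC-32 (IEEE 802.3 polynomial, reflected form), bitwise so it needs no table;
   a real application would use the MCU's CRC module instead */
uint32_t crc32_words(const volatile uint32_t *regs, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        uint32_t w = regs[i];
        for (int b = 0; b < 4; b++) {              /* little-endian byte order */
            crc ^= (w >> (8 * b)) & 0xFFu;
            for (int k = 0; k < 8; k++)
                crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
        }
    }
    return ~crc;
}

/* known-answer check of the CRC routine itself (CRC-32 of four zero bytes) */
bool crc32_self_test(void)
{
    static const uint32_t zero = 0;
    return crc32_words(&zero, 1) == 0x2144DF1Cu;
}

static uint32_t cfg_golden_crc;
static unsigned fault_reactions;

/* fault reaction hook: a real system would signal the FCCU / enter the safe
   state here; this stand-in only counts the reactions */
static void fault_reaction(void) { fault_reactions++; }

unsigned fault_reaction_count(void) { return fault_reactions; }

/* initial check: write the configuration, read every register back, then
   record the CRC of the accepted configuration */
bool cfg_init(const uint32_t *wanted, size_t n)
{
    for (size_t i = 0; i < n; i++) cfg_regs[i] = wanted[i];
    for (size_t i = 0; i < n; i++)
        if (cfg_regs[i] != wanted[i]) { fault_reaction(); return false; }
    cfg_golden_crc = crc32_words(cfg_regs, n);
    return true;
}

/* runtime check, to be called from a periodic task more often than the fault
   detection time interval; returns false and raises the reaction on mismatch */
bool cfg_runtime_check(size_t n)
{
    if (crc32_words(cfg_regs, n) != cfg_golden_crc) { fault_reaction(); return false; }
    return true;
}

/* constructed scenario: configure, check, inject a single-bit upset into one
   register, check again. Bit 1 of the result = first check passed,
   bit 0 = second check passed; the expected value is therefore 2. */
int demo(void)
{
    static const uint32_t wanted[CFG_REG_COUNT] = {0x00000001u, 0x0000FF00u, 0x80000000u, 0x12345678u};
    if (!crc32_self_test() || !cfg_init(wanted, CFG_REG_COUNT)) return -1;
    int before = cfg_runtime_check(CFG_REG_COUNT);
    cfg_regs[2] ^= 0x00000004u;                   /* injected bit flip */
    int after = cfg_runtime_check(CFG_REG_COUNT);
    return (before ? 2 : 0) | (after ? 1 : 0);
}

int main(void)
{
    int r = demo();
    printf("demo result %d (2 = corruption detected), fault reactions %u\n", r, fault_reaction_count());
    return r == 2 ? 0 : 1;
}
```

The read-back in `cfg_init` is what catches a write that never took effect (for example because a register was locked by REG_PROT or written with an invalid value), while the CRC comparison in `cfg_runtime_check` catches a later corruption without keeping a full shadow copy of the configuration; the self-test of the CRC routine on start-up is the usual guard against trusting a diagnostic that is itself broken.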







## **Safety Support – System Level Application Notes**

#### **Design Guidelines for**

- Integration of Microcontroller and Analog & Power Management device
- Explains main individual product Safety features
- Uses a typical Electrical Power steering application to explain product alignment
- Covers the ASIL D safety requirements that are satisfied by using both products:
  - MPC5643L requires external measures to support a system level ASIL D safety level
  - MC33907/08 provides those external measures:
    - External power supply and monitor
    - External watchdog timer
    - Error output monitor

#### Integrating the MPC5643L and MC33907/08 for ISO26262 ASIL-D Applications

This application note provides design guidelines for integrating the Freescale MPC5643L microcontroller unit (MCU) and the Freescale MC33907/08 System Basis Chip in automotive electrical/electronic systems that target the ISO 26262 functional safety standard. It provides an overview of the MPC5643L and MC33907/08 feature set and covers the functional safety requirements that are satisfied in order to achieve the ASIL D level of safety.

Integrating the MPC5643L and MC33907/MC33908 in a system provides many advantages for the customer. Freescale ISO 26262 solutions, which form part of the Freescale SafeAssure program, help system manufacturers more easily achieve system compliance with functional safety standards by simplifying the system architecture.

#### I. MPC5643L Overview

This section describes the MPC5643L features that are of interest when integrating the device with the MC33907/08.

#### A. Safety Concept

The MPC5643L is built around a dual e200z4d core Sphere of Replication (SoR) safety platform with a safety concept targeting the ISO 26262 ASIL D integrity level. In order to minimize the additional software and module level features needed to reach this target, on-chip redundancy is offered for the critical components of the MCU (CPU core, DMA controller, interrupt controller, crossbar bus system, memory protection unit, flash memory and RAM controllers, peripheral bus bridge, system timers, and watchdog timer). A Redundancy Control and Checker Unit (RCCU) is implemented at each output of this SoR. ECC is available for on-chip RAM and flash memories. The programmable Fault Collection and Control Unit (FCCU) monitors the integrity status of the device and provides fail-safe state control.

#### B. Power Supply Requirements

The on-chip voltage regulator module provides the following features. A single high supply with a nominal 3.3 V is required. An external ballast transistor is used to reduce on-chip power dissipation at high temperature, but an embedded transistor can be used if power dissipation is kept within the package dissipation capacity (lower frequency of operation). All I/Os are at the same voltage.



# Dynamic FMEDA






# Safety Support – Dynamic FMEDA

#### Objective

- Tailor FMEDA to match application configuration
- Enables customers, by supporting their system level architectural choices

#### Content

- FMEDA methods aligned with functional safety standards
  - SPFM & LFM, PMFH ISO 26262
  - SFF & PFH- IEC 61508 Ed. 2.0
  - $\beta_{IC}$ IEC 61508 Ed. 2.0 part 2, Annex E
- Dynamic FMEDA covers elements with low application dependency: Clock, Power Supply, Flash, SRAM, Processing Unit...

#### Work flow and result

- The customer specifies the failure model (which depends on the Safety Integrity Level) required by their application, and then confirms which Safety Measures will and will not be used
- A tailored FMEDA is then supplied to the customer for their specific application



### **ISO 26262-5** (Elements and Failure Models)

Table D.1 — Analyzed faults or failures modes in the derivation of diagnostic coverage (excerpt: Processing Unit elements, as analyzed in the FMEDA)

| Element          | Sub-element                                                                                         | See Tables  | Analyzed failure modes, Low (60 %) DC                                  | Medium (90 %) DC                                                                               | High (99 %) DC                                                                                                                                                |
|------------------|-----------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Processing units | ALU - Data Path                                                                                     | D.4/D.13    | Stuck-at<sup>a</sup>                                                   | Stuck-at<sup>a</sup> at gate level                                                             | d.c. fault model<sup>b</sup><br>Soft error model<sup>c</sup> (for sequential parts)                                                                           |
| Processing units | Registers (general purpose registers bank, DMA transfer registers), internal RAM                    | D.4         | Stuck-at<sup>a</sup>                                                   | Stuck-at<sup>a</sup> at gate level<br>Soft error model<sup>c</sup>                             | d.c. fault model<sup>b</sup> including no, wrong or multiple addressing of registers<br>Soft error model<sup>c</sup>                                          |
| Processing units | Address calculation (Load/Store Unit, DMA addressing logic, memory and bus interfaces)              | D.4/D.5/D.6 | Stuck-at<sup>a</sup>                                                   | Stuck-at<sup>a</sup> at gate level<br>Soft error model<sup>c</sup> (for sequential parts)      | d.c. fault model<sup>b</sup> including no, wrong or multiple addressing<br>Soft error model<sup>c</sup> (for sequential parts)                                |
| Processing units | Interrupt handling                                                                                  | D.4/D.10    | Omission of or continuous interrupts                                   | Omission of or continuous interrupts<br>Incorrect interrupt executed                           | Omission of or continuous interrupts<br>Incorrect interrupt executed<br>Wrong priority<br>Slow or interfered interrupt handling causing missed or delayed interrupt service |
| Processing units | Control logic (Sequencer, coding and execution logic including flag registers and stack control)    | D.4/D.10    | No code execution<br>Execution too slow<br>Stack overflow/underflow    | Wrong coding or no execution<br>Execution too slow<br>Stack overflow/underflow                 | Wrong coding, wrong or no execution<br>Execution out of order<br>Execution too fast or too slow<br>Stack overflow/underflow                                  |
| Processing units | Configuration Registers                                                                             | D.4         | —                                                                      | Stuck-at<sup>a</sup>, wrong value                                                              | Corruption of registers (soft errors)<br>Stuck-at<sup>a</sup> fault model                                                                                     |
| Processing units | Other sub-elements not belonging to previous classes                                                | D.4/D.13    | Stuck-at<sup>a</sup>                                                   | Stuck-at<sup>a</sup> at gate level                                                             | d.c. fault model<sup>b</sup><br>Soft error model<sup>c</sup> (for sequential part)                                                                            |

Footnotes a, b and c refer to the fault-model definitions given in the standard. Reference ISO 26262-5:2011




# **Dynamic FMEDA Metrics**



- FMEDAs must individually fulfill the target relative metrics (SPFM, LFM)
- **Sum** of individual PMHF must fulfill the absolute target

Diagram: each low-application-dependency element FMEDA reports its own SPFM, LFM and PMHF; peripheral modules contribute failure rates only.



# **Dynamic FMEDA**

- Failure Mode, Effect and Diagnostic Analysis
- A systematic way to identify and evaluate failure modes, effects and diagnostic techniques, and to document the system.
- FMEDA can be tailored to application use-case:
  - FMEDA allows adaptation of temperature profile and ASIL level
  - FMEDA allows selection of package used
  - FMEDA allows selection / de-selection of modules
  - FMEDA allows selection / de-selection of diagnostic measures
  - FMEDA allows particular DCs (diagnostic coverages) to be changed

### Called "Dynamic FMEDA"

- FMEDA can generate a specific (static) "customer FMEDA"
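The two slides above state the rule (each FMEDA must meet the relative metrics SPFM and LFM on its own, the PMHF values are summed against the absolute target) and list the tailoring knobs of the Dynamic FMEDA. The C program below is an added worked example of both, written here for illustration; it is not NXP's Dynamic FMEDA tool and uses no NXP data. It computes SPFM, LFM and a simplified PMHF from a small FMEDA-style table, checks them against the ASIL targets of ISO 26262-5 Tables 4 to 6 (SPFM ≥ 90/97/99 %, LFM ≥ 60/80/90 %, PMHF < 10<sup>-7</sup>/10<sup>-7</sup>/10<sup>-8</sup> per hour for ASIL B/C/D), optionally scaled by the share of the system target allocated to the MCU (the slides assume 10 %), and shows the tailoring step of de-selecting a safety mechanism. The FIT split of the rows follows the 700/200/80/20 breakdown shown earlier; the diagnostic coverages, the non-safety-related debug row and the latent-fault model are my assumptions.

```c
/* Added example: SPFM / LFM / simplified PMHF from an FMEDA-style table.
 * Not NXP's Dynamic FMEDA tool; rows and coverages are constructed. */
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>

#define FIT_PER_HOUR 1e-9   /* 1 FIT = 1e-9 failures per hour */

struct fm_row {
    const char *element;
    double fit;            /* raw failure rate of this failure mode, FIT */
    bool safety_related;   /* non-safety-related rows carry a failure rate only */
    double dc_residual;    /* DC of the runtime mechanism against single-point/residual faults */
    double dc_latent;      /* DC of the periodic test against faults that would otherwise stay latent */
};

struct hw_metrics { double spfm, lfm, pmhf; };

struct asil_target { char asil; double spfm, lfm, pmhf; };

/* ISO 26262-5 Tables 4, 5 and 6 (SPFM/LFM as fractions, PMHF in 1/h) */
static const struct asil_target TARGETS[] = {
    {'B', 0.90, 0.60, 1e-7},
    {'C', 0.97, 0.80, 1e-7},
    {'D', 0.99, 0.90, 1e-8},
};

struct hw_metrics fmeda_metrics(const struct fm_row *rows, int n)
{
    double lam_total = 0, lam_spf_rf = 0, lam_mpf_latent = 0;
    for (int i = 0; i < n; i++) {
        if (!rows[i].safety_related) continue;          /* failure rate only */
        double lam = rows[i].fit;
        /* share not covered at runtime can violate the safety goal directly */
        double residual = lam * (1.0 - rows[i].dc_residual);
        /* share covered at runtime is a multiple-point fault; the part the
           periodic (start-up/shut-down) test misses stays latent */
        double latent = (lam - residual) * (1.0 - rows[i].dc_latent);
        lam_total += lam;
        lam_spf_rf += residual;
        lam_mpf_latent += latent;
    }
    struct hw_metrics m;
    m.spfm = 1.0 - lam_spf_rf / lam_total;
    m.lfm = 1.0 - lam_mpf_latent / (lam_total - lam_spf_rf);
    /* simplified PMHF: single-point/residual faults only, the dual-point
       contribution is neglected (assumption for this first budget check) */
    m.pmhf = lam_spf_rf * FIT_PER_HOUR;
    return m;
}

/* true when all three metrics meet the target; 'allocation' is the fraction
   of the system PMHF budget given to the MCU (1.0 = the whole budget) */
bool meets_asil(struct hw_metrics m, char asil, double allocation)
{
    for (size_t i = 0; i < sizeof TARGETS / sizeof TARGETS[0]; i++) {
        if (TARGETS[i].asil != asil) continue;
        return m.spfm >= TARGETS[i].spfm && m.lfm >= TARGETS[i].lfm
            && m.pmhf < TARGETS[i].pmhf * allocation;
    }
    return false;   /* unknown ASIL letter */
}

/* Constructed rows: FIT split as on the failure-rate slide, DCs assumed */
static const struct fm_row EXAMPLE_ROWS[] = {
    {"SRAM transient (e2eECC)",                  700, true,  0.99, 0.99},
    {"Flip-flop transient (lockstep)",            200, true,  0.99, 0.90},
    {"Package permanent",                          80, true,  0.90, 0.60},
    {"Die permanent (LBIST/MBIST)",                20, true,  0.99, 0.90},
    {"Debug logic (JTAG), not safety related",     10, false, 0.0,  0.0 },
};
#define N_ROWS (int)(sizeof EXAMPLE_ROWS / sizeof EXAMPLE_ROWS[0])

/* Dynamic-FMEDA style tailoring: de-select the safety mechanisms of one row
   (both DCs become 0) and re-evaluate the metrics */
struct hw_metrics metrics_without_mechanism(int row)
{
    struct fm_row rows[N_ROWS];
    for (int i = 0; i < N_ROWS; i++) rows[i] = EXAMPLE_ROWS[i];
    rows[row].dc_residual = 0.0;
    rows[row].dc_latent = 0.0;
    return fmeda_metrics(rows, N_ROWS);
}

int main(void)
{
    struct hw_metrics m = fmeda_metrics(EXAMPLE_ROWS, N_ROWS);
    printf("SPFM %.2f%%  LFM %.2f%%  PMHF %.2e /h\n", 100 * m.spfm, 100 * m.lfm, m.pmhf);
    printf("ASIL B, whole budget:        %s\n", meets_asil(m, 'B', 1.0) ? "pass" : "fail");
    printf("ASIL B, 10%% allocated to MCU: %s\n", meets_asil(m, 'B', 0.1) ? "pass" : "fail");
    printf("ASIL D, whole budget:        %s\n", meets_asil(m, 'D', 1.0) ? "pass" : "fail");
    struct hw_metrics no_ecc = metrics_without_mechanism(0);
    printf("SRAM ECC de-selected: SPFM %.2f%%\n", 100 * no_ecc.spfm);
    return 0;
}
```

With these constructed numbers the element meets ASIL B when it may consume the whole PMHF budget, fails ASIL B once only 10 % of the system target is allocated to the MCU (the same allocation assumption the slides make), and fails ASIL D on SPFM; de-selecting the SRAM ECC drops SPFM below 30 %, which is the effect the Dynamic FMEDA's selection of diagnostic measures is meant to expose before the design is frozen. To follow the "sum of individual PMHF" rule, run `fmeda_metrics` once per element FMEDA and add the `pmhf` fields before comparing with the allocated absolute target.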



### **Dynamic FMEDA**



### **Additionally - FMEDA Report**

• Summarizing the assumptions and the method of the inductive functional safety analysis activities based on the FMEDA carried out for the MCU



# Safety Plan, Safety Case & Confirmation Measures





# **Safety Plan**

- Describes the overall approach to functional safety management during the development of the hardware or software components in accordance with ISO 26262 requirements.
- The Safety Plan is based on ISO 26262:2011
- The Safety Plan follows the standard NXP BCaM7 Process, which defines the overall product lifecycle.
- The MCU safety activities are planned and tracked as part of the standard project plans:
  - The safety deliverables are identified by "fs:"
  - Key safety activities addressed, including
    - safety requirements definition and review
    - safety analysis and review
    - design implementation and associated testing in verification simulation, silicon validation and qualification
    - key safety management activities of confirmation reviews, audit activities and assessment.



# Key Roles and Responsibilities for ISO 26262

### Functional Safety Architect

- Specification of Functional Safety requirements and performing Functional Safety analysis

### Project Functional Safety Manager

- Project specific set up and maintenance of Functional Safety activities according to organizational Functional Safety standards and product requirements

### Functional Safety Assessor

- Planning and execution of functional safety assessments according to the ISO 26262 standard and the NXP Functional Safety process

### Organisation Functional Safety Manager

- Implementation of ISO 26262 standard including training into the organization



### **ISO 26262 Safety Case**

- Lists the ISO 26262 Work Products applicable to the development, as well as
  progressively compiles the deliverables generated during the safety lifecycle which form
  the safety case along with the safety argument.
- The complete list of information exchanged between NXP (MCU Supplier) and the customer (System developer) is detailed in the ISO 26262 Safety Case, including how the information is exchanged:
  - Public Information available via the NXP Website
  - Confidential Information available under NDA
  - Internal Information available during onsite Audit
- In case NXP enters into a Customer Development Interface Agreement (Customer DIA) for a system, then the Customer DIA takes precedence over the ISO 26262 Safety Case.



# ISO26262-10 Table A.8 Checklist

- ISO 26262-10 Annex A.3.7 deals with techniques or measures to detect or avoid systematic failures during MCU design
- It proposes a checklist according to table A.8 to provide evidence that sufficient measures for avoidance of systematic failures are taken during MCU design

| Design phase                               | Design owner for ARM IP           | Design owner for FSL IP | ISO 26262-5 requirement                                                                                                                                      | ISO 26262-10 Table A.8 Checklist conform, ARM IP          | Checklist conform, FSL IP |
|--------------------------------------------|-----------------------------------|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------|---------------------------|
| Design entry                               | ARM (IP-level)<br>FSL (SoC-level) | FSL                     | 7.4.1.6 Modular design properties<br>7.4.2.4 Robust design principles<br>7.4.4 Verification of HW design (IP-level)<br>7.4.4 Verification of HW design (SoC-level) | ARM: YES (IP-level)<br>FSL: YES (SoC-level)                | FSL: YES                  |
| Synthesis                                  | FSL                               | FSL                     | 7.4.4 Verification of HW design<br>7.4.1.6 Modular design properties<br>7.4.2.4 Robust design principles                                                     | FSL: YES                                                  | FSL: YES                  |
| Test insertion and test pattern generation | FSL                               | FSL                     | 7.4.1.6 Modular design properties (testability)<br>7.4.4 Verification of HW design                                                                           | FSL: YES                                                  | FSL: YES                  |
| Placement, routing, layout generation      | FSL                               | FSL                     | 7.4.4 Verification of HW design                                                                                                                              | FSL: YES                                                  | FSL: YES                  |
| Chip production                            | FSL                               | FSL                     | 7.4.4 Verification of HW design                                                                                                                              | FSL: YES                                                  | FSL: YES                  |
| Qualification of HW component              | FSL                               | FSL                     | 7.4.4 Verification of HW design                                                                                                                              | FSL: YES                                                  | FSL: YES                  |

Checklist summary

- The checklist is complied with for each NXP design.
- When 3<sup>rd</sup> party IP (for example from ARM) is integrated, the major design steps that integrate it (synthesis, test insertion, backend, etc.) are NXP's responsibility, and NXP provides the checklist data for those steps.
- 3<sup>rd</sup> party IP providers supply the data for the IP-design part so that NXP can complete the checklist.



## **NXP ISO 26262 Confirmation Measures**

NXP performs ISO 26262 Confirmation Reviews (CR), Audit and Assessment as required by ISO 26262 for SEooC (Safety Element out of Context) development.

| Confirmation<br>Measures | ASIL A | ASIL B | ASIL C | ASIL D |
|--------------------------|--------|--------|--------|--------|
| CR Safety Analysis       | Yes    | Yes    | Yes    | Yes    |
| CR Safety Plan           |        | Yes    | Yes    | Yes    |
| CR Safety Case           |        | Yes    | Yes    | Yes    |
| CR Software Tools        |        |        | Yes    | Yes    |
| Audit                    |        |        | Yes    | Yes    |
| Assessment               |        |        | Yes    | Yes    |

Note: The following confirmation reviews are not applicable to an SEooC, because they are item-level activities that remain with the integrator: hazard analysis and risk assessment, item integration and testing, validation plan, and proven-in-use argument.

- Confirmation Measures (CM) are performed depending on the ASIL
  - All checks are executed with **independence level I3** by the NXP Quality organization
  - NXP Assessors are certified by SGS-TÜV Saar as Automotive Functional Safety Professionals (AFSP)
  - The NXP CM process is **certified** by SGS-TÜV Saar for ISO 26262 ASIL D



## Autonomous Driving Leading to Fail-Operational Systems





# Functional Safety Autonomous Driving – SAE Levels

[Figure: system control versus system availability across the SAE automation levels, progressing from fail-safe, through degraded mode, to fail-operational]

# Conclusion

- ISO 26262 addresses functional safety in automotive
- NXP applies ISO 26262 across its automotive developments
- Faults and safety mechanisms are determined for HW and SW components; NXP safety concepts enable customers to design their safety systems
- ISO 26262 is evolving to address the requirements for safe autonomous vehicles





# SECURE CONNECTIONS FOR A SMARTER WORLD
