
Technical Article

ISO26262 in automotive IC development: is it just a tickbox exercise, or does it induce manufacturers to make safer components?
Thomas Mueller

Car manufacturers started using ICs to control safety applications as early as the 1980s. First used
in anti-lock brakes and airbags, electronic devices were soon implementing complex functions
such as vehicle stability control and, more recently, active safety systems. ICs are now relied on not
only to mitigate the consequences of crashes, but to prevent them from happening in the first place.
It is fair to say that electronic components are absolutely critical to the safety of all road users today.
These electronic systems, used in tens of millions of cars on the road today, have operated with a
remarkable level of reliability, despite the absence of formal industry standards requiring compliance with safety processes. In general, IC manufacturers have deployed no more than a combination of FMEA (Failure Mode and Effect Analysis) and a good deal of engineering judgement. The
results, in terms of automotive safety, have been very successful.
The introduction of formal safety standards governing the design and fabrication of automotive ICs
might, then, seem to be a bureaucratic imposition which will do nothing to improve an already impressive safety record while adding time and cost to the product development process. Are the
standards really helpful either to the automotive industry or to road users?
The new rules for automotive IC manufacturers
The first attempt to standardise the approach to safety in automotive ICs was around the turn of the
century, when the existing IEC61508 standard was applied to microelectronics systems. This was
originally a functional safety standard for application in industrial systems such as railways and
power plants. IEC61508 introduced hazard analysis, followed by safety specifications such as the
Safety Integrity Level (SIL) and the concept of a maximum failure rate.
The next development, an extension of FMEA called FMEDA (Failure Mode Effect and Detection
Analysis), proved to be an easy tool for designers of safety ICs to use. FMEDA requires the classification of IC failures as either safe or unsafe. The designer then has to implement a sound process for estimating the probability of each failure's occurrence, and to use diagnostic techniques to
detect failures. The result is a quantitative analysis derived from empirical evidence. The ratio of
safe to unsafe failures, the main output of FMEDA, determines, together with the failure rate,
whether an SIL can be achieved or not.

Here, then, was a method which could underpin or even supersede the engineering judgement
on which design engineers had previously been relying to ensure the safety of their products.
The ISO26262 standard, developed in the middle of the first decade of this century, took the application of safety design processes a step further. In many respects it follows the IEC61508 standard,
but with the difference that it is specifically focussed on automotive electronics and software.
Quantities such as the safe failure ratio, applied in the IEC standard, were replaced by more complex metrics which additionally take latent failures into account (that is, failures which are dependent on
the occurrence of direct failures). The safety integrity level specifications were renamed ASIL (Automotive Safety Integrity Level), and their conditions were changed slightly.
New requirements for the development process were also introduced: in particular, a safety manager for each IC under development must conceive, validate and document the safety methodology
underlying the IC's design.
How ISO26262 is being applied today
The specifications for automotive safety ICs laid down by car manufacturers now in most cases
include a reference to the ISO26262 standard. Often, however, the SIL is defined for the electronic
module (such as an accelerator pedal or electronic control unit) of which the IC is a component,
rather than for the IC itself.
The ISO standard defines the specifications at a system level (for instance, two redundant systems
with an ASIL B rating are equivalent to an ASIL D), but deriving safety goals for an IC from the safety specifications of a module remains difficult.
Furthermore, specifying an ASIL for the IC in isolation, in addition to an ASIL for the module or system, might lead to the design of extra diagnosis features which will increase chip size and test time,
and therefore increase cost, without improving safety.
This means it is important to consider the diagnosis capabilities of the host system carefully. For
example, in crash avoidance systems that use a laser to detect other cars, a camera can be used in
parallel to check the plausibility of the output of the system. This would enable the ASIL level for the
system's main IC to be lowered, which would in turn reduce its cost.
Generally speaking, in fact, car makers will not pay component suppliers more for increasing the
safety level of features in their cars. This means that suppliers must make an intelligent and lean
implementation of their parts' safety requirements.

Example of application of ISO26262

So how in practice does the implementation of ISO26262 affect the design and operation of an automotive IC? This is best illustrated by reference to an application example.
Electronic technology has become more prevalent in braking systems with the proliferation of hybrid
cars that recover electrical energy in braking. Precise measurement of the brake pedal's position
within its travel enables an ECU to decide whether to use the electric motor to brake the car, or the
conventional mechanical brakes.
A typical safety requirement for this application is ASIL B. Since there is no parallel, redundant
method for sensing brake position, the IC itself has to meet the requirements of ASIL B.
The latest generation of hybrid vehicles use a magnetic Hall-effect position sensor ASIC to measure
the position of a ring magnet affixed to the brake pedal mechanism. Advanced position sensors use
a 3D Hall sensor array which can measure magnetic fields both in the plane of the IC and perpendicular to it (see Figure 1).

Fig 1: position sensing with a 3D Hall sensor. (1) centre position of the magnet (2) off-centre position

Centred over the IC, the magnetic field is strongest in the same plane as the IC, whereas the field
perpendicular to the IC is almost zero. At an off-centre position, the situation reverses: the field in
the IC's plane is near to zero, whereas the perpendicular field reaches its maximum. Thus moving
the brake pedal and magnet from left to right yields a cosine for the in-plane field and a sine for the
perpendicular field. These signals can be used to calculate the position using an ARCTAN function.

Since all the fields diminish to zero in the extreme off-centre position, linearisation is required for the
outer positions to be measured precisely. Linearisation data is stored in an on-chip EEPROM (see
Figure 2).

Fig 2: simplified block diagram of a brake pedal position sensor ASIC from ams

Once the architecture of such an IC, the core technology and its function are clear, and the functional blocks are defined, work on the FMEDA can begin.
ASIL B requires a failure rate of <100 FIT and a single-point fault metric of 90%. FIT (Failure in
Time) is a unit for measuring reliability: 1 FIT = 1 failure in 1 billion hours of operation. The FIT rate
is a function of the wafer fabrication process technology used, the IC area and operating temperature, and can thus be calculated for the operating conditions of any given application.
Each block of the IC is analysed in turn in terms of its failure modes and the effect of failures. Consider for example a common functional block in analog and mixed-signal ICs: an amplifier. The engineer must consider those parameters which determine the amplifier's performance, such as gain,
offset and stability. Gain could fall below its specified value, causing the amplifier to fail completely,
or it could rise above its specified value, leading to measurement errors. A similar analysis of the
ways in which stability, offset and other parameters could be compromised must also be carried out,
and the probability of failure (based on the FIT rate calculation described above) determined.
All of the failure modes will then be assessed for their impact on the specified safety level (whether
the failure mode in itself is safety-critical or not). For any of the failure modes, a check is performed
to determine whether one or more of the existing diagnosis features can detect the failure and bring
the system to a safe state, for instance by switching the output to a signal failure band. Standard
diagnosis features in a magnetic position sensor will include:

- Measurement of the external and internally-generated supply voltages, providing a warning flag and eventually a reset if preset thresholds are breached
- Memory integrity check at start-up
- Secure communication by CRC or parity bit

The analysis is weighted by the area of the block under investigation, taking into account that failures are equally likely to be triggered at any location during normal operation. Large blocks therefore require proportionately more lengthy examination.
The output of the analysis of any one block is a ratio of the FIT rate for that block, and a residual
FIT rate for the dangerous and undetected (DU) faults. Summing up this analysis over all blocks
leads to the safe failure fraction (SFF). (ISO26262 uses the term single-point fault metric):
SFF = safe faults/(safe plus DU faults)

Block FIT rate: 1,54 FIT | Area share: 0,51 mm2

Failure mode | Effect | FIT split | Safety relevant | FIT rate associated to block | Diagnostic coverage | FIT rate dangerous failures (SPF) | Latent failures | Diagnostics | Residual faults
Regulation loop fail | output voltage too high | 40% | 100,00% | 0,62 | 90% | 0,62 | 0,06 | Regulation loop fault detection | 0,062
Regulation loop fail | output voltage too low | 40% | 100,00% | 0,62 | 99% | 0,62 | 0,01 | V33 UnderVoltage detector | 0,006

Fig 3: simplified FMEDA example for one block. The total FIT rate of the block is 1,54 FIT according to its share of total die
area. The dangerous and undetected FIT rate is 0,062+0,006 FIT (column: residual faults). Thus the metric for this isolated
block would be 1-(0,006+0,062)/1,54 = 95%.
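The block-by-block arithmetic described above (FIT split, diagnostic coverage, residual dangerous-undetected FIT, single-point fault metric) as an added worked example; it is not ams code. It takes the figures of Fig 3 as input, and the ASIL B limits are the ones quoted on this page.

```python
# Added example: FMEDA single-point fault metric for one block, using the
# figures from Fig 3 (block FIT 1,54; two failure modes at 40% split each,
# diagnostic coverage 90% and 99%). Constructed helper, not ams code.
from dataclasses import dataclass

ASIL_B_MAX_FIT = 100.0   # failure-rate requirement quoted on the page
ASIL_B_MIN_SPFM = 0.90   # single-point fault metric requirement


@dataclass
class FailureMode:
    name: str
    fit_split: float        # share of the block FIT falling to this mode
    safety_relevant: float  # share of that FIT that is dangerous
    diag_coverage: float    # fraction detected by a diagnostic feature


def block_residual(block_fit, modes):
    """Return (dangerous FIT, dangerous-undetected FIT) for one block."""
    dangerous = 0.0
    residual = 0.0
    for m in modes:
        d = block_fit * m.fit_split * m.safety_relevant
        dangerous += d
        residual += d * (1.0 - m.diag_coverage)   # undetected share
    return dangerous, residual


def spf_metric(blocks):
    """blocks: list of (block_fit, [FailureMode]); returns (total FIT, SPFM).

    SPFM = 1 - (sum of residual DU faults) / (total FIT), as in the Fig 3 caption.
    """
    total = sum(b for b, _ in blocks)
    du = sum(block_residual(b, ms)[1] for b, ms in blocks)
    return total, 1.0 - du / total


def meets_asil_b(blocks):
    """Both conditions from the page: FIT < 100 and SPFM >= 90 %."""
    total, spfm = spf_metric(blocks)
    return total < ASIL_B_MAX_FIT and spfm >= ASIL_B_MIN_SPFM


# The regulation-loop block of Fig 3 (values from the page).
REGULATOR = (1.54, [
    FailureMode("output voltage too high", 0.40, 1.0, 0.90),
    FailureMode("output voltage too low", 0.40, 1.0, 0.99),
])
```

Feeding every block of the die into `spf_metric` gives the chip-level metric; the single-block figure here only reproduces the 95% of Fig 3.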

The method seems formal, which might explain why many engineers have been reluctant to follow
this approach! But on the other hand, the method takes the probability of faults into account by
weighting attention towards the large blocks with a high failure rate. This provides a kind of ranking
which raises the quality of the analysis far higher than pure engineering judgment can possibly
achieve. (It should, however, be noted that engineering judgement alone informs the block analysis
which underlies the entire FMEDA process.)

When FMEDA was implemented by ams on the position sensor shown in Figure 2, the result of the
first iteration revealed that a large share of the dangerous and undetected faults originated from the
EEPROM and the signal path from the Hall sensor to the CORDIC processing unit, a path that
occupies a relatively large area of the die.
Furthermore, faults in the protected high-current output driver could not be diagnosed, contributing
a large proportion of the undetected faults.
As a result, monitoring and diagnosis features were implemented, features that would not have
been added had ams not carried out the FMEDA process:

- Continuous EEPROM content check, through calculation of the CRC and comparison with a reference CRC
- Magnetic self-test of the signal-processing chain. A micro-coil is employed to generate a test magnetic field. The test measurement is scheduled in the main measurement cycle. The resulting output is compared with a stored value.
- Read-back of the status of the output drivers using a comparator.

If a failure is detected, the output is switched to a failure band (1-4% PWM duty cycle).
These features, together with many others implemented during the development of the device, have
resulted in a successful ASIC which boasts a single-point fault metric of 90%, and which is thus
qualified for ASIL B.
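The following added example (not ams code) ties together the ARCTAN position calculation from Figure 1 and the three diagnosis features listed above: the position is computed from the in-plane and perpendicular fields, and the output is forced into the failure band if the EEPROM CRC, the coil self-test or the driver read-back fails. The pedal travel range, the normal duty-cycle band and the tolerances are constructed assumptions.

```python
# Added example, not ams code: position from 3D Hall fields plus the
# EEPROM CRC check, magnetic self-test and driver read-back, with the
# output switched to the 1-4 % PWM failure band on any detected failure.
import math
import zlib

FAILURE_BAND_DUTY = 0.02    # inside the 1-4 % failure band quoted on the page
NORMAL_DUTY = (0.10, 0.90)  # constructed normal-operation duty-cycle band
PEDAL_TRAVEL_DEG = 90.0     # constructed: pedal maps to +/-90 degrees


def position_from_fields(b_inplane, b_perp):
    """ARCTAN of the sine (perpendicular) over the cosine (in-plane) field."""
    return math.degrees(math.atan2(b_perp, b_inplane))


def reference_crc(content: bytes) -> int:
    """CRC stored alongside the linearisation data at programming time."""
    return zlib.crc32(content)


def eeprom_ok(content: bytes, ref_crc: int) -> bool:
    """Continuous EEPROM check: recompute the CRC and compare with the reference."""
    return zlib.crc32(content) == ref_crc


def self_test_ok(measured_with_coil, stored_value, tolerance=0.05):
    """Magnetic self-test: signal-chain output under the coil field vs stored value."""
    return abs(measured_with_coil - stored_value) <= tolerance * abs(stored_value)


def driver_ok(commanded_level, read_back_level):
    """Comparator read-back of the output driver must match what was commanded."""
    return commanded_level == read_back_level


def output_duty(position_deg, eeprom, ref_crc, coil_meas, coil_ref, drv_cmd, drv_rb):
    """PWM duty for the measured position, or the failure band if any check fails."""
    if not (eeprom_ok(eeprom, ref_crc)
            and self_test_ok(coil_meas, coil_ref)
            and driver_ok(drv_cmd, drv_rb)):
        return FAILURE_BAND_DUTY
    lo, hi = NORMAL_DUTY
    frac = (position_deg + PEDAL_TRAVEL_DEG) / (2 * PEDAL_TRAVEL_DEG)
    return lo + (hi - lo) * min(max(frac, 0.0), 1.0)
```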
Conclusion
Development and design according to ISO26262 is becoming a standard requirement for ICs for
automotive safety applications. The use of the FMEDA helps development teams to focus on those
IC functional blocks with the highest failure rates and largest chip area, a contrast with traditional
design-for-safety methods which relied much more on engineers' judgement. Close collaboration
between the IC developer and the user, for instance by using diagnosis functions external to the
chip to support the IC's operation, supports the more cost-effective implementation of safety features.
For further information
ams AG
Tel: +43 (0) 3136 500
info@ams.com
www.ams.com