What is ISO 26262?
ISO 26262 is the international standard for functional safety of electrical and electronic systems in road vehicles. It provides a framework for ensuring that automotive systems, including those implemented in FPGAs and ASICs, meet stringent safety requirements throughout their lifecycle.
ISO 26262 Key Concepts
- Functional Safety: Absence of unreasonable risk due to hazards caused by malfunctioning behavior
- ASIL: Automotive Safety Integrity Level (A, B, C, D)
- Safety Lifecycle: Concept through decommissioning
- Hardware Metrics: SPFM, LFM, PMHF
Understanding ASIL Levels
ASIL (Automotive Safety Integrity Level) classifies safety requirements from A (lowest) to D (highest); QM (Quality Management) marks hazards that need no ASIL-specific measures beyond normal quality processes. The metric targets below are those of ISO 26262-5 for random hardware failures:
| ASIL | SPFM | LFM | PMHF (FIT) | Example Application |
|---|---|---|---|---|
| QM | N/A | N/A | N/A | Entertainment system |
| ASIL A | N/A | N/A | No target | Rear light control |
| ASIL B | ≥90% | ≥60% | <100 | Cruise control |
| ASIL C | ≥97% | ≥80% | <100 | Power steering |
| ASIL D | ≥99% | ≥90% | <10 | Braking system, airbag |
Key Metrics Explained:
- SPFM (Single-Point Fault Metric): share of the safety-related failure rate that is neither a single-point fault (no safety mechanism covers it) nor a residual fault (it escapes the mechanism); a high SPFM means few ways for one fault alone to violate the safety goal
- LFM (Latent Fault Metric): share of the remaining, multiple-point failure rate that is detected or perceived in time rather than lying dormant; it is typically credited to BIST and periodic tests of the safety mechanisms themselves
- PMHF (Probabilistic Metric for random Hardware Failures): average probability of violating the safety goal per hour of operation, expressed in FIT (1 FIT = 10^-9 failures per hour)
ISO 26262-5 sets quantitative targets only for ASIL B, C and D; ASIL A and QM have none.
FPGA-Specific Challenges for ISO 26262
FPGAs present unique challenges for functional safety certification:
1. Configuration Memory (CRAM) Errors
SRAM-based FPGAs hold their configuration (LUT contents, routing, I/O settings) in SRAM cells, so a soft error there changes the circuit itself rather than just a data value:
- SEU (Single Event Upset): a radiation-induced flip of one configuration or storage bit
- MBU (Multiple Bit Upset): one particle strike flips several adjacent bits, which can defeat per-bit protection such as simple parity
- Impact: a CRAM upset can change a logic function, reroute a signal or alter an I/O setting, and it persists until the frame is rewritten (scrubbed); unused configuration bits are safe faults, which is why only a fraction of the CRAM failure rate is safety-relevant
2. Tool Chain Qualification
FPGA synthesis, place-and-route and bitstream generation tools must be evaluated per ISO 26262 Part 8 (Clause 11), because an undetected tool error can silently remove or corrupt the safety mechanisms that were designed in:
- Tool Impact (TI1: the tool cannot introduce or fail to detect an error in the safety-related item; TI2: it can)
- Tool error Detection (TD1 to TD3: how likely the surrounding process is to catch a tool error, for example by gate-level simulation or equivalence checking of the implemented netlist)
- Tool Confidence Level (TCL1 to TCL3), derived from TI and TD; TCL1 needs no qualification, while TCL2 and TCL3 require one of the qualification methods (increased confidence from use, evaluation of the development process, validation of the tool, development per a safety standard), with the recommended method depending on the ASIL
3. Verification Completeness
Higher ASIL levels require more rigorous verification; the method tables in ISO 26262-5 and -8 scale their recommendations with ASIL:
- Structural coverage of the RTL (statement, branch, condition/expression, toggle, FSM) plus functional coverage against the safety requirements; MC/DC is the corresponding software-level criterion
- Formal verification (property checking, and equivalence checking of the implemented netlist against the RTL) for safety-critical logic
- Fault injection testing to demonstrate that the safety mechanisms actually detect or mask the faults the FMEDA credits them with
Safety Mechanisms for FPGA Designs
1. Error Detection and Correction
- ECC on Memory: SECDED for internal RAMs
- CRC on Configuration: Detect CRAM corruption
- Parity Checking: For data paths and registers
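As an added example (a Python model written for this page, not RTL from the page or from Vcores), here is the SECDED scheme named above: an extended Hamming code that corrects any single-bit flip in a stored word and flags, without mis-correcting, any double-bit flip. The data width and the constructed test values are assumptions; for 32-bit data the layout yields the 39-bit codeword common on block RAMs.

```python
"""Extended Hamming (SECDED) encode/decode, modelled in Python (illustration only).

Codeword layout, using the classic position numbering:
  bit 0                : overall parity (upgrades SEC to SECDED)
  bits 1, 2, 4, 8, ... : Hamming check bits
  every other position : data bits, LSB first
For 32-bit data this gives the familiar (39,32) code used on many BRAMs.
"""


def _is_pow2(n: int) -> bool:
    return n > 0 and (n & (n - 1)) == 0


def check_bits(data_bits: int) -> int:
    """Smallest r satisfying 2**r >= data_bits + r + 1."""
    r = 0
    while (1 << r) < data_bits + r + 1:
        r += 1
    return r


def codeword_width(data_bits: int) -> int:
    return data_bits + check_bits(data_bits) + 1   # +1 for the overall parity bit


def secded_encode(data: int, data_bits: int) -> int:
    n = data_bits + check_bits(data_bits)          # highest Hamming position
    bits = [0] * (n + 1)
    d = 0
    for pos in range(1, n + 1):                    # scatter data over non-power-of-two positions
        if not _is_pow2(pos):
            bits[pos] = (data >> d) & 1
            d += 1
    for p in range(check_bits(data_bits)):         # check bit 2**p covers positions with bit p set
        cp = 1 << p
        bits[cp] = sum(bits[pos] for pos in range(1, n + 1)
                       if pos & cp and not _is_pow2(pos)) & 1
    bits[0] = sum(bits[1:]) & 1                    # overall parity over the Hamming codeword
    return sum(b << i for i, b in enumerate(bits))


def secded_decode(codeword: int, data_bits: int):
    """Return (data, status); status is 'ok', 'corrected' or 'uncorrectable'.

    syndrome = XOR of the positions of all set bits; 0 when the check bits are
    consistent, otherwise it names the flipped position.
    overall  = parity of the whole word including bit 0; 1 means an odd number
    of flips (a single error), 0 with a non-zero syndrome means two flips.
    """
    n = data_bits + check_bits(data_bits)
    bits = [(codeword >> i) & 1 for i in range(n + 1)]
    syndrome = 0
    for pos in range(1, n + 1):
        if bits[pos]:
            syndrome ^= pos
    overall = sum(bits) & 1
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1 and syndrome <= n:
        bits[syndrome] ^= 1                        # single flip (syndrome 0 => parity bit itself)
        status = "corrected"
    else:
        status = "uncorrectable"                   # double error: report it, never "correct" it
    data, d = 0, 0
    for pos in range(1, n + 1):
        if not _is_pow2(pos):
            data |= bits[pos] << d
            d += 1
    return data, status


if __name__ == "__main__":
    cw = secded_encode(0xB5, 8)                    # constructed 8-bit sample value
    print("clean      :", secded_decode(cw, 8))
    print("1 bit flip :", secded_decode(cw ^ (1 << 6), 8))
    print("2 bit flips:", secded_decode(cw ^ (1 << 3) ^ (1 << 9), 8))
```

The distinction between "corrected" and "uncorrectable" is what the FMEDA credits: single-bit upsets become detected multiple-point faults, while double-bit upsets are detected but must be handled by the safe state, not silently passed on.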
2. Redundancy Techniques
- TMR (Triple Modular Redundancy): three copies with a majority voter; masks any single faulty copy and can flag the disagreement
- DMR (Dual Modular Redundancy): two copies with a comparator; detects a mismatch but cannot tell which copy is right, so it must fall back to a safe state
- Temporal Redundancy: execute the same operation at different times and compare the results; catches transient faults but not permanent ones
3. Self-Test and Monitoring
- BIST (Built-In Self-Test): Periodic logic testing
- Watchdog Timers: Detect stuck or hung conditions
- Alive Signals: Periodic heartbeat between components
TMR Implementation Example
// Triple Modular Redundancy with bitwise majority voting (SystemVerilog).
// in_a, in_b, in_c are the three redundant copies of a WIDTH-bit register.
module tmr_voter #(parameter WIDTH = 8) (
input logic [WIDTH-1:0] in_a,
input logic [WIDTH-1:0] in_b,
input logic [WIDTH-1:0] in_c,
output logic [WIDTH-1:0] out, // majority value, correct if at most one copy is wrong
output logic error // 1 on any disagreement, for logging or to trigger a scrub
);
// Bitwise majority voting: each output bit follows at least two of the three inputs
assign out = (in_a & in_b) | (in_b & in_c) | (in_a & in_c);
// Error detection (any disagreement); in a real design make this flag sticky,
// since a transient upset may be overwritten before software can read it
assign error = (in_a != in_b) | (in_b != in_c) | (in_a != in_c);
// Caveats: the voter is itself a single point of failure (triplicate or monitor it),
// and synthesis will merge the three identical copies unless they carry the
// tool's keep / don't-touch attributes
endmodule
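The fault injection that the verification section calls for, as an added Python model (not code from the page or from Vcores): it reproduces the voter above in software, builds simplex, DMR and TMR copies of a constructed 8-bit register, injects one or two random bit flips, and tallies whether the output stayed correct and whether the mechanism raised a flag. Register width, trial count and seed are assumptions.

```python
"""Fault-injection campaign against simplex, DMR and TMR register models.

Python model for illustration; the TMR voter is the same bitwise majority as
the tmr_voter RTL above. Inject bit flips, then ask two questions: is the
output still correct, and did the mechanism raise a flag?
"""
import random
from collections import Counter

WIDTH = 8                                   # assumed register width
COPIES = {"simplex": 1, "dmr": 2, "tmr": 3}


def tmr_vote(a: int, b: int, c: int) -> int:
    return (a & b) | (b & c) | (a & c)


def tmr_error(a: int, b: int, c: int) -> int:
    return int(a != b or b != c)


def classify(scheme: str, golden: int, copies: list) -> str:
    """masked: output right, no flag | masked_flagged: output right, flag raised
    detected: output wrong, flag raised | silent: output wrong, no flag (the dangerous case)."""
    if scheme == "tmr":
        out, flag = tmr_vote(*copies), tmr_error(*copies)
    elif scheme == "dmr":
        out, flag = copies[0], int(copies[0] != copies[1])   # DMR can compare, not correct
    else:
        out, flag = copies[0], 0
    if out == golden:
        return "masked_flagged" if flag else "masked"
    return "detected" if flag else "silent"


def inject(rng: random.Random, golden: int, ncopies: int, nflips: int) -> list:
    """Flip nflips distinct (copy, bit) locations, starting from identical copies."""
    copies = [golden] * ncopies
    sites = [(i, b) for i in range(ncopies) for b in range(WIDTH)]
    for i, b in rng.sample(sites, nflips):
        copies[i] ^= 1 << b
    return copies


def campaign(scheme: str, nflips: int, trials: int = 2000, seed: int = 1) -> dict:
    """Outcome histogram for `trials` injections of `nflips` flips each."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        golden = rng.getrandbits(WIDTH)
        counts[classify(scheme, golden, inject(rng, golden, COPIES[scheme], nflips))] += 1
    return dict(counts)


if __name__ == "__main__":
    for scheme in COPIES:
        for nflips in (1, 2):
            print(f"{scheme:8s} {nflips} flip(s): {campaign(scheme, nflips)}")
```

Running it shows the shape of the argument an FMEDA has to make: every single flip is masked and flagged by TMR, merely flagged by DMR, and silent in simplex; with two flips, DMR already produces silent corruptions when both land on the same bit position, while TMR still flags every case. The one way to silence this voter is the same bit flipped in all three copies, which is the MBU and common-mode scenario that placement separation of the copies is meant to address.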
FMEDA for FPGA Designs
Failure Modes, Effects, and Diagnostic Analysis (FMEDA) is the worksheet from which the hardware metrics are calculated: every safety-related element gets a failure rate (from the device's reliability data), that rate is split across failure modes, each mode is classified as safe, single-point, residual or multiple-point, and the diagnostic coverage of the mechanism that detects it is credited. Typical FPGA entries:
FPGA Failure Mode Categories
| Failure Mode | Description | Typical Detection |
|---|---|---|
| CRAM SEU | Soft error in configuration memory | Frame CRC/ECC check, readback scrubbing |
| Register SEU | Soft error in flip-flops | TMR, parity, ECC |
| RAM SEU | Soft error in block RAM | ECC, parity |
| I/O Failure | Stuck-at, open, short | Loopback test, monitoring |
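The metric calculation that this table feeds, as an added Python example (not a Vcores tool and not from the page): the element list, failure rates and coverages are constructed for illustration, and the PMHF figure is the first-order approximation (single-point plus residual failure rate) that omits the dual-point terms a full ISO 26262-5 Annex C calculation adds.

```python
"""SPFM, LFM and first-order PMHF from an FMEDA-style element table.

Python model for illustration. The element table is constructed and is not
reliability data for any real device; the formulas follow ISO 26262-5 Annex C.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Element:
    name: str
    lam_fit: float            # total failure rate in FIT (failures per 1e9 hours)
    safe_frac: float          # share of failures with no effect on the safety goal
    dc_rf: Optional[float]    # diagnostic coverage of the safety mechanism (None = none)
    dc_lf: float              # coverage of the latent-fault test of that mechanism


@dataclass
class Split:
    spf: float                # single-point faults (no mechanism at all)
    rf: float                 # residual faults (escaped the mechanism)
    mpf_latent: float         # multiple-point faults no latent-fault test reveals


def split_failure_rate(e: Element) -> Split:
    unsafe = e.lam_fit * (1.0 - e.safe_frac)
    if e.dc_rf is None:
        return Split(spf=unsafe, rf=0.0, mpf_latent=0.0)
    rf = unsafe * (1.0 - e.dc_rf)
    covered = unsafe - rf                 # caught by the mechanism -> needs a 2nd fault
    return Split(spf=0.0, rf=rf, mpf_latent=covered * (1.0 - e.dc_lf))


def hardware_metrics(elements) -> dict:
    total = sum(e.lam_fit for e in elements)          # safe faults stay in the denominator
    splits = [split_failure_rate(e) for e in elements]
    spf_rf = sum(s.spf + s.rf for s in splits)
    latent = sum(s.mpf_latent for s in splits)
    return {
        "SPFM": 1.0 - spf_rf / total,
        "LFM": 1.0 - latent / (total - spf_rf),
        "PMHF_FIT": spf_rf,    # first-order approximation; dual-point terms omitted (assumption)
    }


ASIL_TARGETS = {   # ISO 26262-5 targets: (SPFM, LFM, PMHF in FIT)
    "ASIL D": (0.99, 0.90, 10.0),
    "ASIL C": (0.97, 0.80, 100.0),
    "ASIL B": (0.90, 0.60, 100.0),
}


def highest_asil_met(m: dict) -> str:
    for asil, (spfm, lfm, pmhf) in ASIL_TARGETS.items():   # checked D, C, B in order
        if m["SPFM"] >= spfm and m["LFM"] >= lfm and m["PMHF_FIT"] < pmhf:
            return asil
    return "below ASIL B targets"


def spf_pareto(elements) -> list:
    """Elements ranked by single-point + residual contribution: what to fix first."""
    rows = []
    for e in elements:
        s = split_failure_rate(e)
        rows.append((e.name, s.spf + s.rf))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed example table (not real device data).
ELEMENTS = [
    Element("CRAM (config memory, CRC scrub)", 200.0, 0.5, 0.99, 0.90),
    Element("Control FSM registers (TMR)",      20.0, 0.2, 0.999, 0.90),
    Element("Block RAM (SECDED)",               50.0, 0.3, 0.99, 0.95),
    Element("TMR voter (unmonitored)",           5.0, 0.0, None, 0.0),
    Element("Clock/PLL (clock monitor)",        10.0, 0.1, 0.95, 0.50),
    Element("I/O (loopback test)",              30.0, 0.4, 0.90, 0.60),
]

if __name__ == "__main__":
    m = hardware_metrics(ELEMENTS)
    print(f"SPFM {m['SPFM']:.2%}  LFM {m['LFM']:.2%}  PMHF {m['PMHF_FIT']:.2f} FIT "
          f"-> {highest_asil_met(m)}")
    for name, fit in spf_pareto(ELEMENTS):
        print(f"  {fit:6.3f} FIT  {name}")
```

On the constructed table the design reaches ASIL C on SPFM (about 97.3%), and the Pareto shows why it misses ASIL D: the unmonitored voter, a mere 5 FIT of the 315 FIT total, is the largest single-point contributor, which is the practical reason to monitor or triplicate voters and comparators rather than to chase coverage on the big blocks.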
ISO 26262 Development Process for FPGA
V-Model Lifecycle
- Requirements: Safety goals, functional safety requirements, technical safety requirements
- Architecture: Hardware-software interface, allocation of safety mechanisms to hardware and software
- Design: RTL development with safety features
- Implementation: Synthesis, place and route
- Integration Testing: Hardware-software integration
- Validation: System-level safety validation
Documentation Requirements
- Safety Plan
- Technical Safety Concept
- Hardware Design Specification
- FMEDA Report
- Verification Report with coverage metrics
- Safety Case / Safety Manual
Conclusion
Achieving ISO 26262 compliance for FPGA designs requires careful planning, appropriate safety mechanisms, rigorous verification, and comprehensive documentation. While challenging, it is essential for deploying FPGAs in safety-critical automotive applications.
Vcores provides ISO 26262-compliant IP cores with safety mechanisms, FMEDA documentation, and verification packages ready for integration into automotive ASIL B/C/D designs. Our functional safety expertise helps customers navigate the certification process efficiently.