Why automotive safety starts with component design
We recently caught up with our friends at ON Semiconductor, who are looking forward to a major presence at AutoSens with an exhibition stand and speaker slot. We spoke to one of the AutoSens conference’s guest speakers – Michael Brading, Technology Strategist, and his colleague Kenneth Boorom, Functional Safety Manager at the company’s facility in Corvallis, Oregon.
It seemed fitting to focus on the ISO standard which underpins the company’s dedication to safety standards in component design, as that’s the focus of Michael’s conference session at AutoSens.
ISO 26262, the standard describing Functional Safety for Road Vehicles (A short guide to ISO 26262 is also available on Wikipedia), provides an organizational bible for a robust methodology which pushes the boundaries of electronic systems and components within the various industries served by the company.
Why is ISO 26262 important and relevant to ON Semiconductor?
“The two main reasons are that it assists us in having an industry standard focus on both random hardware failures (caused by anomalous events, such as the impact of cosmic rays) and normal wear of the integrated circuit. Additionally, it really provides a great structure to help us design the system, to find systemic but nominal differences in how the components behave.
With integrated circuits that go into an automotive product, especially high-reliability ones, it’s necessary to consider that several thousand failure possibilities are present at any moment. That becomes especially important in systems with millions of components, like a large server farm, or cars, where a failure might trigger a catastrophic event.”
“This ISO standard gives us a state-of-the-art structure for safe operation of a system. We’re building systems that save lives and that helps to make ON Semiconductor a great place to work.”
Can you describe some system trends that are leading to the demand for greater safety requirements?
“More and more image sensors are going into vehicles, covering applications from backup-cameras to pedestrian detection and lane keeping. Combining that mix of signals into an integrated single system is a challenge.”
Why is ISO 26262 implemented in image sensors?
ON Semiconductor has developed a deep technical understanding and knowledge of CMOS image sensors. But like most types of electrical circuit, CMOS chips have weaknesses.
“One example of a failure mode that we have identified is concerned with the readout mechanism. CMOS sensors are essentially designed around a CMOS memory architecture. The data flows off the chip one row at a time and that means that these can be susceptible to duplication – at first glance, the visual output might seem OK, but the net effect is that an error on multiple rows might obscure an object in the field of view.”
In this illustration, a row address aliasing fault can lead to a failure in which the full scene is replaced by a subset of the scene replicated several times, creating an image of a road which does not include the vehicle ahead.
“It’s necessary to use bit-accurate sensor model simulations to effectively understand the failures we’re interested in, particularly in the design of high reliability systems.
The safety design process, common in industry and also established within ISO 26262, helps us find the problems that otherwise might not be detectable: A defect invisible to the human eye could upset the behavior of an algorithm. And critically, a defect in the behavior of an algorithm could impact the resulting data.”
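The row address aliasing fault described above can be reproduced in a small simulation. This is an added example, not ON Semiconductor's code: the stuck-at-0 address-bit fault model, the constructed 8-row scene and the embedded row-tag check are all assumptions made for illustration.

```python
ROWS, COLS = 8, 6          # constructed 8-row frame, 3-bit row address
VEHICLE = 9                # constructed pixel value marking the vehicle ahead

def make_scene():
    """Constructed scene: empty road (0) with a vehicle in rows 5-6."""
    scene = [[0] * COLS for _ in range(ROWS)]
    for r in (5, 6):
        for c in (2, 3):
            scene[r][c] = VEHICLE
    return scene

def read_out(scene, stuck_at_zero=0):
    """Read the frame one row at a time.

    Assumed fault model: address bits in `stuck_at_zero` are forced to 0,
    so requesting row r actually selects row r & ~stuck_at_zero.
    Assumed safety mechanism: each physical row carries its own index as a
    tag, so the tag follows the row that was really selected.
    """
    frame = []
    for requested in range(ROWS):
        selected = requested & ~stuck_at_zero
        frame.append((selected, list(scene[selected])))
    return frame

def aliased_rows(frame):
    """Output positions whose embedded tag disagrees with the position."""
    return [pos for pos, (tag, _) in enumerate(frame) if tag != pos]

def vehicle_visible(frame):
    """True if any row of the read-out frame still contains the vehicle."""
    return any(VEHICLE in pixels for _, pixels in frame)

if __name__ == "__main__":
    scene = make_scene()
    for label, mask in (("healthy", 0b000), ("bits 1-2 stuck at 0", 0b110)):
        frame = read_out(scene, mask)
        print(label, "| vehicle visible:", vehicle_visible(frame),
              "| aliased rows:", aliased_rows(frame))
```

The faulty frame is a plausible-looking empty road made of rows 0 and 1 repeated four times, so only the tag comparison reveals that the vehicle has been dropped.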
How can you be sure these safety mechanisms are appropriate and provide the necessary coverage?
“ISO 26262 is a detailed process which evolved from medical and aerospace systems and that’s driven how we have worked for decades, eliminating single point faults.”
Within ISO 26262, risk is classified with a system referred to as the Automotive Safety Integrity Level (ASIL), which assesses the risk of an incident occurring within the system, based on factors of severity, likelihood and controllability. In short, a risk matrix.
“System requirements are much more exacting for an ASIL-D application, such as an autonomous vehicle, than they are for a backup camera, which might be classified as ASIL-A or B.”
Tell us about some component failures that couldn’t normally be detected?
Image sensor safety mechanisms that ON Semiconductor provides in support of the ISO 26262 design process can detect some random hardware failures which can result in image quality degradation, such as that shown here, where a ‘bit flip’ in the design signal timing produces noise in the second image.
Typical street-view scene, including a stop sign – this image does not exhibit any unexpected noise artefacts. The image is slightly distorted from use of a wide-angle lens in front of the sensor.
Why are you getting involved in AutoSens?
“Quality. Our customers and OEMs will be there, it’s going to be an important industry forum and will help us meet vendors and suppliers in lots of different disciplines.
We’re also part of the IEEE 2020 Working Group – that’s important work because the biggest challenge we face, across the industry, is that we all have a different perspective on the total problem [i.e. multiple systems connecting with one another to achieve a range of outcomes] and that could stand in the way of progress.
The organisers appreciate the problems we must all deal with and are doing something about it – that’s important for everyone in the industry.”
Find out more
We will be delving deeper into all of these areas and a host of extra content at the AutoSens conference, held in September 2016 at AutoWorld in Brussels, Belgium.
Carefully selected experts will discuss the shared challenges, innovation, standardisation and supply chain collaboration involved with the development of the latest ADAS technologies and self-driving cars via panels, presentations and conversations.