ISO 26262 is a functional safety standard applied to the development of electrical and/or electronic (E/E) systems in automobiles. It is aimed at reducing risks of physical injury or of damage to the health of people in the event of an unplanned or unexpected hazard. The standard requires that every tool used within the design and verification flow that can either insert errors into the final product or prevent errors from being detected be analyzed within the context of its use in the flow, and qualified if necessary. As our current and prospective customers see the rapid growth of E/E systems in automobiles, they also see the need to comply with the ISO 26262 standard and are looking to IP and EDA vendors for help. Failing to provide customers with acceptable responses to their functional safety needs puts Cadence at risk of being excluded from the respective business opportunities.
In order to justify freedom from unreasonable risk, our customers need to develop a safety argument in which the safety requirements are shown to be complete and satisfied by the evidence generated from the ISO 26262 work products. One customer alone states that the annual spend for developing safety cases for its automotive products is in the millions of dollars. In order to pass a functional safety audit, they need to provide valid safety arguments for the tool chain and development processes used, supported by appropriate evidence that shows that no single failure in any tool could leave an undetected critical flaw in the system. Providing the safety argument and documenting the requisite evidence is challenging for our customers to do without direct help from Cadence.
With respect to EDA tools, in an effort to reduce the complexity, time, and cost associated with tool qualification, Cadence will provide Functional Safety Documentation to our customers, comprised of the following:
- Safety Manual
- Tool Classification Analysis
- Technical Report issued by an independent Functional Safety Auditor
The Safety Manual presents a typical tool-chain sub-flow that could be used for design and/or verification of safety-related products. It describes a base use case; examines input, execution, and output of the software tools; and specifies fault mitigation and/or error detection methods, which drive the specified tool-chain to Tool Confidence Level (TCL) 1. TCL1 reflects the highest confidence that tool malfunctions will not cause violations of safety requirements, and subsequently, no further qualification of the tool-chain would be necessary. Therefore, a tool-chain that evaluates to TCL1 will reduce the complexity, cost, and time required of our customers to certify their work products.
For each of the products described in a Safety Manual, a Tool Classification Analysis (TCA) document is created, which describes an assessment, including typical use cases, and an analysis of possible faults with their corresponding potential impact on functional safety goals. Additionally, the TCA document can describe methods to increase detection of possible faults and provide a rationale for a predetermined tool confidence level. Since a product can be used in more than one tool-chain sub-flow, the TCA document should describe the relevant use cases within each sub-flow, so that a single TCA document can be used for multiple Safety Manuals. In the long run, the goal is to have the majority of Cadence products covered in one or more sub-flows.
The combination of Safety Manual and TCA documents forms the Functional Safety Documentation. In order to reassure our customers that this documentation set is adequate and suitable for use in their safety audit, it is reviewed by an independent Functional Safety Expert/Auditor. The results of this independent review are then documented in a Technical Report, which serves as validation of the fitness for use of the documents in a safety case, and of the suitable uses of the tool-chain for developing safety-related products. Cadence has selected TÜV SÜD to provide this validation. They established a functional safety team more than 30 years ago and have accumulated a strong track record. They participated in the establishment of the ISO 26262 standard and are an internationally accredited ISO 26262 testing body for development tools, development processes, and safety-relevant products or systems.
Automotive development presents a unique challenge in terms of safety, security, and reliability of embedded systems. End-to-end testing for automotive applications is too expensive and too complex. However, the cost of failure should serve as motivation for finding a way to mitigate risks. The Functional Safety Documentation set is one of the ways in which Cadence is helping customers comply with the ISO 26262 standard. For more details about how Cadence supports ISO 26262 qualification, read my white paper, Enabling ISO 26262 Qualification By Using Cadence Tools.
Randal Childers