1. Introduction

    The goals for automotive electronics are zero defective parts per million (0 DPPM) and safe operation during the expected lifetime of the vehicle. The ISO 26262 standard provides procedures and metrics, required before delivery, to ensure that systems can be expected to operate without unreasonable risk.

    Different functions have different safety needs. ISO 26262 specifies automotive safety integrity levels (ASILs) A, B, C, and D for different systems within vehicles, with D being the most stringent. For example, systems that affect steering and braking require ASIL D. The primary approach to ensuring safety is, firstly, to minimize the likelihood of failure and, secondly, to design the system so that when a function within it fails, the system fails safely.

    For circuits, ISO 26262 specifies metrics, and minimum values for those metrics, that are design requirements. Since the focus of the standard is minimizing the likelihood of unsafe failures, the likelihood of each fault/defect must be estimated in order to compute these metrics.

    ISO 26262 Metrics

    A “safety mechanism” in ISO 26262 terminology is a technical solution that monitors, tests for, or controls faults in a safety-related function in order to assert or maintain a safe state. It could be a digital built-in self-test (BIST) that runs scan tests on logic circuitry during power-up, or an analog voltage monitor that continuously checks whether a voltage regulator’s output is within its specified range. For example, if a safety-related function of a regulator is the delivery of a supply voltage between 4.5 and 5.5 volts, a pair of comparators and a bandgap reference voltage could continuously monitor that the voltage is within that range. Since the comparators themselves could fail, a BIST is usually implemented for them too. A fault is deemed ‘tolerated’ if it does not lead to the system failing a safety-related specification, or if a safety mechanism detects the fault and activates a safe state of the system.

    • In electronic circuits, “defect” typically means an observable random flaw, such as a short, open, or extreme variation caused during manufacture, or by stress (physical, electrical, or thermal), or by aging. “Fault” means a low-level circuit block not meeting one of its performance specifications, for any reason (including defects and intermittent events such as alpha particles); for example, a flip-flop output stuck-at-1 or an unstable amplifier. ISO 26262 only discusses faults, but within ICs it is also common to speak of defects. In this paper, both terms will be used.

    The single point fault metric (SPFM) is the likelihood-weighted percentage of potential single defects that can be tolerated. To measure this metric, DefectSim injects a single fault or defect at a time and monitors whether a safety-related function fails. The probabilistic metric for random hardware failures (PMHF) is a failure rate target for single point and residual (untolerated) faults. For ASIL D, the target is to have less than one failure per hundred million hours of operation. For IC technologies that do not inherently have that level of reliability, safety mechanisms can be added to achieve it.
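    The following is an added illustration, not code from the paper or from DefectSim: a toy fault-injection model of the window-comparator voltage monitor described above, injecting one fault at a time and computing SPFM and a PMHF-style failure rate from assumed FIT values. The circuit model, fault list and FIT rates are constructed sample values.

```python
"""Constructed single-fault injection model of a regulator plus window-comparator
monitor with comparator BIST. A fault is tolerated if the supply stays within its
4.5-5.5 V specification or the monitor forces the safe state. All FIT values are
assumed sample numbers, not measured data."""
from dataclasses import dataclass

V_MIN, V_MAX = 4.5, 5.5        # safety-related specification of the regulator
FIT_PER_HOUR = 1e-9            # 1 FIT = one failure per 1e9 hours of operation

@dataclass
class Circuit:
    v_out: float = 5.0         # regulator output before reference error
    ref_scale: float = 1.0     # bandgap error shared by regulator and comparators
    cmp_low_ok: bool = True    # 'v < V_MIN' comparator functional?
    cmp_high_ok: bool = True   # 'v > V_MAX' comparator functional?
    bist_ok: bool = True       # comparator BIST functional?

    def regulated(self) -> float:
        return self.v_out * self.ref_scale

    def spec_met(self) -> bool:
        return V_MIN <= self.regulated() <= V_MAX

    def safe_state_asserted(self) -> bool:
        v = self.regulated()   # comparator thresholds track the same reference
        low_trip = self.cmp_low_ok and v < V_MIN * self.ref_scale
        high_trip = self.cmp_high_ok and v > V_MAX * self.ref_scale
        bist_trip = self.bist_ok and not (self.cmp_low_ok and self.cmp_high_ok)
        return low_trip or high_trip or bist_trip

# Constructed fault list: (name, FIT, mutator applied to a fresh circuit)
FAULTS = [
    ("regulator output high (6.2 V)", 4.0, lambda c: setattr(c, "v_out", 6.2)),
    ("regulator output low (3.9 V)", 4.0, lambda c: setattr(c, "v_out", 3.9)),
    ("high comparator stuck", 1.0, lambda c: setattr(c, "cmp_high_ok", False)),
    ("low comparator stuck", 1.0, lambda c: setattr(c, "cmp_low_ok", False)),
    ("BIST stuck passing", 0.5, lambda c: setattr(c, "bist_ok", False)),
    ("reference drift within spec", 2.0, lambda c: setattr(c, "v_out", 5.4)),
    ("shared bandgap +20%", 3.0, lambda c: setattr(c, "ref_scale", 1.2)),
]

def tolerated(inject) -> bool:
    c = Circuit()
    inject(c)                  # inject exactly one fault
    return c.spec_met() or c.safe_state_asserted()

def untolerated_faults(faults=FAULTS):
    return [name for name, _, inj in faults if not tolerated(inj)]

def spfm_and_pmhf(faults=FAULTS):
    total = sum(fit for _, fit, _ in faults)
    bad = sum(fit for _, fit, inj in faults if not tolerated(inj))
    return 1.0 - bad / total, bad * FIT_PER_HOUR   # SPFM, failures per hour

def pmhf_within_asil_d_target(pmhf: float) -> bool:
    return pmhf < 1e-8         # less than one failure per hundred million hours
```

    The shared-bandgap fault is the instructive case: regulator output and both comparator thresholds drift together, so the monitor never trips and the fault counts against SPFM and PMHF.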

  2. Download Paper