Every engineer I know follows NASA, its space programs and its aeronautics and aerospace research, and secretly longs to work on mission-critical systems.
Such an engineer may now have found one. The latest mission-critical challenge is automotive electronics, and its appeal is irresistible. Engineers who previously designed consumer electronic devices such as smartphones and digital cameras are steering themselves toward the semiconductor companies driving the autonomous-vehicle trend. It is an exciting new field filled with enormous promise and gigantic challenges suited to clever, inquisitive engineers.
What engineers moving into this area often don't realize is that while their skills are transferable, they also need to develop a whole new set of skills. A specialized skillset is nothing new. Mission-critical systems engineers have long grappled with verifiable functional safety and reliability of their designs, something a smartphone designer wouldn't prioritize; he or she would instead have a specialized skillset for managing the multi-app congestion of a smartphone.
The automotive sector, driven in large part by the explosive growth of Advanced Driver Assistance Systems (ADAS), is going through a particularly critical phase of defining a safety process for a smarter and safer driving experience. That means an understanding of the ISO 26262 standard is critical. It mandates traceable and documented design and verification methodologies backed up by quantitative measures of failure rates of the underlying hardware. For an engineer in automotive electronics, mastery of the standard, of functional safety and of the supporting tool flows is a must.
Design tool providers offer a variety of safety analysis and hardening techniques for automotive functional safety. Some support traceability and related front-end flows, while others improve their simulation capabilities for "fault-campaign" methodologies. Meanwhile, a few companies offer custom circuit intellectual property (IP) and techniques so designs meet the Automotive Safety Integrity Level (ASIL) criteria. All are useful efforts, but piecemeal. What a mission-critical systems engineer needs instead is an automated end-to-end flow that takes the guesswork out of functional safety. A design should be able to go from safety requirements analysis through functional analysis, hardening and a fault-injection campaign to produce auditable and verifiable collateral that lets the system obtain its required ASIL certification.
Consider the real-world example of an Asian electronics major whose CMOS imaging modules are well known for providing the stunning pictures in some of the leading smartphone brands in the world today. While the camera module, with its 16K+ resolution, HDR support, low-light capabilities and MIPI CSI-3 interface, is an impressive feat, deploying that technology into a car-vision system while meeting the required ASIL B or C rating poses a few challenges.
Defined as the "absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems," functional safety is embodied in the multi-part ISO 26262 specification (ten parts in the 2011 edition, twelve in the 2018 edition) covering the lifecycle of automotive electronics. The engineer is expected to retool his or her process flow to demonstrate the resilience of the design to systematic faults. For probabilistic random hardware failures, the standard specifies precise metrics that form the basis for the all-important ASIL classifications. Here is where a tool-based approach returns dividends in the form of repeatable and demonstrable results.
Step one is to evaluate the legacy design from a safety perspective. The goal is to meet the maximum failure rate (expressed in FIT, failures per 10^9 device-hours) allowed for the design's ASIL target and the minimum coverage against random failures mandated by the standard: the single-point fault metric (SPFM), the latent fault metric (LFM) and the probabilistic metric for random hardware failures (PMHF). Arriving at these numbers combines design knowledge, failure-rate data for the process and package, and architectural use-case input.
The resulting gap analysis forms the basis for the next stage, safety hardening. Sensor control inputs, algorithmic stages or even the CSI module controller may be placed under the oversight of a safety mechanism. Simple hardware options include adding error-correcting codes or parity bits. More complex mechanisms, such as duplicating entire portions of logic with comparison logic, watchdog timers for runaway code, or thresholding algorithms, are tricks of the safety trade that a transitioning engineer is expected to master. Hand optimization is possible, but tool-driven insertion of safety mechanisms is an increasingly popular trend in the automotive industry.
The final press on the accelerator is to demonstrate the resilience of the sensor module to random failures, typically by injecting faults into critical portions of the design with a fault-injection tool. Multiple options are on the market, but scalability and ease of use remain open problems. Whereas functional verification checks one design against one reference to expose systematic design flaws, safety verification takes that design and injects faults at each safety-critical node in turn, exploding the verification state space by orders of magnitude. Innovative fault-propagation tools are coming online that address this problem. Add to that the process-centric challenges of requirements tracking, training, qualification of engineers and tools, and process management.
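The three steps above (metric-based gap analysis, hardening, fault-injection campaign) can be shown end to end on a toy design. The following is an added example in Python, not code from the article or from any vendor's tool: an exhaustive single stuck-at fault campaign on a constructed 8-bit register guarded by a parity check, classifying each fault as residual, detected, latent or safe; the measured diagnostic coverage then feeds the ISO 26262-5 Annex C hardware metrics (SPFM, LFM, and a simplified PMHF that neglects the dual-point term) for a constructed block list, which is compared with the Part 5 targets for ASIL B, C and D. The block names, FIT values, coverage figures and stimulus vectors are all assumptions made for illustration; only the metric formulas and targets come from the standard.

```python
from dataclasses import dataclass

WIDTH = 8          # data bits; stored index WIDTH is the parity bit
CMP = "cmp"        # fault site for the parity comparator output


def parity(bits):
    """Even parity of a list of 0/1 values."""
    return sum(bits) % 2


def protected_register(data_in, *faults):
    """Constructed 8-bit register plus parity bit, with zero or more stuck-at faults.

    A fault is (site, stuck_value): site 0..7 is a data bit, 8 the parity bit,
    CMP the comparator output. Returns (data_out, parity_error_flag).
    """
    bits = [(data_in >> i) & 1 for i in range(WIDTH)]
    stored = bits + [parity(bits)]
    for site, val in faults:
        if site != CMP:
            stored[site] = val                     # corrupt the stored bit
    data_out = sum(b << i for i, b in enumerate(stored[:WIDTH]))
    # Safety mechanism: recompute parity on read and compare with the stored bit.
    flag = parity(stored[:WIDTH]) != stored[WIDTH]
    for site, val in faults:
        if site == CMP:
            flag = bool(val)                       # comparator output stuck
    return data_out, flag


DATA_FAULTS = [(i, v) for i in range(WIDTH) for v in (0, 1)]
ALL_FAULTS = DATA_FAULTS + [(WIDTH, v) for v in (0, 1)] + [(CMP, v) for v in (0, 1)]
# Constructed stimulus: every bit seen at 0 and 1, both parities represented.
VECTORS = [0x00, 0xFF, 0xAA, 0x55, 0x01, 0xFE]


def classify(fault, vectors=VECTORS):
    """Return (fault_class, can_corrupt_output) for one injected fault."""
    corrupts = flagged = unflagged_corruption = False
    for d in vectors:
        golden, _ = protected_register(d)
        out, flag = protected_register(d, fault)
        if out != golden:
            corrupts = True
            if flag:
                flagged = True
            else:
                unflagged_corruption = True
        elif flag:
            flagged = True
    if unflagged_corruption:
        return "residual", corrupts     # corrupts output and escapes the mechanism
    if flagged:
        return "detected", corrupts     # mechanism reacts, safe state reachable
    # No visible effect on its own: does it silently disable the mechanism?
    # If a second (data) fault now escapes, this is a latent multiple-point fault.
    for data_fault in DATA_FAULTS:
        for d in vectors:
            golden, _ = protected_register(d)
            out, flag = protected_register(d, fault, data_fault)
            if out != golden and not flag:
                return "latent", corrupts
    return "safe", corrupts


def fault_campaign(vectors=VECTORS):
    """Inject every single stuck-at fault; return class counts plus the
    diagnostic coverage over faults that can corrupt the output."""
    counts = {"residual": 0, "detected": 0, "latent": 0, "safe": 0}
    dangerous = dangerous_detected = 0
    for fault in ALL_FAULTS:
        cls, corrupts = classify(fault, vectors)
        counts[cls] += 1
        if corrupts:
            dangerous += 1
            dangerous_detected += 1 if cls == "detected" else 0
    counts["dc"] = dangerous_detected / dangerous if dangerous else 0.0
    return counts


@dataclass
class Block:
    name: str
    fit: float      # base failure rate in FIT (constructed value)
    dc_spf: float   # diagnostic coverage against single-point/residual faults
    dc_lf: float    # coverage of latent faults, e.g. by a periodic self-test


def hardware_metrics(blocks):
    """ISO 26262-5 Annex C metrics. Per block: lambda_RF = fit*(1-dc_spf),
    lambda_MPF_L = (fit-lambda_RF)*(1-dc_lf). SPFM = 1-sum(RF)/sum(fit),
    LFM = 1-sum(MPF_L)/sum(fit-RF), PMHF ~ sum(RF) (dual-point term neglected)."""
    total = sum(b.fit for b in blocks)
    rf = sum(b.fit * (1 - b.dc_spf) for b in blocks)
    mpf_l = sum((b.fit - b.fit * (1 - b.dc_spf)) * (1 - b.dc_lf) for b in blocks)
    return {"spfm": 1 - rf / total, "lfm": 1 - mpf_l / (total - rf), "pmhf_fit": rf}


# ISO 26262-5 targets per ASIL: (min SPFM, min LFM, max PMHF in FIT).
TARGETS = {"B": (0.90, 0.60, 100.0), "C": (0.97, 0.80, 100.0), "D": (0.99, 0.90, 10.0)}


def achieved_asil(m):
    """Highest ASIL whose three targets are all met, or None (QM only)."""
    best = None
    for asil, (spfm, lfm, pmhf) in TARGETS.items():
        if m["spfm"] >= spfm and m["lfm"] >= lfm and m["pmhf_fit"] < pmhf:
            best = asil
    return best


if __name__ == "__main__":
    camp = fault_campaign()
    print("fault campaign:", camp)
    # Step 1, gap analysis of the legacy design: sensor_if has no safety mechanism.
    legacy = [Block("pixel_pipe", 40.0, camp["dc"], 0.7),
              Block("csi_ctrl", 25.0, 0.90, 0.7),
              Block("sensor_if", 10.0, 0.0, 0.7)]
    m = hardware_metrics(legacy)
    print("legacy:", m, "->", achieved_asil(m))
    # Step 2, hardening: give sensor_if a mechanism with 90 % coverage and re-run.
    hardened = legacy[:2] + [Block("sensor_if", 10.0, 0.90, 0.7)]
    m = hardware_metrics(hardened)
    print("hardened:", m, "->", achieved_asil(m))
```

Two things the numbers alone do not say: the campaign reports the comparator stuck-at-0 as latent, the kind of fault in the safety mechanism itself that only a self-test or watchdog (the hardening options named above) can cover, which is why dc_lf is well below 1; and the stimulus matters, since without the odd-parity vectors 0x01 and 0xFE the parity-bit faults would go unobserved and be misclassified as safe. On the constructed block list the unprotected sensor interface alone pulls SPFM below the ASIL B floor; adding a 90 % mechanism reaches ASIL B but not C, which is exactly the gap a second hardening iteration would have to close.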
A solid understanding of tool-driven safety will go a long way toward easing the transition of a newly minted safety engineer from a non-mission-critical application segment.
Welcome to automotive electronics, this era’s mission-critical challenge!