Agnisys – Certified Safe for ISO 26262 Design

Agnisys has customers designing all sorts of intellectual property (IP) blocks, application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), and system-on-chip (SoC) devices across a wide range of industries worldwide. We provide specification automation solutions for registers, sequences, testbenches, assertions, standard IP, block interconnection, documentation, and more. Every chip needs these elements, and every chip can benefit from our products. However, designs for certain applications have additional requirements that are also amenable to specification automation.

Safety-critical designs are a prominent example. There are many applications in which a chip failure could lead to catastrophic results. At a minimum, these designs should detect that something has gone wrong and take a safe course of action. If possible, they should continue to operate normally even after a fault occurs. This is especially important for applications such as satellites where repair or replacement of a failed component is difficult or impossible. It’s easy to think of cases in which safe operation in the presence of a fault is critical, including:

• Offensive and defensive weapons systems
• Vehicles for travel over road, track, air, and water
• Nuclear power plants
• Industrial applications where humans are at risk
• Implanted medical devices

For this post, I’d like to focus on road vehicles, especially automobiles. This is the safety-critical application with which everyday users have the most contact. Cars are a particularly challenging environment for electronics, with constant vibration and regular exposure to temperature and humidity extremes. Aging chips can fail, solder joints can break, cables can disconnect, alpha particles can flip memory bits—there’s no shortage of things that can go wrong. Accordingly, in 2011 the industry created a standard to guide the functionally safe design of electrical and electronic systems in road vehicles: ISO 26262.

Functional safety is the technical term for just what I’ve been describing: proper and predictable fault response to avoid catastrophic system failure. For road vehicles, this means that the risk to driver, passengers, pedestrians, and other vehicles is minimized. If a fault can be corrected, a car might continue driving with no effects other than a red light on the dashboard and an entry logged into an onboard computer. If a serious fault is detected but cannot be corrected, the vehicle might slow and glide safely to a stop. Either response avoids damage to property and injury to humans, which is one of the goals of ISO 26262 and related safety standards for other industries.

Automotive electronic chips are among the many different applications targeted by our customers. We’ve had users working on all sorts of interesting designs, from simple controllers to incredibly complex artificial intelligence (AI) processors for self-driving cars. These users have been asking about ISO 26262 for some time, so we launched an investigation. We learned that the standard has many requirements for designing and verifying vehicular electronic systems, and some of these are directly applicable to us. The electronic design automation (EDA) tools used by automotive engineers must be qualified for use in developing functionally safe IP and chips. We also learned that this can be a big effort that consumes significant extra cost and schedule delay on these projects.

Fortunately for users, an EDA vendor can qualify its own tools as suitable for ISO 26262 design and have them certified by an independent testing organization. Such a certification eliminates a lot of work for developers of automotive electronics. They need to take no additional steps to qualify or certify the products used in their flows. Of course, we want to save our customers time and money whenever and however we can, so we embarked on the arduous process of certification by the internationally known testing and inspection organization TÜV SÜD.

I am pleased to announce that TÜV SÜD has certified that the Agnisys software products and development flow have achieved the stringent tool qualification criteria defined by ISO 26262 as well as the related underlying functional safety standard IEC 61508. I think that this is a big deal for both us and our users. We now offer the IDesignSpec™ Tool Qualification Kit (TQK) for developers of IP and chips for automotive applications. They can meet the requirements of the standards and satisfy the demands of their customers who insist that they comply with these requirements. I expect a lot of interest in our TQK as ISO 26262 continues to grow in importance.

I should note that achieving this qualification was not a trivial exercise. TÜV SÜD doesn’t simply hand out certificates to anyone who pays a fee. In accordance with the standard, they conducted a highly detailed, months-long investigation of our tools, our team, and the processes we use to develop our products. This included audits of our product verification and validation flow, quality assurance (QA) procedures, configuration and release management, and even the way that we support users and respond to any reports of issues with our tools. They also evaluated our actual products, resulting in TÜV SÜD certification of our complete IDesignSpec Suite:

• IDS™
  • IDSBatch™
  • IDSExcel™
  • IDSWord™
  • IDSCalc™
• IDS NextGen™ (IDS-NG™)
• ISequenceSpec™ (ISS™)
• ARV™
  • ARV-Sim™
  • ARV-Formal™
  • ARV-C™
• Specta-AV™
• ASVV™
• SoC Enterprise™ (SoC-E™)

In summary, ISO 26262 certification is really important for many users, and I am proud that we have achieved this milestone. If you’re designing safety-critical IP or chips, I think you’ll really appreciate how much work we will save you with our pre-certified tools. To learn more, please visit: https://www.agnisys.com/iso-26262-compliance/ and https://www.agnisys.com/an-update-on-functional-safety-and-iso-26262/