• ISO 26262.
• Validation
• Fault coverage
• Safety

Today's trend in automotive field is to integrate more electronic systems on vehicles to offer more efficient on-board service and functionalities. Such embedded electronic devices are called ECU, Electronic Control Unit, and it is possible to count up to 100 of them on a car.

Many of these electronic systems are directly related to the safety of drivers and pedestrians, like assisted braking or electronic stability control, and with the market moving toward autonomous driving the importance of severe metrics to evaluate the safety of a system is growing.

This work focuses on functional safety for automotive, regulated by the standard ISO 26262.

ISO 26262 represent the standard reference point for the automotive safety lifecycle, from development to decommisioning, and provides a risk-based approach specific for automotive to determine safety integrity levels, the Automotive Safety Integrity Level (ASIL). Each ASIL level is associated with a set of requirements and safety measures to apply to avoid risk of danger, with ASIL D being the most stringent and ASIL A the least stringent.

ISO 26262 provides also metrics to evaluate if a system is compliant with a certain ASIL level requirements.

The first step of the thesis work is the development of a python-based fault injection and simulation tool for the evalutaion of safety mechanisms.

The tool is capable of guiding the analysis flow from the creation of a fault database selected by the user to the compilation of a diagnostic coverage report, one of the fundamental parameters needed in functional safety evaluations.

Furthermore have been designed two safety mechanism for an AES Core. The mechanisms were developed following the guidelines of ISO 26262 and validated using the fault injection tool previously realized.

The first safety mechanism relies on a Built In Self Test that is designed to perform a check for faults at the startup of the system, stimulating the AES Core with predefined test vectors and comparing the AES core module outputs against the expected ones.

This solution, with a latency at start-up of 1.6 microseconds at 500 MHz and an area overhead of 11% is capable of reaching a diagnostic coverage of more than 97%.

The second safety mechanism, called Smart Hardware Redundancy, consist in two identical instance of the AES Core which work in parallel while their output is always compared when any encryption or decryption process is performed. In case a fault is detected, a dedicated control unit performs a routine check based on the previous BIST solution and move the system into a safe state, disabling the faulty AES core unit and allowing the usage of the only working one.

This solution has significant cost in area overhead (110%), but it offers a very high protection against both permanent and
transient faults, with a diagnostic coverage of 97%, without affecting the AES Core latency.

Both the safety mechanisms have been designed using the Verilog HDL language and validated by means of the developed fault injection tool, resulting in an AES Core able to comply with ASIL C requirements when either one of the two safety mechanism is adopted.