Automotive Safety in High-Volume Applications

By: Angela Raucher, ARC Product Marketing Manager, Synopsys

As the automotive electronics market continues to expand and the volume of automobiles being manufactured increases, there is a growing need for tailored semiconductor devices, especially for safety-critical applications. Combined with the competitive pressure brought by new entrants into the automotive market, this means designers must focus on cost savings and quick time to market when selecting IP for their automotive ICs.

Selecting the Best Processor IP Solution for Automotive ICs

Automotive IC designers and architects are often faced with a hard choice when selecting processors and IP for a safety-critical design. They can choose IP that is designed for automotive requirements but is not exactly the right fit for the specific application, which adds unwanted area and time to the IC design. Or they can choose IP that may be a better fit for the requirements of the design but that needs to be retrofitted for the strict demands of automotive safety specifications, which costs additional engineering resources and delays time to market.

When designing an IC for automotive safety applications, designers need to understand which safety level is targeted, as it will impact the feature requirements for the IP. As ICs have a long life cycle in the automotive market, designers should examine market trends that may affect future ASIL requirements. For example, an ADAS IC today may be providing the driver with information to act upon, and therefore only require ASIL B certification; in the future it may make life-critical decisions in an autonomous vehicle, which would require ASIL D certification.

For an ASIL B IC, parity alone on the memories may be sufficient, but an ASIL D IC must support error correcting code (ECC). To meet the stringent >99% single-point fault metric for ASIL D, a processor in the safety-critical path will need to operate in lockstep to provide redundancy. For ASIL B this may not be necessary, because the requirement is less stringent at >90% (Table 1). Lockstep implementations may nevertheless provide other benefits, depending on the IP in the design.

Table 1 – Fault metrics associated with ISO 26262 ASIL levels.
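
To make the metric in Table 1 concrete, here is an added worked example, not from the article and not Synopsys data, that computes the single-point fault metric the way an FMEDA does for four processor configurations: a single core with parity-protected memories, with and without a monitored bus, and a dual-core lockstep pair with parity or with ECC. The element list, the failure rates and every diagnostic-coverage value are constructed assumptions (a real FMEDA takes them from the IP's safety manual and ISO 26262-5 Annex D); the SPFM targets are the ISO 26262-5 ones.

```python
"""FMEDA-style single-point fault metric (SPFM) for a few processor configurations.

ISO 26262-5 defines
    SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
over the safety-related hardware elements. An element with no safety
mechanism contributes its whole failure rate as a single-point fault
(lambda_SPF); an element covered by a mechanism with diagnostic coverage
DC contributes the residual lambda_RF = lambda * (1 - DC). Failure rates
are in FIT (1e-9/h). All element rates and DC values below are constructed
for illustration and are not Synopsys figures; the latent-fault metric is
left out.
"""
from __future__ import annotations

from dataclasses import dataclass

# SPFM targets from ISO 26262-5 (ASIL A carries no SPFM target).
SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}


@dataclass(frozen=True)
class Element:
    name: str
    fit: float        # failure rate of the element, in FIT (constructed)
    mechanism: str    # safety mechanism covering it; "" means none
    dc: float         # diagnostic coverage of that mechanism (assumed; 0.0 when none)


def undetected_fit(e: Element) -> float:
    """Single-point rate if unmonitored, residual rate otherwise."""
    return e.fit * (1.0 - e.dc)


def spfm(elements: list[Element]) -> float:
    total = sum(e.fit for e in elements)
    return 1.0 - sum(undetected_fit(e) for e in elements) / total


def spfm_asil(metric: float) -> str:
    """Highest ASIL whose SPFM target the metric meets ('QM' if none)."""
    for asil in ("D", "C", "B"):
        if metric >= SPFM_TARGET[asil]:
            return asil
    return "QM"


def breakdown(elements: list[Element]) -> list[tuple[str, str, float]]:
    """Per-element (name, mechanism, undetected FIT) rows, as an FMEDA would list them."""
    return [(e.name, e.mechanism or "none", undetected_fit(e)) for e in elements]


# Constructed configurations. DC values are assumptions, not measured coverage.
SINGLE_CORE_PARITY = [
    Element("cpu core", 100, "periodic software self-test", 0.90),
    Element("data RAM", 200, "parity", 0.95),
    Element("instruction RAM", 150, "parity", 0.95),
    Element("bus interface", 30, "", 0.0),          # unmonitored: pure single-point fault
]
SINGLE_CORE_PARITY_BUS = SINGLE_CORE_PARITY[:3] + [
    Element("bus interface", 30, "bus parity", 0.90),
]
_LOCKSTEP_CORES = [
    Element("cpu core (main)", 100, "dual-core lockstep compare", 0.99),
    Element("cpu core (shadow)", 100, "dual-core lockstep compare", 0.99),
    Element("safety monitor", 10, "self-checking monitor", 0.99),
]
LOCKSTEP_PARITY = _LOCKSTEP_CORES + [
    Element("data RAM", 200, "parity", 0.95),
    Element("instruction RAM", 150, "parity", 0.95),
    Element("bus interface", 30, "bus parity", 0.90),
]
LOCKSTEP_ECC = _LOCKSTEP_CORES + [
    Element("data RAM", 200, "SECDED ECC", 0.999),
    Element("instruction RAM", 150, "SECDED ECC", 0.999),
    Element("bus interface", 30, "ECC on bus", 0.999),
]
CONFIGS = {
    "single core, parity, bus unmonitored": SINGLE_CORE_PARITY,
    "single core, parity, bus parity": SINGLE_CORE_PARITY_BUS,
    "lockstep cores, parity memories": LOCKSTEP_PARITY,
    "lockstep cores, ECC memories": LOCKSTEP_ECC,
}

if __name__ == "__main__":
    for label, cfg in CONFIGS.items():
        value = spfm(cfg)
        print(f"{label}: SPFM = {value:.2%} -> {spfm_asil(value)}")
        for name, mech, fit in breakdown(cfg):
            print(f"    {name:<18} {mech:<28} undetected {fit:6.2f} FIT")
```

Two things fall out of the numbers. A single unmonitored element (the bus in the first configuration) is enough to pull an otherwise reasonable design below the ASIL B line, because its whole failure rate counts as single-point. And lockstep cores alone do not reach ASIL D while the memories are only parity-protected: the residual rate of the memories dominates, which is the reason the article ties ECC to ASIL D.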

Processor IP that is both certified for safety requirements and configurable provides a significant advantage in achieving both stringent functional safety requirements and aggressive area targets. Using ASIL D Ready certified IP provides the safety features required to meet the most stringent functional safety requirements, along with the necessary verification for systematic and random faults, saving 6-12 months of intensive design and verification effort. With configurability, designers can choose to implement parity or ECC, and to instantiate a lockstep interface or not, depending on the ASIL requirement of the application. In high-volume production, the area savings increase margin and improve competitive position. Configurability also allows the same processor, with software compatibility, to be used across a line of products with different requirements, increasing return on investment while incurring no area/margin penalties.

Low-Power, Compact Processors for Safety-Critical Applications

As an example of a configurable safety processor, several years ago Synopsys introduced DesignWare ARC® EM Processors with a safety enhancement package to fill a gap for microcontroller-class processor IP designed and verified for the most stringent safety standards. Prior to that introduction, the few commercial processor cores with safety features were all in the high-performance, high-frequency category. If a design needed a compact, microcontroller-class core, the designers had to build it themselves or adapt a core built for consumer applications, costing man-years of effort and requiring the right expertise in functional safety design and verification. An additional benefit of the ARC EM processors is their configurability, which lets the designer optimize each instance of the same code-compatible core to the application requirements.

As mentioned earlier, for ASIL D applications, processor cores in the safety-critical path need to operate in a lockstep mode. This requires a second, shadow core and a monitoring function that compares the outputs of the two cores to detect whether a fault has occurred. Of course, it’s not as simple as it sounds – the cores share memory, the signals to be compared need to be brought out to the monitor function, and the design needs to account for common-cause failures, events that could affect both cores at the same time. So even if the design uses a processor core with the required hardware safety features, there is still significant work to be done, and experience needed, to get to a lockstep implementation.

Dual-Core Lockstep Safety Islands

This is another gap that Synopsys set out to fill. To reduce time to market further and simplify the design work needed to achieve the highest automotive safety level, Synopsys introduced the ARC EM Safety Islands. The Safety Islands are pre-built, verified and ASIL D Ready certified dual-core lockstep processors with an integrated self-checking safety monitor (Figure 1).

Figure 1 – ARC EM Safety Island: a dual-core lockstep implementation with integrated safety monitor

The safety islands are based on ARC EM processors with hardware features such as ECC and a programmable watchdog timer to detect system failures as well as runtime faults. The processors include a lockstep interface that is used by the integrated safety monitor to compare outputs and detect if a fault has occurred. The ARC EM Safety Islands are supported by comprehensive safety documentation, including FMEDA reports that facilitate chip- and system-level ISO 26262 ASIL D compliance. In addition, the MetaWare Toolkit for Safety eases the development, debugging, and optimization of ISO 26262 compliant software targeting ARC processors.

Like the ARC EM processors themselves, the safety islands are configurable and extensible to meet the safety, performance, and area requirements of each target application, including advanced driver assistance systems (ADAS), radar and sensor processing. The cores in the EM Safety Island can also operate in an independent dual-core mode to provide additional performance in applications that do not require lockstep execution, such as those targeting ASIL B. In addition, the processors offer options including a memory protection unit (MPU) and a microDMA engine to meet system-level protection and latency requirements (Figure 1). These options are tightly coupled to each processor core, so they are duplicated along with the core and further reduce single points of failure in the IC. The self-checking safety monitor adds time diversity, with the shadow core executing delayed relative to the main core, and parity protection, so that a noise pulse that hits both cores at the same instant still produces a detectable mismatch rather than the same error in both.
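
The lockstep arrangement described above, and the reason time diversity matters for the common-cause case, can be seen in a small cycle model. The following is an added illustration and is not the Safety Island RTL or any Synopsys code: a main core, a shadow core that runs the same steps a configurable number of cycles later, and a monitor that parks the main core's results in a parity-protected delay pipeline and compares them with the shadow core's when both refer to the same step. The toy datapath, the delay value, the one-bit transient, the delay-register upset and the input stream are all constructed. It shows a transient that hits both cores in the same cycle being caught when the shadow core is delayed and missed when it is not, and a bit flip inside the monitor's own delay registers being caught by parity where the comparator alone would misreport it.

```python
"""Cycle-level model of a dual-core lockstep pair with time diversity.

Constructed illustration; not the ARC EM Safety Island design.
The main core executes step k at cycle k. The shadow core executes the
same step DELAY cycles later. The safety monitor stores the main core's
result (with a parity bit) in a delay pipeline and compares it with the
shadow core's result once both refer to the same step. A one-cycle
transient that hits both cores in the same cycle therefore lands on two
different steps (k on the main core, k-DELAY on the shadow core) and is
exposed by the comparator; with DELAY == 0 it corrupts both results
identically and passes unnoticed.
"""
from __future__ import annotations

from collections import deque

MASK32 = 0xFFFF_FFFF


def datapath(state: int, inp: int) -> int:
    """Toy per-step computation standing in for the core (constructed)."""
    return ((state * 0x9E37_79B1) ^ inp) & MASK32


class Core:
    def __init__(self) -> None:
        self.state = 0

    def run(self, inp: int, upset: bool = False) -> int:
        out = datapath(self.state, inp)
        if upset:            # single-event transient: flip one bit of this cycle's result
            out ^= 0x1
        self.state = out     # the corrupted value is latched, so later steps diverge too
        return out


def parity(value: int) -> int:
    return bin(value).count("1") & 1


class LockstepMonitor:
    """Delay pipeline plus comparator; records every fault it detects."""

    def __init__(self) -> None:
        self.pipe: deque[list] = deque()      # entries: [step, main_result, parity]
        self.faults: list[tuple[int, str]] = []

    def capture_main(self, step: int, result: int) -> None:
        self.pipe.append([step, result, parity(result)])

    def upset_delay_register(self, step: int, bitmask: int) -> None:
        """Model a bit flip inside the delay pipeline; the stored parity is not recomputed."""
        for entry in self.pipe:
            if entry[0] == step:
                entry[1] ^= bitmask

    def compare_shadow(self, step: int, result: int) -> None:
        main_step, main_result, stored_parity = self.pipe.popleft()
        assert main_step == step, "pipeline misaligned"
        if parity(main_result) != stored_parity:
            self.faults.append((step, "delay-register parity"))
        elif main_result != result:
            self.faults.append((step, "lockstep compare"))


def simulate(inputs, delay, transient_cycle=None, delay_upset_step=None):
    """Run both cores over `inputs`; return the faults the monitor flagged."""
    main, shadow, mon = Core(), Core(), LockstepMonitor()
    n = len(inputs)
    for cycle in range(n + delay):
        hit = cycle == transient_cycle        # the glitch hits both cores in this cycle
        if cycle < n:
            mon.capture_main(cycle, main.run(inputs[cycle], upset=hit))
            if cycle == delay_upset_step:
                mon.upset_delay_register(cycle, 0x8000_0000)
        shadow_step = cycle - delay
        if shadow_step >= 0:
            mon.compare_shadow(shadow_step, shadow.run(inputs[shadow_step], upset=hit))
    return mon.faults


# Constructed input stream standing in for the instruction/data sequence.
SAMPLE_INPUTS = [0x1000 + 7 * k for k in range(16)]

if __name__ == "__main__":
    print("no fault, delay 2    :", simulate(SAMPLE_INPUTS, 2))
    print("common-mode, delay 0 :", simulate(SAMPLE_INPUTS, 0, transient_cycle=5))
    print("common-mode, delay 2 :", simulate(SAMPLE_INPUTS, 2, transient_cycle=5)[:3])
    print("delay-register upset :", simulate(SAMPLE_INPUTS, 2, delay_upset_step=7))
```

With a delay of two cycles the transient at cycle 5 corrupts step 5 on the main core and step 3 on the shadow core, so the first mismatch is reported at step 3 and the cores never re-converge; with no delay the same event produces the same wrong value on both sides and the comparator sees nothing, which is the common-cause failure the monitor's time diversity exists to break.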

Meeting the requirements of automotive safety-critical applications adds to the cost, complexity, and timeline of designing ICs. By selecting pre-verified ASIL D Ready certified processor IP solutions that are also configurable, like the ARC EM Safety Islands, designers will be able to meet aggressive area and time-to-market targets with a highly competitive automotive product.