Automotive Safety: Achieving ISO 26262 Compliance with Processor IP (Part 2)

Part 2 of 2

By Paul Garden, Product Marketing Manager, ARC Processors, Synopsys

Abstract:

The proliferation of electronic systems in automobiles has resulted in the creation of new automotive standards to ensure safety. The ISO 26262 standard is an adaptation of the more general International Electrotechnical Commission (IEC) 61508 functional safety standard. ISO 26262 defines functional safety for automotive equipment and addresses possible hazards caused by the malfunctioning of electronic and electrical systems in passenger vehicles. Components of automotive electrical/electronic systems play a critical role in achieving compliance with the ISO 26262 standard. This is part two of a two-part article, which examines ISO 26262 compliance from a processor IP perspective, describing the role processor IP plays and the processor features that facilitate the certification process.

In the first part of this two-part article, we defined functional safety and the Automotive Safety Integrity Levels (ASILs) that determine the minimum testing requirements for safety-critical systems. We will now discuss how processor IP should be designed and the processes that must be followed to facilitate ISO certification of the safety-critical systems designed by OEMs.

ISO 26262: A Processor IP Perspective

Processor IP is at the heart of many, if not most, automotive safety system controllers and systems-on-chip (SoCs). The processors run the software that determines the functions of the ASIC or SoC and, ultimately, the safety performance of the whole system. The relationship between the processor IP, the software running on it, and how the system achieves certification therefore becomes a much more complex mapping of safety-compliance responsibility across the supply chain, which now consists of the OEM, the component supplier and the processor IP provider.

This means that the processor IP provider also needs to be knowledgeable about the requirements of ISO 26262 compliance and the ASILs. To become a valued processor IP provider in the automotive safety market, the provider must integrate hardware features into its processor IP that enable the component supplier to build a more complete safety-compliant SoC. These features are required to raise the integrity of the safety levels within a chip design.

Figure 4: Advanced Driver Assistance Systems (ADAS) - Semiconductor Demand

Creating an ISO 26262-Ready Processor Core

The dramatic growth in processors used in Advanced Driver Assistance Systems (ADAS) semiconductors can be seen in Figure 4. The need for more intelligence and programmable control means there is now an even bigger demand for using a programmable processor in place of either discrete logic or pre-programmed state machines.

To enable semiconductor vendors to build processor-based chips targeted at ISO 26262 safety-critical applications, a new approach is needed in the development of processor IP for that market. Not only does the technology in the product have to change, but the development process and safety culture within the company has to align with the goals of the ISO 26262 standard.

Synopsys has a quality management system that helps deliver the highest quality IP to our customers. To adhere to the specific requirements of building processor IP for ISO 26262-based systems, Synopsys consulted with third-party automotive safety certification experts such as SGS-TÜV Saar to help ensure that our existing development processes and product lifecycle management were aligned with ISO 26262 compliance.

To address the needs of ISO 26262 applications, Synopsys also added hardware safety features into the processor core itself. These features provide the hooks to facilitate the design of a safety-oriented chip architecture at the IP level. This safety-oriented chip architecture becomes an ISO 26262-friendly baseline to run the safety-critical software. All of these integrated features ease the chip design process and ultimately shorten the development time and cost of safety systems.

Here is a list of the hardware features that enable the DesignWare® ARC® EM Safety Enhancement Package (SEP) processor to achieve ASIL D readiness:

  • Error detection and correction logic
    • ECC: Detects single-bit and double-bit data and address errors with the option to correct
    • Parity: Detects single-bit errors
  • Hardware stack protection: Checks overflow and underflow of reserved stack space
  • Code protection: Hardware means to block read and write to code space
  • Programmable watchdog timer: Safety-related version of timer 0/1 used to detect and recover from a deadlock situation
  • Lock-step interface: Can be used to implement a dual-core lock-step architecture
  • Memory protection unit: Defines variable regions and assigns access attributes. The different protection schemes may be combined to achieve several levels of protection against malicious or misbehaving code in critical applications
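The first two bullets above state the practical difference between the two error-detection schemes: parity spends one bit to detect an odd number of flipped bits, while ECC can correct a single flipped bit and still detect a double flip. The following C program is an added example written for this article, not Synopsys code and not the error-correction logic of the ARC EM SEP; it implements a SECDED (single-error-correct, double-error-detect) Hamming code over a 32-bit word so the two behaviours can be exercised side by side. The codeword layout, the function names (`secded_encode`, `secded_decode`, `parity_bit` and the fault-injection helpers) and the sample value `0xDEADBEEF` are all choices made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative SECDED Hamming code for a 32-bit word (layout chosen for this example):
 *   bit 0                     overall (even) parity bit
 *   bits 1,2,4,8,16,32        Hamming check bits (power-of-two positions)
 *   remaining bits in 1..38   the 32 data bits, in order */
#define DATA_BITS  32
#define CHECK_BITS 6
#define CODE_BITS  (DATA_BITS + CHECK_BITS + 1)   /* 39 bits; fits in a uint64_t */

typedef enum { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 } ecc_status;

static int popcount64(uint64_t x) { int c = 0; while (x) { x &= x - 1; c++; } return c; }
static int is_check_pos(int pos) { return (pos & (pos - 1)) == 0; }   /* power of two */

/* Scatter the data bits over the non-check positions 1..38. */
static uint64_t place_data(uint32_t data) {
    uint64_t cw = 0;
    for (int pos = 1, d = 0; pos < CODE_BITS; pos++) {
        if (is_check_pos(pos)) continue;
        if ((data >> d) & 1) cw |= 1ULL << pos;
        d++;
    }
    return cw;
}

/* Inverse of place_data: gather the data bits back out of a (corrected) codeword. */
static uint32_t extract_data(uint64_t cw) {
    uint32_t data = 0;
    for (int pos = 1, d = 0; pos < CODE_BITS; pos++) {
        if (is_check_pos(pos)) continue;
        if ((cw >> pos) & 1) data |= 1u << d;
        d++;
    }
    return data;
}

/* XOR of the positions of all set bits in 1..38: zero for a valid codeword,
 * and exactly the flipped position after a single-bit error. */
static unsigned syndrome(uint64_t cw) {
    unsigned s = 0;
    for (int pos = 1; pos < CODE_BITS; pos++)
        if ((cw >> pos) & 1) s ^= (unsigned)pos;
    return s;
}

uint64_t secded_encode(uint32_t data) {
    uint64_t cw = place_data(data);
    unsigned s = syndrome(cw);
    for (int k = 0; k < CHECK_BITS; k++)           /* check bit k sits at position 1<<k; */
        if ((s >> k) & 1) cw |= 1ULL << (1u << k); /* setting it drives the syndrome to 0 */
    if (popcount64(cw) & 1) cw |= 1ULL;            /* bit 0: even parity over the whole word */
    return cw;
}

/* Returns the ECC verdict; *data_out receives the (possibly corrected) data and
 * *fixed_pos the corrected bit position, or -1 if nothing was corrected.
 * SECDED guarantees are for at most two flips; three or more may miscorrect. */
ecc_status secded_decode(uint64_t cw, uint32_t *data_out, int *fixed_pos) {
    unsigned s = syndrome(cw);
    int parity_bad = popcount64(cw) & 1;     /* odd number of flipped bits */
    ecc_status st = ECC_OK;
    *fixed_pos = -1;
    if (parity_bad && s < (unsigned)CODE_BITS) {
        cw ^= 1ULL << s;                     /* single flip: s == 0 means bit 0 itself */
        *fixed_pos = (int)s;
        st = ECC_CORRECTED;
    } else if (parity_bad || s != 0) {
        st = ECC_UNCORRECTABLE;              /* two flips (parity OK, syndrome != 0),
                                                or 3+ flips pointing outside the word */
    }
    *data_out = extract_data(cw);            /* left as received when uncorrectable */
    return st;
}

/* Plain even parity over a 32-bit word: one extra bit, detects an odd number of flips only. */
unsigned parity_bit(uint32_t w) { return (unsigned)(popcount64(w) & 1); }
int parity_check(uint32_t w, unsigned stored_parity) { return parity_bit(w) == stored_parity; }

/* Fault-injection helpers: flip the given codeword positions and report whether
 * the decoder behaved as SECDED promises. */
int secded_roundtrip_ok(uint32_t data) {
    uint32_t out; int fixed;
    return secded_decode(secded_encode(data), &out, &fixed) == ECC_OK && out == data;
}
int secded_single_flip_corrected(uint32_t data, int pos) {
    uint32_t out; int fixed;
    uint64_t cw = secded_encode(data) ^ (1ULL << pos);
    return secded_decode(cw, &out, &fixed) == ECC_CORRECTED && out == data && fixed == pos;
}
int secded_double_flip_detected(uint32_t data, int p, int q) {
    uint32_t out; int fixed;
    uint64_t cw = secded_encode(data) ^ (1ULL << p) ^ (1ULL << q);
    return secded_decode(cw, &out, &fixed) == ECC_UNCORRECTABLE;
}

int main(void) {
    uint32_t word = 0xDEADBEEFu;   /* constructed sample data */
    printf("codeword            : 0x%010llx\n", (unsigned long long)secded_encode(word));
    printf("single flip @17     : %s\n", secded_single_flip_corrected(word, 17) ? "corrected" : "FAIL");
    printf("double flip @5,@20  : %s\n", secded_double_flip_detected(word, 5, 20) ? "detected" : "FAIL");
    printf("parity, 2-bit flip  : %s\n", parity_check(word ^ 3u, parity_bit(word)) ? "missed" : "detected");
    return 0;
}
```

The decoder's verdict is the part a safety design consumes: `ECC_CORRECTED` is an event worth counting (a rising rate of corrected single-bit errors is an early warning), while `ECC_UNCORRECTABLE` has to feed a fault reaction such as the safe-state path rather than being silently consumed, since the returned data is known to be wrong.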

Synopsys also provides the DesignWare ARC MetaWare Development Toolkit for software development. The ARC MetaWare Compiler, a part of the toolkit, includes a Software Safety Manual and Software Safety Guide that are certified ASIL D-ready by SGS-TÜV Saar for ISO 26262-compliant software development. This eases the development and certification process for silicon vendors and/or the OEM. Software developers complying with Synopsys’ safety documentation during product development do not need to further qualify the compiler themselves, saving them effort and cost.

Synopsys provides other products to ease the development of an ISO 26262-compliant design, including tools to help with simulation, requirements tracking and automated documentation creation. For example, Synopsys’ Saber is used for simulating automotive electrical system and subsystem applications and helps automotive companies achieve compliance with the ISO 26262 standard through automated fault analysis as well as a robust design verification flow.

Synopsys’ VCS® functional verification solution includes Verification Planner, which offers continuous requirements tracking throughout the design and verification process to help provide comprehensive documentation for projects requiring certification support. Verification Planner supports safety certification by:

  1. Allowing low-level data from a design verification environment (such as whether tests pass or fail, functional and code coverage, assertion results and other metrics) to be associated with user-defined features;
  2. Enabling user-defined features to be linked with sections of documents maintained within a requirements management process; and
  3. Using verification overlays to enable the encapsulation of higher-level certification requirements such as ISO 26262. When a specification identifies a rule such as ‘all tests must pass’, that goal can be applied to Verification Planner features. The results of those goal evaluations can then supply the information needed to determine which requirements are adequately verified.

By leveraging Verification Planner’s metric analysis and tracing process, designs have the audit information required to achieve ISO 26262 compliance.

Growth in ADAS and ISO 26262 are a Safe Bet

Figure 5: Growth of ADAS outpaces almost every other automotive system in the car 

Combining the growth in ADAS with the growth in demand for more silicon IP in these safety-related systems makes a strong case for building and maintaining more ISO 26262-targeted IP. The need for more safety-certified systems has an effect throughout the entire supply chain, from IP providers to the system integrators and automotive OEMs. Being able to provide more ISO 26262-compliant IP, including processors, will ultimately make it easier for automotive OEMs and their tier 1 suppliers to achieve ISO 26262 certification.

For more information on Synopsys ARC Processor IP solutions, visit: www.synopsys.com/arc
