The reason you are seeing a lot more written about the ISO 26262 requirements for automotive electronics is, to put it bluntly, this stuff is getting real. Driver assist systems are no longer only found in the realm of Mercedes and Tesla, almost every car in every brand offers some driver assist features. However, the heavy lifting required for ISO 26262 is coming with the advent of autonomous vehicles. This is where the risk of electronic system malfunction transforms from problematic to potentially lethal.
ISO 26262 is really a standard for completed systems, where the operation of the subunits is in a known context. Without an operational context, not enough is known to provide any meaningful qualification. Nevertheless, the components of these systems need to be designed, at each level, with consideration of the final qualification requirements.
ISO 26262 starts by identifying every anticipated failure event and assigning an ASIL to each. ASIL is a way of determining the severity of the failure. ASIL A being the least severe and easiest to recover from, and ASIL D being the most dangerous and also difficult to handle. A door lock mechanism failure is quite a bit different than a failure in a fully autonomous driving system. Indeed, the error checking and recovery methods for ASIL D are extensive and require a lot of forethought – even at the IP level during system design.
During the Linley Processor Conference in early October in Santa Clara, Michael Thompson, product marketing manager for Synopsys ARC HS processors, gave a presentation discussing how IP needs to be designed so that it can be incorporated into ASIL A to ASIL D qualified systems. He was quick to point out that even as reliability features are being added, the complexity and performance requirements are rising dramatically as well. For instance, by 2020 it is expected that the electronics content of an automobile will reach 35% and there will be ~100M lines of code. By 2030 the electronic content will be closer to 50% and there will be ~300M lines of code.
Michael mentioned that for ASIL C and D, fault injection testing is highly recommended. For ASIL D the expected single point fault detection rate should be 99% or better. Multipoint faults are also intended to be detected at better than 90%. Below is a slide from his presentation showing the expected effectiveness for a range of diagnostic methods.
To deal with high performance requirements and ISO 26262 safety features, Synopsys presented their ARC HS Quad Core targeted toward the automotive market. Michael gave an overview of its safety features. Synopsys has developed a dedicated safety manager unit that is responsible for the HS cluster bring up. It also manages boot time LBIST and MBIST. The safety manager additionally monitors and executes safety escalations on the SOC.
Synopsys also offers an integrated safety bus architecture. This is involved in passing error information and monitoring other ASIL ARC cores. The memories integrated into the HS Quad Core are ASIL D ready with support for ECC. Internally there is parity checking for processor registers and other safety critical registers. Each core has its own dedicated safety manager and watchdog timer. For bus transactions there is ECC protection on AXi/NoC for address and data values.
Safety monitoring is accomplished with error injection to verify and test the safety mechanisms. Tailored SW diagnostic tests are also supported. Power on and reset LBIST, SMS and SHS are part of the safety monitoring system. Michael’s presentation went into detail on the specifics of the integrated safety features.
Another key element of successful ISO 26262 qualification is component and system level documentation. Without adequate and proper documentation, no IP can be included in a system intended for ISO 26262 qualification. Furthermore, the same is generally true for the development tools used to build and integrate the IP – including software development tools used subsequently to complete the operational system. Synopsys has gone to great lengths to provide a tool chain suitable for ISO 26262 qualification. This extends to compiler, IDE and debugger support.
As the transition from assisted driving to autonomous driving takes place, both the performance and reliability of the onboard electronics will need to increase. Autonomous vehicles will call for much higher data processing requirements with zero room for functional failure. Certainly for autonomous vehicles to succeed, consumers will have to have full confidence in their safety. We used to think of automotive safety in terms of steering linkage, brake line and gearbox reliability. However, with increasing semiconductor IP content and its significant role in vehicle operation, it is this IP that will become the focal point of reliability concerns and activity. It is a good thing that ISO 26262 lays out a definite process for achieving the necessary quality goals. It is heartening to see products, such as the Synopsys ARC HS Quad Core IP coming to market to deliver on the needs of fully autonomous driving. For more information on the full line of Synopsys ARC HS cores, please visit their website.