GM has just announced that it will introduce a car with no steering wheel or pedals in 2019. According to their statement, they have already planned four phases of their autonomous driving system and will plan many more. However, before we climb into this car with no wheel to grab, it is reasonable to ask about the reliability of the driverless electronics.
To put the safety of automotive automation in perspective, we should first look at how safely cars operate today. The largest single cause of automobile accidents is distracted driving. A related statistic is that one third of all accidents involve straying from the driving lane. Autonomous driving systems will be hands down better at sustained vigilance than humans. Indeed, this is the impetus for self-driving cars: we won’t have to try to focus on driving during our trips, and can be as distracted as we wish. I for one look forward to this.
The lingering question is how well these systems will operate. Advances in AI have helped improve the software element of these systems, and as software quality improves, system hardware becomes the next area of focus. As I have written before, there are standards to help ensure reliability. The two main standards of interest are ISO 26262 (functional safety for road vehicles) and AEC-Q100 (stress-test qualification for integrated circuits). Anyone building a system or a chip intended for automotive use needs to be thoroughly acquainted with both.
Safety in these systems relies on the biggest and the smallest components, and each needs to be designed and assessed with the ultimate application in mind. One of the most poignant examples of how a very small but important component can lead to system failure is the Challenger explosion in 1986. In that case the O-rings on the solid rocket booster were operated outside their design specifications, leading to catastrophic failure of the spacecraft and loss of life.
Silicon Creations, a leading supplier of high performance analog IP, recently presented at the Reuse 2017 conference in Santa Clara on the topic of developing IP suitable for use in safety critical systems in automobiles. Andrew Cole, Silicon Creations’ VP, presented the session.
Andrew started off with a review of Silicon Creations, highlighting their strong growth since their founding in 2006. They have development groups in Krakow and Atlanta and their products span 180nm down to proven silicon at 7nm.
Because IP such as PLLs and SerDes are ultimately used as part of larger designs, they cannot be certified by themselves. Andrew spoke about two fundamental concepts in automotive safety: Safety Element out of Context (SEooC) and Fault Tolerant Time Interval (FTTI). An SEooC is an element developed without a specific target system, against assumed requirements and documented assumptions of use; the integrator must later confirm those assumptions hold. In practice this means you must understand the use case for a sub-unit such as a PLL before you can properly assess its safety performance. To harken back to the Space Shuttle failure, we can see a similarity with the O-rings. They worked adequately for launches above 54 degrees Fahrenheit, but at freezing temperatures they failed. The operating environment is an essential consideration when evaluating safety.
Once we are given a specific use case, it is then possible to talk about failures and the allowable time to detect and correct them. Without a use case we cannot really have a meaningful discussion of system level reliability. The FTTI is the time a fault can be present in the system before it leads to a hazardous event; the system-level design must detect the fault and reach a safe state within that interval, and how long that is depends on the severity and criticality of the failure. A failure in the entertainment system is nothing like a processor failure in the autonomous driving system. The former can wait for a visit to the dealer; the latter must be corrected or dealt with in fractions of a second.
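As an added illustration of how the FTTI turns into a requirement on a piece of IP (this is example code written for this page, not material from Silicon Creations’ presentation), the block below models a simple PLL lock monitor that samples the lock flag periodically and needs a few consecutive “unlocked” samples before it raises a fault. Its worst-case detection latency plus the time to reach the safe state must fit inside the FTTI of the use case the PLL is placed in. The monitor parameters and the FTTI values for the two use cases are constructed numbers chosen for the illustration, not figures from any standard or product.

```python
"""Fault-handling time budget for a PLL lock monitor, checked per use case.

Example code added for this page; all numbers are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LockMonitor:
    sample_period_us: float   # how often the lock flag is sampled
    debounce_samples: int     # consecutive 'unlocked' samples needed to confirm a fault
    reaction_us: float        # time from confirmation to the safe state (assumed)

    def worst_case_detection_us(self) -> float:
        # Worst case: the fault lands just after a sample, so it is first seen
        # one period later and confirmed debounce_samples periods after the fault.
        return self.debounce_samples * self.sample_period_us

    def fault_handling_us(self) -> float:
        # Fault handling time = detection time + reaction time.
        return self.worst_case_detection_us() + self.reaction_us


@dataclass(frozen=True)
class UseCase:
    name: str
    ftti_us: float            # fault tolerant time interval for this use case (assumed)


def budget_ok(monitor: LockMonitor, use_case: UseCase) -> bool:
    """True if the monitor can detect and react within the use case's FTTI."""
    return monitor.fault_handling_us() <= use_case.ftti_us


def detection_latency_us(monitor: LockMonitor, fault_at_us: float,
                         horizon_samples: int = 10_000) -> float:
    """Walk a constructed lock-flag timeline and return the measured detection latency.

    The lock flag is assumed true until the fault lands at fault_at_us and false
    afterwards; samples are taken at t = k * sample_period_us for k = 1, 2, ...
    """
    run = 0
    for k in range(1, horizon_samples + 1):
        t = k * monitor.sample_period_us
        locked = t <= fault_at_us
        run = 0 if locked else run + 1
        if run == monitor.debounce_samples:
            return t - fault_at_us
    raise RuntimeError("fault never confirmed within the simulated horizon")


# Constructed monitor configurations and use cases (assumed values).
FAST_MONITOR = LockMonitor(sample_period_us=100.0, debounce_samples=3, reaction_us=500.0)
SLOW_MONITOR = LockMonitor(sample_period_us=5_000.0, debounce_samples=3, reaction_us=2_000.0)
ADAS = UseCase("driving function", ftti_us=10_000.0)           # 10 ms budget (assumed)
INFOTAINMENT = UseCase("entertainment", ftti_us=1_000_000.0)  # 1 s budget (assumed)


def report() -> dict:
    """Budget check of each monitor against each use case, keyed by (monitor, use case)."""
    results = {}
    for mname, monitor in (("fast", FAST_MONITOR), ("slow", SLOW_MONITOR)):
        for use_case in (ADAS, INFOTAINMENT):
            results[(mname, use_case.name)] = budget_ok(monitor, use_case)
    return results


if __name__ == "__main__":
    for key, ok in report().items():
        print(f"{key[0]} monitor in {key[1]}: {'OK' if ok else 'FAILS FTTI budget'}")
    latency = detection_latency_us(FAST_MONITOR, fault_at_us=130.0)
    print(f"measured latency {latency} us, bound {FAST_MONITOR.worst_case_detection_us()} us")
```

The point of the simulation is that the detection bound is a property of the monitor design (sampling period and debounce count), while the budget it must fit inside is a property of the use case; the same PLL and monitor can pass in one system and fail in another, which is exactly why an SEooC ships with assumptions of use rather than a standalone pass/fail.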
The presentation, which can be downloaded from the Silicon Creations website, also discusses several design approaches and considerations for achieving system level certification of systems that use IP blocks such as their PLLs and SerDes. Another topic he grapples with is AEC-Q100 grading and testing. AEC-Q100 can be a sore point for products with small production volumes because it requires stress testing that consumes costly quantities of fabricated parts. Additionally, some care must be used when defining the mission profile for a chip, and therefore for the IP incorporated into it.
The hope is that autonomous vehicles will lead to fewer accidents and improved safety. This cannot come about unless the entire supply chain is ready to step up and participate in a meaningful effort to meet and exceed safety standards. Silicon Creations is clearly making the effort and reaping favorable results. The slides used in Andrew’s talk can be found on their website. I highly recommend looking them over.