Article: Assessing The Safety Of Automotive Chips

The safety and comfort of cars have increased dramatically over the past decade. Nowadays, even economy-class vehicles feature advanced driver-assistance systems (ADAS) that, in certain conditions, control not only acceleration and braking but also steering. Fully autonomous vehicles are on the horizon. Although it is not clear when and how deployment will start, the technology is moving fast. All the established car manufacturers are investing heavily in machine learning (ML) and other artificial intelligence (AI) fields, and many new players are crowding this space, attracted by what is widely expected to be a booming, disruptive technology.

Complex electronic systems are at the heart of automotive innovation. While traditional car manufacturers, the automotive original equipment manufacturers (OEMs), have enormous experience in “bending metal” and designing combustion engines, they rely on their Tier 1 suppliers and on semiconductor vendors for the dozens of electronic control units (ECUs) and associated software that make vehicles safe, secure, energy-efficient, comfortable, and generally “smart”. Automotive application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), and systems-on-chip (SoCs) designed and produced by companies like Infineon, Renesas, NXP, and Bosch are ever more crucial to the long-term commercial success of car manufacturers.

Tesla, one of the most innovative companies in the world, recently made headlines in the semiconductor industry. Despite having no prior chip-development capability, it decided to develop its own, highly specialised chip (see Figure 1). Tesla’s full self-driving (FSD) chip, presented in April 2019, includes two neural network accelerators (NNAs) developed in house. It also integrates third-party intellectual property (IP) blocks, including a graphics processing unit (GPU) and an Arm-based central processing unit (CPU) subsystem. Tesla claims that the FSD computer, already deployed in production and based on a board that includes two FSD chips, is 21X faster than its previous, NVIDIA-based solution, and capable of processing 2,300 frames per second within a tight power envelope. According to Tesla, the FSD computer will be able to support autonomous driving once the software catches up.

Analysing and quantifying the risk of silicon failures

Shrinking transistor geometries, aggressive power-consumption targets, and complex functional requirements increase the risk of integrated circuits (ICs) malfunctioning in the field. Electromigration, aging, and other wear-out effects may permanently corrupt the behaviour of hardware functions (permanent faults, such as a signal stuck at 0 or 1), while cosmic rays and other radiation can temporarily flip stored bits (transient faults, or soft errors). Such random hardware failures may give rise to hazardous events that result in damage to property or even loss of human life.

The ISO 26262 functional safety standard defines requirements that encompass the development, production, and decommissioning of electronic systems for road vehicles. The standard specifies four automotive safety integrity levels (ASILs), from ASIL A to ASIL D, with ASIL D being the most stringent. A central concept in ISO 26262 is that of safety goals: the top-level safety requirements derived from hazard analysis, which random hardware failures may violate. Automotive ASICs/FPGAs/SoCs include safety mechanisms that prevent or control random hardware failures. Engineers must list potential failure modes and provide evidence that the target ASIL has been achieved. As a chip may be used in a variety of applications, it is often developed as a safety element out of context (SEooC) and accompanied by a safety manual that specifies its assumptions of use.

The safety architecture of modern automotive chips is complex and typically features a variety of safety mechanisms, including software self-test, redundancy, lock-step processors, and parity or error-correcting codes (ECC) for memory protection (see Figure 2). Failure modes, effects, and diagnostic analysis (FMEDA) is an analytical method to assess the safety architecture and its implementation. The FMEDA process has three crucial steps: (1) validation of the safety architecture and partitioning of hardware functions and faults according to failure modes; (2) determination of the diagnostic coverage, the fraction of each failure mode's failure rate that the safety mechanisms detect or control before it can violate a safety goal; and (3) computation of the ISO 26262 hardware safety metrics, namely the single-point fault metric (SPFM), the latent fault metric (LFM), and the probabilistic metric for random hardware failures (PMHF).
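The following calculator is an added example written for this article, not code from the article or from any EDA vendor. It carries step (3) through on a constructed, hypothetical SoC: each element's FIT rate is partitioned into safe, single-point, residual, detected multiple-point and latent multiple-point faults from its hazard fraction and diagnostic coverage, and the ISO 26262-5 metrics follow as SPFM = 1 - Σ(λSPF + λRF) / Σλ and LFM = 1 - ΣλMPF,latent / Σ(λ - λSPF - λRF). PMHF is approximated by its first-order term (single-point plus residual faults); the dual-point term is omitted and noted in the code. The element names, FIT rates, coverage figures and the "add a clock monitor" change are all invented for illustration and are not data from any real device.

```python
"""FMEDA hardware-metric calculator (added example, not from the article).

Implements the ISO 26262-5 single-point fault metric (SPFM) and latent fault
metric (LFM) and a first-order approximation of the PMHF for a constructed,
hypothetical SoC. All element names, FIT rates and coverage figures are
invented for illustration; they are not data from any real device.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# ISO 26262-5 quantitative targets: (min SPFM, min LFM, max PMHF in FIT).
# 1 FIT = one failure per 1e9 device-hours. ASIL A sets no numeric target.
ASIL_TARGETS = {
    "B": (0.90, 0.60, 100.0),
    "C": (0.97, 0.80, 100.0),
    "D": (0.99, 0.90, 10.0),
}


@dataclass
class Element:
    name: str
    fit: float                    # base failure rate of the block, in FIT
    hazard_fraction: float        # share of its faults that can violate the safety goal
    dc_residual: Optional[float]  # DC of its safety mechanism; None = no mechanism
    dc_latent: float = 0.0        # DC of the mechanism that checks the checker


@dataclass
class FaultSplit:
    safe: float
    spf: float           # single-point: hazardous and no mechanism at all
    rf: float            # residual: hazardous and missed by the mechanism
    mpf_detected: float  # covered, and the mechanism itself is checked
    mpf_latent: float    # covered, but an unnoticed mechanism failure would expose it


def split_faults(e: Element) -> FaultSplit:
    """Partition an element's FIT rate into the ISO 26262 fault classes."""
    hazardous = e.fit * e.hazard_fraction
    safe = e.fit - hazardous
    if e.dc_residual is None:
        return FaultSplit(safe, hazardous, 0.0, 0.0, 0.0)
    rf = hazardous * (1.0 - e.dc_residual)
    covered = hazardous - rf
    latent = covered * (1.0 - e.dc_latent)
    return FaultSplit(safe, 0.0, rf, covered - latent, latent)


def fmeda_metrics(elements: List[Element]) -> Dict[str, float]:
    total = sum(e.fit for e in elements)
    splits = [split_faults(e) for e in elements]
    spf_rf = sum(s.spf + s.rf for s in splits)
    latent = sum(s.mpf_latent for s in splits)
    return {
        "total_fit": total,
        "spfm": 1.0 - spf_rf / total,             # ISO 26262-5 Annex C
        "lfm": 1.0 - latent / (total - spf_rf),   # ISO 26262-5 Annex C
        # First-order PMHF: single-point plus residual faults only. The
        # dual-point term (latent fault x second fault x exposure time) is
        # omitted here; it matters when the latent share is large.
        "pmhf_fit": spf_rf,
    }


def achieved_asil(m: Dict[str, float]) -> Optional[str]:
    """Highest ASIL whose three quantitative targets are all met, or None."""
    for asil in ("D", "C", "B"):
        min_spfm, min_lfm, max_pmhf = ASIL_TARGETS[asil]
        if m["spfm"] >= min_spfm and m["lfm"] >= min_lfm and m["pmhf_fit"] < max_pmhf:
            return asil
    return None


def weakest_elements(elements: List[Element], n: int = 3) -> List[Tuple[str, float]]:
    """Rank elements by SPF+RF contribution: where better coverage pays off most."""
    contrib = []
    for e in elements:
        s = split_faults(e)
        contrib.append((e.name, s.spf + s.rf))
    return sorted(contrib, key=lambda t: t[1], reverse=True)[:n]


# Constructed SoC: a lockstep CPU pair, ECC SRAM, parity-protected bus,
# a non-safety debug block, and a PLL with no monitor (hypothetical figures).
BASELINE = [
    Element("cpu_lockstep", fit=20.0, hazard_fraction=1.0, dc_residual=0.99, dc_latent=0.90),
    Element("sram_ecc",     fit=50.0, hazard_fraction=1.0, dc_residual=0.99, dc_latent=0.95),
    Element("bus_parity",   fit=10.0, hazard_fraction=0.5, dc_residual=0.90, dc_latent=0.50),
    Element("debug_trace",  fit=15.0, hazard_fraction=0.0, dc_residual=None),
    Element("pll",          fit=5.0,  hazard_fraction=1.0, dc_residual=None),
]
# Same design after adding a clock monitor on the PLL (hypothetical coverage).
IMPROVED = [replace(e, dc_residual=0.99, dc_latent=0.90) if e.name == "pll" else e
            for e in BASELINE]

if __name__ == "__main__":
    for label, design in (("baseline", BASELINE), ("with PLL monitor", IMPROVED)):
        m = fmeda_metrics(design)
        print(f"{label}: SPFM={m['spfm']:.2%} LFM={m['lfm']:.2%} "
              f"PMHF={m['pmhf_fit']:.2f} FIT -> ASIL {achieved_asil(m)}")
        print("  weakest:", weakest_elements(design))
```

On the constructed baseline the unmonitored PLL alone contributes 5 of the 6.2 FIT of single-point and residual faults, holding SPFM at 93.8% and the design at ASIL B; the ranking from `weakest_elements` points straight at it. Adding the clock monitor lifts SPFM to 98.75% and PMHF to 1.25 FIT, which clears ASIL C but still misses the 99% SPFM target for ASIL D, so the next iteration would have to look at the remaining residual faults in the SRAM and bus. This is the loop that step (2) of the FMEDA feeds: find the element with the lowest effective coverage, improve it, recompute.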

Automating FMEDA

SoC and IP developers often use sub-optimal FMEDA flows. They rely on manual analysis by expert engineers, and on effort-intensive fault injection and simulation of design models at the register-transfer level (RTL) or gate-level netlist. Some large companies develop in-house tools to automate portions of the flow. These methods are error-prone, require excessive computational resources, and entail long iteration cycles. Internal tools are hard to maintain and to roll out, as that requires providing high-quality documentation, training, and support. Engineers need structured, systematic approaches to identify failure modes, perform a quick analysis of the safety architecture to detect shortcomings and areas of low diagnostic coverage, and estimate failure-in-time (FIT) rates and the other safety metrics.
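To make the cost of "brute-force" fault injection concrete, here is an added example, not code from the article or from any vendor tool, of the kind of campaign a fault-simulation flow runs to measure the diagnostic coverage of a memory-protection mechanism. In place of an RTL model it uses a small Python model of two mechanisms named in the article, simple parity and a Hamming SECDED code over a 16-bit word, injects every combination of k bit flips into one stored codeword, and classifies each outcome as detected, corrected, masked, or undetected (silent data corruption). The 16-bit width, the 22-bit SECDED layout and the sample data value are constructed for the demo.

```python
"""Exhaustive fault-injection campaign measuring diagnostic coverage (added
example, not from the article). Models two memory-protection mechanisms over a
constructed 16-bit data word and classifies every k-bit fault the way a
fault-simulation flow would: detected, corrected, masked or undetected."""
import itertools
import math
from typing import Callable, Dict, Optional, Tuple

DATA_BITS = 16

# --- mechanism 1: one even-parity bit in bit 0 ---------------------------
def parity_encode(data: int) -> int:
    return (data << 1) | (bin(data).count("1") & 1)

def parity_decode(word: int) -> Tuple[str, Optional[int]]:
    if bin(word).count("1") & 1:
        return "detected", None      # odd number of set bits: parity violated
    return "ok", word >> 1

PARITY_WIDTH = DATA_BITS + 1

# --- mechanism 2: Hamming SECDED (single-error-correct, double-error-detect)
# Bit positions 1..N hold the Hamming code: check bits at powers of two, data
# bits in the remaining positions. Bit 0 is an overall parity bit over 1..N.
CHECK_POS = [1, 2, 4, 8, 16]
DATA_POS = [p for p in range(1, 22) if p not in CHECK_POS]   # 16 positions
N = max(DATA_POS)                                            # 21
SECDED_WIDTH = N + 1                                         # 22 bits

def secded_encode(data: int) -> int:
    word = 0
    for i, p in enumerate(DATA_POS):
        if (data >> i) & 1:
            word |= 1 << p
    for c in CHECK_POS:   # check bit c covers every position whose index has bit c set
        parity = 0
        for p in range(1, N + 1):
            if (p & c) and p != c and (word >> p) & 1:
                parity ^= 1
        word |= parity << c
    return word | (bin(word).count("1") & 1)   # overall parity into bit 0

def _extract(word: int) -> int:
    return sum(((word >> p) & 1) << i for i, p in enumerate(DATA_POS))

def secded_decode(word: int) -> Tuple[str, Optional[int]]:
    syndrome = 0
    for p in range(1, N + 1):
        if (word >> p) & 1:
            syndrome ^= p            # XOR of set positions == index of a lone flipped bit
    odd = bin(word).count("1") & 1
    if odd:                          # odd flip count: assume one flip and correct it
        if syndrome > N:
            return "detected", None  # points outside the codeword: uncorrectable
        return "corrected", _extract(word ^ (1 << syndrome))  # syndrome 0 -> bit 0
    if syndrome:                     # even flip count (>= 2) with non-zero syndrome
        return "detected", None
    return "ok", _extract(word)

# --- the campaign ----------------------------------------------------------
def campaign(encode: Callable[[int], int],
             decode: Callable[[int], Tuple[str, Optional[int]]],
             width: int, flips: int, data: int = 0xA5C3) -> Tuple[float, Dict[str, int]]:
    """Inject every `flips`-bit fault into encode(data); return (DC, outcome counts).
    DC = 1 - undetected / injected, i.e. the share of faults that cannot
    silently corrupt the data."""
    good = encode(data)
    counts = {"corrected": 0, "detected": 0, "masked": 0, "undetected": 0}
    for bits in itertools.combinations(range(width), flips):
        faulty = good
        for b in bits:
            faulty ^= 1 << b
        status, out = decode(faulty)
        if status == "detected":
            counts["detected"] += 1
        elif out == data:
            counts["corrected" if status == "corrected" else "masked"] += 1
        else:
            counts["undetected"] += 1    # dangerous: wrong data and no flag raised
    injected = math.comb(width, flips)
    return 1.0 - counts["undetected"] / injected, counts

if __name__ == "__main__":
    for name, enc, dec, width in (("parity", parity_encode, parity_decode, PARITY_WIDTH),
                                  ("secded", secded_encode, secded_decode, SECDED_WIDTH)):
        for k in (1, 2, 3):
            dc, counts = campaign(enc, dec, width, k)
            print(f"{name} {k}-bit faults ({math.comb(width, k)} injected): DC={dc:.1%} {counts}")
```

The campaign reproduces what the safety manual of such a mechanism would claim: parity detects every single-bit fault and none of the double-bit faults, while SECDED corrects all single-bit faults, detects all double-bit faults, and mis-corrects part of the triple-bit faults into silent corruption. The cost is the point: even this toy model needs C(22, 3) = 1540 injections for 3-bit faults in one word, and a gate-level netlist with millions of fault sites, multiple workloads and timing-dependent transient faults grows far beyond what exhaustive simulation can cover, which is why structural analysis and formal methods are used to prune and classify faults before any simulation runs.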

While manual analysis and “brute-force” fault simulation may have been acceptable in the early days of ISO 26262, first released in 2011, as methods mature and reach widespread adoption there is a need for high-quality tools and automated solutions that are easy to use, rigorous, and scalable. Electronic design automation (EDA) companies have extensive expertise in the automated processing of chip design models for functional verification, implementation, and other hardware development steps. They are well positioned to also automate FMEDA and other safety-compliance tasks. In fact, certain EDA companies have recently started commercialising FMEDA automation solutions that can be applied out of the box, or customised to fit specific needs and enhance existing flows. Under the hood, they leverage expertise gained from supporting multiple automotive customers, which is particularly valuable because it gives access to a variety of projects, and multiple design-analysis engines, including fault injection, formal methods, and structural analysis.

High-integrity automotive chips

Modern ASICs/FPGAs/SoCs are exposed to faults during operation. FMEDA and ISO 26262 compliance are crucial to develop high-integrity automotive ICs that are not only functionally correct and secure, but also safe with respect to random hardware failures. Automated solutions, enabled by EDA tools developed specifically for this purpose, can make the FMEDA process more rigorous while reducing its cost. New providers of automotive hardware can deploy commercial FMEDA solutions out of the box; established players may customise the technology and integrate it into their existing flows. For more information on how to automate the FMEDA process and reduce expensive fault simulation, visit onespin.com/fmeda.