The electronics content of cars is increasing rapidly. Ten years ago, perhaps 20% of the value of a car was made up of electronics. Today it is more like 35%, and in ten years’ time electronics could represent half of a car’s value – as well as enabling 90% of its innovative features. You only have to look at a Tesla, with its innovative electric powertrain, evolving autonomous driving capabilities and iPad-like controls to see where we’re heading.
More electronics means more systems-on-chip (SoCs) to design and verify, and greater competition to supply this rapidly growing market. Companies from Silicon Valley to Shanghai can design and verify SoCs, but serving the automotive market introduces constraints that IC vendors attempting to migrate from, for example, the mobile-phone sector may not be familiar with. To compete, new entrants will either have to learn very quickly, or get some help from a trusted IP vendor.
One key challenge in serving the automotive sector is incorporating functional safety for those SoCs in the safety-critical path. The automotive industry has worked long and hard to understand safety and reduce risk, in part through the development of the Automotive Safety Integrity Levels (ASIL) defined in the ISO 26262 standard. These combine the probability of exposure to a hazard, the extent to which it is controllable by a driver, and the severity of a failure to control such a hazard, into four categories, A through D. Of these, ASIL D represents the integrity level necessary in the most safety-critical circumstances.
Managing automotive safety is a holistic process – everything has to work together correctly for the system to offer the expected levels of safety protection. This means that foundational components such as embedded processors must meet the requirements of the specified ASIL. To meet ASIL D this includes a system-level requirement of fewer than 1% single points of failure. In practice this means that a processor going into an ASIL D certifiable chip must implement error checking and correction (ECC) on caches and closely coupled memories, include a watchdog timer, and operate in lockstep with a redundant core. In a lockstep implementation, two cores run the same code and include a mechanism for comparing the outputs of the two cores and flagging any discrepancies. Extensive safety documentation is also required to demonstrate that risks have been clearly identified and assessed: these documents then become a key part of the ISO 26262 certification process.
Several years ago, Synopsys introduced a Safety Enhancement Package for its ARC EM licensable processor cores, which includes hardware safety features such as ECC on memories and a lockstep interface through which users can build their own monitoring logic to check that redundant processors are in agreement at every step of program execution. While this is a help, it still leaves the SoC development team to design the comparison logic and then run it through a full verification process to demonstrate its ability to meet ASIL D standards, with documentation to match.
To accelerate the development, verification and certification process for automotive SoCs, Synopsys has now introduced the DesignWare ARC EM Safety Island IP, a set of pre-built and verified dual-core lockstep processors with an integrated safety monitor. There are four variants. The ARC EM4SI uses two 32-bit ultra-compact ARC EM4 processors, working in lockstep, with support for up to 2Mbyte of single-cycle closely coupled memories. The ARC EM6SI adds up to 32Kbyte of instruction and data caches to this spec. The ARC EM5DSI adds more than 150 DSP instructions and a MAC unit for signal processing, while the ARC EM7DSI adds up to 32Kbyte of instruction and data caches to the EM5DSI spec.
The self-checking safety monitor ensures lockstep operation, and can delay the activity of one of the redundant cores relative to the other but still compare results in the correct program counter order, to avoid potential issues related to glitches that affect both cores at once (e.g. a signal transient). There’s also hardware stack protection to check for overflow and underflow of reserved stack space – to prevent data corruption and program crashes – and a watchdog timer to help recover from deadlocks and enable countermeasures against tampering.
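The effect of the time delay described above can be seen in a small behavioral model. This is an added example, not Synopsys logic or code from the original article; the toy program, the function names and the bit-flip fault model are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define N_INSTR 16   /* length of the constructed toy program */

/* One "instruction" of a deterministic toy program (constructed). */
static uint32_t step(uint32_t state, int pc) {
    return state * 1664525u + 1013904223u + (uint32_t)pc;
}

/*
 * Run two cores on the same program; the shadow core starts `delay` (>= 0)
 * cycles after the main core. A transient at `glitch_cycle` flips the same
 * bit in both cores in the same cycle (common-mode fault); -1 = no fault.
 * Returns the pc of the first mismatch the comparator sees, or -1 for none.
 */
int lockstep_first_mismatch(int delay, int glitch_cycle) {
    uint32_t out_main[N_INSTR] = {0}, out_shadow[N_INSTR] = {0};
    uint32_t s_main = 1, s_shadow = 1;

    for (int cycle = 0; cycle < N_INSTR + delay; cycle++) {
        int pc_main = cycle, pc_shadow = cycle - delay;
        int run_main = pc_main < N_INSTR;
        int run_shadow = pc_shadow >= 0 && pc_shadow < N_INSTR;
        if (run_main) s_main = step(s_main, pc_main);
        if (run_shadow) s_shadow = step(s_shadow, pc_shadow);
        if (cycle == glitch_cycle) {      /* hits both cores at once */
            s_main ^= 0x10u;
            s_shadow ^= 0x10u;
        }
        if (run_main) out_main[pc_main] = s_main;
        if (run_shadow) out_shadow[pc_shadow] = s_shadow;
    }
    /* Comparator: results are matched by program counter, not by cycle. */
    for (int pc = 0; pc < N_INSTR; pc++)
        if (out_main[pc] != out_shadow[pc])
            return pc;
    return -1;
}

int main(void) {
    printf("delay 0, glitch at cycle 5: %d\n", lockstep_first_mismatch(0, 5));
    printf("delay 2, glitch at cycle 5: %d\n", lockstep_first_mismatch(2, 5));
    printf("delay 2, no glitch:         %d\n", lockstep_first_mismatch(2, -1));
    return 0;
}
```

With no delay, the identical corruption in both cores passes the comparison unnoticed; with a two-cycle delay the same transient lands on different instructions in each core, so the comparator flags a mismatch.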
The ASIL D ready certified ARC EM Safety Islands have been verified for both systematic and random faults to meet ISO 26262 ASIL D requirements using Synopsys’ functional safety verification tools. These tools, including Certitude qualification and VCS simulation, are available for use by customers of the ARC EM Safety Islands for full SoC verification. The Safety Island IP also comes with safety documentation, including a failure modes, effects and diagnostic analysis (FMEDA) report that eases chip- and system-level ISO 26262 ASIL D compliance.
On the software side, an ARC MetaWare Development Toolkit for Safety, including an ASIL D ready certified compiler, is available to simplify development of ISO 26262-compliant software for the processors. The toolkit includes an LLVM based C/C++ compiler, debugger and instruction-set simulator. It also includes a safety manual and a safety guide to help developers meet ISO 26262 requirements and prepare for the compliance testing of their safety-critical systems.
As the opportunity represented by the automotive sector grows, and the rate at which it innovates accelerates, competition to provide the key SoCs can only intensify. Although well-designed, carefully verified hardware is critical to achieving ISO 26262 certification, what will really set competitors apart in the automotive market will be how quickly they can meet evolving market requirements and bring a differentiated solution to the market.
The ARC EM4SI and EM5DSI Safety Islands and the MetaWare Development Toolkit for Safety are available now. The ARC EM6SI and EM7DSI Safety Islands will be available in Q2, 2017.