Why You Need ASIL Certified Processor IP For Automotive Safety Applications

The long life cycle of automotive ICs means keeping future functional safety requirements in mind.


As the electronics content in automotive safety-related systems continues to grow, there are also an increasing number of new entrants into the automotive semiconductor market. To achieve automotive safety certification, specialized hardware and software is required. With this competitive pressure and consumer demand for safer vehicles, it is more important than ever to focus on cost savings and quick time to market.

Selecting the best processor IP solution for automotive ICs
IC designers and architects of safety-critical automotive designs often start with a difficult choice:

  1. Choose IP that is designed for automotive but isn’t an exact fit for the specific application, which adds unwanted area and development time to the IC design, or
  2. Choose IP that meets the requirements of the design but that then needs to be retrofitted for the strict demands of automotive safety specifications, which leads to more resources and development time

The safety level required for an IC targeting automotive safety applications determines the features needed in the selected IP. It’s also important to keep an eye on trends that may impact future ASIL requirements, since ICs have a long life cycle in the automotive market. For example, an advanced driver assistance system (ADAS) IC that today simply provides the driver with information only requires ASIL B certification. However, if in the future that IC is making safety-critical decisions for the driver, it is likely to require ASIL D certification. The fault metric requirements for ASIL D are more stringent than those for ASIL B, which impacts the design requirements (see Table 1).


Table 1 – Fault metrics associated with ISO 26262 ASIL levels.

Using ASIL D Ready certified processor IP will provide the required safety features to meet the most stringent functional safety requirements, along with the necessary verification for systematic and random faults. Certified IP can save 6-12 months of intensive design and verification effort. Processor IP that is highly configurable offers automotive chip designers additional flexibility in meeting the various levels of ASIL certification, such as whether or not to implement parity or ECC, or the option of instantiating a lockstep interface. A high degree of configurability also allows the same processor to be used in multiple applications and across a line of products with different technical requirements, all while maintaining software compatibility. Since software development, verification and maintenance are such a large portion of overall development costs, maintaining compatibility increases return on investment while incurring no area/margin penalties.

Low-power, compact processors for safety-critical applications
In the past, if designers needed a compact, microcontroller-class core they had to either make it themselves or adapt a core built for consumer applications. This came at the cost of many staff-years of effort and required the right expertise in functional safety design and verification. Synopsys’ DesignWare ARC EM processors with Safety Enhancement Package (SEP) fill this gap by providing processor IP designed and verified for the most stringent ASIL safety levels to ensure compliance with the ISO 26262 standard. Like all ARC processors, EM processors are also highly configurable and extensible (e.g., user-defined instructions can be added), giving designers the ability to customize and optimize each instance of the same code-compatible core to the application requirements.

For ASIL D applications, processor cores in the safety-critical path typically need to operate in a lockstep mode. This requires a second “shadow” core and a monitoring function that compares the outputs of the two cores to detect whether a fault has occurred. Of course it’s not as simple as it sounds – there is shared memory, the signals need to be accessible to the monitor function, and it’s important to account for potential failures caused by events that could affect both cores at the same time. Even a processor core that has the required hardware safety features still requires the user to perform a non-trivial amount of work to build and validate a lockstep configuration.

Dual-core lockstep safety islands
Synopsys is addressing this need with ARC EM Safety Island IP, a dual-core processor lockstep implementation that includes an integrated self-checking safety monitor to check that the cores are operating in lockstep and are delivering identical results (Figure 1). The EM Safety Islands are pre-built and verified, simplifying design effort and accelerating the certification process.


Figure 1 – Example dual-core lockstep implementation with integrated safety monitor.
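To make the lockstep and safety-monitor mechanism described above concrete, here is an added C simulation; it is not Synopsys code and does not model the ARC EM Safety Island's actual monitor. A toy accumulator core runs beside a shadow copy and a comparator, a single-bit fault is injected at a chosen cycle, and the `delay` parameter models temporally offset (delayed) lockstep, a common way to address the simultaneous-event concern raised in the text; the program words and the fault are constructed data.

```c
#include <stdint.h>
#include <stdio.h>

#define N_STEPS 8

/* Toy accumulator core: each instruction folds one program word into acc.
   Constructed program data; the op is a bijection on 32-bit state, so a
   corrupted state never silently re-converges with the clean one. */
typedef struct { uint32_t acc; int pc; } core_t;
static const uint32_t program[N_STEPS] = {3, 5, 7, 11, 13, 17, 19, 23};

static uint32_t core_step(core_t *c) {
    c->acc = c->acc * 31u + program[c->pc++];
    return c->acc;                      /* value presented to the monitor */
}

/* Run the main core and a shadow core that lags by `delay` cycles.
 * The monitor compares the main core's output for instruction i (held in
 * a delay buffer) with the shadow core's output for the same instruction.
 * At wall-clock cycle `fault_cycle` one bit of the main core's state is
 * flipped; with common_cause set, the shadow core is hit at the same cycle,
 * modelling an event that affects both cores simultaneously.
 * Returns the number of cycles on which the monitor flagged a mismatch. */
int run_lockstep(int delay, int fault_cycle, int common_cause) {
    core_t main_core = {0, 0}, shadow = {0, 0};
    uint32_t out_main[N_STEPS];         /* delay buffer for main outputs */
    int mismatches = 0;
    for (int t = 0; t < N_STEPS + delay; t++) {
        if (t == fault_cycle) {
            if (main_core.pc < N_STEPS) main_core.acc ^= 1u;
            if (common_cause && t >= delay) shadow.acc ^= 1u;
        }
        if (t < N_STEPS) out_main[t] = core_step(&main_core);
        if (t >= delay) {               /* shadow executes instruction t-delay */
            uint32_t out_shadow = core_step(&shadow);
            if (out_main[t - delay] != out_shadow) mismatches++;
        }
    }
    return mismatches;
}

int main(void) {
    printf("single fault, delay 0:       %d mismatches\n", run_lockstep(0, 3, 0));
    printf("common-cause fault, delay 0: %d mismatches\n", run_lockstep(0, 3, 1));
    printf("common-cause fault, delay 2: %d mismatches\n", run_lockstep(2, 3, 1));
    return 0;
}
```

With no offset, an identical flip hitting both cores in the same cycle leaves the comparator seeing matching outputs, which is exactly the class of failure that output comparison alone cannot catch; the offset turns the same event into a visible mismatch.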

Meeting the requirements of automotive safety-critical applications adds to the cost, complexity, and timeline of designing ICs. By selecting pre-verified ASIL D Ready certified processor IP solutions that are also configurable, designers will be able to meet aggressive area and time-to-market targets with a highly competitive automotive product.