Achieving ISO 26262 Certification With High-Performance Processors

Utilizing ASIL-ready IP processor designs is an important step toward functional safety.


Automotive technology has progressed rapidly, and the day when fully autonomous vehicles are prevalent on the roadways is not that far in the future. For driverless vehicles to become the norm, however, safety is paramount, and advanced driver assist systems (ADAS) must adhere to the ISO 26262 functional safety standard for electrical and/or electronic systems in automobiles to ensure the safety of the passengers, as well as people in the vicinity. Advances in ADAS capabilities are being enabled by the growing volume and complexity of the electronics in cars and by rapid developments in high-performance microprocessors. As processor architectures are refined and move down the process curve, performance capabilities increase, enabling the creation of sophisticated systems that can analyze conditions in and around the vehicle and make accurate decisions based on those conditions. The ISO 26262 standard, when applied to the microprocessors and systems in cars, helps avoid or control systematic failures and control or mitigate random hardware failures and their effects.

ADAS: A requirement for the changing automotive market
An overwhelming majority of car accidents are caused by human error, which can be reduced by many of the automated tasks that are being integrated into automobiles. Today, ADAS systems alert drivers to potential problems (for example, blind spot warning) and take over control of the vehicle in some situations (collision avoidance). Adaptive cruise control and lane-keeping assist are available in cars today to reduce driver stress. As these capabilities advance, they will take over more and more of the operation of cars until the driver is no longer needed. The availability of fully autonomous vehicles is not far away, and this will mean the deployment of thousands of processors in each car within just a few years.

Automotive ADAS design challenges
Electronics in cars today account for 35% of the cost to build the vehicle. By 2030 this will rise to 50%, with a large portion of that devoted to autonomous driving functions. With vehicles having more control over driving tasks, the safety of the occupants in the vehicle will be dependent on the proper functioning of the electronic systems. The increasing levels of electronics for functional safety need to be balanced against cost.

The ISO 26262 functional safety standard for electronic systems in cars was established in 2011 and defines four Automotive Safety Integrity Levels (ASILs) based on a hazard analysis and risk assessment of the harm to which a malfunctioning system would expose the vehicle's occupants. For example, an electronic steering system, whose failure would have a catastrophic effect on occupants, would carry an ASIL D classification (the highest level), while a rear-view camera might carry an ASIL A classification (the lowest level). The goal of ASIL classification is to minimize susceptibility to random hardware failures by defining functional safety requirements and then taking the necessary design measures to prevent those failures or to minimize their impact if they occur. Devices developed under the ISO 26262 standard must meet specific goals for testing the hardware and the safety mechanisms implemented in that hardware, as well as in the software that runs on it.

ASIL D implementation for critical systems
As systems in automobiles become more important for functional safety, they require higher levels of ASIL certification. Semiconductor and system developers can ease their certification efforts by using processor IP (and other IP in their design) that is either ASIL certified or ASIL ready for the level of ASIL certification that they need to meet for their product. An ASIL D implementation using ARC HS processors that was used in a vision application is shown in Figure 1. An HS38x4 quad-core processor configuration was used to meet the application’s very high-performance requirement. To meet the ASIL D coverage requirements the HS38x4 was lock-stepped with an HS38x4 shadow core. This pair was connected via a safety monitor to a safety manager that is outside the HS38x4 core. The safety manager monitors the core and other processors on the device and reports any problems to the host processor. The HS38x4 also included error injection hardware for safety testing.

Figure 1: ARC HS quad-core ASIL D Ready implementation

Error correction support is included for all the internal memories: L1 cache, L2 cache, closely coupled memory, and the MMU Joint Translation Lookaside Buffers (JTLBs). The error correcting code (ECC) also protects the interface buses to the rest of the SoC. The ECC logic is non-intrusive to the processor pipeline, so performance is maintained.

The lockstep monitoring on the HS38x4 is implemented with a shadow secondary core whose results are compared against those of the main core. The safety monitor that is connected to both the main and shadow cores continuously runs diagnostics with compare logic to verify functionality and report errors to the system. The safety manager that is outside of the HS38x4 core gets input from the safety monitor in the HS processor and from other sources in the SoC and reports these to the host processor. The safety manager controls the HS38x4 cluster “safety” bring-up and the boot-time LBIST and MBIST (logic and memory built-in self-test) control.
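The lockstep arrangement described above (main core, shadow core, safety monitor compare logic, safety manager, and error injection for testing the mechanism), as a constructed software model added here; it is not Synopsys code, and the core workload, the input words, and the data structures are hypothetical. Injecting a single bit flip into the shadow core's state shows why the monitor's report matters: once the two cores diverge they do not reconverge on their own, so every later cycle also mismatches until the safety manager intervenes.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed lockstep model (not Synopsys RTL): main and shadow cores run the
   same step, a safety monitor compares their outputs each cycle and reports any
   mismatch to a safety manager; error injection flips one bit of shadow state. */
#define MAX_CYCLES 8u

typedef struct { uint32_t acc; } core_t;   /* architectural state compared */
typedef struct {
    unsigned faults_reported;   /* mismatches reported by the monitor */
    unsigned first_fault_cycle; /* MAX_CYCLES if no fault was seen */
    uint32_t last_diff;         /* main XOR shadow at the last mismatch */
} safety_manager_t;

static const uint32_t input[MAX_CYCLES] = {   /* constructed input words */
    0x11223344u, 0x0badf00du, 0x00000001u, 0xffffffffu,
    0x5a5a5a5au, 0x12345678u, 0x80000000u, 0xcafebabeu };

/* One hypothetical pipeline step: a running hash. Multiplying by an odd
   constant is a bijection mod 2^32, so diverged states never reconverge. */
static uint32_t core_step(core_t *c, uint32_t in) {
    c->acc = (c->acc * 31u) ^ in;
    return c->acc;
}
/* Safety monitor compare logic; returns 1 when both cores agree. */
static int monitor_compare(uint32_t m, uint32_t s, unsigned cycle, safety_manager_t *mgr) {
    if (m == s) return 1;
    if (mgr->faults_reported++ == 0) mgr->first_fault_cycle = cycle;
    mgr->last_diff = m ^ s;
    return 0;
}
/* Run n cycles (n <= MAX_CYCLES), flipping inject_bit of the shadow state at
   inject_cycle; inject_cycle >= n gives a fault-free run. */
safety_manager_t run_lockstep(unsigned n, unsigned inject_cycle, unsigned inject_bit) {
    core_t main_core = {0}, shadow_core = {0};
    safety_manager_t mgr = { 0, MAX_CYCLES, 0 };
    for (unsigned cycle = 0; cycle < n && cycle < MAX_CYCLES; cycle++) {
        uint32_t m = core_step(&main_core, input[cycle]);
        uint32_t s = core_step(&shadow_core, input[cycle]);
        if (cycle == inject_cycle) s = (shadow_core.acc ^= 1u << (inject_bit & 31u));
        monitor_compare(m, s, cycle, &mgr);
    }
    return mgr;
}

int main(void) {
    safety_manager_t r = run_lockstep(MAX_CYCLES, 5, 3);   /* inject at cycle 5 */
    printf("faults=%u first=%u diff=0x%08x\n", r.faults_reported, r.first_fault_cycle, r.last_diff);
    return 0;
}
```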

Adapting IP processor designs for ISO 26262
ASIL capabilities were added to the ARC HS processor during the initial development of the processor, as shown in Figure 2. An ISO 26262 safety plan was developed at the time that the core specification was written. The design team established the hardware safety requirements and safety goals, and designed the required hardware safety features into the HS processor RTL. The safety features are fully documented and included in the safety documentation for the core. Full ISO 26262 support for the processor requires module design verification and validation with fault injection and coverage analysis, resulting in an FMEDA (Failure Modes, Effects and Diagnostic Analysis) report that is also included with the safety documentation.

Figure 2: Adapting IP Processor Designs to ISO 26262

The HS processor needs to be programmed by the user for their application. This can be done using the MetaWare Development Toolkit, which includes a C/C++ compiler, a debugger and an instruction set simulator. The MetaWare compiler is ASIL D Ready Certified, which simplifies the development of ISO 26262 compliant code. The compiler includes a MetaWare Safety Manual and MetaWare Safety Guide, together with the software tool criteria evaluation report and software tool qualification report.

Automotive capabilities for advanced driver assist systems are advancing rapidly because of the potential they offer to enhance safety and simplify the driving process. ADAS systems are being enabled by advanced high-performance processors like Synopsys’ ARC HS family, which supports the ISO 26262 standard, and can be used to obtain the appropriate level of ISO certification for the systems into which they are built. By offering a range of ISO 26262 certified and certifiable IP and tools, Synopsys is making it easier for SoC designers and automotive OEMs to implement the full range of automotive products needed for advanced ADAS and autonomous applications.
