Auto Reliability At The System Level

Carmakers and chipmakers are approaching autonomous vehicle design from very different perspectives, and while they both talk about safety and reliability as the end goals, they have widely divergent ideas about how to get there.

All of this is just beginning to come into focus as carmakers vie for leadership in the autonomous vehicle space, and much of it appears to hinge on the definition of a system and the starting point for how to build that system. For automotive companies, a vehicle is a collection of electronic subsystems that can be updated and easily replaced by something equivalent. The ability to swap out electronics ultimately will allow them to play off one supplier against another, which traditionally has been their approach to driving down the cost of cars and making them affordable to consumers. If a base model vehicle requires $30,000 worth of electronics to adhere to ISO 26262 and ASIL D standards, that will put it well out of the reach of most consumers.

This becomes particularly important with autonomous vehicles because differentiation will be based on comfort, cabin electronics and cost. If vehicles are only traveling at the speed limit, then it really doesn’t matter if it can go from zero to 60 MPH in less than two seconds. What matters is the ride, the range per charge, and the cool new features. In fact, buying a car may be more like choosing a smart phone than a car today. And if one carmaker offers better features than another for the same or less money, they win.

Chipmakers are concerned about cost, too, although for a different reason. They want to sell more electronics into vehicles. But they’re equally concerned about reliability of systems on a much larger scale. Most chipmakers point to the avionics industry as the example of how to build a safety critical system, where redundancy has been remarkably effective in preventing accidents. (Contrary to best practices, one of the issues under investigation in the recent Boeing 737 crashes is whether those jets had a single point of failure.)

But redundancy is expensive. In the case of a jet, which sells for millions of dollars, adding an extra $10,000 into a design for safety reasons is a modest price to pay. In the case of cars, it can make the difference between a successful model and a market disaster. Moreover, redundancy adds weight, and weight reduces range in electric vehicles. This is why carmakers are considering removing bumpers from cars as autonomous vehicles begin to dominate the roadways. There shouldn’t be any accidents.

But failover into other systems is an unproven approach. While ISO 26262 requires electronics to fail gracefully, it’s not entirely clear if another electronic control unit can drive a car or take over the engine functions in case of a malfunction or defect. What may make more sense is breaking up these units into collections of smaller processors, so in case of a failure in one area there is still enough processing power left to drive in “safe” mode.

This can be done using heterogeneous processors, or with homogeneous processors, and it can be done with error-correcting memory or redundant banks of memory. The question is how tightly these can be integrated, and what kinds of packaging will be required to avoid a performance hit.

In a presentation at the Autonomous Vehicle Hardware Summit this week in San Jose, Hideki Sugimoto, CTO of HSITEXE (a wholly owned subsidiary of Denso, a tier-1 automotive supplier), said that efficiency is important, but performance is critical. He also said that chips need to be more generic in order to reduce the cost, and stressed that solutions need to be done at the system level.

There are plenty of options in the semiconductor world, from new materials to advanced packaging to custom and generalized failover options. But ultimately this may come down to system-level priorities and architectures. At this point, it’s not at all clear which approach will win.