Building In Functional Safety At The Lowest Hardware Levels Supports Autonomous Driving’s Future

Adoption trends in current ADAS design blaze a trail for resilient, high-performance computing using a distributed, configurable SoC interconnect.


Long before automotive electronic system designers chose artificial intelligence and machine learning as the path toward autonomous driving, it was clear that the high-performance computing platforms typically found in data centers were not going to provide all the answers. Automotive system designers place more emphasis on functional safety and resilience, which data centers generally do not require to the extent that vehicle manufacturers demand.

To balance high performance and functional safety, system-on-chip devices (SoCs) designed for autonomous driving and advanced driver assistance systems (ADAS) required a new approach. Software-only safety solutions proved inadequate because they consumed too much processing power that could be used for other functionality, and they increased system latency, which made it difficult for automotive systems to deliver near real-time responses. Implementing safety and resilience mechanisms within the lowest level of SoC hardware addresses these weaknesses in software-only solutions and is the most scalable means to ensure functional safety and the performance of passenger vehicle electronic systems.

Safety Enabler: The SoC Interconnect

The on-chip interconnect in the SoC design blazes a path for designers to deliver high performance and functional safety in equal proportions to meet the requirements of ISO 26262, the functional safety standard for automotive electrical and electronic systems followed by all companies participating in the supply chains of high-volume production passenger vehicles. As more electronics are added to cars, more SoCs are being designed to reduce the price and increase the performance of electronic functions. The most extreme example of this has been the invention of ADAS, which use highly complex, supercomputer-like SoCs to perform millions of near real-time calculations in parallel.

Fig. 1: On-chip interconnects provide communications between all the IP blocks on a chip. They can handle both coherent and transactional semantics, and they provide ideal opportunities to implement functional safety mechanisms that protect the entire chip.

Several leading ADAS systems have implemented functional safety mechanisms by using the on-chip interconnect. The designers of those systems have learned that the next generation of designs, which will be the “brains” for autonomous driving systems, will be even more complex than ADAS. These future autonomous driving systems will require the following:

1. Hardware Acceleration–Even more types and numbers of specialized hardware accelerators. Optimizing the communications between these disparate processing elements in a way that keeps the on-die memory area within reason will require interconnects that implement heterogeneous cache coherency.
2. Higher Safety–Even greater safety, including increased diagnostic coverage through novel hardware safety mechanisms, to reach the next level of safety required for autonomous systems, which is known as ISO 26262 Automotive Safety Integrity Level D (ASIL D).

Heterogeneous cache coherence
As the leading ADAS design teams have advanced into the autonomous driving frontier and created systems with tens or hundreds of different hardware accelerators, they have found that cache coherency can be extended throughout the SoC design with innovative interconnect technology. This approach has been preferred over a single, stationary cache controller IP block because it is both distributed throughout the design and highly configurable. As a result, it is easier to implement within the existing floor plan channels during the place-and-route and physical synthesis processes.

Fig. 2: Cache coherent interconnects can provide communications between previously incompatible hardware accelerators and CPU processing clusters. Integrated functional safety mechanisms increase safety and diagnostic coverage for the entire SoC.

Cache coherence is gaining momentum in automotive SoC design because of the system requirements demanded by automobile manufacturers. To balance performance, safety, and power consumption, SoC interconnect IP should implement coherency using the following technologies:

• Proxy caches, which allow non-coherent processing elements (e.g., hardware accelerators for machine learning) to participate as coherent peers in the cache coherent system. This capability is used by design teams to simplify software and hardware scaling when using multiple custom processing elements for pipelined hardware architectures, such as those commonly implemented in neural networks.
• Coherent memory cache (CMC), which is a configurable cache that can be applied as the last level cache (LLC). CMCs use significantly less area than a traditional inclusive LLC while providing the same benefits.
• Multiple configurable snoop filters, which can optimize the snooping bandwidth based on the latency and bandwidth requirements of the system.

Functional Safety Mechanisms for ISO 26262 Compliance
Even after implementing heterogeneous cache coherency, designers of autonomous driving SoCs and ADAS SoCs must still meet the ISO 26262 specification. Designers are learning that specific hardware capabilities implemented within highly complex systems help them achieve the highest automotive safety integrity level, which is ASIL D.

These capabilities include the following:

• Data protection. This is required for data links and internal memories, including ECC (SECDED) and parity. Die area tradeoffs are made during implementation, but some designers are finding that a balanced and distributed approach with just ECC or parity protection is sufficient to meet lower ASILs.
• Intelligent hardware duplication. Compared to a system that duplicates nearly 100% of SoC functionality, an intelligent approach only duplicates the hardware elements of the interconnect that affect the content of data communication. Substantial die area, bandwidth, and latency benefits are involved in implementing the intelligent option. Hardware duplication within an interconnect is usually required to meet the highest ASILs.
• Integrated hardware safety controller. With sophisticated built-in self-test (BIST) and error reporting capabilities required by automotive system designers, this capability is required to meet any ASIL. It analyzes and reports errors found by the data protection and hardware duplication safety mechanisms within a system.
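
The SECDED behaviour named in the data protection item, as an added example that is not from the original article or from any interconnect product: a (13,8) extended Hamming code over one byte that corrects a single flipped bit, reports a double flip instead of miscorrecting it, and shows that a lone parity bit misses the double flip. The bit layout, function names and injected fault patterns are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed example: SECDED over one byte with a (13,8) extended Hamming code.
   Bit 0 = overall parity, bits 1,2,4,8 = Hamming check bits, the rest = data. */
enum ecc_status { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE };
static const int DATA_POS[8] = {3, 5, 6, 7, 9, 10, 11, 12};

/* XOR of the positions (1..12) of all set bits; zero for a valid Hamming word. */
static unsigned syndrome(uint16_t cw) {
    unsigned s = 0;
    for (int p = 1; p <= 12; p++) if ((cw >> p) & 1) s ^= (unsigned)p;
    return s;
}

/* Parity of the whole word; this alone is what a parity-only link would check. */
unsigned parity16(uint16_t v) {
    unsigned p = 0;
    for (; v; v >>= 1) p ^= v & 1u;
    return p;
}

uint16_t secded_encode(uint8_t data) {
    uint16_t cw = 0;
    for (int i = 0; i < 8; i++) if ((data >> i) & 1) cw |= (uint16_t)(1u << DATA_POS[i]);
    unsigned s = syndrome(cw);                /* check bits cancel the data syndrome */
    for (int k = 0; k < 4; k++) if ((s >> k) & 1) cw |= (uint16_t)(1u << (1 << k));
    return cw | (uint16_t)parity16(cw);       /* make overall parity even */
}

enum ecc_status secded_decode(uint16_t cw, uint8_t *out) {
    unsigned s = syndrome(cw), odd = parity16(cw);
    if (s && !odd) return ECC_UNCORRECTABLE;  /* two flips: detect and report, do not guess */
    if (s > 12) return ECC_UNCORRECTABLE;     /* syndrome outside the word: 3+ flips */
    if (odd) cw ^= (uint16_t)(1u << s);       /* s == 0 means the parity bit itself flipped */
    *out = 0;
    for (int i = 0; i < 8; i++) if ((cw >> DATA_POS[i]) & 1) *out |= (uint8_t)(1u << i);
    return (s || odd) ? ECC_CORRECTED : ECC_OK;
}

int main(void) {
    uint16_t good = secded_encode(0xA5), flips[3] = {0x0000, 0x0040, 0x0240};
    for (int i = 0; i < 3; i++) {             /* constructed faults: none, one flip, two flips */
        uint8_t d = 0;
        enum ecc_status st = secded_decode(good ^ flips[i], &d);
        printf("flips=0x%04x parity_alarm=%u ecc_status=%d data=0x%02x\n",
               (unsigned)flips[i], parity16(good ^ flips[i]), (int)st, (unsigned)d);
    }
    return 0;
}
```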

Fig. 3: Interconnect logic can be protected by comparing the outputs between two instances of a logic block. The key to area, power, and performance efficiency is to only duplicate specific logic that is required to guarantee safety.

The elements of successful SoC architectures for automotive systems are changing and evolving. Much like homogeneous cache coherency for similar processing clusters changed the game for mobile systems, heterogeneous cache coherency and functional safety features implemented in the SoC interconnect will propel the industry forward into the era of autonomous driving.
