Ensuring Functional Safety For Automotive AI Processors

Safety is critically important across the automotive, industrial, and aerospace and defense industries. For instance, Cadence’s work with Hailo illustrates how advances in semiconductor technology and EDA deliver safe electronics without compromising low power and cost.

Hailo’s automotive webpage starts with the words “The pursuit for ‘vision zero,'” reflecting that European road fatalities—while having decreased to about 25,000 per year in 2017—are still primarily caused by human errors, which account for 90%. EDA and advances in semiconductor technology are critical components for increasing safety capabilities, including automated driving assistance systems (ADAS) and the trend towards autonomous vehicles. Safety ratings like the EURO NCAP are great examples of how consumers demand safety and make it part of their priorities in adopting new technologies.

The Hailo-8 AI processor is an advanced device for AI acceleration in automotive, providing up to industry-leading 26 TOPS while maintaining an unprecedented area and power efficiency. Achieving the area and power goals was of prime importance while also achieving ASIL-B functional safety goals required to qualify for the automotive market. The reason being, Hailo-8’s main role in an ADAS ECU is to act as a co-processor (or co-processors), boosting performance to handle AI-centric tasks, such as perception, while fully meeting functional safety requirements.

Fig. 1: Centralized/zonal ADAS ECU architecture featuring Hailo-8.

Hailo and Cadence partnered closely to develop innovative mechanisms to achieve the safety goals with minimal area and power overhead using the specifics of the Hailo-8 architecture. The initial requirements analysis uncovered some significant challenges to attaining ASIL-B and AEC-Q100 certification. Hailo’s proprietary NN (Neural Network) core dominated the design and contained on-chip memory which required special attention. Patented unique safety provisions were implemented in the Hailo-8 design.

The teams assessed and refined the intended safety architecture in close collaboration and developed a technical safety concept. The four-phase project included preparation, architecture development, design, and transfer of information for follow-on projects.

During the preparation phase, Cadence provided a safety plan template and adjusted it to the needs of the design in collaboration with Hailo.

In the architecture phase for failure modes, effects, and diagnostics analysis (FMEDA), the team developed early estimations of metrics for random HW failures. They created an innovative and efficient memory protection scheme with significantly less area consumption than parity and ECC schemes added to the NN core. In addition, the team developed a protection scheme for the logic reducing redundant processing within the NN core to a minimum. The safety concept included safety elements out-of-context (SEooC) for the design, including safety measures for non-automotive qualified IP. At the end of the architecture phase, the external certification organization reviewed the concepts, confirming no gaps in the proposed safety architecture.

Next, during the design phase, the team verified the safety implementation with Cadence’s simulation and formal verification offerings. It corrected all defects uncovered with fault injection runs before freezing the design. Management tracked the progress using ongoing safety reports and regular review, eventually resulting in a safety manual for documentation. Finally, Cadence transferred all FMEDA safety planning, simulation, and formal analysis tools to Hailo for ongoing tracking and maintenance.

Fig. 2: Safety flow diagram.

The team was able to do early estimates of the safety metrics for the Hailo-8 based on a predecessor design, which enabled proper planning of the required safety mechanisms. It helped ongoing updates with relatively low effort, keeping track of safety metrics during chip development. In partnering closely, the Cadence services experts de-risked the tool adoption for Hailo and ensured the quality of results and know-how transfer.

In supporting the verification of standards compliance like ISO 26262 for automotive and IEC 61508 for industrial applications and providing certified building blocks for SoCs, EDA is a key enabler to achieve safe and secure electronics. Ori Katz, VLSI director and safety manager at Hailo, stated that “ASIL-B process and safety architecture were critical requirements in the development of our advanced AI processor when addressing automotive applications. The Cadence Safety Solution helped us achieve these goals by allowing us to perform early estimations of the safety metrics based on a predecessor design, enabling proper planning for safety mechanisms.”

Users can find more information on the Hailo-8 AI Edge processor on their website. It is an AEC-Q100 Grade 2 automotive AI accelerator, which is compliant with ISO 26262 ASIL-B specifications.