Functional Safety Issues Rising

Cost and time spent in simulation and test grow as more chips are developed for automotive, industrial and medical markets.


Developing semiconductors for safety-critical markets such as automotive, industrial and medical involves a growing list of extra steps that need to be taken pre- and post-manufacturing to ensure product integrity, reliability and security.

This is causing several significant changes:

• Designs are becoming much more complicated because they require such features as failover and redundancy.
• Designs are undergoing multiple changes prior to production because specifications and standards are either still in development or constantly being updated.
• Systems involving functional safety are becoming much more expensive because the cost of verifying, testing and manufacturing these devices is going up.

Because these markets require more accountability, it also is taking longer for companies to see a return on their investments, and there are no guarantees that when a chip or a system is designed it will actually comply with requirements when it finally reaches production. This is particularly true for automotive, where much of the technology is brand new and constantly being reviewed and revised to optimize it or reduce costs.

“Automotive has the highest production numbers for any of these markets,” said Joe Dailey, functional safety manager at Mentor, a Siemens Business. “What they’re trying to do now is make a product that will work across multiple platforms to keep R&D down and add optimization and features to that. Time to market is shrinking, and they’re much more focused on re-use and optimizing IP.”

Still, there is no shortage of companies vying for a piece of this market. For companies that can win a socket or a place in the overall system, it can have a long-lasting payoff. But winning is another matter, because developing a chip for automotive, industrial or medical markets is far different than developing a chip for a smart phone or a consumer device.

“Automotive is perceived to be a lucrative market, and we’re seeing new companies jumping in from the U.S. and China,” said Ty Garibay, CTO of ArterisIP. “Others are getting into new variants of the market who are historically familiar with automotive. The question for any of these companies is whether the skills they’ve developed in other markets, such as microcontrollers or deeply embedded processors, will be extensible to multi-core processors and accelerators, and whether any companies can keep up with changing specs.”

Ranjit Adhikary, vice president of marketing at ClioSoft, is watching a similar scenario unfold from the IP side. “A lot of these companies are using internal spreadsheets to track IP. There are a lot of intricacies of qualifying that IP. In automotive, integration is more rigorous and there are multiple vendors you have to work with.”

Security matters
Getting in the door of these markets is just the beginning. There are layers of new regulations being added into all of the functional safety markets on a regular basis. A key driver of those updates and changes is security, an enormous and growing problem. While security is considered an add-on in many markets, it can have a direct bearing on safety in cars driving down the highway at high speed or machinery used in an industrial facility such as a nuclear power plant or an oil refinery.

“The biggest challenge we see is the software,” said Craig Hurst, executive director of FASTR (Future Of Automotive Security Technology Research), a non-profit industry research group founded last year by Intel, Aeris and Uber. “Can you even produce a full manifest of software’s origin? This is an extreme exercise for some OEMs. There are 100 million-plus lines of code in vehicles. The entire supply chain needs to be engaged in this.”

There also needs to be a definition of what is an acceptable level of risk, he said. “If you look at the medical industry, they have defined acceptable parameters. The automotive industry needs to quantify and comprehend what this entails because there may never be a 100% secure vehicle. It comes down to understanding risk factors and motivations.”


Fig. 1: Security risks across the automotive supply chain. Source: FASTR

Security in most systems is a function of limiting access to communications channels and making sure there are no aberrations in that data. And this is where the biggest opportunities are for chipmakers with deep expertise in this area.

“There are wired and wireless ways to infiltrate a system,” said Andrew Klaus, director of automotive business development and architecture at Marvell. “At the chip level, you want to make sure all the data gets through that’s supposed to get through, and that packets that are not supposed to be there do not get into the system—or that you cannot mess up packets that are there.”

He said this requires a combination of secure hardware configurations to close off outside access, deep packet inspection, as well as blacklisting and whitelisting of data. In effect, it requires a full security implementation of six of the seven layers of the OSI communications stack. The first layer is considered too hard to hack using today’s tools, although that could change.


Fig. 2: The Open Systems Interconnection (OSI) standard communications model. Source: Webopedia

“This is happening in other industries, as well,” Klaus said. “In the home, you already have network address translation where you put up a firewall. And in industrial, you want plug-and-play for anything you connect. But in automotive, you need a fixed architecture. There is no plug-and-play. You know that ‘port 3’ may go to the tire sensor and you only want a maximum of 1 megabit of data, for example, in this format. Anything else trying to access the system needs to be shut out.”
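The fixed-architecture rule described above can be modeled as a default-deny table keyed by switch port. This is an added sketch, not code from Marvell or from the article; the frame-type value `0x10`, the one-second burst budget and the names `PortPolicy`, `make_policy` and `admit` are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class PortPolicy:
    """What one switch port may carry. All values here are constructed."""
    device: str           # the single device wired to this port
    frame_type: int       # the only frame format accepted on this port
    max_bits_per_s: int   # bandwidth ceiling for the port
    tokens: float = 0.0   # remaining bit budget (token bucket)
    last_t: float = 0.0   # time of the previous frame, in seconds

    def __post_init__(self):
        # Start with a budget equal to one second of allowed traffic.
        self.tokens = float(self.max_bits_per_s)

def make_policy():
    # Fixed architecture: every port is declared up front, nothing is learned
    # at runtime. Port 3 -> tire sensor, 1 Mbit/s, one format (0x10 is made up).
    return {3: PortPolicy("tire-sensor", frame_type=0x10, max_bits_per_s=1_000_000)}

def admit(policy, port, frame_type, payload, now):
    """Return (allowed, reason) for one frame arriving on `port` at time `now`."""
    p = policy.get(port)
    if p is None:
        return False, "unknown port"        # default deny: no plug-and-play
    if frame_type != p.frame_type:
        return False, "unexpected format"   # wrong format for this port
    # Refill the bucket at the port's rate, capped at one second of traffic.
    elapsed = max(0.0, now - p.last_t)
    p.tokens = min(float(p.max_bits_per_s), p.tokens + elapsed * p.max_bits_per_s)
    p.last_t = now
    bits = len(payload) * 8
    if bits > p.tokens:
        return False, "rate exceeded"       # over the per-port ceiling
    p.tokens -= bits
    return True, "ok"
```

Each rejection reason is worth logging separately: an unknown port or unexpected format on a wired, fixed network is a stronger anomaly signal than a brief rate overrun.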

There are a number of vendors providing solutions to these challenges. Marvell’s approach is hardware-based packet filtering. Arm’s is to secure the chip’s fundamental boot-up as well as the compiler software.

“People want adaptive cruise control and lane departure warning technology,” said Paul Black, product manager for Arm compilers. “On the other hand, there is a lot of legacy software. Every manufacturer has been developing engine control software for 20 years. But standards are changing, and security is one of the prime drivers of that change. If the software is not secure, the system cannot be safe.”

While it is impossible to completely eliminate the risk, most companies believe it will be manageable. The bigger problem will be on the machine learning/AI side for a system’s centralized logic.

“With the code that is built, there is an audit trail, so you can analyze how it was built and test it,” Black said. “But with code generated in other ways, it will be very challenging. You have a vast resource of test cases in automotive. The question is how well has it been tested and how sure are you that you’ve covered a sufficient number of test cases. There is a lot you can do with simulation, even with a unique sequence of events, and you can build up a mass quantity of corner test cases, particularly in automotive. But this also will apply to train lines, robotics and medical devices, where there are fewer test cases.”

Another challenge, and one that is less obvious, is getting companies to utilize security when it is available.

“Many chip providers are including decent security in their hardware, but OEMs aren’t using it,” said Asaf Ashkenazi, senior director of product management in Rambus’ Security Division. “Almost all chips today provide some level of security for free, such as encrypt capabilities. But how to translate that into software, and especially how to integrate that into the cloud, is difficult. So what you see is a lot of dead silicon because people aren’t using it.”

Redundancy
Redundancy has always been an expensive but effective way to solve problems in electronics. Redundancy dates back to the early 1950s in computing with the introduction of fault-tolerance, where magnetic drums were connected using relays. But even redundancy has its limits. In 1998, a PanAmSat communications satellite suddenly went quiet due to tin whisker growth after its third redundant processor shorted out, silencing tens of millions of pagers in North America.


Fig. 3: Tin whiskers. Source: ReMAP Networks

Building redundancy into safety-critical systems is considered essential. The big questions are where that redundancy should be placed and how much of a system actually needs to be redundant.

“In automotive, any critical path has to have active and passive safety,” said Jeff Hutton, senior director of the automotive business unit at Synopsys. “So ECC is required for the buses. If you flip a bit, it will self-correct. But there are also passive things that have to happen. So it might not correct the bit, but you may need to determine if it’s a valid signal or not. Every critical system has to have a failover mechanism. If the middle of the die has contacts that are only 25% effective and it breaks down after three or four years, the chip’s self-testing should flag that. If a contact is broken, a car should be able to put itself into a safe state. The big question is how that will behave when a car is fully autonomous because the danger is when there is a mix of both autonomous and manually driven cars on the road. Autonomous cars in front or back of a car will know if a car is not in a safe state, but a driver may not.”
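The two ECC behaviours mentioned above, correcting a flipped bit and otherwise deciding whether a signal is valid, are what a SECDED (single-error-correct, double-error-detect) code provides. The following is an added example, not from the article or from Synopsys: it assumes a 4-bit data word protected by a Hamming(7,4) code plus one overall parity bit, and the function names are illustrative.

```python
def encode(nibble):
    """Encode 4 data bits as an 8-bit SECDED word (Hamming(7,4) + overall parity)."""
    bits = [0] * 8                      # index 0 = overall parity, 1..7 = Hamming positions
    d = [(nibble >> i) & 1 for i in range(4)]
    bits[3], bits[5], bits[6], bits[7] = d           # data sits at non-power-of-two positions
    bits[1] = bits[3] ^ bits[5] ^ bits[7]            # parity over positions 1,3,5,7
    bits[2] = bits[3] ^ bits[6] ^ bits[7]            # parity over positions 2,3,6,7
    bits[4] = bits[5] ^ bits[6] ^ bits[7]            # parity over positions 4,5,6,7
    bits[0] = sum(bits[1:]) & 1                      # makes the whole word even parity
    return sum(b << i for i, b in enumerate(bits))

def decode(word):
    """Return (nibble, status); status is 'ok', 'corrected' or 'uncorrectable'."""
    bits = [(word >> i) & 1 for i in range(8)]
    syndrome = 0
    for pos in range(1, 8):
        if bits[pos]:
            syndrome ^= pos             # XOR of set positions is 0 for a valid word
    odd = sum(bits) & 1                 # 1 means an odd number of bits flipped
    if syndrome == 0 and not odd:
        status = "ok"
    elif odd:
        # Single-bit error: the syndrome names the flipped position
        # (syndrome 0 means the overall parity bit itself flipped).
        bits[syndrome] ^= 1
        status = "corrected"
    else:
        # Even number of flips with a non-zero syndrome: the error is detected
        # but cannot be located, so the caller should treat the signal as
        # invalid and fall back to its safe state.
        return None, "uncorrectable"
    nibble = bits[3] | (bits[5] << 1) | (bits[6] << 2) | (bits[7] << 3)
    return nibble, status
```
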

This raises the price of systems, of course. Industry experts say these costs can increase between 20% and 50% due to redundancy and extra testing and verification.

“There are more design costs because there is more silicon, higher reliability in the package, the bonding wire and the metal spacing is larger,” said Hutton. “If you go to redundancy, that could be more than two times larger.”

The general consensus is that any roadmap here is a good thing, however.

“For automotive, we need to follow the ISO 26262 standard,” said Wei Cong, director of product engineering at Kilopass. “We see that as a trend as the market shifts to autonomous driving. That includes the tools, the end results management and quality assurance. On top of that, we need to provide security. That is becoming more important. Security is very important to keep the root of trust and to prevent all sorts of problems with autonomous vehicles.”

Unique requirements
So far, it’s unclear if devices developed in one safety-critical market will be applicable in another. The general concepts are the same, but the standards are different. And it’s too early to tell if the problems being solved are the same in an industrial operation and an autonomous vehicle, for example.

However, from the tools and processes side there is definitely overlap, and this is where economies of scale can be achieved across markets.

“You still want to test airbags, ADAS and other safety-critical systems separately,” said Mentor’s Dailey. “That requires a stringent testing program, and with security you need that for high-value targets. You also need to optimize devices like MCUs for specific functionality. And you need more focus on test, because test time costs money. Test time needs to go down because the overall R&D is going up. And you need the proper architecture to go with all of this.”

But it’s also harder to quantify costs based upon standard metrics for semiconductor or even automotive development, said FASTR’s Hurst. “The benefits of autonomous driving can be quantified, and that will offset the cost of development because you’ll start seeing more vehicles as a service. The question is how much are people willing to pay for different levels of service. You’ll see this in other markets, too, such as mining, trucking and logistics. The market will completely absorb these costs, just as they have in mass transit and agriculture.”

Conclusion
Safety-critical markets typically have been managed by laws and standards, put in place to protect public safety. What’s changing is the amount of safety being managed from within devices. A significantly growing percentage is being handled by functional safety electronics rather than by mechanical means or by an external set of rules and human oversight.

This has far-reaching implications that go well beyond the semiconductor industry. Liability in an accident involving functional safety, for example, can shift from people to manufacturers or design houses, and courts will have to decide whether best practices were followed or whether negligence was involved. But for the immediate future, the focus is on making systems more reliable, more secure, and much safer than they are today. And there appears to be plenty of opportunity for years to come for those companies that can find a place in this swirl of change.
