Planes, Cars, And Lagging Standards

IoE connectivity, new chip architectures and pending updates are fueling confusion in the automotive and aerospace markets.


Automotive and aerospace standards are struggling to adapt to pervasive connectivity, increased functionality, and new packaging approaches and architectures, leaving chipmakers and systems vendors unsure about what needs to be included in future designs.

Each of these markets has a reputation for being lumbering and unresponsive, in part because they deal with safety-critical issues and in part because historically the design cycle has been much slower than in the mobile or consumer electronics markets. But as systems vendors and chipmakers in these sectors strive to keep up with the kinds of connectivity and features that customers are demanding, the chasm between technology and existing standards is deepening.

In response, a number of standards organizations are discussing possible changes to existing standards. While this may help in the long term, in the short term it has increased the level of confusion because, at least so far, any potential changes are vague. That causes a problem for chipmakers working on designs today, because these designs typically are at least a couple years ahead of production. Updated standards could affect what gets adopted, and which vendors have guessed correctly about what changes will be implemented.

While not all of these standards are government-mandated—automotive and industrial standards, for example, are devised by industry as a way of self-policing their products and warding off legal liability—they could determine which designs win over others. Moreover, because much of this technology is supposed to be reliable for up to a decade or more, until these standards are updated they will continue to generate confusion about how to design chips.

DO-254 is the dominant standard for electronic hardware in airplanes. It was developed by the Radio Technical Commission for Aeronautics and adopted by the Federal Aviation Administration and the European Aviation Safety Agency (EASA). The standard addresses complex hardware, which it defines as FPGAs, PLDs and ASICs.

But the standard also is seriously out of date. Much has changed since 2005, when the FAA adopted DO-254. FPGAs are now in widespread use, and multi-core FPGA/ASIC SoCs are beginning to gain traction.

“FPGAs are now the predominant technology,” said Louie De Luna, DO-254 program manager at Aldec. “But SoC FPGAs are a hot topic in the avionics industry right now. The big question is whether multicore functionality in a safety system will become a headache. With SoC FPGAs, you’ve got one core right now. With two cores you get non-deterministic behavior, which is much harder to verify.”

De Luna said the FAA and EASA are now reviewing whether and how to revise DO-254. “They need to advance the standard because FPGAs are advancing,” he said. “There are now high-speed interfaces, which didn’t exist in the past, and there are high-definition video interfaces that need to be supported, as well. The solutions come from the ASIC industry, but the guidance about those is pretty generic. They do not talk about certain technologies, tools or capabilities.”

What’s also changing in this market is the ability to combine more functionality into fewer chips. As electronics replace mechanical features and sensors, the number of more complex chips being produced will increase, but the actual number of designs may decrease to achieve economies of scale.

“Aerospace has always been done on a small scale,” said Joe Hupcey, Questa product marketing manager at Mentor Graphics. “Now you’re looking at doing this on a large scale, but with extra cost in terms of chip area because of redundancy and complexity. The general principles of DO-254, and for ISO 26262, which is similar, are proven. The main focus is around fault analysis. Is it fail-safe or is the fault detectable?”

One big difference between the aerospace and automotive industries is that automotive standards are largely set by companies, not government agencies.

“The ISO standard is a set of recommendations,” said Steve Smith, senior director of marketing for automotive solutions at Synopsys. “The focus is on functional safety. It has nothing to do with regulating the functionality of chips. You can verify according to the spec with minimal error to cause injury. But it has nothing to do with quality or performance.”

In effect, ISO 26262 is a collection of industry best practices up to this point, Smith said. “Carmakers do use the standards to vet suppliers. It’s also a way to avoid laws being applied to the industry because the industry is self-regulating. Those kinds of standards are useful for communication between two or more participants in a design, as well.”

That communication will be critical because the big push underway in the automotive sector right now is to replace microcontroller-powered electronic control units with SoCs, which are capable of combining many more functions into a single chip.

“I call it computational consolidation,” said Kurt Shuler, vice president of marketing at Arteris. “If you look at the old days, you had different MCUs sprinkled all over the place monitoring everything, connected to a very slow bus, without any security features. What you’re seeing now are different ways to network within the car. You can have more centralized computational power, and at the edge less computational power. That should make things easier for the manufacturers to update over time.”

This will be necessary for the move toward autonomous vehicles, which likely will be rolled out in phases of increasing autonomy, such as automatic braking and lane departure control.

“The car will be able to sense if a driver is asleep, but it also must be able to sense that at different frequencies,” said Sundari Mitra, CEO of NetSpeed Systems. “That needs to be transmitted to an automatic control. And all of that will merge into one or two chips. If you compare what’s going on here with the mobile market, innovation in the mobile market is evolutionary, while innovation in the IoT and automotive markets is revolutionary. It will change how we think and how we put chips together.”

It also opens opportunities across a broad spectrum of companies that have never worked together before.

“There is a growing market, especially with ADAS, for high-performance receptors for images,” said Stefano Cadario, technical specialist for compilers at ARM. “The issue there is how do you deal with tool-chain certification. ISO 26262 has some gray areas with regard to tool-chain certification, but tool-chain certification is an important aspect of system-level certification. And as customers begin using more ARM processors in cars, this is an important aspect for ARM to address.”

ISO 26262 is outdated in other ways, too. So many changes are coming into cars so quickly that no standards group can hope to keep pace.

“The rate of new, differentiating features being added by the automotive companies, along with the pace of change toward completely autonomous vehicles, is staggering,” said Jorg Grosse, safety critical verification specialist at OneSpin Solutions. “Keeping the regulations up to date with this trend has proven difficult, but it is essential. This has driven groups from across the industry to regularly meet to consider how the regulations must keep up with the technology. The end result is a moving target for ISO 26262 revisions, and a new chapter of the standard, focused on ‘the application of concepts for semiconductors,’ is currently under development. Tool vendors must stay current with the standard, and many of them have teams involved in its development to feed back changes from their engineer teams for inclusion. It is this collaborative mechanism that is essential to allow the design flow to keep up with market forces.”

Tools, automation and integration
As the automotive and aerospace industries begin adding SoCs into designs, they also begin adding third-party IP. Integrating different vendors’ IP has not been simple in the consumer and mobile markets, despite the introduction of standard approaches such as IP-XACT. It will be even tougher in automotive and aerospace markets, because if something malfunctions it can have disastrous effects.

“IP integration is a problem,” said Anupam Bakshi, CEO of Agnisys. “Even with IP-XACT, often people don’t create the proper IP-XACT register and pin information. And when they do, they don’t address how to use it. You also have to look at this as a committee-driven flow. Our philosophy has been to solve the problem, and when the standard comes along, we will follow it. But there is a gap between the standard and what is needed. And even when there is a standard in the IP industry, not all of the IP vendors take advantage of it. That means more integration problems and it leads to more debug.”

How much more effort that entails is vague, but some industry estimates put the number as high as 2.5 times more effort and cost for chips being designed for safety-critical markets.

“Verification becomes more important, and it becomes important to show more things can go wrong,” said Frank Schirrmeister, group director for product marketing for the System Development Suite at Cadence. “It’s also more expensive to design and verify. That could add 20% to 30% more just to make an IP block more automotive-compliant. You’re adding layers of complexity to the design.”

That carries over into other areas of the design process, as well. “We’ve been getting questions about whether tools are safe to use for ISO 26262. The answer is yes, but when you’re doing logic synthesis and layout, there are different ways of looking at that for these markets. You may have to change the code, which raises the question about whether bugs can be introduced.”

There need to be changes to the flow, as well. “First, the existing DV flow has to be made ever more rigorous to handle the ‘systematic’ problems that occur with any ASIC development, namely human design error and tool failure,” said OneSpin’s Grosse. “Although safety-critical devices use the same tools as any other IC, their application and the corresponding verification process inevitably is more intense. Verification requirements are created and tracked carefully based on the ISO 26262 ‘V Model,’ with the resulting verification coverage quantified as accurately as possible at all implementation levels.”

On top of that, Grosse said new classes of design and verification techniques must be applied to guard against “random” errors—problems that arise during the normal operation of the device. “All automotive ICs must be failsafe, and this requires additional components to be designed into the IC that can trap operational problems and allow the overall device to recover. These might include error correction codes in the input and output of memory to correct bits that might be flipped, or redundant components that might be invoked in the case of failures. These components are verified by demonstrating that faults inserted across the design are correctly handled. A high level of ‘diagnostic’ coverage of these faults must be achieved if the device is to meet the highest Automotive Safety Integrity Level (ASIL) D requirements of ISO 26262.”
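As an added illustration of the ECC-plus-fault-injection approach Grosse describes (this is example code written for this page, not code from the article, OneSpin or any other company quoted), the following C snippet uses a small Hamming(8,4) SEC-DED code as a constructed stand-in for a memory ECC, injects every single-bit and double-bit fault into every codeword, and reports how many faults the decoder handles as intended. The codeword layout, the fault model and the "handled over injected" coverage metric are assumptions made for the example, not definitions taken from ISO 26262.

```c
#include <stdint.h>
/* Hamming(8,4) SEC-DED layout (constructed for this example): bit positions 1..7 hold the
   (7,4) Hamming code as p1,p2,d0,p4,d1,d2,d3; bit 0 is an overall parity bit. */
typedef enum { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE } ecc_status_t;
typedef struct { int injected; int handled; } fault_report_t;
static uint8_t parity8(uint8_t v) { v ^= v >> 4; v ^= v >> 2; v ^= v >> 1; return v & 1; }

/* Encode a 4-bit data nibble into the 8-bit codeword written to memory. */
uint8_t ecc_encode(uint8_t data)
{
    uint8_t d0 = data & 1, d1 = (data >> 1) & 1, d2 = (data >> 2) & 1, d3 = (data >> 3) & 1;
    uint8_t cw = (uint8_t)(((d0 ^ d1 ^ d3) << 1) | ((d0 ^ d2 ^ d3) << 2) | (d0 << 3) |
                           ((d1 ^ d2 ^ d3) << 4) | (d1 << 5) | (d2 << 6) | (d3 << 7));
    return cw | parity8(cw);                         /* bit 0 makes the byte even parity */
}

/* Decode on read: correct one flipped bit, flag two flipped bits as uncorrectable. */
ecc_status_t ecc_decode(uint8_t cw, uint8_t *data)
{
    uint8_t s1 = parity8(cw & 0xAA), s2 = parity8(cw & 0xCC), s4 = parity8(cw & 0xF0);
    uint8_t syndrome = (uint8_t)(s1 | (s2 << 1) | (s4 << 2));   /* position of a single flip */
    ecc_status_t st = ECC_OK;
    if (parity8(cw)) { cw ^= (uint8_t)(1u << syndrome); st = ECC_CORRECTED; } /* odd: 1 flip */
    else if (syndrome) return ECC_UNCORRECTABLE;    /* even parity, bad syndrome: 2 flips */
    *data = (uint8_t)(((cw >> 3) & 1) | (((cw >> 5) & 1) << 1) |
                      (((cw >> 6) & 1) << 2) | (((cw >> 7) & 1) << 3));
    return st;
}

/* Fault-injection campaign: flip every single bit and every bit pair of every codeword and
   count the faults the decoder handles as intended (corrected, or flagged uncorrectable). */
fault_report_t fault_campaign(void)
{
    fault_report_t r = {0, 0};
    for (uint8_t v = 0; v < 16; v++) {
        uint8_t cw = ecc_encode(v), out = 0;
        for (int a = 0; a < 8; a++) {
            r.injected++;
            if (ecc_decode(cw ^ (uint8_t)(1u << a), &out) == ECC_CORRECTED && out == v) r.handled++;
            for (int b = a + 1; b < 8; b++) {
                r.injected++;
                if (ecc_decode(cw ^ (uint8_t)((1u << a) | (1u << b)), &out) == ECC_UNCORRECTABLE) r.handled++;
            }
        }
    }
    return r;
}

/* Diagnostic coverage in percent: faults handled over faults injected. */
double diagnostic_coverage(fault_report_t r) { return r.injected ? 100.0 * r.handled / r.injected : 0.0; }
```

A production memory ECC protects wider words and the campaign is run against the RTL rather than a C model, but the bookkeeping that turns injected faults into a coverage figure is the same.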

So far, there are no standards for security, but most chipmakers expect security features to become requirements in anticipation of future standards. “These have been required in the mobile market for years, but it is a relatively new requirement for the automotive industry,” said ARM’s Cadario. “From the compiler/tool side, what that means is we need to make sure we have all of the necessary support in tools to use hardware-supported security features such as TrustZone. So we need different structures and intrinsics, different instructions to make sure it’s all secure, done correctly, and that whatever code the compiler is generating is secure and complies with the architecture.”

While everyone recognizes the importance of security in a connected car—particularly in light of highly publicized videos about how to hack into vehicles—doing something about it is another matter. Hacking into airplanes is something most people don’t even want to think about.

“For hardware engineers, this is a whole new world,” said Avidan Efody, automotive solutions architect at Mentor Graphics. “They’ve been building safety-critical systems for years, but security is a new area no one knows anything about. ISO has some things that could be interpreted as security, but it has not been treated seriously. Hardware engineers need to understand what is required of them.”

Most EDA companies believe formal tools will play a big role here. “Fault analysis is not there yet, but we think we see a way to break down the walls between the front and back ends,” Efody said. “The biggest problem is getting tools to the quality level that is needed. That requires a different mindset, though, as well, and that’s a real challenge.”

Synopsys’ Smith agrees. “One wrinkle with the connected car is cyber security threats. This is very much like in the consumer market, where you have standards for encryption and software testing. But it’s all advanced technology. These are the same kinds of chips, but they might require additional work.”

As OneSpin’s Grosse notes, the German word for security and safety is the same—Sicherheit. “Automotive companies, particularly those in Germany, see them as tightly coupled with equal importance. Now that many automotive components are interlinked, and some can be accessed externally to the vehicle, security against malicious intent is absolutely critical, and a key part of safety assurance. Also included under the security umbrella is the accidental interaction between components, where an unexpected operational artifact in one has an adverse effect on another.”

Whether standards will include a focus on security, or whether this is handled by the tools—particularly formal—remains to be seen. The problem with standards in these markets is that the standards bodies always move more slowly than the market.

“There is a permanent problem there,” observed Mike Gianfagna, vice president of marketing at eSilicon. “The time constant for standards is totally inconsistent with innovation, regardless of the market. No matter who owns the standard, it puts everyone in a deadlock for a long time.”

That’s evident in the automotive and aerospace markets, where change is happening very quickly. And it leaves a lot of people making very costly guesses about what comes next, what they need to do, and how much business they potentially can win or lose when standards are finally updated.
