Reshaping Automotive Design

Conflicting goals, evolving standards and the need for new methods and tools make this an interesting market for chipmakers.


The entire automotive ecosystem is being reshaped by vehicle electrification, assisted and autonomous driving, and the connectivity needed to make it all work. So far, it’s not clear just how smoothly this will all come together.

In this redefined world, electronics and software will provide differentiation rather than mechanical engineering and possibly even brand name, creating change on a scale the automotive industry has never witnessed before—particularly in such a compressed time frame. The infrastructure, processes and methodologies in the automotive world that have been carefully constructed and refined over the course of more than a century are now undergoing massive disruption in the race toward autonomous vehicles.

These changes have big implications for the chip world, as well. Automotive has emerged as one of the big new opportunities for semiconductors. This market is well funded and highly motivated to adopt advanced electronics, but it’s also a very different world. Chips developed for cars need to work well for long periods of time under harsh conditions, and they need to adhere to a set of evolving standards and regulations unlike anything the majority of chip companies have ever dealt with.

“On the design side, you want to make sure you design with the latest design rules and implement those design rules,” said Ron DiGiuseppe, senior strategic marketing manager, solutions group at Synopsys. “You must have a good tool suite that can not just implement it, but do the verification. Part of that verification is how the product — either at the chip level or even at the IP level — reacts to possible failures. As such, you need to have a design flow where there are tools that can inject possible failures, then simulate to see how the product reacts to those failures in terms of safety critical. If you’re going to do ADAS or autonomous driving, those systems and the chips and the IP blocks that make up those chips have to be compliant with ISO 26262.”

This represents a big shift for chipmakers. In markets such as mobile phones or computers, if any part of a system failed, it typically was patched with software and replaced in the next rev of a product, which usually was sometime in the next few years. But with safety critical markets, such as automotive, industrial or medical, these parts need to function reliably for 10 to 15 years.

“Reliability and safety are the keys,” said Neil Stroud, director of technology strategy, embedded and automotive line of business at Arm. “EDA tools used to develop safety-related IP or software must undergo a tool qualification analysis that proves they are fit-for-use and do not introduce faults that could potentially violate safety goals.”

But this is something of a fast-moving target. Assisted and autonomous driving standards for the automotive ecosystem are evolving alongside the technology for electrification of vehicles. Under the upcoming second version of the ISO 26262 standard, for example, automotive designs and IP will require constant runtime monitoring to achieve necessary safety levels, according to Steve Pateras, product marketing director at Mentor, a Siemens Business. “This will require the integration of monitor functions into the design. Examples of this include voltage monitors, ECC logic for memories, and logic BiST for random logic. Design flows will need to include tools that enable the integration and verification of these capabilities.”

Pateras noted that the ISO 26262 standard also specifies a number of hardware functional safety metrics and associated levels for the different device ASIL classifications. “These metrics include the single-point fault metric (SPFM), which is the probability that a single defect will not result in an unsafe state, and the probabilistic metric for random hardware failures (PMHF), which essentially represents the overall probability of failure per hour. The analysis necessary to calculate these metrics is quite complex, making the automated calculation of these metrics a critical requirement for large complex IP blocks and designs.”

That’s just one piece of the puzzle.

Commodity chips are no longer just commodities in the automotive world, because even an insignificant sensor that malfunctions—or which doesn’t function well enough—can cause an accident.

“A big challenge with autonomous vehicles is the accuracy of the sensors,” said Stephen Breit, vice president of engineering at Coventor. “There are a number of sources of error. One is manufacturing. Thermal sensitivity is an issue, as well. So you need to design these to be more precise, more linear and less temperature-sensitive. The precision requirements for autonomous vehicles are much higher than for an airbag or rollover, where you could just exceed the threshold and apply current.”

Fig. 1: What’s different about automotive design. Source: Tom Wong, Cadence

Security adds a whole other wrinkle into automotive design. Chips need to be reliable, but they also need to be resistant to hacking and resilient in case they are hacked.

“People think of a car or an airplane from the brand name, but there are many suppliers involved,” said Asaf Ashkenazi, vice president, IoT Security Products in Rambus’ Security Division. “In the past the OEM was the supplier and they used their own components. Now people supply components to the manufacturer, and they don’t know which component will be used in the final product. The guy at the top doesn’t know which is which. And for each one in the food chain, it’s difficult to verify safety and security.”

This goes well beyond the chip, too. It involves the entire system, including data paths within a car and between the vehicle and other vehicles and infrastructure. Not surprisingly, significant progress has been made here in light of some very public hacks.

“There is very defined networking in a car,” said Donna Yasay, Marvell’s vice president of worldwide business development. “There is only a specific point to enter into a car. If the gateway is defined properly, it’s basically a closed system and one that is pre-defined. So in the home and industrial markets, you want plug and play so that you can plug in anything and connect it to the network. But with a car, you have a fixed architecture. You know that Port 3 will go to the tire sensor and that there can only be a maximum of 1 megabyte of data in this format, and you can do that same kind of management on a per-port basis. If anything else tries to access the system, you can shut it out.”

In fact, the bigger problem may be less about security—even though this area has received a good amount of attention—than about the integration of the various chips and IP blocks that go into a system. At this point, IP is still being tracked on spreadsheets, which worked fine as long as cars were mechanical. With potentially hundreds of IP blocks in the AI brain of an autonomous vehicle, each with its own characterization, spreadsheets are grossly ineffective.

“It’s becoming much more of a headache for automotive companies,” said Ranjit Adhikary, vice president of marketing at ClioSoft. “They don’t understand the intricacies of qualifying IP. Integration is more rigorous and there are multiple vendors supplying the IP.”

This gets particularly difficult when it comes to characterizing libraries involving IP developed at different process nodes, Adhikary said. “We’re seeing small variations across a large number of IPs.”

Also key to the entire automotive system design moving forward is safety, which has some commonalities with security.

“Operational scenarios that would normally be deemed either not possible or not sensible by hardware designers and architects, and thus likely to be overlooked, suddenly become relevant. Both hardware failures and malicious attacks may drive the chip and the car into forbidden territory. Formal verification enhanced with fault injection systematically uncovers all these hard-to-foresee scenarios,” said Sergio Marchese, technical marketing manager at OneSpin Solutions.

Planning for change
It may seem somewhat ironic that automotive standards are a moving target. For an industry that was comfortable with product cycles that lasted five to seven years, this provides more than a mild jolt of acceleration. In effect, it requires planning for the future without knowing all of the specifics.

This plays well for programmable devices such as programmable processors and memories, as well as some flexible packaging architectures. The reality is that not everything designed now will comply with future standards, but what does work really has to last for a long time.

“What we’re designing for is graceful degradation,” said Raymond Nijssen, vice president of systems engineering at Achronix. “Performance and quality change, and standards change. So there is a requirement to reliably recognize a child crossing the street. But no one really knows what form this technology will take. It will have to be tested, and it will have to be a system test. But how do you test for standards that are not known? You need error correction to absorb these changes.”

He’s not alone in this thinking. Resilience and recovery are gaining mindshare as the way forward for autonomous systems in particular, and machine learning and artificial intelligence in general.

“You can get systems to work fine in a lab, but as you go out into different use models and environments, it’s difficult to know how long they will last,” said Michael Schuldenfrei, CTO at Optimal+. “Building deterministic software with products and pre-determining a response is not feasible. This is all about the notion of adaptive, flexible system requirements, and it’s the next big wave of machine learning and AI.”

So what does this mean for chip companies? The answer isn’t entirely clear, other than the fact that it will be chips and software that increasingly differentiate one car from another rather than braking and acceleration. It will involve a system of systems, all of which have a heavy emphasis on electronics.

“This is not to say mechanical and design aspects are not important,” said Raja Tabet, corporate vice president for emerging technologies at Cadence. “But many of the car developers and product developers recognize there is growing importance and equal differentiation that’s coming from electronics and software. This is probably one of the key reasons why the OEMs and Tier Ones are rethinking what their positions in the market need to be. The traditional value chain where the semiconductor companies supply the Tier Ones, and the Tier Ones aggregate the semiconductor products into a sub-solutions or solutions that go into the OEMs, is changing. With ADAS and some of the newer infotainment/ADAS technologies, the traditional value chain is breaking up where OEMs now work directly with hardware platform suppliers. OEMs are also working with the many startups in the market both on the hardware platform side but certainly on the autonomous driving software side. Tier Ones are currently stepping back and trying to figure out how they can continue to be key players in the value chain.”

Getting specific wherever possible
In stark contrast to a somewhat perpetual level of uncertainty about standards, when those standards are established they tend to be very specific in the automotive world.

“ISO 26262 mandates an SOA (state of the art) process,” said Joe Dailey, global functional safety manager at Mentor, A Siemens Business. “It also mandates what we refer to as a SOA design architecture. It is a typical V-cycle approach, starting at defining the vehicle or system and those hazards that may harm someone. This is not unique to automotive, but when it comes to required traceability from design requirements to verification and validation tests, the only industry that compares would be aerospace for flight criticality.”

What is unique is the safety analysis down to the IC level. While many industries evaluate systems, or systems of systems, no industry has the production numbers for cost effective customization of silicon for use in their designs, Dailey said. “Other industries rely on redundant systems or redundant ICs to assure proper and safe operating conditions. When one vehicle platform can number in the millions, and then multiple lines of vehicles can be modified using that same platform, redundant ICs are cost prohibitive. So now what is very unique to the automotive industry is the customization of ICs. The development cost of an IC can run a million dollars and up. This means ICs are largely single-sourced. This means the evaluation or failures of an IC must be closely examined, and safety measures must be put in place early in the design. The one type of failure that concerns automotive makers the most is radiation-induced soft errors. Typically referred to as random failure or soft failure, they are single-event upsets and single-event transients caused by an alpha particle from a decaying package, a cosmic ray, or electromagnetic interference.”

Further, when an IC developer designs an IC, they evaluate all of the possible faults that may cause a random failure, Dailey continued. “They then determine the safety criticality of the failure and put in safety measures to assure any failure results in a safe outcome. Testing is the biggest problem in the industry. Yes, we can test these failures, the safety mechanisms, and their results, but this is a very manual process to date. The biggest enhancement the automotive IC designer would like to see today in their tool chain is an automated method for testing random failures to assure the proper implementation and effectiveness of their safety measures.”
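
The automated check Dailey asks for can be sketched in software. The following is an added example, not code from the article or from any vendor tool: it runs an exhaustive bit-flip campaign against a toy 8-bit SECDED (extended Hamming) code, which stands in here as an assumption for the memory ECC mentioned earlier. It classifies every injected fault as corrected, detected, or silently corrupting.

```python
from collections import Counter
from itertools import combinations

DATA_POS = (3, 5, 6, 7)  # data bits; 1, 2, 4 are Hamming parity, 0 is overall parity

def encode(nibble):
    """Encode 4 data bits as an 8-bit extended-Hamming (SECDED) word."""
    word = sum((nibble >> k & 1) << pos for k, pos in enumerate(DATA_POS))
    for p in (1, 2, 4):  # parity bit p covers every position whose index has bit p set
        if sum(word >> i & 1 for i in range(1, 8) if i & p) & 1:
            word |= 1 << p
    return word | (bin(word).count("1") & 1)  # bit 0 makes the total parity even

def decode(word):
    """Return (status, nibble): 'ok', 'corrected', or ('detected', None)."""
    syndrome = 0
    for i in range(1, 8):
        if word >> i & 1:
            syndrome ^= i
    if bin(word).count("1") & 1:      # odd overall parity: assume one flipped bit
        word ^= 1 << syndrome         # syndrome 0 means the parity bit itself
        status = "corrected"
    elif syndrome:                    # even parity, non-zero syndrome: two flips
        return "detected", None
    else:
        status = "ok"
    return status, sum((word >> pos & 1) << k for k, pos in enumerate(DATA_POS))

def campaign(n_faults):
    """Inject every n-bit flip into every codeword and classify the outcome."""
    tally = Counter()
    for nibble in range(16):
        good = encode(nibble)
        for bits in combinations(range(8), n_faults):
            faulty = good
            for b in bits:
                faulty ^= 1 << b
            status, out = decode(faulty)
            if status == "detected":
                tally["detected"] += 1
            elif out == nibble:
                tally["corrected"] += 1
            else:
                tally["silent_corruption"] += 1  # wrong data delivered, no alarm
    return tally

def coverage(tally):
    """Fraction of injected faults that ended in a safe outcome."""
    return (tally["corrected"] + tally["detected"]) / sum(tally.values())

if __name__ == "__main__":
    for n in (1, 2, 3):
        t = campaign(n)
        print(n, dict(t), f"coverage={coverage(t):.2f}")
```

Single and double upsets all end in a safe outcome, while every triple upset is miscorrected into valid-looking wrong data. A campaign like this exposes where a safety mechanism's coverage stops.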

This is a unique time in the automotive industry, marked by upheaval but also plenty of opportunity. OEMs, Tier Ones and all manner of additional ecosystem players are coming together in the name of vehicle electrification, autonomous driving, mobility, safety and security.

What is emerging is a picture of a massive reshaping of an enormous ecosystem that increasingly includes the system and semiconductor design process, from architecture all the way through to manufacturing. The next few years will bring new design solutions to market to enable differentiated automotive products. It’s time to buckle up.

—Ed Sperling contributed to this report.