Mission-critical applications involve higher levels of abstraction than automotive and often need to meet safety-critical requirements, as well.
Chips destined for the skies or armed forces need extra everything. They require higher layers of abstraction to simulate all the moving parts in the field, high-reliability testing for harsh environments, in addition to system-level test. They also need radiation-hardening and ceramic materials for space, extra safety layers, and advanced security techniques.
As in the automotive sector, the safety-critical designation means lives are at risk. With mission-critical applications, lives could be lost, but a significant amount of time and money is also on the line if a chip fails during a military or space operation. Any communication lag poses significant risks, and autonomous technology adds another layer of complexity.
One way to approach mission-critical design is through Mission Engineering, as defined by the U.S. Department of Defense and summarized by Siemens:
A key difference between automotive and mil/aero design is that the latter requires a higher level of mission simulation.
“When you talk about sophistication in terms of modern fighter aircraft, it is orders of magnitude more complex than anything in any vehicle today, because of the mission,” said Todd Tuthill, vice president for aerospace and defense industry at Siemens Digital Industries Software. “We’re going to do it at Mach 2, or faster than Mach 5 if we’re talking about hypersonic weapons, and we’re going to do it over the horizon of the earth. And we’re communicating with the satellites in low Earth orbit, or maybe even higher, in geosynchronous orbit, as well as with people on the ground.”
Fighter jets drive some of the most complex mission simulations.
“A fourth-gen fighter had two crew — someone to fly it and someone to operate the weapon systems,” said Tuthill. “A fifth-gen fighter has someone to fly it, and a lot of the weapon systems are operated by the electronics. Sixth-gen fighters are now operating drones. They need no crew at all, and that progression of fewer number of crew has a direct impact of more software and more electronics.”
The U.S. Air Force recently selected Boeing to produce its Next Generation Air Dominance (NGAD) fighter platform, which includes collaborative combat aircraft (CCA). “This is a fancy name for drones,” said Tuthill. “These NGAD manned fighters will fly with a swarm of drones around them to do a lot of things that the manned fighters used to do. You can imagine very sophisticated communication systems between the crewed fighter and all the drones, and then where you had all the sensors and all the stuff inside one aircraft before, you’ve now farmed that out to all these individual drones that do individual pieces.”
Reprogrammable, reusable drones can have a number of capabilities such as attack force, reconnaissance, aerial refueling, and thermal or radiation detection.
“That’s why we talk about software-defined products, or software-defined vehicles, which is a big term in automotive. That’s exactly what’s happening in aerospace, and has been for a while,” Tuthill said. “This is because you’re going to have this generic type of airframe with a generic propulsion flight control system in it, and you’re going to fill it based on the mission, with different pieces of electronics, and different pieces of software. Tomorrow, I’ll change the software and change the mission.”
Other types of drones include “killer drones” that hunt other drones, and military cargo drones, which carry equipment and drop it to infantries so they don’t have to carry anything, said Helmut Puchner, vice president and fellow of aerospace and defense at Infineon Technologies. “And the drones they’re building are going 150 miles an hour, so there’s a lot of development there. Here, AI is especially needed, and image detection is needed to make autonomous decisions. Is this my friend or is this my foe?”
CFD and simulation
Simulation and computational fluid dynamics have been important tools in aerospace design for many years. What’s changing is that more sophisticated computing and software greatly expands what is possible to do with the tools, especially in aerospace.
“Automotive is a very specific application. It is pre-bounded in what is possible,” said Marc Swinnen, director of product marketing at Ansys. “When you look at aerospace and government systems engineering, it’s much wider open.”
For instance, in regular product development there might be separate simulation models for the jet, the missile, and the satellite, but that doesn’t solve the mission because they’re all siloed. “How do you simulate this whole scenario together so the missile and the plane and the satellite and the truck are all at the right place at the right time so that everything works out?” Swinnen said. “That’s mission simulation. You can’t have a full detail of every part of the engine and the jet being simulated. It’s a higher level of abstraction and deals with many, many different types of systems. You might have to model water flow, you might have to model wind conditions. There are a lot more physics involved that have to be dealt with.”
Fig. 1: Aerospace CFD. Source: Siemens
Simulation of chips also has changed.
The old philosophy was, “Fly, fix, fly,” said James Chew, senior global group director for Aerospace and Defense at Cadence. “It’s funny how you leverage other technologies to increase what you want to do with your core technology. The reason we’re so excited we have these Millennium [emulation] machines that do computational fluid dynamics is that they’re GPU-based, not CPU-based. That means suddenly you can expand the boundary conditions of the Navier-Stokes equations that you can solve. We’ve been able to show some very interesting things, and it cuts down the amount of test time you need to verify that this design will work.”
Cadence recently utilized NVIDIA’s Blackwell platform to help solve one of CFD’s biggest challenges — a massive simulation of a complete aircraft during takeoff and landing.
Today, there are things that can be done with supercomputers, digital twins, and integration that just weren’t possible 20 years ago, Siemens’ Tuthill explained. “For example, a new digital twin facility at Wright-Patterson Air Force Base in Ohio is enabled by a supercomputer. It’s going to have the ability to do a whole lot of the work we were doing in ground test and in-flight test in a digital form before we ever have to build something physically. That’s an incredible capability. If you think about how testing was done in the past, where we created electronics and there were requirements for electronics and software, in order to put together the mission systems for the cockpit of an aircraft, we had to do it physically. We had to put it together in a real lab, and we tested it on the ground as best we could, then we put it in a real aircraft and we flew it. That’s how we integrated the software, and that’s a really expensive thing to do.”
In the days of Chuck Yeager, who broke the sound barrier, there wasn’t anything digital. “If you go back and look at the interesting aerodynamic problems, a lot of people died because of this phenomenon that happened right around Mach One, where the control services did things we didn’t expect because we didn’t have a digital simulator or an even wind tunnel to simulate supersonic flight,” Tuthill said. “Yeager was able to figure out that the control services just weren’t large enough, and that crazy things happened in the control of aircraft. Basically, he became famous because he survived where so many people before him died. We’ve since developed and see a lot of computational fluid dynamics around a space flight, modeling ships, and all sorts of things, and that replaces a lot of that dangerous work. Now they’re basically using digital wind tunnels.”
As for space applications, the more simulation the better. “If you remember the Starliner launch a few years ago — the one that barely got back in one piece — the rocket took off and immediately the clock reset,” said Ansys’ Swinnen. “It was a disaster, but NASA did a review after that and published about 80 recommendations for Boeing to improve. Even though some of them were redacted because of security, the number one recommendation was more simulation. You can’t fix these things by building the rocket, firing, and figuring out if it works or not.”
At the end of the day, a function is a function, whether it’s autonomous driving or deploying a weapon system, said Cadence’s Chew. “Either way, you’re going to want to get in there to try to figure out, ‘Is this thing really going to do what I wanted to do when it has to do it?’ If you can satisfy yourself by modeling simulation to say, ‘I can actually accomplish this mission without having to do a lot of flight tests, or without having a lot of caveats,’ that’s really the payoff you’d want to look for.”
Solving these issues will require industrywide effort and partnerships. An example of this is the partnership between Siemens and IoT Tribe, which recently launched the Flywheel Program to support early-stage startups that are developing agentic AI and advanced technologies for the AD sectors.
Design and manufacturing challenges
The relationship between the aerospace, defense, and commercial sectors remains in flux as they borrow best practices and technological innovations from each other, while the AD sectors continue to benefit from a mix of government and industry funding.[1]
“For the longest time, the defense sector was the one that drove technology,” said Chew, citing products that were invented when NASA went to the moon, like Velcro and Tang powdered drink mix. “But something funny happened in the ’80s, where all those technologies that were started by the defense world, by defense investment, and government investment, were suddenly taken over by the private sector. Silicon Valley [grew out of] a government investment in a high-speed integrated circuit, and because free market competition demands that you have a great product that’s reliable, high value, and works right the first time, a lot of investment came into that, and it surpassed what was going on in the defense area. Meanwhile, the defense folks still had the mindset that, when we developed a product, we had to invent the technology also.”
The defense sector used to follow a design cycle of block upgrades, where a design was created, a list of issues was made, and then the product was redesigned. “Meanwhile, companies like Apple put out a product that could last a certain time and everything is done via software upgrade until they overwhelmed the amount of memory and processor that’s in that phone, and then they have to do a redesign,” he explained. This led the defense sector to ask why they couldn’t do the same thing.
Then, in the 2018 National Defense Strategy, Secretary of Defense Mattis said to design electronics to be like commercial, with no more block upgrades. “It was a cultural change,” Chew said. “They thought you had to do three spins of an ASIC to get a successful design.”
Although the first-pass success rate is dropping significantly across the chip industry, this isn’t necessarily the case at 5nm. “A lot of commercial companies are turning chips around the first time, maybe with some firmware changes,” Chew said. “But the mentality in aerospace and defense was, ‘We’re going to have to spin it more than once anyway before they even start.’ And they do physical tests to validate more often than the commercial world.”
In general, the automotive industry is trying to get ahead of the curve in terms of designing at the most advanced node possible to avoid longer design cycles, whereas in the past it was customary to hold back a couple process nodes to make sure that the design was going to work as expected for a long time.
In defense, the issue is the manufacturing source, said Charlie Schadewitz, vice president, aerospace and defense at Cadence. “You can go down to 12nm with Global Foundries, while some of them will want to go to Intel 18A, but that’s a pretty big job. It’s more on the availability side than anything else.”
High reliability testing, safety, and standards
Aerorspace/defense sector chips need to address high reliability requirements to ensure a mission is successful and lives are not lost, while potentially being exposed to extreme temperatures, radiation from space, or a nuclear event. For example, radiation-hardened products are common in this sector compared to other applications.
“90% of commercial microelectronics have no high-reliability requirements,” said Scott Best, senior principal engineer at Rambus. “If the system is forced to reboot because of a single event upset, then it reboots. Our stuff reboots all the time. But for that 10% of segments that are safety-critical systems, if your analog breaks, or if they’re in a strategic rad-hard military environment, you can’t afford the time to reboot in a system like that. For those 10%, that’s where a lot more cost and effort is focused to secure those type of microelectronic systems.”
Overall, automotive is more structured than classical space components, because automotive has ASIL design requirements, said Infineon’s Puchner. “Avionics guys have DO-254 requirements, basically where firmware, hardware, and software all need to play together and be reviewed, then audited by external consultants. It’s explainable because there are human lives involved in cars, so it needs to be safe. And to the same extent in space, there is a difference whether it’s human space flight or satellites. If human space flight is involved, historically, the requirements were always dictated or defined by NASA to use the highest-level-reliability components, which are the Defense Logistics Agency– certified QML [Qualified Manufacturers List] components.”
Drones are usually short-term usage and companies are using industrial, commercial components. “But if there are special requirements, like for lifetime or temperature requirements, then typically it’s automotive, industrial components,” said Puchner.
Space companies may also choose to use automotive standards, such as ISO 26262 for functional safety or AEC-Q100 for testing scenarios such as temperature cycling phase, high temperature operation, life test, stress test, corrosion test, and contamination test, said Varadan Veeravalli, principal functional safety engineer at Imagination Technologies. “If we are doing that for automotive, you can assume how much more they will do for aero and space components.”
A key difference is that while automotive users can get an over-the-air update or visit a mechanic if certain components fail, this is not an option for many AD applications. Rather, it means the types of safety analysis conducted would be different.
“In automotive we do FMEDA [failure modes, effects, and diagnostic analysis] or DFA [dependent failure analysis], and these types of analysis to ensure that we have reached our goal,” said Veeravalli. “But in space and aerospace, they have to calculate the mean time between failure.”
This means whatever IP a company develops, if it follows everything to the rigor of a system-level design, automotive designs technically could be used to produce space chips, Veeravalli noted. “Maybe some approximation has to be done. The delta would not be quite as high. But we could still manage it, as long as we do the same level of rigor as followed in automotive.”
Once they are in production, mission-critical chips are more likely to need system-level test to drive down escape rates to acceptable defective part per million levels.
Conclusion
While there is an overlap between safety-critical and mission-critical applications, and automotive and aerospace, there are also some key differences.
“It really comes down to the finance and business aspect of automotive versus aerospace,” said Siemens’ Tuthill. “Automotive has volumes that are many orders of magnitude beyond aerospace since you’re creating things for which the change cycle is faster. You’re creating far more of that product, so there’s more automation of how things are made because they’re made at scale. While a case could be made that some simulation has been done at a higher level in automotive, and maybe sooner than aircraft, this is simply because aircraft is orders of magnitude more complex in terms of the mission they perform, and the performance they meet. There are things that couldn’t be done at an aircraft level until now that could be done in an automotive level simply because of the power of the computers.”
For automotive chip designers entering the aerospace/defense sector, “If they’re coming from commercial, it shouldn’t be a big deal if they can bring the commercial best practices, plus the security layer on top of that,” said Cadence’s Schadewitz. “They’ll be ahead of the game in aerospace and defense.”
Related Reading
Mission-Critical Devices Drive System-Level Test Expansion
SLT walks a fine line between preventing more failures and rising test costs.
ISO 26262’s Importance Widens Beyond Automotive
The international standard has been proven effective in automotive functional safety and has begun to spread to other markets.
Why Chips Fail, And What To Do About It
Improving reliability in semiconductors is critical for automotive, data centers, and AI systems.
Leave a Reply