Suppliers looking to enter this market pay a premium in design time, certification and verification requirements.
A revolution is occurring under the hoods of vehicles today, as the automotive industry continues to add sophistication via electronics to vehicles at a pace never seen before. But because of the automotive ecosystem’s tiered structure, system companies, IP and embedded software developers and tools vendors must invest more just to participate.
Robert Bates, chief safety officer in Mentor Graphics’ Embedded Systems Division, said there are many changes underway in the automotive industry today that appear to be headed in two orthogonal directions.
“There is a push for more and more formalism, through ISO 26262, and the revamp that’s coming,” said Bates. “What that’s doing is asking the OEMs, the Tier 1s and the Tier 2s, to design and develop in a more standardized way than they were used to. Ten years ago, Volvo would have its own way of asking its Tier 1s to do things in terms of safety and reliability. And if you went to work with Daimler or Toyota, they’d have their own ways of asking their suppliers to do things. Now, with everything that’s gone wrong in the industry, and with this formalization in ISO 26262, they’re asking them to be much more standardized and complete from a quality standpoint.”
At the same time, he said a more pragmatic approach is developing. “Before 2020, self-driving cars will be a reality on the roads, not just as a mode in a Tesla. That’s going much, much faster than the formality. So at the same time we’re going this way with formality, we have to go this way with pragmatism: ‘If we can show heuristically that features are safer than the human, then perhaps all of that formality doesn’t mean as much, and we’re going to pick and choose from this side, and from this side where we are going.’”
Layered across these shifts are changes in the ecosystem itself.
“There are the traditional players that are building more and more sophisticated chips,” said Mike Stellfox, a Cadence Fellow. “And then there are a lot of new players in the market, especially as the mobile sector has kind of settled out, which was the last big wave. In terms of new and interesting chip design, we see ADAS is really driving the complexity and some of the more advanced players into building chips for this market.”
So there are companies that are entrenched, such as Tier 2s, which have done such things as MCU design. Many of those companies are maturing, Stellfox said. “They understand the rigor of verification that’s required and the safety aspects of it. Then there are the companies that are used to building much more sophisticated chips. They are used to the rigor of verification for a mobile phone, which is pretty rigorous, but not the same level as automotive. And then there is the whole functional safety aspect.”
Follow the money
For EDA tools providers, this opens up opportunities in verification and software bring up, albeit with a new set of concerns.
“Especially for the more complex chips, functional safety is bringing a whole new level of verification requirements. Similarly, on the IP side, it’s putting much more rigor in terms of getting our IP qualified with ASIL to be ready for ASIL compliance,” Stellfox said.
In fact, verification is one of the big beneficiaries of automotive reliability concerns. Ansys already has 60 automotive customers for its chip-package-system simulation technology. The driver, according to Vic Kulkarni, Ansys vice president and general manager, is a concern about physical effects such as heat and EMI interference.
“Antennas are a huge part of the equation because of V2X (vehicle-to-everything) communication, and all the new standards which are coming from vehicle to vehicle, as well as within the vehicle,” Kulkarni said. “For example, when there are four passengers within a vehicle, what happens when each has their own smartphone, there is a car infotainment system, a GPS, and the car talking to something else for control systems? All of these have very high interference patterns that can create major safety hazards beyond the classic interference, low-level music, and so on. The real problem we see is automotive safety in terms of that. From the view of embedded systems, there are typically 20 million to 100 million lines of code in an automobile. Compare that to an F32 fighter jet that has about 30 million lines of code. It’s an unbelievable amount of embedded code.”
Complying with safety standards as well as the ISO standards is not optional. In addition, looking at where the car is driving, what is happening in the surroundings in terms of road conditions, and feeding that information back, requires antennas to be in perfect shape for that communication.
Additional requirements for IP providers
IP providers have their own set of stringent regulations, particularly around defect densities and extended temperature ranges. That requires silicon, which is expensive, as well as some strong partnerships.
“For our type of IP, we always have to go through silicon qualification,” said Bernd Stamme, vice president of business operations at Kilopass Technology. “Standards that we use for commercial or industrial customers are tough already, but they’re not even close to the automotive standards. For us, the qualification cycle is longer, requires different test chip packaging that can handle these type of temperatures, and yet we still have to rely for automotive quality on the qualification of the end product because it is very package-dependent.”
In addition, he said that sales and support cycles for automotive customers are very different compared to commercial customers. Kilopass normally tests for 10 years of data retention, but for a lot of automotive customers 20 years is required. That doubles the test time.
“Further, we do a lot of different ports and a lot of different qualifications, so it’s disruptive because it doesn’t line up with other products that people use us for, like secure boot,” Stamme said. “Some of them are MCUs. All are name-brand customers that you know. So secure boot is required also for things like calibration, and in sensor chips. If the calibration goes wrong, then it could have very dramatic effects on automatic steering, for example. Data retention and extremely low failure rates are crucial for that market segment.”
Increasing effort with ISO 26262
All of these extras come at a price. “Even if there are companies which have done IC development for automotive for a long time, the formalism of ISO 26262 imposes easily a 30% increase in effort,” said Joerg Grosse, product manager for functional safety at OneSpin Solutions.
As if that increase in effort isn’t staggering enough, Bates pointed out that the 30% increase is on the hardware side, but the increase on the software side is at least as high because a lot of the formalism that really wasn’t in the software development process is required now with ISO 26262.
Today, that formalism is rather complex.
“In the automotive world, a lot of the software is generated through tools, but the verification has to occur through simulation at the model level, at the end level, and then all of the more formalized steps that you have to take with anything handwritten,” Bates explained. “Before, each company would do things their own way and say, ‘We are convinced that this is good enough.’ But the formalism that’s imposed by ISO 26262 basically requires an all-inclusive approach. Yes, ISO 26262 says you don’t have to do this, but then you have to argue with your certifier, your OEM, and sometimes it’s just easier to just change the way something is done. It is adding a lot of effort, especially at the Tier 2 level, with the suppliers of software stacks to the Tier 1s, and to the Tier 1s, as well.”
That formalism is expensive, Grosse noted. “It’s a lot more expensive, and for people who have IP and want to enter the market — let’s say a company has a camera interface and wants to enter the automotive market — it’s maybe even more expensive because they don’t have the experience.”
Finally, Bates relayed a conversation he had in April while attending SAE World Congress, during which he talked with an academician who was trying to get his tools into the automotive world—and finding it almost impossible. “He’s caught in this chicken-and-egg problem, where on the one side he’s got really interesting technology that people want to use, and on the other side he can’t afford $50,000 to $100,000 just to certify something.”
How will these processes evolve as vehicles include ever more sophisticated algorithms with the eventual goal of autonomous driving? It may be that the standards keep us all safer on the roads, but suppliers will take some time to get up to speed and incorporate them into their design and verification processes.
Related Stories
New Drivers For Test
Pressure is mounting to reduce test costs, while automotive is demanding more ability for circuits to test themselves. Could this unsettle existing design for test solutions?
Autonomous Vehicle Disruptions Ahead
When self-driving cars actually reach the market is still not clear, but the automotive ecosystem is preparing for huge changes.
Tech Talk: ISO 26262
What can go wrong in designing to this automotive standard.
Leave a Reply