Car functional safety through IP design

Today, the automotive industry is changing rapidly, and the design, use and sales models of cars are evolving with it. Driver safety technology, traffic congestion, environmental issues and the basic role of the car as a means of transportation all shape the development of the next generation of cars. To address these problems, many automakers are increasing computing power to optimize vehicle control. The new standards issued by the European New Car Assessment Programme (Euro NCAP) stipulate that safety assistance functions such as lane change support are required to obtain a five-star safety rating. The number of in-vehicle processors has steadily increased in all market segments, currently averaging 40-50, while some high-end models already have nearly 120 processors. According to Semicast Research, by 2022 the electronic control unit (ECU) components under the engine hood alone will reach a market size of nearly $86 billion, a compound annual growth rate of 7% from 2015. Semiconductor manufacturers will have the opportunity to tap a large pot of gold in the automotive electronics arena.

High-tech chips can reduce powertrain emissions, enhance safety, and use cellular networks to connect vehicles with road infrastructure. However, as systems become more complex, ensuring driver safety becomes even more critical, and it is necessary to create a more automated, systematic and predictable approach, what we usually call “functional safety.”

What is functional safety?

In short, the ultimate goal of functional safety is to ensure that the product operates safely and continues to protect its users even when something goes wrong. Based on this concept, ARM treats safety as a top priority rather than simply following the market, continues to strengthen research and development, and introduces more functional safety related products.

Standards are set in all walks of life to guide future development and limit minimum entry barriers. In the automotive electronics industry, this standard is ISO 26262, which defines functional safety as:

“avoid unreasonable risks due to electrical/electronic system failures”.

Standards in different fields are not completely consistent. For example, IEC 61508 for electrical and electronic systems and DO-254 for airborne electronic hardware each have their own definitions. It is also worth noting that they all have specific terminology and provide engineering development guidance including target metrics. Therefore, it is important to determine the target market and develop a suitable process before starting product development, because modifying the R&D process midway will inevitably lead to inefficiency. Figure 1 shows the different applicable standards for silicon IP. In practice, if multiple sets of standards must be met, one can seek common ground while reserving differences: first list the requirements exclusive to each standard, then implement the general guidelines, such as quality management, that they share.


Figure 1: Functional safety standards for silicon IP

In practice, a functional safety system must be certified by an independent assessor to comply with all applicable safety standards. To achieve functional safety, failure modes must be predictable: the system state must be determined to be fully functional, degraded in some functions, or in need of shutdown followed by restart or reset.

Not all faults cause serious accidents immediately. For example, a failure in a car's power steering system can lead to sudden incorrect steering, but because of the natural time delay of the electrical and mechanical design, the fault does not have an immediate consequence; this delay, usually a few milliseconds or more, is defined by ISO 26262 as the fault-tolerant time interval, and its length depends on the type of potential accident and the system design. It is therefore not difficult to understand that the higher the system's safety requirements, the more thoroughly failures that could cause unsafe events must be avoided.

Ideally, functional safety does not affect system performance; but in reality many current safety measures can seriously affect performance, power and area (PPA). How to reduce the adverse effect on system performance and the increase in design and manufacturing cost while still ensuring functional safety is a major problem faced by designers.

Why do you need functional safety?

The functional safety of chip IP used to be a very small niche, of interest to only a few chip and system developers in the automotive, industrial, aerospace and similar markets. However, with the rise of all kinds of automotive applications in the past few years, the situation has changed dramatically. Beyond cars, many other industries can benefit from the growth in electronic devices, with ensuring functional safety as a major prerequisite; medical electronics and aviation are two typical examples.

Automated driving has attracted much attention in the past few years, but it has always been shrouded in fog; now, with the popularity of Advanced Driver Assistance Systems (ADAS) and rich-media in-vehicle infotainment (IVI) systems, the prospects for self-driving cars have become clearer, even though the era of highly automated driving is still far away. UAVs of various sizes and shapes and the growing popularity of the Internet of Things are also areas where functional safety is a must. ARM technology will be a big boost here.

ARM functional safety technology

As in other technology markets, emerging functional safety applications also need semiconductors to drive them; this is not just talk, and the ever-changing product innovations have already attracted the interest of ARM partners. Most functional safety embedded systems require two core elements: safety protection and real-time processing. The ARM Cortex-R series processors are tailored to this need, providing high-performance computing for embedded systems that must ensure high reliability, high availability, fault tolerance and/or deterministic real-time behaviour. These features lay the foundation for the high safety integrity of ADAS and IVI systems, handling not only critical behaviour, safety-related interrupt events and communication with other systems, but also complex functions with lower integrity requirements.

What is a malfunction?

Failures can be systematic (for example, human error in the specification and design process); they may also be related to the tools used. One way to reduce such failures is to implement a rigorous quality control process that must include detailed planning, review and quantitative assessment. Proper planning and the use of tool qualification are very important, and the ability to manage and track changes in requirements is equally critical. ARM Compiler 5 has been certified by TÜV SÜD, which facilitates safety-related R&D without the need for additional qualification of the compiler.

There is also a type of failure called a random hardware failure. These may be permanent faults, as shown in Figure 2, such as short circuits; they may also be soft faults due to natural radiation. This type of failure can be handled with solutions integrated in hardware and software, so system-level techniques are equally important. For example, a Logic Built-In Self Test (BIST) can be run at system startup and shutdown to distinguish between soft and permanent failures.


Figure 2: Types of fault


The choice and design of fault detection and control measures is a favourite part of the process for designers, because they can use both system-level and micro-architectural techniques. Establishing a Failure Mode and Effects Analysis (FMEA) is a good place to start, listing all possible failure modes and the severity of their consequences. With this information and the designer's in-depth understanding of the complex system, the most serious failure modes can be identified and countermeasures designed.

There are many ways to deal with potential failures. Here are some of the most common techniques:

· Diverse checker: use a separate circuit to check whether the main circuit has failed. For example, a checker can monitor the interrupt controller and keep an independent count of the total number of interrupts raised by users and by the system.

· Full lockstep replication: this technique, used mainly in the Cortex-R5 processor, instantiates multiple copies of an IP component (such as a processor) and runs them with a delay of a few cycles between them, producing both temporal and spatial redundancy. Large memories are typically shared between the instances to reduce the required area. Although this technique is very reliable, it is also extremely expensive.

· Selective hardware redundancy: in this scenario only critical parts of the hardware, such as an arbiter, are replicated.

· Software redundancy: hardware redundancy is often very complex and incurs indirect costs, which can be an unreasonable use of resources. An alternative to hardware replication is to run the same calculation on multiple processor cores and check whether the results match.

· Error detection and correction codes: another well-known technique, commonly used to protect memories and buses. There are many different types of code, but they share one goal: to provide redundancy with a small number of additional bits, without having to copy all of the underlying data. In automotive systems, this technique typically has enough redundancy to detect a 2-bit error in a memory word and also to correct errors.

Fault log

Once a fault is detected, it must be recorded to help the supervisory software determine the health and safety of the system. Safe faults (such as corrected memory errors) and dangerous faults (such as irreparable hardware faults) must be recorded separately.

Fault logging usually starts with a fault count, which can be kept by the system-level architecture counting signalled events (similar to interrupts) or by a counter in the IP. To understand the causes of these events, it is best to use past events as a reference when determining the cause of the current one. To support this requirement and to debug error correction, some IP can capture additional information, such as the memory address being accessed. Because this address is usually preserved across a soft reset, it can be read during system startup and system self-test.

One thing to keep in mind is that faults can also occur in the safety architecture itself. Unlike a hardware fault, which can usually be discovered very quickly during use, a fault in the safety checker may be latent: the checker has been unable to detect dangerous faults, yet the problem has spread quietly. Such a fault is called a latent fault, and it is a good idea to test the checker regularly.
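As an added illustration of the error-correcting code, the separate fault counts and the checker self-test described above (constructed example code, not ARM's or any product's implementation): a SECDED code for one byte, a fault log that records safe and dangerous faults apart, and a periodic self-test that injects known errors so a latent fault in the checker is caught. The fault_log layout and the 0xA5 reference word are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
/* Hypothetical SECDED (extended Hamming) for one byte: bits 1..12 carry the
 * Hamming(12,8) codeword (parity at positions 1,2,4,8), bit 0 an overall parity bit. */
static const uint8_t DATA_POS[8] = {3, 5, 6, 7, 9, 10, 11, 12};
typedef enum { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE } ecc_status;
/* Constructed fault log: safe (corrected) and dangerous (uncorrectable) faults counted apart. */
typedef struct { uint32_t corrected, uncorrectable, last_addr; } fault_log;
static unsigned parity(uint32_t v) { unsigned p = 0; for (; v; v >>= 1) p ^= v & 1u; return p; }

uint16_t secded_encode(uint8_t data) {
    uint16_t cw = 0;
    for (int i = 0; i < 8; i++)
        if (data & (1u << i)) cw |= (uint16_t)(1u << DATA_POS[i]);
    for (unsigned p = 1; p <= 8; p <<= 1) {      /* parity p covers positions whose index has bit p set */
        unsigned acc = 0;
        for (unsigned i = 1; i <= 12; i++)
            if ((i & p) && (cw & (1u << i))) acc ^= 1u;
        cw |= (uint16_t)(acc << p);
    }
    return cw | (uint16_t)parity(cw);           /* bit 0 makes the whole word even parity */
}

/* Decode one word; repaired data is returned on a correctable error, and the log is updated. */
ecc_status secded_decode(uint16_t cw, uint32_t addr, uint8_t *data, fault_log *log) {
    unsigned syndrome = 0;
    for (unsigned i = 1; i <= 12; i++)
        if (cw & (1u << i)) syndrome ^= i;       /* XOR of set-bit positions; 0 for a valid word */
    ecc_status st = ECC_OK;
    if (parity(cw & 0x1FFFu)) {                  /* odd number of flips: assume one and repair it */
        cw ^= (uint16_t)(1u << syndrome);        /* syndrome 0 means bit 0 itself flipped */
        st = ECC_CORRECTED; log->corrected++;
    } else if (syndrome) {                       /* even flips with nonzero syndrome: two bits */
        st = ECC_UNCORRECTABLE; log->uncorrectable++;
    }
    if (st != ECC_OK) log->last_addr = addr;     /* keep the address for later diagnosis */
    *data = 0;
    for (int i = 0; i < 8; i++)
        if (cw & (1u << DATA_POS[i])) *data |= (uint8_t)(1u << i);
    return st;
}

/* Periodic checker self-test against latent faults: inject known single and double
 * flips into a reference word and confirm the checker still reports them correctly. */
bool secded_selftest(void) {
    fault_log scratch = {0, 0, 0};
    uint8_t out;
    uint16_t good = secded_encode(0xA5);
    if (secded_decode(good, 0, &out, &scratch) != ECC_OK || out != 0xA5) return false;
    if (secded_decode(good ^ (1u << 6), 0, &out, &scratch) != ECC_CORRECTED || out != 0xA5) return false;
    if (secded_decode(good ^ 0x240u, 0, &out, &scratch) != ECC_UNCORRECTABLE) return false;
    return scratch.corrected == 1 && scratch.uncorrectable == 1;
}
```

A supervisor would call secded_selftest() at startup and on a timer, treating a false return as a dangerous fault of the checker itself rather than of the protected memory.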

Safety integrity level

Different standard systems have different ways of expressing safety levels, but their main purpose is to reflect the criticality of a function intuitively. For example, the ECU that controls the windshield wiper, airbag or brakes must have a higher integrity than the ECU that controls the speedometer or parking sensor, because the forward view is critical, and sudden braking or airbag inflation can have fatal consequences for the occupants; the speedometer or parking sensor matters much less to safety.

In other words, the safety integrity level is related to the necessity and ability of people to avoid dangerous situations; the role of the standards is to guide people on how to define safety integrity levels and to provide relevant parameters that help them quantify system integrity.

IEC 61508 classifies the Safety Integrity Level (SIL) into four levels, with SIL 4 being the highest. Similarly, ISO 26262 defines the Automotive Safety Integrity Level (ASIL), from ASIL A at the lowest to ASIL D at the highest. In addition, as shown in Table 1, for ASIL B to ASIL D ISO 26262 proposes recommended metrics for single-point faults, latent faults and the probabilistic metric for random hardware failures (PMHF, often expressed in the industry as failures in time, FIT). The proportion of faults that can be detected is called diagnostic coverage.


Table 1. Recommended standards for ISO 26262

Although these metrics are usually considered standard requirements, in practice they are generally treated only as recommendations, and suppliers can set their own target parameters. The most important goal is to create a safe product, not to add a few more numbers to the product data sheet. Let us borrow again the examples mentioned above: windshield wipers, brakes and airbags. These components may have a safety level of ASIL D, while the speedometer and parking sensor may be ASIL B or lower, depending on the safety level the overall system is designed for.

Regardless of the diagnostic coverage achieved, you must follow the right process when building a functional safety application; this is the biggest benefit of the standards. In addition, strict quality processes improve the overall quality of any application, independent of the functional safety measures.

Functional safety IP design flow

When developing functional safety applications, it is very important to “follow the rules”. The process must take safety into account from the outset, and it must also create a culture that supports safety.

The complete development process must include the following important aspects:

· Safety management: including the team organization structure, such as defining the roles and responsibilities of different positions, creating a safety culture, defining the safety life cycle, and defining the level of functional safety support. Setting up the safety life cycle includes developing a sound plan, selecting the right development tools, and ensuring that the team is fully trained.

· Requirements management and traceability of fault detection and control measures (responses). To implement requirements traceability accurately, the definition of each requirement must be clear, precise and unique. The level of traceability depends on the integrity requirements, and the documents may be high-level; the product must be comprehensively covered from fault detection through to verification, and the planning process must not be groundless but must be verified in detail.

· Quality management is an expansion and extension of requirements traceability. Errata must be properly managed and used, an area in which ARM has extensive experience. In addition, recording and communicating the processes is equally important.

Safety package

IP development is one way ARM supports its partners, and the partnership does not stop the moment customers receive the IP. For functional safety related IP development, ARM defines two levels of safety package:

· Standard support up to ASIL B

· Extended support up to ASIL D

Each safety package contains a safety manual detailing the processes followed, the fault detection and control functions, applicable scenarios and other information. We also provide failure mode and effects analysis reports and case studies on how to achieve higher diagnostic coverage with the IP; we also provide further chip-level support for customers' independent analyses. In addition, the package clearly defines the development interface between ARM and the licensee.

Safety Element out of Context

The establishment and use of safety status reports must progress step by step. The report is provided by the chip developer, and the information from all vendors must be considered together and finally delivered to the customer for use. Most licensed chip IP is a “Safety Element out of Context” (SEooC), whose designers do not need to know how the chip will later be used. Therefore, the safety manual must explain the IP developer's recommendations and instructions for using the chip, to avoid misuse. Similarly, OEMs and Tier 1 controller vendors can also use the SEooC model to develop safety functions. IP-level safety packages are therefore usable throughout the value chain and are an important part of IP development.

Functional safety will gradually become a hard requirement

From cars to medical to industrial equipment, more and more applications rely on electronic devices, and functional safety is becoming more important and will become a regular requirement. Functional safety is a requirement that IP vendors must meet and a necessary condition for the smooth operation of products built on that IP. Therefore, IP vendors must pass each result of their work on to as many chip partners as possible, and vice versa. With solid quality and reliability, functional safety delivers a wider range of benefits that drive quality and reliability across the industry. Functional safety, along with driver safety, fuel economy, comfort and in-vehicle infotainment systems, is the foundation for chip designers to solve higher-level automotive challenges.
