« Previously: Industry veterans pioneer ASIL D-certified MCU dev't  

In short, ASIL certification isn’t just a one-off test. It’s about the development process to which additional safety activities and rigorous checks need to be applied and incorporated. This is about the “overall safety culture in the organisation, safety management within product development and production, safety plan, safety case, safety assessment, safety concept, safety analysis, safety manual and others,” explained an NXP spokesperson.

Shortening the process

IP core suppliers such as ARM and Synopsys are striving to cut drastically the time that it takes for chip vendors to design, certify and launch safety-critical ADAS/autonomous car SoCs.

Angela Raucher, product line manager, ARC EM Processors at Synopsys, explained that automotive-safety SoCs demand additional testing for as long as six months beyond a typical verification process.

Typically, the SoC verification process would first look at “systematic faults” resulting from silicon or software bugs and incomplete or incorrect specs. Additional automotive-safety SoC testing must focus on “random faults” triggered by silicon failure (transistor, metal connection, etc.) or software failure (such as alpha particle) and to determine whether these are permanent, transient, or latent.

It would be helpful to offer “pre-built” and “verified” processors [which will go into ASIL D-certifiable chips] with caches and tightly coupled memories. These would require error correction and detection, a redundant (or shadow) core running the same code, logic to monitor and compare results from redundant cores, and extensive safety documentation for ISO 26262, Raucher said.

Both ARM and Synopsys offer similarly designed ASIL D-certified dual-core lockstep processors with an integrated safety monitor.

ARM describes its Cortex-R52 as featuring “dual-core lockstep with comparators to monitor the processors and many other fault detection features—and it has been designed to address ASIL D requirements.” Phil Burr, senior product marketing manager at ARM, also added that the company provides “the safety documentation required for partners to document the design process in line with ASIL D requirements, which simplifies the certification process when the full solution is sent for ASIL D certification.”

ARM Cortex 52 (cr) Figure 1: ARM Cortex 52 block diagram (Source: ARM)

ARM’s biggest claim to fame is its abundance of ARM-based safety-certified devices in the market, even if not using Cortex-R52 yet. “As an example, the TI TMS570LS10206 is a dual-core lockstep device based on ARM that is certified to SIL3 (equivalent to ASIL D),” according to ARM's Burr.

Meanwhile, Synopsys’ Raucher claims that the company’s ARC EM Safety Islands offer “the smallest processor IP with the hardware safety features and lockstep capability to meet ASIL D requirements.”

Synopsys is also hoping to capture business from consumer-chip vendors familiar with ARC cores. It is planning to design SoCs that can address both automotive and consumer markets. ARC EM Safety Islands offer “the ability to support ASIL D lockstep or ASIL B (or even non-automotive) independent modes,” she added.

In Strategic Analysis’ Riches view, “ARM is certainly seeking to expand its automotive footprint and, in our view, has a significant headstart on Synopsys/ARC.”

He added, ARM “already has devices in market from volume automotive-specialist semiconductor vendors. One challenge that Synopsys will face is building up an ecosystem of third-party support in terms of OSes and development tools to rival that which ARM offers.”

 
Next: Why ASIL D now? »