For self-driving cars, safety will start in semiconductors. The hundreds of complex chips inside cars must be protected against electrical faults that could undermine the code behind advanced features like collision avoidance and lane-change warnings.
To defend against failures in automated safety and driving systems, automakers took pages from manufacturing and aerospace’s playbooks. The industry has drafted the ISO26262 standard to make an industry rooted in mechanical engineering more safety conscious. The chip industry is adjusting, partly to avoid liability for self-driving car malfunctions and partly to hedge against costly recalls.
ISO26262 has strict guidelines for creating chips impervious to faulty signals as well as the random effects of constant overclocking, age, sunlight, and other types of radiation that could trip up transistors. The standard grades chips from A to D—more commonly known as Automotive Safety Integrity Levels, or ASILs—according to how well they withstand such faults.
With automakers aiming for fully autonomous cars within the next five years, software firms are under pressure to provide functional safety tools, while chip suppliers must sell products that meet ISO26262. On top of that, automotive engineers still need to meet reliability standards—which define how chip packages tolerate heat and vibrations.
OneSpin Solutions, a former unit of the automotive chip maker Infineon, has thrown its weight behind formal verification, which uses statistics instead of simulations. The largest EDA firms have also been active in recent years: Both Cadence and Mentor Graphics have recalibrated tools for ISO26262, while Synopsys moved into fault simulation last year with its acquisition of WinterLogic.
“Before we got seriously into automotive, reliability was related to the number of power-on hours that your SoC worked and that is anywhere between 8,000 and 22,000 kilowatt hours” for consumer devices, said Navraj Nandra, a senior marketing director for Synopsys, which also employs an internal team of nine safety engineers.
“That is essentially a New York cab driving all day,” Nandra said. “You are talking lots of ‘on’ time and that will impact the reliability of your chips.”
Meeting reliability and functional safety standards could pay off. Luca De Ambroggi, a principal analyst for IHS Markit, estimates that the market for automotive semiconductors will generate $48 billion in 2022, up from $32 billion last year. He also predicts that $460 of the $6,000 worth of electronics inside high-end cars by 2022 will be semiconductors.
OneSpin’s thesis is that formal verification is ideal for testing automotive chips. The ISO26262 standard also sets the bar high for safety, requiring that the billions of transistors inside chips be fault-free. To meet another requirement for diagnostic coverage, chips must be 99% protected against environmental effects that could cause, for example, bit flips in memory and accidentally engage the car’s brakes.
"About 10 years ago, everyone realized that simulation didn't have the horsepower anymore," said Dave Kelf, vice president of marketing for OneSpin, in a recent interview. "Now, we are into incredibly complex chips, these simulations run for weeks, and designers would check in every morning after getting their coffee to see where they are."
To prune faults from hardware, OneSpin expanded its formal verification software with fault injection apps, which intentionally insert errors to ensure that chips can stumble but keep working. In May, it released two new apps that insert and detect random faults within chips that control everything from front-facing cameras to automatic braking.
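The two passages above describe the same measurement from two sides: ISO26262 asks for high diagnostic coverage against upsets such as memory bit flips, and fault injection apps insert such upsets to measure it. The following script is an added illustration written for this article, not OneSpin's or any other vendor's tool. It exhaustively injects every single- and double-bit upset into a constructed 16-bit register built three ways (unprotected, even parity, triple modular redundancy) and counts how many faults are tolerated, detected, or silently corrupt the value; diagnostic coverage is then the share of faults that did not end in silent corruption.

```python
"""Exhaustive fault-injection campaign on three toy 16-bit register designs.

Added illustration, not a vendor tool: every single- and double-bit upset is
injected into a stored word and classified as tolerated (output still
correct), detected (wrong output but flagged), or undetected (silent
corruption, the dangerous case).
"""
from itertools import combinations

WIDTH = 16  # data bits per register


def to_bits(value, width):
    """Little-endian list of bits."""
    return [(value >> i) & 1 for i in range(width)]


def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))


def flip(bits, positions):
    """Copy of `bits` with the given positions inverted: the injected fault."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


class Plain:
    """Unprotected register: any upset silently changes the value."""
    name = "plain"

    def encode(self, value):
        return to_bits(value, WIDTH)

    def decode(self, bits):
        return from_bits(bits), False  # no error signal at all


class Parity:
    """Even parity: detects every odd number of flipped bits, corrects none."""
    name = "parity"

    def encode(self, value):
        bits = to_bits(value, WIDTH)
        return bits + [sum(bits) % 2]

    def decode(self, bits):
        data, stored_parity = bits[:WIDTH], bits[WIDTH]
        return from_bits(data), (sum(data) % 2) != stored_parity


class TMR:
    """Triple modular redundancy: three copies and a bitwise majority voter."""
    name = "tmr"

    def encode(self, value):
        return to_bits(value, WIDTH) * 3

    def decode(self, bits):
        copies = [bits[i * WIDTH:(i + 1) * WIDTH] for i in range(3)]
        voted = [1 if a + b + c >= 2 else 0 for a, b, c in zip(*copies)]
        # Any copy disagreeing with the vote is reported as a detected fault.
        detected = any(copy != voted for copy in copies)
        return from_bits(voted), detected


def campaign(design, value, multiplicity):
    """Inject every combination of `multiplicity` bit flips into the stored word."""
    stored = design.encode(value)
    stats = {"injected": 0, "tolerated": 0, "detected": 0, "undetected": 0}
    for positions in combinations(range(len(stored)), multiplicity):
        read, detected = design.decode(flip(stored, positions))
        stats["injected"] += 1
        if read == value:
            stats["tolerated"] += 1   # masked or corrected: output still right
        elif detected:
            stats["detected"] += 1    # wrong output, but flagged: safe state possible
        else:
            stats["undetected"] += 1  # silent corruption: the dangerous case
    return stats


def diagnostic_coverage(stats):
    """Fraction of injected faults that were tolerated or detected."""
    return (stats["tolerated"] + stats["detected"]) / stats["injected"]


if __name__ == "__main__":
    sample = 0xBEEF  # constructed register contents; the counts do not depend on it
    for design in (Plain(), Parity(), TMR()):
        for k in (1, 2):
            s = campaign(design, sample, k)
            print(f"{design.name:6s} {k}-bit faults: {s}  DC={diagnostic_coverage(s):.3f}")
```

Running it shows why the 99% figure is demanding: parity reaches full coverage for single upsets and zero for double ones (an even number of flips leaves the parity intact, and flipping the parity bit alongside a data bit hides the error), while TMR tolerates every single upset and still flags the 48 double upsets that hit the same bit in two copies. A real campaign would inject faults into a gate-level netlist rather than a toy encoder, but the bookkeeping is the same.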
“In automotive systems, it is difficult to inject faults into physical devices,” said Robert Bates, chief safety officer of Mentor Graphics' embedded software unit, in a recent interview. "It’s kind of destructive. You can do fault injection testing once, then you have to go out and buy new boards.”
Entire startups have been built around the tenets of fault injection. Austemper Design Systems, based in Round Rock, Texas, recently released what it called an end-to-end automotive tool suite that tests chips against functional safety standards, automatically adds fault tolerance to memory, handles safety synthesis, and runs parallel fault simulations on design files.
With roots in automotive chips, OneSpin is making the most of the autonomous driving movement. The company’s revenue has grown 75% every year in the four years since one of its founders, Raik Brinkmann, took over as chief executive. Its customers include Infineon, Robert Bosch, and Renesas.
In addition to verifying that chips will not incur systematic errors, ISO26262 demands that companies prove that their tools don’t insert safety errors into devices and that errors falling through the cracks can be corrected. For example, a company needs to know that compilers will not add mistakes when turning C into object code. It would take too long for an engineer to sift through all the compiled code.
That is the reason for the Mentor Safe qualification program, which provides documentation to show that its simulation, debugging, and other automotive tools are certified for ISO26262, so that Mentor Graphics’ customers don’t have to. Bates said that Mentor plans to continue certifying tools, including a defect simulator for analog and mixed-signal chips as well as fault injection tools.
Preventing physical faults still dominates the conversation, but security is another aspect of safety causing deep concerns. The ISO26262 standard offers no guidelines on the over-the-air software updates used to patch security flaws, but experts, including Bates, are also increasingly worried about poorly protected cloud infrastructure, which could give hackers access to entire fleets of connected cars.
Karamba, a start-up that raised $12 million in a May funding round, offers software that seals off electronic control units used for navigation and other functions, checking that only factory code is running inside them. At the Design Automation Conference last month, researchers proposed using runtime enforcers called safety guards to dampen the effects of transient errors and hacking.
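The "safety guard" idea above, a runtime enforcer that bounds the damage a transient error or a compromised controller can do, is easiest to see in code. The script below is an added illustration written for this article; it is not taken from the DAC paper or from any vendor's product, and its brake-pressure envelope, slew limit, strike count and safe command are all constructed values. The guard sits between the controller and the actuator: a command outside the physical envelope is clamped, a command that moves faster than the actuator should is rate-limited, an isolated glitch is forgiven, and repeated violations trip the guard into holding a fixed safe command.

```python
"""Runtime safety guard for an actuator command stream.

Added illustration of a runtime enforcer ("safety guard"), not vendor code.
Every limit below is a constructed example value.
"""
from dataclasses import dataclass, field
from math import copysign


@dataclass
class Envelope:
    """Constructed limits for a brake-pressure command in percent, per 10 ms tick."""
    lo: float = 0.0
    hi: float = 100.0
    max_step: float = 20.0   # largest allowed change between consecutive ticks
    safe_cmd: float = 0.0    # command held once the guard trips (assumed value)


@dataclass
class SafetyGuard:
    env: Envelope = field(default_factory=Envelope)
    max_strikes: int = 3     # consecutive violations before entering the safe state
    last: float = 0.0
    strikes: int = 0
    tripped: bool = False
    events: list = field(default_factory=list)

    def enforce(self, cmd: float) -> float:
        """Return the command actually allowed through to the actuator."""
        if self.tripped:
            return self.env.safe_cmd
        out, violated = cmd, False
        # Rule 1: stay inside the physical envelope.
        if not (self.env.lo <= cmd <= self.env.hi):
            out = min(max(cmd, self.env.lo), self.env.hi)
            violated = True
        # Rule 2: limit how fast the command may move between ticks.
        delta = out - self.last
        if abs(delta) > self.env.max_step:
            out = self.last + copysign(self.env.max_step, delta)
            violated = True
        if violated:
            self.strikes += 1
            self.events.append(f"violation: requested {cmd}, allowed {out}")
            if self.strikes >= self.max_strikes:
                self.tripped = True
                self.events.append("guard tripped: holding safe command")
                out = self.env.safe_cmd
        else:
            self.strikes = 0   # isolated glitches do not accumulate
        self.last = out
        return out


def run(commands, **guard_kwargs):
    """Feed a command trace through a fresh guard; return (outputs, guard)."""
    guard = SafetyGuard(**guard_kwargs)
    return [guard.enforce(c) for c in commands], guard


if __name__ == "__main__":
    # Constructed traces: one transient spike versus a sustained bogus demand.
    for label, trace in (("transient", [0, 10, 20, 120, 30, 40]),
                         ("sustained", [0, 200, 200, 200, 200])):
        outputs, guard = run(trace)
        print(label, outputs, "tripped" if guard.tripped else "ok")
        for e in guard.events:
            print("   ", e)
```

The transient trace passes with one clamped sample and the strike counter reset, which is the "dampening" behaviour the researchers describe; the sustained trace trips the guard on the third violation, so a controller that is stuck or under someone else's control never gets to drive the actuator to its demanded value. The guard's own value depends on it being simple enough to verify and on living in a place the controller cannot modify, which is why this kind of logic is typically kept in a separate, minimal component.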
Though companies are aiming to improve security within cars, most experts preach regular wireless software updates to stop hackers from hijacking your steering wheel or brake pedal. Hackers and malicious software will "poke and prod and find openings that no amount of verification is going to find," Bates said in an interview.
Over the last two years, Intel has telegraphed that strategy most clearly. Intel’s Wind River unit, which bought a DAC booth last month, now sells technology for wirelessly updating software and firmware in cars. Last year, the company acquired Yogitech, whose technology adds functional safety to chips embedded in factory robots and cars.
“There is this classic thought process, you can have security without safety but you can’t have safety without security,” Bates said. “A security flaw could expose modifications that then render whatever effort you put into safety useless.”