
AI pushes functional safety further to the fore

In a world of increasing machine automation, driven by artificial intelligence (AI), functional safety is an essential part of the engineering process for autonomous vehicles, industrial IoT, robotics, and many other areas.

It can – and indeed must – be considered an essential part of the development process for systems and their respective IP components.

The IP business model

Reusable IP is a critical element in the SoC design business.

SoC integrators benefit in two ways: they save money by licensing IP for significantly less than the cost of developing and supporting that IP themselves and they save time as the IP is already designed and verified.

IP developers can focus their business on IP where they have specialist knowledge and experience.

They license the IP at a cost less than the development costs of that IP, but they license it to many SoC integrators to make a sufficient return on their investment.

To maximise the value of the IP the SoC integrator must be able to use it without having to invest time and effort in understanding the details of the design.

To enable this, the IP vendor supplies a package to assist in the integration and use process, including:

  • support and maintenance, including documentation;
  • a simulation environment; and
  • scripts to support power analysis, simulation, timing analysis, synthesis and functional safety.

Advances in AI, especially using artificial neural networks, have launched a dramatic growth in demand for intelligent electronic systems.

Where these systems use that intelligence to understand their environment and use that knowledge to control equipment in an autonomous fashion, the potential risk to life must be managed to acceptable levels.

One of the places where this consideration is most prominent is in the automotive industry, with advanced driver assistance systems (ADAS) and the move towards fully autonomous vehicles.

The management of risk is achieved through the adoption of functional safety considerations in the design of these automated systems, with the ISO 26262 functional safety standard as a specific derivative of the IEC 61508 generic functional safety standard for electrical and electronic systems.

Functional safety

Functional safety is intrinsically end-to-end in scope to ensure that the system operates to minimise risk of injury in the presence of faults that can occur. These faults fall in two main categories: systematic and random.

Systematic faults are present in all implementations, possibly due to a design flaw. These errors are addressed through effective development methodologies driven by a quality management system which is documented to allow independent traceability and audit, and applies to both the overall system and each IP.

Random faults are transient faults, such as soft errors due to radiation and interference resulting from EMI or power glitches; permanent faults as a result of shorts; dependent faults due to failures of related elements in a system; and latent faults where the impact of the fault may not be observed for some time. These errors are addressed through a combination of self-test capability, hardware safety mechanisms and functional redundancy.

The level of functional safety at the system level is determined through detailed failure modes, effects and diagnostic analysis (FMEDA), and is dependent on the analysis of each IP.

The FMEDA technique considers:

    • all elements of the design;
    • the functionality of each element;
    • the failure modes of each element;
    • the effect of each component’s failure mode on the product functionality;
    • the ability of any automatic diagnostics to detect the failure;
    • the design strength (de-rating, safety factors); and
    • the operational profile (environmental stress factors).
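As an added illustration (not part of the original article), the following Python rolls a constructed FMEDA for a hypothetical processor IP up into the ISO 26262 hardware architectural metrics, the single-point fault metric (SPFM) and latent fault metric (LFM), and checks them against the targets the standard's Part 5 sets per ASIL. The element names, FIT values and diagnostic coverage figures are invented for the example.

```python
from dataclasses import dataclass

# ISO 26262-5 targets (SPFM, LFM) per ASIL; ASIL A has no required target.
METRIC_TARGETS = {"B": (0.90, 0.60), "C": (0.97, 0.80), "D": (0.99, 0.90)}

@dataclass
class FailureMode:
    element: str          # design element this mode belongs to
    name: str             # failure mode description
    share: float          # fraction of the element's failure rate in this mode
    safety_related: bool  # can this mode violate the safety goal?
    dc_primary: float     # diagnostic coverage against single-point/residual faults
    dc_latent: float      # diagnostic coverage against latent (multiple-point) faults

def fmeda(elements: dict, modes: list) -> dict:
    """Roll failure modes up into SPFM/LFM. elements maps name -> FIT (1e-9/h)."""
    total = sum(elements.values())
    residual = 0.0  # undetected faults that violate the safety goal (SPF + RF)
    latent = 0.0    # faults caught by the primary mechanism but never tested for
    for m in modes:
        lam = elements[m.element] * m.share
        if not m.safety_related:
            continue  # safe fault: counts in the total but causes no hazard
        residual += lam * (1.0 - m.dc_primary)
        latent += lam * m.dc_primary * (1.0 - m.dc_latent)
    spfm = 1.0 - residual / total
    lfm = 1.0 - latent / (total - residual)   # LFM excludes SPF/RF from the base
    return {"total": total, "residual": residual, "latent": latent,
            "spfm": spfm, "lfm": lfm}

def meets_asil(metrics: dict, asil: str) -> bool:
    spfm_t, lfm_t = METRIC_TARGETS[asil]
    return metrics["spfm"] >= spfm_t and metrics["lfm"] >= lfm_t

# Constructed sample: base failure rates in FIT for three hypothetical elements.
ELEMENTS = {"core_logic": 100.0, "l1_cache": 200.0, "bus_if": 50.0}
MODES = [
    FailureMode("core_logic", "stuck-at in pipeline", 1.0, True, 0.99, 0.90),
    FailureMode("l1_cache", "bit flip in data array (ECC)", 0.8, True, 0.999, 0.95),
    FailureMode("l1_cache", "bit flip in LRU bits", 0.2, False, 0.0, 0.0),
    FailureMode("bus_if", "protocol violation", 1.0, True, 0.90, 0.80),
]

def example() -> dict:
    return fmeda(ELEMENTS, MODES)

if __name__ == "__main__":
    m = example()
    print(f"SPFM {m['spfm']:.2%}  LFM {m['lfm']:.2%}")
    for asil in METRIC_TARGETS:
        print(f"ASIL {asil}: {'meets' if meets_asil(m, asil) else 'fails'} targets")
```

For this sample the component clears the ASIL B and C metric targets but not ASIL D, which is exactly the situation in which a decomposed ASIL B(D) allocation lets it still be used in an ASIL D system.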

The ISO 26262 functional safety standard defines automotive safety integrity levels (ASILs) to support this analysis from ASIL A through to the most robust level, ASIL D.

At the system level, the safety requirements can be mapped into independent elements. This enables the system to achieve a high functional safety level such as ASIL D with components that independently achieve a lower decomposed functional safety level such as ASIL B(D).

The ISO 26262 functional safety standard in part 2, 9 allows this ASIL decomposition to ease the development process for each of the independent elements.

This mechanism is especially useful for complex IP such as the MIPS I6500F high-performance, multi-core processor, which is designed to ASIL B decomposed from D: ASIL B(D).

The use of FMEDA at the system level requires its use at the component level and it therefore needs to be part of the IP package.


Safety element out of context

The IP business model relies on licensing the same IP to many customers.

Much of the value of the IP is based on the ability of the customer to use it without requiring detailed knowledge of that IP or the requirement to modify that IP.

The ISO 26262 functional safety standard describes a safety element out of context (SEooC) in ISO 26262-10, Clause 9 as a safety-related element that is not developed for a specific item (i.e. in the context of a particular vehicle).

A SEooC can be a system, an array of systems, a sub-system, a software component or a hardware component.

Qualifying an IP core as an SEooC to a specific functional safety level such as ASIL B(D), as Imagination has done with the high-performance, heterogeneous MIPS I6500F multiprocessor, enables functional safety to be supported with reusable IP.

There are two significant advantages for an SoC integrator from the use of third party IP as an SEooC:

  • The SoC integrator can use the documented FMEDA analysis supplied as part of the SEooC IP package directly in their system-level analysis, saving considerable time and cost, and preserving the benefits from third-party IP use.
  • The IP developer has full knowledge and access to the IP design so they can implement the functional safety capabilities much more efficiently and effectively than the SoC integrator.

Functional safety must be an integral part of the development process for both the system and each IP component. Delivering IP as a SEooC enables this, while preserving the mutual benefits from the reusable IP business model.

About The Author

Tim Mace is senior manager for business development in MIPS at Imagination Technologies