New Shifts In Automotive Design
April 13, 2018
Four big shifts in automotive design and usage are beginning to converge—electrification, increasing connectivity, autonomous driving and car sharing—creating a ripple effect across the automotive electronics supply chain.
Over the past few years the electronic content of cars and other vehicles has surged, with electrical systems replacing traditional mechanical and electro-mechanical subsystems. That has been a key driver for semiconductor growth, and autonomous vehicles are the poster child of this effort. But the emergence of this market also will result in profound technological and sociological changes.
From the design side, this is already apparent. Automotive electronics fall into the realm of functional safety, which previously was limited to medical devices and military/aerospace applications. Vehicle manufacturers are requiring that everyone in their electronics supply chain be certified as complying with relevant standards, which means that chips developed for parts of a vehicle that are not directly tied to safety now must comply with the most stringent regulations.
“The ISO 26262 standard sets a high bar for functional verification and elimination of systematic faults, as well as the ability to handle random fault effects in operating devices,” said David Landoll, solutions architect at OneSpin Solutions. “Some EDA vendors are obtaining external certification for compliance to this standard. This makes it easier for their customers, semiconductor suppliers, to meet functional safety compliance requirements and, in turn, for subsystem and vehicle manufacturers to do the same.”
SoC designers typically target a 10-year lifetime when it comes to reliability metrics that are based on the current usage model and mission profile, said Thomas Wong, business development director in the IP group at Cadence. “If you look at the usage model today, we drive to work, park our cars, and we drive home at 6 p.m. So you drive about 20 miles to work, park your car for 8 hours, and then drive 20 miles to go home. This is your mission profile. Adopting design constraints to reflect a changing mission profile in the automotive industry is nothing new. Consider police patrol cars or taxis. Their usage model is quite different from how the average person uses their car. For police cars and taxis, there will be heavy duty tires, beefed up suspensions, better brakes, larger batteries, different gear ratios, stronger gearboxes, and more robust starters, among other things. The main reason for including more robust mechanical and hydraulic systems on these types of vehicles is to make the vehicle last longer. With the upward trend in electric vehicles and autonomous driving, the systems that have to be more robust are not just the mechanical bits. We now have to ensure that all the semiconductor chips and SoCs that are truly the brains of the vehicles fulfill their mission based on the new usage model and mission profile,” he said.
Add to that the combination of autonomous driving and car sharing. “With autonomous driving, you may want to send your car home so someone else at home can use it while you are at work,” said Wong. “Then at 5 p.m. you summon your autonomous vehicle to go to the office and pick you up, and you go home. With electrification, your cost per mile drops, so you are likely to see this scenario becoming a reality. Instead of two 20-mile trips, now your car will travel 4 times 20 miles, for a total of 80 miles per day.”
A second scenario could be a car-sharing arrangement, he said. “This may be a driverless car service, and your car is making money for you while you are at the office. Therefore, your car is being used 10 hours per day. Think about the wear and tear on the vehicle. More importantly, how will that impact semiconductors used in the various systems in your car? How will these two scenarios impact semiconductor design and reliability assessment?”
With any of these new driving scenarios emerging, more attention must be paid to use cases that were not a concern in the past. That brings in chip foundries, which now must develop process and design rules that are more robust to withstand this new level of use. And that, in turn, translates into more robust transistors, new materials for metallization, better aging models, along with more stringent guidance on design for reliability (DfR) and design for manufacturing (DfM), Wong said. “Designers may need to work more closely with foundries to understand failure mechanisms. Extended reliability models need to be developed to enable EM/IR analysis, and there must be considerations to improve SoC reliability and robustness, such as accommodating larger via coverage and a methodology for implementing redundant vias.”
Then, requirements stipulated in AEC-Q100 must be revisited to determine if this specification needs to be updated to reflect the intensified usage models resulting from car sharing and autonomous vehicles. “We are already seeing the impact of these trends. Semiconductor foundries have deployed automotive-qualified processes. Design for reliability and design for manufacturing rules have been created. Chip companies have invested in training their engineers to be conversant in functional safety. ISO 26262 and ASIL-readiness are the new must-have buzzwords. Automotive OEMs and fabless companies are learning how to build more robust SoCs that are needed as we approach Level 3, 4 and 5 autonomous vehicles—redundancy, lock step, active safety features, functional safety verification, ASIL-ready IP blocks, more advanced EM/IR tools and more advanced fault injection tools are being deployed to keep pace with the fast-moving trend toward a driverless world.”
Higher bandwidth required
Alongside these shifts is a concurrent shift toward more connectivity. While much of the attention initially was focused outside the vehicle with vehicle-to-vehicle and vehicle-to-infrastructure communications, there is an increasing amount of attention being paid to moving huge volumes of data around inside of these vehicles. Automotive cameras, radar and LiDAR will be generating streaming video data, and at this point it’s uncertain where all of this data will be screened and processed. But one thing that is clear is that large amounts of data will have to be moved quickly for autonomous vehicles to avoid accidents.
“It’s clear to the automotive industry that legacy networking solutions in the car were really challenged from a bandwidth and security perspective moving forward looking into next generation architectures from 2020 to 2025 and beyond,” said Tim Lau, senior director of product marketing for automotive Ethernet at Marvell. “That’s why the entire automotive industry has really started to look at other technologies and most specifically realized that the optimal solution for high bandwidth network connectivity in the car is automotive Ethernet.”
This, in turn, is causing significant changes inside the automotive industry. It affects what OEMs and tier-one suppliers look for, as well as how they engage with other companies in the supply chain for next-generation ECUs, said Lau.
Processing requirements changing
All of that data has a significant impact on the processing requirements for automotive systems, as well. “As more decisions are made by a vehicle rather than a driver — which is becoming a requirement for some ride sharing robo-taxis — then more intelligence, and hence processing performance, is required in the vehicle’s computing platforms,” said Robert Day, director of automotive solutions and platforms for the Embedded & Automotive Line of Business at Arm “In some cases this leads to more centralized vehicle computers that take large amounts of sensor information and do the detailed perception and decision processing, which leads to the actuation function required to take action.”
So there is a big jump required in performance, but it still has to within the strict power, space and thermal requirements of a modern vehicle. “Other designs are pushing the perception function closer to the sensor, with the central computing engine making decisions based on information that is fed from the intelligent sensor nodes,” Day said. “In both cases, increased computing performance is required without compromising the power available in a vehicle, which leads to higher performance application CPUs provided in multi-core clusters, with additional acceleration engines such as GPUs, vision processors and machine learning processors all being built into automotive SoCs. All of these compute functions also need higher levels of safety, as the decisions and actions must be held to the same or higher safety levels as driver-initiated functions.”
Fig. 1: Compute functions required in autonomous vehicles. Source: Arm
And while the ISO 26262 standard is discussed freely, there are additional regulatory or safety concerns that must also be captured in semiconductor design IP.
“In addition to the ISO 26262 second revision that will be released later this year, and all the other established functional safety standards like IEC 61508, IEC 61511, EN 5012X series, DO-254, etc., a new regulatory framework is emerging.
This is called SOTIF (Safety Of The Intended Function), which will be released under the ISO naming PAS 21448. The aim of this document is to cover the validation and the verification of systems with complex sensing and algorithms, whose limitations in performance could cause safety hazards in the absence of a malfunction. While most of the activities defined by this new guideline are at the vehicle and system level, these will have a direct effect on the requirements for SoCs and IP, driving the capturing of performance requirements directly to be allocated on these elements,” Day noted.
Advanced nodes play a role in automotive
There are additional impacts on the semiconductor design process from the automotive ecosystem that is barreling down the road to autonomous and connected, electric vehicle sharing.
“We are starting to see companies planning to do tapeouts on 7nm (the most advanced finFET node today), and they are planning to do automotive chips on that technology,” said Navraj Nandra, senior director of marketing for the DesignWare Analog and MSIP Solutions Group at Synopsys. “That’s very surprising because typically people think about automotive as very stable, using technologies with very long development and qualification cycles. But that whole supply chain has totally been redone because companies like Nvidia, for example, are now providing chipsets into the automotive industry. But they’re not coming from the traditional automotive supply chain, so they’re not encumbered with all that huge overhead that the traditional suppliers have had to follow. For them, they need the latest and greatest in a very short timeframe, which has been typical of the consumer market.”
So from an IP standpoint, automotive is driving the next generation of technology nodes, Nandra said. “As well, the amount of software and digital implementations in automotive chips has grown phenomenally. What this means is that with the digital part and the software part, you’ve still got to meet all of the functional safety requirements. People used to talk about failure-safe functional safety in the context of semiconductor chips, and now it has to do with your software, which is a very interesting topic. How do you make your software that sits on your SoC that drives some of the IP blocks functionally safe to meet the ISO26262 requirements?”
Reliability, security requirements
Advanced automotive applications have additional requirements beyond what many other customers do in terms of their reliability needs, or testability needs, Rob Aitken, Arm Fellow, pointed out. “For reliability, it’s divided into categories liked soft error immunity and how it performs over time, which can include how the circuit ages. Those are requirements that are often less strict than some other areas. For example on an automotive design, if it is going to sit in the car and the expected lifetime is 10 or 20 years, then you need to make sure that the memory will have enough residual performance that, as it ages and the device performance degrades, it is still going to work.”
Increasingly, there is also the security requirement. That’s both a research topic as well as a practical application for many designs and encrypted memory. “Depending on the application, you don’t want somebody being able to steal the data,” Aitken said. “From an SRAM standpoint, that’s not always important because the chance that somebody is going to break in and steal your SRAM data is low. First of all that’s really hard to do. And second, it’s not obvious for a lot of IOT-ish applications why anyone would want to do that. But for things like DRAM, there have been situations where somebody actually freezes the DRAM chip, they take it off the board and decrypt it at their leisure. In those situations, if the contents of the DRAM are encrypted, you get useless information. But if they are in plain text, you get all kinds of interesting stuff.”
Not all of this has to be done from scratch, though. Market segments including networking and enterprise servers have the same kinds of reliability requirements as automotive.
“Based on the quality that is required in those networks, the equipment chips in networking must run for 10 years, so a long life,” noted Frank Ferro, senior director of product management at Rambus. “We’ve already developed our IP for very high extended temperature ranges, and have done extensive testing, so it was an easy step to move into the automotive market. The requirements are very similar, and in some cases the automotive requirements were maybe not even as stringent, depending on the types of certification as some of the networking markets.”
The opportunities in the automotive segment in general also are driving suppliers to rethink technology in other ways, and how it can be applied here. One such area is data mining and data analysis. Automotive brings some of the most complex system design challenges to multidisciplinary engineering teams, and as such, all of the stops must be pulled out to be a success here.
“The challenge now is not only automotive, now you not only have to verify that a design works properly, you have to flip it on its head and simulate/emulate improper behavior of the design so that in the cases that it might actually happen, the design can be modified to be able to gracefully exit from an error,” said Mark Olen, a product marketing manager at Mentor, A Siemens Business. “The mathematician in me says this is an N squared problem, and I’ll be really curious to see as we try to tackle this at what sigma level [designs get to.] Everybody realizes it’s really not practical to truly prove 100% quality, but can you do 99.9999%? The economics start playing out there at some number of one in some million. But now what happens when you’re talking about a whole network of flying cars that are self-driven?”
Further, the only way to solve some of these problems algorithmically on the road to fully autonomous vehicles is with neural networks or non-deterministic algorithms, said Kurt Shuler, vice president of marketing at ArterisIP. “However, that is combined with functional safety, so there must be bounds because this is F=MA, and there is a heck of a lot of M in a car, and at times there is also a lot of A, too. There are real time constraints on this and it includes the traceability problem. Everybody says with software the system will get better, but then the question becomes, ‘Oh, you changed the software, you changed the system. Now you’ve got to have that car go and get certified to get running through that track all by itself.’ Is the industry going to do that? No. There is a lot that we need to do prior to this really being real.”
This shift in thinking includes determining the best way to have the system perform the actual computing.
“The advent of the autonomous driving sector portends, in many ways, a return to the past while making a clean break in others,” said Srikanth Rengarajan, vice president of products and business development at Austemper Design Systems. “Correct computing, for instance, has always been the assumed imperative with no variance or tolerance for deviation. DSP and similar tasks were largely ancillary tasks. In the car, the bulk of the processing for, say an ADAS chipset, is heuristic in nature. The dominant neural algorithms are based on stochastics and tolerance and deviation is assumed. For a chip designer, this shifts the focus from absolute correctness to approximate computing. Total accuracy is sought via system-level cross-checks, multi-channel computing and modular redundancy providing greater leeway to the chip designer. Since no system is completely fail-proof, designers shifted left to fail-safe, again by resorting to probabilistic interpretations of correct operation,”
Nowhere is this more apparent than in the functional safety segment, where incorrect operation is tolerated so long as it is probabilistically limited or can be detected within a failure tolerance interval. This approach is being ingrained into the industry via the ISO26262 and related standards, Rengarajan said.
Supply chain disruptions
Given the number of moving pieces in the connected, electric, autonomous car-sharing model, in addition to solving the technical challenges, there may be business ramifications as well.
“The pace of innovation for autonomous systems is increasing dramatically, which is very much changing the delivery time for new silicon for the automotive industry,” said Arm’s Day. “This change could be seen as disruptive to the supply chain, and could possibly lead to new players in the market. The growth in the amount of software in a vehicle as autonomous functions are introduced also means that Arm needs to understand and support that new ecosystem, ensuring that these huge software stacks are optimized for the Arm architecture and looking at new functions that Arm can produce to increase the performance and efficiency of the system.”
While some believe the industry has the horizon in its line of sight, Magdy Abadir, vice president of marketing at Helic, pointed out that the full brunt of any of this has not been seen yet. “Automotive has always been an area where people are worried about reliability and safety,” he said. “Historically, it’s been more about higher quality standards, higher reliability standards, more risk-averse and conservative in adopting new technology. This is because of the fear of some disaster happening, which could end up costing someone’s life or the liability is too high and the warranties are too expensive.”
As the technologies continue to be developed and refined, stringent standards, requirements and specifications will be put in place such that by the time connected, electric ride-sharing cars are ready, semiconductor and systems designers will have worked many of the kinks. But at least for the foreseeable future, big shifts will bring other shifts, and the result will be both significant and widespread.