The automotive industry is entering a huge technological shift. Electrification is rapidly being introduced as the industry looks to adopt sustainable energy solutions. Autonomous driving is forecast to save countless lives and reduce the number of incidents on the road. Car makers are looking to deliver improvements and new experiences to customers after the vehicle has left the forecourt through future software-defined vehicles (SDVs).
All these automotive trends have one thing in common: they require robust, safe systems to be successful. The goal for everyone in the automotive supply chain, including Arm, is to build systems that are suitably safe for the next generation of vehicles.
The Arm Cortex-M family is widely used as the primary core in automotive microcontrollers (MCUs), and as a companion core in many automotive system on chip (SoC) designs. These cores have a multitude of safety features that partners can utilize to achieve their safety goals in an efficient way. Recently Cortex-M55 joined the long list of safety assessed processors. This provides our partners with the additional level of assurance that our market-leading product has been developed to the highest safety standards.
Automotive and industrial segments rely on functional safety standards to deploy safety-relevant components into end products. The Arm safety ready strategy is geared towards providing comprehensive artefacts based on the ISO 26262 and IEC 61508 standards. These provide key frameworks, requirements, and guidelines for the development of safety-critical systems. The standards also define graded ASIL/SIL levels based on a risk assessment, each with specific target metrics that need to be achieved for compliance.
To enable best in class solutions in the automotive sector, Arm provides up to ASIL D systematic capability on safety relevant products, as well as ASIL B/D diagnostic capability based on specific configurations.
ASIL D represents the highest level of potential risk and requires the most stringent approach to managing faults. For example, braking systems, battery management systems, on-board charging in electric vehicles (EVs) and airbag systems are classed as ASIL D, as faults in these systems can have grave consequences.
One approach for achieving this high level of integrity is redundancy, which is generally accepted as the most effective route to ASIL D. If a system performs a task and its result is checked against another identical system completing the exact same task, agreement between the two provides confidence that the system is behaving as expected. Should the results differ, there has been an error in one of the systems, and the error can then be handled, for example by restarting the system or re-performing the task.
For applications that require ASIL D, having a CPU core with this capability means you can bake in safety from the lowest level with ease. Cortex-M55 provides a configurable option to implement dual-core lockstep (DCLS), which designs in another copy of the core. The feature is an effective approach to create the fault detection necessary to achieve the ASIL D hardware metrics at the core level. This means partners can focus on safety at the system level.
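The compare-and-recover principle behind DCLS, as an added illustrative model that is not Arm's or Cortex-M55's own logic: two copies of a task run on the same input, a comparator accepts the result only when both agree, a mismatch triggers a retry, and a persistent mismatch is reported upward for system-level handling. The task, fault injector and retry limit are constructed for the example; note that a fault corrupting both copies identically is not detectable by comparison alone.

```c
#include <stdint.h>
#include <stdbool.h>

typedef uint32_t (*task_fn)(uint32_t);

/* Hypothetical workload: an FNV-1a style mix over the input bytes (constructed). */
static uint32_t compute_task(uint32_t input) {
    uint32_t acc = 0x811C9DC5u;
    for (int i = 0; i < 4; i++) {
        acc ^= (input >> (8 * i)) & 0xFFu;
        acc *= 0x01000193u;
    }
    return acc;
}

/* Fault model (constructed): flip bits in the redundant core's result
 * for the next `remaining_faults` executions, then behave correctly. */
typedef struct {
    int remaining_faults;
    uint32_t flip_mask;
} fault_injector_t;

typedef struct {
    uint32_t result;
    int mismatches;   /* comparator mismatches seen before a result was accepted */
    bool ok;          /* true once primary and redundant results agreed */
} lockstep_outcome_t;

/* Run `task` on a primary and a redundant copy, compare, retry on mismatch. */
lockstep_outcome_t lockstep_run(task_fn task, uint32_t input,
                                fault_injector_t *inj, int max_retries) {
    lockstep_outcome_t out = {0, 0, false};
    for (int attempt = 0; attempt <= max_retries; attempt++) {
        uint32_t primary = task(input);
        uint32_t shadow  = task(input);
        if (inj && inj->remaining_faults > 0) {
            shadow ^= inj->flip_mask;   /* inject a fault into the redundant copy */
            inj->remaining_faults--;
        }
        if (primary == shadow) {        /* comparator agrees: accept the result */
            out.result = primary;
            out.ok = true;
            return out;
        }
        out.mismatches++;               /* comparator flagged an error: re-perform */
    }
    return out;                         /* persistent fault: escalate to system level */
}
```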
Cortex-M55 has been assessed with Exida for ASIL D Systematic and Diagnostic faults in a DCLS configuration. Arm partners can integrate this into their system level assessment, which enables them to achieve up to ASIL D in their designs with greater confidence. This means automotive designs can be achieved at a quicker pace, reducing the time to market, and enabling car makers to safely deploy vehicles on the road.
ASIL B systems have a lower level of risk, but still need to have the mechanisms in place to ensure that various faults are dealt with. For example, applications like body control, lighting and engine control functions, if faulty, increase the probability of a hazard occurring.
DCLS is one approach chip integrators can take to achieve ASIL B, but if you duplicate the cores, you also duplicate power and area. These are vital design parameters, so while the cost is generally accepted for ASIL D, what if DCLS breaches the area constraints for an ASIL B level design? This is where several mechanisms, when combined, could be a more cost-effective approach.
To help partners achieve ASIL B metrics and enable their users to achieve their safety goals, Cortex-M55 has a variety of features that do not require the full replication of the cores. These are:
In addition to software test libraries (STLs), Cortex-M55 has more safety features that can benefit both dual-core and single-core configurations:
Depending on the application, one or more of these features will be suitable, and could be combined with system level functional safety features to meet the ASIL B metric requirements. The beauty of the Arm Cortex-M family is the flexibility, so partners can choose features to turn on and off in their designs. All the functional safety features are optional, providing choice to partners on how they approach their safety goals to meet the needs of car makers.
From high-performance to power-efficient CPU cores, safety is fundamental to automotive applications. Our commitment to power-efficient functional safety features is shown throughout our Cortex-M family. Through achieving the formal, industry-recognized certification of Cortex-M55, we will give our partners and the wider industry even more confidence to move forward with their designs, products and applications built on Arm. This is yet another important milestone in the journey towards automotive vehicles, now and in the future, on Arm.