The automotive industry is evolving at a very rapid pace. With the shift towards electrification and autonomy, there is an ever-increasing demand for higher levels of computing power to run the growing number of software applications and workloads. Arm is fully invested in tackling this challenge and is driving innovation through our portfolio of Automotive Enhanced (AE) and Safety-Ready products and solutions.
Arm's processors are ubiquitous in every part of the vehicle. From high-performance systems in advanced driver-assistance systems (ADAS), automated driving (AD), in-vehicle infotainment (IVI) and digital cockpits to gateway, body, and microcontroller endpoints.
Many software applications running on the vehicle control highly safety-critical functions like the transmission, anti-lock braking systems (ABS), adaptive cruise control (ACC), radar, and LiDAR. A typical standard low-end vehicle can have close to 100 ECUs and execute over 100 million lines of code. Scaling this on a premium vehicle with ADAS and more advanced technologies, you will see how significantly the software increases in size and complexity.
As a result, the embedded software is required to meet higher reliability and safety targets while still delivering performance and a reasonable memory footprint. Automotive software development uses industry standards such as AUTOSAR (Automotive Open System Architecture) and ASPICE (Automotive Software Process Improvement and Capability Determination). Additionally, it must comply with ISO 26262, an international standard for the functional safety of electrical and electronic (E/E) systems in road vehicles. ISO 26262 requires a functional safety development process from the start of development through to production. It defines the Automotive Safety Integrity Level (ASIL), which classifies the severity of a safety risk into four levels, A, B, C and D. ASIL D is the most severe, as it relates to the potential for severe life-threatening or fatal injury in the event of a malfunction. Implementing the higher ASIL levels (ASIL C and D) introduces more stringent development processes, increasing the overall effort by 30-60 percent.
Another factor to consider is cybersecurity. Advances in automotive technology and connected vehicles create the risk of cyber-attacks. This new security challenge has introduced new regulations requiring compliance with ISO 21434 (the cybersecurity standard for road vehicles), adding further requirements to the development process.
Software development teams have a massive challenge delivering high-quality, safe, and secure software. This is alongside ever-increasing pressures for a shorter time-to-market and shorter development times. As a result, it is crucial to have a robust software development and validation strategy that is supported by the right development tools. This ensures that the safety development activities are carried out efficiently and meet the product and delivery commitments.
The ISO 26262 standard requires the user to provide sufficient evidence that the tools used in development are reliable. ISO 26262-8:2011 provides methods and guidance for assessing development tools to determine whether or not a tool needs qualification. The assessment proceeds by classifying each tool according to its Tool Confidence Level (TCL).
The TCL is determined by two factors: Tool Impact (TI) and Tool Error Detection (TD).
The combination of Tool Impact and Tool Error Detection determines the Tool Confidence Level, and therefore whether the tool needs to be qualified or not - see the diagram below. There are three levels of TCL - TCL1, TCL2, and TCL3 - with TCL3 corresponding to the highest risk of an undetected tool malfunction.
Generally, a compiler toolchain would classify as TCL3, while a debugger would be TCL2 and an editor is TCL1.
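The classification step described above, worked through in code. This is an added illustration, not Arm's code and not part of the original post: the TI/TD ratings and the TI/TD-to-TCL matrix are encoded from ISO 26262-8 (its TCL determination table, which the post refers to as the diagram below), while the tool inventory and the ratings given to each tool are constructed sample data whose results match the compiler/debugger/editor outcomes stated in the text.

```python
"""ISO 26262-8 tool classification: Tool Impact (TI) and Tool Error
Detection (TD) combine into a Tool Confidence Level (TCL), which decides
whether a tool needs qualification.

Added example; the TCL matrix is taken from ISO 26262-8 and the tool
ratings below are constructed, not Arm's assessment of its own tools.
"""
from dataclasses import dataclass

# TI1: no possibility that a tool malfunction introduces, or fails to
# detect, an error in the safety-related item. TI2: such a possibility exists.
TI1, TI2 = 1, 2
# TD1: high confidence a malfunction is prevented or detected by other
# measures (reviews, tests, redundant tools); TD2: medium; TD3: low.
TD1, TD2, TD3 = 1, 2, 3

# ISO 26262-8 TCL determination: TI1 is always TCL1, otherwise TCL tracks TD.
_TCL_MATRIX = {
    (TI1, TD1): 1, (TI1, TD2): 1, (TI1, TD3): 1,
    (TI2, TD1): 1, (TI2, TD2): 2, (TI2, TD3): 3,
}

_TD_FROM_CONFIDENCE = {"high": TD1, "medium": TD2, "low": TD3}


@dataclass(frozen=True)
class ToolAssessment:
    """One tool's use-case assessment (constructed inputs, hypothetical names)."""
    name: str
    can_introduce_or_miss_error: bool   # drives Tool Impact
    detection_confidence: str           # "high" | "medium" | "low", drives TD


def tool_impact(a: ToolAssessment) -> int:
    return TI2 if a.can_introduce_or_miss_error else TI1


def tool_error_detection(a: ToolAssessment) -> int:
    return _TD_FROM_CONFIDENCE[a.detection_confidence]


def tcl(a: ToolAssessment) -> int:
    """Tool Confidence Level from the TI/TD matrix."""
    return _TCL_MATRIX[(tool_impact(a), tool_error_detection(a))]


def needs_qualification(a: ToolAssessment) -> bool:
    """TCL2 and TCL3 tools require qualification; TCL1 tools do not."""
    return tcl(a) > 1


def classify_inventory(tools):
    """Map tool name -> (TCL, needs_qualification) for a whole tool chain."""
    return {t.name: (tcl(t), needs_qualification(t)) for t in tools}


# Constructed sample inventory. The ratings are typical arguments, not
# measurements: a miscompile lands in the shipped binary and is rarely
# caught downstream (low detection confidence); a debugger showing a wrong
# memory view can mislead a fix but is usually corroborated by other
# evidence (medium); an editor's corruption of a source file is caught by
# review and the build (high).
SAMPLE_TOOLS = [
    ToolAssessment("compiler", True, "low"),
    ToolAssessment("debugger", True, "medium"),
    ToolAssessment("editor", True, "high"),
]

if __name__ == "__main__":
    for name, (level, qualify) in classify_inventory(SAMPLE_TOOLS).items():
        print(f"{name:10s} TCL{level}  qualification required: {qualify}")
```

The detection-confidence rating is the part a safety assessor actually argues over: the same compiler drops from TCL3 to TCL1 if the project can show high-confidence detection (for example, independent back-to-back testing of the generated object code), which is exactly the trade-off the qualification tables in ISO 26262-8 are meant to price.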
For TCL3 and TCL2, ISO 26262-8:2018 Clause 11.4.6 provides methods to perform tool qualification depending on the ASIL target, shown in tables 1 and 2.
Qualification of software tools classified as TCL3
Qualification of software tools classified as TCL2
To maximize the developer experience and keep the focus on real safety development, Arm offers a range of tools and software dedicated to supporting safety development across our safety-ready IP.
The compiler is at the center of any software development, and for functional safety it is regarded as a TCL3 tool. Qualifying a TCL3 tool such as the compiler can be extremely challenging, especially when the tool is not developed by the user. It is also costly and time-consuming, taking several person-years of effort, and offers no real differentiation to the final safety product. To save the user from performing this unnecessary and non-differentiating tool qualification, Arm has gone above and beyond to qualify our flagship compiler toolchain in accordance with various functional safety standards at the highest safety integrity level, as shown in the table below:
Arm Compiler for Embedded FuSa offers a complete safety-qualified C/C++ embedded toolchain that enables you to develop your safety project with state-of-the-art compiler technology for Arm. The toolchain has a certificate from TÜV SÜD, one of the premier safety-accredited certification houses, which provides assurance that it meets defined safety-related criteria and processes. The toolchain is also accompanied by a Qualification Kit. This includes a Safety Manual that provides guidance on safe usage of the toolchain and a Defect Report that maintains a record of all known safety-related defects affecting the toolchain. Our qualified toolchains are derived from safety branches, which are frozen snapshots of mainline taken every few years. This brings support for new architecture extensions, optimization improvements and modern developer features under the qualification. Given the long development lifecycles and requirements of automotive and safety projects, each of our safety branches also comes with a long-term support and maintenance guarantee to provide assurance for many years down the line.
Using a safety-qualified compiler is not sufficient on its own; you also need certified toolchain libraries. This is because a good portion of the safety software links in pre-compiled C/C++ library binaries created by the toolchain vendor. Arm currently provides a Certified C library, a subset of about 200 C-library functions. This library supports the Arm architecture run-time ABI, portions of the ISO C language specification and compiler helper functions. The library is developed as a Safety Element out of Context (SEooC), as defined in ISO 26262-10, and is fully compatible with and validated against Arm's FuSa compiler toolchains. The library has a TÜV certificate that follows the same functional safety standards and safety integrity levels as the FuSa compiler toolchain, and a Safety Manual that documents the usage and safe boundaries of the library functions. Beyond the Certified C library, Arm is working towards certifying a subset of the Arm C++ library, because we are seeing growing adoption of C++ in embedded and AUTOSAR development.
The Arm FuSa toolchain and libraries are also used in the development and certification of our software offerings - Arm Software Test Library (Arm STL) and CMSIS (Common Microcontroller Software Interface Standard).
Arm STL provides certified software routines, written in assembly, that perform boot-time and run-time checks and diagnostics of the safety system. This complements Arm's safety-ready processors by supporting the systematic capability required for ISO 26262 ASIL D. It offers a C language API that allows developers to quickly scale the library to add more test coverage.
CMSIS is a set of software building blocks for Cortex-M based applications that offers a standardized framework to simplify software reuse and reduce the learning curve for microcontroller applications. While CMSIS is open source, it is highly modular, and its components can be integrated directly into the microcontroller application and qualified as part of the final safety application. Arm has also certified a subset of CMSIS (CMSIS-Core, CMSIS-RTOS) to offer a small safety-certified run-time system called FuSa RTS. Currently FuSa RTS is available for Cortex-M0/M0+, M3, M4, and M7. CMSIS/FuSa RTS has been used across many automotive applications, including motor control, Ethernet switches, head-up display controllers and other small controller applications based on Cortex-M.
The compiler and libraries make up only one part of the tools story. Arm also provides fully featured development tool suites that integrate the Arm C/C++ Compiler and its safety-qualified variants. This provides a seamless developer workflow when developing on Arm.
Arm Development Studio is Arm's most comprehensive development suite, supporting development across all Arm processors and architectures. It is the natural choice for developing a complex SoC based on Cortex-A or Cortex-R, or a heterogeneous system that combines different Arm processors. It supports all SoC configurations, from single core to more complex multiprocessors. The Arm debugger offers assurance during SoC bring-up activities, whether on emulation, simulation, FPGA, or real silicon. Arm Development Studio also includes a system performance analyzer called Streamline that can find hotspots and compute bottlenecks in the system. It also includes a library of instruction-accurate Fixed Virtual Platforms (FVPs). These are reference simulations that support the integration of Arm IP with memory and peripherals into a virtual hardware target. FVPs can be used to speed up software development and verification activities before the real hardware is available.
Keil MDK is another development tool suite primarily designed for microcontroller development on Cortex-M. It integrates all the tools needed to help expedite the development of embedded applications. Keil MDK includes software components as building blocks for creating applications. These software components are delivered as software packs that can contain device drivers, CMSIS libraries and royalty-free middleware components designed to support peripheral communications in microcontrollers. FuSa RTS is available as a licensed software pack.
While Arm Development Studio and Keil MDK are not themselves safety-qualified, they are mature tools that are widely used across all markets. Both are fully validated with Arm's FuSa toolchain and safety-certified software, giving increased confidence for their use in safety development.
The use of static code analysis tools to perform continuous code inspection is another important practice that must be carried out in safety development. Arm does not offer its own static analysis tools, but can integrate third-party tools as plug-ins into Arm Development Studio and Keil MDK.
The Arm software tools can be easily deployed in continuous integration (CI) workflows and cloud environments, bringing automation, quick feedback, and efficiency to software development. This builds confidence, shortens development times and reduces risk. Aside from the software tools mentioned here, Arm offers tools that support the SoC design workflow; these are not covered in this blog.
On a final note, developers can scale their development activities by using Arm-based servers in the cloud, such as AWS Graviton3. Being able to build natively on Arm instead of cross-compiling delivers significant developer performance and efficiency while reducing potential errors. Moreover, the ability to host virtual hardware targets in the cloud, integrated into a CI/CD framework, enables a powerful end-to-end workflow to build, test, and optimize workloads on the Arm architecture. Through the SOAFEE initiative, Arm is working with its cloud and ecosystem partners to unlock the potential of cloud-native development, using Arm servers in the cloud to deliver cloud-to-edge execution and environment parity in the age of software-defined vehicles.
You can read all of Arm's functional safety resources on developer.arm.com.