Over the last two years functional safety has become a “hot” topic, attracting media attention and large investments from both venture capitalists and established computing businesses. These investments are perhaps fueled by a disruptive vision, potentially rewarded by huge revenues from robotic taxi services in the future and, nearer term, from content delivered through an immersive digital cabin. It is not surprising that in this new and exciting world many organizations are keen to promote their presence and product offerings, which for many marks the start of a journey to address key automotive or functional safety requirements.
Despite the recent hype, functional safety is not new. Standards like ISO 26262 for road vehicle electronics are often quoted; ISO 26262 was first published in 2011, building on concepts published in IEC 61508 from 1998 (1st edition) to 2010 (2nd edition). However, functional safety predates them both, with many of the safety principles for electronics first practiced in the aerospace, nuclear and rail industries.
Silicon vendors such as TI, NXP, ST, Renesas, Cypress, Infineon, and others have all addressed automotive and industrial electronics markets for several decades, with numerous designs predating ISO 26262. Arm has supported the automotive market continuously since 1996, with the heritage of our silicon partners running even deeper. The Arm partnership has enabled decades of success, leading to faster, lower cost and safer systems across industrial, aerospace, medical, and automotive applications.
In automotive, analysts estimate Arm to have over 85% market share of applications processors in the cockpit and about 55% of applications processors for Advanced Driver-Assistance Systems (ADAS). Many safety critical chassis and powertrain systems are also built on Arm processors. However, it is important to note that a successful functional safety system requires much more than just a CPU. In the last few years, Arm has developed Software Test Libraries (STLs), working with chip design tool vendors to shape their products and to establish advanced techniques that improve diagnostic coverage and robustness. Again, STLs are just one part of Arm’s solution for functional safety. Besides a growing portfolio of silicon IP products, Arm makes significant investments in the ecosystem, seeding developments and driving standardization.
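To make concrete what an STL does, the following is an added example, not Arm's code and not the structure of Arm's STLs: it runs a fixed stimulus (walking-ones and boundary patterns) through a set of arithmetic and logic operations, compresses every result into a CRC-32 signature, and compares that against a golden value, so that a permanent fault in a data path shows up as a signature mismatch. Everything here is an assumption for illustration: the operators are reached through function pointers (`alu_ops`) only so that a hypothetical stuck-at-0 fault on adder output bit 3 (`bad_add`) can be injected, and the golden signature is derived at run time from a diverse bit-serial reference model (`ref_add`, `ref_mul`, `ref_shl`, `ref_xor`); a production STL would instead precompute the signature on a fault-free reference and store it as a constant, and would exercise the CPU's own instructions with hand-written assembly.

```c
#include <stdint.h>
#include <stdio.h>

/* Operator set under test. Function pointers are used only so that a fault
 * can be injected for demonstration (hypothetical structure, not an STL's). */
typedef struct {
    uint32_t (*add)(uint32_t a, uint32_t b);
    uint32_t (*mul)(uint32_t a, uint32_t b);
    uint32_t (*shl)(uint32_t a, unsigned s);
    uint32_t (*xor_)(uint32_t a, uint32_t b);
} alu_ops;

/* Native operators: these use the hardware adder, multiplier, shifter and
 * logic unit that the test is meant to check. */
static uint32_t nat_add(uint32_t a, uint32_t b) { return a + b; }
static uint32_t nat_mul(uint32_t a, uint32_t b) { return a * b; }
static uint32_t nat_shl(uint32_t a, unsigned s) { return a << (s & 31u); }
static uint32_t nat_xor(uint32_t a, uint32_t b) { return a ^ b; }

/* Injected fault (hypothetical): adder output bit 3 stuck at 0. */
static uint32_t bad_add(uint32_t a, uint32_t b) { return (a + b) & ~(1u << 3); }

/* Diverse bit-serial reference model, used here only to derive the golden
 * signature (an assumption of this example; a real STL stores a precomputed
 * constant). It avoids the adder/multiplier/shifter data paths under test. */
static uint32_t ref_add(uint32_t a, uint32_t b) {
    uint32_t r = 0, carry = 0;                       /* ripple-carry adder */
    for (unsigned i = 0; i < 32; i++) {
        uint32_t ai = (a >> i) & 1u, bi = (b >> i) & 1u;
        r |= (ai ^ bi ^ carry) << i;
        carry = (ai & bi) | (carry & (ai ^ bi));
    }
    return r;
}
static uint32_t ref_shl(uint32_t a, unsigned s) {
    for (s &= 31u; s > 0; s--) a = ref_add(a, a);   /* doubling = shift by 1 */
    return a;
}
static uint32_t ref_mul(uint32_t a, uint32_t b) {
    uint32_t r = 0;                                  /* shift-and-add */
    for (unsigned i = 0; i < 32; i++)
        if ((b >> i) & 1u) r = ref_add(r, ref_shl(a, i));
    return r;
}
static uint32_t ref_xor(uint32_t a, uint32_t b) {
    uint32_t r = 0;
    for (unsigned i = 0; i < 32; i++)
        if (((a >> i) & 1u) != ((b >> i) & 1u)) r |= 1u << i;
    return r;
}

const alu_ops stl_native_ops    = { nat_add, nat_mul, nat_shl, nat_xor };
const alu_ops stl_reference_ops = { ref_add, ref_mul, ref_shl, ref_xor };
const alu_ops stl_faulty_ops    = { bad_add, nat_mul, nat_shl, nat_xor };

/* Fold one 32-bit result into a CRC-32 (reflected, polynomial 0xEDB88320). */
static uint32_t crc32_word(uint32_t crc, uint32_t w) {
    for (int byte = 0; byte < 4; byte++) {
        crc ^= (w >> (8 * byte)) & 0xFFu;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

/* Constructed stimulus: walking-ones plus boundary and alternating patterns,
 * so that every bit position of each data path is exercised at least once. */
#define NPAT 37
static void build_patterns(uint32_t p[NPAT]) {
    for (unsigned i = 0; i < 32; i++) p[i] = 1u << i;
    p[32] = 0u; p[33] = 0xFFFFFFFFu; p[34] = 0xAAAAAAAAu;
    p[35] = 0x55555555u; p[36] = 0x7FFFFFFFu;
}

/* Run the stimulus through the operator set and compress all results into
 * a single signature. */
uint32_t stl_alu_signature(const alu_ops *ops) {
    uint32_t p[NPAT], crc = 0xFFFFFFFFu;
    build_patterns(p);
    for (unsigned i = 0; i < NPAT; i++) {
        uint32_t a = p[i], b = p[(i * 7u + 3u) % NPAT];
        crc = crc32_word(crc, ops->add(a, b));
        crc = crc32_word(crc, ops->mul(a, b));
        crc = crc32_word(crc, ops->shl(a, i));
        crc = crc32_word(crc, ops->xor_(a, b));
    }
    return crc ^ 0xFFFFFFFFu;
}

/* Returns 0 when the data paths reproduce the golden signature, 1 otherwise.
 * A real STL would report the mismatch to the system's safety mechanism. */
int stl_alu_check(const alu_ops *ops, uint32_t golden) {
    return stl_alu_signature(ops) == golden ? 0 : 1;
}

int main(void) {
    uint32_t golden = stl_alu_signature(&stl_reference_ops);
    printf("golden signature: 0x%08X\n", golden);
    printf("native ALU: %s\n", stl_alu_check(&stl_native_ops, golden) ? "FAIL" : "PASS");
    printf("faulty ALU: %s\n", stl_alu_check(&stl_faulty_ops, golden) ? "FAIL" : "PASS");
    return 0;
}
```

The stuck-at fault is caught because the walking-ones stimulus guarantees at least one addition whose true sum has bit 3 set (for instance the pair 1<<3 and 1<<24), so the faulty result changes the signature. The same structure scales to any data path worth covering: the quality of an STL is decided by how well its stimulus reaches the fault sites, which is what fault-simulation tooling measures as diagnostic coverage.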
The focus at IP and SoC level cannot be solely or primarily on fault detection and reporting mechanisms. Too often we see development effort skewed towards adding more safety mechanisms, with less attention paid to what are arguably the worst faults: systematic ones. Systematic failures are normally avoided by having a state-of-the-art, highly traceable development process. Functional safety standards go a long way in recommending methodologies that make the implementation of an IP more reliable, maintainable and, ultimately, safer. In practice, all this work tries to answer two questions:
To answer these questions, we need full control of the specifications and of the validation arguments for them, together with state-of-the-art verification methodologies. For CPUs, this translates into rigorously defined architecture and microarchitecture specifications that are traced as far as possible to the RTL implementation. For other IP, the Safety Element out of Context (SEooC) definition (the full definition of the safety requirements assumed to be allocated to the IP) must be completely defined and validated through traceability, simulation, reviews and safety analysis. The burden of uncovering design bugs cannot be left to verification activities alone. The concepts of ‘right first time’ and ‘requirement validation’ have to be taken seriously when designing safety critical complex IP, and systems in general. This is why Arm has deliberately decided to grow our functional safety culture from within and to enable our products to be used in safety-related systems.
Arm offers a sound functional safety strategy that not only applies to the Automotive industry but reaches out to a range of other markets including industrial, aerospace and transportation. Arm addresses all these markets by taking a multi-standard approach to functional safety through its certification strategy for tools and IP.
Arm has formed an internal Functional Safety Standards working group whose sole purpose is to keep our main functional safety policy up to date with respect to the standards relevant to our strategies and customer requests. Even though compliance with functional safety standards can often be demonstrated without involving a separate organization, Arm has taken steps to ensure we are always independently assessed by a third party as part of the lifecycle of our Safety Ready products. We normally seek and obtain independent certification to both ISO 26262 and IEC 61508, and our tools are additionally qualified for use in developments compliant with EN 50128 (railway software) and IEC 62304 (medical software). We believe this shows credibility and openness, and it also helps educate assessors in the industry as technologies (and the way functional safety applies to them) become more complex. All stakeholders in the supply chain above us will likely go to the same assessors, so there is value in Arm exposing our solutions to their judgment.
It seems apt to mention Arm’s involvement in shaping ISO 26262 (both :2011 and :2018) and ISO/PAS 21448 through the functional safety standards working groups, although that contribution is small compared to our partnerships with commercial software vendors, our many enabling contributions to open-source projects, and our work to make open source easier to deploy in functional safety systems. Moreover, Arm recently published updates to the widely adopted AMBA AXI and CHI specifications to address resilience and functional safety. The AMBA specifications enable common interfaces between silicon IP components that are open to any IP vendor. This standardization enables free selection of interoperable IP, which leads to better systems and to functional safety at a lower cost.
Arm’s Safety Ready portfolio of IP and functional safety technology can be applied to many other markets in addition to automotive. The aerospace market is a great example of one of these.
Recently, aerospace companies have started to license Arm Safety Ready IP and the related safety documentation package. This was only made possible by demonstrating how Arm’s functional safety development lifecycle process maps onto the objectives of DO-254, the hardware development standard in aerospace. Furthermore, we have looked at the most up to date guidance on Commercial Off The Shelf (COTS) IP for aerospace and on multicore CPUs [CAST-32A], [CAST-33], [EASA CM - SWCEH – 001] and [NPA 2018-09]. Arm has shown how it has taken such guidance on board in the Arm Functional Safety Process definition document. It should be said that nothing in this journey comes easily, or without the knowledge and support that come with years of experience implementing IP at the highest levels of integrity.
IP and silicon verification have advanced considerably; so much so, in fact, that a large part of it can increasingly be carried out using prolonged cycles of formal verification, minimizing the chance that any requirement goes unverified. The concepts of requirements traceability and validation, as well as the requirement for ‘supporting processes’ such as configuration management, change control, and archival and retrieval, are not new to aerospace, industrial, railway or medical. What can differ at times is the language. For example, having received queries from different players in aerospace about safety claims on Arm IP, the Functional Safety Standards working group has worked on a common ‘glossary’ for Arm processes that helps ‘translate’ such requests into a consistent and understandable format.
In recognition of Arm’s continuing commitment to the development of functional safety technology, Arm has been invited to join the Multicore for Avionics (MCFA) working group as a contributing member. The MCFA initiative was launched by Freescale (now NXP) in 2008, bringing together SoC designers, ecosystem software partners and avionic system developers with the aim of addressing the challenges around certification of multicore-based systems. Since then, MCFA has been regarded as one of the main interlocutors with certification bodies like the Federal Aviation Administration (FAA) and the European Aviation Safety Agency (EASA), defining and providing a consistent set of data to support multiple certification projects.
Continuing to look beyond automotive, there is a growing desire and requirement for humans to work alongside autonomous, connected and robotized equipment within factories. This versatility will have an impact on safety, as well as on scalability and power requirements. The number of safety systems from OEMs needs to grow as factories become more flexible in nature and house a diverse range of products in one big ‘smart factory’.
Industrial is now a place of disruptive technology and Arm and the Arm ecosystem can help provide the innovative functional safety technology and expertise to help build and enable the smart factories of the future.
As with the automotive industry, the success of Arm in other markets would not be possible without a strong ecosystem of partner companies who make innovative products and technologies that unlock tremendous potential in applications such as autonomous vehicles and robotics. Arm recently launched the Arm Functional Safety Partnership Program, a community of partners who provide functional safety products, services and training based on Arm technology. They also help to address the needs of the following markets:
The response to the launch of this program has been extremely positive and the number of partners joining continues to grow with each new partner bringing valuable functional safety expertise and services to the ecosystem. To see the full list of partners in Arm’s Functional Safety Partnership Program and the functional safety services and products they offer for specific markets, please visit the webpage here.
Arm has moved a long way from the days where our only ‘safety’ requirement was to provide ECC or parity protections on CPU RAMs and we are now able to offer a number of System IPs, GPUs, ISPs and NPUs as Safety Ready products. With Arm’s extensive portfolio of Safety Ready IP that suit many different applications, it is only natural that we now look at how solutions can be created to satisfy common requirements amongst customers in the different segments.
Visit the Arm Safety Ready page for more information.