NetSpeed and Arm Partner to Create ASIL D Safety Islands for Autonomous Vehicle Applications

Co-authored by Andrew Hopkins, Arm, and Rajesh Ramanujam, NetSpeed Systems

Autonomous driving is a catalyst for revolutionary change in the automotive industry, where semiconductors are a decisive enabler. Elevated requirements for functional safety, large scale data and complex decisions are already motivating changes in System-on-Chip (SoC) design and processor architecture. Arm and NetSpeed recognize this technology shift and are working together to enable better systems.

Autonomous systems have massive computational requirements that are driven by several steps in the autonomous flow shown in Figure 1.

Figure 1. The four stages of autonomous systems

  1. Sensing
    The need to preprocess and extract metadata from the vast volume of data produced by several imaging sensors, such as high-resolution cameras, RADAR and LiDAR, drives the need for very significant levels of matrix operations to support linear algebra and computer vision use cases.
  2. Perception
    Throughput computing is also required for perception, which typically starts by fusing the metadata provided by the sensing stage. Matrix operations feature significantly, and extensive use of machine learning leads to a demand for several tens of Tera Operations Per Second (TOPs).
  3. Decide
    Deciding what the autonomous system should do next is critical. It requires a combination of high-integrity functional safety and performance. Several TOPs of path planning algorithms and machine learning (ML) must be executed to make reasoned decisions that avoid hazardous consequences.
  4. Actuate
    Deterministic real-time capability is essential for actuation tasks, which interface the autonomous controller with the vehicle chassis systems such as braking and steering controllers. High-integrity functional safety is paramount here. The need to process many small scalar variables to interact with peripherals also places a requirement on the memory system for ultra-low latency access to on-chip memory and peripherals.

Need for a safety island

Addressing these needs requires a variety of processing capabilities, each with an appropriate safety integrity. Writing large amounts of high-integrity ASIL D software is demanding and often impractical, and it is frequently unnecessary because the early stages of the autonomous flow often have inherent redundancy. These factors often lead to mixed criticality systems, where much of the SoC is dedicated to high-performance processing with ASIL B capability, and an on-chip safety island is included to handle the computing with higher safety integrity, usually with ASIL D capability. Figure 2 shows the context of the safety island amongst a “sea” of performance-oriented components.

Figure 2. System architecture for autonomous systems

The safety island manages the safety of the whole SoC, acting upon reported faults to initiate further diagnosis, to drive recovery where possible and, in any event, to ensure that unavoidable failures occur gracefully. Real-time operation is a necessary characteristic for safety management: the system must be able to act deterministically to contain faults within the fault tolerant time interval.

These responsibilities require that the safety island always be available and immune from faults propagated from the rest of the system. Several capabilities ensure isolation of the subsystem, making it truly an island:

  • Physical implementation with an independent clock source and its own power rails
  • Private memory located within the safety island
  • Independent connectivity, such as CAN FD interfaces and general-purpose input/output
  • Inability of the wider system to directly access the safety island’s private resources

Like safety management, actuation also requires real-time operation and the safety island must be effective for input/output tasks, either to directly perform actuations, which could be as simple as signaling a warning light, or indirectly to issue safety critical messages to another controller.

The decision stage in the autonomous flow requires significant processing and high safety integrity. Several approaches are possible. Some rely on much of the processing being performed with high safety integrity, which can lead to a safety architecture with straightforward argumentation. In practice, the level of computation is so high that alternative approaches are applied, segmenting the workloads into several levels of criticality. In this case, the safety island can be incorporated to provide additional high-integrity checking. It ensures the vehicle is always instructed to perform safe actions.
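The fault containment and checking roles described above, as an added illustration that is not Arm or NetSpeed code: a simplified model of a safety island that receives actuation commands from the performance-oriented part of the SoC, checks each one for corruption, replay and plausibility against a safe envelope, and, when commands are missing or implausible for longer than the fault tolerant time interval, latches into a safe state that it controls itself. The message layout, the envelope limits, the FNV-1a checksum standing in for an end-to-end protection code, and the interval expressed in control ticks are all constructed assumptions for the example.

```c
/* Constructed model of the checking role of a safety island. Not the code of
 * any product; message format, limits and the checksum are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_STEER_DEG       30.0f   /* safe envelope for steering (assumed) */
#define MAX_BRAKE_PCT      100.0f
#define MAX_STEER_STEP_DEG   5.0f   /* largest change accepted per tick (assumed) */
#define FTTI_TICKS             3    /* fault tolerant time interval, in ticks (assumed) */

typedef struct {
    uint32_t seq;        /* sequence number: detects stale or replayed commands */
    float    steer_deg;  /* requested steering angle */
    float    brake_pct;  /* requested brake pressure */
    uint32_t crc;        /* end-to-end protection over the three fields above */
} ActuationCmd;

typedef enum { ISLAND_OK, ISLAND_DEGRADED, ISLAND_SAFE_STATE } IslandState;

typedef struct {
    IslandState state;
    uint32_t    last_seq;        /* last accepted sequence number */
    uint32_t    missed_ticks;    /* consecutive ticks without a valid command */
    float       last_steer_deg;  /* last accepted steering value */
    uint32_t    fault_count;     /* total rejected or missing commands */
} SafetyIsland;

/* FNV-1a over the payload fields; stands in for a real E2E protection code. */
static uint32_t cmd_crc(const ActuationCmd *c)
{
    uint8_t buf[sizeof c->seq + sizeof c->steer_deg + sizeof c->brake_pct];
    memcpy(buf, &c->seq, sizeof c->seq);
    memcpy(buf + sizeof c->seq, &c->steer_deg, sizeof c->steer_deg);
    memcpy(buf + sizeof c->seq + sizeof c->steer_deg, &c->brake_pct, sizeof c->brake_pct);
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

/* Builds a protected command as the performance domain would emit it. */
ActuationCmd make_cmd(uint32_t seq, float steer_deg, float brake_pct)
{
    ActuationCmd c = { seq, steer_deg, brake_pct, 0 };
    c.crc = cmd_crc(&c);
    return c;
}

void island_init(SafetyIsland *si)
{
    memset(si, 0, sizeof *si);
    si->state = ISLAND_OK;
}

static float absf(float x) { return x < 0.0f ? -x : x; }

/* Plausibility check: integrity, freshness, envelope and rate of change. */
bool cmd_plausible(const SafetyIsland *si, const ActuationCmd *c)
{
    if (c->crc != cmd_crc(c)) return false;                 /* corrupted in transit */
    if (c->seq <= si->last_seq) return false;               /* stale or replayed */
    if (absf(c->steer_deg) > MAX_STEER_DEG) return false;   /* outside envelope */
    if (c->brake_pct < 0.0f || c->brake_pct > MAX_BRAKE_PCT) return false;
    if (absf(c->steer_deg - si->last_steer_deg) > MAX_STEER_STEP_DEG) return false;
    return true;
}

/* Degraded output: hold the last good steering value and brake gently. */
static ActuationCmd hold_last(const SafetyIsland *si)
{
    return make_cmd(si->last_seq, si->last_steer_deg, 20.0f);
}

/* Safe state output: hold steering and apply full braking. */
static ActuationCmd safe_stop(const SafetyIsland *si)
{
    return make_cmd(si->last_seq, si->last_steer_deg, MAX_BRAKE_PCT);
}

/* Runs once per control tick; cmd is NULL when nothing arrived. The returned
 * command is what the island forwards to the actuator and is always within
 * the envelope, whatever the performance domain sent. */
ActuationCmd island_tick(SafetyIsland *si, const ActuationCmd *cmd)
{
    if (si->state == ISLAND_SAFE_STATE) return safe_stop(si);  /* latched until reset */
    if (cmd != NULL && cmd_plausible(si, cmd)) {
        si->missed_ticks = 0;
        si->last_seq = cmd->seq;
        si->last_steer_deg = cmd->steer_deg;
        si->state = ISLAND_OK;                                  /* recovery */
        return *cmd;
    }
    si->fault_count++;
    si->missed_ticks++;
    if (si->missed_ticks >= FTTI_TICKS) {                       /* FTTI exhausted */
        si->state = ISLAND_SAFE_STATE;
        return safe_stop(si);
    }
    si->state = ISLAND_DEGRADED;
    return hold_last(si);
}
```

The point of the structure is that the actuator only ever sees output produced or vetted by the island: a corrupted, replayed or out-of-envelope command is never forwarded, a short gap is bridged from the island's own state, and once the fault tolerant time interval has passed the island stops trusting the performance domain altogether. In a real design the same checks would be implemented with lockstep cores and private memory as described for the Cortex-R52, so that the checker itself cannot be disturbed by the faults it is watching for.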

Overall, the safety island architecture is a highly effective way of meeting requirements for high performance and high integrity. Compared to an external microcontroller, it enables superior integration and visibility of the wider system and lowers the bill of materials.

Safety island design

The effectiveness and cost efficiency of a safety island are further improved when the components interoperate effectively, while retaining freedom of IP choice and subsystem design. Cultivating the ecosystem is important. In this spirit, Arm and NetSpeed have partnered to enable interoperability of NetSpeed’s Orion interconnect and the Arm Cortex-R52 processor. Figure 3 illustrates a safety island combining the respective products.

Figure 3. Safety island enabled by NetSpeed Orion interconnect and Arm Cortex-R52 processor

For safety critical ASIL D applications, such as the safety island, real-time microcontrollers and safety SoCs, the Cortex-R52 adds value through its extensive range of safety enabling capabilities. Likewise, NetSpeed’s Orion interconnect is certified for the ISO 26262 automotive functional safety standard and ready for applications requiring ASIL B through ASIL D. The combination forms the foundation of an excellent automotive solution.

Cortex-R52 provides bus interface protection, fast MPU context switching, dual core lockstep and its own safety optimized interrupt controller to enable very fast interrupt servicing. Deterministic virtualization support and multicore capability also lower the cost of software deployment, maintenance and safety assessment by keeping software components isolated.

NetSpeed Orion provides a revolutionary ML-driven methodology that delivers an interconnect solution to meet the functional safety requirements for each part of the SoC. NetSpeed offers a design cockpit that allows architects to explore options and make tradeoffs to optimize the chip's Quality-of-Service (QoS), power, performance, area, latency and functional safety. For smaller subsystems, such as the safety island, an area efficient interconnect can be generated. This complements the capability for the rest of the SoC, where exceptionally high performance is increasingly required. 

Although a safety island can fall back to operation using its internal memory resources, it is also able to operate using a protected memory space held in DRAM. NetSpeed’s interconnect helps here: it has the advanced QoS features needed to isolate real-time and safety critical traffic from other activity.

Autonomous driving presents many significant social, legislative and technical challenges. One critical aspect for the electronics value chain to address is how to realize systems with requirements for very high computational capability and high safety integrity within a low-power budget. Safety islands are an important part of the solution, enabling safer and more efficient designs.
