Powering the autonomous world: introducing the I6500-F for functional safety
The future: it’s not what it was. When I was young in the 1980s, the technology depicted in TV shows and movies seemed fantastically futuristic. What’s remarkable, and arguably slightly disconcerting, is how much of it is becoming a reality. No, we can’t yet beam-up anywhere, but Star Trek’s communicator has long since become an everyday object to billions of people in the form of the smartphone. We all remember KITT, the self-driving, talking car from Knight Rider and the communicator wristwatch that Michael Knight used to talk to him with. Now it’s all real. Our smartphones and speakers can reply to us when we ask them a question, we can take calls on our smart watches, and very soon our cars will drive themselves.
KITT brought self-driving AI-powered cars to TV screens in the 1980sCars have long used electronics for the basic safety systems we now take for granted, such as anti-locking brakes and air bags, but now more advanced systems, such as of infotainment controlled via gestures has already arrived in some high-end cars, while some use eye tracking to monitor drivers’ attentiveness to ensure they are alert. Meanwhile, the world is moving towards autonomous technology that can see and think for itself. In fact, it’s already available on some high-end vehicles that will let the driver take their hands off the wheels in certain circumstances. Cars such as the Tesla Model S and Mercedes–Benz E-class can drive down motorways and change lanes by themselves, while even more affordable cars such as the Nisan Qashqai and Ford Focus can reverse park without anyone having a hand on the steering wheel.
The need for safety
This is only the start, however, and cars will eventually be able to drive themselves in all scenarios, from heavy traffic to urban areas to highways. This will have manifold benefits, and the primary one will be saving lives. While safety systems such as seatbelts and airbags have made many improvements, according to figures from the World Health Organisation (WHO), deaths from road traffic accidents are still increasing worldwide. This is due to several factors. First, as more people become affluent enough to own a car or even a second one, there is an increase in the number of vehicles on the roads. Younger people are, particularly at risk. According to WHO figures, of the top ten causes of death among people ages 15-29 years, road traffic injuries are at number one.
Car occupants and pedestrians are the main victims of road accidents all over the world and despite the advent and widespread use of safety devices such as seatbelts, airbags and ever tougher crash protection; road deaths are still increasing at around 1.2 million people a year.
Globally, road traffic deaths are still on the riseWhat is also clear from the statistics is that the main cause of these road traffic accidents is human error. Take the fallible human out of the equation and there’s no doubt the fatalities will drastically fall.
The financial impact of accidents is huge, estimated at reaching 3% of the world’s GDP. Morgan Stanley estimates that potential savings from autonomous driving could be up to $1.3 trillion per annum after 2025. Pollution is another area greatly affected by vehicle congestion and is at levels considered dangerous in many parts of the world.
These are solvable problems. New infrastructure such as 5G will be fast and responsive enough that vehicles will be able to communicate with each other in near real-time. This will enable automated car control through vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication. This will allow for technology such as lorry platooning, where trucks will drive very closely together to reduce their drag and increase their fuel efficiency. And with no human drivers, they can also drive at night to reduce congestion on roads during the day.
Long term, we could move to fully integrated transport systems, where all vehicles are aware of each other and can move about in an efficient, and accident-free manner – with the only victim likely to be the traffic light.
It’s clear then that self-driving cars are the only way to go for a forward-thinking society that wants to take care of its population. ‘Petrolheads’ and thrill seekers will likely have to get their kicks on dedicated tracks as real, manual driving becomes limited to motorsports and enthusiasts – or even via virtual reality.
There is then going to be an ever greater reliance on electronic automotive components to be functionally safe. However, as we move to these new technologies, there is a requirement to make them as reliable and as safe as possible. Consumers must inherently trust in these technologies if they are going to be widely adopted. Safety and reliability of these systems are paramount.
There is a precedent for trusting technologies. Airbags are now a mature technology and we rely on them to deploy only when we need them, yet operate exactly as required in those critical milliseconds after an impact. We will have to develop that same confidence in our cars when they are braking for us, changing lanes for us, and eventually driving us around amongst bustling streets filled with unpredictable pedestrians.
What is functional safety?
To achieve this level of trust the automotive industry conforms to a safety standard called ISO 26262, an automotive specific brand of the generic IEC 61508 standard that describes safety across many industries.
ISO 26262 calls for electronics to be functionally safe. This refers to the need for a system to operate safely and reliably without causing injury. ISO 26262 contains four critical safety levels, known as the Automotive Safety Integrity Level, or ASIL. ASIL A is the lowest level, while D is the highest. At ASIL B a part is required to regularly check itself that it is functioning, while ASIL D requires redundancy, typically achieved through dual-core lock-step – using two processors in parallel and comparing the output to detect if they are consistent – and if not, then take appropriate action.
However, while ISO 26262 is a standard, complying with it is not actually a legal requirement today. Any manufacturer can sell its vehicles in Europe providing they meet the Type Approval regulations and obtain a certificate of conformity. However, to then avoid liability in the event of a component issue, they have to demonstrate that any theoretical malfunction could not be detected, according to what is considered the ‘technical state of the art’ at the time of development. This implies they will have adopted the most widely accepted and used automotive standard – of which ISO 26262 is a clear example. Therefore, while not legally required, complying with ISO 26262 is necessary by default to protect any car OEMs from any potential liability issues should something unforeseen go wrong. As such, they will look to ensure that all of a system’s components are sourced from suppliers that comply with the required safety standards and processes.
Different automotive components require varying levels of functional safetyComplying with ISO 26262 is involved work which requires a complete ‘safety culture’ within organisations. Meeting the standard is arguably straightforward but requires consistent effort to keep to guidelines. It demands evidence of safety work, with traceability of all decisions made with regards to hardware and software. Products have to undergo a technical safety assessment and a QA process compliance audit.
For many years, component suppliers for car manufacturers did not require this work to be done by their IP suppliers. Rather, they conducted this work themselves and were effectively taking on their liability. However, with the volume and complexity of IP designs, it has become too burdensome for SoC vendors to operate in this way. ISO 26262 has adapted to this. When introduced in 2011 it consisted of 10 parts, but Part 11 is currently in draft and refers to the requirement for IP suppliers to achieve compliance with the standard. The burden then is for the IP supplier to take on the thorough work involved and this is exactly what MIPS has done with the MIPS I6500-F.
The MIPS I6500-F: Smart, speedy and safe
The MIPS I6500-F is functional safety update to the MIPS I6500 released last year. Importantly, in addition to the hardware itself, MIPS is making a full safety work product package available to our customers. Our work, however, does not go untested. In fact, our due diligence is independently audited with an FMEDA safety analysis report by ResilTech, an independent third-party assessor on international safety standards. This will help support customers meet ISO 26262 safety compliance.
The MIPS I6500-F offers high-performance functional safety across areas such as automotive, industrial robotics, and commercial dronesOn top of this, MIPS is also able to provide a Safety Consultancy Support package to help customers integrate our IP into their SoCs and prepare a safety analysis at the SoC level, to ensure customers achieve target ISO 26262 compliance.
From a hardware perspective, the I6500-F’s internal safety mechanisms include ECC implemented in cache memories, parity implemented in buses, redundant logic and support for run-time LBIST.
Where the I6500-F differs from other functional safety CPUs is in performance. It is highly scalable thanks to its ‘Heterogeneous Inside and Out’ architecture. You can read more about this architecture in this blog post, but it boils down to how it is designed to be varied and flexible both inside a core, inside a cluster, and across clusters. SoC builders will be able to configure the CPUs, and clusters of CPUs and other accelerators in a system in a way that suits them best, giving them the ideal solution depending on their needs.
Inside a cluster an SoC builder can configure the CPUs as it sees fit, varying the size of the level 1 memory caches, adjusting the number of supported threads and choosing whether to implement a SIMD or FPU or not. Cores within a cluster can even be run at different voltages and clock speeds, enabling the most energy efficient system possible. The designer can choose a combination of cores to address their high performance, single-threaded, efficient multi-threaded and efficient power optimised requirements, all within a single cluster. With a shared level 2 cache and hardware coherency with all local level 1 caches, task transfer between cores is speeded up.
Outside the cluster, the heterogeneity comes from the fact that the I6500 uses industry standard Amba ACE coherent fabric, enabling it to be integrated with other IP such as, for example, dedicated accelerators, including those for graphics.
In essence, the overall heterogeneous architecture of the I6500 lends itself to emerging intelligent applications such as AI, where additional efficiency through dedicated acceleration is critical to ensure effective performance.
Multi-threading and virtualization
The MIPS architecture also benefits from its status as the only embedded CPU IP today to offer hardware multi-threading, supporting up to four threads and able to run two instructions similtaneously during every clock cycle. When developers optimise their applications to make use of this, enabling an additional concurrent thread offers a typical performance increase of 40% over a single threaded core.
SMT in the I6500-F delivers an average performance boost of 40% over single-threaded coresThe benefits of multi-threading aren’t just theoretical: customers such as Mobileye and many others report tangible results. Mobileye employs multi-threading to give them control and data management in their EyeQ4® and upcoming EyeQ5® vision processing systems for autonomous vehicles.
In addition, support for hardware virtualization in the I6500-F enables the CPU to run multiple partitions to protect data, which could be critical in scenarios such a compromised connected autonomous vehicle.
What is also unique about the I6500-F is that it is what is known in the industry as a ‘Secure Element out of Context’ (SEooC). What this means is that this is reusable IP and rather than only working with one particular customer solution it has been designed to work with any system that requires functional safety. Our I6500-F is deemed as achieving ASIL-B decomposed from D: and as such can be part of an ASIL-D rated SoC.
A case in point is the forthcoming EyeQ®5 from autonomous vision company Mobileye.
Not only does this dramatically simplify the task of the automotive customers to achieve their required safety level, but it also reaches this goal more efficiently.
Combining performance with safety
With the MIPS I6500-F then, MIPS has introduced a unique option in the safety-critical space. While other IP suppliers have been able to offer either a functionally safe CPU or a high performance embedded CPU, the I6500-F is the first in the industry that can deliver both at the same time. We have dubbed this new class of embedded, high-performance, functionally safe CPUs with the title, ‘FortifAI’ (pronounced like ‘fortify’) processors that will be able to meet ever more complex needs of FuSa compliant systems across automotive, industrial IoT, robotics and other emerging safety critical applications.
It is a testament to the abilities of the I6500-F that a customer such as Mobileye has entrusted the CPU to beat at the heart of its next generation EyeQ5 SoC. This will be used to bring sight and understanding to fully autonomous vehicles from 2020, and, for some at least, will mark the time when our childhood dreams of riding in a self-driving car will move from fantasy to everyday reality.
If you are interested in talking to us further about the I6500-F, then you can get in touch with us here.