Philipp Jacobsohn, Senior Staff Applications Engineer, SmartDV
This Tech Talk article is a follow-up to my previous blog on the same topic. I also recently spoke on this subject—watch the video of my presentation on SmartDV’s YouTube Channel.
Safety-critical chip designs of all kinds require foresight and serious planning. The intention of this article is to shed some light on the benefits of using predefined circuit functions—that is, IP cores—in safety-critical applications, and also to provide some guidance on the selection and incorporation of IP into your chip design.
Unfortunately, designers often underestimate the importance and benefits of getting the manufacturers of third-party IP on board for their projects at an early stage. The lack of close, intentional collaboration with IP suppliers can lead to misunderstandings, time pressure, tapeout delays, and mutual frustration. Naturally, you want to avoid all of this in your chip design project—so let’s get started.
What are safety standards?
Before we dig into IP selection for safety-critical chip designs, let’s first take a quick look at the different industry standards at play.
The applicable standard in the automotive sector is ISO 26262, which is a sector-specific adaptation of the IEC 61508 standard. DO-254 (Design Assurance Guidance for Airborne Electronic Hardware) and AMC 20-152A (essentially a supplement to DO-254) are the common standards that set requirements for engineers developing airborne electronic hardware. Other end uses and design applications have their own specialized standards that may apply. One example is ISO 21434 for cybersecurity, which plays an increasingly integral part in today’s automotive and avionics designs. (For the purpose of this article, I’ll constrain my focus to safety rather than security.)
Why do we need safety standards? And why so many different ones?
Let’s discuss the question of why standardization is needed in the context of circuit development. To be frank, this topic is not something that can be considered new or even exciting! Safety standards are often even viewed as a necessary evil—and yet the operation of electronic circuits is no longer possible without clearly defined rules of reliability and operational safety.
Similar to how an airline pilot must work through a standard protocol of all safety-related procedures for the aircraft before taking off, this also has to happen as part of circuit development. Even if a pilot has already gone through the same process hundreds of times, this procedure must be carried out again before each new flight. The goal is to avoid errors. Likewise, predefined standards like ISO 26262 and IEC 61508 provide a firmly defined structure that helps discover possible errors and classify problems, enabling the design to react adequately to unforeseen situations. If a tire is damaged, the aircraft must be prevented from taking off. If the onboard kitchen is defective, a flight may still proceed.
Fundamentally, the goals of a ship’s captain and an airplane pilot are identical: to convey passengers and cargo safely to their destination. Owing to the vast differences between sea and air travel, different criteria are relevant. Specialized safety standards therefore exist—and any supplier must know the end environment in which a subsystem is used. That’s also why an IP vendor needs to understand the context in which their predefined circuit function will be used.
What do safety standards define?
Safety standards define the phases of design process requirements: planning, implementation, verification, and documentation.

This procedure is largely uniform across standards, but each defines the required rigor slightly differently. The tenets of each step must be met for compliance.
End use and allowed probability of failure
Potential hardware failures must be categorized to define appropriate error-handling mechanisms. An error in a car’s infotainment system might be acceptable; an error affecting automated braking is not.
Different requirements are therefore classified. IEC 61508 uses SIL 0–4; ISO 26262 uses ASIL A–D. Higher categories have stricter requirements (SIL 4 / ASIL D are the most stringent).
A product’s end use determines the design and verification approach. A chip in infotainment failing is a nuisance; a chip in an airbag or lane management failing is dangerous. For safety-critical end uses, appropriate integrity levels and proactive measures are essential.
Understanding and reacting to malfunctions
Systems must either prevent failures or react to them appropriately. Distinguish between systematic errors (design/verification gaps) and random errors (external influences). Systematic errors can be reduced with strong verification and tools—but 100% coverage is unrealistic, especially for corner cases. Random errors require error detection and correction mechanisms, and verification must also validate those mechanisms.
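The paragraph above makes two points that are easy to state and easy to get wrong in practice: random errors need a detection-and-correction mechanism, and the verification plan must exercise that mechanism rather than assume it works. The following added example (not code from the article or from SmartDV) shows both on a small scale: a single-error-correcting, double-error-detecting (SECDED) Hamming code of the kind used to protect on-chip memories, plus a fault-injection check that flips every single bit and every pair of bits in a codeword and confirms the decoder classifies each case as the design intends. The data words and the function names are my own choices for the illustration.

```python
"""SECDED Hamming code with an exhaustive fault-injection check.

Added illustration for the discussion of random errors; it is not code from
the article or from SmartDV. Bit positions follow the classic Hamming layout:
index 0 holds the overall parity bit, indices 1..n hold the Hamming code with
parity bits at powers of two and data bits everywhere else.
"""
from __future__ import annotations
from itertools import combinations


def _num_parity_bits(n_data: int) -> int:
    """Smallest r with 2**r >= n_data + r + 1 (enough positions for all bits)."""
    r = 0
    while (1 << r) < n_data + r + 1:
        r += 1
    return r


def hamming_encode(data: list) -> list:
    """Encode a list of 0/1 data bits into a SECDED codeword (list of bits)."""
    r = _num_parity_bits(len(data))
    n = len(data) + r
    code = [0] * (n + 1)
    # Data bits go to the positions that are not powers of two.
    bits = iter(data)
    for pos in range(1, n + 1):
        if pos & (pos - 1) != 0:
            code[pos] = next(bits)
    # Hamming parity bit 2**i covers every position whose index has bit i set.
    for i in range(r):
        p = 1 << i
        code[p] = 0
        for pos in range(1, n + 1):
            if pos != p and pos & p:
                code[p] ^= code[pos]
    # Overall parity over the Hamming word turns SEC into SECDED.
    code[0] = sum(code[1:]) % 2
    return code


def hamming_decode(code: list) -> tuple:
    """Return (data_bits, status) with status in {"ok", "corrected", "uncorrectable"}."""
    n = len(code) - 1
    # Syndrome: XOR of the indices of all set bits; zero for a clean codeword,
    # equal to the flipped index for a single-bit error.
    syndrome = 0
    for pos in range(1, n + 1):
        if code[pos]:
            syndrome ^= pos
    overall_ok = sum(code) % 2 == 0  # includes the overall parity bit itself
    corrected = list(code)
    if syndrome == 0 and overall_ok:
        status = "ok"
    elif not overall_ok:
        # Odd number of flips: treat as a single error and repair it.
        corrected[syndrome if syndrome else 0] ^= 1
        status = "corrected"
    else:
        # Non-zero syndrome with even parity: two flips, cannot be repaired.
        status = "uncorrectable"
    data = [corrected[pos] for pos in range(1, n + 1) if pos & (pos - 1) != 0]
    return data, status


def fault_injection_check(data: list) -> dict:
    """Inject every single- and double-bit flip into the codeword of `data`
    and count how the decoder classifies each injected fault."""
    code = hamming_encode(data)
    n = len(code)
    results = {"single_corrected": 0, "single_missed": 0,
               "double_detected": 0, "double_missed": 0}
    for i in range(n):
        faulty = list(code)
        faulty[i] ^= 1
        out, status = hamming_decode(faulty)
        key = "single_corrected" if (status == "corrected" and out == data) else "single_missed"
        results[key] += 1
    for i, j in combinations(range(n), 2):
        faulty = list(code)
        faulty[i] ^= 1
        faulty[j] ^= 1
        _, status = hamming_decode(faulty)
        key = "double_detected" if status == "uncorrectable" else "double_missed"
        results[key] += 1
    return results


if __name__ == "__main__":
    # Constructed sample word; an 8-bit payload needs 4 parity bits + 1 overall bit.
    sample = [1, 0, 1, 1, 0, 0, 1, 0]
    print(fault_injection_check(sample))
```

The point of `fault_injection_check` is the verification step the text calls out: a correction mechanism that is only tested on a clean codeword proves nothing, so the check enumerates the fault space the mechanism claims to cover (all single flips corrected, all double flips flagged) and any "missed" count above zero is a finding against the design, not against the test.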
How is IP development impacted?
Even if certification is for the final product, each component must still meet system-level requirements. Subcomponents must be implemented in conformance with strict rules, anticipate safety-relevant end uses, and follow the applicable development processes.
For ISO 26262, process requirements include:
- Detailed planning for functional safety requirements
- Hazard and failure-mode analysis
- Implementation informed by those steps
Verification and validation follow. To achieve certification, every step must be documented: tools, methods, coverage, and more. Under DO-254, clear definitions and full traceability from the start are mandatory.
Obtaining industry standards body certification
Certification requires working with an independent organization (e.g., TÜV SÜD). The process is time-consuming and requires audits and trained personnel, but it can bolster customer confidence and product quality. Certifying individual IP cores rarely makes sense; the final system is the context—but subcomponents must still follow the rules.
Final considerations
Certification is challenging but often worthwhile. Even if only the final product is certified, third-party IP must meet the system’s requirements and follow the strict tenets of the applicable standard. Choose an IP partner with relevant experience and proactive support.
SmartDV is ready to be your trusted IP partner in automotive and avionics designs. Our VIP is built by seasoned verification engineers. We also offer standards-based design IP for a variety of applications. Below is a selection of IP cores applicable to safety-critical designs.

As chip complexity grows, verification consumes 60–80% of resources. It pays to work with a trusted partner who collaborates to solve problems along the way.
Whether you’re sourcing design IP for your next SoC, ASIC, or FPGA, or seeking VIP to put your chip through its paces, SmartDV can quickly and reliably customize our portfolio to meet your needs. Our SmartCompiler™ technology makes it easy to get IP Your Way™—define your specs and let us handle it.
We look forward to seeing the results of your chip design efforts on the road or in the skies!
About Philipp Jacobsohn
Philipp Jacobsohn is Senior Staff Applications Engineer at SmartDV, where he supports users of design IP and verification IP in North America and Europe. Prior to SmartDV, he held engineering and field roles at J. Haugg, Synopsys, Synplicity, Epson Europe Electronics, Lattice Semiconductors, EBV Elektronik, and SEI-Elbatex. Philipp is based in Switzerland.
This Tech Talk article was originally published on ChipEstimate