Resolving ADAS Imaging Subsystem Functional Safety Quagmire
Abstract— Nowadays it has become common practice to use multi core SoCs in safety related Advanced Driver Assistance Systems (ADAS). The ISO 26262 functional safety standard provides requirements to avoid or reduce the risk caused by these systems. In safety related systems, a comprehensive test strategy is required to guarantee successful normal operation for the SoC throughout its life cycle. Software based self-tests have been proposed as an effective alternative to hardware based self-tests in order to eliminate area and save new hardware IP development costs. This paper proposes a software based self-test scheme to ensure integrity of Imaging sub-systems to prevent violation of the defined safety goals for several camera based ADAS applications. The proposal uses a hand crafted functional time triggered non-concurrent online test based solution. The proposed solution covers permanent and intermittent faults in imaging sub-systems by introducing a known golden reference image processing run every fault tolerant time interval. For a sample 1080p30 input capture, considering a fault tolerant time interval of 300ms for a typical ADAS application and considering that this hand-crafted test pattern is run after every 8 frames, the proposed solution enables the hardware self-test at an additional 12.5% clocking requirement for the imaging sub-system and an additional 12.5% DDR throughput requirement.

Index Terms— ISO 26262, functional safety, non-concurrent online self-test, ADAS, imaging

I. INTRODUCTION

Research and practical experience have shown the importance of advanced driver assistance (ADAS) and other safety-related systems in making Europe’s roads safer. The EU is phasing in inclusion of ADAS such as automatic emergency braking, lane departure warning systems, electronic stability control and ABS brake assist as pre-requisites for new vehicles in certain four-wheel passenger and goods categories. It is hoped that compulsory fitting of these systems on all new vehicles and vehicle types within the relevant categories will be introduced by late-2015 [1]. The ISO 26262 functional safety standard [2] provides requirements to avoid or reduce the risk caused by these systems.

With an ever increasing demand for safety related ADAS applications, the development of monitoring functions to expeditiously detect critical hardware failures is gaining momentum.

Online self-tests can be performed using hardware self-test approaches [3] or using software based self-test approaches [4]. Unlike hardware based self-testing, software-based testing is non-intrusive since it applies tests in the normal operational mode of the circuit [5].

Faults are classified into design faults, which are made by human designers or tools used during the design process, fabrication faults, which result from an imperfect manufacturing process, and operational faults, which result from wear or environmental disturbances during normal system operation [3]. Operational faults are usually classified by their duration, as permanent faults, which exist indefinitely, intermittent faults, which appear, disappear, and reappear repeatedly, and transient faults, which appear irregularly and last for a short time [3].

Time triggered non-concurrent testing occurs at predetermined times in the operation of the system. This kind of testing can detect permanent faults and intermittent faults. Such tests can also identify latent design and manufacturing flaws that appear only under certain environmental conditions [3].

Most ADAS systems rely on highly complex algorithms on vision processing. As indicated in Figure 1 [6], automotive vision systems use video input, which is then processed using various algorithms in ADAS systems.

Fig. 1. Vision and radar based Automotive Driver Assistance Systems

II. ISO 26262

The ISO 26262 standard [2] is an automotive-specific interpretation of the basic safety standard IEC 61508 [7] for functional safety of electrical/electronic (E/E) systems. The ISO 26262 standard provides an automotive safety lifecycle and provides a risk-based approach to determine Automotive Safety Integrity Levels (ASIL). ASILs are used to specify the applicable
requirements of ISO 26262 in order to avoid unreasonable residual risk.

Defined confirmation measures must be performed to ensure that a sufficient and acceptable level of safety has been achieved. The Residual Fault failure rate, $\lambda_{RF}$, is given as

$\lambda_{RF} = (1 - K_{FMC,RF}) \times \lambda_{PVSG}$ (1)

where $K_{FMC,RF}$ is the failure mode coverage with respect to residual faults and $\lambda_{PVSG}$ is the failure rate of the faults that have the potential to directly violate the safety goal without considering any of the safety mechanisms that can exist to prevent this.

The Multi-Point Fault failure rate is given as

$\lambda_{MPF} = K_{FMC,RF} \times \lambda_{PVSG}$ (2)

Due to online self-tests, dangerous failures can be detected. Hence, $K_{FMC,RF}$ can be increased and this enhances the probability of prevention of violation of safety goals.

Table 1 illustrates the current range of ASILs with which ADAS systems need to comply. ASIL B is typically seen as the lowest level requirement for several ADAS systems with some applications requiring up to ASIL D for certain vehicle functions.

As indicated in Figure 2, a typical ADAS camera based SoC would consist of a video input capture sub-system, a digital signal processor, imaging sub-system and an optional display sub-system. Such a SoC may typically use an external memory to store image data and/or optionally use on chip memory as well.
2015 IEEE International Conference on Consumer Electronics (ICCE)
anywhere from 70ms to around 500ms, depending upon the targeted end application.

For the self-test of the Imaging sub-system, this paper proposes a hand crafted golden reference image data that is processed by the imaging sub-system. The achievable diagnostic coverage for the Imaging sub-system is highly dependent upon the quality of the chosen test pattern.

B. Test Pattern Generation

As shown in Figure 3, the Imaging sub-system typically deals with the processing of the pixel data coming from an external image sensor or data from memory. Image Signal Processor (ISP) and Still Image Co-processor (SIMCOP) are the key components of the Imaging sub-system [8].

Multiply and Add (MAC) [e.g. RGB2RGB] based processing blocks and
Blocks that are responsible for conditional processing based upon certain threshold values [e.g. Edge Enhancer].

This information with respect to the various sub-blocks involved in image processing is critical to test pattern generation to ensure an appropriate diagnostic coverage for the Imaging sub-system for the targeted ASIL. In general, the ranges of look-up entries are usually known. For a lookup table based processing sub-block, care needs to be taken to ensure that the test pattern exercises a majority of input combinations, which in turn results in exercising a majority of output combinations for a particular look up table. For a MAC based processing block, the test pattern needs to ensure that multiply and add factors are chosen such that the chosen values help cover any stuck-at faults for data lines used during the MAC operation. For example, as shown in Figure 5 below, the choice of gain_** values can have a huge impact on the diagnostic coverage.
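The effect of multiply and add factor choice on stuck-at coverage, as an added example that is not code from the paper: it assumes a hypothetical 8-bit pixel by 8-bit gain multiplier with a 16-bit add term and result, injects every single stuck-at fault on those lines, and compares a unity-gain pattern with constructed all-ones/all-zeros vectors. The bus widths, names and both patterns are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model: 8-bit pixel x 8-bit gain + 16-bit offset -> 16-bit result. */
enum bus { PIXEL, GAIN, OUT };
struct fault { enum bus where; int bit; int stuck; };   /* single stuck-at */
struct vec { uint8_t pixel, gain; uint16_t offset; };   /* one test stimulus */

static uint32_t force(uint32_t v, int bit, int stuck) {
    return stuck ? (v | (1u << bit)) : (v & ~(1u << bit));
}

/* MAC stage; f == NULL gives the fault-free (golden) result. */
static uint16_t mac(struct vec t, const struct fault *f) {
    uint32_t p = t.pixel, g = t.gain, out;
    if (f && f->where == PIXEL) p = force(p, f->bit, f->stuck);
    if (f && f->where == GAIN)  g = force(g, f->bit, f->stuck);
    out = (p * g + t.offset) & 0xFFFFu;
    if (f && f->where == OUT)   out = force(out, f->bit, f->stuck);
    return (uint16_t)out;
}

/* Count faults (of 64: 8 pixel + 8 gain + 16 output lines, stuck-at-0/1)
   for which at least one vector's output differs from the golden output. */
int detected_faults(const struct vec *pat, int n) {
    static const int width[] = { 8, 8, 16 };
    int hit = 0;
    for (int w = PIXEL; w <= OUT; w++)
        for (int b = 0; b < width[w]; b++)
            for (int s = 0; s <= 1; s++) {
                struct fault f = { (enum bus)w, b, s };
                for (int k = 0; k < n; k++)
                    if (mac(pat[k], &f) != mac(pat[k], NULL)) { hit++; break; }
            }
    return hit;
}

/* Constructed patterns: pass-through gain vs. values chosen per data line. */
const struct vec unity_pattern[]   = { {0x00, 0x01, 0}, {0xFF, 0x01, 0} };
const struct vec crafted_pattern[] = { {0xFF, 0xFF, 0}, {0x00, 0xFF, 0},
                                       {0xFF, 0x00, 0}, {0x00, 0x00, 0xFFFF} };

int main(void) {
    printf("unity gain: %d/64 stuck-at faults detected\n",
           detected_faults(unity_pattern, 2));
    printf("crafted:    %d/64 stuck-at faults detected\n",
           detected_faults(crafted_pattern, 4));
    return 0;
}
```

With unity gain, most gain lines and the upper result lines never toggle, so faults on them go unnoticed; the crafted vectors drive every modelled line to both 0 and 1.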
The value of i is calculated using equation (3) below

$i = \lfloor (t_{FTTI} \times N)/1000 \rfloor - 1$ (3)

where
N = Number of Frames processed by the Imaging sub-system Per Second,
$t_{FTTI}$ = Fault Tolerant Time Interval in milliseconds

So, if the Imaging sub-system needed to be run at a frequency $f_{orig}$, this would then translate into an additional clocking requirement, resulting in $f_{iss}$ given by the following equation

$f_{iss} = f_{orig} \times (1 + 1/(i - 1))$ MHz (4)

Additionally, if the data used for processing was being picked from external memory, the external memory would also have an additional clocking requirement as indicated for the Imaging sub-system in equation (4) above.

IV. RESULTS

Figure 7 illustrates the percentage increase required in additional clocking requirement for the Imaging sub-system and external memory across various FTTI values used in ADAS applications.

Fig. 7. Additional clocking requirement (%age increase) for Imaging Sub-system and external memory vs FTTI

It is evident that the percentage increase in clocking requirement for the imaging sub-system and external memory decreases with increase in FTTI.

For a typical ADAS application with a fault tolerant time interval of 300ms and a 1080p30 YUV422 input capture, we can achieve a diagnostic coverage of > 90% through a hand-crafted test pattern that is run after every 8 frames of captured input at the cost of the following additional external memory bandwidth/clocking requirement.

Additionally, we see the following additional clocking requirements for the Imaging sub-system as given in equation (5)

$f_{iss} = 1.125 \times f_{orig}$ (5)

Table II indicates external memory requirements and other trade-offs of the proposed scheme.

TABLE II. EXTERNAL MEMORY REQUIREMENT AND OTHER TRADE-OFFS

| Original external memory bandwidth requirement (KB) | Additional external memory bandwidth required due to software test pattern (KB) | Area required on SoC | Fault coverage | At-speed | External tester? |
|---|---|---|---|---|---|
| 124416 | 16588.8, i.e. 13.33% | 0 | > 90% | Y | N |

V. CONCLUSION AND FUTURE DIRECTION

In conclusion, we propose a new hand crafted test pattern technique that enables us to achieve the targeted diagnostic coverage for an imaging sub-system used in several functional safety critical camera based ADAS functions. This hand crafted test pattern technique can be run at-speed during the normal functional operating environment of the design using a time triggered approach, thereby providing the targeted diagnostic coverage for permanent and intermittent faults for the targeted ASILs.

Future steps in this direction will include detailed safety analyses, including fault injection, in order to confirm the estimated diagnostic coverage achievable by the use of the proposed software self-test mechanism.

VI. REFERENCES

[1] European Commission, March 2012, Newsletter 8: “Smarter transport systems mean safer roads”
[2] ISO 26262:2011, “Road vehicles – Functional safety,” 2011.
[3] H. Al-Asaad, B. T. Murray, and J. P. Hayes, “Online BIST for embedded systems,” IEEE Des. Test, vol. 15, pp. 17–24, October 1998.
[4] N. Kranitis, A. Paschalis, D. Gizopoulos, and G. Xenoulis, “Software based self-testing of embedded processors,” IEEE Trans. Comput., vol. 54, pp. 461–475, April 2005.
[5] L. Chen and S. Dey, “Software-based self-testing methodology for processor cores,” IEEE Trans. Computer-Aided Design Integr. Circuits Syst., vol. 20, no. 3, pp. 369–380, Mar. 2001.
[6] B. Kisacanin, “Automotive vision for advanced driver assistance systems,” 2011 International Symposium on VLSI Technology, Systems and Applications (VLSI-TSA), pp. 1–2, 25-27 April 2011.
[7] IEC 61508:2010, “Functional safety of E/E programmable electronic safety-related systems.”
[8] Texas Instruments, “OMAP4470 Multimedia Device silicon: TRM”, http://www.ti.com/product/omap4470