Resolving ADAS Imaging Subsystem Functional Safety Quagmire

2015 IEEE International Conference on Consumer Electronics (ICCE)

Rahul Gulati, Vasant Easwaran, Prashant Karandikar, Mihir Mody, Prithvi Shankar
Texas Instruments India
Email: {rahul, vke, prash, mihir, prithvi}@ti.com

Abstract— Nowadays it has become common practice to use multi-core SoCs in safety related Advanced Driver Assistance Systems (ADAS). The ISO 26262 functional safety standard provides requirements to avoid or reduce the risk caused by these systems. In safety related systems, a comprehensive test strategy is required to guarantee successful normal operation for the SoC throughout its life cycle. Software based self-tests have been proposed as an effective alternative to hardware based self-tests in order to eliminate area and save new hardware IP development costs. This paper proposes a software based self-test scheme to ensure integrity of Imaging sub-systems to prevent violation of the defined safety goals for several camera based ADAS applications. The proposal uses a hand crafted functional time triggered non-concurrent online test based solution. The proposed solution covers permanent and intermittent faults in imaging sub-systems by introducing a known golden reference image processing run every fault tolerant time interval. For a sample 1080p30 input capture, considering a fault tolerant time interval of 300ms for a typical ADAS application and considering that this hand-crafted test pattern is run after every 8 frames, the proposed solution enables the hardware self-test at an additional 12.5% clocking requirement for the imaging sub-system and an additional 12.5% DDR throughput requirement.

Index Terms— ISO 26262, functional safety, non-concurrent online self-test, ADAS, imaging

978-1-4799-7543-3/15/$31.00 ©2015 IEEE

I. INTRODUCTION

Research and practical experience have shown the importance of advanced driver assistance (ADAS) and other safety-related systems in making Europe’s roads safer. The EU is phasing in inclusion of ADAS such as automatic emergency braking, lane departure warning systems, electronic stability control and ABS brake assist as pre-requisites for new vehicles in certain four-wheel passenger and goods categories. It is hoped that compulsory fitting of these systems on all new vehicles and vehicle types within the relevant categories will be introduced by late-2015 [1]. The ISO 26262 functional safety standard [2] provides requirements to avoid or reduce the risk caused by these systems.

With an ever increasing demand for safety related ADAS applications, the development of monitoring functions to expeditiously detect critical hardware failures is gaining momentum.

Online self-tests can be performed using hardware self-test approaches [3] or using software based self-test approaches [4]. Unlike hardware based self-testing, software-based testing is non-intrusive since it applies tests in the normal operational mode of the circuit [5].

Faults are classified into design faults, which are made by human designers or tools used during the design process, fabrication faults, which result from an imperfect manufacturing process, and operational faults, which result from wear or environmental disturbances during normal system operation [3]. Operational faults are usually classified by their duration, as permanent faults, which exist indefinitely, intermittent faults, which appear, disappear, and reappear repeatedly, and transient faults, which appear irregularly and last for a short time [3].

Time triggered non-concurrent testing occurs at predetermined times in the operation of the system. This kind of testing can detect permanent faults and intermittent faults. Such tests can also identify latent design and manufacturing flaws that appear only under certain environmental conditions [3].

Most ADAS systems rely on highly complex algorithms on vision processing. As indicated in Figure 1 [6], automotive vision systems use video input, which is then processed using various algorithms in ADAS systems.

Fig. 1. Vision and radar based Automotive Driver Assistance Systems

II. ISO 26262

The ISO 26262 standard [2] is an automotive-specific interpretation of the basic safety standard IEC 61508 [7] for functional safety of electrical/electronic (E/E) systems. The ISO 26262 standard provides an automotive safety lifecycle and provides a risk-based approach to determine Automotive Safety Integrity Levels (ASIL). ASILs are used to specify the applicable requirements of ISO 26262 in order to avoid unreasonable residual risk.

Defined confirmation measures must be performed to ensure that a sufficient and acceptable level of safety has been achieved. The Residual Fault failure rate, $\lambda_{RF}$, is given as

$\lambda_{RF} = (1 - K_{FMC,RF}) \times \lambda_{PVSG}$ (1)

where $K_{FMC,RF}$ is the failure mode coverage with respect to residual faults and $\lambda_{PVSG}$ is the failure rate of the faults that have the potential to directly violate the safety goal without considering any of the safety mechanisms that can exist to prevent this.

The Multi-Point Fault failure rate is given as

$\lambda_{MPF} = K_{FMC,RF} \times \lambda_{PVSG}$ (2)

Due to online self-tests, dangerous failures can be detected. Hence, $K_{FMC,RF}$ can be increased and this enhances the probability of prevention of violation of safety goals.

Table 1 illustrates the current range of ASILs with which ADAS systems need to comply. ASIL B is typically seen as the lowest level requirement for several ADAS systems with some applications requiring up to ASIL D for certain vehicle functions.

TABLE I. ADAS ASIL MARKET REQUIREMENTS

Automotive Safety Integrity Levels (ASIL)
ASIL D    >99% faults detected
ASIL C    >97% faults detected
ASIL B    >90% faults detected
ASIL A    NA

III. SOFTWARE BASED SELF TEST METHODOLOGY TARGETING PERMANENT AND INTERMITTENT FAULTS

A. Typical ADAS SoC architecture

Unlike hardware based self-testing schemes, software based functional self-testing schemes are generally non-intrusive. This is primarily because the software test vectors utilized in the software based schemes are applied in the normal functional operating environment of the design.

Most ADAS systems rely on highly complex algorithms on vision processing. The Imaging sub-system is one of the hardware accelerators that are typically used to apply high quality, state of the art image processing algorithms with high performance and low power consumption. This sub-system can typically receive RAW or YUV data from multiple cameras concurrently. The processing outcome can be displayed, pre and/or post processed by other hardware accelerators or by software, encoded as still images or be encoded as video.

As indicated in Figure 2, a typical ADAS camera based SoC would consist of a video input capture sub-system, a digital signal processor, imaging sub-system and an optional display sub-system. Such a SoC may typically use an external memory to store image data and/or optionally use on chip memory as well.

Fig. 2. A typical ADAS SoC consisting of a video input capture sub-system, display sub-system, DSP and the Imaging sub-system

Such camera based ADAS systems need to meet the specific functional safety requirements as specified in the ISO 26262 functional safety standard for road vehicles weighing up to 3.5 tons. Based upon the hazard analysis and risk assessment of such a system implementing a function at the vehicle level, safety goals related to the prevention or mitigation of the hazardous events are formulated. The ASILs (Automotive Safety Integrity Levels) determined for the hazardous events are assigned to the corresponding safety goals.

In order to ensure correct functionality of the system at all times, self-tests must be performed. So, depending upon the targeted ASIL for an ADAS system, in addition to the event triggered non-concurrent online tests, which are typically initiated by key events such as system start-up or shutdown, one is also required to perform time-triggered non-concurrent online tests, also called periodic tests. Whereas the event triggered self-test mechanisms help to detect permanent faults, the time triggered periodic self-tests, in addition to detecting permanent faults, help to detect intermittent faults. Additionally, any latent design faults that may appear only under certain operating conditions are also identified by periodic self-tests.

Depending upon the targeted ASIL for the ADAS system, it may be necessary to run the periodic self-tests once every fault tolerant time interval (FTTI). The fault tolerant time interval is the time-span in which a fault can be present in a system before a hazardous event occurs. For ADAS systems, FTTI varies anywhere from 70ms to around 500ms, depending upon the targeted end application.

For the self-test of the Imaging sub-system, this paper proposes a hand crafted golden reference image data that is processed by the imaging sub-system. The achievable diagnostic coverage for the Imaging sub-system is highly dependent upon the quality of the chosen test pattern.

B. Test Pattern Generation

As shown in Figure 3, the Imaging sub-system typically deals with the processing of the pixel data coming from an external image sensor or data from memory. Image Signal Processor (ISP) and Still Image Co-processor (SIMCOP) are the key components of the Imaging sub-system [8].

Fig. 3. A typical Imaging sub-system block diagram

Figure 4 depicts the detailed block diagram of the IPIPE sub-block within the ISP block.

Fig. 4. Imaging sub-system IPIPE block diagram

From the blocks depicted in Figure 3 and Figure 4 above, the several sub-blocks of the Imaging sub-system can be broadly classified into three categories:
• Look-Up Table (LUT) based processing blocks [e.g. DPC],
• Multiply and Add (MAC) [e.g. RGB2RGB] based processing blocks and
• Blocks that are responsible for conditional processing based upon certain threshold values [e.g. Edge Enhancer].

This information with respect to the various sub-blocks involved in image processing is critical to test pattern generation to ensure an appropriate diagnostic coverage for the Imaging sub-system for the targeted ASIL. In general, the ranges of look-up entries are usually known. For a lookup table based processing sub-block, care needs to be taken to ensure that the test pattern exercises a majority of input combinations which in turn results in exercising a majority of output combinations for a particular look up table. For a MAC based processing block, the test pattern needs to ensure that multiply and add factors are chosen such that the chosen values help cover any stuck at faults for data lines used during the MAC operation, e.g. as shown in Figure 5 below, the choice of gain_** values can have a huge impact on the diagnostic coverage.

Fig. 5. Imaging Sub-system IPIPE RGB2RGB conversion formula

Similarly, the edge enhancement intensity is looked up from the LUT through the formula shown in Figure 6 below.

Fig. 6. Imaging Sub-system IPIPE 2D Edge Intensity formula

It is estimated that such a carefully hand crafted functional test pattern for the Imaging sub-system may provide a greater than 90% diagnostic coverage for the Imaging sub-system.

Depending upon the targeted ASIL for the ADAS system, it may be necessary to run the periodic self-tests once every fault tolerant time interval (FTTI).

So, for an Imaging sub-system, every ith frame would need to be the hand crafted functional self-test frame to ensure the integrity of the imaging sub-system at all times. The processed output from the imaging sub-system is then compared against the golden reference output data/cyclic redundancy check signature of golden reference output data that has been pre-computed and stored in external memory.
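An added example (not code from the paper): a C model of the golden-signature comparison described above, showing how the choice of test frame and gain decides which stuck-at-0 faults on a MAC stage's output lines change the CRC. The 12-bit data path, the `(in * gain) >> 8` stage, the CRC-32 polynomial and all function names are assumptions; the self-test interval uses the formula the paper gives as equation (3).

```c
#include <stdint.h>
#include <stdio.h>
#define LINES 12 /* assumed 12-bit pixel data path, one test word per line */

/* Equation (3): i = floor(tFTTI * N / 1000) - 1; integer division floors. */
unsigned selftest_interval(unsigned t_ftti_ms, unsigned fps) {
    return (t_ftti_ms * fps) / 1000u - 1u;
}

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320) over 16-bit words. */
uint32_t crc32_words(const uint16_t *p, int n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (int i = 0; i < n; i++)
        for (int b = 0; b < 16; b++) {
            uint32_t bit = (crc ^ ((uint32_t)p[i] >> b)) & 1u;
            crc = (crc >> 1) ^ (bit ? 0xEDB88320u : 0u);
        }
    return ~crc;
}

/* Hypothetical MAC stage, out = (in * gain) >> 8 clamped to 12 bits; and_mask clears stuck-at-0 lines. */
uint32_t frame_signature(const uint16_t *in, unsigned gain, uint16_t and_mask) {
    uint16_t out[LINES];
    for (int i = 0; i < LINES; i++) {
        uint32_t v = ((uint32_t)in[i] * gain) >> 8;
        out[i] = (uint16_t)((v > 0x0FFFu ? 0x0FFFu : v) & and_mask);
    }
    return crc32_words(out, LINES);
}

/* Count single stuck-at-0 faults (one per line) exposed as a mismatch against the golden CRC. */
unsigned stuck_at0_detected(const uint16_t *pattern, unsigned gain) {
    uint32_t golden = frame_signature(pattern, gain, 0xFFFFu); /* fault-free reference */
    unsigned detected = 0;
    for (int line = 0; line < LINES; line++)
        if (frame_signature(pattern, gain, (uint16_t)~(1u << line)) != golden)
            detected++;
    return detected;
}

/* Constructed test frames: walking ones across the lines, and a flat black frame. */
const uint16_t WALKING_ONES[LINES] = {1, 2, 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048};
const uint16_t FLAT_BLACK[LINES] = {0};

int main(void) {
    printf("i=%u unity=%u half=%u black=%u\n", selftest_interval(300, 30),
           stuck_at0_detected(WALKING_ONES, 256), stuck_at0_detected(WALKING_ONES, 128),
           stuck_at0_detected(FLAT_BLACK, 256));
    return 0;
}
```

At unity gain (256) the walking-ones frame drives every output line, so each stuck-at-0 fault changes the signature; at half gain (128) the top line is never driven and its fault escapes, and a flat black frame exposes none.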


The value of i is calculated using equation (3) below:

$i = \lfloor (t_{FTTI} \times N)/1000 \rfloor - 1$ (3)

where
N = number of frames processed by the Imaging sub-system per second,
$t_{FTTI}$ = fault tolerant time interval in milliseconds.

So, if the Imaging sub-system needed to be run at a frequency $f_{orig}$, this would then translate into an additional clocking requirement, resulting in $f_{iss}$ given by the following equation:

$f_{iss} = f_{orig} \times (1 + 1/(i - 1))$ MHz (4)

Additionally, if the data used for processing was being picked from external memory, the external memory would also have an additional clocking requirement as indicated for the Imaging sub-system in equation (4) above.

IV. RESULTS

Figure 7 illustrates the percentage increase required in additional clocking requirement for the Imaging sub-system and external memory across various FTTI values used in ADAS applications.

Fig. 7. Additional clocking requirement (%age increase) for Imaging Sub-system and external memory vs FTTI

It is evident that the percentage increase in clocking requirement for the imaging sub-system and external memory decreases with increase in FTTI.

For a typical ADAS application with a fault tolerant time interval of 300ms and a 1080p30 YUV422 input capture, we can achieve a diagnostic coverage of > 90% through a hand-crafted test pattern that is run after every 8 frames of captured input at the cost of the following additional external memory bandwidth/clocking requirement.

Additionally, we see the following additional clocking requirements for the Imaging sub-system as given in equation (5):

$f_{iss} = 1.125 \times f_{orig}$ (5)

Table II indicates external memory requirements and other trade-offs of the proposed scheme.

TABLE II. EXTERNAL MEMORY REQUIREMENT AND OTHER TRADE-OFFS

Original external memory bandwidth requirement (KB):                              124416
Additional external memory bandwidth required due to software test pattern (KB):  16588.8, i.e. 13.33%
Area required on SoC:                                                             0
Fault coverage:                                                                   > 90%
At-speed:                                                                         Y
External tester?:                                                                 N

V. CONCLUSION AND FUTURE DIRECTION

In conclusion, we propose a new hand crafted test pattern technique that enables us to achieve the targeted diagnostic coverage for an imaging sub-system used in several functional safety critical camera based ADAS functions. This hand crafted test pattern technique can be run at-speed during the normal functional operating environment of the design using a time triggered approach, thereby providing the targeted diagnostic coverage for permanent and intermittent faults for the targeted ASILs.

Future steps in this direction will include detailed safety analyses, including fault injection, in order to confirm the estimated diagnostic coverage achievable by the use of the proposed software self-test mechanism.

VI. REFERENCES

[1] European Commission, March 2012, Newsletter 8: “Smarter transport systems mean safer roads”
[2] ISO 26262:2011, “Road vehicles – Functional safety,” 2011.
[3] H. Al-Asaad, B. T. Murray, and J. P. Hayes, “Online BIST for embedded systems,” IEEE Des. Test, vol. 15, pp. 17–24, October 1998.
[4] N. Kranitis, A. Paschalis, D. Gizopoulos, and G. Xenoulis, “Software based self-testing of embedded processors,” IEEE Trans. Comput., vol. 54, pp. 461–475, April 2005.
[5] L. Chen and S. Dey, “Software-based self-testing methodology for processor cores,” IEEE Trans. Computer-Aided Design Integr. Circuits Syst., vol. 20, no. 3, pp. 369–380, Mar. 2001.
[6] B. Kisacanin, “Automotive vision for advanced driver assistance systems,” VLSI Technology, Systems and Applications (VLSI-TSA), 2011 International Symposium on, pp. 1–2, 25-27 April 2011.
[7] IEC 61508:2010, “Functional safety of E/E programmable electronic safety-related systems.”
[8] Texas Instruments, “OMAP4470 Multimedia Device silicon: TRM”, http://www.ti.com/product/omap4470
