Written in conjunction with Arm
Every new vehicle model year brings new designs for digital instrument clusters. Digital clusters include safety content along with mechanisms to ensure that the electronics driving the display adhere to ISO 26262 ASIL B safety standards. These designs have served the purpose very well for the same safety content that was present with analog instrument clusters, which has primarily been telltales and gear position rendered by a smaller safety microcontroller. The safety mechanisms in place for current instrument cluster designs are on the display side and have been adequate for this safety content. Next-generation vehicle displays will start to incorporate more complex safety content based on sensor data, driven primarily by advanced driver assistance systems (ADAS) that provide the operator with real-time perception system feedback. An example of this might be a bounding box around a detected object or obstacle. This type of display will provide the driver with enhanced situational awareness.
To keep pace with the inevitable demand for more complex safety content, Arm is introducing its new high-performance Graphics Processing Unit (GPU) with a new Flexible Partitioning feature and added support from the safety software stack, VkCore Functional Safety Suite. Developed with support from Arm, CoreAVI brings to market a comprehensive suite of graphics and compute drivers and libraries that will be certifiable for use in ISO 26262 ASIL D applications, for Arm’s latest Mali-G78AE GPU IP. Complemented by safety-capable application processors, Mali-G78AE and VkCore Functional Safety Suite will provide the foundation for automotive Tier 1s and OEMs, enabling them to design safe cockpit HMIs with safety-capable GPU hardware acceleration. Next-generation vehicle HMIs built on this foundation of safety-capable hardware and software are what vehicle designers will use to build consumer confidence in ADAS and autonomous systems.
The automotive industry and the vehicle cockpit have gone through a similar evolution. Multifunction touchscreen displays have replaced the gauges and indicators of the past. High-performance SoCs are being used not only to convey basic information to drivers but also to achieve augmented vision and improved situational awareness in a human-machine interface (HMI) that allows the driver to visually interpret large amounts of disparate information. Similar to the evolution in the avionics industry, GPUs and related software drivers used in these high-reliability and safety-critical automotive systems will adopt more safety-qualified electronics over time. These new systems will be fit for purpose, designed to meet functional safety standards, and will enable deterministic computing (i.e. a sequence of states consistently provides the same output given the same input). Their software will be written in conformance with the MISRA-C guideline for safety-critical software, in accordance with safety standards such as ISO 26262.
Application use cases
A current trend in automotive is to consolidate multiple cockpit functions into a cockpit domain controller (CDC). A CDC is the platform where multiple traditional vehicle ECUs can consolidate as software workloads on a single ECU. Running safety and non-safety workloads alongside each other (mixed criticality) on a single system is another value proposition of a CDC. Provisioning workloads on a CDC with the appropriate resources to meet performance and safety requirements is always a challenge for a system architect. It is important to have the appropriate system quality of service (QoS) features for shared resources such as memory controllers and devices. Oftentimes, workloads that have deterministic compute deadlines may not have the luxury of sharing resources with other workloads. This is true for deterministic safety HMI workloads. The Arm Mali-G78AE Flexible Partitioning feature is an innovative feature that allows boot-time hardware separation of the GPU into 1, 2, or 4 appropriately sized GPUs. These GPUs can be allocated to the different workloads. In the example below, at boot time the Mali-G78AE GPU can be configured as 4 GPUs. One GPU can be allocated for safe rendering of the instrument cluster, the second GPU could be allocated for safe rendering of an augmented reality heads-up display (HUD), a third GPU could be allocated for safe compute supporting a driver monitoring system (DMS), and the fourth GPU could be allocated for the IVI OS such as Automotive Grade Linux (AGL) or Android Automotive.
Safe HMI architectures
Use cases for ISO 26262 ASIL B certified graphics are not new and are supported in existing designs. The integration of safety content with non-safety content on an instrument cluster is commonplace. In current systems, rendering may be performed by ASIL Quality Managed (QM) hardware and software. The safety mechanism in place is an ASIL B safety monitor that is used to confirm correct rendering and display of the safety content. The most common method to achieve this is using dedicated hardware in the display controller that generates a CRC for a small region of the screen. This CRC is compared with a reference CRC value supplied by the application. If they match, you know the QM graphics system is working correctly and the safety-related content is displayed correctly.
This approach works well for very simple content like telltales and drivetrain gear position. In these cases, the safety content is predictable in output and location, and is rendered in a dedicated screen area. Unfortunately, this approach does not scale well if these criteria are not met. Examples that would not meet these criteria are animated telltales, telltales over a custom background and new use cases on HMIs where safety content is dynamic. This will be common in future ADAS and autonomous perception systems that will communicate to the operator bounding boxes around objects detected and identified.
To support a scalable approach for the future, designs will transition to system architectures that support safety applications running on safety-qualified application cores. This will include graphics subsystems that are ASIL B qualified, i.e., safety-qualified GPU hardware and software drivers. This provides a foundation for limitless innovation in HMIs with ASIL requirements. User interfaces can be safely rendered with GPU acceleration in their proper domain (ASIL B or ASIL QM), and then the final HMI can be safely composited for safe display.
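The region CRC check described above, and the reason it stops scaling, as an added example that is not part of the original article or any Arm or CoreAVI code. The framebuffer size, the CRC-32 polynomial, the stand-in `render` function and all names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define FB_W 64   /* constructed framebuffer: 64x32 XRGB8888 pixels */
#define FB_H 32
typedef struct { int x, y, w, h; } region_t;

/* Bitwise CRC-32 (0xEDB88320); assumed here, real controllers differ. */
static uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n) {
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

/* CRC over one rectangular screen region, row by row, as scanned out. */
uint32_t region_crc(const uint32_t *fb, region_t r) {
    uint32_t crc = 0xFFFFFFFFu;
    for (int row = r.y; row < r.y + r.h; row++)
        crc = crc32_update(crc, (const uint8_t *)&fb[row * FB_W + r.x],
                           (size_t)r.w * sizeof(uint32_t));
    return ~crc;
}

/* Stand-in for the QM renderer: fill the background, then draw the icon. */
void render(uint32_t *fb, region_t r, uint32_t background, uint32_t icon) {
    for (int i = 0; i < FB_W * FB_H; i++) fb[i] = background;
    for (int y = 0; y < r.h; y++)
        for (int x = 0; x < r.w; x++)
            if ((x + y) % 3 == 0) fb[(r.y + y) * FB_W + r.x + x] = icon;
}

/* Safety monitor: 1 if the region matches the application's reference CRC. */
int monitor_ok(const uint32_t *fb, region_t r, uint32_t reference) {
    return region_crc(fb, r) == reference;
}

int main(void) {
    static uint32_t fb[FB_W * FB_H];
    region_t tt = { 8, 4, 16, 16 };                   /* telltale area */
    render(fb, tt, 0x00000000u, 0x00FF0000u);         /* golden frame */
    uint32_t ref = region_crc(fb, tt);
    fb[(tt.y + 2) * FB_W + tt.x + 2] ^= 0x00000100u;  /* corrupt one pixel */
    printf("corrupted pixel -> ok=%d\n", monitor_ok(fb, tt, ref));
    render(fb, tt, 0x00202020u, 0x00FF0000u);         /* same icon, new background */
    printf("new background  -> ok=%d\n", monitor_ok(fb, tt, ref));
    return 0;
}
```

The second check fails even though the icon is drawn correctly: every background, animation frame or position needs its own reference CRC, which is why this monitor suits only static content in a dedicated screen area.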
Safe HMI application development
Safety applications in avionics take advantage of GPU acceleration enabled by the OpenGL® Safety Critical (SC) API. The VkCore Functional Safety Suite for Mali-G78AE will support OpenGL SC 1.0.1, 2.0 and the Vulkan SC 1.0 API that is under development by the Khronos organization. At the moment, state-of-the-art vehicle HMIs take advantage of OpenGL ES and Vulkan APIs. Transition to safe rendering will be strictly for the safety content. HMI designers will take advantage of HMI tools that support a workflow allowing for tagging of certain data and/or surfaces for safety and non-safety rendering domains. The ecosystem of HMI tool partners will support workflows for an easy transition from ASIL QM HMIs to Safe HMIs that are composited safely with non-safety HMIs. Arm is very fortunate that its ecosystem of HMI partners includes, but is not limited to, the following:
Jason Lewis, Embedded Software Engineer at Altia, Inc. says:
“Software safety standards add significant value to software development, but they also add cost. Altia is well positioned to take advantage of Arm’s safe rendering innovations to reduce the cost and complexity of deploying safe HMI solutions.”
Xavier Fornari, Product Marketing Manager at ANSYS says:
“Working closely with industry leaders CoreAVI and Arm, Ansys is able to offer model-based qualified code generation technology in a complete solution stack for safe and certified embedded displays which require more safety critical & mission critical software in the context of ADAS and Autonomous vehicles.”
Christopher Giordano, Vice President UX/UI Technology of DiSTI Corporation says:
“We are excited about the impact Arm’s new Mali G78AE and VkCore Functional Safety Suite will have on the automotive industry. Having over 20 years of functional safety expertise, DiSTI was honored as a charter member of the Arm Automotive Developer Community with our GL Studio UI tool, which led the market as the first to certify to ISO 26262 ASIL D over five years ago. In conjunction with our recently renewed ASIL D certification, we look forward to continuing our long and successful collaboration with Arm and CoreAVI on their industry-leading GPU and Drivers release in an effort to bring cost-effective safety-critical UX/UI development to automotive OEMs and their suppliers.”
Jussi Lehtinen, CTO at Rightware says:
“Automotive systems are becoming more complex, while at the same time customer expectations for rich graphics and an intuitive user experience are growing. Standard, certifiable APIs such as OpenGL SC simplify migration to new systems and enable visualization of more advanced use cases when compared with systems relying solely on validation. Safe rendering allows seamless integration between ASIL and non-ASIL UI content and improves the user experience with richer graphics and smoother animation of dynamic content, ultimately driving HMI innovation.”
Partnerships in the aerospace world have been essential in meeting the ambitious requirements of safely flying millions and millions of people around the world each year. Technology has become so complex that no one company or entity can “know it all” or “do it all”. In the aerospace world, governments, Original Equipment Manufacturers (OEM) and a litany of suppliers work in close collaboration to achieve common goals. On the other hand, partnerships in the automobile industry have focused more on supply chain coordination than on harmony in the world of technology. As automotive systems become more autonomous and as artificial intelligence and machine learning become more pervasive, technology partnerships in the automotive world will become more commonplace. As an example, CoreAVI (in its role as a supplier of platform IP for safety critical applications) has formed partnerships throughout the avionics supply chain. CoreAVI’s work with Arm follows in this same tradition for the automotive market.
The shared history of airplane cockpits and automotive cockpits and the evolution of technology adoption is based upon the fundamentals of the interaction of humans and machines. As pilot/driver tasks become more complex and as safety becomes more important, technology is called upon to assist with achieving these goals. As technology becomes more complex, the certification processes associated with the development of these systems also, out of necessity, become more rigorous. These two markets (automotive and aerospace) have always learned from one another, but today’s technologies have become so sophisticated and operator “reliance” on these systems has become so pervasive that the sharing of knowledge and experience between automotive and aerospace is more important than ever.
Automotive platforms that support safe rendering, safe compute, safe compositing and safe display will enable the transition to safer application processing for HMIs and other use cases. Having a scalable, safety-certifiable hardware and software architecture with standards-based application APIs will become increasingly important for automotive UI designers responsible for communicating safety-relevant situational awareness information to vehicle operators. The technology and system design patterns using ASIL B capable hardware and software will help deliver safer system designs without limiting the pace of innovation. Arm is committed to fostering an ecosystem with open standards and the necessary hardware and software enablement for low-cost, scalable and safe automotive cockpit and vehicle electronics.