Intelligent connected vehicles have become a key trend leading future development. Among them, chips, as the core components of intelligent connected vehicles, have increasingly highlighted the importance of their functional safety and reliability. How to enhance their assurance has become a focal topic of concern in the industry.
Currently, the market scale of intelligent connected vehicles in China continues to expand, with infrastructure construction gradually improving. Many demonstration areas across the country are actively carrying out multidimensional and multi-scenario experimental verifications, providing strong support for technological innovation and product research and development. At the same time, enterprises are continuously increasing their R&D investment in fields such as autonomous driving, vehicle networking communication, and intelligent cockpits, achieving breakthroughs in various technologies and demonstrating a good momentum of industrial development.
On the afternoon of December 6, at the “Automotive Chip Functional Safety and Reliability Assurance Development Forum” during the 2024 Global Automotive Chip Innovation Conference, experts from the industry, including Ye Shengji, Chief Engineer of the China Automotive Industry Association, Cao Changfeng, Chief Engineer of Great Wall Motors, Wu Jun, Director of Connectivity and Safety Engineering at Aptiv, Shi Lei, Quality Director of Nexperia’s IC Solutions Division, Huang Zhongkai, PhD from the Key Laboratory of Electronics, Beijing Automotive Research Institute, and others, gathered to discuss the enhancement of automotive chip functional safety and reliability, contributing wisdom and solutions for improving the functional safety and reliability of automotive chips. This forum was hosted by Zhang Yao, head of the East China Branch of the Electronic Fifth Research Institute of the Ministry of Industry and Information Technology.
Zhang Yao, head of the East China Branch of the Electronic Fifth Research Institute of the Ministry of Industry and Information Technology (Moderator)
In his speech, Ye Shengji stated that the country attaches great importance to the independent research and development of automotive chips and technological innovation, aiming to enhance the global competitiveness of the industry and reduce dependence on foreign technology. However, domestic chips still face challenges in functional safety and reliability, especially in terms of stability in complex environments and testing verification technologies, showing a gap compared to international advanced levels.
Ye Shengji, Chief Engineer of the China Automotive Industry Association
In response, Ye Shengji proposed four suggestions. First, improve the standard system and strengthen innovation cooperation. The industry should actively participate in the formulation of functional safety standards, combine actual needs, form standards with independent intellectual property rights, and deepen cooperation between chip companies and automotive companies to ensure functional safety throughout the industrial chain; second, optimize the verification process and strengthen reliability monitoring. There should be increased investment in technology and equipment, and a sound verification system should be established to ensure chip stability in different scenarios through complex working condition simulations and strict testing, promptly eliminating hidden dangers; third, prepare for R&D and production to support mass production. During the R&D phase, follow the functional safety design process and use advanced tools; during production, strengthen quality management and process control to ensure chip quality and safety from the source; finally, Ye Shengji called for collaborative efforts across the industry to promote large-scale industrial development. Chip companies, automotive companies, and research institutions should integrate resources to jointly promote technological progress in functional safety and improve the industrial chain, enhancing the global competitiveness of China’s automotive industry.
Progress in Reliability Assurance and Quality Management
Cao Changfeng shared the efforts and achievements of Great Wall Motors in ensuring the reliability of domestically produced chips and stated that, thanks to the company’s continuous promotion of domestic substitution, the application rate of its domestically produced chips reached 17% in 2023.However, with the promotion of domestic chips, some challenges still exist, particularly the lack of uniformity in toolchains and software ecosystems, which not only increases R&D costs but also makes the reliability deficiencies of domestic chips pose greater difficulties for testing and verification.To address these issues, Great Wall Motors is actively exploring architectural solutions, attempting to adopt the RISC-V architecture to alleviate ecosystem fragmentation through standardized interfaces and improve system compatibility.
Cao Changfeng, Chief Engineer of Great Wall Motors
Today, in the field of automotive chips, functional safety and AEC-Q100 certification are regarded as core to ensuring chip reliability. In terms of functional safety reliability assurance, Great Wall Motors focuses on solving random and systematic faults, especially in addressing systematic faults, starting from chip IP selection, ensuring that the chosen IP version meets automotive standards, thus providing ample functional safety assurance for the chips.
In ensuring the functional safety and reliability of chips, Great Wall Motors pays special attention to resolving random and systematic faults, particularly in handling systematic faults. They start from chip IP selection, ensuring that the selected IP version meets automotive standards, thus providing reliable safety assurance for the chips from the source. In this process, AEC-Q100 certification has become a core requirement for ensuring chip reliability. Great Wall Motors emphasizes that reliability assurance for chips must cover the entire process from concept requirements to production, particularly strict management of temperature, humidity, aging processes, and DPPM indicators, ensuring that these standards far exceed those required for consumer-grade chips.
To further improve the reliability of domestically produced chips, Great Wall Motors has also established a scientific verification process and selection mechanism. This includes creating a domestic chip selection library, evaluating suppliers’ sustainability, and conducting verification and grading management. Through these measures, Great Wall Motors effectively ensures the quality and long-term supply capability of domestically produced chips, ensuring their stability and reliability in the entire vehicle.
With the rapid development of intelligent connected vehicle technology, quality management of automotive-grade analog chips has gradually become a focus of industry attention. Shi Lei stated that quality management of automotive-grade chips involves the entire lifecycle from design, manufacturing to mass production supply. Nexperia strengthens process monitoring and continuous reliability monitoring by combining functional safety with the Advanced Product Quality Planning (APQP) model, ensuring high quality and reliability of chips. In this process, Nexperia has established a comprehensive quality management system that closely links all aspects of design, manufacturing, and supply, forming a closed-loop management.
Shi Lei, Quality Director of Nexperia’s IC Solutions Division
During the design phase, Nexperia combines functional safety with the APQP model to ensure that chips have reliability and safety assurance during the design phase. In the manufacturing phase, they ensure process stability through Statistical Process Control (SPC), maintaining key process indicators within a reasonable range, particularly ensuring that the CpK value reaches above 1.67. During mass production, Nexperia conducts periodic sampling inspections of mass-produced products through a Continuous Reliability Testing (ORT) mechanism to verify their long-term reliability. If anomalies are found, the company will initiate the Material Review Board (MRB) mechanism for strict handling and, if necessary, halt shipments to prevent issues from escalating.
Functional Safety Design and Verification under Intelligent Automotive Architecture
In the design of intelligent automotive architecture, Wu Jun shared the concept of mixed functional safety level design for domain controllers.He emphasized that functional safety design should be deeply integrated into the development process to ensure that it can guarantee safety while achieving efficient and stable system development.Functional safety should not be viewed as an independent step; it should be a core part of product development. Delaying its handling may lead to increased costs and affect product quality.Therefore, Wu Jun pointed out that functional safety must proceed in sync with development, ensuring seamless connections at all stages.He particularly highlighted the important role of functional safety managers, who not only need to promote and coordinate projects but also ensure that safety objectives are implemented in design and development, optimizing overall design rather than merely completing formal tasks.
Wu Jun, Director of Connectivity and Safety Engineering at Aptiv
In design, Wu Jun mentioned numerous challenges faced by domain controllers, especially timing interference issues. Under the SOC architecture, the increase in software code volume significantly raises execution difficulty, often requiring hundreds of people to collaborate synchronously, making timing issues more complex. To address this challenge, functional safety requirements have also become stricter, imposing higher demands on the precision and coordination of design. Therefore, reasonable division of system functional safety levels is crucial, with the base, operating system, and underlying drivers needing to meet the highest safety requirements, while application parts are divided according to actual needs.
At the same time, Lü Zhiwei introduced the design requirements for functional safety of automotive chips in intelligent connected vehicles, particularly in power system design. He explained that the functional safety design of the power system stems from the needs of intelligent driving and chassis systems, aiming to ensure that all electronic systems can continue to operate stably in the event of power failure, thereby avoiding safety risks caused by power failures. In the design of redundant power supplies, the key is to clarify input requirements rather than fixed design forms. Intelligent driving systems typically require a D-level safety rating, while safety ratings for functions such as lane changing and parking vary.
Lü Zhiwei, Head of the Functional and Safety Technology Department of the Electronic and Electrical Architecture Division at Beijing Automotive Research Institute
Currently, communication chips play a crucial role in intelligent connected vehicles, as various controllers interact via protocols such as CAN, LIN, and ETH, which requires their design to comply with AutoSAR standards to ensure secure transmission and information security, covering aspects such as identity authentication and key management. Lü Zhiwei emphasized that all these requirements should be synchronized during the design phase to ensure the security of data transmission. Meanwhile, with the increasing complexity of functions, communication chips face higher functional safety and performance requirements. In addition to meeting communication security, communication chips also need to consider hardware security protection and electromagnetic interference (EMC) resistance.
As the technology of intelligent connected vehicles continues to develop, functional safety standards are also advancing. Recommended and mandatory standards involving hardware and software need to be strictly followed. Chips must possess high computing power, high safety ratings, low power consumption, and good scalability. All parties in the industry should work together to promote the design of chip functional safety, ensuring that chips can be efficiently and reliably applied in vehicle systems, driving the high-quality development of intelligent connected vehicles.
Huang Zhongkai introduced the automotive chip functional safety fault injection testing technology and emphasized its key role in verifying the integrity and accuracy of ISO 26262 functional safety levels. He pointed out that semiconductor manufacturers must introduce functional safety mechanisms according to standards to ensure that chips meet ASIL level requirements and verify them through functional safety testing and fault injection testing.
Huang Zhongkai, PhD from the Key Laboratory of Electronics
Fault injection testing can be divided into simulation-level and physical-level types, verifying safety mechanisms at different levels. Simulation-level testing mainly targets RTL/netlist-level designs, injecting tools to change simulation signals, simulating fault environments, verifying safety mechanism functions, and calculating diagnostic coverage. Physical-level testing focuses on verifying safety mechanisms in physical chips, especially when testing fault tolerance mechanisms and fault response times, ensuring that the system can still operate normally in the event of hardware failures.
Currently, the industry has various fault injection tools, such as Synopsys, Z01X, and Siemens Austemper, which support ISO 26262 and IEC 61508 standards, capable of testing permanent faults and transient faults, providing strong support for functional safety certification. As an important means of automotive-grade chip certification, fault injection testing ensures that chips have sufficient reliability and safety through the collaborative verification of simulation-level and physical-level tests, meeting the functional safety requirements of automotive electronic systems.
More Discussions on Chip Functional Safety Topics
In the functional safety design of automotive chips, Jin Xin emphasized the consistency between failure analysis and safety mechanism granularity.He believes that failure modes must align with safety concepts to ensure the practical significance of analysis results.According to ISO 26262-Part11 4.3.2 standards, for example, dual-core lock-step mechanisms can undergo overall analysis, while in the absence of safety mechanisms, hardware or software testing must be conducted, combined with fault injection, to assess failure modes and diagnostic coverage.Through this analysis, the goal is to accurately identify the coverage of failure modes to evaluate functional safety levels, ensuring the safety and reliability of onboard systems.
Jin Xin, Senior Engineer at the Certification Center of the Electronic Fifth Research Institute of the Ministry of Industry and Information Technology
Currently, chip failures can be divided into permanent faults (hard errors) and transient faults (soft errors). The calculation of their failure rates comes from multiple aspects, including supplier data, rework data, experimental testing data, and failure rate manuals. The calculations consider the failure rates of bare chips, packaging, and over-stress failure rates, which together constitute the total failure rate of the chip. The calculation of bare chips needs to consider various factors such as transistor count and manufacturing year. Jin Xin further mentioned that the task profile significantly impacts failure rate calculations. Different usage scenarios, temperatures, and switching frequencies can all affect failure rates, thus requiring a comprehensive assessment combining technological processes and temperature coefficients to ensure the accuracy of failure rate calculations, thereby providing a comprehensive evaluation of the reliability of onboard chips.
On the other hand, Lin Zhongyu introduced the design of a new generation of ASIL-D grade automotive high-precision battery management system (BMS) AFE chips. As a core component of the three-electric system in new energy vehicles, the BMS is responsible for monitoring key parameters such as the temperature, power, and current of the power battery, with the AFE chip being the only component that contacts high voltage and large current, bearing the important responsibility of ensuring the functional safety and performance of the entire vehicle. Lin Zhongyu pointed out that the design of AFE chips is complex and varies according to different vehicle models and requirements. Its built-in high-voltage sampling switch and analog-to-digital converter (ADC) can reuse battery voltage and temperature data, providing important support for the entire vehicle.
Lin Zhongyu, Senior Engineer at Zhongke Xin Integrated Circuit Co., Ltd.
Additionally, Wang Yu shared the current status of automotive electronic functional safety. Particularly in airbag systems, the safety requirements for detonation and mis-detonation are extremely stringent, requiring ASIL-D level compliance. To achieve this requirement, the airbag system design employs complex analog and digital functions, combined with self-checking functions to ensure prevention of misfire or improper activation. In the system design, a multi-layer watchdog mechanism is employed, referencing the EGAS concept, ultimately achieving ASIL-D level functional safety standards.
(Source: China Automotive Association Industry Development Department)
