Automotive safety isn’t a box you check. It’s not a feature. Safety is the whole point of autonomous vehicles. And it starts with a new class of computer, a new type of software and a new breed of chips.
Safety is designed into the NVIDIA DRIVE computer for autonomous vehicles from the ground up. Experts architect safety technology into every aspect of our computing system, from the hardware to the software stack. Tools and methods are developed to create software that performs as intended, reliably and with backups. Stringent engineering processes are developed to ensure no corners are cut.
“Safety-first” computer design is equal parts expertise, architecture, design, tools, methods and best practices. Safety needs to be everywhere — permeating our engineering culture.
Top Experts Agree – Xavier Is Architected for Safety
We didn’t stop there. We invited the world’s top automotive safety and reliability company, TÜV SÜD, to perform a safety concept assessment of our new NVIDIA Xavier system-on-chip (SoC). The 150-year-old German firm’s 24,000 employees assess compliance to national and international standards for safety, durability and quality in cars, as well as for factories, buildings, bridges and other infrastructure.
“NVIDIA Xavier is one of the most complex processors we have evaluated,” said Axel Köhnen, Xavier lead assessor at TÜV SÜD RAIL. “Our in-depth technical assessment confirms the Xavier SoC architecture is suitable for use in autonomous driving applications and highlights NVIDIA’s commitment to enable safe autonomous driving.”
Feeds and Speeds Built Around a Single Need: Safety
Let’s walk through what that means.
As the world’s first autonomous driving processor, Xavier is the most complex SoC ever created. Its 9 billion transistors enable Xavier to process vast amounts of data. Its GMSL (gigabit multimedia serial link) high-speed IO connects Xavier to the largest array of lidar, radar and camera sensors of any chip ever built.
Inside the SoC, six types of processors — ISP (image signal processor), VPU (video processing unit), PVA (programmable vision accelerator), DLA (deep learning accelerator), CUDA GPU, and CPU — process nearly 40 trillion operations per second, 30 trillion for deep learning alone. This level of processing is 10x more powerful than our previous generation DRIVE PX 2 reference design, which is used in today’s most advanced production cars.
These aren’t feeds and speeds we enabled just because we could. They’re essential to safety.
1 Chip, 6 Processors, 40 TOPS – Diversity and Redundancy Need Performance
Xavier is the brain of the self-driving car. From a safety perspective, this means building in diversity, redundancy and fault detection from end to end. From sensors, to specialized processors, to algorithms, to the computer, all the way to the car’s actuation — each function is performed using multiple methods, which gives us diversity. And each vital function has a fallback system, which ensures redundancy.
For example, objects detected by radar, lidar or cameras are handled with different processors and perceived using a variety of computer vision, signal processing and point cloud algorithms. Multiple deep learning networks run concurrently to recognize objects that should be avoided, while other networks determine where it’s safe to drive, achieving both diversity and redundancy. Different processors, running diverse algorithms in parallel, backing each other up, reduce the chance of an undetected single point of failure.
Xavier also includes many types of hardware diagnostics. Key areas of logic are duplicated and voted in hardware using lockstep comparators. Error-correcting codes on memories detect faults and improve availability. A unique built-in self-test helps to find faults in the diagnostics, wherever they may be on chip.
Xavier’s safety architecture was created over several years by more than 300 architects, designers and safety experts who analyzed over 150 safety-related modules. With Xavier, the auto industry can achieve the highest functional safety rating: ASIL-D.
Building for diversity and redundancy needed for safety demands a huge amount of extra processing. For self-driving cars, processing power translates to safety.
Measuring Up to the Highest Standards
Thousands of engineers writing millions of lines of code — how do we ensure Xavier does what we designed it to do?
We created DRIVE as an open platform so that the experts in the world’s best car companies can engage our platform to make it industrial strength. We also turned to TÜV SÜD, among the world’s most respected safety experts, who measured Xavier against the automotive industry’s standard for functional safety — ISO 26262.
Established by the International Organization for Standardization, the world’s chief standards body, ISO 26262 is the definitive global standard for the functional safety — a system’s ability to avoid, identify and manage failures — of road vehicles’ systems, hardware and software.
To meet that standard, an SoC must have an architecture that doesn’t just detect hardware failures during operation. It also needs to be developed in a process that mitigates potential systematic faults. That is, the SoC must avoid failures whenever possible, but detect and respond to them if they cannot be avoided.
TÜV SÜD’s team determined Xavier’s architecture meets the ISO 26262 requirements to avoid unreasonable risk in situations that could result in serious injury.
Our Journey to Zero Accidents
Inventing technology that will one day eliminate accidents on our roads is one of NVIDIA’s most important endeavors. We are inspired to tackle this grand computing challenge that will have great social impact.
We had to re-invent every aspect of computing, starting with the Xavier processor. We created processing power not for speed, but for safety. We benchmarked ourselves against the highest standards: ASIL-D and ISO 26262. And we engaged every expert — from the best car companies to TÜV SÜD — to test and challenge us.
The journey is long, but the destination is worth every step.