
New MCU functionalities in light of ISO 26262


Technology News |
By eeNews Europe



Safety aspects are not only relevant for new automotive systems such as advanced driver assistance systems but also for established systems, such as power steering, and even seemingly simpler systems, such as various lighting controls, to name just a few examples. When looking at such systems it soon becomes evident that a malfunction of such an E/E system could be a source of harm in the form of physical injury or damage to the health of persons. In late 2011 the ISO 26262 standard was released as a sector-specific functional safety standard for the automotive sector, intended for – but not limited to – E/E systems in series-production passenger cars. The objective of functional safety according to ISO 26262 is to circumvent potential harm to persons that could be caused by malfunctioning E/E systems. In this sense the standard defines functional safety as the "absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems".

The ISO 26262 standard distinguishes between two main categories of failures that can lead to malfunctioning behavior of E/E systems. One category covers systematic failures, which are defined as “related in a deterministic way to a certain cause that can only be eliminated by a change of the design or of the manufacturing process, operational procedures, documentation or other relevant factors”. Typical systematic failures are those caused by SW bugs, manufacturing defects, flawed system design, or similar. Systematic failures can originate in HW as well as in SW. By their nature, systematic failures typically show up across a broad share of a mass-produced product population. The other category covers random hardware failures, which are defined as occurring “unpredictably during the lifetime of a hardware element and that follows a probability distribution”. Typical random hardware failures are those caused by alpha particles, neutrons, or similar. Random hardware failures originate in hardware.

Addressing such systematic failures and random hardware failures involves three main types of measures: procedural measures that relate to the design and manufacturing lifecycle of the system, functional measures that provide dedicated services during run-time and structural measures that involve the physical layout and partitioning of the system. Table 1 lists typical procedural, functional and structural measures.

Table 1: Typical procedural, functional and structural measures.

The procedural measures are the main line of attack against both systematic SW failures and systematic HW failures. The reason for this is simple: procedural measures focus on avoidance and are therefore far more efficient than functional measures that are executed during run-time. Functional measures typically serve as the main means to address random HW failures. The same set of measures can also help to address residual systematic failures that remained undetected by the procedural measures. Combining HW processing redundancy with SW diversity and I/O monitoring often yields the best balance between the techno-economic constraints that must be met for commercial viability. Last but not least, structural measures are important to address spatial proximity failures and are often the key to limiting the amount of redundancy needed to address random HW failures.

In light of the needs of functional safety systems a new class of microcontrollers (MCUs) is emerging with an extensive offering of safety measures targeting the avoidance and control of systematic failures (i.e. failures potentially introduced during the design, development or manufacturing process) as well as the detection and control of random hardware failures (i.e. failures that can occur unpredictably and that follow a probability distribution).

  • From a procedural perspective these MCUs have been designed under special consideration of the requirements set forth in the ISO 26262 standard for the avoidance of systematic HW failures and offered with related collateral, such as FMEDA and the dependent failure avoidance measures and other relevant information documented in dedicated safety manuals.
  • From a functional perspective these MCUs offer integrated safety mechanisms for the computational infrastructure, such as dual-core lock-step execution of code, clock monitoring, power monitoring, ECC protection of RAM, ROM and interconnection structures, special considerations of peripheral I/O interfaces, etc.
  • From a structural perspective these MCUs provide special architectural considerations, such as partitioning of the die into separate lakes and column multiplexing of memory structures to improve the effectiveness of ECC.
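The structural point about column multiplexing can be shown in code. The following added example (not code from the article or from any Freescale product) implements a Hamming(12,8) single-error-correcting code and stores two encoded bytes in a 24-cell memory row either contiguously or bit-interleaved, then injects a two-cell adjacent upset: with interleaving each word sees only a single-bit error and ECC corrects both, whereas in the contiguous layout the same physical event produces an uncorrectable double-bit error in one word. The cell counts, row width and layout function are assumptions for illustration, not a description of any real MCU's memory.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hamming(12,8) SEC code: 8 data bits plus 4 parity bits at 1-based codeword positions 1,2,4,8;
 * DATA_POS maps data bit i to its codeword position (constructed example, no real part number). */
static const int DATA_POS[8] = {3, 5, 6, 7, 9, 10, 11, 12};

uint16_t hamming_encode(uint8_t data) {
    uint16_t cw = 0;
    for (int i = 0; i < 8; i++)
        if (data >> i & 1) cw |= 1u << (DATA_POS[i] - 1);
    for (int p = 1; p <= 8; p <<= 1) {           /* parity p covers positions whose index has bit p set */
        int parity = 0;
        for (int pos = 1; pos <= 12; pos++)
            if ((pos & p) && (cw >> (pos - 1) & 1)) parity ^= 1;
        if (parity) cw |= 1u << (p - 1);
    }
    return cw;
}

/* Syndrome = XOR of the positions of all set bits: 0 when clean, otherwise the flipped position. */
uint8_t hamming_decode(uint16_t cw) {
    int s = 0;
    for (int pos = 1; pos <= 12; pos++)
        if (cw >> (pos - 1) & 1) s ^= pos;
    if (s != 0 && s <= 12) cw ^= 1u << (s - 1);  /* correct a single-bit error */
    uint8_t data = 0;
    for (int i = 0; i < 8; i++)
        if (cw >> (DATA_POS[i] - 1) & 1) data |= 1u << i;
    return data;
}

/* Physical cell of codeword bit k of word w in a 24-cell row: words stored contiguously, or
 * bit-interleaved ("column multiplexed") so that neighbouring cells belong to different words. */
static int phys_pos(int w, int k, bool interleave) {
    return interleave ? 2 * k + w : 12 * w + k;
}

/* Store two bytes, upset the two adjacent cells j and j+1 (one particle strike hitting two
 * neighbouring cells), read back through ECC, and report whether both bytes came back intact. */
bool survives_burst(uint8_t da, uint8_t db, int j, bool interleave) {
    uint16_t cw[2] = { hamming_encode(da), hamming_encode(db) }, rd[2] = {0, 0};
    uint32_t row = 0;
    for (int w = 0; w < 2; w++)
        for (int k = 0; k < 12; k++)
            if (cw[w] >> k & 1) row |= 1u << phys_pos(w, k, interleave);
    row ^= 3u << j;                              /* adjacent two-cell upset */
    for (int w = 0; w < 2; w++)
        for (int k = 0; k < 12; k++)
            if (row >> phys_pos(w, k, interleave) & 1) rd[w] |= 1u << k;
    return hamming_decode(rd[0]) == da && hamming_decode(rd[1]) == db;
}
```

With the interleaved layout every even-numbered cell pair lands in two different words, so any two-cell upset is corrected; in the contiguous layout the same upset inside one word either is miscorrected or escapes correction.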

With these safety measures in place the dual-core lock-step MCUs typically follow the applicable ASIL-D requirements from the ISO 26262 and are therefore often referred to as “ASIL-D MCUs”. (This is strictly speaking incorrect as the ASIL D notation characterizes the specific safety related ability of the system, but not how it is achieved. Nevertheless, the industry has adopted this usage of ASIL and those savvy in the field of functional safety understand how it is meant.)

Dual-core lock-step MCUs do not alleviate the need to implement safety measures at SW level and at system level, such as sufficiently independent monitoring of output values calculated by the SW path. However, among other aspects, such as higher integration, these MCUs do offer a separation of concerns for validation. In solutions based on multiple single-core MCUs the ability to detect and control random hardware failures depends largely on the SW. Hence, demonstrating that the complete system meets the targets set forth by ISO 26262 requires at least knowledge of this SW, if not its complete development and integration.

For a dual-core lock-step MCU it is possible to verify and validate key functional safety related properties of the computational infrastructure at the hardware level independently from the SW, since the computational infrastructure is offered in an integrated form and represents an integrated safety mechanism. This is a significant benefit within the HW/SW co-design process. Furthermore, the separation of concerns facilitates faster location of issues. If the safety mechanisms monitoring the dual-core lock-step trigger, then the cause can most likely be attributed to random hardware failures at the HW level, while if the SW monitoring triggers, then the cause is most likely a fault at system level or a systematic fault within the SW.
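The diagnostic separation described above, as an added example that is not code from the article or from any MCU vendor: one control-loop step runs the same computation on both cores and compares the results (the lock-step comparator), then passes the agreed value through an independent SW plausibility monitor. A random HW fault is modelled by XOR-ing a bit mask into one core's result and only ever trips the comparator; a systematic SW bug (a missing clamp) makes both cores agree on an unsafe value, so only the output monitor catches it. The torque computation, its 0..1000 range and the function names are assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Outcome of one control-loop step as classified by the two independent mechanisms. */
typedef enum { STEP_OK, LOCKSTEP_MISMATCH, OUTPUT_IMPLAUSIBLE } step_result_t;

/* Hypothetical torque request: scaled sensor input that the spec clamps to 0..1000
 * (arbitrary units; this is a constructed example, not any real control algorithm). */
typedef int32_t (*compute_fn)(int32_t sensor);

static int32_t correct_torque(int32_t sensor) {
    int32_t t = sensor * 4;
    return t > 1000 ? 1000 : t;
}

/* Systematic SW fault: the clamp is missing, so both cores agree on an unsafe value. */
static int32_t buggy_torque(int32_t sensor) {
    return sensor * 4;
}

/* Lock-step step: both cores run the same code on the same input. A difference can only come
 * from a random HW fault in one core, modelled here by hw_fault_mask applied to core B's result.
 * The SW output monitor is the sufficiently independent plausibility check on the agreed value. */
step_result_t lockstep_step(compute_fn fn, int32_t sensor, uint32_t hw_fault_mask, int32_t *out) {
    int32_t core_a = fn(sensor);
    int32_t core_b = fn(sensor) ^ (int32_t)hw_fault_mask;
    if (core_a != core_b)
        return LOCKSTEP_MISMATCH;          /* HW-level safety mechanism fires: random HW failure */
    if (core_a < 0 || core_a > 1000)
        return OUTPUT_IMPLAUSIBLE;         /* SW/system-level monitor fires: systematic fault */
    *out = core_a;
    return STEP_OK;
}
```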

The dual-core lock-step MCU approach offers a potential availability advantage. In modern MCUs the core area is diminishing well below 5% of the overall MCU, while the MCU as a whole is typically allocated a budget of approximately 1% contribution to the Probabilistic Metric for random Hardware Failures (PMHF). Hence, the contribution of the core is, to a first approximation, in the region of 0.05%. However, certainty about the correct operation of the cores is key for any forward recovery technique implemented in SW to address the remaining 99.95% of contributions to the PMHF in order to maintain availability of the system. Additionally, the dual-core lock-step MCU provides an appropriate infrastructure to implement multiple sufficiently independent channels. The need for such channels can typically arise from ASIL decomposition (as laid out in ISO 26262 Part 9, clause 5) and coexistence (as laid out in ISO 26262 Part 9, clause 6).

Freescale has summarized its initiatives to support the functional safety needs of the market under the SafeAssure brand. It covers safety support, safety hardware, safety software and a safety process to ensure that procedural aspects are covered adequately during the development phase of the various products. The objective is to reduce the time and complexity required to develop safety systems that comply with the ISO 26262 and IEC 61508 standards and to simplify the process of system compliance, with solutions designed to address the requirements of the specific automotive and industrial functional safety standards.

The lead product of the SafeAssure brand is the Qorivva MPC5643L 32-bit MCU that is centered on a dual-core lock-step architecture with error correction coding on RAM and flash memory. A set of dedicated safety measures allows deployment in a variety of functional safety related systems, including electric power steering, active suspension, anti-lock braking systems and radar-based advanced driver assistance systems (ADAS). The MPC5643L is the first microcontroller to achieve a formal ISO 26262 certificate for ASIL D functional safety capability by an independent third-party accredited certification body. It is suitable for use for all automotive safety integrity levels (ASIL), up to and including the most stringent level, ASIL D.

In light of advanced driver assistance systems and the electrified vehicle, in which most functions operate under the control of SW, the need for functionally safe systems is growing at a rapid pace. The ISO 26262 standard has set the bar for the automotive industry. While the standard provides normative guidance for the key functional safety related attributes and properties of such systems it still facilitates significant degrees of freedom in how functional safety is achieved. This poses interesting challenges for the HW/SW co-design of such systems. Emerging dual-core lock-step MCUs offer an encapsulated computational infrastructure with numerous beneficial properties. Technical details on the SafeAssure program as a whole and on the MPC5643L in particular are available at https://www.freescale.com/safeassure.

About the author: Dr. Christopher Temple has been leading Freescale Semiconductor’s Automotive Systems Technology team in Munich, Germany since 2004. With a focus on emerging systems technology the team is responsible for developing and contributing to opportunities across the automotive segments body, chassis & safety and powertrain with a focus on functional safety and in-vehicle networking. Dr. Temple has been active in the field of functional safety in general and distributed dependable systems in particular since 1995. At Freescale he is a Managing Member of Technical Staff and Distinguished Innovator.
