
Solutions for Safety Critical Automotive Applications

Technology News |
By eeNews Europe



1. Introduction

Over the last few years, automotive electronic systems have become a dominant factor in defining the driving experience of modern vehicles. Increasingly, automotive electronic systems need to fulfill functional safety requirements not only in active and passive safety systems, but also in chassis, powertrain and body applications. In this context, functional safety is often considered as the part of the overall safety relating to the equipment under control (EUC) and the EUC control system which depends on the correct functioning of the electronic system.

The new MPC564xL from Freescale is a microcontroller family optimized for safety-relevant applications such as electric power steering, vehicle stability control and driver assistance. It combines an industry-leading functional safety architecture with new levels of performance and flexibility.

What do electronic stability control, power steering and adaptive cruise control have in common? Designing such systems while meeting state-of-the-art functional safety requirements can be a pretty challenging job for system designers. Application functions increase in number and complexity, development cost pressure is high and time to market is shortening.

Design engineers targeting safety critical applications with complex control algorithms have a seemingly wide range of system architectures to choose from. However, most of the microcontroller solutions existing today either lack the flexibility to support varying functional safety concepts or require significant effort in terms of safety software. Additional software in turn adds complexity and increases the probability of systematic failures.

As a consequence, the following mantra has been established for the development of the Freescale MPC564xL family of dual core microcontrollers:

  • Be Efficient – provide the highest level of performance, but do more with less: lower clock rates and intelligent peripheral coordination
  • Be Flexible – build a dual core concept that supports multiple safety architectures and allows the user to balance performance and safety levels
  • Be Safe – generate a safety concept which is ASIL_x certifiable and reduces software complexity by putting key safety elements and self-tests in hardware.

2. Functional Safety Concept

2.1 Industry Trends

Driven by the introduction of higher value functions in cars and the continuous trend to vehicle electrification, safety critical functions are increasingly carried out by programmable electronic systems rather than mechanical components. The complexity of these systems makes it impossible to fully determine all potential failure modes or to test all possible behavior.

Consequently, the challenge for system engineers is to architect control units in such a way that dangerous failures are prevented or at least sufficiently controlled when they occur. Dangerous failures may arise from:

  • Random hardware failure mechanisms
  • Systematic hardware failure mechanisms
  • Software errors
  • Common cause failures

Being a challenge for electronic control unit design, these failure modes are also specifically relevant for complex components such as microcontrollers.

Therefore, industry standards such as the upcoming ISO26262 specify four safety integrity levels, each corresponding to a range of target likelihoods of failure of a safety function.

2.2 Freescale Safety Concept Fundamentals

Freescale can look back on more than a decade of design experience in dual core controller technology for safety critical applications. Aiming for a holistic safety concept for its latest dual core processor families, third-party functional safety experts were engaged to monitor and assess the concept implementation as well as the design processes.

On this basis, the MPC564xL family was developed. The focus was on:

Measures against single point faults

Single point faults can be immediately critical for system safety functions and typically require fast detection. Typical examples of such faults are bit flips in cores or memories induced by external influences such as radiation or electromagnetic interference. The minimum requirement is the detection of these faults within the system safety time, which typically ranges between 1 ms and 30 ms in automotive applications.

As the key measure against single point faults, the MPC564xL family introduces a so-called ‘sphere of replication’ which allows the user to run key elements of the microcontroller in dual core lockstep mode.

Measures against latent faults

Latent faults are typically ‘hidden’: even after they have occurred, these faults do not yet compromise system safety functions. An example is a fault in the ECC logic for memory error detection/correction. It would only become critical when a memory bit flip (e.g. in a Flash module) occurs and consequently can no longer be detected/corrected.

The MPC564xL controller architecture offers hardware self test (BIST) mechanisms for detection of this fault category. These tests exercise the microcontroller's logic elements with a coverage of 90% and higher. Hence, potential latent faults can be identified even when the actual application is not triggering all hardware blocks.

Measures against common cause faults (CCF)

Common cause faults may result from the fact that redundant elements of the MPC564xL architecture still share a common die. Typical examples are system clock or power supply issues which can influence chip-internal blocks in a similar way and potentially cause identical failures. Consequently, in lockstep mode, where both channels of the ‘sphere of redundancy’ execute the same software, such faults would not be detected by the comparison alone.

The MPC564xL family provides hardware blocks for detection of clock deviations as well as hardware monitors for main voltages, e.g. internal core voltage, Flash supply voltage etc.

2.3 Sphere of replication

The ‘sphere of replication’ is the logical part of the MPC564xL device architecture which can be configured to run in a ‘lockstep mode’. Lockstep mode means that this part of the controller runs the same set of operations at the same time in parallel. The outputs from lockstep operations are compared via so-called redundancy checking units (RCU). These units determine whether there has been a fault. In the fault case, an error signal is forwarded to a separate hardware block, the Fault Collection and Control Unit.

In the past the principle of replication and lockstep mode was predominantly used for the cores. This allowed an exceptionally fast response to core faults, typically within a couple of clock cycles.

The MPC564xL family is going one step further and adds other key hardware blocks to the ‘sphere of replication’. Main elements are:

  • Crossbar including memory protection units
  • Interrupt Controller
  • DMA Unit
  • Software Watchdog Timer

Figure 1: MPC564xL Extended Sphere of Redundancy.

2.4 Memory ECC

The ECC scheme implemented for the MPC564xL family corrects all single-bit errors, detects all dual-bit errors and detects several faults affecting more than two bits. ECC calculation does not impact the performance of the device.

Specifically for SRAM, the address information is included in the calculation and evaluation of ECC. This allows the detection of potential addressing faults in RAM arrays. Dual or multi-bit faults are forwarded to the Fault Collection and Control unit.
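To make the address monitoring concrete, here is an added illustration written for this article (it is not Freescale's ECC logic, whose exact code and bit layout are not published here): a SECDED Hamming code computed over 8 data bits plus the 8-bit word address. Only the data and the check bits are stored; on read, the requester's address is folded back into the check, so a word delivered from the wrong address fails even though its own data and check bits are intact. The 8/8 split, the `mem_cell_t` layout and the status codes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not the MPC564xL implementation: SECDED Hamming code over
 * (data, address). Hamming positions 1..21 hold 16 message bits and 5 parity
 * bits; one extra overall parity bit turns SEC into SECDED. */
#define CODE_POS 21

typedef struct {
    uint8_t data;
    uint8_t check;   /* bits 0-4: parity at positions 1,2,4,8,16; bit 5: overall parity */
} mem_cell_t;

typedef enum {
    ECC_OK,
    ECC_CORRECTED_DATA,    /* one data bit flipped and corrected */
    ECC_CORRECTED_CHECK,   /* one check bit flipped, data intact */
    ECC_ADDRESS_FAULT,     /* syndrome points into the address field: wrong word delivered */
    ECC_UNCORRECTABLE      /* two or more bits affected */
} ecc_status_t;

static bool is_pow2(unsigned x) { return x && !(x & (x - 1)); }

/* Hamming position (1..21) -> message bit index 0..15, or -1 for parity positions.
 * Message bits 0-7 are data, 8-15 are the address. */
static int msg_index(unsigned pos) {
    int idx = 0;
    for (unsigned p = 1; p <= CODE_POS; p++) {
        if (is_pow2(p)) continue;
        if (p == pos) return idx;
        idx++;
    }
    return -1;
}

/* Place data and address bits into the non-power-of-two codeword positions. */
static uint32_t layout(uint8_t data, uint8_t addr) {
    uint16_t msg = (uint16_t)((addr << 8) | data);
    uint32_t cw = 0;
    for (unsigned p = 1; p <= CODE_POS; p++) {
        int i = msg_index(p);
        if (i >= 0 && ((msg >> i) & 1)) cw |= 1u << p;
    }
    return cw;
}

/* XOR of the positions of all set bits: zero for a valid codeword. */
static unsigned syndrome(uint32_t cw) {
    unsigned s = 0;
    for (unsigned p = 1; p <= CODE_POS; p++)
        if ((cw >> p) & 1) s ^= p;
    return s;
}

static unsigned parity(uint32_t x) { unsigned c = 0; while (x) { c ^= 1; x &= x - 1; } return c; }

/* Write path: check bits derive from data AND address; the address is not stored. */
mem_cell_t ecc_write(uint8_t data, uint8_t addr) {
    uint32_t cw = layout(data, addr);
    unsigned s = syndrome(cw);          /* parity bit p is set when bit p of s is set */
    uint8_t check = 0;
    for (unsigned k = 0; k < 5; k++)
        if (s & (1u << k)) { check |= 1u << k; cw |= 1u << (1u << k); }
    if (parity(cw)) check |= 1u << 5;   /* overall parity over positions 1..21 */
    mem_cell_t cell = { data, check };
    return cell;
}

/* Read path: the requester supplies the address it asked for. */
ecc_status_t ecc_read(mem_cell_t cell, uint8_t addr, uint8_t *out) {
    uint32_t cw = layout(cell.data, addr);
    for (unsigned k = 0; k < 5; k++)
        if (cell.check & (1u << k)) cw |= 1u << (1u << k);
    unsigned s = syndrome(cw);
    unsigned overall = parity(cw) ^ ((cell.check >> 5) & 1);  /* 1 => odd number of flips */
    *out = cell.data;
    if (s == 0 && overall == 0) return ECC_OK;
    if (overall == 0) return ECC_UNCORRECTABLE;   /* even flip count with non-zero syndrome */
    if (s == 0) return ECC_CORRECTED_CHECK;       /* only the overall parity bit flipped */
    if (s > CODE_POS) return ECC_UNCORRECTABLE;   /* syndrome outside the codeword */
    int i = msg_index(s);
    if (i < 0) return ECC_CORRECTED_CHECK;
    if (i >= 8) return ECC_ADDRESS_FAULT;         /* "correcting" an address bit is not allowed */
    *out = cell.data ^ (uint8_t)(1u << i);
    return ECC_CORRECTED_DATA;
}

int main(void) {
    mem_cell_t c = ecc_write(0xA5, 0x10);  /* constructed sample word at address 0x10 */
    uint8_t out;
    printf("same address: status %d, data 0x%02X\n", ecc_read(c, 0x10, &out), out);
    printf("wrong address 0x11: status %d\n", ecc_read(c, 0x11, &out));
    return 0;
}
```

The edge case worth noting is an address that differs from the intended one in a single bit: to a plain SECDED decoder this looks like a correctable single-bit error, so the decoder must refuse to "correct" anything that lands in the address field and must report it as an addressing fault instead, which is what the `i >= 8` branch does.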

Figure 2: MPC564xL ECC scheme with SRAM address monitoring

2.5 Voltage and Clock monitoring

Voltage monitoring capabilities are an important aspect of the design and implementation of safety critical systems. In order to simplify ECU power supply design and avoid additional failure sources with regard to power sequencing, the MPC564xL family builds on a 3.3 V single supply voltage concept.

A Power Management Unit (PMU) manages supply voltages for all modules on the device and provides respective on-chip monitors for low and high voltage detection. The fault indicators of these monitors are forwarded to the Fault Collection Unit and to the Reset Generation Unit.

MPC564xL voltage monitors are testable. Over/under voltage detectors for the internally generated core voltage provide a hardware-assisted self test. The test needs to be initiated by software during the boot process. Voltage monitoring during runtime is done in background without further software interaction.

For ISO26262 certifiable systems, monitoring of clock signals is mandatory. The MPC564xL family uses a specific Clock Monitoring Unit (CMU) for supervision of clock source integrity.

Dedicated clock monitors are used for key elements of the microcontroller such as the ‘Sphere of replication’, peripherals for motor control and communication blocks such as the FlexRay module.

Clock faults are signaled to the Fault Collection Unit. In order to guarantee independence of the Fault Collection Unit in case other clock sources are erroneous, the module can run on a separate internal 16 MHz RC clock.

2.6 Built-in Selftest

Aiming at hardware solutions rather than software self test mechanisms, the MPC564xL device architecture provides various Built-in Self Test (BIST) functions.

An automatic device BIST is performed with every boot sequence, for example. The test is completed while the microcontroller is still in the RESET phase. Hence, the application boot process and startup software are not affected. The application software will only start when this initial self test has finished without detection of a fault.

2.7 Fault Collection and Management

The Fault Collection Unit is a central element of the MPC564xL functional safety architecture. This hardware module is intended to simplify controller-level fault reporting and management in safety-critical applications. It offers a redundant hardware channel which allows controlled transitioning of the device into a safe state when a critical failure is present. No CPU intervention is required for this operation.

The Fault Collection Unit can handle controller-internal fault signals and allows the user to select how different fault signals will be treated.

The Fault Collection Unit logic is checked at start-up by a self-test procedure, immediately after the unit becomes active with its default configuration.

For external failure signaling the FCU provides two bidirectional signals.

In order to guarantee FCU independence in case other controller modules or the main core malfunction, the module runs on a separate internal 16 MHz RC clock. Hence, a deterministic computation of output signals and time outs is guaranteed.
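The following added model ties together the sphere of replication from section 2.3 and the fault collection described in this section. It is illustration code written for this article, not Freescale's RTL or driver code: two replicated channels run the same computation, a redundancy checking unit compares their outputs every cycle, and a mismatch is signaled to a fault collection unit that applies a per-fault, user-selected reaction with no software in the path. The same model also shows the common cause limitation from section 2.2: an identical upset on both channels passes the comparison, which is why the clock and voltage monitors feed the same unit. The fault identifiers, reaction names and the toy control step are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added model, not the MPC564xL implementation: lockstep sphere, RCU and FCU. */

/* Fault signals the FCU accepts (assumed names for the example). */
typedef enum { FAULT_RCU_MISMATCH, FAULT_ECC_MULTIBIT, FAULT_CLOCK, FAULT_COUNT } fault_id_t;

/* User-selectable treatment of each fault signal (assumed names). */
typedef enum { REACT_IGNORE, REACT_ERROR_OUT, REACT_SAFE_STATE } fcu_reaction_t;

typedef struct {
    fcu_reaction_t reaction[FAULT_COUNT];  /* configured per fault signal */
    unsigned latched;                       /* bitmask of fault signals seen so far */
    bool error_out;                         /* external error signaling pin asserted */
    bool safe_state;                        /* device forced into its safe state */
} fcu_t;

/* Default configuration: every fault drives the device into the safe state. */
void fcu_init(fcu_t *f) {
    f->latched = 0;
    f->error_out = false;
    f->safe_state = false;
    for (int i = 0; i < FAULT_COUNT; i++) f->reaction[i] = REACT_SAFE_STATE;
}

/* Hardware path: nothing but the configured reaction sits between signal and effect. */
void fcu_signal(fcu_t *f, fault_id_t id) {
    f->latched |= 1u << id;
    if (f->reaction[id] == REACT_IGNORE) return;
    f->error_out = true;                              /* both remaining reactions drive the pin */
    if (f->reaction[id] == REACT_SAFE_STATE) f->safe_state = true;
}

/* The replicated computation: a toy control step, deterministic per input. */
static uint32_t control_step(uint32_t state, uint32_t input) {
    return state * 3u + input;   /* wraps mod 2^32 identically on both channels */
}

typedef struct { uint32_t state[2]; } sphere_t;   /* channel 0 and channel 1 */

/* One lockstep cycle. inject[k] is XORed into channel k's state to model a
 * transient upset (a single point fault when only one channel is hit, a common
 * cause fault when both get the same mask). Returns true when the RCU saw agreement. */
bool lockstep_cycle(sphere_t *s, uint32_t input, const uint32_t inject[2], fcu_t *fcu) {
    uint32_t out[2];
    for (int k = 0; k < 2; k++)
        out[k] = control_step(s->state[k] ^ inject[k], input);
    if (out[0] != out[1]) {                  /* RCU: channels disagree -> fault to FCU */
        fcu_signal(fcu, FAULT_RCU_MISMATCH);
        return false;
    }
    s->state[0] = s->state[1] = out[0];
    return true;
}

int main(void) {
    fcu_t fcu; fcu_init(&fcu);
    sphere_t sphere = {{7u, 7u}};            /* constructed starting state */
    uint32_t none[2] = {0, 0}, single[2] = {0x10u, 0}, ccf[2] = {0x10u, 0x10u};
    printf("clean cycle agrees: %d\n", lockstep_cycle(&sphere, 5u, none, &fcu));
    printf("single point fault detected: %d, safe state %d\n",
           !lockstep_cycle(&sphere, 5u, single, &fcu), fcu.safe_state);
    fcu_init(&fcu);
    printf("common cause fault slips through RCU: %d\n", lockstep_cycle(&sphere, 5u, ccf, &fcu));
    return 0;
}
```

The `ccf` case is the instructive one: both channels compute the same wrong result, the comparator is satisfied, and the corrupted state is committed. Only an independent monitor (clock, voltage) raising `FAULT_CLOCK` or similar into the FCU catches that class, which is also why the model keeps the FCU's reaction table separate from the RCU.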

3. Summary

The trend is alive! Specifically in the automotive chassis and safety domain application functions increase in number and complexity, development cost pressure is rising and time to market is shortening. Microcontroller features which help the designer to focus on the actual application and simplify challenges like safety concept development and certification are a clear added value for ECU architects.

Freescale has developed the MPC564xL family feature set to match these market requirements. A groundbreaking dual core concept gives the designer flexibility in the choice of the system safety architecture and allows optimal balancing of performance and safety requirements with a single controller family.

About the author: Marc Osajda is Global Automotive Strategy Manager for Freescale Semiconductor.