Implementation of safety measures is on the rise in today’s automotive world in order to minimize the hazards in case of system malfunction. Today’s automobiles run various safety critical applications like ABS, electronic power steering, air bag sensors, Radar sensing, and other chassis related applications. All these safety critical automotive operations need compliance with ISO 26262 (ASILx) and IEC 61508 (SILx) standards as their safe operation is directly linked to human and social safety.
This article discusses the key functional safety features present in modern semiconductor devices, allowing customers to run safety relevant tasks in their applications. Later we will give some examples using Freescale Semiconductor devices such as the MPC5675K, MPC5643L, and MPC574xx.
Functional safety requirements
Functional safety is related to minimizing the hazards resulting from a faulty system. The faults in a system may occur because of hardware/software errors, permanent/transient errors, or because of random/systematic errors. The following are the possible reactions when an error occurs:
- Fail-dangerous: Possibly causes a hazard in the case of a failure
- Fail-inconsistent: Provided results will be noticeably inconsistent in the case of a failure
- Fail-stop: Completely stops itself in the case of a failure
- Fail-safe: Returns to or stays in a safe state in the case of a failure
- Fail-operational: Continues to work correctly in the case of a failure
- Fail-silent: Will not disturb anyone in the case of a failure
- Fail-indicate: Indicates to its environment that it has failed
The implementation of functional safety in a system typically means "mapping" the first three types of reaction above into any of the last four reactions, which ensures that a system failure results in minimal hazard.
The next section discusses various functional safety implementations available in system-on-chips (SoCs) that allow device operation in any of the last four reactions listed above in case of system failure.
General safety implementation
Before discussing the key modules related to functional safety, let us first briefly discuss general industry standard implementations:
1) Checker core:
Ensuring safe operation of the core in an SoC is one of the prime requirements for functional safety. Generally, this is taken care of by implementing a checker core which executes the same instructions as the main core; the address and data buses from the two cores are compared in a checker unit to detect operational deviations. Depending on the nature of the error, the system may generate a reset or a maskable/non-maskable interrupt. From a software viewpoint, the system behaves as a single core. (See figure 1 below for a block diagram.)
Apart from the core, other safety relevant modules like eDMA (enhanced direct memory access), the interrupt controller, cache, RAM, etc. can be similarly replicated in the system, maintaining physical separation on the die so that common cause faults (CCFs) do not affect the operation of both modules in the same way.
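A minimal model of the checker-core arrangement, added here as an illustration (it is not Freescale's implementation): a tiny accumulator "core" runs a constructed four-instruction program twice, once as the main core and once as the checker core, and a checker unit compares their address and data buses every cycle. A fault injected on only the checker's data bus is caught in the same cycle; the same fault injected into both cores (a common cause fault) passes the comparison undetected, which is why the text insists on physical separation on the die. The instruction set, the program and the fault model are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy instruction set: every instruction drives one bus
 * transaction (fetch address, accumulator value, write strobe). */
typedef enum { OP_LOAD, OP_ADD, OP_STORE } opcode_t;
typedef struct { opcode_t op; uint32_t operand; } insn_t;
typedef struct { uint32_t addr; uint32_t data; bool write; } bus_t;
typedef struct { uint32_t acc; uint32_t pc; uint32_t mem[8]; } core_t;

/* Fault injected on a core's data bus at one cycle (assumed fault model). */
typedef struct { int cycle; uint32_t data_xor; bool hit_main; bool hit_checker; } fault_t;

/* Execute one instruction and return the bus activity it produced. */
static bus_t core_step(core_t *c, const insn_t *prog)
{
    const insn_t *i = &prog[c->pc];
    bus_t b = { c->pc, 0, false };
    switch (i->op) {
    case OP_LOAD:  c->acc = c->mem[i->operand]; break;
    case OP_ADD:   c->acc += i->operand; break;
    case OP_STORE: c->mem[i->operand] = c->acc; b.write = true; break;
    }
    b.data = c->acc;
    c->pc++;
    return b;
}

/* Checker unit: run main and checker cores in lockstep and compare their
 * address/data/write signals each cycle. Returns the first cycle at which
 * the buses diverge, or -1 if the cores agree for the whole run. */
int run_lockstep(const insn_t *prog, int ncycles, const fault_t *f)
{
    core_t main_c = {0}, chk_c = {0};
    main_c.mem[0] = 7; chk_c.mem[0] = 7;     /* constructed initial memory */
    for (int cyc = 0; cyc < ncycles; cyc++) {
        bus_t a = core_step(&main_c, prog);
        bus_t b = core_step(&chk_c, prog);
        if (f && f->cycle == cyc) {
            if (f->hit_main)    a.data ^= f->data_xor;
            if (f->hit_checker) b.data ^= f->data_xor;
        }
        if (a.addr != b.addr || a.data != b.data || a.write != b.write)
            return cyc;                      /* deviation -> reset or NMI */
    }
    return -1;
}

/* Constructed program: acc = mem[0]; acc += 5; mem[1] = acc; acc += 1 */
static const insn_t demo_prog[] = {
    { OP_LOAD, 0 }, { OP_ADD, 5 }, { OP_STORE, 1 }, { OP_ADD, 1 },
};
#define DEMO_CYCLES 4

/* Same bit flip, once on the checker only and once on both cores. */
static const fault_t checker_only_fault = { 1, 0x1, false, true };
static const fault_t common_cause_fault = { 1, 0x1, true, true };

int main(void)
{
    printf("no fault:           mismatch at cycle %d\n",
           run_lockstep(demo_prog, DEMO_CYCLES, NULL));
    printf("checker-only fault: mismatch at cycle %d\n",
           run_lockstep(demo_prog, DEMO_CYCLES, &checker_only_fault));
    printf("common-cause fault: mismatch at cycle %d\n",
           run_lockstep(demo_prog, DEMO_CYCLES, &common_cause_fault));
    return 0;
}
```

The third line of output is the important one: a comparator can only flag a difference between the two cores, so any fault that reaches both identically (shared clock glitch, shared power rail, neighbouring logic on the die) is invisible to it, and the replication only helps when the two copies are kept physically and electrically apart.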
2) Safe clock mechanism:
In order to keep the system independent of external clocks during safe operation, Freescale automotive SoCs implement a safe clock. This safe clock is provided by an internal RC (IRC) oscillator which is available as soon as the device comes out of reset. The availability of this clock ensures that the system has a clock to operate on even if the internal PLL fails for some reason. For the same reason, all the safety critical modules should run only on the safe clock. The IRC oscillator is trimmable to maintain clock consistency across PVT (process, voltage, and temperature).
3) ECC implementation in memory:
All memory storage operations can be protected by implementing ECC (error correction code) with SECDED (single error correct and double error detect) at a Hamming distance of 4. The ECC is computed over the data, address, and control signals and is stored along with the data in the memory during writes. When a read operation is initiated, the ECC is re-calculated from the address, data, and control signals and is verified against the stored ECC.
Key safety implementation
Let us now discuss in depth the key safety features available on some Freescale devices meant for automotive safety applications.
End-to-end ECC (E2EECC) protection
In Freescale MPC574x devices, for instance, instead of the general ECC implementation, there is an E2EECC implementation which allows detection of data corruption on all data paths between the "masters" and any "client" with at least 99% coverage. The mechanism is as follows:
- Data from the masters is encoded using ECC-SECDED code. This data encoding includes coverage of addressing information.
- At the client side, the control signals and address decoding are monitored to verify the correctness of data initiated from master.
The above approach ensures that data corruption occurring on the data paths does not go undetected. A central Memory Error Management Unit (MEMU) in the system collects and reports error events associated with the ECC logic used on SRAM, peripheral system RAM, and flash memory. When any correctable (single-bit ECC) or uncorrectable (multiple-bit ECC) error occurs, the MEMU receives an error signal which causes an event to be recorded and the corresponding error flags to be set and reported to the FCCU (fault collection and control unit).
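The SECDED code described under "ECC implementation in memory" above and the master-to-client address coverage of E2EECC, worked through as one added example in C. This is not Freescale's code: it uses a Hamming(21,16) code plus an overall parity bit (Hamming distance 4) over a constructed 16-bit payload of 8 address bits and 8 data bits, and the MEMU counters and FCCU flag are simplified assumptions rather than the MPC574x register-level behaviour. It shows a single-bit flip being corrected, a double-bit flip being reported as uncorrectable, and a codeword delivered to the wrong client address being rejected because the address was part of the protected payload.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed widths: 8 address bits + 8 data bits protected together. */
#define PAYLOAD_BITS 16
#define CHECK_BITS   5                           /* 2^5 >= 16 + 5 + 1 */
#define CODE_LEN     (PAYLOAD_BITS + CHECK_BITS) /* code positions 1..21 */

typedef enum { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = -1 } ecc_status_t;
typedef struct { unsigned correctable, uncorrectable; bool fccu_fault; } memu_t;

static bool is_pow2(unsigned x) { return x && !(x & (x - 1)); }

/* Encode: payload bits fill the non-power-of-two positions 1..21; check bit
 * 2^i is the parity of every position whose index has bit i set; position 0
 * holds the overall parity that turns SEC (distance 3) into SECDED (distance 4). */
uint32_t secded_encode(uint16_t payload)
{
    uint32_t cw = 0;
    unsigned pos, j, k = 0, parity;
    for (pos = 1; pos <= CODE_LEN; pos++) {
        if (is_pow2(pos)) continue;
        if ((payload >> k++) & 1) cw |= 1u << pos;
    }
    for (pos = 1; pos <= CODE_LEN; pos <<= 1) {
        for (parity = 0, j = 1; j <= CODE_LEN; j++)
            if ((j & pos) && ((cw >> j) & 1)) parity ^= 1;
        if (parity) cw |= 1u << pos;
    }
    for (parity = 0, j = 1; j <= CODE_LEN; j++) parity ^= (cw >> j) & 1;
    return cw | parity;
}

/* Decode: the syndrome (XOR of all set positions) names a single flipped bit;
 * the overall parity distinguishes one flip (odd) from two flips (even). */
ecc_status_t secded_decode(uint32_t cw, uint16_t *payload)
{
    unsigned syndrome = 0, parity = 0, j, k = 0;
    ecc_status_t st = ECC_OK;
    uint16_t out = 0;
    for (j = 1; j <= CODE_LEN; j++) if ((cw >> j) & 1) syndrome ^= j;
    for (j = 0; j <= CODE_LEN; j++) parity ^= (cw >> j) & 1;
    if (parity) {                          /* odd flips: assume one, correct it */
        if (syndrome > CODE_LEN) return ECC_UNCORRECTABLE;
        cw ^= 1u << syndrome;              /* syndrome 0: parity bit itself */
        st = ECC_CORRECTED;
    } else if (syndrome) {
        return ECC_UNCORRECTABLE;          /* even flips, non-zero syndrome */
    }
    for (j = 1; j <= CODE_LEN; j++) {
        if (is_pow2(j)) continue;
        if ((cw >> j) & 1) out |= (uint16_t)(1u << k);
        k++;
    }
    *payload = out;
    return st;
}

/* Master side: the ECC covers address and data together. */
uint32_t master_encode(uint8_t addr, uint8_t data)
{
    return secded_encode((uint16_t)(((uint16_t)addr << 8) | data));
}

/* Client side: decode, then confirm that the address carried inside the
 * protected payload matches the address the client decoded on its own bus.
 * Uncorrectable errors and address mismatches are latched towards the FCCU. */
ecc_status_t client_check(uint32_t cw, uint8_t bus_addr, uint8_t *data, memu_t *memu)
{
    uint16_t payload;
    ecc_status_t st = secded_decode(cw, &payload);
    if (st == ECC_UNCORRECTABLE || (uint8_t)(payload >> 8) != bus_addr) {
        memu->uncorrectable++;
        memu->fccu_fault = true;
        return ECC_UNCORRECTABLE;
    }
    if (st == ECC_CORRECTED) memu->correctable++;
    *data = (uint8_t)payload;
    return st;
}

/* Round trip with injected flips: returns the decoder status when the payload
 * survives intact, ECC_UNCORRECTABLE when reported, -2 on a silent miscorrection. */
int check_roundtrip(uint16_t payload, uint32_t flip_mask)
{
    uint16_t out;
    ecc_status_t st = secded_decode(secded_encode(payload) ^ flip_mask, &out);
    if (st == ECC_UNCORRECTABLE) return ECC_UNCORRECTABLE;
    return out == payload ? (int)st : -2;
}

int main(void)
{
    memu_t memu = { 0, 0, false };
    uint8_t data;
    uint32_t cw = master_encode(0x3C, 0xA5);
    printf("clean:        %d\n", client_check(cw, 0x3C, &data, &memu));
    printf("1 bit flip:   %d\n", client_check(cw ^ (1u << 7), 0x3C, &data, &memu));
    printf("2 bit flips:  %d\n", client_check(cw ^ (1u << 3) ^ (1u << 10), 0x3C, &data, &memu));
    printf("wrong client: %d\n", client_check(cw, 0x3D, &data, &memu));
    printf("MEMU: %u correctable, %u uncorrectable, FCCU fault=%d\n",
           memu.correctable, memu.uncorrectable, memu.fccu_fault);
    return 0;
}
```

Two things to notice when reading the output: the decoder never corrects when the overall parity is even and the syndrome is non-zero, which is exactly the double-error case the page's Hamming distance of 4 buys, and the "wrong client" case is caught even though the codeword itself is error-free, because the address travelled inside the protected payload rather than beside it.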
Fig. 1. Implementation of checker core and E2EECC