
External Use

Design Functional Safety Compliant ECU

July 2015

Yolanda Xi

APF-ACC-T1552


Evolution of Vehicle Safety Systems… And the Arrival of Functional Safety

2000-2010: Passive Safety (Injury Free)
2010-2020: Active Safety (Accident Free)
2020-2030: Predictive Safety (Semi Autonomous Driving)

Functional Safety covers systems for
• Chassis & Safety
• Powertrain
• Body

Market trends
1. Vision zero - no fatalities
2. Safe Comfort & Assistance
3. Green Technology
4. Automation


Functional Safety & Standard

Functional safety is the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems.

IEC 61508
• Generic Industry: Functional safety of electrical/electronic/programmable electronic safety-related systems, applicable to all kinds of industry.
• Safety Integrity Levels: SIL 1, SIL 2, SIL 3, SIL 4
• Publication date: More than 10 years ago

ISO 26262
• Automotive Industry: Adaptation of the Functional Safety standard IEC 61508 for Automotive Electric/Electronic Systems
• Automotive Safety Integrity Levels: ASIL A, ASIL B, ASIL C, ASIL D
• Publication date: Nov 2011


Qualitative approach to (A)SIL computation

Columns C1 (simple), C2 (normal) and C3 (difficult, uncontrollable) are the classes of controllability.

Class of severity | Class of probability of exposure regarding operational situations | C1 (simple) | C2 (normal) | C3 (difficult, uncontrollable)
S1 (Light and moderate injuries) | E1 (very low) | QM | QM | QM
S1 | E2 (low) | QM | QM | QM
S1 | E3 (medium) | QM | QM | A
S1 | E4 (high) | QM | A | B
S2 (Severe and life threatening injuries [survival probable]) | E1 (very low) | QM | QM | QM
S2 | E2 (low) | QM | QM | A
S2 | E3 (medium) | QM | A | B
S2 | E4 (high) | A | B | C
S3 (Life threatening injuries, fatal injuries) | E1 (very low) | QM | QM | A
S3 | E2 (low) | QM | A | B
S3 | E3 (medium) | A | B | C
S3 | E4 (high) | B | C | D

(QM: “quality managed” no requirements from standard applied explicitly)
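As an added worked example (not from the Freescale deck), the following C code determines the ASIL from the severity, exposure and controllability classes of the table above. It goes beyond the table by using the general rule behind it, that QM applies when S+E+C is at most 6 and ASIL A to D correspond to sums of 7 to 10, and then checks that rule against every cell of the table; the function names and the 'Q' encoding for QM are this example's own.

```c
/* Added example, not from the deck: ASIL determination from the S/E/C classes.
 * The sum rule (QM for S+E+C <= 6, ASIL A..D for sums 7..10) reproduces the
 * ISO 26262-3 table; asil_table_is_consistent() verifies that cell by cell. */
#include <stdio.h>

/* Returns 'Q' for QM or 'A'..'D' for ASIL A..D; 0 for an out-of-range class. */
char asil_from_sec(int s, int e, int c)
{
    if (s < 1 || s > 3 || e < 1 || e > 4 || c < 1 || c > 3)
        return 0;
    int sum = s + e + c;              /* ranges 3..10 */
    if (sum <= 6)
        return 'Q';                   /* quality managed: no ASIL requirement */
    return (char)('A' + (sum - 7));   /* 7 -> A, 8 -> B, 9 -> C, 10 -> D */
}

const char *asil_name(char a)
{
    switch (a) {
    case 'Q': return "QM";
    case 'A': return "ASIL A";
    case 'B': return "ASIL B";
    case 'C': return "ASIL C";
    case 'D': return "ASIL D";
    default:  return "invalid";
    }
}

/* The table from the slide, indexed [S-1][E-1][C-1], used as the cross-check. */
static const char ASIL_TABLE[3][4][3] = {
    { {'Q','Q','Q'}, {'Q','Q','Q'}, {'Q','Q','A'}, {'Q','A','B'} }, /* S1 */
    { {'Q','Q','Q'}, {'Q','Q','A'}, {'Q','A','B'}, {'A','B','C'} }, /* S2 */
    { {'Q','Q','A'}, {'Q','A','B'}, {'A','B','C'}, {'B','C','D'} }, /* S3 */
};

/* Returns 1 if the sum rule reproduces every cell of the slide's table. */
int asil_table_is_consistent(void)
{
    for (int s = 1; s <= 3; s++)
        for (int e = 1; e <= 4; e++)
            for (int c = 1; c <= 3; c++)
                if (asil_from_sec(s, e, c) != ASIL_TABLE[s - 1][e - 1][c - 1])
                    return 0;
    return 1;
}

int main(void)
{
    /* Example hazard: life-threatening injuries (S3), high exposure (E4),
     * difficult to control (C3). */
    printf("S3/E4/C3 -> %s\n", asil_name(asil_from_sec(3, 4, 3)));
    printf("S1/E2/C2 -> %s\n", asil_name(asil_from_sec(1, 2, 2)));
    printf("sum rule matches the table: %d\n", asil_table_is_consistent());
    return 0;
}
```

The cross-check matters in practice: a hazard analysis tool that encodes the rule instead of the table should be validated against the published table exactly as asil_table_is_consistent() does, since one wrong cell silently under-rates a hazard.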


Quantitative ASIL Requirements for HW

Metric | ASIL B | ASIL C | ASIL D
PVSG [1/h] | <10^-7 | recom. <10^-7 | <10^-8
SPFM | >90% | >97% | >99%
LFM | >60% | >80% | >90%

PVSG
• Probability of violation of safety goals
• Values are total budget for whole system!
• uC typically receives 1% of total budget, i.e. <10^-10 for ASIL D

SPFM
• Single Point Fault Metric
• Robustness of the item to single-point (and residual) faults by coverage from safety mechanisms, or by design

LFM
• Latent Fault Metric
• Robustness of the item to latent faults by coverage from safety mechanisms, by the driver recognizing fault before violation of safety goal, or by design
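An added example, not part of the deck, that turns the thresholds above into a check a reviewer can run on FMEDA sums. The SPFM and LFM formulas are the ISO 26262-5 definitions (the slide states the targets, not the formulas); the struct, the function names, the FIT unit handling and the sample failure rates in main() are constructed for illustration and are not from any Freescale FMEDA.

```c
/* Added example, not from the deck: hardware architectural metrics from
 * FMEDA-style failure-rate sums, checked against the slide's ASIL targets.
 * Rates are in FIT (1 FIT = 1e-9 failures per hour). */
#include <stdio.h>

typedef struct {
    double lambda_total;   /* sum of failure rates of all safety-related HW elements */
    double lambda_spf;     /* single-point faults (no safety mechanism at all)        */
    double lambda_rf;      /* residual faults (not covered by the safety mechanism)   */
    double lambda_mpf_lat; /* multiple-point faults that remain latent (undetected)   */
} fmeda_sums_t;

/* SPFM = 1 - (lambda_SPF + lambda_RF) / lambda_total   (ISO 26262-5) */
double spfm(const fmeda_sums_t *f)
{
    return 1.0 - (f->lambda_spf + f->lambda_rf) / f->lambda_total;
}

/* LFM = 1 - lambda_MPF,latent / (lambda_total - lambda_SPF - lambda_RF)   (ISO 26262-5) */
double lfm(const fmeda_sums_t *f)
{
    return 1.0 - f->lambda_mpf_lat / (f->lambda_total - f->lambda_spf - f->lambda_rf);
}

/* Targets from the slide; asil is 'B', 'C' or 'D'. Unknown levels never pass. */
int meets_spfm(double v, char asil)
{
    if (asil == 'B') return v > 0.90;
    if (asil == 'C') return v > 0.97;
    if (asil == 'D') return v > 0.99;
    return 0;
}

int meets_lfm(double v, char asil)
{
    if (asil == 'B') return v > 0.60;
    if (asil == 'C') return v > 0.80;
    if (asil == 'D') return v > 0.90;
    return 0;
}

/* PVSG budget for the whole system in 1/h (<1e-7 for ASIL B and, as a
 * recommendation, ASIL C; <1e-8 for ASIL D), scaled by the share allocated
 * to one element, e.g. 0.01 for the "uC typically receives 1%" rule. */
double pmhf_budget_per_hour(char asil, double share)
{
    double system_budget = 0.0;
    if (asil == 'B' || asil == 'C') system_budget = 1e-7;
    if (asil == 'D') system_budget = 1e-8;
    return system_budget * share;
}

/* Returns 1 if a PMHF given in FIT fits within the element's share of the budget. */
int meets_pmhf(double pmhf_fit, char asil, double share)
{
    double budget = pmhf_budget_per_hour(asil, share);
    return budget > 0.0 && pmhf_fit * 1e-9 < budget;
}

int main(void)
{
    /* Constructed sample: 1000 FIT total, 5 FIT SPF, 15 FIT RF, 49 FIT latent. */
    fmeda_sums_t f = { 1000.0, 5.0, 15.0, 49.0 };
    double s = spfm(&f), l = lfm(&f);
    printf("SPFM = %.4f  ASIL C: %s  ASIL D: %s\n", s,
           meets_spfm(s, 'C') ? "ok" : "fails", meets_spfm(s, 'D') ? "ok" : "fails");
    printf("LFM  = %.4f  ASIL D: %s\n", l, meets_lfm(l, 'D') ? "ok" : "fails");
    /* A PMHF of 0.05 FIT against the uC's 1% share of the ASIL D budget (1e-10/h). */
    printf("PMHF 0.05 FIT within uC ASIL D budget: %d\n", meets_pmhf(0.05, 'D', 0.01));
    return 0;
}
```

With the constructed numbers the SPFM of 98% clears ASIL C but not ASIL D, while the LFM of 95% clears ASIL D: the two metrics fail independently, which is why the slide lists both alongside the PVSG budget.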


SafeAssure Approach: The Four Key Elements

Functional Safety Standards
• IEC 61508 (Industrial): Generic Industry standard, applicable to electrical / electronic / programmable electronic safety-related systems. Integrity levels SIL 1, SIL 2, SIL 3, SIL 4. Pub date: More than 10 years ago
• ISO 26262 (Automotive): Automotive Industry standard, adaptation of IEC 61508 for electrical/electronic systems within road vehicles. Integrity levels ASIL A, ASIL B, ASIL C, ASIL D. Pub date: Target end 2011

Freescale Quality Foundation
• Quality Management: ISO TS 16949 Certified Quality Management System; Hardware - Zero Defects; Software – SPICE Level 3
• Organization: Safety is an integral part of the Freescale world wide organization
• Project Management: Configuration & Change Management, Quality Management, Requirements Management, Architecture & Design, Verification & Validation
• Continuous Improvement: Process evaluation, assessments / audits and gap-analysis exist to ensure processes are continually optimized

Safety Process
• Safety Analysis: Selected products defined & designed from the ground up with safety analysis being done at each step of the process
• Assessments / Audits
• Safety Confirmation Measures

Safety Hardware
• Microcontrollers: Lockstep Cores, ECC on Memories, Redundant Functions, Internal Monitors, Built In Self Test, Fault Collection & Control
• Analog and Power Management: Voltage Monitors, External Error Monitor, Advanced Watchdog, Built In Self Test
• Sensors: Timing Checker, Digital Scan of Signal Chains, DSI3 or PSI5 Safety Data links

Safety Software
• Automotive Software: AUTOSAR OS & MCAL; Core Self Test; Device Self Test; Complex Drivers
• Software Partnerships: Partnering with leading third-party software providers for automotive and industrial

Safety Support
• People: Regional functional safety experts
• Documentation: Safety Application Notes / Safety Manual / FMEDA


Safety Process – What does the product adhere to?

Freescale QM
• Development process addresses quality at component level
• Deliverables created available to the customer
  − Safety Analysis of Architecture: Safety FMEA or FTA
  − User Guide: Safety Application Note
  − Development Process evidence: PPAP, Quality Plan (Mapping to ISO 26262 / IEC 61508 checklists)

ISO 26262 or IEC 61508
• Development process addresses quality & functional safety at component level
• Deliverables created available to the customer
  − Safety Analysis of Architecture: FMEDA or FTA
  − User Guide: Safety Manual
  − Development Process evidence: PPAP, Safety Plan, Certificates


Safety Hardware – Quickly understand main Safety features?

Main MCU Safety Measure
• Dual Core
  − Lockstep
  − Decoupled Parallel Mode
• Sphere of Replication
• Clock & Power monitoring
• ECC
• FCCU
• STCU (LBIST, MBIST)

Main Analog Safety Features
• Voltage & timing monitoring
• Independent Fail Safe State Machine
• STCU (ABIST, LBIST)
• FCCU Monitoring
• Advanced Watchdog (challenger)

Main Sensor Safety Features
• Frame counters, cyclic redundancy checkers, error-corrected NVMs, & clock monitors
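The frame counters and cyclic redundancy checkers listed for the sensor side are shown in the following added receiver-side example, which is not from the deck and does not implement the DSI3 or PSI5 frame format: it assumes a constructed 4-byte frame with a 4-bit rolling counter, two data bytes and a CRC-8 (polynomial 0x07, an assumption), and the monitor classifies each received frame as OK, corrupted, repeated or lost.

```c
/* Added example, not from the deck: receiver-side frame counter + CRC checks
 * for a sensor data link. Frame layout and CRC polynomial are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CRC-8 with polynomial 0x07, init 0x00, no reflection, no final XOR
 * (check value for "123456789" is 0xF4). */
uint8_t crc8(const uint8_t *data, size_t len)
{
    uint8_t crc = 0x00;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? ((crc << 1) ^ 0x07) : (crc << 1));
    }
    return crc;
}

typedef enum { FRAME_OK = 0, FRAME_CRC_ERROR = 1, FRAME_REPEATED = 2, FRAME_LOST = 3 } frame_status_t;

typedef struct {
    int     have_last;   /* 0 until the first frame with a valid CRC was seen */
    uint8_t last_count;  /* rolling counter of the last frame with a valid CRC */
} link_monitor_t;

/* Constructed frame: { rolling counter (0..15), data0, data1, crc8 over the first 3 bytes }. */
frame_status_t check_frame(link_monitor_t *m, const uint8_t frame[4])
{
    if (crc8(frame, 3) != frame[3])
        return FRAME_CRC_ERROR;                 /* corrupted content: counter state untouched */
    uint8_t count = frame[0] & 0x0F;
    frame_status_t st = FRAME_OK;
    if (m->have_last) {
        if (count == m->last_count)
            st = FRAME_REPEATED;                /* stale or replayed frame, sender may be stuck */
        else if (count != ((m->last_count + 1) & 0x0F))
            st = FRAME_LOST;                    /* gap in the sequence (counter wraps 15 -> 0) */
    }
    m->have_last = 1;
    m->last_count = count;                      /* resynchronise on the received counter */
    return st;
}

/* Sender-side helper used only to build the constructed sample frames. */
void build_frame(uint8_t frame[4], uint8_t count, uint8_t d0, uint8_t d1)
{
    frame[0] = (uint8_t)(count & 0x0F);
    frame[1] = d0;
    frame[2] = d1;
    frame[3] = crc8(frame, 3);
}

/* Feeds five constructed frames through one monitor and records each verdict. */
int run_sample_sequence(int out[5])
{
    link_monitor_t m = { 0, 0 };
    uint8_t f[4];
    build_frame(f, 0, 0x12, 0x34); out[0] = check_frame(&m, f);  /* first frame           */
    build_frame(f, 1, 0x12, 0x35); out[1] = check_frame(&m, f);  /* counter 0 -> 1: OK    */
    build_frame(f, 1, 0x12, 0x35); out[2] = check_frame(&m, f);  /* same counter again    */
    build_frame(f, 3, 0x12, 0x36); out[3] = check_frame(&m, f);  /* counter 2 was skipped */
    build_frame(f, 4, 0x12, 0x37); f[2] ^= 0x01;                 /* one data bit flipped  */
    out[4] = check_frame(&m, f);
    return 5;
}

int main(void)
{
    static const char *names[] = { "OK", "CRC_ERROR", "REPEATED", "LOST" };
    int v[5];
    int n = run_sample_sequence(v);
    for (int i = 0; i < n; i++)
        printf("frame %d: %s\n", i, names[v[i]]);
    return 0;
}
```

The counter and the CRC catch different failure modes: the CRC detects corrupted bits, while the counter detects a sender that has stopped updating (repeated frames) or frames dropped on the link (gaps), neither of which a CRC alone can see. A CRC-failed frame does not advance the counter state, so a burst of corrupted frames is followed by a correctly reported gap.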


Safety Software – AutoSAR based software

Safety-Related Functional Components
• safety MCAL (sMCAL)
• safety Motor Control Lib (sMCLib)

Safety Service Components
• Safety Library (SafeLib)
• Microcontroller Error Management
• Software support for FCCU, MEMU, LBIST, MBIST
• Hardware error collection
• Safety Error Reporting and Reaction
• safety Operating System (sOS)

HW Safety Components
• safety Core Self Test (sCST)
• safety Peripheral Test Library (sPTLib)

Software Partnerships
• Partnering with leading third-party software providers for automotive and industrial

Figure: layered software stack on the microcontroller: Customer Applications on top of the RTE; BSW, Complex Drivers and sBSW; Safety library and Operating system; sMCAL, sCST/sDST and MCAL at the bottom.


Safety Support – FMEDA, Documentation & More

Freescale QM Products - Typical Deliverables
• Safety Analysis of Architecture: Safety FMEA or FTA
• User Guide: Safety Application Note
• Development Process evidence: PPAP, Quality Plan (Mapping to ISO 26262 / IEC 61508 checklists)

ISO 26262 or IEC 61508 Products – Typical Deliverables
• Safety Analysis of Architecture: FMEDA, CCA or FTA
• User Guide: Safety Manual
• Development Process evidence: PPAP, Safety Plan, Certificates

Local Support
• Functional Safety Field Experts

Learning
• Field Training / workshops – delivered by Local Functional Safety FAE Experts


Safety Support – Safety Manual

Objective
• Enables customers to extract the full value of Freescale’s functional safety offering
• Simplify integration of Freescale’s safety products into applications
• A comprehensible description of all information relating to FS in a single entity to ensure integrity of information and links with datasheet

Content
• SoC Safety Concept description
• System level assumptions of use (Safety specific usage considerations)
• Pseudo-code or C-Code to simplify adoption of safety application requirements
• FMEDA results
  − Latent Fault Metric (LFM)
  − Single Point Fault Metric (SPFM)
  − Probabilistic Metric for random Hardware Failures (PMHF)
• Provisions against Dependent Failures

Safety Manual for Analog Solution
Safety Manual for MCU Solution
Safety Manual for MPC574xP


Safety Support – System Level Application Notes

Design Guidelines for
• Integration of Microcontroller and Analog & Power Management device
• Explains main individual product Safety features
• Uses a typical Electrical Power steering application to explain product alignment
• Covers the ASIL D safety requirements that are satisfied by using both products:
  − MPC5643L requires external measures to support a system level ASIL D safety level
  − MC33907/08 provides those external measures: External power supply and monitor, External watchdog timer, Error output monitor


SafeAssure Products

Target Market: Automotive

Product Type: Processors
Product: S32V230
Target Applications: Front View, Reverse View, Surround View, Data Fusion
Safety Process: ISO 26262, Targets ASIL B
Safety Hardware: Integrated Safety Architecture: ECC, LBIST & MBIST, replicated peripherals, clock and voltage monitoring, Memory protection, FCCU
Safety Software: Core Self Test, AUTOSAR MCAL
Safety Support: FMEDA, DFA, Safety Manual

Product Type: Microcontrollers
Product: MPC577xK
Target Applications: 77 GHz RADAR System, Adaptive Cruise Control, Surround View Park Assist System, Blind Spot Detection, Cross Traffic Alert, Autonomous Emergency Braking Systems, Side Impact Assistance, Sensor Fusion
Safety Process: ISO 26262, Targets ASIL D
Safety Hardware: Integrated Safety Architecture: Multicore delayed lockstep, e2e ECC, replicated peripherals, LBIST & MBIST, FCCU
Safety Software: AUTOSAR MCAL, Structural Core Self Test
Safety Support: FMEDA, Safety Manual

Product Type: Microcontrollers
Product: MPC5748G
Target Applications: Battery Management, High End Body Control Module, Infotainment Gateway, Central Gateway / In-Vehicle Networking
Safety Process: ISO 26262, Targets ASIL B
Safety Hardware: Integrated Safety Architecture e.g.: Multicore, e2eECC, LBIST & MBIST, clock and under voltage monitoring, FCCU
Safety Support: FMEDA, Safety Manual

Product Type: Microcontrollers
Product: MPC5777M
Target Applications: Direct Injection Engines, Common Rail Diesel Injection Systems, Electronically Controlled Transmissions, Diesel Engine Management, Gasoline Engine Management
Safety Process: ISO 26262, Targets ASIL D
Safety Hardware: Integrated Safety Architecture e.g.: Dual core, delayed lockstep, e2eECC, replicated peripherals, LBIST & MBIST, FCCU
Safety Support: FMEDA, Safety Manual

To view the latest SafeAssure product table visit www.freescale.com/SafeAssure


HW Example: MPC5643L Safety Mechanisms

Fault Collection Unit
• detects when errors have occurred
• indicates error to external
• independent of software operation

Flash
• ECC

RAM
• ECC

Temp Sensor
• redundant

CRC Unit
• Application Signature

Flexray

PMU
• internal Vreg
• redundant Vmonitor

Sphere of Replication:
• Replicated e200 Core
• replicated eDMA
• redundant INTC, SWT, etc
• redundant MMU
• RC Units at Gates to non redundant sphere

Clock Monitoring
• Detects and mitigates clock disturbances
• PLL

Timer
• eTimer0 channels “isolated”

ADC
• On Line Assisted Hardware BIST

XBAR + MPU:
• redundant
• RC Units at Gates to non redundant sphere

Figure: MPC5643L block diagram. Two PowerPC™ e200 cores (each with MMU, VLE, FPU, cache, eDMA, INTC, STM, MCM, SWT and Nexus/JTAG debug), duplicated Cross Bar Switch and Memory Protection Unit, FLASH (ECC), SRAM (ECC), I/O Bridges and FlexRay with RC units at the gates of the replicated sphere, plus PMU, FMPLL, IRCOSC, XOSC, CMU, SSCM, BAM, CRC, PIT, SIU, WAKE, TSENS, ADC, CTU, FlexPWM, eTIMER, FlexCAN, LINFLEX, DSPI and FCCU.


MPC5643L and the Failure Classes

• Single Point Failure (SPF)
  − Structural redundancy: Core, cache, bus, DMA, INTC, watchdog, RAM-Ctrl, Flash-Controller
  − Information redundancy: ECC on system RAM and Flash
• Latent Failure (LF)
  − HW-Self test: Memory, logic, some peripherals; 90% coverage
• Common Cause Failure (CCF)
  − Measures according to IEC61508-2 Ed.2 Annex E
  − Supervision of clock, power and temperature
  − Independent safety clock
  − Independent failure signaling

Figure: three cases. A faulty single Component turns its input into a wrong output. Two Components fed the same input with a Comparator on their outputs give a result marked OK. A Component with a latent fault (LF) still delivers a correct output.
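The comparator figure and the "sphere of replication" can be made concrete with a small simulation. The following C model is an added example, not Freescale code, and its instruction-stream function, the two-cycle delay and the fault-injection parameters are its own assumptions. It shows why the deck's products use delayed rather than plain lockstep: a transient upset that hits both cores at the same instant is invisible to a zero-delay comparator, because both cores corrupt the same instruction identically, but it is caught when the checker core runs behind.

```c
/* Added example, not from the deck: a software model of (delayed) lockstep
 * with a comparator on the replicated cores' outputs and fault injection. */
#include <stdint.h>
#include <stdio.h>

#define CYCLES 8     /* length of the constructed instruction stream */

/* Constructed input stream fed to both cores, one word per cycle. */
const uint32_t SAMPLE_INPUTS[CYCLES] = { 3, 1, 4, 1, 5, 9, 2, 6 };

/* Toy "instruction": one cycle folds an input into the register state. */
static uint32_t core_step(uint32_t state, uint32_t input)
{
    return (state * 1103515245u + input) ^ (state >> 13);
}

/* Runs the stream through a main core and a checker core that executes the
 * same stream `delay` cycles later. The comparator checks the checker's
 * output of step k against the main core's stored output of step k. At
 * absolute cycle glitch_cycle a transient upset XORs glitch_mask into the
 * state of the main core (if hit_main) and/or the checker core (if
 * hit_checker); because of the delay the two cores are on different steps
 * at that instant. Returns the step at which the comparator first reported
 * a mismatch (what would be signalled to the FCCU), -1 if it never did,
 * or -2 for an invalid delay. */
int run_lockstep(const uint32_t inputs[CYCLES], int delay, int glitch_cycle,
                 uint32_t glitch_mask, int hit_main, int hit_checker)
{
    uint32_t main_state = 0, chk_state = 0;
    uint32_t main_out[CYCLES];

    if (delay < 0 || delay > CYCLES)
        return -2;
    for (int t = 0; t < CYCLES + delay; t++) {
        if (t < CYCLES) {                                   /* main core: step t */
            main_state = core_step(main_state, inputs[t]);
            if (hit_main && t == glitch_cycle)
                main_state ^= glitch_mask;
            main_out[t] = main_state;
        }
        int k = t - delay;                                  /* checker core: step k */
        if (k >= 0) {
            chk_state = core_step(chk_state, inputs[k]);
            if (hit_checker && t == glitch_cycle)
                chk_state ^= glitch_mask;
            if (chk_state != main_out[k])                   /* comparator */
                return k;
        }
    }
    return -1;
}

int main(void)
{
    const uint32_t m = 0x00000100u;   /* single-bit upset */
    printf("no fault, delay 2           : %d\n", run_lockstep(SAMPLE_INPUTS, 2, 4, m, 0, 0));
    printf("main core only, delay 0     : %d\n", run_lockstep(SAMPLE_INPUTS, 0, 4, m, 1, 0));
    printf("both cores, delay 0 (missed): %d\n", run_lockstep(SAMPLE_INPUTS, 0, 4, m, 1, 1));
    printf("both cores, delay 2 (caught): %d\n", run_lockstep(SAMPLE_INPUTS, 2, 4, m, 1, 1));
    return 0;
}
```

A single-core fault is reported at the step it occurred regardless of delay. The common-cause case is the interesting one: with delay 0 the model returns -1 (the fault is never seen), with delay 2 the comparator trips at step 2, the step the checker core was executing when the upset hit. The comparator itself is not replicated here, which is why the figure keeps the RC units and the FCCU outside the sphere of replication.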


First ISO 26262 Certified MCU – Qorivva MPC5643L

• Certified by exida – an independent accredited assessor
• Certificate issued based on a successful assessment of the product design and applied development and production processes against all requirements and work product definitions of ISO 26262 identified as applicable to an MCU part
• MPC5643L MCU certified for use for all Automotive Safety Integrity Levels (ASIL), up to and including the most stringent level, ASIL D

Released on 6th September, 2012


ISO 26262 Assessment and Audit Summary

• Assessment of the MPC5643L Safety Case
• Assessment and audit of Freescale’s development processes used for the MPC5643L
• Assessment of the FMEDA (Failure Modes Effects and Diagnostic Analysis) of the MPC5643L to confirm it satisfies the SPFM, LFM and PMHF metrics required for ASIL D
• Assessment of the MPC5643L hardware design, implementation and verification activities
• Over 50 work products were provided to exida during the assessment and on-site audits

Figure: MPC5643L MCU


Flexible FMEDA


ASIL-D System Design with Freescale

• MCU with Highly integrated Safety architecture
• Power SBC separate watchdog, fail safe check
• FMEDA-FTA-Safety manual
• AutoSar developed as per ISO26262

Safety Functions: Locked Steering or Unintended Steering

Figure: electric power steering system. The MPC5643L contains two Qorivva cores in a sphere of redundancy, ADC, TIMER, PWM, Cross Triggering Unit, FCCU, NVM, RAM, IO bridge, PMC/RGM and SPI. A Sin-Cos physical layer (Ucos, Usin, Uref) and a differential amplifier + filter feed the ADC; the PWM drives a 3-phase low-voltage power stage and the motor, with the phase currents Isa, Isb, Isc and the U_DC bus measured back. The Power SBC (FAIL SAFE machine, voltage monitor & watchdog) supplies VCORE and VCC, talks to the MCU over SPI (MOSI, SCLK, MISO), takes FCCU[0]/FCCU[1] as failsafe inputs and drives the failsafe outputs FS[0] and RST.
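An added model, not Freescale's MC33907/08 firmware or documentation, of the SBC-side fail safe check in the figure: the SBC monitors the MCU's FCCU error outputs, a challenge/response ("challenger") watchdog and the VCORE supply, and latches the fail-safe output FS[0] on the first failure. The challenge generator, the response function, the 10-tick window, the voltage limits and the scenario timings are assumptions of this example.

```c
/* Added example, not from the deck: SBC-side fail-safe supervision with a
 * challenge/response watchdog, FCCU error-pin monitoring and a VCORE window. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WD_WINDOW_TICKS 10   /* a response must arrive within this many ticks (assumed) */
#define VCORE_MIN_MV 1140    /* constructed limits for a nominal 1.2 V core supply */
#define VCORE_MAX_MV 1260

typedef struct {
    uint16_t    challenge;    /* challenge currently outstanding at the MCU */
    int         ticks_open;   /* ticks elapsed since that challenge was issued */
    int         fs_asserted;  /* 1 once FS[0] has been driven to its safe state */
    const char *reason;       /* first reason FS[0] was asserted, "none" otherwise */
} sbc_t;

/* Next value of a 16-bit Fibonacci LFSR (taps 16, 14, 13, 11): the challenge sequence. */
static uint16_t lfsr_next(uint16_t v)
{
    uint16_t bit = (uint16_t)((v ^ (v >> 2) ^ (v >> 3) ^ (v >> 5)) & 1u);
    return (uint16_t)((v >> 1) | (bit << 15));
}

void sbc_init(sbc_t *s)
{
    s->challenge = 0xACE1u;   /* non-zero LFSR seed */
    s->ticks_open = 0;
    s->fs_asserted = 0;
    s->reason = "none";
}

/* Answer the MCU must compute from the challenge (assumed scheme: rotate left 3, XOR a constant). */
uint16_t wd_expected_response(uint16_t challenge)
{
    return (uint16_t)((uint16_t)((challenge << 3) | (challenge >> 13)) ^ 0xA5A5u);
}

static void enter_failsafe(sbc_t *s, const char *why)
{
    if (!s->fs_asserted) {    /* latch the first cause; FS[0] stays asserted */
        s->fs_asserted = 1;
        s->reason = why;
    }
}

/* One SBC monitoring tick. fccu_err: FCCU[0]/FCCU[1] signal an MCU fault.
 * vcore_mv: measured core supply. have_response/response: watchdog answer
 * received during this tick, if any. */
void sbc_tick(sbc_t *s, int fccu_err, int vcore_mv, int have_response, uint16_t response)
{
    if (fccu_err)
        enter_failsafe(s, "FCCU error output");
    if (vcore_mv < VCORE_MIN_MV || vcore_mv > VCORE_MAX_MV)
        enter_failsafe(s, "VCORE out of range");
    if (have_response) {
        if (response != wd_expected_response(s->challenge))
            enter_failsafe(s, "wrong watchdog response");
        s->challenge = lfsr_next(s->challenge);   /* issue the next challenge */
        s->ticks_open = 0;
    } else if (++s->ticks_open > WD_WINDOW_TICKS) {
        enter_failsafe(s, "watchdog timeout");
    }
}

/* 40 ticks with a healthy MCU answering every 5th tick, plus optional injected
 * faults (0 disables each): stop_after = MCU stops answering after this tick,
 * wrong_at = corrupted answer at this tick, fccu_at = FCCU error from this tick,
 * brownout_at = VCORE drops to 1000 mV from this tick. Returns the latched reason. */
const char *run_scenario(int stop_after, int wrong_at, int fccu_at, int brownout_at)
{
    sbc_t s;
    sbc_init(&s);
    for (int t = 1; t <= 40; t++) {
        int answering = (t % 5 == 0) && !(stop_after && t > stop_after);
        uint16_t resp = wd_expected_response(s.challenge);
        if (t == wrong_at) { answering = 1; resp ^= 0x0001u; }
        int vcore = (brownout_at && t >= brownout_at) ? 1000 : 1200;
        sbc_tick(&s, fccu_at && t >= fccu_at, vcore, answering, resp);
    }
    return s.reason;
}

int main(void)
{
    printf("healthy       : %s\n", run_scenario(0, 0, 0, 0));
    printf("MCU hangs     : %s\n", run_scenario(10, 0, 0, 0));
    printf("bad answer    : %s\n", run_scenario(0, 15, 0, 0));
    printf("FCCU error    : %s\n", run_scenario(0, 0, 7, 0));
    printf("VCORE brownout: %s\n", run_scenario(0, 0, 0, 12));
    return 0;
}
```

The point of a challenger watchdog over a plain timeout is the response computation: a core stuck in a loop that still toggles a pin would satisfy a simple kick, but it cannot produce the correct answer to a fresh challenge, so the SBC sees it as a failure. Keeping the supervisor in a separate device, as the slide's Power SBC does, means the MCU cannot mask its own fault.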


SafeAssure MCU Product – MPC5744P

ISO 26262 ASIL D
• Safety assessment of MCU architecture and development process (ISO 26262)
• helps to reduce effort and time on ECU functional safety assessment

Integrated Safety Architecture (ISA)
• Saves development effort and time as no complex diagnostic SW required
• CPU processing power available for running applications
• High diagnostic coverage in HW to detect random faults

SW deliverables provided by Freescale and partners
• Enable support for ASIL D applications with minimized performance degradation
• sMCAL & sOS, Selftests, SW Safety Manual

Safety enablement provided by Freescale
• Safety Manual
• FMEDA
• System Level Application Note


Panther 2.5 MB

Core
• Dual up to 180 MHz Power™ ISA e200 zen4 core (Z420)
• 32 bit Reg File, 64 bit BIU with E2E ECC
• 64kB RAM of D-LMEM with MPU for fast context switch + local data
• 8KB 2-way I-cache / 4KB 2-way D-Cache
• 1x Scalar FPU (compiler supported) per core
• Safety enhanced Cores – VLE only
• No Signal processing unit extension + NO MMU
• Delayed Lock Step configuration only

Memory
• 2.5 MBytes NVM with ECC (with add. Safety measure for address)
• 64kB EEE (Data Flash) available incl. ECC
• Up to 384 Kbyte global system SRAM with ECC (Addr + Data)

I/O
• 3 x FlexCAN (64+2x32 message buffers)
• 1 x FlexRay (Dual Channel 64 msg. buffers)
• 2 x LINFlex (Uart/Lin protocol driver)
• 4 x DSPI (4 cs each)
• 2x FlexPWM (2x 12ch for 2 independent Motors Controlled)
• 3 x eTimer modules (18 channel total)
• 4 x SAR ADC – 1MS/s target 5V input capable
• 2 x Cross-triggering unit for motor control automatism
• 2x SENT

System
• Interprocessor I/F SIPI (approx 300 Mbaud)
• Safe DMA
• Fault Collection unit, WDG, T-sens, & CRC computing unit
• Nexus debug interface – Aurora
• Dual-PLL (Peripheral + System Core)
• 3.3 V Single supply: internal regulator with external power stage or External supply
• 3.3 V I/Os (ADC 5 V capable)
• 144 LQFP / 257 MAPBGA 0.8 mm pitch
• Tj = 150°C; Extended Temperature at 165°C Option (separate P/N)

Figure: MPC5744P block diagram. Two PowerPC™ e200 cores (VLE, S-FPU, I/D-cache, DLMEM) with a Safety Checker, Cross Bar Switch with E2E ECC (Addr+Data), Memory Protection Unit with 32 regions, 2.5 M FLASH (I/D, A+D ECC) behind a multi-ported flash controller, 384 KB SRAM (A+D ECC) with SRAM controller, Safe eDMA, Safety Lake, PMU, SWT, MCM, STM, INTC, Nexus/Aurora and JTAG debug, FCCU, and on the I/O bridges: 2 x LINFlex, 4 x DSPI, 4 x ADC, 3 x FlexCAN, 3 x eTimer, 2 x FlexPWM, 2 x CTU, 2 x TSENS, 2 x SENT, FlexRay, SIPI and Ethernet.


Summary

• The automotive industry is increasingly requiring functional safety solutions.
• Freescale is the right expert safety partner for our customers’ next-generation safety-critical applications.
• Freescale’s SafeAssure program is conceived to simplify system-level functional safety design and cut down time to compliance.
• Freescale’s SafeAssure program is built on four key elements: safety process, safety hardware, safety software and safety support.
• The SafeAssure program is about complete functional safety solutions: it includes microcontrollers, sensors, analog and power management ICs.
• MPC5643L is the first ISO 26262 Certified MCU.
• For more information, visit www.freescale.com.

