Design Functional Safety Compliant ECU

APF-AUT-T0644, August 2014

Yolanda Xi, Gavin Zhang

External Use

Evolution of Vehicle Safety Systems and the Arrival of Functional Safety

Timeline (figure): Passive Safety, "injury free" (2000-2010); Active Safety, "accident free" (2010-2020); Predictive Safety, semi-autonomous driving (2020-2030).

Functional Safety covers systems for

• Chassis & Safety
• Powertrain
• Body

Market trends

1. Vision zero - no fatalities
2. Safe comfort & assistance
3. Green technology
4. Automation

Functional Safety & Standard

Functional safety is the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems.

IEC 61508
• Generic industry standard: functional safety of electrical / electronic / programmable electronic safety-related systems, applicable to all kinds of industry
• Safety Integrity Levels: SIL 1, SIL 2, SIL 3, SIL 4
• Publication date: more than 10 years ago

ISO 26262
• Automotive industry adaptation of the functional safety standard IEC 61508 for automotive electrical/electronic systems
• Automotive Safety Integrity Levels: ASIL A, ASIL B, ASIL C, ASIL D
• Publication date: Nov 2011

Determination of ASIL and Safety Goals

• For each hazardous event, determine the ASIL from its Severity (S0-S3), Exposure (E0-E4) and Controllability (C0-C3) classes using ISO 26262-3 Table 4: S3/E4/C3 gives ASIL D, and lower classes step down through C, B and A to QM (no ASIL, quality management only)

• Then formulate a safety goal to prevent or mitigate each event, so that unreasonable risk is avoided; the safety goal inherits the ASIL of the hazardous event

Reference ISO 26262-3:2011
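The rating rule on this slide can be checked mechanically. The following Python is an added worked example, not code from the deck: it encodes ISO 26262-3 Table 4 (which reduces to the sum S + E + C), rates a constructed list of EPS-like hazardous events, and attaches a safety goal that inherits the event's ASIL. The first event uses the S3/E4/C3 rating that the deck's EPS example applies later; the other rows and the situation texts are invented for illustration.

```python
"""ASIL determination from S, E and C (ISO 26262-3:2011, Table 4).

Added worked example; it is not code from the deck. The mapping is the
standard's own table, the hazard list at the bottom is constructed.
"""
from dataclasses import dataclass

# Table 4 collapses to S + E + C: 10 -> D, 9 -> C, 8 -> B, 7 -> A, else QM.
ASIL_BY_SUM = {7: "A", 8: "B", 9: "C", 10: "D"}


def asil(s: int, e: int, c: int) -> str:
    """Return 'QM', 'A', 'B', 'C' or 'D' for severity S0..S3, exposure E0..E4,
    controllability C0..C3. A class of 0 (no injuries, incredible exposure,
    controllable in general) needs no ASIL."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError("S must be 0..3, E 0..4, C 0..3")
    if 0 in (s, e, c):
        return "QM"
    return ASIL_BY_SUM.get(s + e + c, "QM")


@dataclass(frozen=True)
class HazardousEvent:
    hazard: str            # malfunction as seen at vehicle level
    situation: str         # operational situation it is rated in
    s: int
    e: int
    c: int

    @property
    def asil(self) -> str:
        return asil(self.s, self.e, self.c)

    def safety_goal(self, text: str) -> str:
        """A safety goal is the top-level safety requirement for the event
        and inherits the event's ASIL."""
        return f"{text} ({self.asil if self.asil == 'QM' else 'ASIL ' + self.asil})"


# Constructed EPS-like hazard list; the first row uses the deck's S3/E4/C3.
EVENTS = [
    HazardousEvent("Unintended steering assist", "driving at speed", 3, 4, 3),
    HazardousEvent("Assist torque too low", "urban driving", 2, 4, 2),
    HazardousEvent("Loss of assist", "parking manoeuvre", 1, 3, 2),
]


def classify(events=EVENTS) -> dict:
    """Hazard -> ASIL for each rated event."""
    return {ev.hazard: ev.asil for ev in events}


if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.hazard:28s} S{ev.s} E{ev.e} C{ev.c} -> {ev.asil}")
    print(EVENTS[0].safety_goal(
        "The EPS does not apply unintended force to the steering system"))
```

When the same hazard is rated in several operational situations, the highest resulting ASIL is the one the safety goal carries; rating each situation as its own HazardousEvent and taking the maximum reproduces that rule.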

Target Metrics for ASIL

• Associate the following target metrics to each safety goal
−Single-point fault metric (SPFM): the share of the safety-related hardware failure rate that is neither a single-point nor a residual fault
−Latent-fault metric (LFM): the share of the remaining multiple-point faults that are detected or perceived rather than latent
−Probabilistic Metric for random Hardware Failures (PMHF): the rate, per hour, at which random hardware failures violate the safety goal

• ISO 26262-5 sets the targets per ASIL: ASIL B requires SPFM ≥ 90%, LFM ≥ 60%, PMHF < 10^-7 /h; ASIL C requires ≥ 97%, ≥ 80%, < 10^-7 /h; ASIL D requires ≥ 99%, ≥ 90%, < 10^-8 /h

Reference ISO 26262-5:2011

History of Freescale Functional Safety Solutions

• Gen 1 Safety: more than 10 years of experience of safety development in the area of MCU & SBC

• Gen 2 Safety: first general-market MCU certified to ISO 26262, the MPC5643L

• Gen 3 Safety: from 2012, multiple MCUs in Body, Chassis and Powertrain are being designed and developed according to ISO 26262

Timeline (figure)

Gen 1 Safety (2000): Custom Safety Platform for Braking (custom IC)
• Safe methodology, architecture, SW and tools
• Started to ship in 2000: first safe MCU for braking applications
• IEC 61508 / ISO 26262 compliance achieved at system level (top-down approach)
• MCU features are a key enabler for SIL3 / ASIL D

Gen 2 Safety (2008): MPC5643L (90 nm) + PowerSBC
• 32-bit dual-core MCU, developed according to ISO 26262, target applications for Chassis: ASIL D
• PowerSBC: voltage supervision, fail-safe state machine, fail-safe IO, advanced watchdog

Gen 3 Safety (2012): MPC5744P / MPC5777K / etc. (55 nm) + PowerSBC
• 32-bit dual/quad-core MCU, developed according to ISO 26262, target applications for Chassis & Powertrain: ASIL D
• PowerSBC: voltage supervision, fail-safe state machine, fail-safe IO, advanced watchdog

SafeAssure Approach: The Four Key Elements

Foundation: Functional Safety Standards

• IEC 61508 (Industrial): generic industry standard, applicable to electrical / electronic / programmable electronic safety-related systems. Integrity levels SIL 1, SIL 2, SIL 3, SIL 4. Pub date: more than 10 years ago

• ISO 26262 (Automotive): automotive industry standard, adaptation of IEC 61508 for electrical/electronic systems within road vehicles. Integrity levels ASIL A, ASIL B, ASIL C, ASIL D. Pub date: target end 2011

Foundation: Freescale Quality Foundation

• Quality Management: ISO TS 16949 certified quality management system; Hardware: zero defects; Software: SPICE Level 3

• Organization: safety is an integral part of the Freescale worldwide organization

• Continuous Improvement: process evaluation, assessments / audits and gap analysis exist to ensure processes are continually optimized

Element 1: Safety Process

• Safety Analysis: selected products defined & designed from the ground up, with safety analysis being done at each step of the process

• Assessments / Audits: safety confirmation measures

• Project Management: configuration & change management, quality management, requirements management, architecture & design, verification & validation

Element 2: Safety Hardware

• Microcontrollers: lockstep cores, ECC on memories, redundant functions, internal monitors, built-in self test, fault collection & control

• Analog and Power Management: voltage monitors, external error monitor, advanced watchdog, built-in self test

• Sensors: timing checker, digital scan of signal chains, DSI3 or PSI5 safety data links

Element 3: Safety Software

• Automotive Software: AUTOSAR OS & MCAL, core self test, device self test, complex drivers

• Software Partnerships: partnering with leading third-party software providers for automotive and industrial

Element 4: Safety Support

• People: regional functional safety experts

• Documentation: safety application notes / safety manual / FMEDA

SafeAssure Products

To view the latest SafeAssure product table visit www.freescale.com/SafeAssure

(Table columns: Target Market, Product Type, Product, Target Applications, Safety Process, Safety Hardware, Safety Support)

Automotive MCUs

• Qorivva MPC5746M
− Target applications: diesel engine management, direct injection engines, electronically controlled transmissions, gasoline engine management
− Safety process: ISO 26262 ASIL D
− Safety hardware: Integrated Safety Architecture, e.g. multicore, delayed lockstep, e2e ECC, replicated peripherals, LBIST & MBIST, FCCU
− Safety support: FMEDA, Safety Manual

• Qorivva MPC577xK
− Target applications: 77 GHz radar system, adaptive cruise control, surround view, park assist system, blind spot detection, cross traffic alert, autonomous emergency braking systems, side impact assistance, sensor fusion
− Safety process: ISO 26262 ASIL D
− Safety hardware: Integrated Safety Architecture: multicore, delayed lockstep, e2e ECC, replicated peripherals, LBIST & MBIST, FCCU
− Safety support: FMEDA, Safety Manual

• Qorivva MPC5748G
− Target applications: battery monitoring, high-end body control module, infotainment gateway, central gateway / in-vehicle networking
− Safety process: ISO 26262 ASIL B
− Safety hardware: Integrated Safety Architecture, e.g. multicore, e2e ECC, LBIST & MBIST, clock and under-voltage monitoring, FCCU
− Safety support: FMEDA, Safety Manual

• Qorivva MPC5777M
− Target applications: direct injection engines, common rail diesel injection systems, electronically controlled transmissions, diesel engine management, gasoline engine management
− Safety process: ISO 26262 ASIL D
− Safety hardware: Integrated Safety Architecture, e.g. dual core, delayed lockstep, e2e ECC, replicated peripherals, LBIST & MBIST, FCCU
− Safety support: FMEDA, Safety Manual

• Qorivva MPC5744P
− Target applications: electric power steering (EPS), braking and stability control, 77 GHz radar system, safety domain control
− Safety process: ISO 26262 ASIL D
− Safety hardware: Integrated Safety Architecture, e.g. dual core, delayed lockstep, e2e ECC, replicated peripherals, LBIST & MBIST, FCCU
− Safety support: FMEDA, Safety Manual

• Qorivva MPC567xK
− Target applications: 77 GHz radar system, front view camera
− Safety process: FSL QM
− Safety hardware: Integrated Safety Architecture, e.g. dual core, lockstep or dual parallel processing, replicated peripherals, FCCU
− Safety support: FMEDA, Safety Manual

• Qorivva MPC564xL
− Target applications: 77 GHz radar system, electric power steering (EPS), braking and stability control
− Safety process: ISO 26262 ASIL D
− Safety hardware: Integrated Safety Architecture, e.g. dual core, lockstep or dual parallel processing, replicated peripherals, FCCU
− Safety support: FMEDA, Safety Manual, System Level Application Note

• Qorivva MPC5604P
− Target applications: airbags, electric power steering (EPS)
− Safety process: FSL QM
− Safety hardware: single core, SEC/DED ECC, clock monitoring unit, low voltage detector, FCU
− Safety support: FMEDA, Safety Application Note

SafeAssure Products (continued)

To view the latest SafeAssure product table visit www.freescale.com/SafeAssure

Automotive Analog and Power Management

• MC33907
− Target applications: electric power steering (EPS), safety-critical motor control, vehicle dynamic and chassis control
− Safety process: ISO 26262 ASIL D
− Safety hardware: Integrated Safety Architecture, e.g. voltage monitoring and fail-safe state machine (ABIST, LBIST), FCCU monitoring for dual-core lockstep mode, several HW diagnostics to cover SPF, LF
− Safety support: Safety Manual, FMEDA, System Level Application Note

• MC33908
− Target applications: integrated chassis domain, safety-critical motor control
− Safety process: ISO 26262 ASIL D
− Safety support: Safety Manual, FMEDA, System Level Application Note

• MC33789
− Target applications: PSI5 airbag system
− Safety process: FSL QM
− Safety hardware: 4x PSI5 host, safing block
− Safety support: Safety FMEA

• MC33926
− Target applications: valve control in powertrain applications
− Safety process: FSL QM
− Safety hardware: output state flag, thermal shutdown
− Safety support: Safety FMEA

Automotive Sensors

• Xtrinsic MMA16xx and Xtrinsic MMA26xx
− Target applications: airbags, DSI2.5 satellite
− Safety process: FSL QM
− Safety hardware: DSI2.5 safety bus, triggered self test, over-damped MEMS
− Safety support: FTA

• Xtrinsic MMA17xx and Xtrinsic MMA27xx
− Target applications: airbags, DSI3.0 satellite
− Safety process: FSL QM
− Safety hardware: DSI3.0 safety bus, triggered self test, over-damped MEMS
− Safety support: FTA

• Xtrinsic MMA51xx and Xtrinsic MMA52xx
− Target applications: airbags, PSI5 satellite
− Safety process: FSL QM
− Safety hardware: PSI5 safety bus, triggered self test, over-damped MEMS
− Safety support: FTA

• Xtrinsic MMA65xx and Xtrinsic MMA68xx
− Target applications: airbags, main ECU
− Safety process: FSL QM
− Safety hardware: SPI w/ CRC, triggered self test, over-damped MEMS
− Safety support: FTA

• Xtrinsic MMA69xx
− Target applications: braking and stability control
− Safety process: FSL QM
− Safety hardware: SPI w/ CRC, triggered self test, over-damped MEMS
− Safety support: FTA

Industrial MCUs

• Qorivva MPC564xL
− Target applications: aerospace, anesthesia unit monitor, input-output control (I/O control), process control, temperature control, programmable logic control (PLC), motor drivers, robotics, safety shutdown systems
− Safety process: ISO 26262 ASIL D
− Safety hardware: Integrated Safety Architecture, e.g. dual core, lockstep or dual parallel processing, replicated peripherals, FCCU
− Safety support: FMEDA, Safety Manual, System Level Application Note

• Qorivva MPC567xK
− Target applications: ventilators and respirators
− Safety process: FSL QM
− Safety support: FMEDA, Safety Manual

HW Example: MPC5643L Safety Mechanisms

Fault Collection Unit
• detects when errors have occurred
• indicates errors externally
• independent of software operation

Flash
• ECC

RAM
• ECC

Temp Sensor
• redundant

CRC Unit
• application signature

FlexRay

PMU
• internal Vreg
• redundant Vmonitor

Sphere of Replication:
• replicated e200 core
• replicated eDMA
• redundant INTC, SWT, etc.
• redundant MMU
• RC units (redundancy checkers) at the gates to the non-redundant sphere

Clock Monitoring
• detects and mitigates clock disturbances
• PLL

Timer
• eTimer0 channels "isolated"

ADC
• on-line assisted hardware BIST

XBAR + MPU:
• redundant
• RC units at the gates to the non-redundant sphere

Block diagram (figure): two replicated e200 cores (each with MMU, VLE, FPU, cache, Nexus/JTAG debug, eDMA, INTC, STM, SWT, MCM); two cross bar switches and two memory protection units; RC checkers on the paths from the replicated sphere to FLASH (ECC), SRAM (ECC), FlexRay and the I/O bridges; peripherals behind the I/O bridges: BAM, SSCM, FMPLL, IRCOSC, XOSC, CMU (x2), CRC, PIT, SIU, WAKEUP, TSENS (x2), ADC (x2), CTU, FlexPWM, eTimer (x3), FlexCAN (x2), LINFlex (x2), DSPI (x3), FCCU, PMU.

MPC5643L and the Failure Classes

• Single Point Failure (SPF)
− Structural redundancy: core, cache, bus, DMA, INTC, watchdog, RAM controller, Flash controller
− Information redundancy: ECC on system RAM and Flash

• Latent Failure (LF)
− HW self test: memory, logic, some peripherals; 90% coverage

• Common Cause Failure (CCF)
− Measures according to IEC 61508-2 Ed. 2 Annex E
− Supervision of clock, power and temperature
− Independent safety clock
− Independent failure signaling

(Figure: a single faulty component turns a correct input into a wrong output, an SPF; two replicated components fed the same input with a comparator on their outputs report OK only when both agree, so the wrong output is detected; a component with a latent fault (LF) still produces the correct output until a second fault exposes it.)
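Information redundancy in practice: the block below is an added example, not Freescale's ECC implementation, of a textbook SEC-DED (extended Hamming) code of the kind the deck lists on SRAM, Flash and the MPC5604P ("SEC/DED ECC"). It encodes a 64-bit word into 72 bits, then injects one and two bit flips to show the difference between a corrected fault (the MCU keeps running, but the event should still be counted, because a second flip in the same word would be uncorrectable) and a detected but uncorrectable fault, which has to be signalled to the fault collection unit and reacted to within the FTTI. The memory values are constructed.

```python
"""SEC-DED ECC on a memory word: the information redundancy the deck lists
for SRAM and Flash, shown as an extended Hamming code.

Added worked example, not Freescale's ECC logic. For 64 data bits it gives
the familiar 72-bit codeword (64 data + 7 Hamming parity + 1 overall parity).
The memory values used at the bottom are constructed.
"""


def _parity_bits(n_data: int) -> int:
    r = 0
    while (1 << r) < n_data + r + 1:
        r += 1
    return r


def encode(data_bits):
    """Codeword as a bit list: index 0 is the overall parity bit; positions
    1..N carry data, except the power-of-two positions, which carry the
    Hamming parity bits."""
    n = len(data_bits)
    total = n + _parity_bits(n)
    code = [0] * (total + 1)
    src = iter(data_bits)
    for pos in range(1, total + 1):
        if pos & (pos - 1):                      # not a power of two: data
            code[pos] = next(src)
    p = 1
    while p <= total:                            # parity p covers positions with bit p set
        code[p] = sum(code[q] for q in range(1, total + 1) if q & p and q != p) & 1
        p <<= 1
    code[0] = sum(code) & 1                      # make the whole word even parity
    return code


def decode(code):
    """Return (status, data_bits): status is 'ok', 'corrected' (one bit fixed)
    or 'uncorrectable' (two bits flipped; data_bits is None)."""
    total = len(code) - 1
    syndrome = 0
    for pos in range(1, total + 1):
        if code[pos]:
            syndrome ^= pos                      # XOR of set positions = error position
    odd = sum(code) & 1                          # overall parity still even?
    if syndrome == 0 and odd == 0:
        status = "ok"
    elif odd == 1 and syndrome <= total:         # one flip (syndrome 0 = parity bit itself)
        code = list(code)
        code[syndrome] ^= 1
        status = "corrected"
    else:                                        # even number of flips, non-zero syndrome
        return "uncorrectable", None
    return status, [code[pos] for pos in range(1, total + 1) if pos & (pos - 1)]


def to_bits(value: int, width: int):
    return [(value >> i) & 1 for i in range(width)]


def from_bits(bits) -> int:
    return sum(b << i for i, b in enumerate(bits))


def ecc_write(value: int, width: int = 64):
    """Store a word: data in, codeword out."""
    return encode(to_bits(value, width))


def ecc_read(code):
    """Read a word back: (status, value) with value None when uncorrectable."""
    status, bits = decode(code)
    return status, (None if bits is None else from_bits(bits))


def flip(code, *positions):
    """Fault injection: return a copy with the given bit positions inverted."""
    out = list(code)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    word = ecc_write(0xDEADBEEFCAFEF00D)          # constructed value
    print(len(word), "bits stored")
    print(ecc_read(word))
    print(ecc_read(flip(word, 5)))               # single fault: corrected
    print(ecc_read(flip(word, 5, 9)))            # double fault: detected only
```

Three or more flips in one word exceed the code's guarantee and can be silently miscorrected; that residual is what an FMEDA books against the fraction of the memory's failure rate the ECC does not cover.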

First ISO 26262 Certified MCU – Qorivva MPC5643L

• Certified by exida, an independent accredited assessor

• Certificate issued based on a successful assessment of the product design and the applied development & production processes against the requirements and work products of ISO 26262 applicable to an MCU

• MPC5643L MCU certified for use for all Automotive Safety Integrity Levels (ASIL), up to and including the most stringent level, ASIL D

Defining the MCU Safety Concept

• Objective
− Define the MCU ASIL, derived from system level assumptions

• Application assumptions
− Safety goals: associated "mini" HARA, ASIL
− Fault Tolerant Time Interval (FTTI / L-FTTI)
− System safe state

• MCU assumptions
− MCU safety functions: associated ASIL from the safety goal
− Portion of FTTI: % of the safety goal's FTTI
− Portion of the ASIL target allocated to each safety function: % of the safety goal's target
− MCU safe state: compatible with the system safe state

Example – EPS System

• Application Context
− Safety Goal 1 (SG1): The EPS does not apply unintended force to the steering system (ASIL D).
Hazard: unintended steering assist
Risk assessment
− S3: life-threatening injuries (survival uncertain), fatal injuries
− E4: high probability
− C3: difficult to control or uncontrollable

• MCU Assumptions
− Safety Function 1 (SF1): execute software instructions, process data, write back result (ASIL D) -> mapped to SG1
− Portion of FTTI: 10 ms, i.e. 50% of the SG1 FTTI for HW safety measures
− Portion of the ASIL target allocated to each safety function: SPFM 99%, LFM 90%, PMHF 10^-10 /h (1% of the safety goal's ASIL target)
− MCU safe state (fail safe, fail indicate): reset, indicating an error

Example Interaction Between Car OEM, Tier 1 & Tier 2 (Freescale)

OEM (relevant scope of ISO 26262: high)
• Safety architecture
• Safety concept
• ASIL classification of functions
• Item definition, hazard analysis and risk assessment, safety goals, functional safety concept (ISO 26262)
• Passes safety requirements & DIA (development interface agreement) down to the Tier 1

Tier 1 (relevant scope of ISO 26262: medium)
• HW / SW offering
• Passes safety requirements & DIA down to the Tier 2; receives Safety Manual & Safety Analysis in return

Tier 2 Supplier - Freescale (Safety Element out of Context; the foundation)
• Product safety measures (implemented in the offering, described in the Safety Manual, quantified/qualified by the Safety Analysis)
• Development process & methods
• Quality & quality data
• Freescale functional safety focus: Safety Manual & Safety Analysis

Overall ISO 26262 compliance is achieved together; we each own a piece of the puzzle

Defining the MCU Safety Concept

• Objective
− Define how the MCU ASIL targets will be achieved with a mix of on-chip HW safety measures and system level safety measures (HW/SW)

• ISO 26262-5 Annex D – elements related to the MCU (MCU module classification)
− Low application dependency: power, clock, Flash, SRAM & processing unit
− High application dependency: digital IO & analog IO

Reference ISO 26262-5:2011

Realizing the MCU Safety Concept – Qorivva MPC5744P

(Figure: MCU modules and the measure applied to each)
• Power: power monitoring
• Clock: clock monitoring
• SRAM & Flash: ECC
• Processing unit: dual-core lockstep
• Buses: ECC on buses
• Communication: fault-tolerant communication
• Digital / analog IO: redundant use of IO & application checks

SafeAssure MCU Product – Qorivva MPC5744P

ISO 26262 ASIL D
• Safety assessment of MCU architecture and development process (ISO 26262)
• Helps to reduce effort and time on the ECU functional safety assessment

Integrated Safety Architecture (ISA)
• Saves development effort and time, as no complex diagnostic SW is required
• CPU processing power available for running applications
• High diagnostic coverage in HW to detect random faults

SW deliverables provided by Freescale and partners
• Enable support for ASIL D applications with minimized performance degradation
• sMCAL & sOS, self tests, SW Safety Manual

Safety enablement provided by Freescale
• Safety Manual
• FMEDA
• System Level Application Note

Safety Process – What does the product adhere to?

FSL QM
• Development process addresses quality at component level
• Deliverables created and available to the customer
− Safety analysis of architecture: Safety FMEA or FTA
− User guide: Safety Application Note
− Development process evidence: PPAP, Quality Plan (mapping to ISO 26262 / IEC 61508 checklists)

ISO 26262 or IEC 61508
• Development process addresses quality & functional safety at component level
• Deliverables created and available to the customer
− Safety analysis of architecture: FMEDA or FTA
− User guide: Safety Manual
− Development process evidence: PPAP, Safety Plan, Certificates

Safety Hardware – Quickly understand the main safety features

Main MCU Safety Measures
• Dual core
− Lockstep
− Decoupled parallel mode
• Sphere of replication
• Clock & power monitoring
• ECC
• FCCU
• STCU (LBIST, MBIST)

Main Analog Safety Features
• Voltage & timing monitoring
• Independent fail-safe state machine
• STCU (ABIST, LBIST)
• FCCU monitoring
• Advanced watchdog (challenger)

Main Sensor Safety Features
• Frame counters, cyclic redundancy checkers, error-corrected NVMs, & clock monitors
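What an "advanced watchdog (challenger)" adds over a plain timeout, as an added Python model that is not Freescale code: the SBC issues a new question each period, and the MCU must answer inside a time window, neither too early nor too late, with the correct value. A CPU stuck in a tight loop, a stalled scheduler and a core executing the wrong code each fail in a distinct way, and after a configurable number of consecutive errors the SBC latches its fail-safe output. The LFSR polynomial, the answer function and the fault schedule are assumptions made for the example; the real MC33907/08 question/answer algorithm and register interface are in its datasheet and safety manual, which are not on this page.

```python
"""Challenge/response ("challenger") window watchdog between the MCU and a
safety SBC, modelled in Python.

Added example, not Freescale code: the LFSR polynomial and the answer
function are placeholders and the fault schedule is constructed. The real
MC33907/08 algorithm and register interface are in its datasheet and safety
manual, which are not on this page.
"""

MASK16 = 0xFFFF


def answer_for(question: int) -> int:
    """Placeholder answer function known to both SBC and MCU (assumption)."""
    return ((question << 3) ^ (question >> 5) ^ 0x5A5A) & MASK16


class ChallengerWatchdog:
    """SBC side. A refresh counts only if it arrives inside the window
    [open_ms, close_ms] after the period start AND carries the right answer
    to the current question. max_bad consecutive bad periods assert the
    fail-safe output (called FS0b here) and it stays latched until reset."""

    def __init__(self, open_ms=20, close_ms=40, max_bad=3, seed=0xACE1):
        self.open_ms, self.close_ms, self.max_bad = open_ms, close_ms, max_bad
        self.bad_count = 0
        self.fail_safe = False
        self.log = []                     # (time_ms, reason) for every error
        self._lfsr = seed
        self._period_start_ms = 0
        self._question = self._next_question()

    def _next_question(self) -> int:
        # 16-bit Fibonacci LFSR, taps 16/14/13/11: a fresh question per period,
        # so a stuck CPU cannot satisfy the SBC by replaying an old answer.
        bit = (self._lfsr ^ (self._lfsr >> 2) ^ (self._lfsr >> 3) ^ (self._lfsr >> 5)) & 1
        self._lfsr = (self._lfsr >> 1) | (bit << 15)
        return self._lfsr

    def challenge(self) -> int:
        """MCU reads the current question (e.g. over SPI)."""
        return self._question

    def _error(self, now_ms: int, reason: str) -> None:
        self.bad_count += 1
        self.log.append((now_ms, reason))
        if self.bad_count >= self.max_bad:
            self.fail_safe = True
            self.log.append((now_ms, "FS0b asserted: system safe state"))

    def respond(self, now_ms: int, response: int) -> bool:
        """MCU writes its answer at now_ms. Returns True if the refresh is accepted."""
        if self.fail_safe:
            return False                  # latched; only a reset sequence leaves it
        elapsed = now_ms - self._period_start_ms
        ok = False
        if elapsed < self.open_ms:
            self._error(now_ms, "too early")      # runaway loop hammering the watchdog
        elif elapsed > self.close_ms:
            self._error(now_ms, "too late")       # stalled scheduler or hung task
        elif response != answer_for(self._question):
            self._error(now_ms, "wrong answer")   # CPU not executing the right code
        else:
            self.bad_count = 0
            ok = True
        # Model assumption: every refresh, good or bad, opens a new period
        # with a fresh question.
        self._period_start_ms = now_ms
        self._question = self._next_question()
        return ok


def mcu_service(wd: ChallengerWatchdog, now_ms: int, corrupt: bool = False) -> bool:
    """MCU task: read the question, compute the answer, write it back.
    corrupt=True models a CPU that computes the wrong value."""
    question = wd.challenge()
    answer = answer_for(question) ^ (1 if corrupt else 0)
    return wd.respond(now_ms, answer)


def run_schedule(schedule) -> ChallengerWatchdog:
    """schedule: (time_ms, corrupt) pairs in time order. Returns the SBC model."""
    wd = ChallengerWatchdog()
    for t, corrupt in schedule:
        mcu_service(wd, t, corrupt)
    return wd


# Constructed scenario: three healthy periods, then three different faults.
SCENARIO = [
    (30, False), (60, False), (90, False),
    (100, False),   # only 10 ms into the period: too early
    (125, True),    # on time but wrong answer
    (200, False),   # 75 ms: too late -> third error -> FS0b
]

if __name__ == "__main__":
    wd = run_schedule(SCENARIO)
    for t, reason in wd.log:
        print(f"t={t:4d} ms  {reason}")
    print("fail-safe:", wd.fail_safe)
```

The window lower bound is what makes this stronger than a timeout alone: software that has crashed into a loop that still toggles the refresh pin is caught as "too early", and the per-period question means the refresh can only be produced by code that actually ran the answer computation in that period.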

Safety Software – AUTOSAR based software

Safety-Related Functional Components
• safety MCAL (sMCAL)
• safety Motor Control Lib (sMCLib)

Safety Service Components
• Safety Library (SafeLib)
− Microcontroller error management
− Software support for FCCU, MEMU, LBIST, MBIST
− Hardware error collection
− Safety error reporting and reaction
• safety Operating System (sOS)

HW Safety Components
• safety Core Self Test (sCST)
• safety Peripheral Test Library (sPTLib)

Software Partnerships
• Partnering with leading third-party software providers for automotive and industrial

(Figure: layered stack on the microcontroller: MCAL and sMCAL with sCST/sDST at the bottom, the operating system and safety library beside the BSW and complex sBSW, the RTE above them, and the customer applications on top.)

Safety Support – FMEDA, Documentation & More

FSL QM Products - Typical Deliverables
• Safety analysis of architecture: Safety FMEA or FTA
• User guide: Safety Application Note
• Development process evidence: PPAP, Quality Plan (mapping to ISO 26262 / IEC 61508 checklists)

ISO 26262 or IEC 61508 Products – Typical Deliverables
• Safety analysis of architecture: FMEDA, CCA or FTA
• User guide: Safety Manual
• Development process evidence: PPAP, Safety Plan, Certificates

Local Support
• Functional safety field experts

Learning
• Field training / workshops, delivered by local functional safety FAE experts

What is an FMEDA?

(Figure: the gates of a circuit are divided into those unused by the safety function and those used by it; each used gate may have various possible failure modes, each with a failure rate. A failure mode's reaction is one of: avoided by design or usage, detected by a diagnostic, switches to the safe state, all of which are "controlled", or an "uncontrolled" catastrophic event.)

FMEDA calculates absolute and relative values:
• Uncontrolled failures per hour
• Controlled / total failures per hour

How to set up an FMEDA - Template

Approach used in the FMEDA template (figure):
• Divide the circuitry into elements; the elements are listed in 
ISO 26262-5 Table D.1
• Apply the typical failure modes for each element; the failure models are listed in ISO 26262-5 Table D.1
• Apply the typical diagnostic coverage for each failure model of an element (diagnostic coverage measures 1, 2, 3, 4 in the figure)
• DC is assessed by engineering judgment or analytic calculation
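The arithmetic the template feeds, as an added Python example rather than Freescale's FMEDA workbook: each element carries a failure rate, the diagnostic coverage of the mechanism that keeps it from violating the safety goal, and the coverage of the latent-fault tests for what remains; from those the block computes SPFM, LFM and a first-order PMHF (single-point plus residual only; the Annex C dual-point term is neglected) and checks them against the ISO 26262-5 targets, including a tighter PMHF allocation like the 1% budget in the EPS example earlier in the deck. The element list, failure rates (in FIT) and coverage figures are constructed; the small unmonitored block in the baseline is what drags SPFM below the ASIL D threshold, which is exactly the effect the FMEDA is there to reveal.

```python
"""FMEDA arithmetic behind SPFM, LFM and PMHF (ISO 26262-5:2011, Annex C).

Added worked example; it is not Freescale's FMEDA template. The element list,
failure rates and coverage figures are constructed to show the mechanics, and
PMHF is the first-order single-point + residual term only (the dual-point
contribution of Annex C is neglected). Failure rates are in FIT
(1 FIT = 1e-9 failures per hour).
"""
from dataclasses import dataclass
from typing import Optional

# ISO 26262-5 Tables 4, 5 and 6: (min SPFM, min LFM, max PMHF in 1/h).
ASIL_TARGETS = {
    "B": (0.90, 0.60, 1e-7),
    "C": (0.97, 0.80, 1e-7),
    "D": (0.99, 0.90, 1e-8),
}


@dataclass(frozen=True)
class Element:
    name: str
    fit: float      # safety-related failure rate of the element
    dc_rf: float    # coverage of the mechanism preventing violation of the goal (0 = none)
    dc_lat: float   # coverage of latent-fault tests (LBIST/MBIST, self test) for the rest

    @property
    def spf_or_rf(self) -> float:
        """Single-point (dc_rf == 0) or residual faults: violate the goal directly."""
        return self.fit * (1.0 - self.dc_rf)

    @property
    def mpf(self) -> float:
        """Multiple-point faults: need a second fault (of the mechanism) to violate."""
        return self.fit - self.spf_or_rf

    @property
    def mpf_latent(self) -> float:
        """Multiple-point faults that are neither detected nor perceived."""
        return self.mpf * (1.0 - self.dc_lat)


@dataclass(frozen=True)
class Metrics:
    spfm: float
    lfm: float
    pmhf: float     # 1/h


def fmeda(elements) -> Metrics:
    total = sum(e.fit for e in elements)
    single = sum(e.spf_or_rf for e in elements)
    multi = sum(e.mpf for e in elements)
    latent = sum(e.mpf_latent for e in elements)
    spfm = 1.0 - single / total
    lfm = 1.0 - latent / multi if multi else 1.0
    pmhf = single * 1e-9                 # first-order term only, see module docstring
    return Metrics(spfm, lfm, pmhf)


def meets(m: Metrics, asil: str, pmhf_target: Optional[float] = None) -> bool:
    """Check against the standard's targets; pmhf_target tightens the PMHF
    budget to the share allocated to this element (the deck's EPS example
    gives the MCU 1 % of the goal's ASIL D budget)."""
    spfm_min, lfm_min, pmhf_max = ASIL_TARGETS[asil]
    if pmhf_target is not None:
        pmhf_max = min(pmhf_max, pmhf_target)
    return m.spfm >= spfm_min and m.lfm >= lfm_min and m.pmhf < pmhf_max


# Constructed MCU-like element list (values illustrative only).
BASELINE = [
    Element("processing unit (lockstep)", 200, 0.995, 0.95),   # comparator; LBIST
    Element("SRAM (SEC-DED ECC)",         150, 0.995, 0.90),   # ECC; MBIST
    Element("Flash (ECC)",                100, 0.990, 0.90),
    Element("clock (CMU)",                 20, 0.990, 0.90),
    Element("power (voltage monitors)",    20, 0.990, 0.90),
    Element("glue logic, unmonitored",     10, 0.000, 0.00),   # pure single-point faults
]
# Same design with the glue logic brought under a checker plus a self test.
HARDENED = BASELINE[:-1] + [Element("glue logic, checked", 10, 0.90, 0.50)]

if __name__ == "__main__":
    for label, elems in (("baseline", BASELINE), ("hardened", HARDENED)):
        m = fmeda(elems)
        print(f"{label}: SPFM {m.spfm:.2%}  LFM {m.lfm:.2%}  "
              f"PMHF {m.pmhf:.2e}/h  ASIL D: {meets(m, 'D')}")
```

The baseline lands at roughly 97% SPFM, enough for ASIL C but not D, even though every large block is 99% covered: 10 FIT of uncovered logic out of 500 FIT total is a 2% single-point share on its own. Covering it at 90% lifts SPFM above 99% and brings the first-order PMHF under 10^-8 /h, but still not under a 10^-10 /h allocation, which is the kind of gap that has to be closed by system-level measures rather than on the MCU alone.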

ISO 26262-5 (Elements and Failure Models)

(Figures: FMEDA sheets for Supply, Clock, Flash, SRAM and the Processing Unit, each with its failure rate table)

Reference ISO 26262-5:2011

Tailor Made FMEDA

• FMEDA enables temperature profile adaptation
• FMEDA enables selection of the package used
• FMEDA enables selection of the enabled diagnostic measures (tailored to the application)
• FMEDA automatically generates a customer-specific FMEDA
• Called "Dynamic FMEDA"

Dynamic FMEDA

• Additionally - FMEDA Report
− Summarizing the assumptions and the method of the inductive functional safety analysis activities based on the FMEDA carried out for the MCU

Safety Support – Safety Manual

Safety Manual for Analog Solution / Safety Manual for MCU Solution / Safety Manual for MPC574xP

• Objective
− Enables customers to extract the full value of Freescale's functional safety offering
− Simplify integration of Freescale's safety products into applications
− A comprehensible description of all information relating to FS in a single entity, to ensure integrity of the information and links with the datasheet

• Content
− MCU safety context description
− MCU safety concept description
− System level hardware assumptions
− System level software assumptions
− Pseudo-code or C code to simplify adoption of the safety software requirements
− FMEDA summary (full details provided in the FMEDA Report)
− Dependent Failures Analysis summary (full details provided in the DFA Report)

Safety Support – System Level Application Notes

Design guidelines for
• Integration of microcontroller and analog & power management device
• Explains the main individual product safety features
• Uses a typical electric power steering application to explain product alignment
• Covers the ASIL D safety requirements that are satisfied by using both products:
− MPC5643L requires external measures to support a system level ASIL D safety level
− MC33907/08 provides those external measures: external power supply and monitor, external watchdog timer, error output monitor

Supporting Material for Functional Safety

• SafeAssure @ www.freescale.com/SafeAssure
• Certification package under NDA
• App notes, white papers, articles
• On-demand training