Looking at automotive safety design from the Freescale SafeAssure functional safety assurance scheme

In the ten minutes it takes to read this article, more than 20 people around the world will have died in road accidents, about 90% of them in developing countries such as China (data from World Health Organization statistics). While cars benefit mankind, it is a tragedy that, in an era of unprecedented technological development, traffic accidents still pose such a major threat to public safety.

Since the birth of the car, people have never stopped pursuing safer driving. Early passive safety measures such as seat belts and, later, airbags have saved tens of millions of lives, and the active safety features that followed, such as ABS (Anti-lock Braking System), ESP (Electronic Stability Program) and EBD (Electronic Brakeforce Distribution), have again greatly improved car safety. Even so, traffic accidents remain one of the largest causes of unnatural death and injury.
Figure 1 World Health Organization statistics: 1.3 million people die in traffic accidents every year worldwide, and 50 million are injured
“As systems grow more complex and software and electromechanical devices are used more widely, the risk of traffic accidents caused by system failures and random hardware failures also increases. In recent years, therefore, a new automotive safety concept, safety prediction, has begun to appear,” said Dr. Yolanda, global product marketing manager of Freescale’s Asia-Pacific Automotive and Industrial Solutions Division, at the recent “2012 Industry and Technology Outlook Media Seminar”. “With safety prediction, the system can detect faults in real time and give early warning so that faults are prevented before they occur. This is the concept of automotive functional safety that everyone is now advocating.” To this end, Freescale has launched a safety assurance program named “SafeAssure”, which aims to help system manufacturers meet functional safety standards in the automotive and industrial markets more easily, greatly reducing development difficulty and shortening the development cycle.
Figure 2 Evolution of automotive safety systems: the emergence of functional safety based on safety prediction
From IEC 61508 to ISO 26262: the evolution of automotive functional safety
Before ISO 26262 was published in November 2011, the functional safety standard the automotive industry followed was IEC 61508, the basic functional safety standard for electrical, electronic and programmable electronic systems. As a generic basic safety standard, however, it has many shortcomings when applied to the particular needs of the automotive industry, especially given the rapidly increasing complexity of automotive systems in recent years. ISO 26262, derived from IEC 61508, is tailored to today’s automotive industry; in particular, its requirements for hardware development and software development fit the actual situation of the advanced automotive industry.
ISO 26262 assigns the system, or a part of it, an Automotive Safety Integrity Level (ASIL) from A to D according to the degree of safety risk (assessed from the severity, exposure and controllability of each hazard); ASIL D is the highest level and carries the most stringent safety requirements. System suppliers must meet these higher design requirements as the safety level increases.
Safety activities always run alongside the usual functional and quality-related R&D activities and product production. ISO 26262 addresses all safety-related aspects of R&D and production and provides a safety life-cycle concept for automotive safety that supports each stage of that life cycle. It covers the complete functional safety development process, including planning, design, implementation, integration, verification, validation and configuration management.
The SafeAssure safety solution
Freescale announced its SafeAssure safety solution two months before ISO 26262 was published, the first such program in the industry. “SafeAssure is a solution designed for functional safety standards in the automotive and industrial markets, helping companies simplify the compliance process, shorten development time and reduce complexity,” Yolanda pointed out. “Based on the SafeAssure functional safety assurance solution, manufacturers can easily achieve system safety levels from ASIL-A to ASIL-D and SIL-1 to SIL-4.”
Figure 3 Freescale’s Xi Yunxia: based on the SafeAssure functional safety assurance scheme, manufacturers can easily implement system safety standards from ASIL-A to ASIL-D
The SafeAssure assurance program covers Freescale’s family of technologies, including microcontrollers, analog and power management ICs, and sensors. The SafeAssure safety solution supports manufacturers in four areas:
Safety process: products are defined and designed to meet the requirements of each standard, with functional safety an integral part of the product development process.
Safety hardware: fault control is achieved through safety features built into Freescale microcontrollers, power management ICs and sensors, such as self-tests, monitoring and hardware-based redundancy. Freescale automotive analog devices provide additional system-level safety features, including monitoring of microcontroller timing and voltage, and fault management.
Safety software: comprehensive automotive functional safety software, including an AUTOSAR OS, MCAL, drivers and core self-test functions, plus partnerships with leading third-party software providers to bring further safety software solutions to market.
Safety support: Freescale draws on its extensive technical capabilities to provide customer training and system design reviews on functional safety architectures, together with extensive safety documentation and technical support.
The main goal of SafeAssure is to reduce complexity. To simplify failure analysis, Freescale also provides an important analysis tool, Failure Modes, Effects and Diagnostic Analysis (FMEDA). The tool takes the customer’s complete data set and calculates whether the result meets the functional safety requirements. FMEDA lets customers compute the final functional safety metrics for their own application, which is how the SafeAssure scheme effectively simplifies functional safety design work.
Looking at functional safety mechanisms from the MPC5643L MCU
“The idea of hardware safety is primarily to detect and eliminate random hardware failures, using built-in safety mechanisms including self-tests, monitoring and hardware-based redundancy,” Yolanda noted. Functional safety mechanisms built into Freescale microcontrollers, power management ICs and sensors achieve effective fault control and so fulfil the target markets’ requirements for functional safety design.
Functional safety design requires anticipating possible failures, including single-point failures, latent failures and common cause failures. For ASIL D, the highest level in ISO 26262, the system must detect more than 99% of single-point faults (single-point fault metric) and more than 90% of latent faults (latent fault metric). For example, if the system as a whole must have a failure rate below 10^-8 per hour, the share of that budget allocated to the microcontroller must be below 10^-9 per hour. “Our microcontroller design process is more stringent, and the probability of errors is smaller,” Yolanda said. “The MPC5643L is a microcontroller that Freescale launched for functional safety, and its design reflects the functional safety design concept.”
Redundant design is one of the most effective ways to make a system fail-safe, and the MPC5643L uses it extensively to meet strict functional safety requirements. It has two e200 cores that run in lockstep: both execute the same instruction stream and their outputs are compared, so any divergence between the cores is flagged as a fault. The MPC5643L also duplicates major modules such as watchdog timers, memory control units, buses and peripherals. To guard against single-point failures, its built-in flash memory has automatic error correction (ECC).
Many systems work normally at first but develop failures after a few years because of external factors; this is the idea of a latent failure, and functional safety design must take latent failures into account. “In the past, protection against latent failures was implemented in software: after every microcontroller reset the software would check all memory and logic. In the MPC5643L this check is implemented in hardware as built-in self-test, which is a very important functional safety requirement for microcontrollers; the self-test achieves more than 90% fault detection coverage of memory, logic and peripherals,” Yolanda pointed out.
Common cause failures also need to be considered. “What is a common cause failure? For example, the clock is supplied to many modules, and the supply voltage to the whole microcontroller. Temperature is another important consideration: if the chip temperature is too high, the chip may fail,” Yolanda explained. “These common cause failures need to be detected, and the MPC5643L monitors clock, voltage and temperature.” Ordinary MCUs, designed with cost and their target environment in mind, lack such features as on-chip temperature sensing for handling common cause failures.
In addition, the MPC5643L integrates a Fault Collection and Control Unit (FCCU), an error collection and response module that is independent of the CPU, runs on its own clock and operates entirely on its own, collecting these faults and taking the corresponding response measures. Conventional microcontrollers have no such module.
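As an added example (not from the article, and not Freescale code or MPC5643L data), the following Python script carries out the kind of FMEDA calculation referred to above: it takes a constructed failure-mode table for a microcontroller, applies the single-point fault metric, latent fault metric and PMHF formulas of ISO 26262-5, and checks them against the ASIL targets (99% / 90% / 10^-8 per hour for ASIL D) and the 10^-9 per hour microcontroller budget quoted earlier. It compares two constructed models, one relying only on software checks after reset and one with the hardware mechanisms just described (lockstep, ECC, built-in self-test, clock and voltage monitors). Every FIT value and coverage figure is an assumption chosen for illustration; the PMHF is approximated by the residual single-point rate, neglecting dual-point contributions.

```python
"""ISO 26262-5 hardware architectural metrics from an FMEDA-style table.

Added example; the failure rates and coverage figures are constructed
assumptions, not Freescale or MPC5643L data.
"""
from dataclasses import dataclass

FIT = 1e-9  # one failure in 1e9 hours

# ISO 26262-5 targets per ASIL: (SPFM, LFM, PMHF per hour)
ASIL_TARGETS = {
    "B": (0.90, 0.60, 1e-7),
    "C": (0.97, 0.80, 1e-7),
    "D": (0.99, 0.90, 1e-8),
}


@dataclass(frozen=True)
class Element:
    """One safety-related hardware element of the MCU."""
    name: str
    fit: float        # raw failure rate in FIT (constructed value)
    dc_spf: float     # coverage of the mechanism that stops a fault violating the safety goal
    dc_latent: float  # coverage of latent-fault diagnostics (BIST etc.) on the faults dc_spf catches


def fmeda(elements):
    """Return SPFM, LFM and PMHF for a list of Elements.

    residual: faults the primary mechanism misses, so they can violate the goal directly
    latent:   faults the primary mechanism would catch, but whose diagnostics are not
              themselves verified, so they can sit undetected for years
    """
    total = sum(e.fit for e in elements)
    residual = sum(e.fit * (1.0 - e.dc_spf) for e in elements)
    latent = sum(e.fit * e.dc_spf * (1.0 - e.dc_latent) for e in elements)
    return {
        "spfm": 1.0 - residual / total,
        "lfm": 1.0 - latent / (total - residual),
        # PMHF approximated by the residual single-point rate; dual-point
        # contributions are neglected (simplifying assumption)
        "pmhf_per_hour": residual * FIT,
    }


def meets_asil(metrics, asil):
    spfm_t, lfm_t, pmhf_t = ASIL_TARGETS[asil]
    return (metrics["spfm"] >= spfm_t
            and metrics["lfm"] >= lfm_t
            and metrics["pmhf_per_hour"] < pmhf_t)


def within_mcu_budget(metrics, budget_per_hour=1e-9):
    """Share of a 1e-8/h system target allocated to the MCU, as in the article."""
    return metrics["pmhf_per_hour"] < budget_per_hour


# Constructed model A: software-only checks run after reset (no hardware mechanisms)
SOFTWARE_ONLY = [
    Element("cpu core", 20.0, dc_spf=0.90, dc_latent=0.50),   # plausibility checks
    Element("flash", 10.0, dc_spf=0.90, dc_latent=0.50),      # periodic checksum
    Element("sram", 10.0, dc_spf=0.90, dc_latent=0.50),       # march test at boot
    Element("clock", 2.0, dc_spf=0.60, dc_latent=0.50),       # no clock monitor
    Element("supply", 2.0, dc_spf=0.60, dc_latent=0.50),      # no voltage monitor
]

# Constructed model B: hardware mechanisms of the kind described for the MPC5643L
HARDWARE_MECHANISMS = [
    Element("cpu core", 20.0, dc_spf=0.999, dc_latent=0.95),  # lockstep compare + LBIST
    Element("flash", 10.0, dc_spf=0.99, dc_latent=0.95),      # ECC + BIST
    Element("sram", 10.0, dc_spf=0.99, dc_latent=0.95),       # ECC + MBIST
    Element("clock", 2.0, dc_spf=0.99, dc_latent=0.90),       # clock monitor
    Element("supply", 2.0, dc_spf=0.99, dc_latent=0.90),      # voltage monitor
]

if __name__ == "__main__":
    for label, model in (("software only", SOFTWARE_ONLY),
                         ("hardware mechanisms", HARDWARE_MECHANISMS)):
        m = fmeda(model)
        print(f"{label:20s} SPFM={m['spfm']:.4f} LFM={m['lfm']:.4f} "
              f"PMHF={m['pmhf_per_hour']:.2e}/h ASIL D: {meets_asil(m, 'D')} "
              f"MCU budget: {within_mcu_budget(m)}")
```

With these assumed figures the software-only model reaches a single-point fault metric of about 87% and a PMHF of 5.6e-9 per hour, failing both the ASIL D target and the microcontroller budget, while the hardware-mechanism model reaches about 99.4% / 94.5% at 2.6e-10 per hour and passes. The point of the exercise is that the metrics are dominated by the few faults the primary mechanisms miss, which is why a lockstep comparator or ECC with coverage well above 99% matters far more than the absolute failure rate of the silicon.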
Figure: Various fail-safe mechanisms
Summary of this article
According to Yolanda, safety prediction based on functional safety is already mature in developed markets such as Europe, the United States and Japan, and many related products are about to reach the market, but it has only just started in China. As a landmark application of safety prediction, advanced driver assistance systems (ADAS) have entered the development process of many high-end vehicles. Freescale, for example, provides a complete set of ADAS solutions, including rear-view parking assistance, surround-view assistance, and forward-looking safety prediction (lane departure warning, adaptive cruise control, etc.). In fact, many of the world’s leading automotive semiconductor suppliers are now targeting ADAS, and the widespread application of functional-safety-based automotive safety prediction is just around the corner.
