Toshiba Electronic Components.

Automotive Microcontrollers

Fig. 1 The safety mechanisms used in the microcontroller

Systems for Safer Vehicles

Safety features such as airbags and ABS are now fitted to some of today's most basic cars, reflecting increasing buyer demand for safer vehicles as well as government concern over the economic and social costs of road-traffic accidents.  More sophisticated electronic stability control and electric power steering systems have also become standard.  Brake-by-wire and steer-by-wire systems, however, are only slowly finding their way into production cars.  Applications such as these, which are completely decoupled from the mechanical system, require highly sophisticated safety mechanisms to avoid accidents.  Here microcontrollers (MCUs) with an advanced functional safety concept can help to realize new automotive applications; they must also continue to meet the established standards for use in safety-critical systems, namely IEC 61508 and ISO 26262.

 

The safety architecture of the microcontroller

The MCU uses an optimized combination of safety mechanisms, as summarized in Figure 1.  The backbone of the safety architecture is a library of fault-supervision IP blocks (faultRobust IPs, or fRIPs).

The fRIPs are architecturally and functionally diverse with respect to the MCU sub-block they supervise: in this way common-cause failures are intrinsically reduced without the need for additional layout or hardware measures.  Functional safety is guaranteed for the complete subsystem, i.e. latent faults (such as faults in the safety mechanisms themselves that could mask a fault in the supervised logic) are detected by HW/SW checking circuitry implemented in each fRIP.  Moreover, the fRIPs deliver detailed diagnostic information, such as the type of error (load/store fault, register fault, memory bit flip, bus matrix fault) and context information (last instruction executed without errors, address of the faulty location, bus slave addressed during the fault, etc.).

Figure 2 shows the error handling strategy of a Toshiba MCU, achieved thanks to the detailed diagnostic information provided by the fRIPs.

When a fault is detected by one of the fRIPs (e.g. the fRCPU), the fRNET is informed and the diagnostic information is read.  Based on the (configurable) severity of the error, the MCU can either switch directly to a hard-wired safe state (in which all outputs are fixed to a safe value) or continue operating: it uses the diagnostic information (which instruction went wrong, which CPU registers were corrupted, etc.) to implement software-based recovery/retry tasks and restarts operations without entering the safe state.  The possibility to "quickly and cleanly" restart the Cortex-M3 and the fRCPU is one of the key advantages of the proposed architecture compared to dual-core lock-step, which always requires a full reset of the lock-step pair after a fault has been detected (otherwise the alignment between the two cores is lost): that reset procedure easily takes several ms, so availability can be seriously affected.
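As an added illustration of the severity-driven choice described above (this is constructed example code, not Toshiba's fault manager and not the fRNET interface; every type, name, address and threshold in it is hypothetical), the following C model reads a diagnostic record and either latches the safe state or schedules a software retry. It also adds two checks a practitioner would want that the paragraph does not mention: the retry budget is bounded, so a fault that keeps recurring cannot hold the MCU in a retry loop indefinitely, and the budget is refilled after a clean cycle, so sporadic soft errors do not accumulate into a spurious safe-state entry.

```c
/* Added example, not Toshiba code: a model of the severity-driven decision a fault
 * manager makes after a supervisor reports an error. All types, names, thresholds
 * and addresses below are hypothetical. */
#include <stdint.h>
#include <stdbool.h>

typedef enum {               /* the fault classes the article lists as diagnostics */
    FAULT_LOAD_STORE = 0,
    FAULT_REGISTER,
    FAULT_MEM_BIT_FLIP,
    FAULT_BUS_MATRIX,
    FAULT_TYPE_COUNT
} fault_type_t;

typedef enum { SEV_RECOVERABLE, SEV_FATAL } severity_t;
typedef enum { ACTION_RETRY, ACTION_SAFE_STATE } action_t;

typedef struct {             /* diagnostic record as a supervisor would deliver it */
    fault_type_t type;
    uint32_t last_good_pc;   /* last instruction executed without errors */
    uint32_t fault_addr;     /* faulty memory location or addressed bus slave */
    uint32_t corrupt_regs;   /* bitmask of CPU registers flagged as corrupted */
} diag_record_t;

typedef struct {             /* application-configurable severity policy */
    severity_t severity[FAULT_TYPE_COUNT];
    uint8_t max_retries;     /* consecutive software recoveries allowed before escalation */
} safety_config_t;

typedef struct {
    uint8_t retries_used;    /* consecutive recoveries since the last clean cycle */
    bool in_safe_state;      /* latched: only a reset or external action may clear it */
    uint32_t resume_pc;      /* where execution restarts after a recovery */
} mcu_state_t;

#define SAFE_OUTPUT_VALUE 0u
static uint32_t g_outputs = 0x5A5Au;   /* modelled actuator outputs */

static void enter_safe_state(mcu_state_t *s) {
    s->in_safe_state = true;
    g_outputs = SAFE_OUTPUT_VALUE;     /* "all outputs fixed to a safe value" */
}

/* Decision taken in the fault manager once the supervisor's record has been read. */
action_t handle_fault(const safety_config_t *cfg, mcu_state_t *s, const diag_record_t *d) {
    if (s->in_safe_state)
        return ACTION_SAFE_STATE;
    if ((unsigned)d->type >= FAULT_TYPE_COUNT        /* unknown class: treat as fatal */
        || cfg->severity[d->type] == SEV_FATAL
        || s->retries_used >= cfg->max_retries) {    /* retry budget exhausted */
        enter_safe_state(s);
        return ACTION_SAFE_STATE;
    }
    s->retries_used++;
    /* Software recovery: reload the flagged registers from a shadow copy (not modelled)
     * and resume at the last instruction known to be good. */
    s->resume_pc = d->last_good_pc;
    return ACTION_RETRY;
}

/* A cycle completed with no supervisor report refills the retry budget. Without this,
 * sporadic soft errors would eventually push a long-running MCU into the safe state. */
void report_clean_cycle(mcu_state_t *s) {
    if (!s->in_safe_state)
        s->retries_used = 0;
}

uint32_t current_outputs(void) { return g_outputs; }

static safety_config_t example_config(void) {
    safety_config_t c = { { SEV_RECOVERABLE, SEV_RECOVERABLE, SEV_RECOVERABLE, SEV_FATAL }, 2 };
    return c;
}

/* Three constructed scenarios; each returns a value a caller can check. */
int scenario_repeated_register_faults(void) {   /* index of the fault that trips the safe state */
    safety_config_t cfg = example_config();
    mcu_state_t st = { 0, false, 0 };
    diag_record_t d = { FAULT_REGISTER, 0x0800A120u, 0, 1u << 3 };
    for (int i = 0; i < 5; i++)
        if (handle_fault(&cfg, &st, &d) == ACTION_SAFE_STATE)
            return i;
    return -1;
}

bool scenario_bus_fault_is_fatal(void) {        /* fatal class: safe state on first report */
    safety_config_t cfg = example_config();
    mcu_state_t st = { 0, false, 0 };
    diag_record_t d = { FAULT_BUS_MATRIX, 0x0800B000u, 0x40021000u, 0 };
    g_outputs = 0x5A5Au;
    return handle_fault(&cfg, &st, &d) == ACTION_SAFE_STATE && current_outputs() == SAFE_OUTPUT_VALUE;
}

bool scenario_sporadic_faults_stay_available(void) {  /* clean cycles between faults: never trips */
    safety_config_t cfg = example_config();
    mcu_state_t st = { 0, false, 0 };
    diag_record_t d = { FAULT_MEM_BIT_FLIP, 0x0800C040u, 0x20000100u, 0 };
    for (int i = 0; i < 10; i++) {
        if (handle_fault(&cfg, &st, &d) != ACTION_RETRY) return false;
        report_clean_cycle(&st);
    }
    return !st.in_safe_state && st.resume_pc == 0x0800C040u;
}
```

The three scenarios at the bottom show the trade-off the text describes: availability comes from retrying recoverable fault classes without a reset, while a class configured as fatal, or a recoverable fault that repeats beyond the budget, still ends in the latched, hard-wired safe state.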

 

 

Many solutions exist in the market and literature to provide safety and/or availability.  In the dual-core lock-step architecture (see Figure 3), there are two identical CPUs in lock-step configuration, where the first CPU controls the system when no faults occur.

The second CPU provides a clock-cycle-by-clock-cycle check of the primary CPU in terms of the addresses, data and control signals on the bus.  To confirm that both CPUs are healthy, both must respond to the same data in the same way.  Such architectures carry cost or performance penalties.

Toshiba now introduces a flexible MCU architecture that guarantees safety and availability by introducing as much robustness as needed and no more.  This is done by avoiding unnecessary redundancy and minimizing the impact on system performance, thereby maximizing the use of the available resources.

 

Targeting safety but also availability

The small gate-count overhead of the fRCPU (less than 40% of the CPU gate count) allows the implementation of a fail-functional architecture (see Figure 4).

Each channel performs its own tasks, and in case of a fault in one of the two cores the other core can take over that core's tasks (reduced operation, i.e. graceful degradation).  Alternatively, the architecture can be used in a configuration in which both channels perform the same tasks; in case of a fault in one of the two cores, the mission is carried on by the other channel (full fail-operational, hardware fault tolerance HFT=1).  See Figure 5.
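The two configurations above differ in what the surviving core has to absorb. The following added C example (constructed for this page, not Toshiba's scheduler; task names, loads and the capacity figure are invented) models both: in the replicated, HFT=1 configuration the survivor already runs the whole mission, while in the split configuration it inherits the failed core's tasks and, if its cycle budget is exceeded, sheds non-critical tasks first. The case the paragraph does not spell out is also handled: when even the critical tasks no longer fit, graceful degradation is not possible and the only remaining option is the safe state.

```c
/* Added example, not Toshiba code: task reassignment in a two-channel MCU after one
 * core is taken out of service by its supervisor. Task names, loads and the capacity
 * figure are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_TASKS 8

typedef struct {
    const char *name;
    uint8_t load;       /* share of one core's cycle budget, arbitrary units */
    bool critical;      /* may never be shed; if it cannot run, safe state is the only option */
} task_t;

typedef enum { MODE_SPLIT, MODE_REPLICATED } channel_mode_t;

typedef struct {
    uint8_t capacity;                /* load units one core can sustain */
    task_t tasks[2][MAX_TASKS];      /* task sets of channel 0 and channel 1 */
    int n_tasks[2];
} system_t;

static int total_load(const task_t *t, int n) {
    int sum = 0;
    for (int i = 0; i < n; i++) sum += t[i].load;
    return sum;
}

/* Shed the largest non-critical task; false if only critical tasks remain. */
static bool drop_one_noncritical(task_t *t, int *n) {
    int victim = -1;
    for (int i = 0; i < *n; i++)
        if (!t[i].critical && (victim < 0 || t[i].load > t[victim].load)) victim = i;
    if (victim < 0) return false;
    for (int i = victim; i + 1 < *n; i++) t[i] = t[i + 1];
    (*n)--;
    return true;
}

/* Fill 'running' (room for 2*MAX_TASKS entries) with what the surviving core executes
 * after core 'failed' (0 or 1) stops. Returns the task count, or -1 when even the
 * critical tasks no longer fit, i.e. the MCU must fall back to the safe state. */
int reassign_after_fault(const system_t *sys, int failed, channel_mode_t mode, task_t *running) {
    int survivor = failed ? 0 : 1;
    int n = 0;
    for (int i = 0; i < sys->n_tasks[survivor]; i++) running[n++] = sys->tasks[survivor][i];
    if (mode == MODE_REPLICATED)
        return n;                /* HFT=1: the survivor already runs the whole mission */
    for (int i = 0; i < sys->n_tasks[failed]; i++) running[n++] = sys->tasks[failed][i];
    while (total_load(running, n) > sys->capacity)
        if (!drop_one_noncritical(running, &n)) return -1;
    return n;                    /* graceful degradation: critical tasks kept, others shed */
}

/* Constructed scenarios. */
static system_t split_system(uint8_t capacity) {
    system_t s = { capacity, { { { "steering", 5, true }, { "diag-log", 2, false } },
                               { { "brake", 4, true }, { "comfort", 3, false } } }, { 2, 2 } };
    return s;
}

int scenario_split_core1_fails(void) {          /* survivor sheds both non-critical tasks */
    task_t running[2 * MAX_TASKS];
    system_t s = split_system(10);
    return reassign_after_fault(&s, 1, MODE_SPLIT, running);
}

bool scenario_split_core1_fails_runs(const char *name) {
    task_t running[2 * MAX_TASKS];
    system_t s = split_system(10);
    int n = reassign_after_fault(&s, 1, MODE_SPLIT, running);
    for (int i = 0; i < n; i++)
        if (strcmp(running[i].name, name) == 0) return true;
    return false;
}

int scenario_split_overloaded(void) {           /* capacity too small even for critical tasks */
    task_t running[2 * MAX_TASKS];
    system_t s = split_system(8);
    return reassign_after_fault(&s, 1, MODE_SPLIT, running);
}

int scenario_replicated_core0_fails(void) {     /* HFT=1: nothing is lost */
    task_t running[2 * MAX_TASKS];
    system_t s = { 10, { { { "steering", 5, true }, { "brake", 4, true } },
                         { { "steering", 5, true }, { "brake", 4, true } } }, { 2, 2 } };
    return reassign_after_fault(&s, 0, MODE_REPLICATED, running);
}
```

The shedding order (largest non-critical task first) is a design choice for the example; a real schedule would shed by a fixed priority table reviewed in the safety analysis, and the -1 result is the signal that the fail-functional path has run out and the hard-wired safe state must be entered.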

Conclusions

Several approaches exist to implement MCUs for life-critical equipment such as airbags, electric power steering (EPS), hybrid and electric vehicles, engine control and electronic stability control (ESC). However, only some of them are capable of fulfilling the strict requirements of the functional safety norms, and most of them entail additional costs in terms of overhead (area, power and performance) or development, validation and certification effort. The presented flexible MCU architecture guarantees compliance with IEC 61508 and ISO 26262 and at the same time reduces HW/SW costs by using pre-certified HW fault supervisors, which are optimized with the help of a specific FMEA methodology. The proposed approach, in which intelligent fault supervisors are distributed all over the MCU, allows both fail-safe and fail-functional operation without compromising on cost.

 

Copyright 2009 TOSHIBA Electronics Europe GmbH, All Rights Reserved.