Systems for Safer Vehicles
Safety features such as airbags and ABS are now fitted on some of today's most basic cars, reflecting increasing buyer demand for safer vehicles, as well as government concerns over the economic and social costs of road-traffic accidents. More sophisticated electronic stability control systems and electric power steering have already become standard. Still brake and steer-by-wire systems are only slowly being implemented in cars. In particular such applications completely decoupled from mechanical systems require a highly sophisticated safety mechanism to avoid accidents. Here microcontrollers (MCUs) with an advanced functional safety concept can help to realize new automotive applications and must continue to meet the established standards for use in safety-critical systems; namely IEC61508 (for SIL3 systems) and ISO26262 (for ASIL C and ASIL D systems).
The Safety Architecture of Toshiba Microcontrollers
The MCU uses an optimized combination of safety mechanisms, as summarized in Figure 1. The backbone of the safety architecture is implemented using a library of Intellectual Properties (faultRobust IPs or fRIPs as well as Toshiba Hardware Diagnostic circuits or ThwDs). This includes an extra network (fRNET) which allows fast fault signalling including exact fault context information.
Generic Example of a Diagnostic Circuit
Figure 2 shows the architecture of a typical diagnostic hardware circuit. Apart from comparing input and output Toshiba implemented a so called faultRobust diagnostic interface (fRDI) in order to achieve faster and more detailed fault information.
Those supervisors are architecturally and functionally diverse with respect to the MCU sub-block that they supervise: in this way, common-cause failures are intrinsically reduced without the need of additional layout/HW measures. Functional safety is guaranteed for the complete subsystem, i.e. latent faults (such as faults in the safety mechanisms that could mask a fault in the supervised logic) are detected thanks to HW/SW checking circuitry implemented in each fRIPs. Moreover, they deliver detailed diagnostic information, such as the type of error (load/store fault, register fault, memory bit flip, bus matrix fault) and context information (last instruction executed without errors, address of faulty location, bus slave addressed during the fault, etc…).
Centralized vs Distributed Architecture
A "centralized" safety architecture (figure 3) has a limited view about local failures and therefore it can just control input and outputs.
- Slow reactions to failures
- Poor knowledge of root causes
A "distributed" safety architecture (figure 4) detects and controls failures locally
- Fast reactions to failures
- Wide knowledge of root causes
Can be used to improve the system availability and to guarantee the correct behaviour of a function better than a centralized architecture.
Targeting safety but also availability
Dedicated hardware diagnostic circuits at each important MCU sub-block allow a high level of fault coverage, however an additional benefit is the possibility to build a fail operational or degraded fail operational system.
The example shown in figure 5 gives only one example of a possible procedure in order to reduce number of system resets or system shut downs.
Capture and calculation of angle information.
|Capture -> BUS -> RAM -> CPU
Possible HW failure:
- Capture unit
||CPU-SW detect cause of failure
Exist on capture unit in use
- not Bus
- not ROM/RAM
- not CPU
- not Others
CPU continues operation
Change capture channel
Several approaches exist to implement MCUs for life-critical equipment such as Airbags, Electric Power Steering (EPS), Hybrid and Electrical Vehicles, Engine Control and Electronic Stability Control (ESC). However, only some of them are capable of fulfilling the strict requirements of the functional safety norms, and most of them require additional costs in terms of overheads (area, power and performance) or development, validation and certification efforts. Toshiba's flexible MCU architecture guarantees compliance with IEC 61508 and ISO 26262 and at the same time it reduces HW/SW costs by using pre-certified HW fault supervisors, which are optimized by help of a specific FMEA methodology. Toshiba's approach – in which intelligent fault supervisors are distributed all over the MCU - allows both failsafe and fail-functionality operations - without compromising costs.