Semiconductor & Storage Products Company

Functional Safety for Industrial SIL3 and Automotive ASIL D applications

Systems for Safer Vehicles

Safety features such as airbags and ABS are now fitted on some of today's most basic cars, reflecting increasing buyer demand for safer vehicles as well as government concern over the economic and social costs of road-traffic accidents.  More sophisticated electronic stability control systems and electric power steering have already become standard.  Brake-by-wire and steer-by-wire systems, however, are only slowly being introduced.  Such applications are completely decoupled from any mechanical fallback and therefore require a highly sophisticated safety mechanism to avoid accidents.  Here microcontrollers (MCUs) with an advanced functional safety concept can help to realize new automotive applications, while continuing to meet the established standards for use in safety-critical systems: IEC 61508 (for SIL3 systems) and ISO 26262 (for ASIL C and ASIL D systems).

The Safety Architecture of Toshiba Microcontrollers

The MCU uses an optimized combination of safety mechanisms, as summarized in Figure 1.  The backbone of the safety architecture is a library of safety IP blocks (faultRobust IPs, or fRIPs, and Toshiba Hardware Diagnostic circuits, or ThwDs).  This includes a dedicated fault network (fRNET) that allows fast fault signalling and carries exact fault-context information along with the fault itself.

Figure 1: The Safety Architecture of Toshiba Microcontrollers

Generic Example of a Diagnostic Circuit

Figure 2 shows the architecture of a typical diagnostic hardware circuit.  Beyond comparing the input and output of the supervised block, Toshiba implemented a so-called faultRobust diagnostic interface (fRDI) in order to deliver faster and more detailed fault information.

These supervisors (the fRIPs) are architecturally and functionally diverse with respect to the MCU sub-block that they supervise: in this way, common-cause failures are intrinsically reduced without the need for additional layout or hardware measures.  The safety concept covers the complete subsystem, including the supervisors themselves: latent faults (such as faults in a safety mechanism that could mask a fault in the supervised logic) are detected by HW/SW checking circuitry implemented in each fRIP.  Moreover, the supervisors deliver detailed diagnostic information, such as the type of error (load/store fault, register fault, memory bit flip, bus matrix fault) and context information (last instruction executed without errors, address of the faulty location, bus slave addressed during the fault, and so on).  This is what allows the software to decide whether a fault is confined to a replaceable resource or has compromised the computation path.

Figure 2: Diagnostic Circuit Example

Centralized vs Distributed Architecture

A "centralized" safety architecture (figure 3) has only a limited view of local failures: it can check inputs and outputs of the whole block, but it cannot tell which internal sub-block failed.  The consequences are:

  • Slow reactions to failures
  • Poor knowledge of root causes

Figure 3: Centralized Architecture

A "distributed" safety architecture (figure 4) detects and controls failures locally, at the sub-block where they occur.  This gives:

  • Fast reactions to failures
  • Wide knowledge of root causes

Because the root cause is known, a distributed architecture can be used to improve system availability and to guarantee the correct behaviour of a function better than a centralized architecture can.

Figure 4: Distributed Architecture


Targeting safety but also availability

Dedicated hardware diagnostic circuits at each important MCU sub-block allow a high level of fault coverage.  An additional benefit is the possibility to build a fail-operational or degraded fail-operational system: because the diagnostic information localizes the fault, software can decide whether the function can continue on a redundant resource instead of always forcing a reset.

Figure 5 shows one possible procedure for reducing the number of system resets or system shutdowns.

Function

Capture and calculation of angle information.

Figure 5: possible procedure to reduce the number of system resets or system shutdowns

Signal path of the function: Capture unit -> BUS -> RAM -> CPU

Possible HW failure locations:

  • Capture unit
  • BUS
  • ROM/RAM
  • CPU

Procedure:

  • The diagnostic circuits report the fault to the CPU, and the CPU software determines its cause from the delivered fault context.
  • If the fault exists on the capture unit in use, and not on the bus, not in ROM/RAM, not in the CPU and not in any other block, the computation path is still trustworthy.
  • The CPU continues operation and changes to another capture channel.
  • In all other cases the conventional reaction (system reset or shutdown) remains.
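The decision in figure 5, together with the fault-context record described for the diagnostic circuits, written out as a fault handler.  This is an added illustration and not Toshiba code: the record layout, the enum encodings, the channel mask and the function names are assumptions made for the example, not a Toshiba register or fRNET message format.  It also covers the contrast with a centralized architecture: a record whose root cause is not localized (the only thing a pure I/O comparison could report) can do nothing but fail safe.

```c
#include <stdint.h>
#include <stdio.h>

/* Which supervised sub-block raised the fault. The set mirrors the failure
 * locations listed for figure 5; the encoding is hypothetical, chosen for
 * this example, not a Toshiba register layout. */
enum fault_block { BLK_NONE = 0, BLK_CAPTURE, BLK_BUS, BLK_MEMORY, BLK_CPU, BLK_OTHER };

/* Error types named in the article's description of the diagnostic output. */
enum fault_type { FT_NONE = 0, FT_LOAD_STORE, FT_REGISTER, FT_MEM_BITFLIP, FT_BUS_MATRIX };

/* Fault record as a distributed diagnostic circuit could deliver it over the
 * fault network: not only "something went wrong" but where and in what context.
 * Field names are assumptions for this example. */
struct fault_record {
    enum fault_block block;
    enum fault_type  type;
    uint32_t last_good_pc;   /* last instruction executed without error */
    uint32_t fault_addr;     /* address of the faulty location */
    uint32_t bus_slave;      /* bus slave addressed when the fault occurred */
    uint8_t  capture_ch;     /* capture channel the fault was reported on */
};

enum safety_action { ACT_CONTINUE, ACT_SWITCH_CHANNEL, ACT_SAFE_STATE };

/* State of the "capture and calculation of angle information" function. */
struct angle_function {
    uint8_t  active_ch;        /* capture channel currently feeding the calculation */
    uint8_t  num_channels;     /* redundant capture channels available (<= 32) */
    uint32_t bad_ch_mask;      /* bit i set once channel i has reported a fault */
    uint32_t degraded_switches;
};

void angle_function_init(struct angle_function *f, uint8_t num_channels)
{
    f->active_ch = 0;
    f->num_channels = num_channels > 32 ? 32 : num_channels;
    f->bad_ch_mask = 0;
    f->degraded_switches = 0;
}

/* Decision logic of figure 5. Only a fault confined to the capture unit allows
 * continued operation; a fault anywhere on the bus/memory/CPU path means the
 * computed angle can no longer be trusted, so the function fails safe.
 * BLK_OTHER (root cause not localized) is treated the same way. */
enum safety_action handle_fault(struct angle_function *f, const struct fault_record *r)
{
    if (r->block == BLK_NONE)
        return ACT_CONTINUE;                 /* nothing reported */

    if (r->block != BLK_CAPTURE)
        return ACT_SAFE_STATE;               /* bus, memory, CPU or unknown */

    if (r->capture_ch >= f->num_channels)
        return ACT_SAFE_STATE;               /* inconsistent record: do not trust it */

    f->bad_ch_mask |= 1u << r->capture_ch;   /* never return to a flagged channel */

    if (r->capture_ch != f->active_ch)
        return ACT_CONTINUE;                 /* a spare channel failed; function unaffected */

    /* Active channel is faulty: move to the first channel never flagged. */
    for (uint8_t ch = 0; ch < f->num_channels; ch++) {
        if (!(f->bad_ch_mask & (1u << ch))) {
            f->active_ch = ch;
            f->degraded_switches++;
            return ACT_SWITCH_CHANNEL;       /* degraded fail-operational */
        }
    }
    return ACT_SAFE_STATE;                   /* no healthy channel left */
}

int main(void)
{
    struct angle_function f;
    angle_function_init(&f, 2);

    /* Constructed fault sequence for the demonstration (not captured data). */
    const struct fault_record seq[] = {
        { BLK_CAPTURE, FT_REGISTER,   0x1000, 0x40010000, 0x00, 0 },
        { BLK_CAPTURE, FT_REGISTER,   0x1004, 0x40010100, 0x00, 1 },
        { BLK_BUS,     FT_BUS_MATRIX, 0x1008, 0x20000040, 0x03, 0 },
    };
    static const char *names[] = { "continue", "switch channel", "safe state" };

    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        enum safety_action a = handle_fault(&f, &seq[i]);
        printf("fault %zu: block=%d last_good_pc=0x%x -> %s (active channel %u)\n",
               i, (int)seq[i].block, seq[i].last_good_pc, names[a], f.active_ch);
    }
    return 0;
}
```

The point of the channel mask is that a channel which has already reported a fault is never reused, so the number of degraded switches is bounded by the number of redundant channels and the function cannot oscillate between two faulty inputs; once no unflagged channel remains, the handler falls back to the safe state that a centralized design would have had to enter at the first fault.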


Conclusions

Several approaches exist to implement MCUs for life-critical equipment such as airbags, electric power steering (EPS), hybrid and electric vehicles, engine control and electronic stability control (ESC).  However, only some of them are capable of fulfilling the strict requirements of the functional safety standards, and most of them incur additional costs in terms of overheads (area, power and performance) or development, validation and certification effort.  Toshiba's flexible MCU architecture is designed to comply with IEC 61508 and ISO 26262 and at the same time reduces HW/SW costs by using pre-certified hardware fault supervisors, which are optimized with the help of a specific FMEA methodology.  Toshiba's approach, in which intelligent fault supervisors are distributed all over the MCU, allows both fail-safe and fail-operational behaviour without compromising on cost.

Copyright © Toshiba Electronics Europe GmbH. All Rights Reserved.