next generation safety architecture
TRANSCRIPT
Company Public – NXP, the NXP logo, and NXP secure connections for a smarter world are trademarks of NXP B.V. All other product or service names are the property of their respective owners. © 2019 NXP B.V.
Sr. Director, Central Systems SolutionsAutomotive Microcontrollers & Processors
Dev Pradhan
Next Generation Safety Architecture
October 2019 | Session #AMF-AUT-T3624
COMPANY PUBLIC 1COMPANY PUBLIC 1
• Recap on Functional Safety• Recap on ISO 26262• Next Generation Safety Concept−Hardware
−Software & Tools
• Getting Safety Support
Agenda
COMPANY PUBLIC 2
Recap on Functional Safety
COMPANY PUBLIC 3
Implementing Functional Safety is About Managing RiskThe Risk of Failure
How products are developed: Leads to Systematic Failures• Result from a failure in design or manufacturing • Addressed by a rigorous and mature development process• Relevant to Hardware and Software• Occurrence of failures can be reduced through continual and
rigorous process improvement
Unpredictable Events:Leads to Random Failures• Addressed by including mechanisms to detect and report
faults• Inherent to Process or usage condition• Relevant to Hardware only• FMEDA*, Dependency and Fault Tree Analysis help
determine sufficiency of detection mechanisms
Failures
Systematic Random
FMEDA – Failure Mode Effects and Diagnostic Analysis
COMPANY PUBLIC 4
Risk Assessment Correlated to StandardsHazard
Internal External
Malfunction Misuse Environment
Conscious Unconscious
ISO 21434
PAS 21448
ISO 26262
Source
Cause
Behavior
Standard
Functional Safety Security SOTIF
Problem
COMPANY PUBLIC 5
Recap on ISO 26262
COMPANY PUBLIC 6
ISO 26262 – Functional Safety of Road Vehicles• Vertical standard, performance based.
• First edition published in 2011, second edition released in 2018 adding guidelines for motorcycles and semiconductor− Generic guidelines (partitioning IC, IP, DFA, fault injection, etc..)− Technology specific guidelines (digital, analog, PLD, MCU, sensors)
• Follows similar structure to IEC 61508, but totally replaces instead of augmenting.
• Separates system design from hardware component design. As a result, most components used require compliance.
COMPANY PUBLIC 7
Determining ISO 26262 ASIL Level• To determine the ASIL level of a system a Risk Assessment must be
performed for all Hazards identified• Risk is comprised of three components: Severity, Exposure & Controllability
S = Severity E = Exposure C = Controllability
C1 – Simple C2 – Normal C3 – Difficult
Light
E1 (very low) QM QM QM
E2 (low) QM QM QM
E3 (medium) QM QM A
E4 (high) QM A B
Severe
E1 (very low) QM QM QM
E2 (low) QM QM A
E3 (medium) QM A B
E4 (high) A B C
Fatal
E1 (very low) QM QM A
E2 (low) QM A B
E3 (medium) A B C
E4 (high) B C D
(QM: “quality managed” no requirements from standard applied explicitly)
S1
S2
S3
COMPANY PUBLIC 8
Automotive Applications and ASIL Level (e.g.)Note: that in the context of Autonomous there is the concept of SOTIF (ISO PAS 21448) that is not covered by ISO 26262 and any ASIL
ADAS – RADAR SRR, MRR, LRR – ASILB
ADAS – Vision Data Fusion – ASILB, up to ASIL D (Autonomous Drive)
Drive Train – ElectrificationBattery Management (12V, 48V, HV) – ASILC
Drive Train – ElectrificationElectric Motor (Alterno Starter, eAxel drive…) – ASILC
Drive Train – PowerTrainTransmission, Transfer Case – ASILD Drive Train – Electrification
Inverter, DCDC Converter - ASILC
Drive Train – S&CElectric Power Steering – ASILD
Domain Gateway Body, Safety, Chassis – up to ASILD
Drive Train – S&CSuspension / Dumping – ASILC
ADAS – ACC Adaptive Cruise Control – ASILC
Drive Train – PowerTrainEngine Management Unit – ASILB
Drive Train – S&CABS, ESP – ASILD
1
2
2
34
5
1
7
18
3
ASILD
C
B
A
QM
LEGEND
6
COMPANY PUBLIC 9
Functional Safety Process Assessed to Meet ISO 26262 ASIL-D
NPI LIFECYCLE
TO CES RQ ECQS
CONCEPT DEFINITION PLANNING EXECUTION CLOSURE
PROJECT LIFECYCLE
PDA PPA R PCPCAPI
(4-6) Safety Context
(4-7) Safety Concept
(5-6) Requirements Specifications (RS)
(5-7) Detailed Design Specifications (DDTS)
(5-8,9) Initial Safety Analysis
(5-10) Validation Testing
(5-7) Block Level Verification Testing
(8-13) Qualification Testing
(5-7) Chip Level Verification Testing
ImplementSafety Documentation Silicon TestingSimulation TestingFunctional Documentation
Diagram Color Schema Development Flow Requirement Traceability
Fault Injection Testing
Fault Injection Testing
Fault Injection Testing
Input RequirementsStandard
CustomerMarketing (MRD)
Internal
Product Requirements (PRD)
Architectural Specification
Data Sheet
Reference Manual
Safety Manual
FMEDA, FTA, DFA
(7-5) Production Testing
Customer Documents
Input Document
PI GateDefine product typeQM or ISO 26262
R GateProduct Functional Safety Assessment Report & Safety Case
ISO 26262 Process
NXP Process
COMPANY PUBLIC 10
S32 Automotive PlatformSafety Concept Architecture
COMPANY PUBLIC 11
S32 Automotive Processing Platform
Highest performing ASIL-D processorsof today’s best performing safe automotive platforms1
Maximizes software Re-use within and across application domains
Delivers new levels of automotive safety, security and over-the-air (OTA) capabilities
1 Based on publicly available competitor roadmap performance statements.
COMPANY PUBLIC 12
Powertrain & Vehicle Dynamics
Vehicle Dynamics & Safety
Chassis, Safety, Torque and Energy
Management
• Long term innovator in chassis and powertrain control
• Significant growth in safety as autonomous control drives robust fault tolerant systems
Body & Comfort
General Purpose & Integrated Solutions
Body ElectronicsEdge Nodes
• Broadest portfolio of integrated MCU+HV mixed-signal solutions
• Application specific software solutions
Gateway
Connectivity & Security
Vehicle Network Processing
• #1 in vehicle networking and security
• End-to-end portfolio of networking devices
Driver Replacement
Advanced Driver Assistance Systems
Radar, LIDAR, VisionSensor Fusion
• #1 in radar processing
• Comprehensive radar, vision and central processing portfolio
MPC577S32S
S32KS12Z
S32RS32V
MPC574S32
S32 Automotive Computing Portfolio
COMPANY PUBLIC 13
Safety Targets for Next-Generation Platform
Developed as a Safety Element Out of Context (SEooC)
Following an ISO 26262 ASIL-D Safety Development Process
Supported with Complementary Safety Collateral
Sensor processingASIL B to D
Number crunching
ASIL B to D
DecisionASIL D
ProtectedMemory
ProtectedI/O
Real-time CPUsPerformance CPUs
Application specific
accelerators
COMPANY PUBLIC 14
S32 HW Safety Measures
Memory Bus
Main Bus
Coherent Bus
xRDC
xRDCxRDC
SRAM
xRDC
xRDC
DRAM
Security
HS Comms
xRDC
DMA
DMA
DMA
DMADebugTrace
xRDC
Interconnect:• Replicated Master
& Slave NIUs• Parity on all
messages• Fault Reporting• BIST
Fault Collector UnitError Injection ManagerError Recovery ManagerReset Generation ManagerSafety by Software ECC on SRAM
Logic & Memory Built-in Self Test
Clock MonitoringPower Supply Monitoring
Redundant Peripherals
Peripheral Bus
Timers
Comms
PLLs
FCCUEIM
RCCURGM
SbSW
CMUCRC
ADC
WDog
POST
STCUTimers
Comms
PLLs
ADC
xRDC xRDC xRDC xRDC
ECC on DRAM
Lockstep DMA with ECC on memories & integrated CRC
To SoC Island
Delayed Lockstep or Decoupled Performance Clusters, INT CTL
ECC on memories.
MasterCore
Comp
L1 Cache
TCMMPU
MasterCore
MPU
RTCore
Comp
L1 Cache
TCMMPU
RTCore
MPU
Delayed Lockstep Real-time Cores & INT CTL.ECC on memories
Safety Feature
L2 Cache
Perf Core
MMU
Perf Core
MMU
L2 Cache
Perf Core
MMU
Perf Core
MMU
Comp
eXtended Resource Domain Controller manages access control, system memory protection and peripheral isolation
COMPANY PUBLIC 15
Fault Management and AvailabilityPrevious Generation – State of the Art Functional Safety
S32x – Introducing availability 2019+
Lockstep mismatch MCU resetLockstep mismatch begin availability flow
No localization of fault beyond lockstep core pair
Localization of fault possible to individual core
No continued operation possible with safety coverage
Continued operation possible with loss of core, or loss of cluster
Remaining core/cluster functional
Not possible to distinguish between permanent and transient faults in core complex
All transient faults recoverableCache faults recoverable without BIST – reset only
Fail Safe Strategy Fault Tolerant Strategy
Reset/Power-up
In Lockstep
Recovery Mode
Restart
Degraded 0 Degraded 1 Shutdown
Safe State & complete
transactions
Fault
Transient Fault
Permanent Fault
COMPANY PUBLIC 16
Top Level Safety Requirements• The SoC itself is developed as a SEooC to provide functionaly with appropriate
assumed safety integrity – ASIL D− SPFM (Single Point Failure Metric): 99% for transient & permanent faults− LFM (Latent Failure Metric): 90% for permanent faults− PMHF (Probabilistic Metric Hardware Failure): 10-9 h-1 (10% of system target for ASIL-D (<10-8 h-1))
• Fault Tolerant Time Interval (time a Fault occurrence and the system transitions to a Safe state)− FTTIMCU= 10ms to 100ms
• Multiple Point Fault Detection Interval (multi-point faults are latent faults)− MPFDIMCU= defined by application (e.g. 12hrs typical auto)
• To detect multiple-point faults in the most critical safety mechanisms, software initiated fault injection tests can be periodically triggered within the FTTI.
COMPANY PUBLIC 17
Top Level Availability Requirements• The contribution of the SoC to the Fault Recovery Time of the
application is targeted to beFRT <= 50 ms.
• This time is split between fault recovery (FRTMCU) and reset/boot (BootTimeMCU) Note: This includes the time to perform SoC fault diagnostics, reset and boot the SoC to the
point to handover to load full application code. It does not include the application re-initialization time.
• Fault Tolerance (Availability) of the SoC is targeted to be:< 100 FIT (10-7 h-1) of failures should lead to application Shutdown
COMPANY PUBLIC 18
Fault Reactions – FCCU • When a fault is routed to the FCCU there are 3 reactions possible to
bring the SoC to a safe state:−R1: Alarm interrupt with FCCU timer, if timer expires interrupt and error out asserted
(local recovery)−R2: Interrupt and error out asserted (global recovery)−R3: No interrupt, error out asserted and reset (no recovery configured)
• If a fault is Not Safety Related, the FCCU could be configured to the following reactions:−Fault is disabled, no FCCU reaction− Interrupt
COMPANY PUBLIC 19
S32 Automotive PlatformSafety SW and Tools
COMPANY PUBLIC 20
Safety Software Support (Safety SDK)
• Successful boot of safety-related components is required to start a safety application.• Runtime fault detection is mediated by Safety SDK – faults are detected by both HW and
SW mechanisms • Runtime error recovery is managed via Safety SDK• Safety SDK manages a global, destructive SoC recovery.
S32 SoC
Safety SDK
Safety BootSupport
Safety SDKRuntime Detection and Reaction Support
Safety SDK
RecoverySupport
Customer Application
BIST EIM FCCU RGM ERM
COMPANY PUBLIC 21
Safety SDK Components
• SquareCheck – detects latent faults in HW safety mechanism
• BIST Manager – configures, initiates, and provides access to MBIST and LBIST
• sBoot – detects violations of HW safety configuration
• sCRCU – detects faults in CRC; also, it computes CRC
• eMCEM – Error Manager configures FCCU and provides handlers to faults signaled to FCCU
• SW Recovery – initiates the global recovery process
• Mode Selector – depending on the SoC fault status selects the appropriate operating mode
Detection Components Reaction Components
COMPANY PUBLIC 22
Safety Software Portfolio
HW Safety Measures Computational Shell
Vision, RadarPeripherals
Communication& IO Peripherals
ERM
SRAM
Flash Controller
HW Safety Layer
Service Safety Layer
Functional Safety Layer
NXPSoC
SCST
eMCEM
MBIST & LBISTManager
Application SDK
sBoot
Autosar sMCAL
Vison Accelerator
GPU
Radar AcceleratorFCCU
WDG
STCU
LBIST MBIST
CMU
Recovery SW
Perf CPU
SquareCheck
PTLib
Mode SelectorSafety Device Config
sCRCUSbSW
Safety by SW – HW IP
Perf CPU
RT CPURT CPU
Safety SDK
COMPANY PUBLIC 23
SW Safety DeliverablesCONCEPT DEFINITION PLANNINGPDA PPA R PCPCA EARPI PRC RFPNPI Lifecycle
Automotive SPICE + Safety Extensions = ISO 26262
SW FMEA
Safety Manual
Safety CaseSW Safety Case
SW FMEA
Safety Assessment Plan
SW FMEA
Safety Manual
Safety Case
SW FMEA
Safety Manual
Safety Case
2-6.5.4/6/5/5
SW Safety Plan6-5.5.1/7.5.2
6-6.5.3
FSA1, FSA2, FSA3
Confirmation Review
Audit/Assessment
ISO26262 Confirmation Measures
SW Tools Evaluation & Qualification Reports8-11.5.1/11.5.2
System RS/AS/System Safety ConceptNPI Safety Manual
6-7.5.4/7.5.5/8-8.5.1
FSA3 (Final Product)
Software Safety Concept3-8.5.1
FSA1 (Safety Concept) FSA2 (Detailed Design)
COMPANY PUBLIC 24
Tool Compliance
• Classification Report• Qualification Plan• Qualification Report• Safety Manual• ISO26262 compliance report
Validas AG
Real-time CPUsPerformance CPUs
Application specific
accelerators
Certified Compilers (3P)Qualification
Kit
Certified Compilers (3P)
COMPANY PUBLIC 25
S32 Safety Alternatives for Performance Cores
L2
Core 0
SCST
Core 1
SCST
L2
Core 2
SCST
Core 3
SCST
L2
Core 2 Core 3
L2
Core 0 Core 1
L2
Core 0 Core 1
L2
Core 2 Core 3
TMWDP
TMC
TA1 TA2 TA3
• Targets ASIL D• Delayed Lock-step Clusters• Configured at Boot• Fully transparent to SW • Fallback to degraded mode in case of a
permanent fault
HW Lockstep Safety by SW Core Self Test
• Targets ASIL B (with minimal SW overhead)
• Core self-test (SCST) • Executed @ runtime on each CPU• High diagnostic coverage with low
performance impact
• Enable ASIL B/D by application monitoring
• Detects loss of integrity and data error caused by SW & HW faults
• Time Monitored Comparator (TMC) – Detects data and timing errors
• Timed Multi-Watchdog Processor (TMWDP)– Operational logical flow errors
COMPANY PUBLIC 26
Getting Safety Support
COMPANY PUBLIC 27
SafeAssure Community Public Space for knowledge
distribution and industry-wide newshere
SafeAssure NDAPrivate NDA space for customer to
access safety documentationhere
SupportSafety Expert Group composed of
Safety Managers and Architects, Field and Application Engineers
Self SufficientCommunity users find answers to their questions an safety documentation requests
SafeAssure CommunityCustomer Support for Functional Safety
COMPANY PUBLIC 28
NXP ISO 26262 Confirmation MeasuresNXP performs ISO 26262 Confirmation Reviews (CR), Audit and Assessment as required by ISO 26262 for SEooC development
Confirmation Measures (CM) performed depending on ASIL• All checks executed with independence level I3 by NXP Quality organization• NXP Assessors certified by SGS-TÜV Saar as Automotive Functional Safety Professional (AFSP) • NXP CM process certified by SGS-TÜV Saar as ISO 26262 ASIL D
Confirmation Measures ASIL A ASIL B ASIL C ASIL D
CR Safety Analysis Yes Yes Yes YesCR Safety Plan Yes Yes YesCR Safety Case Yes Yes YesCR Software Tools Yes YesAudit Yes YesAssessment Yes YesNote: The following confirmation reviews are not applicable: hazard analysis and risk assessment, item integration and testing, validation plan & proven in use argument
COMPANY PUBLIC 29
NXP SafeAssure™ ProductsTo support the customer to build their safety system, the following deliverables are provided as standard for all ISO 26262 developed products
• Public Information available via NXP Website− Quality Certificates− Reference Manual− Data Sheet
• Confidential Information available under NDA− Safety Plan − Safety Manual− Permanent Failure Rate data (Die & Package) - IEC/TR 62380 or
SN29500− Transient Failure Rate data (Die) - JEDEC Standard JESD89− Safety Analysis (FMEDA, FTA, DFA) & Report− PPAP− Confirmation Measures Report (summary of all applicable confirmation
measures)
NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property of their respective owners. © 2019 NXP B.V.