for Microcontrollers
Safetronic 2006
Nov. 14th, 2006
Florian Bogenberger
Freescale™ and the Freescale logo are trademarks
of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2006. 1
Safety-relevant Automotive Applications
Today's Cars
• Electronic Parking Brake (EPB)
• Electro Hydraulic Brake (EHB)
• Electro Magnetic Brake (EMB)
• Electronic Stability Control (ESC)
• Electronic Power Steering (EPS)
• Active Front Steering (AFS)
• Steering Wheel Angle Sensor
• Electronic Throttle Control
• Electronic Steering Wheel Lock
• Chassis Management
• ... etc.
Tomorrow's Cars
• Hybrid Brake
• Emergency Braking through Automatic Distance Control (ADC)
• Steer-by-Wire, Brake-by-Wire
• ... etc.
Ultimately: Autonomous driving
Already starting: cost optimization drives the merge of safety-related processes with non-safety processes.
Components become Systems
Characteristics
System-level: lower robustness (on PCB); higher cost; easier for the end-user to inspect
Component-level: higher robustness (on chip); lower cost; harder for the end-user to inspect
Consequences
• Automotive industry needs to specify testable requirements on component level
• Semiconductor industry needs to characterize component abilities and limits
• HW functions and SW functions need to be closely harmonized
Processing Subsystem Philosophies for Safety
[Block diagram, two variants: Master / Slave Approach and Dual Processor Approach. Both draw MCU #1 and MCU #2 built from CPU, clock monitor (Clock Mon), low-voltage inhibit (LVI), COP watchdog, memory and peripherals; further labels in the figure are Validation, SPI and complex hardware watchdog modules. I/O in both variants: n output drivers (valves, pump), n input sensors, safety relay.]
System Integration of Safety Functions
[Figure: integration of safety functions over time, from a discrete solution towards general purpose ICs]
System Integration and Functional Safety
[Figure: % of IEC61508 requirements that can be applied, plotted against the number of safety functions / integration of electronics, with ASIC and ASSP marked]
Overview
Target Failure Rates According To IEC61508
What “FIT” means...
Measurement of Diagnostic Coverage
Current definition in IEC61508
Diagnostic Coverage versus Test Coverage
DC ≠ (nr of detected faults) / (nr of all faults) = test coverage
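The slides on FIT, the IEC61508 target failure rates and "DC versus test coverage" all turn on one distinction: test coverage counts fault modes, while diagnostic coverage as defined in IEC 61508-4 weights them by failure rate and only looks at dangerous ones (DC = Σλ_DD / Σλ_D). The following C program is an added example, not code from the Safetronic slides: the fault table, its FIT values and the name of every function are constructed for illustration and are not characterisation data of any device.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example (not from the slides): FIT, test coverage vs. diagnostic
 * coverage, and the residual dangerous undetected rate of one component.
 * 1 FIT = 1 failure per 1e9 device-hours. */
#define FIT_TO_PER_HOUR 1e-9

struct fault_mode {
    const char *name;
    double rate_fit;   /* failure rate of this mode, in FIT (constructed) */
    bool dangerous;    /* can this mode lead to a dangerous failure? */
    bool detected;     /* is it caught by a diagnostic / monitor? */
};

/* Constructed fault table: one high-rate dangerous mode escapes detection. */
static const struct fault_mode faults[] = {
    { "RAM single-bit upset",         40.0, true,  true  },
    { "CPU register stuck-at",         5.0, true,  true  },
    { "Clock drift out of range",      3.0, true,  true  },
    { "Address decoder short",        30.0, true,  false },
    { "Peripheral readback mismatch",  2.0, false, true  },
    { "Unused test pin open",          1.0, false, false },
};
#define N_FAULTS (sizeof faults / sizeof faults[0])

/* Test coverage in the sense of the slide: detected modes / all modes,
 * counted, not weighted. */
double test_coverage(void) {
    size_t det = 0;
    for (size_t i = 0; i < N_FAULTS; i++) det += faults[i].detected;
    return (double)det / N_FAULTS;
}

/* Diagnostic coverage per IEC 61508-4: sum(lambda_DD) / sum(lambda_D),
 * i.e. rate-weighted and restricted to dangerous modes. */
double diagnostic_coverage(void) {
    double ld = 0.0, ldd = 0.0;
    for (size_t i = 0; i < N_FAULTS; i++) {
        if (!faults[i].dangerous) continue;
        ld += faults[i].rate_fit;
        if (faults[i].detected) ldd += faults[i].rate_fit;
    }
    return ld > 0.0 ? ldd / ld : 0.0;
}

/* Residual dangerous undetected failure rate, in failures per hour. */
double lambda_du_per_hour(void) {
    double ldu = 0.0;
    for (size_t i = 0; i < N_FAULTS; i++)
        if (faults[i].dangerous && !faults[i].detected) ldu += faults[i].rate_fit;
    return ldu * FIT_TO_PER_HOUR;
}

/* IEC 61508 PFH bands for high-demand / continuous mode:
 * SIL 4: [1e-9, 1e-8)   SIL 3: [1e-8, 1e-7)   SIL 2: [1e-7, 1e-6)   SIL 1: [1e-6, 1e-5)
 * Returns 0 if the rate is too high even for SIL 1. */
int sil_band_from_pfh(double pfh) {
    if (pfh < 1e-8) return 4;
    if (pfh < 1e-7) return 3;
    if (pfh < 1e-6) return 2;
    if (pfh < 1e-5) return 1;
    return 0;
}

int main(void) {
    printf("test coverage (count based):      %.3f\n", test_coverage());
    printf("diagnostic coverage (rate based): %.3f\n", diagnostic_coverage());
    printf("lambda_DU = %.1e /h -> SIL %d band\n",
           lambda_du_per_hour(), sil_band_from_pfh(lambda_du_per_hour()));
    return 0;
}
```

With this table 4 of 6 modes are detected (test coverage 0.667) but the one undetected dangerous mode carries 30 of the 78 dangerous FIT, so DC is only 0.615, and the 30 FIT of λ_DU (3e-8 /h) fall into the SIL 3 band. The band is a property of the whole safety function, not of one IC: the component's λ_DU is one contribution to it, which is why the slides ask for testable component-level figures rather than "SIL-rated" chips.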
Assumption & Presumption
Past: low reliability of the silicon technology dominates the failure rate
• difficulties in achieving high test coverage in production test
• dominating failure root cause: physical defects
• IEC61508 considers the environment to be well under control and within the IC's limits (derating concept)
Σλ_ext: EMC, disturbances of power supply & ground, EOS, ... etc.
Failure Rate depends on Mission Profile
[Diagram]
Inputs: architecture, application, monitoring concept, mission profile; data from the IC manufacturer (IC failure rate table, IC environment sensitivity).
Outputs: dangerous IC failure rate (impact of the application architecture on the failure rate), controlled dangerous failure rate (monitoring / DFC effectiveness), impact of the environment on the failure rate.
Overview
Fault – Error – Failure Chain (1)
Fault → (can cause) → Error → (can cause) → Failure
• Fault: root cause of an error (e.g. neutron hitting a RAM cell); causes external to the system level
• Error: manifestation of the fault in a system (e.g. RAM bit value toggles)
• Failure: deviation of the delivered service from compliance with the specification, i.e. transition from correct to incorrect output (e.g. calculating a wrong value)
Fault, error and failure are the impairments to dependability.
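The chain above in runnable form, as an added example that is not part of the slides: a simulated particle hit toggles one bit of a RAM-held setpoint (fault → error); if the word is consumed unchecked the computed actuator output is wrong (error → failure). The guarded variant stores the word together with its bitwise complement and checks the pair before use, a common inverse-redundancy pattern that turns the error into a detected condition instead. The setpoint-to-duty arithmetic, the 0xFFFF check and every name are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not from the Safetronic 2006 slides: fault -> error ->
 * failure on a RAM-held setpoint, and one monitor (inverse redundant
 * storage) that detects the error before it becomes a failure. */

/* Unprotected storage: a plain RAM word. */
struct plain_cell { uint16_t value; };

/* Protected storage: the word and its bitwise complement. */
struct guarded_cell { uint16_t value; uint16_t inverse; };

void guarded_store(struct guarded_cell *c, uint16_t v) {
    c->value = v;
    c->inverse = (uint16_t)~v;
}

/* Monitor: both copies must still be complementary; a single-bit upset in
 * either copy breaks that relation. Returns false when an error is detected. */
bool guarded_load(const struct guarded_cell *c, uint16_t *out) {
    if ((uint16_t)(c->value ^ c->inverse) != 0xFFFFu) return false;
    *out = c->value;
    return true;
}

/* Fault injection: a particle hit toggling one bit of a RAM word (constructed). */
void inject_bit_flip(uint16_t *word, unsigned bit) {
    *word ^= (uint16_t)(1u << (bit & 15u));
}

/* Application function (constructed): setpoint 0..1000 -> duty cycle 0..100 %. */
uint16_t duty_from_setpoint(uint16_t setpoint) {
    return (uint16_t)(setpoint * 100u / 1000u);
}

/* Scenario 1: unprotected variable. flipped_bit < 0 means no fault.
 * Returns the duty the actuator would actually receive. */
int run_unprotected(uint16_t setpoint, int flipped_bit) {
    struct plain_cell c = { setpoint };
    if (flipped_bit >= 0) inject_bit_flip(&c.value, (unsigned)flipped_bit); /* fault -> error */
    return duty_from_setpoint(c.value);                                      /* error -> failure? */
}

/* Scenario 2: guarded variable. Bits 0..15 hit the value copy, 16..31 the
 * inverse copy. Returns the duty if the value was consumed, or -1 when the
 * monitor detected the error and the safe state (actuator off) was entered. */
int run_guarded(uint16_t setpoint, int flipped_bit) {
    struct guarded_cell c;
    uint16_t v;
    guarded_store(&c, setpoint);
    if (flipped_bit >= 16)     inject_bit_flip(&c.inverse, (unsigned)flipped_bit - 16u);
    else if (flipped_bit >= 0) inject_bit_flip(&c.value, (unsigned)flipped_bit);
    if (!guarded_load(&c, &v)) return -1;  /* error detected: no failure delivered */
    return duty_from_setpoint(v);
}

int main(void) {
    printf("no fault, unprotected:          duty %d %%\n", run_unprotected(500, -1));
    printf("bit 0 flipped, unprotected:     duty %d %% (error masked)\n", run_unprotected(500, 0));
    printf("bit 9 flipped, unprotected:     duty %d %% (failure)\n", run_unprotected(500, 9));
    printf("bit 9 flipped, guarded:         %d (-1 = detected, safe state)\n", run_guarded(500, 9));
    printf("bit 16 flipped (inverse copy):  %d\n", run_guarded(500, 16));
    return 0;
}
```

Two details worth noticing: flipping bit 0 of 500 yields 501, which the integer division maps to the same 50 % duty, so an error does not always become a failure ("can cause" in the figure is deliberate); flipping bit 9 yields 1012 and a 101 % duty, an output outside the specified range. The guarded cell detects either hit, in whichever copy it lands, at the cost of double storage and a check before each use.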
Fault – Error – Failure Chain (2)
Fault Propagation in Microcontrollers
[Block diagram: a System made of SubSystem A (SubSystem A1 with A1a, A1b, A1c; SubSys A2 with A2a, A2b; SubSystem A3), SubSystem B (B1, B2, B3, B4) and SubSystem C; each subsystem may contain HW and/or SW]
• Undetected environment-induced external fault entering the system
• Undetected fault propagation from subsystem to subsystem
• Development of a common cause fault causing faults in the system that affect the environment
• Fault affecting the environment
Important Observation
Opportunities of today's Microelectronics ...
Observation:
• there is a fault-specific t_crit,int for device-internal faults
  t < t_crit,int : propagation
  t ≥ t_crit,int : common cause failure
⇒ monitors in microelectronics
• very fast: the achievable error detection time can be < 1 µs
• high observability of internal states & signals
• multiple instances of monitors possible
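Two of the monitors named on the processing-subsystem slide, the COP watchdog ("computer operating properly", Freescale's name for its watchdog timer) and program-flow monitoring, can be modelled in a few dozen lines. The program below is an added example and not code from the slides or from any Freescale part: time runs in simulated ticks, the window limits, the checkpoint sequence and the four traces are constructed, and on real silicon the timer side would be a hardware counter that forces a reset rather than a latched enum. Its point is the one the slide makes: the window bound fixes the worst-case detection time, and the checkpoint sequence catches faults (a skipped plausibility check, a runaway loop) that a plain timeout never sees.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not from the slides: a software model of a windowed watchdog
 * (COP) combined with program-flow monitoring. All numbers are constructed. */

#define WIN_MIN 8u   /* service earlier than 8 ticks after the last one: too early */
#define WIN_MAX 12u  /* no service within 12 ticks: too late */

enum cop_state { COP_OK = 0, COP_TOO_EARLY, COP_TOO_LATE, COP_BAD_FLOW };

/* Expected checkpoint order in one control cycle. */
enum { CP_READ = 1, CP_COMPUTE, CP_CHECK, CP_WRITE, CP_COUNT = CP_WRITE };

struct cop {
    uint32_t last_service;  /* tick of the last accepted service */
    unsigned flow_pos;      /* checkpoints passed so far in this cycle */
    enum cop_state state;   /* latched: the first violation wins */
};

void cop_init(struct cop *c) { c->last_service = 0; c->flow_pos = 0; c->state = COP_OK; }

/* Application reports a checkpoint; an out-of-order or repeated id means
 * control flow left the expected path. */
void cop_checkpoint(struct cop *c, unsigned id) {
    if (c->state != COP_OK) return;
    if (id != c->flow_pos + 1) { c->state = COP_BAD_FLOW; return; }
    c->flow_pos = id;
}

/* Application services the watchdog: must be inside the window, and only
 * after every checkpoint of the cycle was passed in order. */
void cop_service(struct cop *c, uint32_t now) {
    if (c->state != COP_OK) return;
    uint32_t dt = now - c->last_service;
    if (dt < WIN_MIN)            { c->state = COP_TOO_EARLY; return; }
    if (dt > WIN_MAX)            { c->state = COP_TOO_LATE;  return; }
    if (c->flow_pos != CP_COUNT) { c->state = COP_BAD_FLOW;  return; }
    c->last_service = now;
    c->flow_pos = 0;
}

/* Timer side: runs independently of the CPU, so a hung CPU is still caught. */
void cop_tick(struct cop *c, uint32_t now) {
    if (c->state == COP_OK && now - c->last_service > WIN_MAX) c->state = COP_TOO_LATE;
}

struct event  { uint32_t tick; bool service; unsigned checkpoint; };
struct result { enum cop_state state; uint32_t detected_at; };  /* detected_at 0 = never */

/* Replay a tick-sorted trace and report the latched state and detection tick. */
struct result run_trace(const struct event *ev, size_t n, uint32_t ticks) {
    struct cop c; struct result r = { COP_OK, 0 }; size_t i = 0;
    cop_init(&c);
    for (uint32_t t = 1; t <= ticks; t++) {
        for (; i < n && ev[i].tick == t; i++)
            if (ev[i].service) cop_service(&c, t); else cop_checkpoint(&c, ev[i].checkpoint);
        cop_tick(&c, t);
        if (c.state != COP_OK && r.detected_at == 0) r.detected_at = t;
    }
    r.state = c.state;
    return r;
}

/* Constructed traces: one 10-tick control cycle = four checkpoints, then a service. */
#define CYCLE(t0) {(t0)+2,false,CP_READ},{(t0)+4,false,CP_COMPUTE},{(t0)+6,false,CP_CHECK},{(t0)+8,false,CP_WRITE},{(t0)+10,true,0}
static const struct event tr_nominal[] = { CYCLE(0), CYCLE(10) };
static const struct event tr_hang[]    = { CYCLE(0), {12,false,CP_READ}, {14,false,CP_COMPUTE} }; /* CPU hangs after tick 14 */
static const struct event tr_skipped[] = { {2,false,CP_READ},{4,false,CP_COMPUTE},{8,false,CP_WRITE},{10,true,0} }; /* CP_CHECK jumped over */
static const struct event tr_runaway[] = { CYCLE(0), {13,true,0} }; /* tight loop kicking the dog without doing the work */

#define RUN(tr) run_trace(tr, sizeof tr / sizeof tr[0], 30)
struct result scenario(int which) {
    switch (which) {
    case 0:  return RUN(tr_nominal);
    case 1:  return RUN(tr_hang);
    case 2:  return RUN(tr_skipped);
    default: return RUN(tr_runaway);
    }
}

int main(void) {
    static const char *names[] = { "nominal", "hang", "skipped check", "runaway" };
    for (int i = 0; i < 4; i++) {
        struct result r = scenario(i);
        printf("%-14s state=%d detected_at=%u\n", names[i], (int)r.state, (unsigned)r.detected_at);
    }
    return 0;
}
```

In the hang trace the last accepted service is at tick 10 and the timer trips at tick 23, so the detection latency is WIN_MAX + 1 ticks whatever the CPU is doing; the skipped check is caught at tick 8, before the cycle's output would have been written, and the runaway loop at its first premature kick. The timer side must be clocked and powered independently of the CPU it watches; if it shares the clock that drifts or the supply that sags, monitor and monitored fail together, which is exactly the common cause failure case the observation above separates from propagation.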
... & Constraints of today’s Microelectronics
What will be the future Trend?
[Diagram: a µC surrounded by monitors (Mon), with two directions labelled "Mon & Saving" and "More Safety"]
Use Technology to improve Safety
Conclusions