Functional Safety's Best Partners: An Overview of the Functional Safety of AURIX TC4x and the OPTIREG PMIC TLF4x
Authors: Sherry, Dan
Infineon Automotive Electronics Ecosystem (Weixin ID: Infineon-Ecosystem)
July 11, 2024, 07:00, Shanghai

Introduction

AURIX™ is one of Infineon's families of 32-bit automotive-grade MCUs. Its second generation, AURIX TC3x, is already recognized in the automotive industry for its functional safety design and has earned a good reputation there.
This success builds on the first-generation AURIX product, TC2x, whose functional safety concept was designed according to ISO 26262:2011 and supports ASIL D, the highest safety level. The functional safety concept was optimized and upgraded from TC2x to TC3x, and the third generation, TC4x, further strengthens the chip's functional safety features on the basis of TC3x and fully complies with ISO 26262:2018. The enhanced features make it easier for users to achieve functional safety at the system level. Infineon's OPTIREG™ PMIC power management ICs have been designed from the start as the companion of AURIX: TLF35584/5 is paired with TC2x/TC3x and TLF4x with TC4x, and together they make the safety design of the automotive system more rational.

1 Top-level safety requirements (TLSR) of AURIX TC4x

ISO 26262 allows an MCU to be developed as a Safety Element out of Context (SEooC), that is, ahead of and independent of any specific item; it is not designed for one particular item but exists beforehand. Whether it fits the various application scenarios in a vehicle, and how well it supports the safety design of the automotive system, depends on whether the MCU's top-level safety requirements (TLSR) are reasonably defined; the hardware and software design of the MCU then revolves around them. The TLSRs of AURIX TC4x fall into three categories:
- TLSRs for the MCU safety functions: safe code execution, safe start-up, safe input, safe output, safe communication, safe sensor interfaces, etc.
- TLSRs supporting the safe state: the reactions after a fault alarm, reported to circuits inside or outside the chip.
- TLSRs for freedom from common cause failures: preventing common cause failures due to the power supply, the clock, overheating, etc., and containing the interference between software of different safety levels.

2 How are the TLSRs of AURIX TC4x derived?

In short, they are extracted from the requirements of the various automotive applications. The figure below shows a typical EPS (electric power steering) system on a steering column: the EPS ECU, the steering angle sensor, the steering torque sensor, the column motor, the motor position sensor, and so on. After HARA (hazard analysis and risk assessment), the vehicle-level hazards and safety goals of the EPS system that require the highest safety integrity level are identified. Assuming the FIT budget allocated to the MCU in the EPS ECU is 3 to 4 FIT, the quantitative targets are ASIL D with 99% SPFM and 90% LFM, and the timing requirement is an FTTI of 50 to 150 ms. Under these assumptions the safety functions required of the MCU in the EPS ECU are:
- The MCU can run software safely, and software of different safety levels runs independently of each other.
- The MCU must start up safely before running user code, with a start-up time within 200 ms.
- The MCU can read the motor position sensor signals redundantly, whether digital (for example SENT) or analog.
- The MCU can output safe PWM control signals.
- The MCU's communication interfaces can exchange signals safely with other ECUs.
- When the MCU fails, it can output a fault indication signal that tells the peripheral circuitry to bring the system into a safe state.
Analyzing the control systems of the other common automotive applications in the same way, such as the engine management system (EMS), the battery management system (BMS) of new energy vehicles, power conversion (OBC/DCDC), the traction inverter, the electronic brake booster, ADAS (advanced driver assistance systems), radar processing, the gateway and body control, the top-level safety requirements of AURIX TC4x are extracted from the full range of application scenarios, and the subsequent product design activities revolve around them.

3 How are the TLSRs of AURIX TC4x applied in actual designs?

Simply put, each use case of a TC4x TLSR is matched to the actual application scenario and applied to the actual design.
Each TLSR of AURIX TC4x can enumerate more than one use case. The use cases make the top-level safety requirement concrete and tie it to a scenario, and when designing a real system the user selects the use cases that fit. For example, the ASIL D safe software execution TLSR covers scenarios such as:
- the CPU accessing its own NVM and RAM;
- after a SOTA swap, the CPU executing code from PFLASH bank A or bank B;
- the CPU accessing the NVM of other CPUs and shared RAM;
- the CPU reading data from, or writing data to, DFLASH;
- code stored in external flash.
The ASIL D safe analog input TLSR covers, for example, redundant ADC channels feeding two TC4x ADC modules of the same type, i.e. two TMADC modules or two DSADC modules. The ASIL B safe analog input TLSR covers, for example, a single ADC channel fed to two ADC modules inside TC4x and processed separately, or a single ADC channel fed to one ADC module.

4 How does AURIX TC4x design its safety mechanisms so that the use cases reach their target ASIL?

Each use case of a TC4x top-level safety requirement has a target ASIL, which implies quantitative requirements (SPFM, LFM and PMHF). Each use case involves different internal functional modules of TC4x; each of these can fail and contributes a failure rate (FIT, failures in time). Every failure mode of every module therefore needs diagnostic mechanisms that reduce the module's residual failure rate, so that the failure rate of the whole use case drops to an acceptable level and the quantitative requirements of the target ASIL are met.
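To make those quantitative requirements concrete, here is an added example; it is not Infineon code and does not use TC4x safety manual data. It computes the ISO 26262-5 hardware architectural metrics for a constructed set of safety-related elements of one use case, with SPFM = 1 − Σ(λ_SPF + λ_RF)/Σλ and LFM = 1 − Σλ_MPF,latent/Σ(λ − λ_SPF − λ_RF). The FIT values and diagnostic coverages are invented for illustration, the safe-fault fraction is taken as zero, and the second case, in which the DMA has no safety mechanism at all (the TC3x situation before the user adds the software diagnosis), shows how one uncovered element drops the SPFM far below the 99% ASIL D target quoted in section 2.

```c
#include <stddef.h>
#include <stdio.h>

/* One safety-related hardware element of the use case. */
typedef struct {
    const char *name;
    double fit;      /* failure rate lambda in FIT (failures per 1e9 h) */
    int    has_sm;   /* 0: no safety mechanism at all, 1: covered by one */
    double dc_spf;   /* diagnostic coverage against single-point faults, 0..1 */
    double dc_lf;    /* diagnostic coverage against latent (multiple-point) faults, 0..1 */
} sr_element_t;

typedef struct {
    double lambda;        /* sum of lambda over all safety-related elements */
    double lambda_spf_rf; /* single-point + residual: faults no mechanism catches in time */
    double lambda_mpf_l;  /* multiple-point faults that stay latent */
    double spfm;
    double lfm;
} hw_metrics_t;

/* ISO 26262-5 architectural metrics. Assumption: safe faults are 0, i.e. every
 * failure of an element is taken to be able to violate the safety goal. */
hw_metrics_t compute_metrics(const sr_element_t *e, size_t n)
{
    hw_metrics_t m = {0, 0, 0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        double spf_rf, mpf_l;
        if (!e[i].has_sm) {
            spf_rf = e[i].fit;   /* uncovered element: its whole failure rate is single-point */
            mpf_l  = 0.0;
        } else {
            spf_rf = e[i].fit * (1.0 - e[i].dc_spf);           /* residual: escapes the mechanism */
            mpf_l  = (e[i].fit - spf_rf) * (1.0 - e[i].dc_lf); /* caught in time, but may hide until a 2nd fault */
        }
        m.lambda        += e[i].fit;
        m.lambda_spf_rf += spf_rf;
        m.lambda_mpf_l  += mpf_l;
    }
    m.spfm = 1.0 - m.lambda_spf_rf / m.lambda;
    m.lfm  = 1.0 - m.lambda_mpf_l / (m.lambda - m.lambda_spf_rf);
    return m;
}

/* Targets quoted in section 2 for ASIL D: SPFM >= 99 %, LFM >= 90 %.
 * PMHF is a separate requirement and is not evaluated here. */
int meets_asil_d_targets(hw_metrics_t m)
{
    return m.spfm >= 0.99 && m.lfm >= 0.90;
}

/* Constructed elements of a safe software execution use case; the numbers are
 * illustrative only. Total 3.0 FIT, inside the 3-4 FIT budget assumed in section 2. */
hw_metrics_t example_with_dma_lockstep(void)
{
    static const sr_element_t e[] = {
        {"CPU (lockstep)", 1.0, 1, 0.995, 0.95},
        {"RAM (ECC)",      0.8, 1, 0.995, 0.95},
        {"NVM (ECC)",      0.5, 1, 0.995, 0.95},
        {"DMA (lockstep)", 0.4, 1, 0.995, 0.95},
        {"SRI bus (SM)",   0.3, 1, 0.995, 0.95},
    };
    return compute_metrics(e, sizeof e / sizeof e[0]);
}

/* Same use case, but the DMA has no mechanism: one uncovered 0.4 FIT element
 * is enough to push the SPFM from 99.5 % down to about 86 %. */
hw_metrics_t example_without_dma_mechanism(void)
{
    static const sr_element_t e[] = {
        {"CPU (lockstep)", 1.0, 1, 0.995, 0.95},
        {"RAM (ECC)",      0.8, 1, 0.995, 0.95},
        {"NVM (ECC)",      0.5, 1, 0.995, 0.95},
        {"DMA (no SM)",    0.4, 0, 0.0,   0.0},
        {"SRI bus (SM)",   0.3, 1, 0.995, 0.95},
    };
    return compute_metrics(e, sizeof e / sizeof e[0]);
}

int main(void)
{
    hw_metrics_t a = example_with_dma_lockstep();
    hw_metrics_t b = example_without_dma_mechanism();
    printf("DMA lockstep:  SPFM %.2f%%  LFM %.2f%%  ASIL D targets %s\n",
           100 * a.spfm, 100 * a.lfm, meets_asil_d_targets(a) ? "met" : "not met");
    printf("DMA uncovered: SPFM %.2f%%  LFM %.2f%%  ASIL D targets %s\n",
           100 * b.spfm, 100 * b.lfm, meets_asil_d_targets(b) ? "met" : "not met");
    return 0;
}
```

The LFM is unchanged between the two cases because the uncovered element contributes nothing to the multiple-point faults; that is exactly why a failing SPFM is usually the first sign that a module needs a mechanism rather than better latent-fault tests.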
The diagnosis of internal chip faults comes from four kinds of safety mechanisms: internal hardware safety mechanisms SM[HW], internal software safety mechanisms SM[SW], external hardware safety mechanisms ESM[HW] and external software safety mechanisms ESM[SW]. Like TC3x, AURIX TC4x implements many internal hardware safety mechanisms, such as CPU lockstep, NVM ECC, RAM ECC, power voltage monitoring and clock monitoring. Compared with TC3x, however, TC4x adds and strengthens a number of on-chip hardware safety mechanisms. The enhancements and changes are explained below in several points.

1. TC4x systematic fault avoidance. ASIL D top-level safety requirements for systematic fault avoidance were added to the hardware design of TC4x. Apart from a few modules such as SCR and CSRM, which are QM or ASIL B, the hardware circuits of all other modules reach ASIL D.

2. TC4x safe boot. The start-up software (SSW) fixed in the internal ROM of TC4x is developed to ASIL D. It performs the basic initialization of the chip and cooperates with the power-on checks so that user code starts in a safe and complete initial environment. The safety mechanisms built into the SSW detect unexpected behaviour caused by hardware module failures during boot and stop the start-up. Without a safe and complete start-up the user code is never run, so a latent failure cannot be carried into the system.

3. TC4x SMU upgraded to a safety and security alarm management unit. The SMU of AURIX TC3x consists of two redundant modules, SMU_core and SMU_stdby. In TC4x the SMU is upgraded to four sub-modules: SMU_CS, SMU_SAFE0, SMU_SAFE1 and SMU_STDBY.
SMU_CS is located in the core domain and collects and handles the security-related on-chip alarms, such as key usage errors, authentication failures and monitoring of debug interface enabling, as well as power monitoring, bus clock monitoring and bus errors; all of these alarms are handled and reacted to by SMU_CS. SMU_SAFE0 and SMU_SAFE1 are also located in the core domain and collect and handle the safety-related on-chip alarms. The two are identical in design: every safety mechanism alarm of the TC4x chip can be connected to both SMU_SAFEx modules, and the user decides which alarm is handled by which SMU_SAFEx. Each SMU_SAFEx reacts according to the configuration of the alarm. The two SMU_SAFEx modules can be used independently to handle different on-chip alarms, each with its own fault status output pin connected to an external component such as the Infineon PMIC TLF4x.
This dual-SMU_SAFEx design targets systems in which several applications are integrated on a single TC4x, so that each application has an independent fault reaction path that brings the system into its safe state. SMU_STDBY is located in the standby domain, independent of SMU_SAFEx and SMU_CS in the core domain. It collects the alarms of the safety mechanisms against common cause failures (CCF) of voltage, temperature and clock, and it also monitors SMU_SAFEx and SMU_CS through the SMU alive signal. In addition, the on-chip alarms handled by SMU_SAFEx and SMU_CS can be aggregated into a critical alarm that is sent to SMU_STDBY for redundant handling. On these alarms SMU_STDBY can force the FSP error pin into its fault state, notifying the external monitoring component to control the secondary safety path output.

4. TC4x safe computation platform (safe software execution). The modules involved in safe software execution in AURIX are the CPU, the IR (interrupt router), DMA, NVM, RAM, the SRI bus and the FPI bus. In TC3x the CPU has a lockstep safety mechanism, but for the IR and DMA the user had to implement external software safety mechanisms to diagnose their faults. In TC4x the lockstep mechanism is extended from the CPU to the IR and DMA, so the software safety mechanisms needed on TC3x are no longer required, which is more convenient for the user.

5. TC4x RAM ECC corrects bit errors. The volatile memory (RAM) of AURIX corrects bit errors at run time through its ECC mechanism, so the data read from RAM is correct and there is no risk of violating a safety goal. Bit errors corrected inside the RAM therefore require no user reaction, and in TC4x the address logging for correctable RAM bit errors has been removed; they are no longer treated as safety-related faults.
This point was not emphasized for TC3x, so users easily overlooked it and reacted to normal correctable bit errors with excessive safety responses.

6. TC4x MBIST (volatile memory self-test). The test module integrated in AURIX TC4x supports MBIST (memory built-in self-test) of the RAM. TC3x MBIST only supports the non-destructive inversion test (NDIT); TC4x MBIST is upgraded to also support a destructive test, which achieves a higher diagnostic coverage, at ASIL D level. TC4x also supports key-on and key-off MBIST, and both tests are included in the TC4x SafeTlib software.

7. TC4x LBIST (logic self-test). AURIX TC4x LBIST has two operating modes, key-on LBIST and key-off LBIST. Inside TC4x, LBIST is designed hierarchically and divided into several test domains. Key-on LBIST tests only the safety-related digital logic of the chip, completes within 5 to 6 ms and achieves 90% stuck-at fault coverage. Key-off LBIST tests the complete internal digital logic, with each test domain completing within 50 ms, also with 90% stuck-at fault coverage. The key-on LBIST test is included in the TC4x SafeTlib software.

8. TC4x clock monitoring. The AURIX TC4x clock system keeps the three hardware safety mechanisms of TC3x: the oscillator watchdog, PLL loss-of-lock detection and the clock alive monitor. In addition, TC4x adds hardware safety mechanisms that perform a plausibility check of the clocks generated on-chip, a check that on TC3x had to be implemented in user software. These enhanced hardware mechanisms simplify the user's clock safety software design.

9. TC4x power monitoring. Like TC3x, AURIX TC4x has primary undervoltage monitoring and secondary undervoltage/overvoltage monitoring. Unlike TC3x, only the secondary undervoltage/overvoltage monitoring is part of the on-chip power monitoring safety mechanism in TC4x; primary undervoltage monitoring is no longer classified as safety-related.
The reason is that, within the operating voltage range of TC4x, the secondary undervoltage/overvoltage monitoring already reports an alarm before the voltage reaches the primary undervoltage threshold, and the SMU can perform the appropriate safety reaction to that alarm.

10. TC4x over-temperature monitoring. Like TC3x, AURIX TC4x has redundant die temperature sensors (DTS); TC3x has 2 of them, TC4x has 6. Only over-temperature is safety-related in TC4x, because no internal MCU fault can make the chip cool down spontaneously: low temperature is not a failure mode caused by MCU faults, so only chip over-temperature is within the scope of the safety analysis. The DTS measures the temperature continuously every 2 ms and reports an alarm if the chip overheats.
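The clock plausibility check that, according to point 8, user software had to implement on TC3x, shown here as an added example that is not Infineon or SafeTlib code: the ticks of the clock under test are compared with the ticks of an independent reference counter over the same window. The frequencies, the tolerance and the counter snapshots are assumptions. A real implementation must take the two snapshots back to back with interrupts disabled, and the reference must be clocked from a source the PLL cannot influence; otherwise a PLL failure is a common cause failure of both counters and the check is blind to it.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t f_test_hz;     /* nominal frequency of the clock under test (e.g. PLL output) */
    uint32_t f_ref_hz;      /* nominal frequency of the independent reference clock */
    uint32_t tol_permille;  /* accepted deviation of the tick ratio, in 1/1000 */
} clk_check_t;

/* Two snapshots (test counter, reference counter) taken back to back at the
 * start and the end of a window. Returns 1 if the clock under test is
 * plausible, 0 if it is too fast, too slow, or the reference did not advance. */
int clock_plausible(const clk_check_t *c, uint32_t test0, uint32_t ref0,
                    uint32_t test1, uint32_t ref1)
{
    uint32_t d_test = test1 - test0;   /* unsigned subtraction survives one counter wrap */
    uint32_t d_ref  = ref1  - ref0;
    if (d_ref == 0)
        return 0;                      /* stopped reference or empty window: not plausible */
    /* expected test ticks for d_ref reference ticks; 64-bit keeps the product from overflowing */
    uint64_t expected = (uint64_t)d_ref * c->f_test_hz / c->f_ref_hz;
    uint64_t tol = expected * c->tol_permille / 1000;
    return (uint64_t)d_test >= expected - tol && (uint64_t)d_test <= expected + tol;
}

/* Constructed scenarios. Assumed: 200 MHz clock under test, 100 kHz reference
 * (e.g. a timer fed from the external crystal or a backup clock), 2 % tolerance,
 * a 10 ms window = 1000 reference ticks = 2 000 000 expected test ticks. */
int demo_clock_case(int which)
{
    const clk_check_t c = { 200000000u, 100000u, 20u };
    uint32_t t0 = 1000u;
    switch (which) {
    case 0: /* nominal: measured 2 001 000 ticks */
        return clock_plausible(&c, t0, 500u, t0 + 2001000u, 1500u);
    case 1: /* PLL lost lock and the clock fell back to a tenth of its rate */
        return clock_plausible(&c, t0, 500u, t0 + 200100u, 1500u);
    case 2: /* nominal, but the 32-bit test counter wraps inside the window */
        t0 = 0xFFFFFF00u;
        return clock_plausible(&c, t0, 500u, t0 + 2000500u, 1500u);
    case 3: /* reference stopped: the window cannot be trusted at all */
        return clock_plausible(&c, t0, 500u, t0 + 2000000u, 500u);
    case 4: /* clock 5 % too fast: outside the 2 % tolerance */
        return clock_plausible(&c, t0, 500u, t0 + 2100000u, 1500u);
    default:
        return 0;
    }
}

int main(void)
{
    static const char *label[] = { "nominal", "PLL unlocked", "counter wrap",
                                   "reference stopped", "too fast" };
    for (int i = 0; i < 5; i++)
        printf("%-18s plausible=%d\n", label[i], demo_clock_case(i));
    return 0;
}
```

Treating a stopped reference as a fault rather than skipping the check is deliberate: a check that silently passes when it has no data is the classic way a monitor becomes ineffective without anyone noticing.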
11. Safe digital actuation. For safe digital output, the output of a mission channel is usually fed back into a monitoring channel input of the AURIX, and comparing the two signals confirms that the digital output is as expected; this is how an ASIL D safe digital output is achieved. In TC3x this comparison was usually done by the IOM (input output monitor) hardware module. In TC4x that module has been removed, and the comparison between the mission channel output and the monitoring channel readback can be done by the GTM/eGTM, which is both a signal generation and a signal capture unit, simplifying the safe digital output design for users.

12. Safe digital acquisition. The safety mechanism for safe digital input usually uses redundant inputs, one mission channel and one monitoring channel, and verifies the integrity of the input by comparison. In TC4x, two independent GTM/eGTM channels capture an external pair of redundant digital inputs for redundancy checking, which gives an ASIL D safe input; an external single-channel digital input that is split inside the chip onto two independent GTM/eGTM channels for redundancy checking gives an ASIL B safe input. Compared with the TC3x safe digital input use cases this is richer and gives users more flexibility in their designs.

13. Safe analog acquisition. The safety mechanism for safe analog input likewise usually uses redundant inputs, one mission channel and one monitoring channel, and verifies the integrity of the analog input by comparison.
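The mission/monitoring channel comparison behind points 11 to 13, as an added example that is not part of the original article and not Infineon driver code: a small comparator with an up/down debounce counter sized from the FTTI, applied once to a PWM duty readback (safe digital actuation) and once to two ADC modules sampling the same sensor (safe analog acquisition, the ASIL D TMADC + TMADC pairing). The tolerances, the share of the FTTI spent on debouncing, the sample values and the abstraction of the GTM/eGTM, ADC and SMU register layer are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { CH_OK = 0, CH_MISMATCH = 1, CH_FAULT = 2 } ch_status_t;

typedef struct {
    int32_t  tolerance;  /* largest |mission - monitor| still treated as agreement */
    uint32_t limit;      /* debounce counter value that raises the alarm */
    uint32_t counter;    /* +2 per mismatch, -1 per agreement (leaky bucket) */
    int      faulted;    /* latched: only a safe restart clears it */
} ch_monitor_t;

/* Assumption: spend at most a quarter of the FTTI on debouncing, leaving the
 * rest for the SMU reaction and the external (PMIC) switch-off path. */
void ch_monitor_init(ch_monitor_t *m, int32_t tolerance, uint32_t ftti_us, uint32_t period_us)
{
    uint32_t budget = (ftti_us / period_us) / 4;
    m->tolerance = tolerance;
    m->limit = budget ? budget : 1;
    m->counter = 0;
    m->faulted = 0;
}

/* One comparison per control period. Returns CH_FAULT on the sample that hits
 * the limit and on every sample after it; the caller then raises the SMU alarm. */
ch_status_t ch_monitor_step(ch_monitor_t *m, int32_t mission, int32_t monitor)
{
    if (m->faulted)
        return CH_FAULT;
    int32_t diff = mission - monitor;
    if (diff < 0)
        diff = -diff;
    if (diff <= m->tolerance) {
        if (m->counter > 0)
            m->counter--;            /* heal slowly: an intermittent fault still climbs */
        return CH_OK;
    }
    m->counter += 2;
    if (m->counter >= m->limit) {
        m->faulted = 1;
        return CH_FAULT;
    }
    return CH_MISMATCH;
}

/* Safe digital actuation: the commanded PWM duty (mission channel) against the
 * duty captured by a second timer channel wired back from the pin (monitoring
 * channel), in units of 0.01 %. mode 0 = healthy, 1 = output stuck low,
 * 2 = output dropping every second period. Returns the sample index at which
 * the fault was latched, or -1 if the output stayed plausible. */
int run_pwm_readback(int mode)
{
    /* Constructed readback samples: a few counts of jitter and one glitch */
    static const int32_t readback[8] = {5003, 4998, 5210, 5001, 5002, 4997, 5000, 5004};
    const int32_t commanded = 5000;
    ch_monitor_t m;
    ch_monitor_init(&m, 20, 100000, 1000);   /* 0.20 % tolerance, FTTI 100 ms, 1 ms period -> limit 25 */
    for (int i = 0; i < 64; i++) {
        int32_t captured;
        if (mode == 1)      captured = 0;
        else if (mode == 2) captured = (i % 2 == 0) ? 0 : commanded;
        else                captured = readback[i % 8];
        if (ch_monitor_step(&m, commanded, captured) == CH_FAULT)
            return i;
    }
    return -1;
}

/* Safe analog acquisition: one sensor wired to two ADC modules of the same type.
 * 12-bit results; from sample 10 on, the monitoring channel wire is open and
 * reads a fixed value. Returns the sample index of the latched fault, or -1. */
int run_dual_adc(void)
{
    ch_monitor_t m;
    ch_monitor_init(&m, 40, 50000, 1000);    /* 40 LSB tolerance, FTTI 50 ms, 1 ms period -> limit 12 */
    for (int i = 0; i < 32; i++) {
        int32_t adc_a = 2000 + 10 * i;               /* constructed ramp on the mission channel */
        int32_t adc_b = adc_a + ((i % 2) ? -4 : 3);  /* same signal plus a few LSB of noise */
        if (i >= 10)
            adc_b = 1500;                            /* open wire on the monitoring channel */
        if (ch_monitor_step(&m, adc_a, adc_b) == CH_FAULT)
            return i;
    }
    return -1;
}

int main(void)
{
    printf("PWM healthy:      fault at %d\n", run_pwm_readback(0));
    printf("PWM stuck low:    fault at %d\n", run_pwm_readback(1));
    printf("PWM intermittent: fault at %d\n", run_pwm_readback(2));
    printf("dual ADC:         fault at %d\n", run_dual_adc());
    return 0;
}
```

The asymmetric counter (+2 on mismatch, −1 on agreement) is the point worth copying: a plain "N consecutive mismatches" rule never fires on an output that fails every second period, while this one latches the intermittent case well inside the 100 ms FTTI and still ignores a single glitch.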
In TC4x, redundancy checking of two inputs on ADC modules of the same type (TMADC + TMADC or DSADC + DSADC) gives an ASIL D safe analog input; an external single analog input that is split inside the chip into two channels (TMADC + TMADC, TMADC + DSADC or TMADC + FCC) for redundancy checking, or an external single input fed to a single internal ADC module, gives an ASIL B safe input. This is richer than the TC3x safe use cases and helps users design safe analog inputs at the required ASIL. Besides these enhancements and changes to the safety features, TC4x also adds new IP modules such as the PPU (parallel processing unit), LLI (low latency interconnect), PCIe, DRE (data routing engine), xSPI and AUDIO, all of which have top-level safety requirements and use cases, with the necessary safety mechanisms added accordingly.

5 OPTIREG TLF4x helps AURIX TC4x achieve ASIL D application designs

Both generations of Infineon power management ICs, TLF3x and TLF4x, have safety monitoring functions tailored to AURIX and provide the external safety measures AURIX requires: supply voltage monitoring, clock monitoring (watchdog) and monitoring of the SMU (safety management unit) alarm. The PMIC also gives the system a second shutdown path independent of the MCU, forming together with the MCU a minimal safety core that supports ASIL D functional safety requirements. Compared with TLF35584/5, the TLF4x series further optimizes and strengthens its functional safety architecture:

1. Built-in safety switch. The first-stage synchronous DC-DC converter (pre-buck) of the PMIC converts the high-voltage domain (12 V/24 V) to the low-voltage domain (