Every engineer would like to build a 100% fail-safe system, but that ideal is very hard to reach economically. Standards such as ISO 26262 and IEC 61508 therefore use probabilistic risk assessment when defining the functional safety level required of a safety-related system. They define the (Automotive) Safety Integrity Level (ASIL/SIL) to specify the attributes the system must have and the rigor of the engineering process needed to meet the relevant system certification requirements, including the definition of the system safety goals and the tolerated failure rate, the safety concept, and the safety architecture that allocates the functions to hardware and software so that the system continuously checks whether it is still operating correctly.

Traditionally, safety software, hardware and tools have been separate solutions, each covering some of the requirements but not integrated with one another. There is now an integrated PRO-SIL concept that provides a complete solution, achieving the functional safety objectives in an efficient and integrated way to minimize risk, save cost and reduce complexity.

The basic motivation for developing a "safe" system is to ensure safe operation and well-defined behavior when a fault is detected. Against this background the IEC 61508 standard was developed in the mid-1980s and is continuously being revised. It defines the design of safety systems built from electrical and electronic devices. Standards for specific domains are derived from this general standard: process automation (IEC 61511), machinery automation (ISO 13849), drives (IEC 61800-5), nuclear energy (IEC 61513) and automotive (ISO 26262, draft).
The measures needed to comply with IEC 61508 depend on the safety integrity level required for each hazard in the system (Table 1): SIL 1 to SIL 4 for automation applications and ASIL A to ASIL D for automotive applications.

Table 1: Safety integrity levels used for project safety certification in accordance with IEC 61508 or ISO 26262

Over the last two years, functional safety has shifted from the system integrator down to the component and software level. Simple electronic components as well as complex microprocessors must support IEC 61508. One of the most important, and often most time-consuming, challenges for system designers is to ensure the safety of the system: not only must the relevant certification be obtained at the top system level, the hardware and the software running on it must meet the same standard. IEC 61508 specifies detailed hardware management and test requirements, and writing safety-critical software to implement them is time-consuming, expensive and hard to reuse across devices.

Multiple CPUs: cost- and space-intensive

With a single-channel architecture built on a single microprocessor, the achievable safety integrity level is limited to SIL 2. SIL 3 or ASIL C/D systems and safety products have therefore used multi-CPU designs to handle self-testing and provide redundancy. That solution is complicated and expensive: it takes up a lot of PCB space, and the coverage is limited by synchronization and data-transfer problems between the two CPUs. The new approach adds dedicated external hardware blocks and a software library running on a standard dual-core 32-bit microprocessor to overcome the specified diagnostic coverage (DC) limits.
This solution uses a single microprocessor, reducing development effort and bill-of-material cost, and applies a smart safety concept with all relevant components, including self-test capabilities developed in accordance with IEC 61508/ISO 26262, so that safety-related systems can be built quickly and reliably. TriCore does not need an external second core to assess a malfunction of the microprocessor: the device already contains two cores, the TriCore CPU itself (microprocessor and DSP) and the Peripheral Control Processor (PCP) (Figure 1), so no external second core is required for the safety assessment.

Figure 1: TriCore block diagram; the PCP performs the self-test function

Complete design kit

There are various solutions on the market for building safety-critical applications. While most leading suppliers offer methods for automotive applications, the range of methods for other applications, including industrial ones, is still limited, and the choice of available devices is often narrow. Automotive systems have strict safety requirements. Infineon has built on its extensive experience in this field to develop the PRO-SIL safety products, meeting the ever-increasing demands of the industrial market with highly integrated safety solutions: the certified automotive solutions become readily available for other applications, across a variety of devices. PRO-SIL is based on the 32-bit TriCore or the 16-bit XC2300 microprocessor and includes the SafeTcore test library and the CIC61508 safety monitor chip (Figure 2). This setup is fully verified and fully compliant with IEC 61508.

Figure 2: Safety-related system with TriCore as the main controller, the safety monitoring chip (watchdog) and the SafeTcore test software library
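The watchdog-plus-self-test arrangement of Figure 2, as an added illustration that is not Infineon's SafeTcore or CIC61508 code (their actual protocol is not described on this page): a safety monitor challenges the main controller with a seed, the controller answers with a self-test result, and the monitor accepts the answer only inside a time window, latching a safe state on a wrong, early, late or missing answer. The mixing function, the 10..50 ms window and the delays are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model, not the CIC61508 protocol. A wrong, early, late or missing
 * answer to the monitor's challenge latches the safe state until reset. */
enum monitor_state { MON_OK = 0, MON_SAFE_STATE = 1 };

struct monitor {
    uint32_t seed, issued_at;        /* current challenge and its issue time (ms) */
    uint32_t window_min, window_max; /* acceptable answer delay (ms after issue) */
    enum monitor_state state;
};

/* Hypothetical mixing function (xorshift32 plus multiply-add). A real self-test
 * exercises the CPU's instruction set, so a faulty ALU yields a different value. */
static uint32_t expected_answer(uint32_t seed) {
    uint32_t x = seed;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return x * 0x9E3779B1u + 0x7F4A7C15u;
}

/* Main-controller side: the self-test routine that answers the challenge. */
uint32_t controller_self_test(uint32_t seed) { return expected_answer(seed); }

/* Monitor side, called when an answer arrives: it must be correct and in-window. */
enum monitor_state monitor_check(struct monitor *m, uint32_t answer, uint32_t now_ms) {
    uint32_t elapsed = now_ms - m->issued_at;
    bool in_window = elapsed >= m->window_min && elapsed <= m->window_max;
    if (!in_window || answer != expected_answer(m->seed))
        m->state = MON_SAFE_STATE;
    return m->state;
}

/* Monitor side, called periodically: a controller that never answers times out. */
enum monitor_state monitor_tick(struct monitor *m, uint32_t now_ms) {
    if (now_ms - m->issued_at > m->window_max)
        m->state = MON_SAFE_STATE;
    return m->state;
}

#define NO_ANSWER 0xFFFFFFFFu
/* Constructed scenario: challenge issued at t=0 with a 10..50 ms window; the
 * controller answers after delay_ms (NO_ANSWER = never), optionally corrupted. */
enum monitor_state simulate(uint32_t seed, uint32_t delay_ms, bool corrupt) {
    struct monitor m = { seed, 0, 10, 50, MON_OK };
    if (delay_ms == NO_ANSWER)
        return monitor_tick(&m, 51);
    return monitor_check(&m, controller_self_test(seed) ^ (corrupt ? 1u : 0u), delay_ms);
}
```

Link a main that calls simulate() with a healthy, a corrupted and a silent controller; only the healthy in-window answer leaves the monitor in MON_OK.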