Transcript of: ISO26262 compliant safe computing for 3-phase motor control (Infineon, Gui Kok-Cheng)
Slide 1 - Infineon - Gui Kok-Cheng
ISO26262 compliant safe computing for 3-phase motor control
International TÜV Rheinland Symposium in China, Functional Safety in Industrial Applications, 18 – 19 October 2011, Shanghai - China
Slide 2
Agenda
- ISO26262 compliant safe computing for 3-phase motor control
- Safety SW with no redundancy on inner loop
- Infineon safety computing platform
Slide 3
3-phase Motor Control Overview
- System overview
- Application software overview
[Figure: system and application software overview; inputs shown: CAN message (xEV), torque sensor (steering)]
Slide 4
3-phase Motor Control Software
- Motor control software is the kernel of the application
- Motor control inputs / outputs
  - Acquiring motor parameters: phase current, driver's wheel torque, motor speed, rotor position, steering wheel angle
  - Driving the inverter through PWM signals
- Motor control inner loop / outer loop
  - Inner loop runs at high rate, focused on the motor control loop
  - Outer loop runs at lower rate, involving external parameters (vehicle speed, driver's torque request)
- Motor control diagnostic SW: anomalous condition detection and error management
=> Motor control inner loop is the most CPU intensive SW
Slide 5
3-phase Motor Control Inputs / Outputs
- Motor control inputs / outputs cannot be 100% safe
  - Potential signal corruption between CPU core and MCU peripherals
  - This affects any MCU, be it lock-step or loosely coupled cores
- Error can be a soft error
  - Transient error (peripheral bus, peripheral)
  - Soft error can affect inputs / outputs
- Infineon approach
  - Do not focus only on MCU computing
  - Ensure the concept covers MCU inputs and MCU outputs as well
Slide 6
Safety Concept for Inputs
- Safety concept for inputs is valid for any MCU architecture: MCU may read erroneous inputs
- Focus is on redundant acquisitions with plausibility check
- Redundancy on acquisitions required
  - Redundant acquisitions SW + SW compare
  - Standard acquisition + state observer + SW compare
- Output of redundant acquisitions: safe inputs for SW components
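As an added example (not code from the slides or from Infineon), the two acquisition schemes on this slide in C: a redundant pair of readings compared in software, and a single reading checked against a simple rate-limiting state observer. The tolerances, the sample trace and the names (`acquire_redundant`, `acquire_observed`, `observer_t`) are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Infineon code. Two ways to produce a "safe input":
 *   1. two independent acquisitions of the same signal + SW compare
 *   2. one acquisition + a state observer (rate-limited prediction) + SW compare
 * Units and tolerances below are constructed for the example. */

typedef struct {
    int32_t value;  /* released value; meaningful only when safe == true */
    bool    safe;   /* plausibility check passed */
} safe_input_t;

/* Variant 1: redundant acquisitions. Both channels must agree within
 * tolerance, otherwise the value is withheld and the caller must react. */
safe_input_t acquire_redundant(int32_t ch1, int32_t ch2, int32_t tolerance)
{
    int32_t diff = ch1 > ch2 ? ch1 - ch2 : ch2 - ch1;
    safe_input_t out;
    out.safe  = diff <= tolerance;
    out.value = out.safe ? (ch1 + ch2) / 2 : 0;
    return out;
}

/* Variant 2: standard acquisition + state observer. The observer assumes the
 * physical signal cannot change by more than max_step between two periods;
 * a larger jump is not plausible and the last good value is held instead. */
typedef struct {
    int32_t last_good;
    bool    initialised;
} observer_t;

safe_input_t acquire_observed(observer_t *obs, int32_t sample, int32_t max_step)
{
    safe_input_t out;
    if (!obs->initialised) {            /* first sample seeds the observer */
        obs->last_good   = sample;
        obs->initialised = true;
    }
    int32_t diff = sample > obs->last_good ? sample - obs->last_good
                                           : obs->last_good - sample;
    out.safe = diff <= max_step;
    if (out.safe) {
        obs->last_good = sample;        /* observer tracks plausible values */
    }
    out.value = obs->last_good;         /* hold last good value on rejection */
    return out;
}

/* Replays a constructed torque-sensor trace with one corrupted sample and
 * returns how many samples the observer rejected (expected: 1). */
int demo_observer_rejections(void)
{
    static const int32_t trace[] = {500, 515, 900, 530, 545};  /* 900 = soft error */
    observer_t obs = {0, false};
    int rejected = 0;
    for (unsigned i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        safe_input_t in = acquire_observed(&obs, trace[i], 20);
        if (!in.safe) rejected++;
    }
    return rejected;
}

int main(void)
{
    safe_input_t t = acquire_redundant(1000, 1004, 10);
    printf("redundant: safe=%d value=%ld\n", t.safe, (long)t.value);
    printf("observer rejected %d samples\n", demo_observer_rejections());
    return 0;
}
```

The point of the `safe` flag is that downstream software (the inner loop) consumes only values that passed the check; what the error reaction looks like (hold, degrade, shut down) is decided by the application, not by the acquisition layer.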
Slide 7
Safety Concept for Outputs
- Safety concept for outputs is valid for any MCU architecture: MCU may produce erroneous outputs
- Application safety time: typ. 10 ms in EPS
  - Error (~100-200 µs) should be recoverable (no damage to power stage / actuator)
  - Availability: error should be short enough not to impact availability
- Focus is on having safe inputs and the ability to detect error conditions
[Figure: timeline of control loop periods (~100 µs - 200 µs), each marked OK except one marked KO. EPS use case: short term error in PWM outputs can happen with any MCU currently available in automotive]
Slide 8
Safety Critical Software
What is safety critical?
- Only acquisitions are critical
  - Reason: a transient error in acquisitions may generate effects over several inner loop periods
- Inner loop can be designed not to be safety critical
  - as it takes its inputs from safe functions (acquisitions, e.g. torque sensor)
  - as a transient (one time) error has an effect for only 1 inner loop period
  - if freedom from interference with other SW components is implemented (e.g. memory protection unit)
Slide 9
Summary (1)
- Motor control loop can be designed to avoid redundancy requirements on the inner loop
- Inner loop is the most CPU intensive task in a motor control application
- SW architecture approach allows
  - to avoid redundancy requirements on the inner loop
    - no need for hardware redundancy like lock-step in the inner loop: less power consumption / cost
  - to focus on key SW requirements for safety valid for any MCU architecture
    - freedom from interference among SW modules
    - system concept to have "safe input": redundant acquisition + plausibility check, use of state observer
Slide 10
Infineon Safety Computing Platform
Slide 11
Infineon Safety Computing Platform Introduction
Driving forces / Vision
- Think system: go beyond the MCU
- ISO26262 focus: identify system requirements
- Safety involves supervision: HW but also SW is part of supervision
Proposal = Infineon Safety Computing Platform
Slide 12
08.08.2011
Safety is a System Requirement
A chain is not stronger than its weakest link ...
Do not focus on 1 component only.
Slide 13
Infineon Safety Computing Platform: Concept Introduction
From MCU centric to system level approach
- HW = MCU, 2nd independent safety path, error management
- SW = MCU run time self tests, error management, task monitoring
[Figure: Safety Related System (SRS) block diagram - the system to control with sensors/acquisitions and power devices/actuations; the MCU with CPU core, CPU memories (Flash, RAMs), peripheral bus, peripheral bridge, acquisition peripherals and communication; CIC61508 monitoring as the independent path; software modules (main application, safing, SafeTcore lib) with freedom from interference between them]
Slide 14
Software architecture: ECU monitoring with 3 level concept
- The 3 level concept identifies
  - Level 1 = Main functionality
  - Level 2 = Process monitoring: plausibility check of all safety-relevant inputs, monitoring of level 1 error reaction
  - Level 3 = Processor monitoring: monitoring of processor functionality to ensure correct computation of level 2
Infineon TriCore™ SafeTcore library is covering Level 2 and Level 3
Slide 15
CIC61508: Safety Companion IC for TriCore™
- Principle
  - Challenge based safety watchdog with integrated monitors providing support for common cause of failure detection and reaction
  - Configurable behavior via calibration variables in non volatile memory
  - Up to 3 independent safety paths
[Figure: CIC61508 safety watchdog block diagram - control logic, opcode test sequencer and opcode test sequence in NVM, config checksum, ADC and voltage monitors, error state monitor, task monitor, safety path control and reset path control; connected via SPI and reset to a 32-bit MC (e.g. TriCore™), to the power supply (TLE 7368 or TLE 42xxx, Vbat, Vdd1 e.g. 5 V, Vdd2 e.g. 3.3 V) and to the application main switch providing the secured supply for actuators]
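As an added example (not code from the slides, and not the CIC61508's actual protocol), the challenge/response principle of a safety companion IC modelled in C: the monitor issues a question, the main MCU answers, and wrong or late answers drive a fault counter that eventually removes the actuator enable path. Question ids, the answer table, the fault limit and the function names are all constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Infineon code and not the CIC61508 protocol. It models
 * the principle of a challenge-based safety watchdog: the companion IC issues
 * a "question", the main MCU runs the corresponding "answer" test code and
 * replies; a wrong or late answer increments a fault counter and, at a
 * constructed threshold, the monitor disables the actuator safety path.
 * Question ids, expected answers and the threshold are constructed values. */

#define N_QUESTIONS 4
#define FAULT_LIMIT 2

/* The monitor's table of expected answers, one per question (constructed). */
static const uint16_t expected_answer[N_QUESTIONS] = {0x1A2B, 0x3C4D, 0x5E6F, 0x7081};

typedef struct {
    uint8_t next_question;       /* the challenge the monitor expects an answer to */
    uint8_t fault_count;         /* increments on failure, decrements on success */
    bool    safety_path_enabled; /* actuator enable path */
} monitor_t;

void monitor_init(monitor_t *m)
{
    m->next_question = 0;
    m->fault_count = 0;
    m->safety_path_enabled = true;
}

/* Monitor side: the challenge sent to the main MCU (e.g. over SPI). */
uint8_t monitor_challenge(const monitor_t *m) { return m->next_question; }

/* MCU side: a healthy MCU computes the answer by executing the test
 * sequence for that question; here the result is modelled as a lookup. */
uint16_t mcu_answer(uint8_t question) { return expected_answer[question % N_QUESTIONS]; }

/* Monitor side: verify the response. 'in_time' is false when the answer
 * missed the window. Returns true if the response was accepted. */
bool monitor_verify(monitor_t *m, uint8_t question, uint16_t answer, bool in_time)
{
    bool ok = in_time && question == m->next_question &&
              answer == expected_answer[question % N_QUESTIONS];
    if (ok) {
        if (m->fault_count > 0) m->fault_count--;        /* recover slowly */
    } else if (++m->fault_count >= FAULT_LIMIT) {
        m->safety_path_enabled = false;                  /* error reaction */
    }
    m->next_question = (uint8_t)((m->next_question + 1) % N_QUESTIONS);
    return ok;
}

/* Scenario 1: healthy MCU for 8 cycles; returns the fault count (expected 0). */
int scenario_healthy(void)
{
    monitor_t m;
    monitor_init(&m);
    for (int i = 0; i < 8; i++) {
        uint8_t q = monitor_challenge(&m);
        monitor_verify(&m, q, mcu_answer(q), true);
    }
    return m.fault_count;
}

/* Scenario 2: MCU answers correctly 3 times, then gives a corrupted answer
 * and then misses the window; returns whether the safety path is still
 * enabled afterwards (expected: false). */
bool scenario_faulty(void)
{
    monitor_t m;
    monitor_init(&m);
    for (int i = 0; i < 3; i++) {
        uint8_t q = monitor_challenge(&m);
        monitor_verify(&m, q, mcu_answer(q), true);
    }
    uint8_t q = monitor_challenge(&m);
    monitor_verify(&m, q, (uint16_t)(mcu_answer(q) ^ 0x0001), true); /* bit flip */
    q = monitor_challenge(&m);
    monitor_verify(&m, q, mcu_answer(q), false);                      /* too late */
    return m.safety_path_enabled;
}

int main(void)
{
    printf("healthy faults=%d, faulty path enabled=%d\n", scenario_healthy(), scenario_faulty());
    return 0;
}
```

Two design points carry over to any real companion IC: the monitor must own the expected answers (the MCU cannot answer a question it did not run the test code for), and the question order is enforced, so a stuck MCU replaying an old answer is caught as well as a wrong one.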
Slide 16
Software Architecture: Task Monitoring
- ISO26262: task monitoring covering scheduling and timing is required to ensure the integrity of critical tasks (freedom from interference)
- Task monitoring is supported by AUTOSAR, but needs CPU load (e.g. 10% for task timing protection)
- TriCore™ SafeTcore library: task monitoring is performed by the PCP without CPU load!
Slide 17
Task Monitor Sequence Example
- Task A, Task C, Task D monitored; task deadlines configured per task
- Task sequence configured to match the extract of safety relevant tasks from the AUTOSAR schedule table
- PCP holds a copy of the schedule table of TriCore™ tasks which relate to safety goals
- Task monitor called by native API in AUTOSAR OS
[Figure: timeline from 0 ms to 5 ms showing Activate C / Terminate C, Activate A / Terminate A, Activate D / Terminate D and Activate D1 / Terminate D1 for the monitored tasks, with Task B and an interrupt task shown as unmonitored tasks]
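As an added example (not the PCP task monitor from the slides, nor Infineon code), a task monitor in C that keeps its own copy of the expected task sequence with a deadline per task, consumes Activate/Terminate events, ignores tasks outside the safety extract and counts order and deadline violations. The task letters follow the slide; the deadlines, event times and names (`tm_event`, `tm_replay`, scenario functions) are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not Infineon's PCP task monitor. The monitor holds a copy
 * of the expected order of safety-relevant tasks with a deadline per task,
 * is fed Activate/Terminate events from the OS, ignores unmonitored tasks and
 * counts order and deadline violations. Deadlines and times are constructed. */

typedef enum { EV_ACTIVATE, EV_TERMINATE } ev_kind_t;

typedef struct {
    ev_kind_t kind;
    char      task;  /* 'A', 'B', 'C', 'D', 'I' (interrupt task) */
    uint32_t  t_us;  /* event time in microseconds */
} event_t;

#define N_SEQ 3
static const char     expected_seq[N_SEQ] = {'C', 'A', 'D'};  /* extract of schedule table */
static const uint32_t deadline_us[N_SEQ]  = {500, 800, 1500}; /* max run time per task */

typedef struct {
    uint8_t  idx;        /* position in expected sequence */
    bool     running;    /* a monitored task is currently active */
    uint32_t start_us;
    uint32_t violations;
} task_monitor_t;

static bool is_monitored(char task)
{
    for (int i = 0; i < N_SEQ; i++) if (expected_seq[i] == task) return true;
    return false;
}

void tm_init(task_monitor_t *m) { m->idx = 0; m->running = false; m->start_us = 0; m->violations = 0; }

void tm_event(task_monitor_t *m, const event_t *e)
{
    if (!is_monitored(e->task)) return;          /* Task B, interrupts: not in the safety extract */
    char expected = expected_seq[m->idx];
    if (e->kind == EV_ACTIVATE) {
        if (m->running || e->task != expected) m->violations++;   /* out of order / nested */
        m->running  = true;
        m->start_us = e->t_us;
    } else {
        if (!m->running || e->task != expected) m->violations++;  /* out of order */
        else if (e->t_us - m->start_us > deadline_us[m->idx]) m->violations++; /* deadline missed */
        m->running = false;
        m->idx = (uint8_t)((m->idx + 1) % N_SEQ);
    }
}

uint32_t tm_replay(const event_t *ev, size_t n)
{
    task_monitor_t m;
    tm_init(&m);
    for (size_t i = 0; i < n; i++) tm_event(&m, &ev[i]);
    return m.violations;
}

/* Nominal cycle with unmonitored Task B and an interrupt interleaved. Expected: 0 violations. */
uint32_t scenario_nominal(void)
{
    static const event_t ev[] = {
        {EV_ACTIVATE, 'C', 0},    {EV_TERMINATE, 'C', 300},
        {EV_ACTIVATE, 'B', 310},  {EV_TERMINATE, 'B', 380},
        {EV_ACTIVATE, 'A', 400},  {EV_ACTIVATE, 'I', 450}, {EV_TERMINATE, 'I', 470},
        {EV_TERMINATE, 'A', 1000},
        {EV_ACTIVATE, 'D', 1100}, {EV_TERMINATE, 'D', 2000},
    };
    return tm_replay(ev, sizeof ev / sizeof ev[0]);
}

/* Task D overruns its 1500 us deadline. Expected: 1 violation. */
uint32_t scenario_overrun(void)
{
    static const event_t ev[] = {
        {EV_ACTIVATE, 'C', 0},    {EV_TERMINATE, 'C', 300},
        {EV_ACTIVATE, 'A', 400},  {EV_TERMINATE, 'A', 1000},
        {EV_ACTIVATE, 'D', 1100}, {EV_TERMINATE, 'D', 2700},
    };
    return tm_replay(ev, sizeof ev / sizeof ev[0]);
}

int main(void)
{
    printf("nominal violations=%lu, overrun violations=%lu\n",
           (unsigned long)scenario_nominal(), (unsigned long)scenario_overrun());
    return 0;
}
```

Running the monitor on a separate processing unit (the PCP on the slide) matters for two reasons this model makes visible: the timestamps and the sequence copy are not writable by the tasks being judged, and a task that overruns cannot starve the code that would report it.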
Slide 18
Redundancy and ISO26262
- 3 redundant methods have "high" coverage ranking in ISO26262
- Infineon safety concept for TC1724: software diversified redundancy (one hardware channel)
  - Same software executed twice
  - Comparison performed by TriCore™
  - TriCore™ data compare is monitored by PCP
- Additional measure for TC1724: high coverage power-on self tests + periodic CPU self tests (SBST); self tests checked by CIC61508
- Concept reviewed and validated SIL3 compliant by TÜV
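As an added example (not the TC1724 concept code from the slides, nor Infineon code), software diversified redundancy on one hardware channel in C: one computation executed twice with diversified code and data representation, a software compare, and a counter that an external monitor can read to confirm the compare actually ran. The duty-scaling function, the `fault_mask` parameter used to inject a soft error, and all names are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Infineon's TC1724 concept code. It shows the principle
 * of software diversified redundancy on one hardware channel: the same
 * computation (here a constructed torque-request to PWM-duty scaling) is
 * executed twice with diversified code and data representation, the two
 * results are compared in software, and a counter lets an external monitor
 * (the PCP role on the slide) verify that the compare ran each cycle.
 * The fault_mask parameter exists only to inject a soft error for the demo. */

/* Channel 1: straightforward computation. */
int32_t duty_primary(int32_t torque_req, int32_t gain_pct)
{
    return (torque_req * gain_pct) / 100;
}

/* Channel 2: same algorithm on negated data with the operations reordered,
 * so a single software fault is less likely to hit both paths identically.
 * C99 integer division truncates toward zero, so the result is identical. */
int32_t duty_diverse(int32_t torque_req, int32_t gain_pct)
{
    int32_t neg = -torque_req;
    int32_t r   = (gain_pct * neg) / 100;
    return -r;
}

typedef struct {
    int32_t duty;
    bool    valid;  /* false when the two channels disagree */
} duty_result_t;

static uint32_t compare_count = 0;  /* read by the monitor to confirm the compare executed */

uint32_t compare_runs(void) { return compare_count; }

/* Executes both channels, compares, and releases the duty only on agreement.
 * A non-zero fault_mask flips bits in channel 1 to simulate a soft error. */
duty_result_t compute_duty_safe(int32_t torque_req, int32_t gain_pct, uint32_t fault_mask)
{
    int32_t a = (int32_t)((uint32_t)duty_primary(torque_req, gain_pct) ^ fault_mask);
    int32_t b = duty_diverse(torque_req, gain_pct);
    compare_count++;
    duty_result_t r;
    r.valid = (a == b);
    r.duty  = r.valid ? a : 0;   /* safe state: zero duty on mismatch */
    return r;
}

int main(void)
{
    duty_result_t ok  = compute_duty_safe(5000, 20, 0);
    duty_result_t bad = compute_duty_safe(5000, 20, 0x10);
    printf("ok: valid=%d duty=%ld\n", ok.valid, (long)ok.duty);
    printf("fault injected: valid=%d duty=%ld, compares=%lu\n",
           bad.valid, (long)bad.duty, (unsigned long)compare_runs());
    return 0;
}
```

The compare itself is a single point of failure on one hardware channel, which is why the slide has the PCP monitor the TriCore™ data compare; `compare_runs()` is the hook such a monitor would poll, and a counter that stops advancing is treated as a failed compare.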
Slide 19
ISO26262 Requirements: MCU and beyond
- Processing unit
  - Single hardware channel possible
  - Challenge response based diagnostic
  - HW for stack over/under flow
- Freedom from interference
  - MPU to be managed by SW having the highest safety integrity level
  - Task monitoring: schedule, timing protection
- Self tests managed by hardware channel
- External error facility
Slide 20
Infineon - Your expert to achieve ASIL-D
Hardware
- 32-bit microcontroller: AUDO FUTURE / AUDO MAX µC TriCore™
- Safety watchdog: CIC61508, hardware channel for error management, based on 8-bit µC
Software
- SafeTcore SW: runs the "answer" SW on the µC, provided in source code
- Monitor SW: runs the "question" SW to the µC, SW on ROM mask
[Figure: TriCore™ safety computing platform, hardware and software columns]
Slide 21
Infineon - Your expert to achieve ASIL-D
ASIL D safety computing platform
Hardware
- TriCore™ (dual core): ASIL D
- TriCore™ + CIC61508: ASIL D, 32-bit microcontroller with proven safety monitor with error management
Software
- TriCore™: CMMI Level 3 SafeTcore lib, CPU safety SW: self-tests + OS monitor + system monitor
- TriCore™ AUTOSAR supporting ASIL D application
Slide 22
Infineon provides scalable ASIL-roadmap
Up to 100 MIPS (XC2000 / 16-bit MCU):
- QM: XC23xx + TLE4678
- ASIL B support: XC23xx + TLE4678 + SBST (self tests part of the SafeTcore library)
- ASIL C support: XC23xx + 1x TLE4287 + CIC61508 + full implementation of SafeTcore library
- ASIL D support: XC23xx + 2x TLE42344 + CIC61508 + full implementation of SafeTcore library
80 up to 400 MIPS (TriCore™ / 32-bit MCU):
- QM: TC17xx + TLE7368
- ASIL B support: TC172x + TLE7368 + SBST (self tests part of the SafeTcore library)
- ASIL C support: TC172x + CIC61508 + TLE42754 + full implementation of SafeTcore library, or (TC17xx + TLE7368 + CIC61508)
- ASIL D support: TC172x + CIC61508 + (TLE42744 + TLE42344) + full implementation of SafeTcore library, or (TC17xx + TLE7368 + CIC61508)
Safety computing platform facilitates ASIL-D from low cost to high performance applications
Slide 23
AUDO MAX Overview, May 2011
[Figure: chart of AUDO MAX devices by flash size (0.5 MB, 1 MB, 1.5 MB, 2.5 MB, 4 MB) and package (LQFP144, LQFP176, LFBGA292, LBGA416, LFBGA516): TC1724 80/133 MHz, TC1728 133 MHz, TC1782 180 MHz, TC1784 180 MHz, TC1791 240 MHz, TC1793 270 MHz, TC1798 300 MHz]
Chassis applications
- EPS (Electric Power Steering)
- ABS
- Airbag with sensor cluster
- Vehicle Stability Control (VSC)
- Damping systems
- Domain Control Unit (DCU): safety domain control system
- Long range RADAR 77 GHz
- Short range RADAR 24 GHz
- Camera based systems
Slide 24
XC2300 Safety Roadmap: high scalability guarantees best cost performance ratio
[Figure: chart of XC2300 devices by flash size (64 kB, 128 kB, 256 kB, 384 kB, 512 kB, 768 kB, 1 MB) and pin count (38, 48, 64, 100, 144 pin): XC2310S 20-40 MHz, XC2320S 20-40 MHz, XC232xD 20-66 MHz, XC233xD 20-66 MHz, XC2336A 20-80 MHz, XC2336B 20-80 MHz, XC236xA 66-80 MHz, XC236xB 40-80 MHz, XC236xE 80-128 MHz, XC238xA 66-80 MHz, XC238xC 80-100 MHz, XC238xE 80-128 MHz; application examples ABS and low dynamic ESC]
Seamless and flexible hardware scalability; seamless software scalability
Slide 25
TriCore™ Safety computing platform - single supplier of complete package -
HW Features
- MPU for TriCore™, DMA, PCP
- RAM/FLASH ECC
- Enhanced CRC
- Bus Error Detection
- Safe DMA
- SSC Guardian
- Time-Triggered CAN
- Spatial redundancy CAPCOM6, GPT12, ADC
Documentation
- FMEDA (Failure Mode Effect and Diagnostic Analysis)
- CCA (Common Cause Analysis)
- FTA (Fault Tree Analysis)
- Proof of diagnostic coverage
- Safety manual
- Safety case report
Software
- SafeTcore SW supporting CIC61508
- CPU self-tests (part of SafeTcore)
Watchdog
- CIC61508
- Hardware channel for self tests, error management and common cause failure monitor (clock, voltage)
- Independent MC supervision
- 3 independent safety enable paths
Significant reduction of effort at the customer, faster time-to-market
Slide 26
Your safe choice: Infineon PRO-SIL™
The PRO-SIL™ trademark designates products which contain SIL supporting features
Slide 27
Summary (2)
- Infineon commitment to excellence in safety: 5 years of PRO-SIL™
- Infineon Safety Computing Platform
  - Breakthrough in safety
  - Complete safety infrastructure: HW, SW, safety documentation
  - Fast time to market
  - Available for TriCore™ and for XC23xx MCUs
  - Concept already used at several Tier 1s and OEMs