
Monday, January 18, 2010

Toshiba certifies Cortex-M3 controller to SIL3

ARM Cortex-M3 MCU designed with Yogitech methodology to IEC 61508 and ISO 26262



Toshiba Electronics Europe (TEE) has developed a microcontroller that can be certified to Safety Integrity Level 3 (SIL3) under IEC 61508 and Automotive Safety Integrity Level D (ASILD) under ISO 26262, while significantly reducing the associated system cost and performance overheads.
The Toshiba SIL3/ASILD implementation delivers a more cost-effective solution than alternative methods: a smaller chip, a smaller program footprint and better performance than conventional dual-core lock-step designs. It is based on a hardware architecture that reduces both the overhead of the safety mechanisms and their fault-detection latency. Detailed diagnostic information, and the ability to configure the reaction according to the severity of the error, allow new system approaches that target higher availability.
TEE worked closely with Yogitech, a company specialising in functional safety, and used Yogitech's fRMethodology assessment flow and library of intellectual property blocks (fRIPs) in its solution. The fRMethodology is a "white box" approach used to perform functional safety analysis and safety-oriented architectural exploration of the MCU in compliance with IEC 61508 or ISO 26262.
The MCU was split into sensitive zones; failure rates were computed for each zone and then used to calculate safety metrics (for example the diagnostic coverage) and to decide the chip architecture. The result was validated in detail by fault injection. The fRIPs, certified by TÜV SÜD, are small hardware supervisors, each designed for one MCU sub-block (e.g. CPU, memory), which they supervise with architectural and functional diversity from the block they watch. Other peripheral functions on the chip are monitored by Toshiba's own hardware diagnostic circuits.
Functional-safety-related system components generally employ duplicated CPU cores (homogeneous redundancy): a "mission" core runs the application software and an identical "monitor" core guards the system against dangerous faults in the mission core. A conventional dual-core lock-step SIL3/ASILD approach has to add further protective features, such as a guard ring, a separate supply voltage, and synthesis and timing diversity, which increase chip and program size significantly and impact system performance. Moreover, because both cores share the same design, homogeneous redundancy remains prone to systematic faults: a design bug present in one core is present in the other as well and is not revealed by comparing their outputs.
The fRMethodology allowed Yogitech to identify the critical zones in the mission core, yielding the specification of a monitor core that executes the same instructions as the mission core while omitting operations that do not need to be checked. This led to a separate, optimised monitor core (the fRCPU) that eliminates unnecessary hardware overhead and, being a different design from the mission core, avoids shared systematic faults and significantly reduces the possibility of common-cause failures. The fRCPU that Toshiba implemented alongside the ARM Cortex-M3 in the MCU has a gate count up to 58% smaller than that of the mission core.
The run-time supervision provided by the fRCPU hardware gives high diagnostic coverage for transient faults, while the short detection latency (through a dedicated interface between the ARM Cortex-M3 and the fRCPU) allows failed operations to be handled before their effects propagate. There are also measures on chip to avoid latent faults, for example built-in self-test of the supervisor circuits and a "scrub and repair" function that corrects bit flips in memories before a second flip in the same word would make them uncorrectable.
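As an added illustration of the zone-based analysis described above (this is example code, not Toshiba's or Yogitech's tooling, and the zone table is constructed with hypothetical FIT rates and coverage figures), the following C program aggregates per-zone failure rates into the IEC 61508 diagnostic coverage (DC) and safe failure fraction (SFF), and reports which zone contributes most of the undetected dangerous failure rate. The zone names, the `safe_frac` field and the `worst_zone` helper are assumptions made for the example.

```c
#include <stdio.h>

/* One sensitive zone of the MCU. Rates are in FIT (failures per 1e9 hours).
 * safe_frac is the share of the zone's failures that are safe (cannot affect
 * the safety function); dc is the zone's diagnostic coverage, e.g. as measured
 * by fault injection. All values used below are constructed for illustration. */
struct zone {
    const char *name;
    double lambda_fit;
    double safe_frac;
    double dc;
};

/* Aggregate metrics, using the IEC 61508 definitions:
 *   lambda_S  safe failure rate
 *   lambda_DD dangerous failures detected by a diagnostic
 *   lambda_DU dangerous failures left undetected
 *   DC  = lambda_DD / (lambda_DD + lambda_DU)
 *   SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU) */
struct metrics {
    double lambda_s, lambda_dd, lambda_du, dc, sff;
};

struct metrics compute_metrics(const struct zone *z, int n) {
    struct metrics m = {0.0, 0.0, 0.0, 0.0, 0.0};
    for (int i = 0; i < n; i++) {
        double safe = z[i].lambda_fit * z[i].safe_frac;
        double dangerous = z[i].lambda_fit - safe;
        m.lambda_s  += safe;
        m.lambda_dd += dangerous * z[i].dc;
        m.lambda_du += dangerous * (1.0 - z[i].dc);
    }
    m.dc  = m.lambda_dd / (m.lambda_dd + m.lambda_du);
    m.sff = (m.lambda_s + m.lambda_dd) / (m.lambda_s + m.lambda_dd + m.lambda_du);
    return m;
}

/* Index of the zone contributing the most undetected dangerous failures,
 * i.e. the zone whose supervision most needs improving (hypothetical helper). */
int worst_zone(const struct zone *z, int n) {
    int worst = 0;
    double worst_du = -1.0;
    for (int i = 0; i < n; i++) {
        double du = z[i].lambda_fit * (1.0 - z[i].safe_frac) * (1.0 - z[i].dc);
        if (du > worst_du) { worst_du = du; worst = i; }
    }
    return worst;
}

/* Constructed zone table: hypothetical numbers, not Toshiba's or Yogitech's figures. */
const struct zone DEMO_ZONES[4] = {
    {"CPU (fRCPU supervised)",  40.0, 0.5, 0.99},
    {"RAM (ECC + scrub)",       60.0, 0.2, 0.995},
    {"Flash (ECC)",             30.0, 0.3, 0.99},
    {"Peripheral (no monitor)", 20.0, 0.5, 0.60},
};
const int DEMO_ZONE_COUNT = 4;

int main(void) {
    struct metrics m = compute_metrics(DEMO_ZONES, DEMO_ZONE_COUNT);
    printf("lambda_S=%.2f FIT  lambda_DD=%.2f FIT  lambda_DU=%.2f FIT\n",
           m.lambda_s, m.lambda_dd, m.lambda_du);
    printf("DC=%.4f  SFF=%.4f\n", m.dc, m.sff);
    printf("largest undetected contribution: %s\n",
           DEMO_ZONES[worst_zone(DEMO_ZONES, DEMO_ZONE_COUNT)].name);
    return 0;
}
```

With these constructed numbers the three supervised zones together leave under 0.7 FIT undetected, while the one unmonitored peripheral zone alone leaves 4 FIT undetected and pulls the overall DC down to about 95%; that is the kind of result that drives the decision of where to spend diagnostic hardware.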
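To make the "scrub and repair" idea concrete, here is an added C example (not Toshiba's chip logic; the code layout, function names and the memory contents are assumptions made for this illustration) of a SECDED-protected memory with a scrub pass. Each byte is stored as a Hamming(12,8) codeword plus an overall parity bit, so one flipped bit is located and repaired in place, while two flipped bits in the same word are detected but cannot be repaired. The scrub pass walks the whole array and writes back every corrected word, which is what keeps a single transient flip from lingering as a latent fault until a second flip lands in the same word. The `inject_bit_flip` helper stands in for fault injection.

```c
#include <stdint.h>
#include <stdio.h>

/* Codeword layout in a uint16_t, bit index = Hamming position:
 *   bit 0                    overall parity (turns SEC into SECDED)
 *   bits 1,2,4,8             Hamming check bits
 *   bits 3,5,6,7,9,10,11,12  data bits d0..d7
 * Bits 13-15 are unused. */
static const int DATA_POS[8] = {3, 5, 6, 7, 9, 10, 11, 12};
#define CW_MASK 0x1FFFu

enum scrub_result { SCRUB_CLEAN = 0, SCRUB_CORRECTED = 1, SCRUB_UNCORRECTABLE = 2 };

/* 1 if w has an odd number of set bits */
static int parity16(uint16_t w) {
    w ^= (uint16_t)(w >> 8); w ^= (uint16_t)(w >> 4);
    w ^= (uint16_t)(w >> 2); w ^= (uint16_t)(w >> 1);
    return w & 1;
}

uint16_t secded_encode(uint8_t data) {
    uint16_t cw = 0;
    for (int i = 0; i < 8; i++)
        if (data & (1u << i)) cw |= (uint16_t)(1u << DATA_POS[i]);
    /* check bit p covers every position i with (i & p) != 0 */
    for (int p = 1; p <= 8; p <<= 1) {
        int acc = 0;
        for (int i = 1; i <= 12; i++)
            if ((i & p) && (cw & (1u << i))) acc ^= 1;
        if (acc) cw |= (uint16_t)(1u << p);
    }
    if (parity16(cw)) cw |= 1u;      /* make positions 0..12 even parity */
    return cw;
}

/* Decodes *cw into *data. One flipped bit (any position 0..12) is repaired in
 * place; two flipped bits are reported but cannot be repaired. */
enum scrub_result secded_decode(uint16_t *cw, uint8_t *data) {
    uint16_t w = *cw & CW_MASK;
    int syndrome = 0;
    for (int i = 1; i <= 12; i++)
        if (w & (1u << i)) syndrome ^= i;
    int odd = parity16(w);
    enum scrub_result r;
    if (syndrome == 0 && !odd) {
        r = SCRUB_CLEAN;
    } else if (odd && syndrome <= 12) {
        /* odd overall parity: a single flip, located by the syndrome (0 = parity bit itself) */
        w ^= (uint16_t)(1u << syndrome);
        r = SCRUB_CORRECTED;
    } else {
        /* even parity with a non-zero syndrome: two flips, beyond what SECDED can repair */
        r = SCRUB_UNCORRECTABLE;
    }
    *cw = w;
    uint8_t d = 0;
    for (int i = 0; i < 8; i++)
        if (w & (1u << DATA_POS[i])) d |= (uint8_t)(1u << i);
    *data = d;
    return r;
}

struct scrub_stats { unsigned corrected; unsigned uncorrectable; };

/* The scrub pass: read every word and write back any corrected one, so a single
 * flip is removed before a second flip in the same word makes it uncorrectable. */
struct scrub_stats scrub_memory(uint16_t *mem, size_t n) {
    struct scrub_stats st = {0, 0};
    for (size_t i = 0; i < n; i++) {
        uint8_t d;
        enum scrub_result r = secded_decode(&mem[i], &d);
        if (r == SCRUB_CORRECTED) st.corrected++;
        else if (r == SCRUB_UNCORRECTABLE) st.uncorrectable++;
    }
    return st;
}

/* Fault-injection helper (hypothetical): flip one bit (0..12) of one stored word. */
void inject_bit_flip(uint16_t *mem, size_t idx, int bit) {
    mem[idx] ^= (uint16_t)(1u << bit);
}

/* Encode data, apply up to two injected flips (-1 = none), decode.
 * Returns the SCRUB_* result when the data survives, or -1 on silent corruption. */
int secded_check(uint8_t data, int flip_a, int flip_b) {
    uint16_t cw = secded_encode(data);
    if (flip_a >= 0) cw ^= (uint16_t)(1u << flip_a);
    if (flip_b >= 0) cw ^= (uint16_t)(1u << flip_b);
    uint8_t out;
    enum scrub_result r = secded_decode(&cw, &out);
    if (r == SCRUB_UNCORRECTABLE) return SCRUB_UNCORRECTABLE;
    return out == data ? (int)r : -1;
}

/* Constructed scenario: eight words, one single flip, one double flip, then a scrub. */
struct scrub_stats demo_scrub(void) {
    uint16_t mem[8];
    for (int i = 0; i < 8; i++) mem[i] = secded_encode((uint8_t)(0x10 * i + 3));
    inject_bit_flip(mem, 2, 6);   /* transient single flip: the scrub repairs it */
    inject_bit_flip(mem, 5, 3);   /* two flips accumulated in one word because no */
    inject_bit_flip(mem, 5, 9);   /* scrub ran in between: detected, not repaired */
    return scrub_memory(mem, 8);
}

int main(void) {
    struct scrub_stats st = demo_scrub();
    printf("scrub: %u corrected, %u uncorrectable\n", st.corrected, st.uncorrectable);
    return 0;
}
```

The scrub interval is the security-relevant knob: the probability that word 5 ends up uncorrectable is the probability that two flips hit it between two scrub passes, so shortening the interval (or scrubbing the most critical regions more often) is what turns a detectable double-bit error back into a correctable single-bit one.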
The Toshiba TSB-TC SIL3/ASILD test chip is available now for evaluation by selected partners. It has received a Technical Report I from TÜV SÜD for SIL3 functional safety operation. In addition to typical automotive peripheral functions such as FlexRay and CAN, it offers an operating temperature range of -40 to +125 degrees Celsius.