Mastering Functional Safety and ISO-26262
Renesas Electronics America Inc.
2012 Renesas Electronics America Inc. All rights reserved.
Renesas Technology & Solution Portfolio
Microcontroller and Microprocessor Line-up
[Chart: 2010 to 2013 line-up of 32-bit and 8/16-bit families by market (automotive, industrial), process node (150nm, 130nm, 90nm, 65nm, 40nm) and performance class (10 DMIPS capacitive touch, 25 DMIPS low power, 44 DMIPS true low power, 165 DMIPS with FPU/DSC, 500 DMIPS low power, 1200 DMIPS performance and superscalar, wide-format LCD support, high scalability and high reliability), with active currents from 144µA/MHz to 1mA/MHz and standby currents from 0.2µA to 100µA; also an embedded security ASSP]
Enabling The Smart Society
Cars and trucks are clearly one of the biggest elements of the smart society, with many dramatic innovations.
Challenge:
How to develop these innovations safely and in full compliance with ISO 26262
Solution:
Renesas has extensive expertise in ISO 26262, a set of microcontrollers developed in compliance with the standard, and the expertise to assist customers in applying these microcontrollers
Renesas experience in complying with ISO26262
Our first experiences
Gaining internal expertise
Key challenges and the IEC 61508 effect
Renesas approach toward functional safety
How we planned Automotive MCU for ISO26262
Conclusion
Our First Experiences
The first projects
Addressing faults has always been a priority for Renesas
Zero defects: our key policy for systematic faults
Minimal FIT: our key policy for random faults
Involvement in and promotion of solutions to address remaining risks: our key strength
Renesas is always in the driver's seat
Renesas has always been a key supplier of solutions for safety applications
With the emerging requirements for safety compliance, Renesas has invested since 2005 to have proven products
First priority: DCLS MCUs targeting IEC61508 SIL3 requirements
DCLS: Dual Core Lock Step
Px4 and SH7226
Dual Core Lock Step MCUs for Chassis applications
SIL3 and ASIL D capabilities confirmed by TUV-SUD
Example of results achieved:
SFF > 99.84% (SIL3: > 99%)
PFH = 2.553 * 10^-10 (SIL3: < 10^-7)
[Block diagram: two SH-2A CPUs (CPU_1 master, CPU_2 slave), each with its own interrupt controller (INT_1/INT_2), ROM I/F, ROMC, RAM I/F, RAM ECC, DMAC and I-Bus/P-Bus bridges, sharing the FLASH ROM and on-chip RAM; a comparator module checks the following between master and slave: CPU (F, M-Bus), interrupts, ROM I/F (ROM read), ROMC (F, M, I-Bus), RAM I/F (F, M, I-Bus) and RAM ECC; buses: F-Bus, C-Bus (32-bit), M-Bus (32-bit), I-Bus (32-bit), P-Bus (16-bit); other blocks: MISG, AUD, JTAG, UBC, and the peripherals RSPI, MTU, A/D, RCAN, SCI, GPIO]
Renesas contribution to standardisation
2005 German national group for IEC61508
2005 UK and Japanese national groups for ISO26262
2009 International group for ISO26262
2011 SAE safety working group
Key challenges and the IEC 61508 effect
Need for internal expertise
Functional safety is a complex topic
Functional safety standards are difficult to master
Further challenges
ISO26262 can lead to multiple interpretations
Many companies/consultants were (and still are) very much IEC61508 focused
But automotive has different constraints to consider
Often the concepts of safety, availability and reliability are mixed up
It must always work. Then it needs to comply with ISO26262!
ISO26262 terminology is still often read with IEC61508 eyes, leading to many misunderstandings, e.g.:
IEC61508: Item is an element of the final Control System
ISO26262: Item is the final system at vehicle level
In-house expertise is required to make the right judgements
Understand own responsibilities
ISO26262 addresses the complete product safety lifecycle
Each part is dedicated to a certain aspect of the lifecycle
[Diagram: ISO26262 lifecycle V-model with activities labelled by part: safety management (Part 2); item definition, hazard and risk assessment, safety goal and safety concepts (Part 3); system technical safety requirements and concept, system design specification (including HSI), system integration and testing, system (safety) verification, item integration and testing, item safety validation and safety assessment (Part 4); HW safety requirement specification and HSI, HW design specification, HW design, HW verification and HW production (Part 5); SW design and SW verification (Part 6); production and release (Part 7); supporting processes (Part 8); impact analysis, ASIL and safety analysis (Part 9)]
How to prepare a tailored program for Renesas?
Which part is relevant to Renesas?
Address the key challenges:
Specifications misunderstanding
Safety concepts
Computation of HW metrics
Dependent failures
Interface to our customers
How to make sure specifications are clearly understood?
How to address gaps in application know-how to define the right assumptions?
"The safety analyses shall be performed in accordance with appropriate standards or guidelines" (ISO26262-9 8.4.1). Which guidelines should be used?
How to perform dependency analysis and overcome Beta IC contamination?
How to simplify selection of components for our customers?
How to flexibly adjust results to proprietary application profiles?
Renesas approach toward functional safety
Creation of internal expertise: from learning to mastering
First exposure: acquired initial background on safety requirements; worked with market leaders in the area; single DCLS MCU for EPS
Gain of confidence: exposure to system aspects; selected a group of experts in Renesas to join the ISO26262 and IEC61508 WGs; MCU + ASIC solution for airbag; focus on IEC61508
Strategy definition: definition of the internal safety approach; received acceptance from the market
Biz as usual: compliance as part of normal daily work; continuing cooperation in the ISO (and IEC) WGs to improve safety in general; all new products; focus on ISO26262
First required enhancements
Functional safety requires enhancing:
Organisation: WW marketing teams, specification definition teams and component development teams, plus an Independent Safety Group (confirmation reviews and technical functional safety assessments) and QA (functional safety audits and process functional safety assessments)
Development flow: project definition -> project classification gate -> concept gate -> specification -> front-end gate -> design & verification -> back-end gate -> layout & verification -> qualification gate -> fabrication & testing -> MP gate -> MP request, with work products 1 ... m ... n produced along the flow
ISO26262 approaches for element development and their relevance
An element can be:
1. Already existing in the market (COTS)
Mainly standard components such as sensors, etc.
A (safety) qualification is required prior to using it
2. Already existing and PIU
E.g. used already in a very similar application for several years
Precise and accurate field data are required to claim this class!
3. Developed specifically for the target item (in context)
Clear specification defined by the customer
ISO26262 shall be adopted as the state-of-the-art flow
Development also known as Distributed Development (DD)
4. Developed for more than one usage (out of context or SEooC)
The component developer tries to address requirements from major target customers
ISO26262 shall be adopted as the state-of-the-art flow, even if some deviations with respect to 3 apply
COTS: Commercial Off The Shelf
PIU: Proven In Use
SEooC: Safety Element out of Context
ISO26262 tailoring for MCU and ASIC projects
ISO26262 part | Applicability to MCUs | Applicability to ASICs
2 Management of functional safety | Applicable to both development activities
3 Concept phase | To be considered only to make reasonable assumptions at MCU level | Driven by our customers
4 Product development at the system level, 5 Product development at the hardware level | Mostly applicable; different options possible
7 Production and operation | Mostly applicable
8 Supporting processes | Mostly applicable
9 ASIL-oriented and safety-oriented analysis | Mostly applicable, but ASIL decomposition used to define assumptions | Mostly applicable, but ASIL decomposition driven by our customers
Parts 1 and 10 contain only informative requirements. Part 6 (SW) is excluded from this presentation.
Renesas solutions for the key challenges
Specifications misunderstanding: simulation models of our MCUs available for early analysis
Safety concepts: Renesas is market leader in automotive for MCU, ASIC, ASSPs; thanks to the WW marketing teams, information is shared to define safety concepts
Computation of HW metrics: internal methodology created; full compliance to ISO26262 confirmed
Dependent failures: internal methodology available based on a checklist approach; new ISO26262 sub-group set up to synchronise on the approach
Interface to our customers: proprietary GUI created to estimate capabilities of our MCUs in customer profiles
Flexibility of Renesas GUI
[Diagram: MCU development -> safety MCU analysis -> MCU safety database (S, SPF, MPF, DCRF, DCLF) -> safety system analysis -> customer]
Safety culture spread
How to spread the safety culture within the company?
Decision taken to create an internal e-learning program
A virtual guide takes each involved employee through the basics of safety, with a description of their job role
A set of questions must be answered to complete the course
How we planned Automotive MCU for ISO26262
Takashi Yasumasu
Manager for Chassis & Safety technical marketing
Renesas Electronics Corp. Automotive system div.
Working since 1993 at Renesas Electronics (ex. Hitachi semiconductor division and Renesas Technology)
Involved in safety activities since 2007 for automotive: IEC61508 SIL3 system solution by MCU plus ASIC
Active in the standardisation process of ISO26262; in particular contributed to ISO26262 part 10 in Japan SAE
Member of the Japan SAE Functional Safety WG and the JASPAR Functional Safety WG since 2009
Member of the ISO26262 WG16 semiconductor WG from Japan
Technical marketing leader for global Chassis & Safety applications, mainly responsible for the following MCUs:
RH850/P1x series for Chassis
RH850/R1x series for Safety
Challenge for applying ISO26262 on MCU
SEooC-based development with assumed safety requirements for a wide variety of automotive applications
The standard has changed from the previous IEC61508 to ISO26262: similar, but there are differences for the MCU
SFF for MCU vs. SPF/LF for item development
Beta IC table vs. dependent failure analysis
Necessity to implement a state-of-the-art architecture with wide acceptance in the market
The ISO26262 description is not concrete for the implementation of the safety mechanism
[Diagram: under IEC61508 a SIL (SIL1, SIL2, SIL3) is applied to each sub-component; under ISO26262 the ASIL is applied to the total system via the item's safety goal]
SEooC: Safety Element out of Context
SFF: Safe Failure Fraction
SIL: Safety Integrity Level
SPF: Single Point Fault
LF: Latent Fault
ASIL: Automotive Safety Integrity Level
Product Line ups for Automotive MCU
Wide variety of products for many applications with the 40nm MCU
[Pie charts per application, figures as shown: Powertrain 37%, Chassis (Brake, Steering) 22%, Airbag 40%, Body + Others 52%, Car Audio 54%, Instrument 44%, Navigation* 75%; *including SOC devices]
Source: Strategy Analytics Jun/2012, Renesas estimate
Fundamental strength of RH850 series
Leading 40nm Flash MCU process technology: smallest die size and lowest power consumption
[Chart: world's smallest Flash MCU at 40nm; the 40nm MCU die is 25% of the area of the 90nm MCU; current in mA/MHz shown as 2.81, 1.08 (38%) and 0.51 for the bars labelled 90nm MCU, 40nm MCU and Competitor (90nm)]
Our 40nm technology has enough capability to avoid the power and size overhead of having H/W safety mechanisms!
ISO26262 SEooC MCU Safety Life Cycle in Renesas
SEooC: Safety Element out of Context
[Diagram: OEM/Tier1 side: safety goal -> functional safety concept (FSR, preliminary architectural assumption) -> technical safety concept (TSR, system design) -> requirement derivation and design for the system -> decision for MCU/ASSP; then item integration, system verification and validation, validation for the system and safety assessment. MCU vendor side: MCU safety plan -> MCU safety concept -> HW safety requirement -> requirement derivation and design for the device -> HW safety verification -> MCU testing and validation -> product verification and validation -> MCU safety assessment]
The safety requirement coming from each application's safety concept is the key
Gap analysis is necessary at integration when using an MCU SEooC; safety validation is applied there
The accuracy of the assumed safety requirement is the key in the case of SEooC
Safety requirement led by Safety concept
To have more accuracy when defining the safety requirement, we start with the safety concept including external measures
[Diagram: example of the safety concept (EPS): assumed hazardous event and ASIL; assumed system safety goal and FTTI; assumed external measures (hardware: ASSP, ASIC); assumed hardware/software interface. Example of the safety requirement: H/W and S/W requirements; FTTI for the MCU]
FTTI: Fault Tolerant Time Interval
MCU FTTI: MCU fault tolerant time interval
Notes: The information above is an example based on market survey by Renesas.
Category | Application | Hazardous event | MCU FTTI (1%)
Chassis | EPS | 1. Self steer during driving; 2. Steering wheel lock | 200us / 1ms
Chassis | ABS | One wheel lock during hard braking | 1ms
Chassis | Stability Control System | One wheel lock during driving | 1ms
Chassis | Booster (electrical motor supporter) | One wheel lock during driving | 1ms
Passive Safety | Airbag | Inadvertent deployment during driving | 10ms
Active Safety | Mid Range & Long Range Radar Systems (MRR/LRR) | Inadvertent hard braking during driving | 10ms
Powertrain | Powertrain | Decreasing of engine torque | 10ms
Powertrain | Transmission | Speed down on expressway | 10ms
Body | Front beam | Both front lamps turn off during night driving | 10ms
Body | Brake lamp | No brake lighting during braking | 10ms
Body | Meter | Wrong gear position | 10ms
HEV/EV | Motor control | Sudden torque up/down | TBC
[ASIL example and MCU RH850 series columns not recoverable]
Multi core strategy for performance and safety
[Diagram of four architectures, each with Flash memory, CPU(s) and system bus:
Single core: Airbag/Body, central gateway
DCLS (Dual Core Lock Step, CPU + CMP + CPU): Braking/Steering, motor control; 1oo1D architecture, no latency for error detection, fast time to detect faults
Hybrid (DCLS plus single core): Engine control, ADAS; high performance, real-time operation, cost and performance
Dual DCLS: ADAS, server; performance]
RH850/P1x Safety Mechanism outline
Application independent part:
CPU: Dual Core Lock Step comparator; Memory Protection Unit; Logic-BIST; redundant DMAC/INTC
Memory: ROM: ECC (SECDED), CRC, address parity; RAM: ECC (SECDED), M-BIST, address parity; EEPROM: ECC (SECDED)
Others: Bus: end-to-end S.M.; ECM: control behaviour at error; clock monitor; voltage monitor
Application dependent part (peripherals):
12-bit ADC: 2 self test
Timer: output monitor, input monitor
CAN: parity on data, loop back
Safety mechanism for Application independent parts
Aiming to have rich safety mechanisms in hardware to achieve a fast FTTI
[Block diagram of the application independent part, from the "Standard MCU" blocks (CPU, DMA, memory, peripherals, flash, RAM, WDT, power supply, clock generation) to the added safety blocks: error correction and detection (flash ECC, RAM ECC, ECC/parity on bus interfaces); memory protection (V850 G3M MPU, peripheral protection); built-in self test (logic BIST, ECC RAM BIST at start-up); redundancy (lockstep operation of CPU master and CPU checker with identical inputs and output comparison by the H/W compare unit, inverted signals, a 2-clock delay, layout separation, power separation and cross-talk analysis against common cause); timing supervision (watchdog, clock monitors on main oscillator, ring oscillator and PLL); latent fault detection (BIST); error management (ECM: error collection, interrupt, reset and ERROR output on failure detection). Legend: safety block, functional block, clock input, inputs/outputs]
Application dependent safety mechanism
Application dependent part is to be analysed by each safety goal
[Diagram: input -> judge (application independent part, DCLS) -> output, per application:
Braking: wheel speed pulse -> input capture timer -> PWM timer -> solenoid control (PWM)
EPS: torque sensor, motor current -> 12-bit SAR ADC -> PWM timer -> 3-phase PWM output (U/V/W)
ADAS: vision, radar (LRR/MRR) -> high-speed serial, ADC -> CAN -> command via CAN]
Safety Mechanism for Input and Output
Application | Assumed FTTI | Input | Output | Test pattern
Brake | 100ms | Timer (IC) | Timer (PWM) | (Input) TIMER INPUT MONITOR; (Output) PWM OUTPUT MONITOR
EPS | 20ms | ADC or serial | Timer (PWM) | (Input) ADC diagnosis; (Output) PWM OUTPUT MONITOR
ADAS | 100ms | CAN | CAN | (Input) CAN software protocol; (Output) CAN software protocol
End to end protection by the combination of H/W and S/W
Test Pattern of on chip communication :Input
Assumed technical safety requirement: Timer (Input Capture) works correctly; correct transfer to L-RAM
[Diagram: input -> judge -> output; mission logic: Timer (Input Capture, timer input0 and input1) -> bus interconnect (address path / data path) -> L-RAM -> DCLS CPU; the internal connection is covered end to end (E2E) by the TIMER INPUT MONITOR]
Safety mechanism (on-chip comms.):
Hardware: TIMER INPUT MONITOR
Software: read from Timer0 and Timer1
Merit:
E2E from input to L-RAM (read after write)
Easy implementation into the application program
Effective for transient faults
L-RAM: Local RAM, tightly coupled RAM with Dual Core Lock Step
Test Pattern of on chip communication :Output
Assumed technical safety requirement: Timer (PWM Output) works correctly; correct transfer to L-RAM
[Diagram: input -> judge -> output; mission logic: L-RAM -> bus interconnect (address path / data path) -> Timer (PWM output) looped back to a timer input; DCLS CPU; the internal connection is covered end to end (E2E) by the TIMER OUTPUT MONITOR]
Safety mechanism:
Hardware: TIMER OUTPUT MONITOR
Software: read from timer input
Merit:
E2E from L-RAM to timer output
Easy implementation into the application program
Effective for transient faults
L-RAM: Local RAM, tightly coupled RAM with Dual Core Lock Step
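As an added example (not Renesas code), this C sketch shows the software half of the two on-chip communication test patterns above, combined with the timing supervision implied by the MCU FTTI values earlier in the deck. The register layout, tolerances, error codes and the L-RAM fault-injection hook are hypothetical; they exist so the logic runs on a host.

```c
/* Added example, not Renesas code: the software half of the end-to-end (E2E)
 * check on the two "Test pattern of on chip communication" slides, plus the
 * timing supervision the FTTI table implies. Input side: one pulse is captured
 * on two timer channels (Timer0/Timer1); software reads both, writes the value
 * to L-RAM, reads it back and compares. Output side: the PWM output is looped
 * back into a capture timer and compared with the commanded value in L-RAM.
 * Register layout, tolerances, error codes and the fault-injection hook are
 * hypothetical; they exist so the example runs and can be tested on a host. */
#include <stdint.h>

typedef enum {
    E2E_OK = 0,
    E2E_INPUT_MISMATCH,   /* Timer0 and Timer1 captures disagree */
    E2E_LRAM_MISMATCH,    /* read-after-write through L-RAM differs */
    E2E_OUTPUT_MISMATCH,  /* looped-back PWM differs from the command */
    E2E_FTTI_EXPIRED      /* no successful check within the MCU FTTI */
} e2e_status_t;

/* Hypothetical redundant capture registers (memory-mapped on the real MCU). */
typedef struct { uint32_t timer0_capture; uint32_t timer1_capture; } timer_in_t;

/* Minimal model of one L-RAM word; stuck_mask is a constructed fault-injection
 * hook that forces bits to 1 on read, standing in for a data-path fault. */
typedef struct { uint32_t word; uint32_t stuck_mask; } lram_cell_t;

static void lram_write(lram_cell_t *c, uint32_t v) { c->word = v; }
static uint32_t lram_read(const lram_cell_t *c) { return c->word | c->stuck_mask; }
static uint32_t abs_diff(uint32_t a, uint32_t b) { return a > b ? a - b : b - a; }

/* Input path: Timer (IC) -> bus interconnect -> L-RAM -> DCLS CPU.
 * Both captures must agree within tol ticks and the value must survive the
 * write and read-after-write through L-RAM; the verified value goes to *out. */
e2e_status_t e2e_input_check(const timer_in_t *in, lram_cell_t *lram,
                             uint32_t tol, uint32_t *out)
{
    uint32_t t0 = in->timer0_capture;
    uint32_t t1 = in->timer1_capture;
    if (abs_diff(t0, t1) > tol)
        return E2E_INPUT_MISMATCH;      /* capture or data-path fault */
    lram_write(lram, t0);
    uint32_t rb = lram_read(lram);
    if (rb != t0)
        return E2E_LRAM_MISMATCH;       /* address/data-path fault into L-RAM */
    *out = rb;
    return E2E_OK;
}

/* Output path: L-RAM (commanded ticks) -> Timer (PWM) -> loop back -> capture. */
e2e_status_t e2e_output_check(const lram_cell_t *commanded,
                              uint32_t measured_ticks, uint32_t tol)
{
    return abs_diff(lram_read(commanded), measured_ticks) > tol
        ? E2E_OUTPUT_MISMATCH : E2E_OK;
}

/* Timing supervision: a check only counts if it completes inside the MCU FTTI
 * (e.g. 1ms for the chassis rows of the FTTI table). Unsigned subtraction
 * keeps this correct across a 32-bit timestamp wrap. */
e2e_status_t e2e_ftti_check(uint32_t last_ok_us, uint32_t now_us,
                            uint32_t mcu_ftti_us)
{
    return (now_us - last_ok_us) > mcu_ftti_us ? E2E_FTTI_EXPIRED : E2E_OK;
}
```

On the target, any status other than E2E_OK would be reported to the ECM so that the error reaction (interrupt, reset or ERROR output) happens inside the FTTI.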
Functional Safety Support for Renesas customer
SEooC-based work products:
Concept FMEDA: qualitative FMEDA; metrics analysis; sub-part size information for FIT calculation; qualitative DC
Safety Manual: how to use the safety mechanisms; recommendation of timing for application usage
ISO26262 work products: to achieve easy verification in the system, work products are prepared: assumed safety requirement, safety analysis, safety design etc.
Conclusion
Renesas support for your ISO26262 development
Safety hardware and work products: e.g. H/W safety mechanism by each product family
Safety software and work products: e.g. core self test software
Independent checks: i.e. confirmation measures done by our internal independent organisation
Safety consultancy: e.g. workshops, GUI tool
Questions?