i.mx 8/8x functional safety concepts - nxp community · 2020. 9. 1. · company public 7 functional...
TRANSCRIPT
PUBLIC – NXP, the NXP logo, and NXP secure connections for a smarter world are trademarks of NXP B.V. All
other product or service names are the property of their respective owners. © 2019 NXP B.V.
Patrick Stilwell
i.MX 8/8X Functional Safety Concepts
August 2019 | Session #AMF-AUT-T3635
1COMPANY PUBLIC
i.MX 7 family
i.MX 8 family
Safety Certifiable & Efficient Performance
Flexible Efficient Connectivity
ARM® v7-A
i.MX 8M family
i.MX 8X family
Advanced Computing, Audio/Video & Voice
Advanced Graphics & CPU Performance
i.MX 7ULP family Ultra Low Power with Graphics
ARM ® v8-A (32-bit/ 64-bit)
ARM® v7-A (32-bit)
i.MX 6QuadPlus
i.MX 6Dual
i.MX 6Solo
i.MX 6DualLite
i.MX 6SoloLite
i.MX 6SoloX
i.MX 6UltraLite
i.MX 6DualPlus
i.MX 6Quad
i.MX 6SLL
i.MX 6ULL
i.MX Applications Processor Scalability
M4
A7
M4
A53
M4
A35
M4
A53
A72
Pin
-to-p
in C
om
pa
tib
le
Soft
ware
Com
patible
M4
A9
A9
A7
2COMPANY PUBLIC
i.MX 8 & 8X Subsystem ReuseScalability of Embedded Processing
HMI, Vision, Audio and Voice-enabled with i.MX
DSP, Vision Acceleration, Real Time Domain, Safe Camera/Display/Audio, Simplified eCockpit
New TSN Connectivity, Telematics and V2X Optimization with i.MX 8DualXLite / 8SoloXLite
Future
3COMPANY PUBLIC
i.MX 8 & 8X Subsystem ReuseScalability of Embedded Processing
HMI, Vision, Audio and Voice-enabled with i.MX
DSP, Vision Acceleration, Real Time Domain, Safe Camera/Display/Audio, Simplified eCockpit
New TSN Connectivity, Telematics and V2X Optimization with i.MX 8DualXLite / 8SoloXLite
Future
4COMPANY PUBLIC
i.MX 8 & 8X Subsystem ReuseScalability of Embedded Processing
HMI, Vision, Audio and Voice-enabled with i.MX
DSP, Vision Acceleration, Real Time Domain, Safe Camera/Display/Audio, Simplified eCockpit
New TSN Connectivity, Telematics and V2X Optimization with i.MX 8DualXLite / 8SoloXLite
Future
5COMPANY PUBLIC
i.MX 8X Block Diagram – Hardware Safety-related
Components
6COMPANY PUBLIC
Aerospace Control
e.g. flap drives, ventilation pumps, fuel pumps, brakes
Motor Control / Drives
e.g. robotics used in industrial automation, DC / AC motor
drives
Industrial Transportation
e.g. conveyor belts, fork lifter, brakes, (unmanned)
vehicles
Robtics
e.g. welding, pick & place, laser/
water/plasma cutter, harvester
Power Generation and management
e.g. power plants, solar inverters, refineries
Generic Functional
Safety Standard
IEC 61508
Required for all applications where a
malfunction may cause physical injury or
damage to the health of people!
Building
Control e.g. automatic
doors, access
Public
Transportation e.g. elevators,
escalators, automatic
doors, stair lifts, rail
switching controls
Medical e.g. pumps, injectors,
defibrillators, powered
patient beds, valves,
ventilators
Automotivee.g. ADAS, Gateway,
Chassis, Body,
wireless charging
Industrial
Automation e.g.
process/ temperature/
smoke control,
boilers, chemical
Applications with
controlling
functionality Applications
with moving
parts
Applications for
people EN 50128
railway
ISO 26262
automotive
IEC 62061
machinery
IEC 61511
process industry
DO-178B &
DO-254
aerospace
IEC 60880 & IEC 61513
nuclear power stations
IEC 60601
medical equipment
IEC 61131
controls
IEC 61800
powertrain
IEC 61215
solar
ISO 13849
machinery
Functional Safety Applications Derived from IEC 61508
7COMPANY PUBLIC
Functional Safety Applications Derived from IEC 61508
Aerospace Control
e.g. flap drives, ventilation pumps, fuel pumps, brakes
Motor Control / Drives
e.g. robotics used in industrial automation, DC / AC motor
drives
Industrial Transportation
e.g. conveyor belts, fork lifter, brakes, (unmanned)
vehicles
Robtics
e.g. welding, pick & place, laser/
water/plasma cutter, harvester
Power Generation and management
e.g. power plants, solar inverters, refineries
Generic Functional
Safety Standard
IEC 61508
Required for all applications where a
malfunction may cause physical injury or
damage to the health of people!
Building
Control e.g. automatic
doors, access
Public
Transportation e.g. elevators,
escalators, automatic
doors, stair lifts, rail
switching controls
Medical e.g. pumps, injectors,
defibrillators, powered
patient beds, valves,
ventilators
Automotivee.g. ADAS, Gateway,
Chassis, Body,
wireless charging
Industrial
Automation e.g.
process/ temperature/
smoke control,
boilers, chemical
Applications with
controlling
functionality Applications
with moving
parts
Applications for
people EN 50128
railway
ISO 26262
automotive
IEC 62061
machinery
IEC 61511
process industry
DO-178B &
DO-254
aerospace
IEC 60880 & IEC 61513
nuclear power stations
IEC 60601
medical equipment
IEC 61131
controls
IEC 61800
powertrain
IEC 61215
solar
ISO 13849
machinery
8COMPANY PUBLIC
Example Interaction Between OEM, Tier 1 & Tier 2 (NXP)OEM
• Safety Architecture
• Safety Concept
• ASIL Classification of Functions
Tier 1
• HW / SW products
Tier 2 Supplier - NXP
• Item definition
• Hazard analysis and risk assessment
• Safety Goals
• Functional Safety ConceptISO26262 Safety
Requirements &
DIA
Safety
Requirements &
DIA
Safety Manual &
Safety Analysis
Relevant
scope of
ISO26262
high
Fo
un
datio
n Product Safety Mechanisms
(implemented in offering, described in
Safety Manual, quantified/qualified by
Safety Analysis)
Development Process & Methods
Quality & Quality Data
Relevant
scope of
ISO26262
medium
Overall ISO 26262 compliance is achieved
together, we each own a piece of the puzzle
NXPFunctional Safety Focus
Safety Element out of Context
Safety Manual &
Safety Analysis
9COMPANY PUBLIC
Functional Safety Basic Concepts
• All systems will have some inherent, quantifiable failure rate. It is not possible to develop a
system with zero failure rate.
• For each application, there is some tolerable failure rate which does not lead to unacceptable
risk.
• Acceptable failure rates vary per application, based on the potential for direct or indirect physical
injury in the event of system malfunction.
• The hazards and risks of applications can be analyzed and assigned categories based on the
level of acceptable risk. These categories are known as Safety Integrity Levels, or SILs.
10COMPANY PUBLIC
Safety Failures and their causes
Failures in a functional safety system can be broadly classified into two categories: Systematic and Random failures
Failures
Systematic Random
Systematic Failures
– Result from a failure in design or manufacturing
– Often a result of failure to follow best practices
– Occurrence of systematic failures can be reduced through continual and rigorous process
improvement and robust analysis of any new technology
Random Failures
– Result from random defects or soft errors inherent to usage condition
– Rate of random faults cannot generally be reduced; focus must be on the detection and
handling of random faults to prevent application failure
Note: Software failures are considered to be systematic
11COMPANY PUBLIC
OEM
• Item definition
• Hazard analysis and risk
assessment
• Safety Goals
• Functional Safety Concept
Safety GOALS and Process
12COMPANY PUBLIC
OEM
• Item definition
• Hazard analysis and risk
assessment
• Safety Goals
• Functional Safety Concept
• Safety Architecture
• Safety Concept
• ASIL Classification of Functions
Tier 1
Safety GOALS and Process
13COMPANY PUBLIC
OEM
• Item definition
• Hazard analysis and risk
assessment
• Safety Goals
• Functional Safety Concept
• Safety Architecture
• Safety Concept
• ASIL Classification of Functions
Tier 1
Product Safety Mechanisms (implemented
in offering, described in Safety Manual,
quantified/qualified by Safety Analysis)
Development Process & Methods
Quality & Quality Data
• HW / SW products
Tier 2 Supplier - NXP
Safety GOALS and Process
14COMPANY PUBLIC
E= Exposure C= ControllabilityS= Severity
ASIL
How often is it
likely to happen?Can the hazard be
controlled?
What is the
level of injury?
Quantify A Risk: Automotive Safety Integrity Level (ASIL)
Definition:
15COMPANY PUBLIC
Functional Dependencies i.MX 8
i.MX 8 and 8x are ASIL QM rated (quality managed) devices
All input and output sources (serial/parallel IO interfaces like camera
and display based functionality) have an inherent dependency on
system level resources. Because of this dependency, the i.MX
8QuadMax is considered a “Safety Element out of Context” or SEooC.
Safety level safety measures will have to be achieved on a systems
level to include safety elements both inside and outside the SoC
(System on a Chip).
16COMPANY PUBLIC
ISO 26262 Key Differences from IEC 61508
• ISO 26262 aligns with auto industry use cases and definition of acceptable risk
• IEC 61508 concept of safety function is replaced with ISO 26262 safety goals.
− Safety function concept was based on the idea of defining a system under control and then “bolting-on” risk reduction measures
− Safety goal concept requires that risk reduction be part of the initial control system design
• Typical IEC 61508 systems are installed and then validated in place. ISO 26262 systems must be validated before release to market.
• ISO 26262 standard clearly defines work products for each requirement. This makes determination of compliance easier but limits flexibility of development system definition.
• ISO 26262 has hazard and risk analysis, failure rates and metrics adapted for Automotive use cases.
16
17COMPANY PUBLIC
ISO 26262 vs IEC 61508 Safety Integrity Levels• ISO 26262 was developed to meet
automotive industry specific needs as replacement for IEC 61508.
• IEC 61508 defines 4 safety integrity levels (SIL1,2,3,4)
• ISO26262 defines a Quality Managed level in addition to 4 safety integrity levels (ASIL A,B,C,D)
• DO-254 defines 5 levels (A-E) where E will not impact operation or aircraft or pilot workload and A will be catastrophic failure condition.
• There is no direct correlation between IEC61508 SIL and ISO 26262 ASIL levels or DO-254
IEC 61508
SIL Levels
1
2
3
4
ISO 26262
ASIL Levels
A
B
C
D
QMQuality Managed
DO-254
Levels
D
C
B
A
E
18COMPANY PUBLIC
ISO 26262 vs IEC 61508 Safety Integrity Levels• ISO 26262 was developed to meet automotive
industry specific needs as replacement for IEC 61508.
• IEC 61508 defines 4 safety integrity levels (SIL1,2,3,4)
• ISO26262 defines a Quality Managed level in addition to 4 safety integrity levels (ASIL A,B,C,D)
• DO-254 defines 5 levels (A-E) where E will not impact operation or aircraft or pilot workload and A will be catastrophic failure condition.
• There is no direct correlation between IEC61508 SIL and ISO 26262 ASIL levels or DO-254
IEC 61508
SIL Levels
1
2
3
4
ISO 26262
ASIL Levels
A
B
C
D
QMQuality Managed
19COMPANY PUBLIC
ADAS – RADAR
SRR, MRR, LRR – ASILB
FS652x with S32R2
ADAS – Vision
Data Fusion – ASILB, up to ASIL D (Autonomous Drive)
FS652x with MPC5777C (Safety Domain Control)
Drive Train – Electrification
Battery Management (12V, 48V, HV) – ASILC
FS650x with MPC5744P and MC33771
Or FS45 + S32K + KEA (NEWTEC Ref Des)
Drive Train – Electrification
Electric Motor (Alterno Starter, eAxel drive…) – ASILC
FS45 + S32KDrive Train – PowerTrain
Transmission, Transfer Case – ASILD
FS650x with Other MCU supplier
Drive Train – Electrification
Inverter, DCDC Converter - ASILC
FS651x + MPC577x
Drive Train – S&C
Electric Power Steering – ASILD
FS45 or FS65 with MPC574x
Domain Gateway
Body, Safety, Chassis – up to ASILD
FS652x with MPC574xCDrive Train – S&C
Suspension / Dumping – ASILC
FS65 with other MCU Supplier
FS65 + MPC574x
ADAS – ACC
Adaptive Cruise Control – ASILC
FS652x with MPC5744P
Drive Train – PowerTrain
Engine Management Unit – ASILB
FS651x with MPC5777C
Drive Train – S&C
ABS, ESP – ASILD
BE13 with MPC5744P
Automotive Use Cases and ASIL Level
1
2
2
3
4
5
1
7
1
8
3
ASIL
D
C
B
A
QM
LEGEND
6
20COMPANY PUBLIC
HW Safety Element out of Context Development
NXP focuses on HW and/or SW component development
The HW component can be targeted for different applications and for different customers where:
• Assumptions are made about the requirements allocated to the HW element and its external interfaces
• It corresponds to a HW SEooC
• Assumptions’ validity established during integration of the SEooC in the different systems.
HW
Component
Developed as
SEooC
Reference ISO 26262-10:2012Applicable to Component developed as SEooC
SW
Component
Developed as
SEooC
21COMPANY PUBLIC
Safety Feature 8QuadXplus, 8DualXPlus, 8DualX 8QuadMax, 8QuadPlus
Ultra Low Alpha (ULA) package ✓ ✓
Manufacturing Process 28nm FD-SOI 28nm FD-SOI
Memory Protection (ECC, parity)
ARM Cortex-A L1 cache Parity Parity
ARM Cortex-A L2 cache ECC ECC
ARM Cortex-M4 tightly coupled
memoryECC ECC
DDR memory interface ECC on DDR3L -
Failover Displays and Cameras ✓ ✓
Highest Automotive Safety Certifiable* QM QM
Targeted Industrial Safety Certifiable * SIL3 SIL2
i.MX 8/8X Safety and Reliability Features
*Designed for
ASIL A/B Platforms
22COMPANY PUBLIC
i.MX 8X Block Diagram – Hardware Safety-related
Components
23COMPANY PUBLIC
Safety Mechanisms & Faults
• A safety mechanism is a technical solution implemented by E/E functions or elements, or by other technologies, to
detect faults or control failures in order to achieve or maintain a safe state
• Safety mechanisms are implemented to prevent faults from leading to single-point failures or to reduce residual
failures and to prevent faults from being latent
− multiple-point fault is a individual fault that, in combination with other independent faults, leads to a multiple-point failure.
• Safety Mechanisms can take effect during
− Power up (pre-drive checks)
− During operation
− During power-down (post-drive checks)
− Part of maintenance.
Q: How to decide where to
implement safety mechanisms?
… in HW or SW, in system or
component or IP…
Reference ISO 26262-1:2011
24COMPANY PUBLIC
Fault Detection & Reaction Times
Diagnostic test interval
• amount of time between the executions of online
diagnostic tests by a safety mechanism
Fault reaction time
• time-span from the detection of a fault to reaching
the safe state
Fault tolerant time interval
• time-span in which a fault or faults can be present
in a system before a hazardous event occurs
Multiple-point fault detection interval
• time span to detect multiple-point fault before it
can contribute to a multiple-point failure Reference ISO 26262-1:2011
Q: How to know which times to use?
1ms, 10ms, 100ms, 1sec, 1hr, several hours etc.
25COMPANY PUBLIC
Safety Mechanisms and Countermeasures
Light sensors
Efuses/shado
w registers
Basic SCA
countermeasures (masking,
randomization, jitter)
Glitch sensor
Limit the debug
output in the final
product
Secure Debug,
Disable Debug
Timing
invariance
(HW/SW)
Memories with
hardware fault
protection/detection
Memory
encryption
NVM error
correction
NVM content
check
Triple
voting
Flipflops
(TVF)
Delayed
lockstep
cores
Power
monitoring
Clock
monitoring
Redundant use of
I/O application
checks
Memory Built In
Self Test (MBIST)
at start-up
Logic Built In Self
Test (LBIST) at start-
up
Watchdog
Fault
Collection &
Control
(FCCU)
Safe
interconnect
HW
Security Counter
Reliable
brown-out
detection
Reliable over-/ under
voltage detection
Shields
Randomization
Memory scrambling
Physical
Separation
Delayed
lockstep eDMA
ECC protection
data/addr.Sea of gates
Obfuscation of
layout
Temperature
sensors
Safety
Security
26COMPANY PUBLIC
Safety Mechanisms
Light sensors
Efuses/shado
w registers
Basic SCA
countermeasures (masking,
randomization, jitter)
Glitch sensor
Limit the debug
output in the final
product
Secure Debug,
Disable Debug
Timing
invariance
(HW/SW)
Memories with
hardware fault
protection/detection
Memory
encryption
NVM error
correction
NVM content
check
Triple
voting
Flipflops
(TVF)
Delayed
lockstep
cores
Power
monitoring
Clock
monitoring
Redundant use of
I/O application
checks
Memory Built In
Self Test (MBIST)
at start-up
Logic Built In Self
Test (LBIST) at start-
up
Watchdog
Fault
Collection &
Control
(FCCU)
Safe
interconnect
HW
Security Counter
Reliable
brown-out
detection
Reliable over-/ under
voltage detection
Shields
Randomization
Memory scrambling
Physical
Separation
Delayed
lockstep eDMA
ECC protection
data/addr.Sea of gates
Obfuscation of
layout
Temperature
sensors
i.MX8 Safety
Security
Safety
Mechanisms
27COMPANY PUBLIC
Safety Mechanisms
Light sensors
Efuses/shado
w registers
Basic SCA
countermeasures (masking,
randomization, jitter)
Glitch sensor
Limit the debug
output in the final
product
Secure Debug,
Disable Debug
Timing
invariance
(HW/SW)
Memories with
hardware fault
protection/detection
Memory
encryption
NVM error
correction
NVM content
check
Triple
voting
Flipflops
(TVF)
Delayed
lockstep
cores
Power
monitoring
Clock
monitoring
Redundant use of
I/O application
checks
Memory Built In
Self Test (MBIST)
at start-up
Logic Built In Self
Test (LBIST) at start-
up
Watchdog
Fault
Collection &
Control
(FCCU)
Safe
interconnect
HW
Security Counter
Reliable
brown-out
detection
Reliable over-/ under
voltage detection
Shields
Randomization
Memory scrambling
Physical
Separation
Delayed
lockstep eDMA
ECC protection
data/addr.Sea of gates
Obfuscation of
layout
Temperature
sensors
Check the
checker tests
Safe
stand-by
Safe boot
Peripheral
and Core
Self Test
SW
SafeAssure
i.MX8 Safety
Security
Safety
Mechanisms
28COMPANY PUBLIC
Partitioning A Safety Critical System
Partitioning can be done:
− In hardware (e.g. separate module, chips)
▪ Pros: true separation
▪ Cons: Increase cost
− In software (e.g. address spaces, virtual machines, relying on MMU or MPU)
▪ Pros: easier separation, cost efficient
▪ Cons: not a true separation, since some complex hardware could still crash the system
The i.MX8 SoC includes programmable partitioning features that bring advantages of
both hardware and software partitioning.
29COMPANY PUBLIC
Resource Partitioning on i.MX 8
M4 0
CAN
I2C
VPUADC USB
UART
SPIMIPI
CSI_1
DSI
ETH_1
GPU_0
DISPLAY
MIPI
CSI_0
ETH_0
M4 1 CPU CPU
Audio
Domain 1example
Domain 16example
Domain 0example
SCU
I2C
How Partitioning Works:
• The system controller commits peripherals and memory regionsinto a specific domains. (This is customer defined in the System Configuration Data)
• Any communication between domains are forced to use messaging protocols through Messaging Units (MU’s)
• If a domain peripheral tries to access other domains illegally, a bus error will occur.
Benefits of Partitioning:
• Reporting of immediate illegal accesses helpstrack down hard to find race conditions beforethey go to production. (AKA Sandbox
Methods)
• Provides security on a finished product: protectssystem critical SoC peripherals from less trusted apps and intentional security breaches
Security
DDR 0 DDR 1 DDR 2
…….
MU MU
GPU_1
30COMPANY PUBLIC
i.MX 8 – Arm Cortex-M4 Cores
• Tightly Coupled Memory w/ ECC
• Caches w/ Parity Checks
• Low Latency with NVIC
• Memory Protection Units
• FPU
• Messaging Units
31COMPANY PUBLIC
Examples of Key Safety Goals for the i.MX8
Prevent Misleading
Safety Indications
Prevent missing warning lamp
function in otherwise properly
functioning instrument cluster
Prevent missing audio warning chime
Prevent frozen backup camera image
The key safety goals all derive from the fundamental goal that a failure in the Infotainment system
should not give the driver a misleading sense of safety.
The safety role of the i.MX 8 is to deliver
safety information to the driver. As such, all
safety-relevant failures in the i.MX 8 are
failures to deliver safety information to the
driver.
The i.MX8 can be integrated as a QM part
into an ISO26262 system and paired with
fully qualified ASIL A or B parts to support
key ASIL A and B Infotainment Use cases
32COMPANY PUBLIC
Examples of Transition to Safe States
Missing warning lamp function in
otherwise properly functioning
instrument cluster
Missing audio warning chime
Frozen backup camera image
The safe states all have the effect of making the driver aware of the hazard. With that awareness,
the specific hazards become C0 or C1 controllable. (ISO 26262:2018 Part 3 Clause 6.4.3)
Display disabled with “Service Rear
Camera” message
“Service audio system” warning
indicator on instrument cluster
Instrument cluster blacked out,
possibly with some sort of service
message.
33COMPANY PUBLIC
SCU
• Configure i.MX 8
• Run BootROM
• Configure QSPI
• Load SCU firmware
• Load M4 User code
• High Assurance Boot
• Run time services
Cortex-M4F #1
• Execute User Code
• AutoSAR OS
• CAN Message
• AutoSAR Services
Arm Cortex-A53 and Cortex-A72
• Boot Main Operating System
• QNX, Linux, Android…
Cortex-M4F #2
• Safety Core
• OEM Custom
i.MX 8 and 8X Boot Flow
• Flexible multi-boot options
• Critical function alignment (Cortex-M4 versus Cortex-A53)
• Enables early backup camera, CAN receipt and display
i.MX 8 and 8X Flexible and Fast Boot
34COMPANY PUBLIC
i.MX 8 and 8X Family Display Processor with Failover Feature
Display
Processor Cortex-A
Clusters
GPU
2D
3D BlendLCD
i.MX 8 and 8X Family Display Processor:
• Runs independently, even if GPU and Cortex-A cores crash
• Has integrated 2D graphics unit
• Can be driven by Cortex-M4 core (safety layer support)
• Can drive 4x independent displays without the GPU
Safety layer
Cortex-M4
35COMPANY PUBLIC
55 MPH 0.4 mi Turn ►►
Detects CRC MISMATCH
CRC
Checking
Zones
i.MX 8 GPU Core 0
i.MX 8 Display
Controller 0
(2 Ports)
HUD
Cluster
55 MPH 0.4 mi Turn ►►
i.MX 8 GPU Core 0
i.MX 8 Display
Controller 0
Safety Streams x 2
Automatically Switchover to
Simplified Cluster / HUD
Failover images running in background
i.MX 8 Display Failover Strategy
36COMPANY PUBLIC
I Want to Run Two Operating Systems. Competition’s
Limitations?
Someone Else’s
Processor
What I want to do:
2x independent platforms, same chip
What I want to do:
2x independent platforms, same chip
A53
CPU1
A53
CPU2
Platform 1 Platform 2
A53
CPU3
A53
CPU4
A72
CPU0
A72
CPU1
HypervisorMust rely on internal code and DMA
to ensure IP blocks ‘behave’
GPU
Display
Peripheral
Steers requests, ensures
no access conflicts,
protects domain secrets
‘Shares’ all IP resources
with only SW to
guarantee protection
Mini
Hypervisor(GPU)
Mini
Hypervisor(GPU)
37COMPANY PUBLIC
i.MX 8Quadmax/QuadPlus Family: Full Chip Hardware
Virtualization with Resource Domain Protection
A53
CPU1
A53
CPU2
Platform 1 Platform 2
A53
CPU3
A53
CPU4
A72
CPU0
A72
CPU1
Each IP Block has
Hardware-based resource
protection ‘stitched’
around it
Block, allow, assign,
alert and track any
transaction in Hardware! GPU 0 GPU 1
Display 1Display 0
Perip
h
Perip
h
Perip
h
Perip
h
Perip
h
Perip
h
Perip
h
Perip
h
HyperVisors on i.MX 8 = thin, light, let hardware do the underlying work
Two Chips in One!
Explicitly assign
peripherals to a Platform
“Split” the SOC
in half with Dual
GPU/DC architecture
38COMPANY PUBLIC
Resource Partitioning on i.MX 8 FamilyHow Partitioning Works:
• The system controller commits
peripherals and memory regions
into a specific domains.
(This is customer defined in the System
Configuration Data)
• Any communication between domains
are forced to use messaging protocols through
Messaging Units (MU’s)
• If a domain peripheral tries to access
other domains illegally, a bus error will occur.
Benefits of Partitioning:
• Reporting of immediate illegal accesses helps
track down hard to find race conditions before
they go to production (AKA Sandbox Methods)
• Provides security on a finished product: protects
system critical SoC peripherals from less trusted
apps and intentional security breaches
M4 0
CAN
I2C
VPUADC USB
UART
SPIMIPI
CSI_1
DSI
ETH_1
GPU_0
DISPLA
Y
MIPI
CSI_0
ETH_0
M4 1 CPU CPU
Audio
Domain 1example
Domain 16example
Domain 0example
SCU
I2C
Security
DDR 0 DDR 1 DDR 2
…….
MU MU
GPU_1
39COMPANY PUBLIC
Power Management IC – PF8100/8200• Proven robustness, lower risk, & shorter time to market
− Co-developed with MCU team
− Support of advanced MCU technologies with high precision and enhanced thermal management
• Reduced complexity for functional safety implementation
− Scalable Functional safety from QM to ASIL-B
− Inputs to monitor additional supplies enables system level functional safety
• Reduced system cost
− Scalable Architectures matched to MCU and application
− OTP configurability allows flexibility during development
− Optimize BOM size (<200mm2 component area)
• Faster certification through radiation reduction
− Multiple frequency tuning optimization (Spread Spectrum, freq sync, Manual tuning)
40COMPANY PUBLICINTERNAL/PROPRIETARY 40
NXP’S SAFE ASSURE PROGRAM
WITH I.MX 8X AND I.MX 8
NXP Quality Foundation
Functional Safety Standards
Safety
Support
Safety
Process
Safety
Hardware
Safety
Software
Automotive
ISO 26262
Industrial
IEC 61508Simplify Customer experienceISO26262 system compliance process
Optimize Customer R&D efficiencyReduces time and complexity required to develop
ISO26262 safety systems
Reduce risk of HarmSupports the most stringent Automotive Safety
Integrity Levels (ASILs)
Safety starts with QualityZero defect methodology from design to manufacturing to
help ensure our products meet the stringent demands of
safety applications
41COMPANY PUBLIC
NXP SafeAssure™ Program
• Functional safety activities address:−Safety process (FMEA, FTA, FMEDA) integrated into
development process
−Safety hardware (safety manual) BIST, ECC, etc.
−Safety software (safety manual) Autosar MCAL, OS, core
self tests, etc.
−Safety support – training, documentation and tech
support
42COMPANY PUBLIC
NXP i.MX 8 / 8X SafeAssure
To support the customer to build a safety system, the
following deliverables are provided as standard for all ISO
26262 developed products.
• Public Information available via NXP Website− Quality certificates
− Reference manual
− Data sheet
• Confidential Information available under NDA− Safety plan
− Safety manual
− ISO 26262 safety case
− Permanent Failure Rate data (Die & Package) - IEC/TR 62380 or SN29500
− Transient Failure Rate data (Die) - JEDEC Standard JESD89
− Safety analysis (FMEDA, FTA, DFA) & Report
− PPAP
NXP Quality Foundation
Functional Safety Standards
Safety
Support
Safety
Process
Safety
Hardware
Safety
Software
Automotive
ISO 26262
Industrial
IEC 61508
43COMPANY PUBLIC
Safety Support i.MX 8 and 8X – System Level Overview and
Assumptions
44COMPANY PUBLIC
i.MX 8 Family AUTOSAR Software
45COMPANY PUBLIC
NXP provides software products where in-depth hardware knowledge is crucial – value-add software products such as AUTOSAR MCAL, Custom Complex Drivers, OS, Custom Self Test, application-specific libraries to address unique hardware features
AUTOSAR MCAL
low level drivers
AUTOSAR
Operating System
Self Test Application
oriented Libraries
NXP i.MX 8 AUTOSAR Solution
46COMPANY PUBLIC
Software Life Cycle Methodologies & Quality: Engineering
Discipline
47COMPANY PUBLIC
Built for scalable, safe
and secure multimedia
and computing• Sampling now for alpha and
beta customers
• www.nxp.com/imx8
Thank-you for
considering the
i.MX 8 Series!
i.MX 8 and 8X Applications Processors
NXP, the NXP logo, and NXP secure connections for a smarter world are trademarks of NXP B.V. All other product or service names are the property of their respective owners. © 2018 NXP B.V.
www.nxp.com