i.mx 8/8x functional safety concepts - nxp community · 2020. 9. 1. · company public 7 functional...

PUBLIC – NXP, the NXP logo, and NXP secure connections for a smarter world are trademarks of NXP B.V. All

other product or service names are the property of their respective owners. © 2019 NXP B.V.

Patrick Stilwell

i.MX 8/8X Functional Safety Concepts

August 2019 | Session #AMF-AUT-T3635

1COMPANY PUBLIC

i.MX 7 family

i.MX 8 family

Safety Certifiable & Efficient Performance

Flexible Efficient Connectivity

ARM® v7-A

i.MX 8M family

i.MX 8X family

Advanced Computing, Audio/Video & Voice

Advanced Graphics & CPU Performance

i.MX 7ULP family Ultra Low Power with Graphics

ARM ® v8-A (32-bit/ 64-bit)

ARM® v7-A (32-bit)

i.MX 6QuadPlus

i.MX 6Dual

i.MX 6Solo

i.MX 6DualLite

i.MX 6SoloLite

i.MX 6SoloX

i.MX 6UltraLite

i.MX 6DualPlus

i.MX 6Quad

i.MX 6SLL

i.MX 6ULL

i.MX Applications Processor Scalability

M4

A7

M4

A53

M4

A35

M4

A53

A72

Pin

-to-p

in C

om

pa

tib

le

Soft

ware

Com

patible

M4

A9

A9

A7

2COMPANY PUBLIC

i.MX 8 & 8X Subsystem ReuseScalability of Embedded Processing

HMI, Vision, Audio and Voice-enabled with i.MX

DSP, Vision Acceleration, Real Time Domain, Safe Camera/Display/Audio, Simplified eCockpit

New TSN Connectivity, Telematics and V2X Optimization with i.MX 8DualXLite / 8SoloXLite

Future

3COMPANY PUBLIC





Future

4COMPANY PUBLIC





Future

5COMPANY PUBLIC

i.MX 8X Block Diagram – Hardware Safety-related

Components

6COMPANY PUBLIC

Aerospace Control

e.g. flap drives, ventilation pumps, fuel pumps, brakes

Motor Control / Drives

e.g. robotics used in industrial automation, DC / AC motor

drives

Industrial Transportation

e.g. conveyor belts, fork lifter, brakes, (unmanned)

vehicles

Robtics

e.g. welding, pick & place, laser/

water/plasma cutter, harvester

Power Generation and management

e.g. power plants, solar inverters, refineries

Generic Functional

Safety Standard

IEC 61508

Required for all applications where a

malfunction may cause physical injury or

damage to the health of people!

Building

Control e.g. automatic

doors, access

Public

Transportation e.g. elevators,

escalators, automatic

doors, stair lifts, rail

switching controls

Medical e.g. pumps, injectors,

defibrillators, powered

patient beds, valves,

ventilators

Automotivee.g. ADAS, Gateway,

Chassis, Body,

wireless charging

Industrial

Automation e.g.

process/ temperature/

smoke control,

boilers, chemical

Applications with

controlling

functionality Applications

with moving

parts

Applications for

people EN 50128

railway

ISO 26262

automotive

IEC 62061

machinery

IEC 61511

process industry

DO-178B &

DO-254

aerospace

IEC 60880 & IEC 61513

nuclear power stations

IEC 60601

medical equipment

IEC 61131

controls

IEC 61800

powertrain

IEC 61215

solar

ISO 13849

machinery

Functional Safety Applications Derived from IEC 61508

7COMPANY PUBLIC

Functional Safety Applications Derived from IEC 61508

Aerospace Control

e.g. flap drives, ventilation pumps, fuel pumps, brakes

Motor Control / Drives

e.g. robotics used in industrial automation, DC / AC motor

drives

Industrial Transportation

e.g. conveyor belts, fork lifter, brakes, (unmanned)

vehicles

Robtics

e.g. welding, pick & place, laser/

water/plasma cutter, harvester

Power Generation and management

e.g. power plants, solar inverters, refineries

Generic Functional

Safety Standard

IEC 61508

Required for all applications where a

malfunction may cause physical injury or

damage to the health of people!

Building

Control e.g. automatic

doors, access

Public

Transportation e.g. elevators,

escalators, automatic

doors, stair lifts, rail

switching controls

Medical e.g. pumps, injectors,

defibrillators, powered

patient beds, valves,

ventilators

Automotivee.g. ADAS, Gateway,

Chassis, Body,

wireless charging

Industrial

Automation e.g.

process/ temperature/

smoke control,

boilers, chemical

Applications with

controlling

functionality Applications

with moving

parts

Applications for

people EN 50128

railway

ISO 26262

automotive

IEC 62061

machinery

IEC 61511

process industry

DO-178B &

DO-254

aerospace

IEC 60880 & IEC 61513

nuclear power stations

IEC 60601

medical equipment

IEC 61131

controls

IEC 61800

powertrain

IEC 61215

solar

ISO 13849

machinery

8COMPANY PUBLIC

Example Interaction Between OEM, Tier 1 & Tier 2 (NXP)OEM

• Safety Architecture

• Safety Concept

• ASIL Classification of Functions

Tier 1

• HW / SW products

Tier 2 Supplier - NXP

• Item definition

• Hazard analysis and risk assessment

• Safety Goals

• Functional Safety ConceptISO26262 Safety

Requirements &

DIA

Safety

Requirements &

DIA

Safety Manual &

Safety Analysis

Relevant

scope of

ISO26262

high

Fo

un

datio

n Product Safety Mechanisms

(implemented in offering, described in

Safety Manual, quantified/qualified by

Safety Analysis)

Development Process & Methods

Quality & Quality Data

Relevant

scope of

ISO26262

medium

Overall ISO 26262 compliance is achieved

together, we each own a piece of the puzzle

NXPFunctional Safety Focus

Safety Element out of Context

Safety Manual &

Safety Analysis

9COMPANY PUBLIC

Functional Safety Basic Concepts

• All systems will have some inherent, quantifiable failure rate. It is not possible to develop a

system with zero failure rate.

• For each application, there is some tolerable failure rate which does not lead to unacceptable

risk.

• Acceptable failure rates vary per application, based on the potential for direct or indirect physical

injury in the event of system malfunction.

• The hazards and risks of applications can be analyzed and assigned categories based on the

level of acceptable risk. These categories are known as Safety Integrity Levels, or SILs.

10COMPANY PUBLIC

Safety Failures and their causes

Failures in a functional safety system can be broadly classified into two categories: Systematic and Random failures

Failures

Systematic Random

Systematic Failures

– Result from a failure in design or manufacturing

– Often a result of failure to follow best practices

– Occurrence of systematic failures can be reduced through continual and rigorous process

improvement and robust analysis of any new technology

Random Failures

– Result from random defects or soft errors inherent to usage condition

– Rate of random faults cannot generally be reduced; focus must be on the detection and

handling of random faults to prevent application failure

Note: Software failures are considered to be systematic

11COMPANY PUBLIC

OEM

• Item definition

• Hazard analysis and risk

assessment

• Safety Goals

• Functional Safety Concept

Safety GOALS and Process

12COMPANY PUBLIC

OEM

• Item definition


assessment

• Safety Goals



• Safety Concept


Tier 1


13COMPANY PUBLIC

OEM

• Item definition


assessment

• Safety Goals



• Safety Concept


Tier 1

Product Safety Mechanisms (implemented

in offering, described in Safety Manual,

quantified/qualified by Safety Analysis)

Development Process & Methods

Quality & Quality Data

• HW / SW products

Tier 2 Supplier - NXP


14COMPANY PUBLIC

E= Exposure C= ControllabilityS= Severity

ASIL

How often is it

likely to happen?Can the hazard be

controlled?

What is the

level of injury?

Quantify A Risk: Automotive Safety Integrity Level (ASIL)

Definition:

15COMPANY PUBLIC

Functional Dependencies i.MX 8

i.MX 8 and 8x are ASIL QM rated (quality managed) devices

All input and output sources (serial/parallel IO interfaces like camera

and display based functionality) have an inherent dependency on

system level resources. Because of this dependency, the i.MX

8QuadMax is considered a “Safety Element out of Context” or SEooC.

Safety level safety measures will have to be achieved on a systems

level to include safety elements both inside and outside the SoC

(System on a Chip).

16COMPANY PUBLIC

ISO 26262 Key Differences from IEC 61508

• ISO 26262 aligns with auto industry use cases and definition of acceptable risk

• IEC 61508 concept of safety function is replaced with ISO 26262 safety goals.

− Safety function concept was based on the idea of defining a system under control and then “bolting-on” risk reduction measures

− Safety goal concept requires that risk reduction be part of the initial control system design

• Typical IEC 61508 systems are installed and then validated in place. ISO 26262 systems must be validated before release to market.

• ISO 26262 standard clearly defines work products for each requirement. This makes determination of compliance easier but limits flexibility of development system definition.

• ISO 26262 has hazard and risk analysis, failure rates and metrics adapted for Automotive use cases.

16

17COMPANY PUBLIC

ISO 26262 vs IEC 61508 Safety Integrity Levels• ISO 26262 was developed to meet

automotive industry specific needs as replacement for IEC 61508.

• IEC 61508 defines 4 safety integrity levels (SIL1,2,3,4)

• ISO26262 defines a Quality Managed level in addition to 4 safety integrity levels (ASIL A,B,C,D)

• DO-254 defines 5 levels (A-E) where E will not impact operation or aircraft or pilot workload and A will be catastrophic failure condition.

• There is no direct correlation between IEC61508 SIL and ISO 26262 ASIL levels or DO-254

IEC 61508

SIL Levels

1

2

3

4

ISO 26262

ASIL Levels

A

B

C

D

QMQuality Managed

DO-254

Levels

D

C

B

A

E

18COMPANY PUBLIC

ISO 26262 vs IEC 61508 Safety Integrity Levels• ISO 26262 was developed to meet automotive

industry specific needs as replacement for IEC 61508.

• IEC 61508 defines 4 safety integrity levels (SIL1,2,3,4)

• ISO26262 defines a Quality Managed level in addition to 4 safety integrity levels (ASIL A,B,C,D)

• DO-254 defines 5 levels (A-E) where E will not impact operation or aircraft or pilot workload and A will be catastrophic failure condition.

• There is no direct correlation between IEC61508 SIL and ISO 26262 ASIL levels or DO-254

IEC 61508

SIL Levels

1

2

3

4

ISO 26262

ASIL Levels

A

B

C

D

QMQuality Managed

19COMPANY PUBLIC

ADAS – RADAR

SRR, MRR, LRR – ASILB

FS652x with S32R2

ADAS – Vision

Data Fusion – ASILB, up to ASIL D (Autonomous Drive)

FS652x with MPC5777C (Safety Domain Control)

Drive Train – Electrification

Battery Management (12V, 48V, HV) – ASILC

FS650x with MPC5744P and MC33771

Or FS45 + S32K + KEA (NEWTEC Ref Des)


Electric Motor (Alterno Starter, eAxel drive…) – ASILC

FS45 + S32KDrive Train – PowerTrain

Transmission, Transfer Case – ASILD

FS650x with Other MCU supplier


Inverter, DCDC Converter - ASILC

FS651x + MPC577x

Drive Train – S&C

Electric Power Steering – ASILD

FS45 or FS65 with MPC574x

Domain Gateway

Body, Safety, Chassis – up to ASILD

FS652x with MPC574xCDrive Train – S&C

Suspension / Dumping – ASILC

FS65 with other MCU Supplier

FS65 + MPC574x

ADAS – ACC

Adaptive Cruise Control – ASILC

FS652x with MPC5744P

Drive Train – PowerTrain

Engine Management Unit – ASILB

FS651x with MPC5777C

Drive Train – S&C

ABS, ESP – ASILD

BE13 with MPC5744P

Automotive Use Cases and ASIL Level

1

2

2

3

4

5

1

7

1

8

3

ASIL

D

C

B

A

QM

LEGEND

6

20COMPANY PUBLIC

HW Safety Element out of Context Development

NXP focuses on HW and/or SW component development

The HW component can be targeted for different applications and for different customers where:

• Assumptions are made about the requirements allocated to the HW element and its external interfaces

• It corresponds to a HW SEooC

• Assumptions’ validity established during integration of the SEooC in the different systems.

HW

Component

Developed as

SEooC

Reference ISO 26262-10:2012Applicable to Component developed as SEooC

SW

Component

Developed as

SEooC

21COMPANY PUBLIC

Safety Feature 8QuadXplus, 8DualXPlus, 8DualX 8QuadMax, 8QuadPlus

Ultra Low Alpha (ULA) package ✓ ✓

Manufacturing Process 28nm FD-SOI 28nm FD-SOI

Memory Protection (ECC, parity)

ARM Cortex-A L1 cache Parity Parity

ARM Cortex-A L2 cache ECC ECC

ARM Cortex-M4 tightly coupled

memoryECC ECC

DDR memory interface ECC on DDR3L -

Failover Displays and Cameras ✓ ✓

Highest Automotive Safety Certifiable* QM QM

Targeted Industrial Safety Certifiable * SIL3 SIL2

i.MX 8/8X Safety and Reliability Features

*Designed for

ASIL A/B Platforms

22COMPANY PUBLIC

i.MX 8X Block Diagram – Hardware Safety-related

Components

23COMPANY PUBLIC

Safety Mechanisms & Faults

• A safety mechanism is a technical solution implemented by E/E functions or elements, or by other technologies, to

detect faults or control failures in order to achieve or maintain a safe state

• Safety mechanisms are implemented to prevent faults from leading to single-point failures or to reduce residual

failures and to prevent faults from being latent

− multiple-point fault is a individual fault that, in combination with other independent faults, leads to a multiple-point failure.

• Safety Mechanisms can take effect during

− Power up (pre-drive checks)

− During operation

− During power-down (post-drive checks)

− Part of maintenance.

Q: How to decide where to

implement safety mechanisms?

… in HW or SW, in system or

component or IP…

Reference ISO 26262-1:2011

24COMPANY PUBLIC

Fault Detection & Reaction Times

Diagnostic test interval

• amount of time between the executions of online

diagnostic tests by a safety mechanism

Fault reaction time

• time-span from the detection of a fault to reaching

the safe state

Fault tolerant time interval

• time-span in which a fault or faults can be present

in a system before a hazardous event occurs

Multiple-point fault detection interval

• time span to detect multiple-point fault before it

can contribute to a multiple-point failure Reference ISO 26262-1:2011

Q: How to know which times to use?

1ms, 10ms, 100ms, 1sec, 1hr, several hours etc.

25COMPANY PUBLIC

Safety Mechanisms and Countermeasures

Light sensors

Efuses/shado

w registers

Basic SCA

countermeasures (masking,

randomization, jitter)

Glitch sensor

Limit the debug

output in the final

product

Secure Debug,

Disable Debug

Timing

invariance

(HW/SW)

Memories with

hardware fault

protection/detection

Memory

encryption

NVM error

correction

NVM content

check

Triple

voting

Flipflops

(TVF)

Delayed

lockstep

cores

Power

monitoring

Clock

monitoring

Redundant use of

I/O application

checks

Memory Built In

Self Test (MBIST)

at start-up

Logic Built In Self

Test (LBIST) at start-

up

Watchdog

Fault

Collection &

Control

(FCCU)

Safe

interconnect

HW

Security Counter

Reliable

brown-out

detection

Reliable over-/ under

voltage detection

Shields

Randomization

Memory scrambling

Physical

Separation

Delayed

lockstep eDMA

ECC protection

data/addr.Sea of gates

Obfuscation of

layout

Temperature

sensors

Safety

Security

26COMPANY PUBLIC

Safety Mechanisms

Light sensors

Efuses/shado

w registers

Basic SCA



Glitch sensor

Limit the debug

output in the final

product

Secure Debug,

Disable Debug

Timing

invariance

(HW/SW)

Memories with

hardware fault


Memory

encryption

NVM error

correction

NVM content

check

Triple

voting

Flipflops

(TVF)

Delayed

lockstep

cores

Power

monitoring

Clock

monitoring

Redundant use of

I/O application

checks

Memory Built In

Self Test (MBIST)

at start-up

Logic Built In Self


up

Watchdog

Fault

Collection &

Control

(FCCU)

Safe

interconnect

HW

Security Counter

Reliable

brown-out

detection


voltage detection

Shields

Randomization

Memory scrambling

Physical

Separation

Delayed

lockstep eDMA

ECC protection


Obfuscation of

layout

Temperature

sensors

i.MX8 Safety

Security

Safety

Mechanisms

27COMPANY PUBLIC

Safety Mechanisms

Light sensors

Efuses/shado

w registers

Basic SCA



Glitch sensor

Limit the debug

output in the final

product

Secure Debug,

Disable Debug

Timing

invariance

(HW/SW)

Memories with

hardware fault


Memory

encryption

NVM error

correction

NVM content

check

Triple

voting

Flipflops

(TVF)

Delayed

lockstep

cores

Power

monitoring

Clock

monitoring

Redundant use of

I/O application

checks

Memory Built In

Self Test (MBIST)

at start-up

Logic Built In Self


up

Watchdog

Fault

Collection &

Control

(FCCU)

Safe

interconnect

HW

Security Counter

Reliable

brown-out

detection


voltage detection

Shields

Randomization

Memory scrambling

Physical

Separation

Delayed

lockstep eDMA

ECC protection


Obfuscation of

layout

Temperature

sensors

Check the

checker tests

Safe

stand-by

Safe boot

Peripheral

and Core

Self Test

SW

SafeAssure

i.MX8 Safety

Security

Safety

Mechanisms

28COMPANY PUBLIC

Partitioning A Safety Critical System

Partitioning can be done:

− In hardware (e.g. separate module, chips)

▪ Pros: true separation

▪ Cons: Increase cost

− In software (e.g. address spaces, virtual machines, relying on MMU or MPU)

▪ Pros: easier separation, cost efficient

▪ Cons: not a true separation, since some complex hardware could still crash the system

The i.MX8 SoC includes programmable partitioning features that bring advantages of

both hardware and software partitioning.

29COMPANY PUBLIC

Resource Partitioning on i.MX 8

M4 0

CAN

I2C

VPUADC USB

UART

SPIMIPI

CSI_1

DSI

ETH_1

GPU_0

DISPLAY

MIPI

CSI_0

ETH_0

M4 1 CPU CPU

Audio

Domain 1example

Domain 16example

Domain 0example

SCU

I2C

How Partitioning Works:

• The system controller commits peripherals and memory regionsinto a specific domains. (This is customer defined in the System Configuration Data)

• Any communication between domains are forced to use messaging protocols through Messaging Units (MU’s)

• If a domain peripheral tries to access other domains illegally, a bus error will occur.

Benefits of Partitioning:

• Reporting of immediate illegal accesses helpstrack down hard to find race conditions beforethey go to production. (AKA Sandbox

Methods)

• Provides security on a finished product: protectssystem critical SoC peripherals from less trusted apps and intentional security breaches

Security

DDR 0 DDR 1 DDR 2

…….

MU MU

GPU_1

30COMPANY PUBLIC

i.MX 8 – Arm Cortex-M4 Cores

• Tightly Coupled Memory w/ ECC

• Caches w/ Parity Checks

• Low Latency with NVIC

• Memory Protection Units

• FPU

• Messaging Units

31COMPANY PUBLIC

Examples of Key Safety Goals for the i.MX8

Prevent Misleading

Safety Indications

Prevent missing warning lamp

function in otherwise properly

functioning instrument cluster

Prevent missing audio warning chime

Prevent frozen backup camera image

The key safety goals all derive from the fundamental goal that a failure in the Infotainment system

should not give the driver a misleading sense of safety.

The safety role of the i.MX 8 is to deliver

safety information to the driver. As such, all

safety-relevant failures in the i.MX 8 are

failures to deliver safety information to the

driver.

The i.MX8 can be integrated as a QM part

into an ISO26262 system and paired with

fully qualified ASIL A or B parts to support

key ASIL A and B Infotainment Use cases

32COMPANY PUBLIC

Examples of Transition to Safe States

Missing warning lamp function in

otherwise properly functioning

instrument cluster

Missing audio warning chime

Frozen backup camera image

The safe states all have the effect of making the driver aware of the hazard. With that awareness,

the specific hazards become C0 or C1 controllable. (ISO 26262:2018 Part 3 Clause 6.4.3)

Display disabled with “Service Rear

Camera” message

“Service audio system” warning

indicator on instrument cluster

Instrument cluster blacked out,

possibly with some sort of service

message.

33COMPANY PUBLIC

SCU

• Configure i.MX 8

• Run BootROM

• Configure QSPI

• Load SCU firmware

• Load M4 User code

• High Assurance Boot

• Run time services

Cortex-M4F #1

• Execute User Code

• AutoSAR OS

• CAN Message

• AutoSAR Services

Arm Cortex-A53 and Cortex-A72

• Boot Main Operating System

• QNX, Linux, Android…

Cortex-M4F #2

• Safety Core

• OEM Custom

i.MX 8 and 8X Boot Flow

• Flexible multi-boot options

• Critical function alignment (Cortex-M4 versus Cortex-A53)

• Enables early backup camera, CAN receipt and display

i.MX 8 and 8X Flexible and Fast Boot

34COMPANY PUBLIC

i.MX 8 and 8X Family Display Processor with Failover Feature

Display

Processor Cortex-A

Clusters

GPU

2D

3D BlendLCD

i.MX 8 and 8X Family Display Processor:

• Runs independently, even if GPU and Cortex-A cores crash

• Has integrated 2D graphics unit

• Can be driven by Cortex-M4 core (safety layer support)

• Can drive 4x independent displays without the GPU

Safety layer

Cortex-M4

35COMPANY PUBLIC

55 MPH 0.4 mi Turn ►►

Detects CRC MISMATCH

CRC

Checking

Zones

i.MX 8 GPU Core 0

i.MX 8 Display

Controller 0

(2 Ports)

HUD

Cluster

55 MPH 0.4 mi Turn ►►

i.MX 8 GPU Core 0

i.MX 8 Display

Controller 0

Safety Streams x 2

Automatically Switchover to

Simplified Cluster / HUD

Failover images running in background

i.MX 8 Display Failover Strategy

36COMPANY PUBLIC

I Want to Run Two Operating Systems. Competition’s

Limitations?

Someone Else’s

Processor

What I want to do:

2x independent platforms, same chip

What I want to do:

2x independent platforms, same chip

A53

CPU1

A53

CPU2

Platform 1 Platform 2

A53

CPU3

A53

CPU4

A72

CPU0

A72

CPU1

HypervisorMust rely on internal code and DMA

to ensure IP blocks ‘behave’

GPU

Display

Peripheral

Steers requests, ensures

no access conflicts,

protects domain secrets

‘Shares’ all IP resources

with only SW to

guarantee protection

Mini

Hypervisor(GPU)

Mini

Hypervisor(GPU)

37COMPANY PUBLIC

i.MX 8Quadmax/QuadPlus Family: Full Chip Hardware

Virtualization with Resource Domain Protection

A53

CPU1

A53

CPU2

Platform 1 Platform 2

A53

CPU3

A53

CPU4

A72

CPU0

A72

CPU1

Each IP Block has

Hardware-based resource

protection ‘stitched’

around it

Block, allow, assign,

alert and track any

transaction in Hardware! GPU 0 GPU 1

Display 1Display 0

Perip

h

Perip

h

Perip

h

Perip

h

Perip

h

Perip

h

Perip

h

Perip

h

HyperVisors on i.MX 8 = thin, light, let hardware do the underlying work

Two Chips in One!

Explicitly assign

peripherals to a Platform

“Split” the SOC

in half with Dual

GPU/DC architecture

38COMPANY PUBLIC

Resource Partitioning on i.MX 8 FamilyHow Partitioning Works:

• The system controller commits

peripherals and memory regions

into a specific domains.

(This is customer defined in the System

Configuration Data)

• Any communication between domains

are forced to use messaging protocols through

Messaging Units (MU’s)

• If a domain peripheral tries to access

other domains illegally, a bus error will occur.

Benefits of Partitioning:

• Reporting of immediate illegal accesses helps

track down hard to find race conditions before

they go to production (AKA Sandbox Methods)

• Provides security on a finished product: protects

system critical SoC peripherals from less trusted

apps and intentional security breaches

M4 0

CAN

I2C

VPUADC USB

UART

SPIMIPI

CSI_1

DSI

ETH_1

GPU_0

DISPLA

Y

MIPI

CSI_0

ETH_0

M4 1 CPU CPU

Audio

Domain 1example

Domain 16example

Domain 0example

SCU

I2C

Security

DDR 0 DDR 1 DDR 2

…….

MU MU

GPU_1

39COMPANY PUBLIC

Power Management IC – PF8100/8200• Proven robustness, lower risk, & shorter time to market

− Co-developed with MCU team

− Support of advanced MCU technologies with high precision and enhanced thermal management

• Reduced complexity for functional safety implementation

− Scalable Functional safety from QM to ASIL-B

− Inputs to monitor additional supplies enables system level functional safety

• Reduced system cost

− Scalable Architectures matched to MCU and application

− OTP configurability allows flexibility during development

− Optimize BOM size (<200mm2 component area)

• Faster certification through radiation reduction

− Multiple frequency tuning optimization (Spread Spectrum, freq sync, Manual tuning)

40COMPANY PUBLICINTERNAL/PROPRIETARY 40

NXP’S SAFE ASSURE PROGRAM

WITH I.MX 8X AND I.MX 8

NXP Quality Foundation

Functional Safety Standards

Safety

Support

Safety

Process

Safety

Hardware

Safety

Software

Automotive

ISO 26262

Industrial

IEC 61508Simplify Customer experienceISO26262 system compliance process

Optimize Customer R&D efficiencyReduces time and complexity required to develop

ISO26262 safety systems

Reduce risk of HarmSupports the most stringent Automotive Safety

Integrity Levels (ASILs)

Safety starts with QualityZero defect methodology from design to manufacturing to

help ensure our products meet the stringent demands of

safety applications

41COMPANY PUBLIC

NXP SafeAssure™ Program

• Functional safety activities address:−Safety process (FMEA, FTA, FMEDA) integrated into

development process

−Safety hardware (safety manual) BIST, ECC, etc.

−Safety software (safety manual) Autosar MCAL, OS, core

self tests, etc.

−Safety support – training, documentation and tech

support

42COMPANY PUBLIC

NXP i.MX 8 / 8X SafeAssure

To support the customer to build a safety system, the

following deliverables are provided as standard for all ISO

26262 developed products.

• Public Information available via NXP Website− Quality certificates

− Reference manual

− Data sheet

• Confidential Information available under NDA− Safety plan

− Safety manual

− ISO 26262 safety case

− Permanent Failure Rate data (Die & Package) - IEC/TR 62380 or SN29500

− Transient Failure Rate data (Die) - JEDEC Standard JESD89

− Safety analysis (FMEDA, FTA, DFA) & Report

− PPAP

NXP Quality Foundation

Functional Safety Standards

Safety

Support

Safety

Process

Safety

Hardware

Safety

Software

Automotive

ISO 26262

Industrial

IEC 61508

43COMPANY PUBLIC

Safety Support i.MX 8 and 8X – System Level Overview and

Assumptions

44COMPANY PUBLIC

i.MX 8 Family AUTOSAR Software

45COMPANY PUBLIC

NXP provides software products where in-depth hardware knowledge is crucial – value-add software products such as AUTOSAR MCAL, Custom Complex Drivers, OS, Custom Self Test, application-specific libraries to address unique hardware features

AUTOSAR MCAL

low level drivers

AUTOSAR

Operating System

Self Test Application

oriented Libraries

NXP i.MX 8 AUTOSAR Solution

46COMPANY PUBLIC

Software Life Cycle Methodologies & Quality: Engineering

Discipline

47COMPANY PUBLIC

Built for scalable, safe

and secure multimedia

and computing• Sampling now for alpha and

beta customers

• www.nxp.com/imx8

Thank-you for

considering the

i.MX 8 Series!

i.MX 8 and 8X Applications Processors

NXP, the NXP logo, and NXP secure connections for a smarter world are trademarks of NXP B.V. All other product or service names are the property of their respective owners. © 2018 NXP B.V.

www.nxp.com

http://www.nxp.com/

i.mx 8/8x functional safety concepts - nxp community · 2020. 9. 1. · company public 7 functional...

Documents