Xcell Journal Issue 78: Charge to Market with Xilinx 7 Series ...
Xcell Journal Issue 78: Charge to Market with Xilinx 7 Series ...
Xcell Journal Issue 78: Charge to Market with Xilinx 7 Series ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
XCELLENCE IN AUTOMOTIVE APPLICATIONS<br />
RTE<br />
BSW<br />
GPIO registers<br />
output<br />
enable<br />
SAFETY<br />
SHELL<br />
out in<br />
SAFETY-RELATED PATH<br />
<strong>to</strong> extend the MCU inputs and outputs<br />
<strong>with</strong> external chips that perform<br />
the parallel-serial data conversion,<br />
like digital shift registers or<br />
analog multiplexers. An FPGA lets<br />
you skip all these satellite components,<br />
reducing thus the bill of materials<br />
as well as the PCB dimensions<br />
of the electronic board.<br />
State-of-the-art FPGA devices<br />
already incorporate analog-<strong>to</strong>-digital<br />
converters. This feature is interesting<br />
in au<strong>to</strong>motive design since many<br />
ECUs make use of analog signals (for<br />
example, battery voltage) <strong>to</strong> implement<br />
part of the needed functionality.<br />
The presence of ADCs in programmable<br />
logic devices opens new application<br />
fields for FPGAs.<br />
Like MCUs, FPGAs offer remote<br />
update capability. However, it is<br />
important <strong>to</strong> note that in this case, the<br />
bitstream downloaded in<strong>to</strong> the FPGA<br />
relates not only <strong>to</strong> software code but<br />
also <strong>to</strong> hardware circuitry. This means<br />
output<br />
enable<br />
RTE<br />
BSW<br />
GPIO registers<br />
out in<br />
that, once the product is in production,<br />
it is still possible <strong>to</strong> change the hardware<br />
design by means of system<br />
updates or upgrades. The au<strong>to</strong>motive<br />
industry appreciates such flexibility,<br />
since it also enables bug fixes (in this<br />
case, both hardware and software) after<br />
the product launch.<br />
In any ECU that embeds a function<br />
qualified as safety-relevant under ISO<br />
26262, the hardware and software<br />
involved in this implementation must<br />
fulfill a certain level of protection<br />
depending on how it is categorized.<br />
From the software point of view, it is<br />
necessary <strong>to</strong> demonstrate freedom<br />
from interference—that is, the nonsafety-relevant<br />
code running in an<br />
ECU must not corrupt the operation of<br />
any code inside the same ECU classified<br />
as safety-relevant. This isolation is<br />
necessary <strong>to</strong> guarantee correct execution<br />
of safety-related and non-safetyrelated<br />
functions running side-by-side<br />
on the same processor. Often, it’s easi-<br />
er <strong>to</strong> manage these measures more<br />
flexibly in programmable logic than<br />
in MCUs.<br />
Regarding memory protection<br />
strategies oriented <strong>to</strong> functional safety,<br />
it is necessary <strong>to</strong> guarantee write<br />
access <strong>to</strong> certain safety-related signals<br />
only from authorized safety software<br />
components. In the context of MCU<br />
devices, memory partitioning provides<br />
a fault-containment technique <strong>to</strong> separate<br />
software applications from each<br />
other <strong>to</strong> avoid any data corruption<br />
among them. Programmable logic will<br />
likely make it possible <strong>to</strong> implement a<br />
more efficient self-protection mechanism.<br />
It is possible <strong>to</strong> manage the RTE<br />
buffer related <strong>to</strong> safety signals through<br />
dedicated single dual-port memories<br />
so that the data is written from the<br />
write port and read from the read port.<br />
In this way, it is possible <strong>to</strong> implement<br />
dedicated hardware controllers that<br />
put different restrictions on writing or<br />
reading those signals from the software<br />
side. The same approach can be<br />
implemented <strong>with</strong> registers.<br />
The possibility of introducing cus<strong>to</strong>m<br />
hardware solutions in the ECU<br />
system is a big advantage of the FPGA<br />
approach, especially for safety-related<br />
features. In this case, <strong>with</strong> regard <strong>to</strong><br />
I/O pins and GPIO controllers, the<br />
pinout involved in safety functions can<br />
be grouped in made-<strong>to</strong>-measure I/O<br />
ports that are accessed exclusively by<br />
safety components inside the ECU,<br />
separated from the remaining pins of<br />
the device. This is a good way <strong>to</strong><br />
decouple the safety-critical pins from<br />
the non-safety-critical pins of the system,<br />
ensuring freedom from interference<br />
by design. Any access <strong>to</strong> nonsafety<br />
pins cannot corrupt the status<br />
of the safety pins, which are managed<br />
by safety-relevant code only. This idea<br />
is depicted in Figure 4.<br />
Furthermore, it’s also possible <strong>to</strong><br />
tailor the size of each GPIO port <strong>to</strong> the<br />
needs of the application or the software<br />
component that handles it, skipping<br />
the step of converting a GPIO port<br />
in<strong>to</strong> a physical resource that different<br />
26 <strong>Xcell</strong> <strong>Journal</strong> First Quarter 2012<br />
SW<br />
HW<br />
Figure 4 – Hardware/software co-design of a safety shell architecture isolates the safetyrelevant<br />
ports from non-safety ports <strong>to</strong> guarantee there will be no interference.