As electronics become ever more pervasive in the automotive, industrial automation, and medical device sectors, fault-tolerant electronic subsystems are becoming a standard requirement. Designing these systems with Cortex-R series processors that have a high level of fault tolerance realizes benefits such as:
- Improved reliability
- Enhanced fault detection and coverage
- Reduced cost of operation
Functional safety support is increasingly becoming an essential part of these systems. As the various functional safety standards continue to develop in complexity, ARM has developed the Cortex-R5 Safety Documentation Package to speed time to market, simplify the certification effort, and enable higher levels of certification to be obtained.
Key technologies to support functional safety in the ARM Cortex-R series
The ARM Cortex-R series processors have been developed to be used in applications that require high dependability and detection of any errors that can arise in the processor or the system. The types of faults that can occur in any system include hardware faults (such as failures from aging memory or temperature-induced stresses) that cause erroneous values and random faults (such as random radiation hits to the silicon that “flip” a bit or gate or even cause permanent hardware damage). If the system has safety implications, where any failure could have serious consequences, then any error must be detected and handled in the appropriate way for the particular system.
For addressing this, two key strategies exist:
- Detection of errors in memory: Additional error correcting codes (ECC) are appended to all memory values and checked before the data is used. This enables automatic detection and correction of single-bit errors and detection (but not correction) of multiple-bit errors. This requires the use of wider memory that has extra bits to store the ECC and is used on all memories in the system, including caches and tightly coupled memory (TCM). The processor automatically checks the ECC codes when data is read, automatically corrects single-bit errors, and signals an error to the system if it is uncorrectable. On writing memory the processor automatically creates the ECC codes.The Cortex-R5 also enables detection of errors on all the buses that connect the processor to the system.
- Detection of errors in the processor: Radiation could hit any gate in a system, and if this causes an error (not in the memory but in the actual logic) then this must also be detected. Dual-core lock step (DCLS) implements two identical processors with identical inputs, though one is slightly delayed to ensure events that affect the whole system at the same time are detected, and checks that the outputs from both processors are identical. If the compared outputs do not match then there must have been an error in the system, which is signaled so the system can take the appropriate action.
These key areas, when combined with many other features within the Cortex-R series, enable SoCs and wider systems to be developed that meet the requirements of many functional safety standards.
The Cortex-R series has been adopted by more than 70 partners, many of whom rely on the error detection features. The processors have shipped in more than 1.5 billion devices and their reliability has been proven across many markets, such as automotive, industrial, storage, and medical, where data integrity is critical.
However, just having a processor with these features is not sufficient to meet the needs of applications that have functional safety requirements.
How does ARM support functional safety for the Cortex-R5?
Functional safety standards such as ISO 26262 and IEC 61508 require evidence to demonstrate particular system or system component properties. The safety documentation package for Cortex-R5 series processors has been designed to simplify certification, and helps SoC integrators develop and demonstrate the required level of functional safety.
In the context of functional safety standards (ISO 26262 in particular) semiconductor IP can be treated as a safety element out of context (SEooC). For such elements the actual use cases are not necessarily known during design time. This is of course exactly the case for the Cortex-R5, which can be used in a huge number of real-time applications. The safety documentation package has been designed with this in mind, to allow SoC integrators to develop products for particular applications with safety requirements.
The Cortex-R5 Safety Documentation Package contains information about the Cortex-R5 product itself, focusing on its fault detection and control mechanisms such as DCLS and memory protection options with ECC or parity. To facilitate integration of the Cortex-R5 into safety-related designs, an FMEA report with example failure rate distributions is also included.
The information is structured into a set of three documents: Cortex-R5 Safety Manual, Cortex-R5 FMEA Report, and a document describing the allocation of roles and responsibilities for functional safety in projects integrating the Cortex-R5 processor. The Safety Manual includes details on measures used to avoid and control systematic faults during the processor design and verification activities. It also includes details on the processor behavior when faults are detected. The FMEA Report includes a detailed analysis of the design, which can be used as a starting point for system-level safety concept definition and subsequent analyses.
This information helps the SoC integrators create required safety documentation for their products, reducing their time to market. The information can also be used to support functional safety assessment activities for the SoC products with an integrated Cortex-R5 processor.
ARM is only making this information available to SoC integrators. Therefore, if you are a system or software developer targeting safety-related designs, you need to refer to any safety documentation provided by your SoC vendor. The key reason for this is the fact that Cortex-R5 is highly configurable, with different configuration options having possible impact on the processor fault behavior. Since the ARM Safety Manual for Cortex-R5 describes all these configuration options, we want to ensure that any safety documentation available to system and software developers correctly reflects the actual feature set of your chosen SoC implementation.
It’s worth remembering that complementary to the Cortex-R5 Safety Documentation Package, the ARM Compiler toolchain has also been certified by TÜV SÜD, a recognized safety industry expert. The TÜV Certificate and the accompanying report confirm that the ARM Compiler 5.04 fulfils the requirements for development tools for safety-related applications. This enables you to use the ARM Compiler 5.04 for safety-related development up to SIL 3 (IEC 61508) or ASIL D (ISO 26262) without further qualification activities when following the recommendations and conditions documented in the Qualification Kit.