Designing ISO 26262-Compliant HMI Graphics and Storage for Automotive Clusters
October 09, 2019
The ISO 26262 standard defines the need for functional safety through the entire lifecycle of the electronics in a vehicle.
The increasing number of electronic components in vehicles raises the potential for more failures with higher risk to drivers and passengers. This increased risk has led the automotive industry to make functional safety standards an integral part of automotive design.
ISO 26262 defines four Automotive Safety Integrity Levels, ASIL A through ASIL D, assigned to a system or component by a risk assessment of the hazards it can cause; ASIL D carries the most stringent requirements for safety and robustness. The required ASIL depends on the application. Automotive clusters, which must display critical information from various sensors and actuators in the car, must meet ASIL B. Safety-relevant display content, such as the brake warning, other telltales, and the transmission gear selector (PRNDL) image, must therefore be protected in accordance with ISO 26262.
Advanced Automotive Cluster Technology
To simplify and accelerate development, next-generation instrument cluster technology brings together key functional safety technologies to deliver complete, ISO 26262-compliant development platforms for automotive applications. For example, Figure 1 shows a reconfigurable digital instrument cluster with a 1280x480 display powered by an automotive MCU. The cluster also utilizes failsafe NOR Flash memory and employs a graphical human-machine interface (HMI) that meets all functional safety requirements.
Critical System Features
Next-generation automotive clusters must combine high performance with fail-safe and fault-tolerant operation. They need to detect, and where possible correct, errors in safety-critical graphics before the system displays them on the screen. The graphics storage in these systems plays an important role in supporting key requirements, including a safe and fast boot process.
Safe Boot
The first requirement is safe boot. In many modern instrument clusters, an automotive MCU is paired with a NOR Flash device that stores both the boot code and the graphics assets. A NOR Flash device may become corrupt or nonresponsive if power is lost during its initialization or configuration sequence. A fail-safe NOR Flash mitigates this by reporting device initialization failures and configuration corruption, and by providing a means to recover from them instead of leaving the cluster unable to boot.
Instant On
A second required instrument-cluster feature is “instant on.” Cluster displays should illuminate and show accurate data immediately upon power on or reset, without a perceptible delay. Instant-on can be implemented by pairing the automotive MCU with a high-speed NOR Flash memory controller and designing an efficient graphics implementation.
Safety Graphics Monitor
As noted above, an ASIL B-compliant virtual instrument cluster must safeguard warning lights, signals, and gear indicators against display errors, and the driver must always be informed when the cluster is not working correctly. The cluster must therefore be able to monitor safety-critical images and symbols and detect when they are rendered incorrectly (see Figure 2a).
A safety-compliant graphics monitor checks the signature of the safety-critical content in each frame of display output against the value expected for the commanded state. If safety-critical content is corrupted, its computed signature no longer matches the expected value, and the system must notify the driver with a warning message (see Figure 2b).
Image Correction
Another critical requirement for instrument clusters is image correction. Any viable instrument cluster should store its display images in a NOR Flash device that provides both error detection and error correction. Figures 3a and 3b demonstrate this concept. In this example, we intentionally stored a corrupted image of a low-beam telltale in the NOR Flash device together with the ECC syndrome bits of the correct image. With the error correction feature of the NOR Flash device turned off, the read returns the fuzzy, corrupted low-beam telltale image shown in Figure 3a. With the error correction feature enabled, the device corrects the data on read and the correct icon appears (see Figure 3b).
As shown, functional-safety NOR Flash takes safety one step further by detecting and correcting errors in safety-critical display information before it reaches the graphics pipeline.
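The following is an added example, not Cypress code, that models the read path described above: each stored byte carries a Hamming single-error-correct, double-error-detect (SEC-DED) code, a corrupted copy of a telltale glyph is stored beside the correct ECC bits (as in the Figure 3 experiment), and the image is read back once with correction disabled and once with it enabled. The article does not describe the actual Semper code word size or code, so an 8-bit data word with a 13-bit codeword and the 8x8 glyph are assumptions made for the example.

```python
"""Model of a NOR Flash ECC read path: Hamming SEC-DED over each stored byte.
Added example, not Cypress code; the device's real word size and code are not
given in the article, so an 8-bit data word / 13-bit codeword is assumed."""
from typing import List, Tuple

# Constructed 8x8 monochrome glyph standing in for a telltale image (one byte
# per row, MSB = leftmost pixel). Not an actual cluster asset.
GLYPH = [
    0b00111100,
    0b01000010,
    0b10000001,
    0b10011001,
    0b10011001,
    0b10000001,
    0b01000010,
    0b00111100,
]

DATA_POS = [3, 5, 6, 7, 9, 10, 11, 12]  # non-power-of-2 positions carry data
PARITY_POS = [1, 2, 4, 8]               # Hamming parity bits
CODE_LEN = 13                           # index 0 holds the overall parity bit


def encode_byte(value: int) -> List[int]:
    """Return the 13-bit SEC-DED codeword (list of bits) for one byte."""
    bits = [0] * CODE_LEN
    for k, pos in enumerate(DATA_POS):
        bits[pos] = (value >> k) & 1
    for p in PARITY_POS:                    # parity p covers indices with bit p set
        bits[p] = 0
        for i in range(1, CODE_LEN):
            if i != p and (i & p):
                bits[p] ^= bits[i]
    bits[0] = 0
    for i in range(1, CODE_LEN):            # overall parity enables double-error detection
        bits[0] ^= bits[i]
    return bits


def decode_byte(bits: List[int], correct: bool) -> Tuple[int, str]:
    """Decode one codeword -> (byte, status). status is 'ok', 'corrected',
    'detected' (single error seen, correction disabled) or 'uncorrectable'."""
    bits = list(bits)
    syndrome = 0
    for i in range(1, CODE_LEN):
        if bits[i]:
            syndrome ^= i                   # XOR of set positions = error position
    overall = 0
    for b in bits:
        overall ^= b
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:                      # odd number of flips: treat as one
        if correct:
            bits[syndrome] ^= 1             # syndrome 0 means the parity bit itself
            status = "corrected"
        else:
            status = "detected"
    else:                                   # even flips, nonzero syndrome
        status = "uncorrectable"
    value = 0
    for k, pos in enumerate(DATA_POS):
        value |= bits[pos] << k
    return value, status


def store_glyph(glyph: List[int], corrupt: bool) -> List[List[int]]:
    """Encode each row; with corrupt=True flip one data bit per row after
    encoding, i.e. a damaged image stored beside the correct ECC bits."""
    rows = []
    for r, byte in enumerate(glyph):
        cw = encode_byte(byte)
        if corrupt:
            cw[DATA_POS[r % 8]] ^= 1
        rows.append(cw)
    return rows


def read_glyph(rows: List[List[int]], correct: bool) -> Tuple[List[int], List[str]]:
    """Read the image back with ECC correction enabled or disabled."""
    values, statuses = [], []
    for cw in rows:
        v, st = decode_byte(cw, correct)
        values.append(v)
        statuses.append(st)
    return values, statuses


def render(glyph: List[int]) -> str:
    """ASCII rendering so the 'fuzzy' versus corrected icon is visible."""
    return "\n".join("".join("#" if (row >> (7 - c)) & 1 else "." for c in range(8))
                     for row in glyph)


if __name__ == "__main__":
    stored = store_glyph(GLYPH, corrupt=True)
    fuzzy, _ = read_glyph(stored, correct=False)
    fixed, _ = read_glyph(stored, correct=True)
    print("ECC off:\n" + render(fuzzy) + "\n\nECC on:\n" + render(fixed))
```

With correction disabled every row still comes back flagged as `detected`, which is the point a practitioner should take from the article's experiment: a device that only detects must still report the error so the MCU can refuse to display the image, while a device that corrects hands back the original glyph. Two flips in one word produce `uncorrectable`, and three or more can be miscorrected, so the code word size and the expected bit-error rate of the Flash have to be chosen together.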
Figure 4 shows a block diagram of an instrument cluster using NOR Flash to access image data in a safety-compliant manner.
Functional Safety in the Instrument Cluster MCU
Functional-safety instrument cluster MCUs like Traveo II from Cypress form the heart of safety-compliant instrument cluster systems. They combine traditional MCU functionality with graphics capabilities in a single component. The MCU is ISO 26262-compliant and supports safety-related IP blocks such as a watchdog, clock supervisor, low-voltage detection, CRC engine, timing protection unit, and peripheral protection unit.
Software also plays an important role in functional safety. Instrument cluster platforms like Altia ISO 26262 and Altia Safety Monitor (ASM) for Automotive Embedded Graphics make use of the signature unit inside the instrument cluster MCU’s graphics subsystem to check the signature of safety-critical content. Table 1 shows some of the functional safety capabilities of an instrument cluster MCU.
Functional Safety in NOR Flash
NOR Flash has a long record as a highly reliable nonvolatile memory, proven in millions of cars on the road. Still, ISO 26262 requires automakers to detect any potential failure that could occur in order to guarantee functional safety. NOR Flash designed for functional safety, such as Semper NOR Flash from Cypress, integrates critical safety features for automotive systems. Semper, for example, is ASIL B-compliant and ASIL D-ready, with an endurance of more than 1 million program/erase cycles and data retention of 25 years even at extreme temperatures. It is available in densities up to 4 Gb and supports QSPI as well as the JEDEC xSPI standards-compatible Octal and HyperBus interfaces, which provide up to 400 MB/s of throughput. Table 2 lists the safety mechanisms and diagnostic features supported by functional safety NOR Flash.
Functional Safety in Software
HMI software like Altia’s confirms that functional safety content is displayed correctly when it is commanded. Its ASIL B-compliant, general-purpose embedded software application provides monitoring functionality for safety-critical objects in the HMI. It was developed to ISO 26262 ASIL B-compliant processes and checks the signature of safety-critical content in each frame of the display’s output in support of the ISO 26262 requirements.
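The per-frame signature check, described under Safety Graphics Monitor and again in this section, can be modelled as follows. This is an added example, not Altia or Cypress code and not the Traveo II signature unit's interface: the signature is a CRC32 over the framebuffer bytes inside each safety-critical window, and the expected value is looked up by the telltale's commanded state so that a stale frame is caught as well as a corrupted one. The framebuffer size, pixel format, window layout and telltale artwork are all assumptions constructed for the example.

```python
"""Per-frame signature check over safety-critical display windows. Added
example, not Altia or Cypress code; framebuffer size, pixel format, window
layout and the stand-in telltale artwork are assumptions."""
import zlib
from typing import Dict, Tuple

WIDTH, HEIGHT = 64, 16  # assumed toy framebuffer: 8-bit grayscale, row-major

# Safety-critical windows as (x, y, w, h); a constructed layout.
WINDOWS = {"low_beam": (4, 4, 8, 8), "brake": (20, 4, 8, 8)}


class Framebuffer:
    def __init__(self) -> None:
        self.pix = bytearray(WIDTH * HEIGHT)

    def fill_rect(self, x: int, y: int, w: int, h: int, value: int) -> None:
        for row in range(y, y + h):
            start = row * WIDTH + x
            self.pix[start:start + w] = bytes([value]) * w

    def window_bytes(self, x: int, y: int, w: int, h: int) -> bytes:
        """The pixel stream a hardware signature unit would see for one window."""
        out = bytearray()
        for row in range(y, y + h):
            start = row * WIDTH + x
            out += self.pix[start:start + w]
        return bytes(out)


def draw_telltale(fb: Framebuffer, name: str, on: bool) -> None:
    """Stand-in renderer: bright ring with dark centre when on, dim square when off."""
    x, y, w, h = WINDOWS[name]
    fb.fill_rect(x, y, w, h, 0xFF if on else 0x20)
    if on:
        fb.fill_rect(x + 2, y + 2, w - 4, h - 4, 0x00)


def window_signature(fb: Framebuffer, name: str) -> int:
    return zlib.crc32(fb.window_bytes(*WINDOWS[name])) & 0xFFFFFFFF


def build_reference() -> Dict[Tuple[str, bool], int]:
    """Golden signature per (telltale, commanded state), computed once from a
    known-good rendering; a real design generates these offline at build time."""
    ref = {}
    for name in WINDOWS:
        for on in (False, True):
            fb = Framebuffer()
            draw_telltale(fb, name, on)
            ref[(name, on)] = window_signature(fb, name)
    return ref


def monitor_frame(fb: Framebuffer, commanded: Dict[str, bool],
                  ref: Dict[Tuple[str, bool], int]) -> Dict[str, bool]:
    """True per telltale if the on-screen window matches the signature expected
    for its commanded state. Any False must raise the driver warning."""
    return {name: window_signature(fb, name) == ref[(name, on)]
            for name, on in commanded.items()}


def render_frame(commanded: Dict[str, bool]) -> Framebuffer:
    fb = Framebuffer()
    for name, on in commanded.items():
        draw_telltale(fb, name, on)
    return fb


def check_good() -> Dict[str, bool]:
    """Correctly rendered frame: every window matches."""
    commanded = {"low_beam": True, "brake": False}
    return monitor_frame(render_frame(commanded), commanded, build_reference())


def check_corrupted_pixel() -> Dict[str, bool]:
    """One pixel inside the low-beam window flipped after rendering."""
    commanded = {"low_beam": True, "brake": False}
    fb = render_frame(commanded)
    x, y, _, _ = WINDOWS["low_beam"]
    fb.pix[(y + 1) * WIDTH + x + 1] ^= 0x01
    return monitor_frame(fb, commanded, build_reference())


def check_stale_content() -> Dict[str, bool]:
    """Brake lamp commanded on, but the frame still shows it off: caught only
    because the expected signature is keyed by the commanded state."""
    fb = render_frame({"low_beam": True, "brake": False})
    return monitor_frame(fb, {"low_beam": True, "brake": True}, build_reference())
```

Two caveats for anyone building this for real. First, the expected signature has to come from the commanded state, as above, and not from "the last frame that looked right", otherwise a frozen rendering pipeline passes every check; a frame counter fed to the MCU watchdog is the usual companion. Second, CRC32 is a detection signature against random corruption, not a cryptographic integrity check, so it says nothing about deliberate tampering with the assets or framebuffer.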
By building functionality into the instrument cluster MCU, non-volatile memory, and embedded software, developers can quickly design complex safety-compliant automotive applications. For more information, please refer to How to Build Functional Safety into Your Automotive Cluster Design.
Martin Oberkoenig has a Ph.D. in electrical engineering from the Technical University of Darmstadt. Formerly with Fujitsu and Spansion, he has been with Cypress Semiconductor since 2010. He has worked in R&D for automotive microcontrollers and is responsible for functional safety at Cypress.
Pritesh Mandaliya is a Staff Applications Engineer in the Memory Product Division of Cypress Semiconductor. He holds a master’s degree in Electrical Engineering from San Jose State University.