Functional Safety Technology Implementation in MCU Storage Units

The microcontroller unit (MCU) is a core component of automotive electronic control systems, and its storage units are among its most important parts. In automotive-grade MCU design, the functional safety of the storage units and their controllers is crucial, because it directly determines the reliability and safety of the control system as a whole. This article discusses the development of automotive-grade MCUs and how functional safety is implemented in them, focusing on the storage units, the functional safety techniques applied to them, and related techniques that further improve safety.
The MCU is a core component of automotive electronic control systems, and the storage unit is one of its most important parts: it holds program code, data, configuration parameters and other information. By storage type, the memory in an automotive-grade MCU falls into several categories, including ROM, EEPROM, Flash and SRAM. Because the storage unit holds the code and data the MCU runs on, its failure can cause serious accidents in the automotive electronic control system, so the functional safety of every type of storage unit matters. A sound functional safety design for the storage units and their controllers in an automotive-grade MCU can effectively enhance the reliability and safety of the whole system.
Figure 1: Schematic diagram of the MCU system structure with embedded storage.
The functional safety of storage in automotive-grade MCUs covers two aspects: preventing failures of the storage unit and its controller, and preventing external attacks that damage the storage unit or steal its contents. Against failures of the storage unit and controller, automotive-grade MCUs need several technical measures. For example, mature ECC or CRC check codes can detect (and, for ECC, correct) erroneous data and verify data integrity, while redundant storage can hold backup copies of the data. Against external attacks that damage the storage unit or extract data, automotive-grade MCUs need protection mechanisms for the stored data: encrypting it with suitable algorithms, controlling access and operation permissions for code, and placing conditions on data exchanges, which together effectively prevent external attacks and information leaks.
When discussing the design and development of automotive-grade MCUs, this article focuses on how functional safety is implemented. Only when the functional safety of the storage unit is guaranteed can the automotive electronic control system be made more reliable and safe. The functional safety design of storage units and controllers is therefore a very important aspect of automotive-grade MCUs, directly tied to the reliability and safety of the control system.
Composition of Storage Unit Types
Figure 2: Different types of storage units.
Taking automotive domain control multi-core MCU chips as an example, based on different types of storage units, storage can be divided into ROM, EEPROM, Flash, and SRAM. ROM, as a read-only storage unit, cannot be modified after the boot program is programmed once, and is responsible for storing the MCU chip’s power-on boot program code, initial diagnostic test code, and basic control algorithm code. EEPROM is an electrically erasable programmable read-only memory that can be erased and programmed via electrical signals. In automotive domain control multi-core MCUs, EEPROM is typically used to store vehicle identification codes, user settings, fault codes, parameters, and other information. Flash is similar to EEPROM but has faster erase and programming speeds; it is usually used in automotive domain control multi-core MCUs to store application programs, operating systems, and drivers. Due to technological advancements and market validation, EEPROM functions are gradually being replaced by small-capacity Flash. SRAM is a type of static random-access memory known for its fast read/write speeds and low power consumption. In automotive domain control multi-core MCUs, SRAM is typically used to store cache, stacks, and heaps.
In the system architecture of MCUs, ROM storage is usually divided into two categories: internal ROM, which is directly integrated into the MCU chip, and external ROM, which is connected to the MCU chip via serial or parallel interfaces. SRAM, EEPROM, and Flash storage units are typically integrated internally and can be accessed for read/write operations via serial or parallel interfaces. In complex processing systems, due to the enormous capacity requirements of storage units, integrating them into the chip has no cost advantage, so they often exist as independent chips that need to connect to the MCU chip via external address and data buses.
Figure 3: External storage connected to the MCU chip via external address and data buses.
Each type of storage unit mentioned above requires a storage unit controller that meets its own read/write control timing to support normal access operations of the storage unit data. Given the functional characteristics of storage units, any failure of either the storage unit itself or the controller will lead to the failure of the MCU chip’s control and processing functions, resulting in system failure. Therefore, effectively implementing functional safety design solutions for storage units and controllers can make automotive electronic control systems more reliable and efficient.
Functional Safety Technologies
The main functional safety technologies include:
ECC with Address Information
In conventional MCU chips, the ECC scheme for storage units processes only the data in the storage space, and a detect-two, correct-one (SECDED) algorithm generally achieves over 99% fault diagnosis coverage. To push safety further, complex MCUs, especially the core control MCUs used in automotive electronic control, may use a detect-three, correct-two (DECTED) algorithm. Conventional MCUs have limited internal storage and narrow address decoding circuits; automotive-grade core control MCUs, by contrast, place large numbers of Flash and SRAM storage units across the whole chip, so the storage unit controller's address decoding circuit covers a much larger address range and its failure rate rises accordingly. For MCUs with high safety requirements, the storage unit ECC scheme is therefore different. When the check bits are generated, the write address is concatenated with the data and the ECC check code is computed over both; "data + check code" is stored in the storage unit, while the write address itself is not stored. On readout, "read address + data + check code" is checked together. If the controller returned the contents of a different address, the read address no longer matches the address folded into the stored check code, and the check fails. This scheme detects single-bit failures in the address decoding logic without significantly increasing design cost.
Figure 4: ECC check in high safety MCUs.
The controller's contribution to storage correctness is correct access by address and by data. When the address decoding circuit in the controller fails, the MCU may read data from the wrong address; the ECC check code of that data is itself correct, so a conventional ECC check passes, and the MCU ends up consuming wrong data and the system fails. The ECC scheme with address information protects the overall access result by covering both key points, the data and the address.
Independent Storage of ECC Codes
Another effective safety solution is to store the data itself and the ECC code using independent storage units. In MCU chips, SRAM acts as a data cache, and during system integration, multiple SRAM modules for different storage spaces are instantiated rather than placing them all in one large SRAM interface. This effectively ensures the efficiency of data access processing by multiple hosts. Therefore, the independent storage scheme for ECC codes is particularly suitable for the functional safety design of SRAM.
Figure 5: Improving functional safety using independent storage for data and ECC codes.
In the SRAM implementation, each piece of data has its ECC code generated on write, and the data and its ECC code are written to two separate SRAM arrays at the same address. When the MCU chip issues a read address, it reads the data from the data SRAM and, at the same time, the corresponding ECC code from the ECC SRAM at that address, and passes both to the ECC check module. If the address decoding module fails, the data and the ECC code fetched for the same address no longer correspond, and the ECC check reports an error. The failure of the address decoding module therefore shows up as an ECC data check error, without distinguishing a failure of the storage unit from a failure of the address decoding circuit. At the system level this is desirable: treating the storage unit and controller as a whole, the safety response is always a data error, which makes higher-level handling more efficient. In addition, because the data and the ECC codes sit in two physically separate SRAM areas, the probability that a physical multi-bit failure becomes a logical multi-bit failure is reduced, as are the common cause failure probability and the probability that the safety mechanism itself fails due to transient interference in the address decoding module.
Diagnosis of ECC Check Functions
The ECC technology scheme for storage units serves as a safety mechanism to prevent single-point failures in the storage unit and control module, requiring corresponding technical measures to detect, identify, or diagnose its own issues, thereby minimizing the probability of potential failures. Although data in ROM, SRAM, EEPROM, and Flash storage units can be protected by ECC checks during normal MCU chip operation, the actual working conditions of different types of storage units vary, leading to differences in diagnostic measures for ECC encoding and checking modules.
Figure 6: Block diagram of ECC encoding and check functions.
During the BOOT startup phase and functional mode operation phase, both SRAM and EEPROM can access data, and data can be modified in real-time during MCU chip applications. For the functional characteristics of SRAM and EEPROM, their ECC check modules can be diagnosed through real-time fault injection methods. When fault injection is enabled, the MCU can read the data and ECC check codes from SRAM and EEPROM via programs, modify the data segment via injection, and send the data along with the ECC code to the ECC check module, diagnosing whether the ECC check module can correctly detect single-bit errors, multi-bit errors, and single-bit correction functions.
The fault injection scheme depends on the software in ROM or Flash executing correctly, so it is not suited to diagnosing the ECC check modules of the ROM or Flash that hold that software. For ROM or Flash, an ECC test area can instead be reserved within the storage unit and pre-programmed with test data for the ECC check function. This area covers single-bit errors, all-zero data, all-one data, double-bit errors and multi-bit errors over the actual data bit width of the ROM or Flash. During ECC diagnosis the program deliberately reads this test area; if the check module is working correctly, these reads trigger the expected ECC error responses.
Figure 7: ECC test area in ROM or Flash storage units.
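The three mechanisms above share one checker, so they are shown together here in one added example that is not part of the article: an ECC computed over "address || data" (the scheme of Figure 4), data and check bits kept in separate arrays indexed by the same address (the scheme of Figure 5), and the fault-injection self-test used for SRAM and EEPROM. Everything in it is constructed for illustration: 8-bit data words, 16 word addresses, a plain Hamming code plus an overall parity bit as the SECDED algorithm, a decoder fault modelled as reading each array at (addr ^ mask), and the reporting policy that a "correction" landing on an address bit is flagged as an address fault (those bits came from the bus, not from the memory, so the location read cannot be the location requested). None of these names or choices come from the article or any real MCU.

```c
/* Added example: address-aware SECDED over a small memory model with separate
 * data and check arrays, and a fault-injection self-test of the checker. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DATA_BITS 8
#define ADDR_BITS 4
#define MSG_BITS  (DATA_BITS + ADDR_BITS)   /* protected message = address || data */
#define PAR_BITS  5                         /* 2^5 >= MSG_BITS + 5 + 1 */
#define MEM_WORDS (1u << ADDR_BITS)

typedef enum { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE, ECC_ADDR_FAULT } ecc_status_t;

static int parity32(uint32_t x) {
    x ^= x >> 16; x ^= x >> 8; x ^= x >> 4; x ^= x >> 2; x ^= x >> 1;
    return (int)(x & 1);
}

/* Hamming position (1-based; powers of two are reserved for parity) of message bit m. */
static int payload_pos(int m) {
    for (int pos = 1, seen = 0;; pos++)
        if (pos & (pos - 1)) { if (seen++ == m) return pos; }
}

/* Six check bits: five Hamming parities over the message, overall parity in bit 5. */
static uint8_t ecc_check(uint32_t msg) {
    uint8_t chk = 0;
    for (int k = 0; k < PAR_BITS; k++) {
        int par = 0;
        for (int m = 0; m < MSG_BITS; m++)
            if (((msg >> m) & 1) && (payload_pos(m) & (1 << k))) par ^= 1;
        chk |= (uint8_t)(par << k);
    }
    chk |= (uint8_t)((parity32(msg) ^ parity32(chk)) << PAR_BITS);
    return chk;
}

/* Verify (read address || data) against the stored check bits, correcting one flipped
 * data bit. Assumed policy: a correction in the address field is an address fault. */
static ecc_status_t ecc_verify(uint32_t *msg, uint8_t chk) {
    uint32_t syn = (ecc_check(*msg) ^ chk) & ((1u << PAR_BITS) - 1);
    int odd = parity32(*msg) ^ parity32(chk);           /* 1: odd number of stored bits flipped */
    if (syn == 0) return odd ? ECC_CORRECTED : ECC_OK;  /* only the overall parity bit flipped */
    if (!odd) return ECC_UNCORRECTABLE;                 /* nonzero syndrome, even flips: double-bit */
    if ((syn & (syn - 1)) == 0) return ECC_CORRECTED;   /* a stored Hamming check bit flipped */
    for (int m = 0; m < MSG_BITS; m++)
        if (payload_pos(m) == (int)syn) {
            if (m >= DATA_BITS) return ECC_ADDR_FAULT;
            *msg ^= 1u << m;
            return ECC_CORRECTED;
        }
    return ECC_UNCORRECTABLE;                           /* syndrome points outside the codeword */
}

/* Memory with separate data and check arrays. The constructed decoder fault indexes
 * each array at (addr ^ mask); mask 0 means that decoder is healthy. */
typedef struct {
    uint8_t  data[MEM_WORDS], check[MEM_WORDS];
    uint32_t data_addr_fault, check_addr_fault;
} ecc_mem_t;

static void mem_write(ecc_mem_t *mem, uint32_t addr, uint8_t data) {
    mem->data[addr]  = data;
    mem->check[addr] = ecc_check((addr << DATA_BITS) | data);  /* address itself is not stored */
}

static ecc_status_t mem_read(ecc_mem_t *mem, uint32_t addr, uint8_t *out) {
    uint8_t d = mem->data[(addr ^ mem->data_addr_fault) % MEM_WORDS];
    uint8_t c = mem->check[(addr ^ mem->check_addr_fault) % MEM_WORDS];
    uint32_t msg = (addr << DATA_BITS) | d;                    /* read address joins the check */
    ecc_status_t st = ecc_verify(&msg, c);
    *out = (uint8_t)msg;
    return st;
}

/* Decoder-fault scenario: write addresses 2 and 3, then read 3 with the given faults. */
static ecc_status_t decoder_fault_scenario(uint32_t data_fault, uint32_t check_fault) {
    ecc_mem_t m = {0};
    uint8_t v;
    mem_write(&m, 2, 0x5A);
    mem_write(&m, 3, 0xA5);
    m.data_addr_fault = data_fault;
    m.check_addr_fault = check_fault;
    return mem_read(&m, 3, &v);
}

/* Fault-injection self-test of the checker (the SRAM/EEPROM method): corrupt a word
 * after writing it and confirm each error class is reported as expected. */
static bool ecc_selftest(void) {
    ecc_mem_t m = {0};
    uint8_t v;
    mem_write(&m, 3, 0xA5);
    bool ok = mem_read(&m, 3, &v) == ECC_OK && v == 0xA5;
    m.data[3] ^= 0x10;                 /* one flipped data bit: must be corrected */
    ok = ok && mem_read(&m, 3, &v) == ECC_CORRECTED && v == 0xA5;
    m.data[3] ^= 0x01;                 /* second flip: double-bit, must be reported */
    ok = ok && mem_read(&m, 3, &v) == ECC_UNCORRECTABLE;
    return ok;
}

int main(void) {
    printf("checker self-test: %s\n", ecc_selftest() ? "pass" : "FAIL");
    printf("whole controller decodes 3 as 2: status %d (3 = ECC_ADDR_FAULT)\n", decoder_fault_scenario(1, 1));
    printf("only data array mis-decoded:    status %d (2 = ECC_UNCORRECTABLE)\n", decoder_fault_scenario(1, 0));
    return 0;
}
```

The two scenarios show the difference between the two schemes: when the whole controller decodes address 3 as address 2, the data and check bits it returns are a consistent pair, so a data-only ECC would accept them, and only the address folded into the check code exposes the fault. When just the data array is mis-decoded while the check array is read correctly, the separate-storage layout alone produces a mismatch. Note also that `ecc_check(0)` returns 0, so an all-zero word at address 0 is a valid codeword under this plain Hamming code, which is one reason the ROM/Flash test area of the text includes all-zero and all-one patterns.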
Other Related Collaborative Technologies
Functional safety for storage units in MCU chips can be combined with other techniques to raise system reliability and safety further. Online MBIST uses a test engine to generate specific test patterns that stimulate the storage unit, then reads back and compares the memory's output to verify its function and reliability. The patterns can include various data patterns, memory access patterns and write/read sequences, which detect faults in the memory quickly and give accurate test results. In addition, MCU chips can use an MPU to protect storage units by blocking unauthorized access: the MPU assigns access permissions and address ranges to memory regions so that only authorized programs can read and write the storage unit, which effectively prevents information leakage or tampering from malicious attacks and unauthorized access. Finally, MCU chips can apply end-to-end (E2E) data checks, computing a checksum at the sending end and verifying it at the receiving end, to detect any tampering of the data in transit.
Achieving functional safety for storage units means analysing at the appropriate technical and functional levels, considering how the safety mechanisms and measures reinforce each other, and assessing whether the chosen solutions meet the target functional safety level. The aim is suitable diagnostic coverage and safety effect at relatively low cost, improving the reliability and safety of the chip and ensuring that the system can effectively prevent single-point failures and latent failure risks.
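As an added example for the MBIST description above (not code from the article or from any MBIST IP), here is a software model of a BIST engine running a standard March pattern, March C- (the article does not name a specific algorithm), over a small SRAM model. The fault model is constructed: a stuck-at-0 mask per word, applied on read. The test walks the address space up and down, reading the expected background and writing its complement, and reports the first address whose read-back mismatches. Word-level solid 0x00/0xFF backgrounds are enough for the stuck-at faults modelled here; coupling faults between bits of one word would need further data backgrounds.

```c
/* Added example: word-level March C- over a constructed SRAM model with a stuck-at-0 fault. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WORDS 16

typedef struct {
    uint8_t cell[WORDS];
    uint8_t stuck0[WORDS];   /* constructed fault: these bits always read back as 0 */
} sram_t;

static void    sram_w(sram_t *s, int a, uint8_t v) { s->cell[a] = v; }
static uint8_t sram_r(const sram_t *s, int a) { return s->cell[a] & (uint8_t)~s->stuck0[a]; }

/* One March element: walk the addresses in the given direction; at each word compare
 * against `expect` when `check` is set, then write `wr` when `do_write` is set.
 * Returns the first address whose read-back mismatches, or -1 if the element passes. */
static int march_elem(sram_t *s, bool up, bool check, uint8_t expect, bool do_write, uint8_t wr) {
    for (int i = 0; i < WORDS; i++) {
        int a = up ? i : WORDS - 1 - i;
        if (check && sram_r(s, a) != expect) return a;
        if (do_write) sram_w(s, a, wr);
    }
    return -1;
}

/* March C-: (w0); up(r0,w1); up(r1,w0); down(r0,w1); down(r1,w0); (r0),
 * with 0x00 / 0xFF as the word-level data backgrounds. Returns failing address or -1. */
static int march_c_minus(sram_t *s) {
    int f;
    march_elem(s, true, false, 0x00, true, 0x00);
    if ((f = march_elem(s, true,  true, 0x00, true, 0xFF)) >= 0) return f;
    if ((f = march_elem(s, true,  true, 0xFF, true, 0x00)) >= 0) return f;
    if ((f = march_elem(s, false, true, 0x00, true, 0xFF)) >= 0) return f;
    if ((f = march_elem(s, false, true, 0xFF, true, 0x00)) >= 0) return f;
    return march_elem(s, true, true, 0x00, false, 0x00);
}

/* Run the test on a memory with at most one word carrying stuck-at-0 bits (fault_word < 0: none). */
static int mbist_run(int fault_word, uint8_t fault_mask) {
    sram_t s = {0};
    if (fault_word >= 0 && fault_word < WORDS) s.stuck0[fault_word] = fault_mask;
    return march_c_minus(&s);
}

int main(void) {
    printf("healthy SRAM: first failing address %d\n", mbist_run(-1, 0));
    printf("bit 3 of word 5 stuck at 0: first failing address %d\n", mbist_run(5, 0x08));
    return 0;
}
```

In a real online MBIST the engine is hardware that drives the memory's address and data ports while the CPU is held off the memory; the read/compare structure is the same, and the failing address is what the safety logic reports upward.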