The ever-increasing number of electronic components in vehicles not only increases failure rates, but also creates greater risks for drivers and passengers. This increased risk has forced the automotive industry to incorporate functional safety standards into vehicle designs.
The ISO 26262 standard specifies the functional safety requirements for in-vehicle electronic equipment throughout its life cycle. It provides Automotive Safety Integrity Level (ASIL) risk assessments for automotive systems/components from A to D, with D being the highest. The specific requirements for ASIL vary from application to application. Car dashboards must display critical information from the various sensors and actuators in the vehicle and must meet ASIL B standards. Instrument panel display information, such as brake, indicator and transmission gear selector (PRNDL) information, must also comply with the ISO 26262 functional safety standard.
Advanced Automotive Dashboard Technology
To simplify and accelerate development, the new generation of dashboard technology uses functional safety-critical technologies to provide a complete ISO 26262-compliant development platform for automotive applications. For example, the reconfigurable digital instrument panel shown in Figure 1 is equipped with a 1280×480 resolution display supported by an automotive MCU. In addition, the dashboard features fail-safe NOR flash memory and a graphical human-machine interface (HMI) that meets all functional safety requirements.
Figure 1: ISO 26262 Compliant Automotive Dashboard Solutions
Main System Features
The next generation of automotive dashboards requires high performance while ensuring safe and fault-tolerant operation. These dashboards need to detect and correct all safety-critical graphics before the graphics are displayed on the screen. Graphics storage within these systems plays an important role in supporting critical requirements, including enabling a secure and fast boot process.
1. Secure Boot
The first requirement is Secure Boot. In many modern dashboards, automotive MCUs are paired with NOR flash devices to store boot code and graphics content. If a power loss occurs during initialization or configuration, the NOR flash device may be damaged or unresponsive under certain conditions. The use of fail-safe NOR flash can prevent operational failures. It can report device initialization failures and configuration failures, and provide methods to recover from failures.
2. Instant Start
The second required dashboard feature is instant start. Dashboard displays should show accurate data immediately after power-up or reset, with no delay. Instant start can be achieved by combining an automotive MCU with a high-speed NOR flash memory controller and designing a high-efficiency graphics display scheme.
3. Security Graphic Monitor
As discussed earlier in this article, all ISO 26262 ASIL B functional safety-compliant displays require error-proofing for warning lights, signals, and gear position indications on the virtual instrument panel. The driver must know at all times whether the instrument panel is working properly. For example, dashboards must be able to monitor and detect safety-critical images/symbols (see Figure 2a).
A safety-compliant graphics monitor shall be capable of checking the safety-critical content characteristics of each frame of display output. In the event of damage to safety-critical content, the system should generate a different characteristic indicator for the damaged content and alert the driver with a warning message (see Figure 2b).
Figure 2a: Correct brake indicator light
Figure 2b: Malfunctioning brake indicator light and safety monitoring alarm
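The per-frame check described above can be sketched in C as follows. This is an added example, not code from the article, Cypress or Altia; it assumes a CRC-32 over the pixels of the safety-critical region serves as the content characteristic, and all names and the sample frame are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRAME_W 64u   /* constructed sample frame, 8 bits per pixel */
#define FRAME_H 32u

typedef struct { uint16_t x, y, w, h; uint32_t ref_sig; } safety_region_t;

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320), continued across rows. */
static uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n)
{
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

/* Signature over the region's pixels only, row by row. */
uint32_t region_signature(const uint8_t *frame, const safety_region_t *r)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (uint32_t row = 0; row < r->h; row++)
        crc = crc32_update(crc, frame + (r->y + row) * FRAME_W + r->x, r->w);
    return ~crc;
}

/* 1 = content intact, 0 = raise the driver warning. A region that does not
   fit inside the frame is treated as a failure, never silently skipped. */
int monitor_frame(const uint8_t *frame, const safety_region_t *r)
{
    if (r->w == 0 || r->h == 0 || r->x + r->w > FRAME_W || r->y + r->h > FRAME_H)
        return 0;
    return region_signature(frame, r) == r->ref_sig;
}

/* Constructed scenarios: 0 = untouched frame, 1 = one bit flipped inside the
   brake-icon region, 2 = one bit flipped elsewhere on the screen. */
int demo(int scenario)
{
    static uint8_t frame[FRAME_W * FRAME_H];
    safety_region_t brake = { 8, 4, 16, 16, 0 };
    memset(frame, 0x20, sizeof frame);
    for (uint32_t i = 0; i < 16; i++)            /* diagonal stroke as the icon */
        frame[(4 + i) * FRAME_W + 8 + i] = 0xFF;
    brake.ref_sig = region_signature(frame, &brake);   /* from the golden frame */
    if (scenario == 1) frame[10 * FRAME_W + 12] ^= 0x01;
    if (scenario == 2) frame[2 * FRAME_W + 40] ^= 0x01;
    return monitor_frame(frame, &brake);
}

int main(void) { return (demo(0) == 1 && demo(1) == 0 && demo(2) == 1) ? 0 : 1; }
```

Only changes inside the monitored region trip the alarm, so non-critical animation elsewhere on the screen does not cause false warnings.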
4. Image Correction
Another key requirement for dashboards is image correction. Any practical dashboard should use NOR flash devices to store display images and provide error detection and correction capabilities. Figures 3a and 3b illustrate this concept. In this example, we deliberately combine the image of the damaged low beam indicator with the ECC syndrome code of the correct image and store it in a NOR flash device. If we disable error correction in the NOR flash device, a blurred and damaged low beam indicator image is displayed (see Figure 3a). If we enable error correction in the flash device, the corrected icon is displayed (see Figure 3b).
As shown, NOR flash technology will further increase the level of security by monitoring and correcting safety-critical display information to ensure accuracy.
Figure 3a: LED image display with NOR flash ECC disabled
Figure 3b: LED image display with NOR flash ECC enabled
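The experiment above (damaged image data stored alongside ECC bits computed from the correct image, read with correction off and on) can be reproduced with a small single-error-correcting Hamming code. This is an added example, not code from the article or from Cypress; the article does not describe the ECC scheme the flash device uses, so the Hamming(12,8) code, the function names and the sample icon bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Codeword positions (1..12) carrying data bits 0..7; positions 1, 2, 4, 8
   hold the four check bits. */
static const uint8_t POS[8] = { 3, 5, 6, 7, 9, 10, 11, 12 };

/* Check bits = XOR of the positions of all set data bits. */
uint8_t ecc_check(uint8_t data)
{
    uint8_t c = 0;
    for (int i = 0; i < 8; i++)
        if (data & (1u << i)) c ^= POS[i];
    return c;
}

/* Read one byte: 0 = no error reported, 1 = single-bit error corrected,
   -1 = uncorrectable. With ecc_enabled == 0 the raw byte passes through. */
int ecc_read(uint8_t raw, uint8_t stored_check, int ecc_enabled, uint8_t *out)
{
    uint8_t syn = ecc_check(raw) ^ stored_check;   /* syndrome */
    *out = raw;
    if (!ecc_enabled || syn == 0) return 0;
    for (int i = 0; i < 8; i++)
        if (syn == POS[i]) { *out = raw ^ (uint8_t)(1u << i); return 1; }
    if ((syn & (syn - 1)) == 0) return 1;   /* a check bit flipped; data is fine */
    return -1;   /* syndrome names no valid position: more than one bit is wrong */
}

/* Constructed 8-byte icon row. Returns how many bytes still differ from the
   correct image after reading the damaged copy. */
int damaged_bytes_after_read(int ecc_enabled)
{
    const uint8_t good[8] = { 0x3C, 0x7E, 0xFF, 0xDB, 0xFF, 0x7E, 0x3C, 0x18 };
    uint8_t bad[8], out;
    int diff = 0;
    for (int i = 0; i < 8; i++) bad[i] = good[i];
    bad[1] ^= 0x10; bad[3] ^= 0x01; bad[6] ^= 0x80;   /* one flipped bit per byte */
    for (int i = 0; i < 8; i++) {
        /* check bits come from the correct image, data from the damaged one */
        ecc_read(bad[i], ecc_check(good[i]), ecc_enabled, &out);
        diff += (out != good[i]);
    }
    return diff;
}

int main(void)
{
    return (damaged_bytes_after_read(0) == 3 && damaged_bytes_after_read(1) == 0) ? 0 : 1;
}
```

A plain single-error-correcting code like this one flags only some multi-bit errors and can miscorrect others, which is why the uncorrectable case is reported separately instead of being returned as good data.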
Figure 4 shows a schematic diagram of a dashboard that uses NOR flash to access image data in a security-compliant manner.
Figure 4: Dashboard System Solution
Functional Safety within the Dashboard MCU
Functional safety dashboard MCUs, such as the Cypress Traveo II, are an essential part of a safety-compliant dashboard system. They combine traditional MCU functionality with graphics capabilities in a single component. The MCU is ISO 26262 compliant for functional safety and provides support for safety-related IP such as watchdog, clock manager, low-voltage detection, CRC engine, timing protection unit, and peripheral protection unit.
In addition, software also plays an important role in functional safety. Dashboard platforms such as Altia ISO 26262 and the Altia Safety Monitor (ASM) for Automotive Embedded Graphics use feature cells within the dashboard MCU graphics subsystem to check for safety-critical content features. Table 1 shows some of the functional safety features of the dashboard MCU.
Table 1: Functional Safety within Dashboard Traveo II MCUs
Functional Safety in NOR Flash
NOR flash is the most reliable non-volatile memory. Millions of cars on the road have confirmed this. Still, the ISO 26262 standard requires automakers to detect any possible failures to ensure functional safety. NOR flash designed for functional safety, such as Semper NOR flash from Cypress, integrates safety-critical features for automotive systems. Semper, for example, is an ASIL B level device that is about to meet ASIL D requirements. It has good endurance, with over 1 million program/erase cycles and data retention of up to 25 years, even under extreme temperature conditions. It is available in densities up to 4Gb and supports Octal and HyperBus interfaces compatible with QSPI and JEDEC xSPI standards. Both interfaces can provide up to 400MB/s throughput. Table 2 shows all the safety mechanisms and diagnostic functions supported by functional safety NOR flash.
Table 2: Detailed Functional Safety of Semper NOR Flash
Functional safety of the software part
HMI software like Altia can confirm the correct display of functional safety content as needed. Its general-purpose embedded software application reaches ASIL B level and provides monitoring functions for safety-critical objects within the HMI. Developed in accordance with ISO 26262 and ASIL B, it meets the requirements of the ISO 26262 standard by examining the safety-critical content characteristics in each frame of the display output.
By incorporating functional safety into dashboard MCUs, non-volatile memory and embedded software, developers can quickly design complex automotive applications that meet safety requirements.