
SAFETY

Safety Concept

AURIX™ TC3xx Microcontroller Training


V1.0 2020-09
Please read the Important Notice and Warnings at the end of this document
SAFETY
Safety Concept

Highlights
› AURIX™ was developed as a Safety Element out of Context (SEooC) fulfilling the applicable objectives of ISO 26262 up to ASIL D
› ISO 26262 is part of Infineon's standardized development process

[Figure: the three pillars of the safety concept: hardware designed for functional safety, safety documentation, external safety mechanisms]

Key Features and Customer Benefits
› ISO 26262 standardized development process: supports the development of ISO 26262:2011 compliant applications
› Hardware safety mechanisms: support protection against random faults as described in the safety manual
› Safety documentation: accelerates the development of safety-critical applications

2019-08-13 Copyright © Infineon Technologies AG 2020. All rights reserved. 2


SAFETY
ISO 26262 standardized development process

The scope of the SEooC comprises:
› The AURIX™ microcontroller hardware component
› Assumptions of use (AoU) related to the software elements that
  – support the integration of the AURIX™ microcontroller hardware components into a safety-related application
  – support the single point fault metric up to ASIL D for software applications that target a non-lockstep CPU core
› Assumptions of use related to the hardware environment, including assumed external safety mechanisms
› Assumptions of use related to the software environment
› Assumptions of use related to the use of the safety mechanisms provided by the SEooC

All of the above support the development of safety-critical applications which are ISO 26262:2011 compliant.



SAFETY
Hardware safety mechanisms

[Figure: AURIX™ TC39x block diagram: TC1.6P CPU0–CPU5 with Checker Core, FPU, 64KB PSPR, 96KB DSPR, 32KB PCACHE, 16KB DCACHE; DFlash, PFlash, LMU, DAM, MiniMCDS on the System Resource Interconnect; SMU, HSM, MSC, SCU, Port, SFI, FCE, IOM, DMA, HSSL, HSCT, Bridge; System Peripheral Bus with ETH MAC, MCM CAN, EDSADC, ASC LIN, EVADC, PSI5S, CCU6, SENT, ERAY, QSPI, PSI5, GTM, STM, GPT, I2C]

Safe computing:
› Delayed Lockstep CPU with diverse layout

Safe data and code storage:
› Error Detection Codes (ECC) for RAM and Flash memories
› Memory Protection Unit (MPU) for code and data
› Address Monitoring

Safe intra-chip communication:
› SRI Cross Bar: End-to-End monitoring of data and address failures using ECC

Safe infrastructure:
› Clock frequency range monitors
› Power supply range monitoring
› Internal watchdog timers

Support for coexistence of elements:
› CPU Memory Protection
› Bus Memory Protection
› Register Access Protection

Safety management unit:
› Configurable error handling

I/O Monitor:
› Flexible logic analyzer to monitor or compare digital signals
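The ECC listed under safe data and code storage is what lets the hardware tell a correctable single-bit upset from an uncorrectable multi-bit one, which is the input an error handler (on AURIX™, the safety management unit's configurable error handling) needs to choose between continuing and reacting. As an added illustration, not Infineon's implementation (whose memory layout, check-bit count and error reporting are device specific and documented in the Safety Manual), the following C program implements a SECDED Hamming code over a 32-bit word: a single flipped bit is corrected, two flipped bits are reported as uncorrectable. The 39-bit codeword layout and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoder verdict, the distinction an error handler acts on. */
typedef enum { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 } ecc_result_t;

/* Assumed codeword layout (example only): bit 0 = overall parity, bits 1..38 =
   Hamming positions. Power-of-two positions (1,2,4,8,16,32) hold the six check
   bits; the other 32 positions hold the data bits in ascending order. */
#define CW_BITS 39u

static int is_pow2(unsigned p) { return (p & (p - 1u)) == 0u; }

/* Parity of all 64 bits: 1 if an odd number of bits is set. */
static int parity64(uint64_t x) {
    x ^= x >> 32; x ^= x >> 16; x ^= x >> 8; x ^= x >> 4; x ^= x >> 2; x ^= x >> 1;
    return (int)(x & 1u);
}

uint64_t ecc_encode(uint32_t data) {
    uint64_t cw = 0;
    unsigned d = 0;
    for (unsigned p = 1; p < CW_BITS; p++) {          /* scatter data bits */
        if (is_pow2(p)) continue;
        if ((data >> d) & 1u) cw |= (1ull << p);
        d++;
    }
    /* Check bit at position 2^k covers every position whose bit k is set. */
    for (unsigned k = 0; k < 6; k++) {
        unsigned cp = 1u << k;
        uint64_t mask = 0;
        for (unsigned p = 1; p < CW_BITS; p++)
            if (p & cp) mask |= (1ull << p);
        if (parity64(cw & mask)) cw |= (1ull << cp);
    }
    /* Overall parity over all 38 positions separates 1-bit from 2-bit errors. */
    if (parity64(cw)) cw |= 1ull;
    return cw;
}

static uint32_t extract_data(uint64_t cw) {
    uint32_t data = 0;
    unsigned d = 0;
    for (unsigned p = 1; p < CW_BITS; p++) {
        if (is_pow2(p)) continue;
        if ((cw >> p) & 1ull) data |= (1u << d);
        d++;
    }
    return data;
}

ecc_result_t ecc_decode(uint64_t cw, uint32_t *data_out) {
    unsigned syndrome = 0;
    for (unsigned p = 1; p < CW_BITS; p++)           /* XOR of set positions */
        if ((cw >> p) & 1ull) syndrome ^= p;
    int overall = parity64(cw);                      /* 1: odd number of flips */

    if (syndrome == 0 && overall == 0) { *data_out = extract_data(cw); return ECC_OK; }
    if (overall == 1) {
        /* Odd flip count: treat as single-bit error at 'syndrome' and repair it
           (syndrome 0 means the overall parity bit itself flipped). */
        cw ^= (1ull << syndrome);
        *data_out = extract_data(cw);
        return ECC_CORRECTED;
    }
    /* Even flip count with non-zero syndrome: double-bit error, data not trustworthy. */
    *data_out = 0;
    return ECC_UNCORRECTABLE;
}

/* Scenario helpers: return 1 when the decoder behaves as expected. */
int ecc_roundtrip_ok(uint32_t data) {
    uint32_t out;
    return ecc_decode(ecc_encode(data), &out) == ECC_OK && out == data;
}
int ecc_single_error_corrected(uint32_t data, unsigned pos) {
    uint32_t out;
    return ecc_decode(ecc_encode(data) ^ (1ull << pos), &out) == ECC_CORRECTED && out == data;
}
int ecc_double_error_detected(uint32_t data, unsigned p1, unsigned p2) {
    uint32_t out;
    uint64_t cw = ecc_encode(data) ^ (1ull << p1) ^ (1ull << p2);
    return ecc_decode(cw, &out) == ECC_UNCORRECTABLE;
}

int main(void) {
    printf("roundtrip: %d  single-bit corrected: %d  double-bit detected: %d\n",
           ecc_roundtrip_ok(0xDEADBEEFu),
           ecc_single_error_corrected(0xDEADBEEFu, 7),
           ecc_double_error_detected(0xDEADBEEFu, 7, 20));
    return 0;
}
```

The point of the separate overall parity bit is the uncorrectable verdict: a plain Hamming code would "correct" a two-bit error into a third wrong word, whereas SECDED makes the error visible so the error handler can react instead of computing on corrupted data.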



SAFETY
Safety documentation

[Figure: the safety documentation set (FMEDA Extract, Safety Manual, Safety Case Report) shown between the two user groups below]

System/Software Engineers:
› Which safety mechanisms are available in AURIX™ TC3xx hardware and how to use them?
› Which external safety mechanisms are required?
› Which safety mechanism shall be implemented at the application level?
› How to monitor application dependent parts and which ones are independent?

Functional Safety Managers/Engineers/QM:
› Computation of project specific hardware architectural metrics
› Are all the required safety measures correctly implemented?
› Assessment of AURIX™ compliance to the objective of ISO 26262

SAFETY
System integration

› Safety as a concept is an integrated part of the AURIX™, nonetheless there are aspects that are application dependent such as:
  – Ensuring redundancy over the analog and digital Inputs / Outputs and over communication protocols
  – Configuration of individual modules (e.g. peripherals) in a safe manner
  – Implementation/Fulfillment of AoU according to the Safety Manual as applicable for the respective application

[Figure: AURIX™ TC37x block diagram: TC1.6P CPU0–CPU2 with Checker Core, FPU, 64KB PSPR, 96KB DSPR, 32KB PCACHE, 16KB DCACHE; DFlash, PFlash, LMU, DAM, MiniMCDS on the System Resource Interconnect; SMU, QSPI, HSM, MSC, SCU, Port, SFI, FCE, IOM, DMA, HSSL, HSCT, Bridge; System Peripheral Bus with MCM CAN, ETH MAC, EDSADC, ASC LIN, EVADC, PSI5S, CCU6, SENT, ERAY, PSI5, GTM, STM, GPT, I2C]



Application example
External safety mechanisms

[Figure: system overview: Vbat +12V feeds an external PSP that supplies V_EXT and PORST to the AURIX™ TC3xx; grey function blocks for Time, Voltage Monitor, Window Watchdog, Safe State Control and Error Monitoring; the TC3xx drives an Actuator via Actuator Control]

Overview
› AURIX™ can manage different fail scenarios, such as detecting under/over voltage of the external supply, and dependent failures which cause the diagnostic system to fail too

Advantages
› For all these fail scenarios, recommended reactions can be implemented, such as bringing the system into its safe state
› Well defined reaction systems ensure that the faulty behavior of external components will not produce malfunctions

Note: the grey blocks represent functions to be allocated to external devices, not hardware components.
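The window watchdog, voltage monitor and safe state control in the figure are functions the integrator allocates to an external device, so the reaction to a failed microcontroller does not depend on the microcontroller itself. As an added example, not code from this deck or from Infineon, the following C program models such an external supervisor: a watchdog trigger is accepted only inside a time window after the previous one, so a hung MCU (late or missing trigger) and a runaway MCU (early trigger) are both detected; the supply is checked against an under/over-voltage window; and after a small number of faults the supervisor latches the safe state. The window limits, voltage limits, fault threshold, scenario timing and all names are constructed assumptions of this example, not values from the Safety Manual.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed parameters for the illustration only. */
#define WWDT_WINDOW_OPEN_MS    40u   /* a trigger is accepted from here ...          */
#define WWDT_WINDOW_CLOSE_MS   60u   /* ... until here after the previous trigger    */
#define VEXT_MIN_MV          4500u   /* under-voltage threshold                      */
#define VEXT_MAX_MV          5500u   /* over-voltage threshold                       */
#define MAX_FAULTS              2u   /* faults tolerated before safe state is latched */

typedef enum { SYS_RUN = 0, SYS_SAFE_STATE = 1 } sys_state_t;

typedef struct {
    uint32_t    last_trigger_ms;   /* start of the current watchdog window */
    uint32_t    fault_count;
    sys_state_t state;             /* latched: only a power cycle leaves SAFE */
} ext_monitor_t;

void monitor_init(ext_monitor_t *m, uint32_t now_ms) {
    m->last_trigger_ms = now_ms;
    m->fault_count = 0;
    m->state = SYS_RUN;
}

static void record_fault(ext_monitor_t *m, const char *why) {
    m->fault_count++;
    printf("fault %u: %s\n", m->fault_count, why);
    if (m->fault_count > MAX_FAULTS) {
        m->state = SYS_SAFE_STATE;     /* safe state control: hold the actuator off */
        printf("-> safe state asserted\n");
    }
}

/* Called when the MCU toggles the watchdog pin. Any trigger restarts the
   window; only one inside [OPEN, CLOSE] is accepted. Returns true if accepted. */
bool wwdt_trigger(ext_monitor_t *m, uint32_t now_ms) {
    if (m->state == SYS_SAFE_STATE) return false;
    uint32_t elapsed = now_ms - m->last_trigger_ms;
    m->last_trigger_ms = now_ms;
    if (elapsed < WWDT_WINDOW_OPEN_MS)  { record_fault(m, "early trigger (runaway)"); return false; }
    if (elapsed > WWDT_WINDOW_CLOSE_MS) { record_fault(m, "late trigger");           return false; }
    return true;
}

/* Periodic supervisor tick: detects a missing trigger and a supply out of range. */
void monitor_tick(ext_monitor_t *m, uint32_t now_ms, uint32_t vext_mv) {
    if (m->state == SYS_SAFE_STATE) return;
    if (now_ms - m->last_trigger_ms > WWDT_WINDOW_CLOSE_MS) {
        record_fault(m, "watchdog timeout (MCU hung)");
        m->last_trigger_ms = now_ms;   /* restart the window: one hang counts once per window */
    }
    if (vext_mv < VEXT_MIN_MV || vext_mv > VEXT_MAX_MV)
        record_fault(m, "supply voltage out of range");
}

/* Simulates 300 ms in 10 ms ticks. trigger_period_ms = 0 means the MCU never
   triggers; from fault_mv_after_ms on, the supply reads fault_mv instead of 5000 mV. */
sys_state_t run_scenario(uint32_t trigger_period_ms, uint32_t fault_mv_after_ms, uint32_t fault_mv) {
    ext_monitor_t m;
    monitor_init(&m, 0);
    for (uint32_t t = 10; t <= 300; t += 10) {
        uint32_t v = (t >= fault_mv_after_ms) ? fault_mv : 5000u;
        monitor_tick(&m, t, v);
        if (trigger_period_ms != 0 && t % trigger_period_ms == 0) wwdt_trigger(&m, t);
    }
    return m.state;
}

int main(void) {
    printf("nominal:       %d\n", run_scenario(50, 1000, 5000));   /* 0 = SYS_RUN */
    printf("runaway MCU:   %d\n", run_scenario(10, 1000, 5000));   /* 1 = SYS_SAFE_STATE */
    printf("hung MCU:      %d\n", run_scenario(0,  1000, 5000));
    printf("under-voltage: %d\n", run_scenario(50, 100,  4000));
    return 0;
}
```

The window (rather than a plain timeout) is what catches the dependent-failure case the slide mentions: a microcontroller whose diagnostic loop has degenerated into a tight loop that still toggles the pin would satisfy a simple timeout but is rejected here as an early trigger.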



Trademarks
All referenced product or service names and trademarks are the property of their respective owners.

Edition 2020-09
Published by
Infineon Technologies AG
81726 Munich, Germany
© 2020 Infineon Technologies AG.
All Rights Reserved.

Do you have a question about this document?
Email: erratum@infineon.com

Document reference
AURIX_Training_2_Safety_Concept

IMPORTANT NOTICE
The information given in this document shall in no event be regarded as a guarantee of conditions or characteristics ("Beschaffenheitsgarantie").
With respect to any examples, hints or any typical values stated herein and/or any information regarding the application of the product, Infineon Technologies hereby disclaims any and all warranties and liabilities of any kind, including without limitation warranties of non-infringement of intellectual property rights of any third party.
In addition, any information given in this document is subject to customer's compliance with its obligations stated in this document and any applicable legal requirements, norms and standards concerning customer's products and any use of the product of Infineon Technologies in customer's applications.
The data contained in this document is exclusively intended for technically trained staff. It is the responsibility of customer's technical departments to evaluate the suitability of the product for the intended application and the completeness of the product information given in this document with respect to such application.

For further information on the product, technology, delivery terms and conditions and prices please contact your nearest Infineon Technologies office (www.infineon.com).

WARNINGS
Due to technical requirements products may contain dangerous substances. For information on the types in question please contact your nearest Infineon Technologies office.
Except as otherwise explicitly approved by Infineon Technologies in a written document signed by authorized representatives of Infineon Technologies, Infineon Technologies' products may not be used in any applications where a failure of the product or any consequences of the use thereof can reasonably be expected to result in personal injury.
