Functional safety of electronic systems in automotive passenger cars is an important topic in light of the increasing automation and semiconductor content of modern cars. It is desirable to have reliable and safe functionality for the safety-critical parts deployed in the system.
One requirement which often exists in such safety-critical applications is that malfunctions of a sensor device must be detectable by the system, for example by an entity receiving signals from the sensor device. In other words, it must be possible to detect whether a sensor device delivers erroneous values, e.g. due to a fault of the sensor device. One approach to ensure this is redundancy, for example providing two separate sensors measuring the same physical quantity. A deviation between the measurements of the two sensor devices above a threshold may indicate a malfunction of at least one of them. However, such redundancy requires additional chip area.
Further, hardware solutions may use different types of processors developed on different hardware architectures. Different hardware architectures require at least twice the verification effort to reach the same quality as a duplicated homogeneous redundant architecture. Moreover, implementing the same functionality on the different architectures is error-prone and carries a high risk that corner cases behave differently in an unintended manner. A corner case typically involves a problem or situation that occurs only outside of normal operating parameters, specifically one that manifests itself when multiple environmental variables or conditions are simultaneously at extreme levels, even though each parameter is within its specified range.
Further, floating-point and fixed-point arithmetic may be used in parallel to perform the actual mathematical calculations redundantly. The results are compared and the difference between them is analyzed to determine whether it is within a margin given by the calculation precisions. In general, this implementation is not efficient, since it requires both a fixed-point and a floating-point implementation, which limits its application to processors supporting both fixed-point and floating-point arithmetic. Moreover, some calculations are subject to the same systematic failure even if they are implemented both in fixed point and in floating point.
Another known implementation is called “coded processing”, with AN-coding as one example. AN-coding is a method of extending the number space of the data: before processing, the original data is multiplied by a specific code constant A, and after processing the result is checked for whether it still lies in the expected number space, i.e. whether it is still a multiple of A. This method is primarily used to protect a single processor function against incorrect calculation.
However, this type of coding increases the bit width required for the number space, which is a severe disadvantage for embedded computing and especially for firmware. A higher bit width also implies more routing wires and a higher transistor count in the whole architecture, which increases the number of possible failures. This also explains why this method has so far been found only in applications on process computers that use a high hardware complexity.
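The following is an added illustration of the AN-coding scheme described in the two preceding paragraphs; it is example code written for this page and not code from the original document or from any particular product. It assumes a 32-bit data word, an arbitrarily chosen odd code constant A = 58659, and plain C integer arithmetic. It shows the three properties the text relies on: arithmetic can be carried out directly on coded operands and checked afterwards, every single-bit fault in a coded word is caught (2^i is never a multiple of an odd A), and each coded word needs as many extra bits as A has, which is the bit-width cost the paragraph above objects to. It also shows the limitation that a fault whose numeric effect is a multiple of A passes the check unnoticed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Code constant A: an assumed value for this example. Any odd A > 1 detects
 * every single-bit flip, because a power of two is never a multiple of an
 * odd number; the particular value is not from the original text. */
#define AN_A 58659ULL

typedef uint64_t an_word;   /* coded word: 32 data bits plus the bits of A */

static an_word  an_encode(uint32_t x) { return (an_word)x * AN_A; }
static bool     an_valid(an_word c)   { return c % AN_A == 0; }
static uint32_t an_decode(an_word c)  { return (uint32_t)(c / AN_A); }

/* Arithmetic directly on coded operands. A*x + A*y = A*(x+y) and
 * (A*x)*k = A*(x*k), so the result is still a code word and the residue
 * check after the operation catches a faulty adder or multiplier. */
static an_word an_add(an_word a, an_word b)        { return a + b; }
static an_word an_mul_const(an_word a, uint32_t k) { return a * k; }

/* Bit length of A: the extra width every coded word, register and wire
 * carrying it must have compared with the plain data word. */
static unsigned an_extra_bits(void)
{
    unsigned n = 0;
    for (an_word a = AN_A; a != 0; a >>= 1)
        n++;
    return n;
}

/* Inject every single-bit fault into the coded word, one at a time, and
 * report whether each one is caught by the residue check. */
static bool an_detects_all_single_flips(uint32_t x)
{
    an_word c = an_encode(x);
    unsigned width = 32 + an_extra_bits();
    for (unsigned i = 0; i < width; i++)
        if (an_valid(c ^ (1ULL << i)))
            return false;   /* a corrupted word that still looks valid */
    return true;
}

/* Limitation: a fault whose numeric effect is a multiple of A keeps the
 * word inside the code space and silently changes the decoded value. */
static bool an_misses_multiple_of_a(uint32_t x)
{
    an_word c = an_encode(x) + AN_A;    /* constructed fault of exactly +A */
    return an_valid(c) && an_decode(c) == x + 1;
}

int main(void)
{
    an_word a = an_encode(1000), b = an_encode(24);
    an_word s = an_add(a, b);
    printf("sum valid=%d decoded=%u\n", an_valid(s), an_decode(s));
    printf("sum with bit 7 flipped valid=%d\n", an_valid(s ^ (1ULL << 7)));
    printf("extra bits per coded word=%u\n", an_extra_bits());
    printf("all single flips detected=%d\n",
           an_detects_all_single_flips(0xDEADBEEFu));
    printf("fault of +A goes unnoticed=%d\n", an_misses_multiple_of_a(5));
    return 0;
}
```

With a 32-bit data word and this A, a coded word occupies 48 bits, so the datapath, registers and memory holding coded values grow by 16 bits per word; that growth, rather than the cost of the residue check itself, is what makes the scheme unattractive for small embedded cores.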