ASIL Functional Safety: MCU, PMIC & Sensor Diagnostic Coverage

In the rapidly evolving landscape of Automotive Electronics, the transition to Domain Controllers and Zonal Architectures has fundamentally shifted how we approach functional safety. As vehicles adopt 800V high-voltage platforms, SiC-based OBCs (On-Board Chargers), and 10GBASE-T1 backbones, the stakes for safety have never been higher. For hardware engineers and system architects, the challenge is no longer just about selecting an “ASIL D compliant” chip—it is about proving Diagnostic Coverage (DC) at the system level.

How do we practically achieve the >99% Single Point Fault Metric (SPFM) required for ASIL D? How do generic MCUs, PMICs, and Sensors collaborate to form a safety net that protects against random hardware failures? This article provides an actionable engineering checklist for implementing diagnostic coverage, moving beyond theory into the silicon-level mechanisms that keep modern software-defined vehicles safe.

The Arithmetic of Safety: Why 99% is the Hardest Mile

Under ISO 26262, the ASIL (Automotive Safety Integrity Level) determination dictates the rigor of development. For the highest level, ASIL D, the standard requires:

• Single Point Fault Metric (SPFM): ≥ 99%
• Latent Fault Metric (LFM): ≥ 90%
• Probabilistic Metric for Random Hardware Failures (PMHF): < 10 FIT (Failures in Time)

Achieving 99% coverage means that for every 100 potential fatal hardware faults, 99 must be detected and controlled by a safety mechanism within the Fault Tolerant Time Interval (FTTI). This is not achieved by a single component but by a triad of mutual monitoring between the Logic (MCU), Power (PMIC), and Perception (Sensors).

1. The Logic Core: MCU Diagnostic Mechanisms

The microcontroller (MCU) is the decision-making brain. In Domain Controllers, high-performance SoCs (like NXP S32 series or Infineon AURIX TC4x) are standard. To reach ASIL D, they rely on redundancy and hardware-based diagnostics.

Lockstep Cores: The Gold Standard

For ASIL D computation, Dual-Core Lockstep (DCLS) is non-negotiable. Two cores execute the same code 1-2 clock cycles apart.

• Mechanism: A hardware comparator checks the outputs of both cores. Any mismatch triggers an immediate trap.
• Diagnostic Coverage: High (>99%). This covers random logic errors, bit flips, and stuck-at faults in the ALU/Pipeline.
• Implementation Note: The temporal delay (1-2 cycles) prevents Common Cause Failures (CCF), such as a voltage spike affecting both cores identically at the same instant.

Memory Protection: ECC and BIST

SRAM and Flash are vulnerable to soft errors (bit flips caused by cosmic radiation).

• SECDED ECC (Single Error Correction, Double Error Detection):
  • Mechanism: Every 64-bit word carries 8 bits of ECC checksum.
  • Coverage: Corrects 1-bit errors (transparent to software) and detects 2-bit errors (triggers an interrupt/reset).
• MBIST (Memory Built-In Self-Test):
  • Mechanism: Runs at startup (and periodically) to write/read specific patterns (e.g., March C-) to verify memory cell integrity.
  • Coverage: Detects “stuck-at” faults that ECC might miss in unused memory areas.

Logic BIST (LBIST)

• Mechanism: Hardware engine scans the internal logic chains of the MCU with pseudo-random patterns.
• Coverage: Critical for detecting latent faults in safety mechanisms that are rarely used (e.g., the alarm signal itself).

2. The Power Foundation: PMIC as the External Watchdog

In 800V SiC systems and OBC designs, the Power Management IC (PMIC) is not just a regulator; it is the independent safety observer. An MCU cannot reliably monitor its own power supply voltage—if the core voltage drops, the ADC monitoring it might also drift, leading to a false pass.

Voltage Monitoring with Bandgap Independence

• Requirement: The PMIC must monitor the MCU’s core rails (e.g., 0.8V, 1.1V, 3.3V) using a reference voltage independent of the one used for regulation.
• UV/OV Detection: Under-Voltage (UV) can cause erratic instruction execution; Over-Voltage (OV) can damage silicon.
• Diagnostic Coverage: The PMIC sends a reset signal if rails deviate by >3% (typical for ASIL D). This provides 99% coverage for power supply failures.

Window Watchdog (Q&A Mode)

A standard watchdog resets the MCU if it stops kicking. ASIL D requires a Window Watchdog:

• Mechanism: The MCU must service the watchdog within a specific time window (not too early, not too late).
• Advanced Q&A Watchdog: The PMIC sends a “question” (seed) to the MCU via SPI/I2C. The MCU calculates the “answer” based on a predefined formula and sends it back.
• Why it matters: This proves the MCU is not just stuck in a loop resetting the watchdog, but is actually executing code and performing calculations correctly.

3. Perception Integrity: Sensor Validity in Zonal Architectures

In a zonal architecture, sensors (LiDAR, Radar, Current Sensors in OBC) transmit raw data over high-speed links like 10GBASE-T1. Ensuring the data hasn’t been corrupted is vital.

End-to-End (E2E) Protection

When data travels from a sensor to a Zone Controller and then to a Central Compute unit, simply checking the Ethernet CRC is insufficient (it only covers the link).

• E2E Mechanism: The sensor adds a safety header at the application layer.
  • Rolling Counter (4-bit): Detects frozen data or lost frames.
  • CRC (8-bit/16-bit): Detects data corruption.
  • Data ID: Detects masquerading (data from Sensor A arriving as Sensor B).
• Diagnostic Coverage: E2E protection ensures that even if a switch or router in the middle corrupts the packet, the receiver will reject it.

Plausibility Checks and Redundancy

• Range Checks: If a temperature sensor in a SiC inverter reads -300°C, it’s a physical impossibility (electrical short/open).
• Correlation: In an OBC, input current × input voltage should roughly equal output power (minus efficiency loss). A mismatch indicates a sensor drift or fault.

High-Voltage Safety: 800V, SiC, and the OBC Context

The shift to 800V architectures introduces new failure modes. Silicon Carbide (SiC) MOSFETs switch faster and run hotter.

• Desaturation Detection (DESAT): Gate drivers must monitor the SiC MOSFET’s Vds. If it rises while the switch is ON, it implies a short circuit. The driver must shut down the SiC device within nanoseconds to prevent explosion. This is a local safety mechanism with high diagnostic coverage for the power stage.
• Isolation Monitoring: In 800V systems, leakage current detection is critical. The BMS or OBC must continuously measure isolation resistance between HV+ and chassis ground.

FAQ: Common Questions on ASIL Implementation

Q: Can I achieve ASIL D with a single ASIL B MCU?

A: Generally, no, unless you use ASIL Decomposition. For example, you can decompose an ASIL D requirement into two independent ASIL B(D) channels. However, this increases software complexity (synchronization, comparison) and hardware cost (redundant chips). Using a purpose-built ASIL D MCU (with lockstep) is often more cost-effective for the main compute.

Q: How does 10GBASE-T1 affect functional safety?

A: 10GBASE-T1 introduces electromagnetic interference (EMI) challenges. High-frequency noise can corrupt SPI/I2C signals on the PCB. Diagnostic coverage here relies heavily on PHY-level Signal Quality Index (SQI) monitoring and the aforementioned E2E protection. If the Ethernet link degrades (SQI drops), the system should degrade gracefully (e.g., disable autonomous lane change) rather than failing abruptly.

Q: What is the “Safe State”?

A: When a diagnostic mechanism (like the PMIC watchdog or Lockstep comparator) detects a fault that cannot be corrected, the system must transition to a Safe State. For an OBC, this means disconnecting the high-voltage relays. For a steering system, it might mean ramping down assist while keeping the mechanical linkage connected. Defining the Safe State is as important as detecting the fault.

Conclusion

Implementing ASIL functional safety is not an exercise in paperwork; it is a rigorous engineering discipline that dictates hardware architecture. From the lockstep cores of the MCU to the Q&A watchdogs of the PMIC and the E2E protection of sensors, every element serves to maximize Diagnostic Coverage.

In the era of 800V SiC and Zonal Architectures, the complexity of failure modes increases. Engineers must rely on a “defense in depth” strategy—where faults are detected locally (DESAT, ECC), monitored regionally (PMIC Watchdog), and validated systematically (E2E Checks). Only by creating this overlapping web of diagnostics can we deliver the safety required for the next generation of automotive electronics.