It is very common that a microcontroller is used in a safety relevant system to acquire data from sensors, process the data and then control actuators. With the shrink of technology every few years it becomes ever more common to use digital serial interfaces and high speed PWM links for both inputs and outputs. The microcontroller vendors have responded to the need for functional safety in the CPU cores by lock-stepping them and adding ECC to buses and memories. They are also implementing highly flexible and complex timer peripherals to be able to automate much of the real-time processing of the digital signals. However these timers are becoming significantly large, and many have their own embedded sequence engines or microkernels, which although powerful, often lack the rigorous diagnostic mechanisms required to reach ASILD. Currently the only solution is to use an application level measure to detect timer failures, but the large quantity of signals can lead to a substantial CPU load just for the monitoring tasks. This paper describes how a new I/O Monitoring peripheral can be used to ‘lockstep’ digital input and output signals, using two redundant or diverse timer peripherals. It will outline the problems, the current state of the art, and the proposed new solution, together with some typical use-cases of braking, electrical power steering and airbag.
