Functional Safety Island (FSI)

Functional Safety Island (FSI) is a new hardware IP block in the Orin SoC. The key motivations for including it are:

  • Availability of ~10K ASIL D MIPS for safety functions such as sensor fusion and vehicle control. Mapping these functions onto FSI reduces the MIPS demand that would otherwise be placed on the external MCU.
  • FSI hardware is developed to ASIL D for both systematic and random faults, in contrast to the rest of the SoC, which provides better overall safety (the analogy being an island surrounded by water).
  • FSI hardware and software can centrally monitor the safety errors occurring across the SoC.

Hardware Architecture

FSI hardware in the Orin SoC is designed with independent voltage/power rails and the other isolation mechanisms needed to execute its safety functions independently of the rest of the SoC.

FSI hardware IP primarily contains a CPU complex of four DCLS (Dual Core Lock Step) R52 (ARMv8-R) CPUs. Each R52 CPU has 256KB of ATCM, 128KB of BTCM, and 128KB of CTCM, in addition to a 32KB instruction cache and a 32KB data cache.

For more information on the R52 CPU, refer to the ARM Reference Manuals.

Note: ARMv8-R does not provide cache coherency across multiple cores.

FSI has a common shared memory of 3MB connected to the CPUs over a fabric/interconnect.

On the communications peripheral front, FSI hardware IP has two CAN controllers and one SPI controller. The SPI controller is dedicated to interfacing with the external MCU for safety communications, following the SafetyServices infrastructure provided by DRIVE OS.

For security, key management, and crypto needs, FSI hardware IP has a Crypto Hardware Security Manager (CHSM) module that the R52 CPUs can use as a hardware accelerator. FSI hardware IP also has access-blocking logic (firewalls) to maintain freedom from interference (FFI) from the rest of the SoC during its execution.

On the hardware safety front, FSI hardware IP has a Hardware Safety Manager (HSM) module that is centrally notified of the various safety errors occurring in hardware, notifies the R52 CPUs, and asserts the SOC_ERROR GPIO of the Orin SoC, which is interfaced to the external MCU.

FSI hardware IP is clocked by an independent, dedicated XTAL and powered from its own voltage rail to achieve FFI from the rest of the SoC.

FSI hardware IP has a DMA engine to move data between different internal memories (TCMs and SRAM) and external memory.

FSI hardware has a UART peripheral for debug and development purposes.

FSI hardware IP has no persistent memory in which to store data.

FSI Software Boot

As part of Orin boot, the bootloader in the MB2 stage loads the various components of the FSI binaries into the relevant memories, namely the TCMs and the SRAM.

FSI firmware can boot without provisioned keys, and all functionality that does not require a provisioned key works as expected. This violates the security architecture and should only be used for development purposes.

For key provisioning details, refer to Persistent Key Object Support.