www.tttech.com Copyright © TTTech Computertechnik AG. All rights reserved.
Ensuring Reliable Networks
New Challenges in Safety Critical Systems
Safety Day 2014 – FH Campus Wien, April 2nd, 2014
Dr. Stefan Poledna
Overview
• Megatrends and Industry Drivers
• Safety and Re-use?
• Safety and Availability
• High performance (consumer) devices vs. embedded devices
What do they have in common?
… Reliable Networks and Controls from TTTech
[Slide pictures: Boeing 787, Vestas Turbines, Prinoth Leitwolf, Audi A8]
Mega Trends and Industry Drivers
Safety Becomes Ubiquitous
1. Megatrend Safety
• Automotive: 50 million injuries, out of those 1.2 million were fatal injuries (3,300 per day according to WHO 2010)
• Industrial: Manufacturers lose over $20 billion each year alone in safety incidents (Norm Gilsdorf, President of Honeywell Process Solutions, Honeywell User Group 2010)
• Civil Aviation: In 2010 there were 47.3 million flight hours and 22.3 million departures with 9 serious accidents
• Smart and safe mega cities
• Medical systems and healthcare for aging populations
• By 2020 every second embedded device will be safety relevant
1. Megatrend Safety
Cross-Industry Safety, Certification and Availability
• Design assurance standards are similar across industries: IEC 61508, EN/ISO 13849, ISO 26262, DO-178B / DO-254
• From fail-stop to fail-operational: clear trend towards fail-operational for availability reasons
2. Megatrend Autonomous and Smart Interacting Machines
[Slide pictures: autonomous cars, robot-human collaboration, snow grooming on airports and slopes, autonomous farming machines]
2. Megatrend Autonomous Interacting Machines
Examples of Driver Assistance Use Cases
• Automated Parking, Side View Assist, Rear view + overlays, Surround / Top View, Object Detection, Manoeuvre Assist
• Driver Drowsiness, Auto Emergency Braking, Congestion Pilot, Lane Assist, Automated Stop, Autonomous Driving
Key drivers: Safety and Convenience, enabling people to do different things than manoeuvring the car
3. Megatrend Internet of Things
Systems of Systems: Smart Grid, Intelligent Buildings, Smart Cities, Safety & Security, Healthcare, Water, Intelligent Transportation, Connected Car, Autonomous Driving, RT Cloud Services, Ambient Intelligence, Mobile Devices, Aerospace, Flexible Integrated Automation, Food & Farming
All necessary services need to be supported by one single communication infrastructure
3. Megatrend Internet of Things (continued)
The same systems of systems, converged by Ethernet/IPv6 and Deterministic Ethernet
Safety and Re-use?
Development Effort vs. Design Assurance Level
[Chart: development effort and re-use effort rise from a prototype product (QM) to a safety product (ASIL)]
• Development cost grows considerably with design assurance levels
• Re-use across different design assurance levels is difficult
How to Address the Efficiency Challenge?
The “Lift-Up Effect” I
Typical Hazards & Risk Profile
• The majority of functions is not safety related and thus QM classified
• Only a minority of functions is ASIL classified
The “Lift-Up Effect”
• An ECU must be developed in conformance to the highest ASIL level of any function within the ECU
• If freedom from interference (or partitioning) cannot be proven then all functionality needs to be developed acc. to the highest ASIL level
Example: percentage of ECU functionality per ASIL level
• QM: 75%
• ASIL A: 5%
• ASIL C: 3%
• ASIL D: 17%
(100% in total)
The “Lift-Up Effect” II
[Chart: the same example ECU (75% QM, 5% ASIL A, 3% ASIL C, 17% ASIL D) developed in two ways]
• Complete development according to the highest ASIL level: 100% development effort
• Development of functions according to their respective ASIL level: reduced development effort
The “Lift-Up Effect” III
The “Lift-Up Effect” can be avoided by ensuring “Freedom from Interference”
Def: Freedom from Interference – Absence of cascading failures between two or more elements that could lead to the violation of a safety requirement. (ISO 26262, Part 1)
Def: Cascading failure – Failure of an element of an item causing another element or elements of the same item to fail.
Re-Use in Safety Related Systems
[Diagram: high level integrated safety development process – Hazard Analysis & Risk Assessment, Safety Goals (ASIL), then Development Plan, Requirements, Design, Implementation, Integration and Shipping, with Configuration Management, Validation, SQA and Conformity Review running alongside]
The Re-Use Problem
• Safety goals cut across the integrated development process
• Components are therefore developed in a system level safety context
• Hence, components cannot be re-used outside the system level safety context easily
• This drives development effort
Re-Use in Safety Related Systems
Re-Use can be supported by defining a “Safety Element out of Context”
Safety Element out of Context (SEooC): A SEooC is a safety-related element which is not developed for a specific item. (…) Assumptions are made on requirements and design, including safety requirements that are allocated to the element by higher levels of design and on the design external to the element. (ISO 26262, Part 10)
[Diagram: assumed safety requirements without reference to a specific system feed a development process with CM, Development, Validation, SQA and Conformity Review, delivering a Safety Manual]
Goals for the Modular Safety ECU Platform
Goals
• Enable efficient development of safety ECUs
• Enable re-use as a Safety Element out of Context
• Support Freedom from Interference (Partitioning)
Modular Safety ECU Platform: ISO 26262 ASIL D, IEC 61508 SIL 3, EN/ISO 13849 PL e
SEooC Requirements
• Supports fault-tolerant time interval < 50 ms (including anti-glitch behavior)
• FIT rate of core < 5 FIT (main CPU, safety companion, clock, power …)
• Single point fault metric and safe failure fraction > 99 %
• Latent fault metric > 90 %
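The hardware metrics in the SEooC requirements above are defined in ISO 26262-5 (single-point fault metric and latent-fault metric, summed over the safety-related hardware elements) and in IEC 61508 (safe failure fraction, with $\lambda_{\mathrm{S}}$ safe, $\lambda_{\mathrm{DD}}$ dangerous detected and $\lambda_{\mathrm{DU}}$ dangerous undetected failure rates). The worked evaluation is an added illustration with constructed failure-rate figures, not TTTech platform data:

$$\mathrm{SPFM} = 1 - \frac{\sum_{\mathrm{SR,HW}} (\lambda_{\mathrm{SPF}} + \lambda_{\mathrm{RF}})}{\sum_{\mathrm{SR,HW}} \lambda}, \qquad
\mathrm{LFM} = 1 - \frac{\sum_{\mathrm{SR,HW}} \lambda_{\mathrm{MPF,L}}}{\sum_{\mathrm{SR,HW}} (\lambda - \lambda_{\mathrm{SPF}} - \lambda_{\mathrm{RF}})}, \qquad
\mathrm{SFF} = \frac{\lambda_{\mathrm{S}} + \lambda_{\mathrm{DD}}}{\lambda_{\mathrm{S}} + \lambda_{\mathrm{DD}} + \lambda_{\mathrm{DU}}}$$

With constructed figures for the safety-related hardware of one ECU, $\sum \lambda = 400$ FIT, $\sum(\lambda_{\mathrm{SPF}} + \lambda_{\mathrm{RF}}) = 3$ FIT and $\sum \lambda_{\mathrm{MPF,L}} = 30$ FIT:

$$\mathrm{SPFM} = 1 - \frac{3}{400} = 99.25\,\% \;(> 99\,\%), \qquad
\mathrm{LFM} = 1 - \frac{30}{400 - 3} \approx 92.4\,\% \;(> 90\,\%)$$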
Components of the Modular Safety ECU Platform
[Diagram: Modular Safety ECU Platform, rated ISO 26262 ASIL D, IEC 61508 SIL 3, EN/ISO 13849 PL e]
• CPU & Safety Companion
• I/O Blocks & SafeIO Drivers
• Cert Package, Safety Manual
• SafeCOM, SafeExec, SafeMon
• Application safety functions (App. 1 … App. 4) with checkpoints „SafeApp1“, „SafeApp2“ and „SafeCDR“ reported to the SafeWatchdog (WDG_HAL)
• Layers shown: Bootloader, OS, SafeHAL, BSP, Complex Drivers, RTE, I/O Services, Comm. Services, Memory Services, System Services, E2E-Lib, SafeCOM, SafeSelfCheck, SafeCrossCheck, SafeDispatcher
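The SafeWatchdog checkpoints in the component diagram above („SafeApp1“, „SafeApp2“, „SafeCDR“) together with the fault-tolerant time interval requirement from the previous slide, as an added C sketch of logical and temporal program-flow monitoring. It is not TTTech platform code; the checkpoint order, the 50 ms window and the `struct safe_watchdog` API are assumptions of this example:

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Fault-tolerant time interval assumed by this example: every monitored
 * application must reach its checkpoint within this window (slide: < 50 ms). */
#define FTTI_MS 50u

enum checkpoint_id { CP_SAFE_APP1 = 0, CP_SAFE_APP2 = 1, CP_SAFE_CDR = 2, CP_COUNT };

/* Expected order of checkpoints within one control cycle (constructed). */
static const enum checkpoint_id expected_order[CP_COUNT] = {
    CP_SAFE_APP1, CP_SAFE_APP2, CP_SAFE_CDR
};

struct safe_watchdog {
    uint32_t cycle_start_ms;   /* time at which the current cycle started */
    unsigned next_index;       /* index into expected_order of the next checkpoint */
    bool safe_state;           /* latched once a violation has been detected */
    unsigned violations;       /* number of detected violations */
};

static void wdg_init(struct safe_watchdog *w, uint32_t now_ms) {
    memset(w, 0, sizeof *w);
    w->cycle_start_ms = now_ms;
}

/* On a real ECU this would stop servicing the hardware watchdog so the
 * outputs are driven to their safe state; here it only latches the event. */
static void wdg_enter_safe_state(struct safe_watchdog *w) {
    w->safe_state = true;
    w->violations++;
}

/* An application reports that it reached a checkpoint. Returns false if the
 * checkpoint is late or out of sequence; both are program-flow violations. */
static bool wdg_checkpoint(struct safe_watchdog *w, enum checkpoint_id id, uint32_t now_ms) {
    if (w->safe_state) return false;
    if (now_ms - w->cycle_start_ms >= FTTI_MS) {          /* temporal violation */
        wdg_enter_safe_state(w);
        return false;
    }
    if (w->next_index >= CP_COUNT || expected_order[w->next_index] != id) {
        wdg_enter_safe_state(w);                           /* logical violation */
        return false;
    }
    w->next_index++;
    return true;
}

/* Called by the cyclic monitor task. Only if every checkpoint arrived in order
 * and within the window is the hardware watchdog serviced and a new cycle begun. */
static bool wdg_service(struct safe_watchdog *w, uint32_t now_ms) {
    if (w->safe_state) return false;
    if (w->next_index != CP_COUNT || now_ms - w->cycle_start_ms >= FTTI_MS) {
        wdg_enter_safe_state(w);
        return false;
    }
    w->next_index = 0;
    w->cycle_start_ms = now_ms;
    return true;
}
```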
Safety and Availability
Why Safety in Wind Power?
• IEC 61508 applies
• Safety related functions typically rated SIL 3
Why High-Availability in Wind Power?
Reduced Down Time = Lower Cost
Reduced operation cost through minimization of unscheduled maintenance
Source: “Survey of Failures in Wind Power Systems With Focus on Swedish Wind Power Plants During 1997-2005”, IEEE Transactions on Energy Conversion, Vol. 22, No. 1, March 2007
Wind Turbine Electronics Architecture
[Diagram: nacelle, tower and power control connected over TTE Channel 1 and TTE Channel 2, each with its own TTE switch; Main Controller, Main Safety Unit, Safety I/O Unit and Functional Safety Unit are each redundant; a non safety related resource controller is attached as well]
Ethernet Communication System
• TTEthernet switches & NICs
• High availability and safety
• Dual redundancy
• 100 Mbit/s, 1 Gbit/s
• Synchronization
Safety Controllers
• Modular safety controllers
• Dual core CPU
• Dual channel SIL 2
• Safe I/O: control and shutdown
High-Availability by Means of a Fully-Redundant Architecture
Deterministic Switched Ethernet and Safety I/O Controllers: three architecture options
• Standard architecture – Non-redundant
• Redundant architecture – Fault-tolerance and redundancy on network level
• Full fail-operational architecture – Fault-tolerance on network & control level
Mixed-Criticality Functions in a Single Network Architecture
[Diagram legend: TTTech Safety I/O, TTTech Control I/O, C = TTTech Controller or TTTech Safety Controller, S = TTTech Control Switch or TTTech Safety / Control Switch]
Physically Separated Networks and Controllers: a monitoring network, a control network and a safety network, each with its own controllers, switches and HMI
One Converged Backbone Network and Distributed Controls: monitoring, control and safety functions in one single network with partitioned traffic – mixed criticality over one single standard Ethernet cable
Energy: Wind Turbines
Control of the next generation of wind turbines
“Utilising technology similar to that in aircraft and performance cars, TTTech delivers Ethernet solutions designed to improve reliability and productivity of the next generation of wind turbines.” Vestas Press Release
Example: TTC-500 Safety Controller
CPU
• TMS570 dual core lockstep CPU @ 160 MHz plus Safety Companion
• Designed for applications up to ASIL D / SIL 3; safety features (RAM/Flash ECC check, ...)
• Floating Point Unit, MPU
I/Os and Interfaces
• 28 HS PWMs with current measurement
• 8 HS Digital Out, 8 LS Digital Out
• 24 Analog Inputs, 12 Timer Inputs
• 8 PVG, VOUT
• 7 x CAN with configurable termination …
Flexibility
• Outputs can be used as inputs
• Inputs low / high active
• Flexible range-configurable analog inputs
• Use of “ABS-type” sensors
Programming
• CODESYS® 3.0 or ANSI-C
• TTC-Downloader or Download-DLL
• Support for Lauterbach Debugger/Trace32
Functional Safety
• Fulfills IEC 61508 SIL 2 and EN/ISO 13849 PL d with TÜV Nord Safety Certificate
• MTTFd / DC values available per I/O
Example: TTC-500 Safety Controller
TÜV certified
• IEC 61508 SIL 2
• ISO 13849 PL d
• certifiable ISO 25119 AgPL d
• certifiable ISO 26262 ASIL-D
• Hardware metrics (MTTFd / DC and PFH/SFF) available for the customer – total value and value per I/O
Safety + Availability
• Output shut-off in 3 groups guarantees high availability
• Complete shut-off not necessary in case of single I/O failure
High Performance (Consumer) Devices vs. Embedded Devices in Safety Applications
New advanced embedded MCUs provide extensive safety support
ASIL D, SIL 3 Support
• Dual-core lockstep
• Memory protection
• ECC on Flash and RAM
• Examples: TI TMS570, Infineon Aurix, Renesas V850
• Typically up to 300 MHz CPU clock
• Dual / Triple Core designs
Example TMS570: Extensive Safety Mechanisms (excerpt of the numbered list of mechanisms)
5.1 Power Supply
5.1.1 Embedded Voltage Monitor (VMON)
5.1.2 External Voltage Supervisor
5.2 Clocks
5.2.1 Low Power Oscillator Clock Detector
(LPOCLKDET)
5.2.2 PLL Slip Detection
5.2.3 Dual Clock Comparator (DCC)
5.2.4 Monitoring of External Clock Outputs (ECLK)
5.2.5 Internal Watchdog
5.2.6 External Watchdog
5.2.7 Periodic Read Back of Configuration Registers
5.2.8 Software Read Back of Written Configuration
5.2.9 Notes
5.3 Reset
5.3.1 External Monitoring of Warm Reset (nRST)
5.3.2 Software Check of Cause of Last Reset
5.3.3 Software Warm Reset Generation
5.3.4 Glitch Filtering on nRST and nPORRST
5.3.5 Shadow Registers
5.3.6 External Watchdog
5.3.7 Periodic Read Back of Configuration Registers
5.3.8 Software Read Back of Written Configuration
5.4 System Module
5.4.1 Privileged Mode Access and Multi-Bit Enable
5.4.2 Software Read Back of Written Configuration
5.4.3 Periodic Read Back of Configuration Registers
5.5 Error Signaling Module (ESM)
5.5.1 Periodic Read Back of Configuration Registers
5.5.2 Software Test of Error Path Reporting
5.5.3 Shadow Registers
5.5.4 Software Read Back of Written Configuration
5.6 CPU Subsystem
5.6.1 Lockstep CPU Diagnostic
5.6.1.1 Measures to Mitigate Common Mode Failure
5.6.2 CPU Logic Built In Self Test / Self-Test Contr.
5.6.3 CPU Memory Protection Unit (MPU)
5.6.4 Online Profiling- Performance Moni. Unit
5.6.5 Internal or External Watchdog
5.6.6 Illegal Operation and Instruction Trapping
5.6.7 Software Read Back of Written Configuration
5.6.8 CPU Lockstep Comparator (CCM) Self-Test
5.7 Primary Embedded Flash
5.7.1 Flash ECC
5.7.2 Hard Error Cache and Livelock
5.7.3 Flash Wrapper Address ECC
5.7.4 ATCM Address Bus Parity
5.7.5 Flash Contents Check by Hardware CRC
5.7.6 Bit Multiplexing in Flash Memory Array
5.7.7 Flash Sector Protection
5.7.8 Periodic Read Back of Configuration Registers
5.7.9 Software Read Back of Written Configuration
5.8 Flash EEPROM Emulation (FEE)
5.8.1 FEE Data ECC
5.8.2 FEE Contents Check by Hardware CRC
5.8.3 Bit Multiplexing in FEE
5.8.4 FEE Sector Protection
5.8.5 Periodic Read Back of Configuration Registers
5.8.6 Software Read Back of Written Configuration
5.9 Primary Embedded SRAM
5.9.1 Data ECC
5.9.2 Hard Error Cache and Livelock
5.9.3 Correctable ECC Profiling
5.9.4 BTCM Address and Control Bus Parity
5.9.5 SRAM Wrapper Redundant Address Decode
5.9.6 Data and ECC Storage in Multiple Physical Banks
5.9.7 Programmable Memory BIST (PBIST)
5.9.8 SRAM Bit Multiplexing
5.9.9 SRAM Hardware CRC-64
5.9.10 Periodic Read Back of Configuration Registers
5.9.11 Software Read Back of Written Configuration
5.9.12 Software Test of SRAM Wrapper Address
Decode Diagnostic and ECC
5.10 Level 2 and Level 3 (L2 and L3) Interconnect
5.10.1 Error Trapping
5.10.2 Peripheral Central Resource Management
5.10.3 Internal or External Watchdog
5.10.4 Information Redundancy Techniques
5.10.5 Periodic Read Back of Configuration Reg.
5.10.6 SW Test of Basic Func. Incl Error Tests
5.10.7 SW Read Back of Written Configuration
5.11 EFuse Static Configuration
5.11.1 Autoload Self-Test
5.11.2 EFuse ECC
5.11.3 Periodic Read Back of Conf. Registers
5.11.4 Software Read Back of Written Conf.
5.12 OTP Static Configuration
5.12.1 Autoload Self-Test
5.12.2 OTP Autoload ECC
5.12.3 Periodic Read Back of Conf. Registers
5.12.4 Software Read Back of Written Conf.
5.13 I/O Multiplexing (IOMM)
5.13.1 Locking Mechanism for Control Registers
5.13.2 Master ID Filtering
5.13.3 Error Trapping
5.13.4 Periodic Read Back of Conf. Registers
5.13.5 SW Test of Func. Using I/O Loopback
5.13.6 SW Read Back of Written Configuration
5.14 Vectored Interrupt Module (VIM)
5.14.1 VIM SRAM Parity
5.14.2 VIM SRAM PBIST
5.14.3 VIM SRAM Bit Multiplexing
5.14.4 VIM SRAM CRC-64 Testing
5.14.5 Periodic SW Test of VIM Op. incl. Err. Tests
5.14.6 Periodic Read Back of Conf. Reg.
5.14.7 Software Read Back of Written Conf.
5.14.8 Internal or External Watchdog
….
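Two of the mechanisms that recur throughout the list above, “Software Read Back of Written Configuration” and “Periodic Read Back of Configuration Registers”, in a small C model added here as an illustration; it is not code from the TMS570 safety manual or from TTTech. The register bank, the golden copy with its CRC and the error-signalling hook `esm_report()` are constructed stand-ins for the real memory-mapped registers and the ESM:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of a small bank of memory-mapped configuration registers
 * (hypothetical; a real MCU exposes these at fixed addresses). */
#define CFG_REG_COUNT 4u
static volatile uint32_t cfg_regs[CFG_REG_COUNT];

/* Golden copy of the intended configuration plus its CRC, kept separately so a
 * single corruption cannot hit the live register and the reference at once. */
static uint32_t cfg_golden[CFG_REG_COUNT];
static uint32_t cfg_golden_crc;

/* Number of faults reported to the (hypothetical) error-signalling hook. */
static unsigned esm_error_count;

static void esm_report(unsigned channel) {
    (void)channel;            /* a real ESM would latch the channel and raise nERROR */
    esm_error_count++;
}

/* CRC-32 (reflected, polynomial 0xEDB88320) over an array of words. */
static uint32_t crc32_words(const uint32_t *w, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        uint32_t v = w[i];
        for (int b = 0; b < 32; b++) {
            uint32_t bit = (crc ^ v) & 1u;
            crc = (crc >> 1) ^ (bit ? 0xEDB88320u : 0u);
            v >>= 1;
        }
    }
    return ~crc;
}

/* Software read-back of written configuration: write, read back, compare. */
static bool cfg_write_verified(unsigned idx, uint32_t value) {
    if (idx >= CFG_REG_COUNT) return false;
    cfg_regs[idx] = value;
    cfg_golden[idx] = value;
    cfg_golden_crc = crc32_words(cfg_golden, CFG_REG_COUNT);
    if (cfg_regs[idx] != value) {      /* the write did not take effect */
        esm_report(1);
        return false;
    }
    return true;
}

/* Periodic read-back, called from a cyclic task: first verify the golden copy
 * is intact, then compare every live register against it. */
static bool cfg_periodic_check(void) {
    if (crc32_words(cfg_golden, CFG_REG_COUNT) != cfg_golden_crc) {
        esm_report(2);                  /* reference corrupted: comparison untrustworthy */
        return false;
    }
    bool ok = true;
    for (unsigned i = 0; i < CFG_REG_COUNT; i++) {
        if (cfg_regs[i] != cfg_golden[i]) {
            esm_report(3);
            cfg_regs[i] = cfg_golden[i];   /* restore; the ESM decides the reaction */
            ok = false;
        }
    }
    return ok;
}

static unsigned esm_errors(void) { return esm_error_count; }
static uint32_t read_register(unsigned idx) { return cfg_regs[idx]; }
/* Simulates a bit upset in a live register so the check can be exercised. */
static void simulate_bit_upset(unsigned idx, uint32_t mask) { cfg_regs[idx] ^= mask; }
```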
Example High-Performance (Consumer) Computing Device: Tegra K1
• GPU: NVIDIA® Kepler™ Architecture, 192 NVIDIA CUDA® Cores
• CPU Cores and Architecture: NVIDIA 4-Plus-1™ Quad-Core ARM Cortex-A15 "r3"
• Max Clock Speed: 2.3 GHz
• Memory Type: DDR3L and LPDDR3
• Max Memory Size: 8 GB (with 40-bit address extension)
• Display: LCD 3840x2160; HDMI 4K (UltraHD, 4096x2160)
• Package Size/Type: 23x23 FCBGA, 16x16 S-FCCSP, 15x15 FC PoP
• Process: 28 nm
Safety? Typically not designed for safety applications
When I don’t feel like driving I let my car do it
[Slide pictures: parking, traffic jams]
Example: Driver Assistance System
► High integration of multiple functions on one control unit with TTEthernet
► Platform approach (decoupling from application) best-in-class
Centralized Control Platform: integrated robust electronic architecture
[Diagram with layers Output, Applications, Fusion, Perception and Basis (labels translated from German); blocks shown: HMI Manager, Motion Manager, Map Fusion, Object Fusion, Infrastructure Fusion, Function 1 … Function 12, Sensor 1 … Sensor 11, Application Framework, Framework/BSP/Drivers]
Example Autonomous Driving: Functional Safety (1)
Autonomous driving functions will need ASIL D implementations
Complication:
• Complex image processing and fusion algorithms
• Processing elements (GPUs, FPGAs, …) do not comply with ASIL D
Solution approach:
• Decomposition isolates ASIL D requirements on an automotive grade microcontroller („application host“)
• Application level software safety functionality
• Link with deterministic Ethernet
[Diagram: QM processing elements beside the ASIL D application host]
Intraboard Connection based on deterministic Ethernet
[Diagram: a TTEthernet switch (4 x 100 Mbit/s, 2 x 1 Gbit/s, clock synchronization) links three SoCs at 100 Mbit/s each, Graphics + GPUs at 100 Mbit/s, Image Processing at 1 Gbit/s with a 10 Gbit/s cross-link, an Integration & Test Interface at 1 Gbit/s and Car2X Ethernet at 100 Mbit/s]
Example Autonomous Driving: Functional Safety (2)
Limited fail-operational capability required (need minimum >10 sec. for hand-over to driver in case of faults)
Solution approach:
• Redundancy concept necessary
• Degraded mode acceptable
• Safety monitoring at functional level with redundant algorithms
Thank You!