simplifying sil3 mcu safety architectures in automotive ... · simplifying sil3 mcu safety...
TRANSCRIPT
Simplifying SIL3 MCU safety architectures in automotive applications according to IEC61508 norm
Silvano Motto – CEO YogitechStefano Lorenzini – Design Engineering Manager Yogitech
Automotive Electronics and Electrical Systems Forum 2008, 6th May
Outline
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 2
• Background• From black to white-box approach: the fRMethodology• The faultRobust IPs• A comprehensive approach• Conclusions
Background (1)
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 3
shrinking dimensions
increasing complexity
HigherDensity
Increase infaults !
New technologies allow deeper and deeper integration
Fault robustness is more and more a top priority concern
safety-critical automotive applications are looking today for next generation solutions and methodologies addressing fault robustness; IEC61508 and in future ISO26262 are more and more popular as reference norms
Systematic
SW HW
Permanent Intermittent
Random
HW
Intermittent TransientPermanent
Kopetz, Mitra
10-7÷ 10-9 FIT/gateTransient (glue logic)
Kopetz, Mitra
10-3÷ 10-5 FIT/regTransient (registers)
ITRS 2006
10-2÷ 10-4 FIT/bitTransient (memories)
Telcordia Pauli, VDI SN29500
≤ 10-5 FIT/gatePermanent
TrendSourcesUnitFault model
FIT = Failure In Time, number of failures in 109 hours
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 4
Modern MCUs:• Complex CPU with big memories and many peripherals• Mix of commodity and safety-critical functions• Complex interconnection scenarios
A comprehensive approach for safety-integrity is needed:• reducing system costs and complexity• saving CPU performance• allowing reuse and flexibility• easing system ‘safety’ engineering• easing system certification
Background (2)
Yogitech faultRobust technology
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 5
fRMethodologyA systematic procedure addressing IEC61508
requirements in the design of VLSI components for
safety-critical applications
fRIPsHW modules implementing ad-hoc diagnostic for basic elements like CPU, MEM,
BUS and Peripherals aimed to reach appropriate
Safety Integrity Level at VLSI component level
The fRMethodology
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 6
• Allowing a safety oriented design exploration at System-on-Chip level (white-box approach)
• Using well established methodologies (FMEA, Fault Injection, etc.) embedded in a standard System-on-Chip design&verification flow
• Computing and validating metrics and parameters required for IEC61508 certification: Safe Failure Fraction, Diagnostic Coverage, Failure Rate and βIC
• TÜV SÜD approved
Certifying with fRMethodology
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 7
A3
A2
A1
generalinformationabout MCUand system
First AuditReport
Certification flow
fRM
etho
dolo
gy
TechnicalReport III
Certification
TechnicalReport I
TechnicalReport II
fRFMEA, fRFIreports, Safety
Plan (II)
fRFMEA, fRFIreports, Safety Plan (III), Safety
Manuals
fRFMEA,MCU module arch., Safety
Plan (I)
Safety Architecture,
SRS, MCU HW Arch, FMEA
SiliconProvider
from OEM, car maker
Tech
nica
l rep
ort
Concept Report
FMEA (high-level)
fRFMEA(qualitative)
fRFMEA(quantitative)
fRFIvalidation
FinalAnalysis
MCU block diagrams
MCU model
MCU RTL, gate,
layout
Workload
Netlist, layout
Develop. Process, testing, production, factory inspection
CertificationBody
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 8
Support fee
TÜV SÜD fee
TÜV SÜD fee
Design Database
Design InformationSafety documentation
Certification
fRMethodology: Business Model
Silicon Provider
The faultRobust IPs
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 9
CPUMemory
Peripheral
Peripheral
fRPERI
fRPERI
.....
Bus
fRCPU
fRMEM
fRBUS
.....
Solution provided according to fRIP set selection
MCUsub-systems
diagnosticinfos
peripherals
busses
memories
CPUs
fRIPs
fRNET
fRPERI
fRBUS
fRMEM
fRCPU
Optimized Tightly Coupled (OTC)
Dual CoreCurrently available for ARM
CortexM3 CPU
Currently available for ARM AHB BusSolutions currently available for SRAM, DRAM, EEPROM, Flash
fRNET
Common features of IPs
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 10
• Architectural + functional diversity– common-cause failures intrinsically reduced– βIC ≤ 25% achieved without additional layout/HW measures
• Functional safety guaranteed for the complete subsystem– Safe Failure Fraction calculated at subsystem level– Self-checking circuitry included in each fRIP
• Delivering detailed diagnostic information, e.g.:– type of error
• load/store fault, register fault, memory bit flip, bus matrix fault– context information
• last instruction executed without errors, address of faulty location, bus slave addressed during the fault, etc…
• All fRIPs delivered certified by TÜV SÜD– each fRIP is delivered with HW/SW Safety Manuals
OTC Dual Core block diagram
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 11
CPU_checker
Compare Unit
CPU (master)CPU
inner and outer cores
Checkers
Alarms to proprietary
diagnostic logic
CPU (slave)
Compare Unit
Dual Core Lock Step (LS)OTC Dual Core
Che
cker
s
Alarms to dedicated diagnostic logic:
fRNET
diagnostic HW
mission HWmission HW
diagnostic HW
fRCPU
Optimized CPU
• OTC dual core’s diagnostic cost is 1/5 if compared with LS dual core’s diagnostic cost
• OTC dual core requires 85% less SW test if compared with LS dual core
Comprehensive approach
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 12
CPU
FLASH
TCM
orC
AC
HES
JTAG
Interf. Ctrl
SRAM
Bus Interf.
InterruptCtrl
Bus Interface
BasicPeriphals
Basic Peripheral Subsystem
Memory Subsystem
CPU Subsystem
Interf. Ctrl
Bus Interface
SystemPeripherals
Generic Subsystem
Bus Interface
CommunicationPeripherals
Communication Subsystem
Bus Interface
Actuator/Sensor Peripherals
Actuator/Sensor Subsystem
Bus Subsystem
Exter.MemInterf. Ctrl
Watchdog
very critical areas
critical areas
attention areas
add fRCPUfor CPU
add fRBUSfor multi-layer bus
add fRMEMfor mainmemory
add fRPERIfor interrupt ctrl
add fRPERIfor timer
add custom fRIPfor customperipheral
add fRMEMfor Flash
add fRMEMfor TCM
YOGITECH fRIP solutions...or other solutions
Step 1applying fRMethodology to identify:
Step 2implementing ad-hoc diagnostics:
assure safety-integrityof core processing
CPU
TCM
/C
ache
Bus Sub-system
Flash SRAM
MemCtrl MemCtrl
IVNSub-system
Sensor/Actuator
Sub-system
BasicPlatformFunctions
BasicPeripheral
Sub-system
fRBUS
fRMEM fRMEM
fRMEMfRCPU
adding HW or SW for application-specific
redundancy
assure safety-integrityof core processing
assure safety-integrityof core processing
CPU
TCM
/C
ache
Bus Sub-system
Flash SRAM
MemCtrl MemCtrl
IVNSub-system
Sensor/Actuator
Sub-system
BasicPlatformFunctions
BasicPeripheral
Sub-system
fRBUS
fRMEM fRMEM
fRMEMfRCPU
adding HW or SW for application-specific
redundancy
MCU safety concept example
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 13
Platform protection approach
ARM968ES
512 kbyte 48 kbyte
32 kbyte
96 kgates
Application indipendentSafety Integrity Level is achieved
independently on the specific application
Application dipendentSafety Integrity Level is achieved with the contribution of specific measures at ECU
level (at HW and/or SW level)
Concept Report obtained from TÜV
SÜD by using
fRMethodology
“...risk level SIL3 in compliance with
IEC61508 is achievable by the
planned safety concept...”
Key advantages areas
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 14
MCU level
ECU level
• Common-cause failures (CFF) intrinsically reduced• Lower gate counts and easier scalability• Lower power consumption• Lower performance impact• Smaller memory footprint• No risk of undetected systematic HW faults
• No need for external supervisor/watchdog• Detailed diagnostic available and lower detection latency• Simplified fail operational functionality• Application SW easier to be certified (few CoU)• Shorter MCU time-to-certification • Reduced cost for MCU certification• Fast product derivation (HW certification reusability)
Comparison is given with reference to Dual Core LS
Conclusions
Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 15
• Systematic methodology addressing IEC61508 requirements, easing safety certification.– TÜV SÜD certified white box approach computing and validating metrics
required for IEC61508
• Achieving robustness reducing HW/SW costs– using optimized HW fault supervisors– distributing the supervisors to the whole MCU
• Guaranteeing compliance with IEC 61508– developed under the supervision of TÜV SÜD– achieving SIL3– Solving βIC (common mode)
• Being scalable and flexible– implementing a portable and reusable architecture
• Adding system-level benefits– increasing availability by enhancing diagnostic capability– freeing CPU performance– allowing system makers to exploit new ideas
• sophisticated safety concepts• next level of component integration