Upload
vuduong
View
214
Download
2
Embed Size (px)
Citation preview
Implications of microcontroller software and tooling on safety-criticalautomotive systemsKai Konrad (Dipl. Ing. (FH), MBA)Infineon Technologies AGApril 2008
Page 2Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Table of contents
� Functional safety applied to microcontrollers
� Software as a major issue for functional safety
� Functional safety software partitioning
� Functional dependent safety
� Functional independent safety
� Conclusion
Page 3Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Primary causes of system failure -Industry as example
Source: HSE UK report 1999, based on industrial accidents based on 34 incidents
Specification
44,10%
Design
Changes
20,60%
Installation &
Commissioning
5,90%
Design &
Implementation
14,70%
Operation &
Maintenance
14,70%
Over 80% off all failures are caused before any user
touches installations
Only 15% of failures happen during operation
and maintenance
Page 4Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Safety for automotive systems:Inherent risk minimization as major task
� A system is ‘Safe’ if there is a ‘Tolerable Risk’ when it is in operation
� Functional Safety“Part of the overall safety which depends on the correct functioning of safety-related systems for risk reduction. Functional safety is achieved, when every safety function is performed as specified”
Inherent Process RiskTolerable RiskResidual Risk
Increasing Risk
Necessary risk reduction
Actual risk reduction
‘Safe’
Page 5Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Automotive system safety includes:
�Sensors
�Processing
¬ Hardware
¬ Software
�Actuators
�Interconnections
�Energy Supply
Page 6Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Process standardization as key to define functional safety future
� Industrial Standard for functional safety IEC61508 emerging as a guideline for current automotive systems�Defining Safety Integrity Levels (SIL) 1 to 4� Interesting for Automotive are levels up to SIL3
� New Automotive Standard ISO26262 currently under preparation�Will be designed for automotive systems needs�Defining Automotive Safety Integrity Levels ASIL A to D
� Motivation for standardization�Common process over automotive industry� Legal protection�State-Of-The-Art definition�Higher system quality
Page 7Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
IEC61508 - Sil3 (Safety Integrity Level 3)
� SIL3 as SYSTEM safety accreditation standardMeans:
� Probability of dangerous failure < 10-7 per hour of operation
(100 FIT = 100 Failure In Time)
� Possible failure modes leading to a dangerous system state of <1% of total system operational envelope(99% Safe Failure Fraction = SFF)
Requires:
� Detailed system and component fault analysis (FMEA)
� High component quality
� Strict design and integration methodology, documentation, application support
� Example: A person who lives to 80 years old has 701280 hours of life before their ‘dangerous failure’
Equivalent to 0.7ppm SIL 2
Page 8Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
What does IEC 61508 SIL 3 mean when applied to a microcontroller?
�Microcontroller + Safety-Driver + Application Functional Safety Software has to meet:
FPU
TriCore(TC-1M)
PMI
48 kB SPRAM16 kB ICACHE
InterruptSystem
OCDS DebugInterface/
JTAG
ASC0
ASC1
GPTA1
LTCA2
FP
I-B
us I
nte
rfa
ce
16 KB PRAM
PCP2 Core
32 KB PCODE
Inte
rru
pts
MSC0
MSC1
PLLfFPI
fCPUS
yste
m P
eri
phe
ral B
us
Rem
ote
Pe
rip
he
ral B
us
Ports
SCU
SSC1
SSC0
MultiCAN
(4 Nodes)
SBCU
STM
Ext.Trigger/Interr.Block
SPRAM:ICACHE:LDRAMDPRAM:BROM:PFlash:DFlash:
SBRAM:OVRAM:DFSRAM:
PRAM:PCODE:PLMB:
DLMB:RPB:SPB:
DMA
BI0
BI1
SMIF
DMI
56 kB LDRAM8 kB DPRAM
CPS
DMU
Scratch-Pad RAMInstruction cacheLocal data RAMDual-port RAMBoot ROMProgram FlashData Flash (EEPROM Emu.)
Stand-by RAMSRAM with overlay capabilityData Flash shadow RAM
Parameter RAM In PCPCode RAM in PCPProgram Local Memory Bus
Data Local Memory BusRemote Peripheral BusSystem Peripheral Bus
GPTA0
ADC0
ADC1
LFI Bridge
Program Local Memory BusPBCU
Data Local Memory BusDBCU
LMI
DMU
16 KB SBRAM64 KB SRAM
incl. OVRAM &DFSRAM
functionality
PLMB DLMB
RP
B
SP
B
FADC
An
alo
g I
np
ut
As
sig
nm
en
t
RBCU
MLI0
MLI1
MEMCK
64
64
32
32
128 256
EBU
Emulation Memory Interface
PMU
2 MB PFLASH
16 KB EEPROMEmulation
16 KB BROM
Safe Failure Fraction (SFF) > 99%
(Covers > 99% of used silicon!!!)
Probability of failure per hour (PFH) <<10-7
Infineon TriCore® TC1796
State of the Art Microcontroller
Page 9Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Error Case
General
Behavior
Statistical/Transient Error
Short Temporal Duration
Systematic/Static Error
Permanent Nature
Hardware errors in semiconductor as cause of dangerous systems faults
Potential
Causes
ESD
EMI
Radiation
…
ESD, EMI
Electrical / Mechanical
Overstress
Specification Errors
Hardware and Software
Bugs (Common Mode
Errors)
…
Measurement FIT Rate Determination
(e.g. Experimental)
PPM Rate Estimation
(e.g. Field Experience)
Page 10Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Table of contents
� Functional safety applied to microcontrollers
� Software as a major issue for functional safety
� Functional safety software partitioning
� Functional dependent safety
� Functional independent safety
� Conclusion
Page 11Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Software development as critical issue for system safety
� Is it possible to write software without bug’s???
� After initial coding you can expect one bug per 20 lines of code
� After thorough unit testing you can expect 1 bug per 1000 lines of code in the final release� 1 line ~5 bytes, so 1 bug per ~5KB
01001001011001100010000001111001011011110111010100100000011000110110000101101110001000000111001001100101011000010110010000100000011101000110100001101001011100110010000001111001011011110111010100100000011001000110111101101110011101000010000001101110011001010110010101100100001000000110011101101100011000010111001101110011011001010111001100111011001011010010100100001101000010100100100101100110001000000111100101101111011101010010000001100011011000010110111000100000011100100110010101100001011001000010000001110100011010000110100101110011001000000111100101101111011101010010000001100100011011110110111001110100001000000110111001100101011001010110010000100000011001110110110001100001011100110111001101100101011100110011101100101101001010010000110100001010
Application Microcontroller Type Code Size
Steering Angle Sensor 8 Bit 32KB
Low-end Sensor Cluster 16 Bit 128KB
Airbag Controller 16/32 Bit 256KB
EPS Controller 16/32 Bit 512KB
Central Chassis Controller 32 Bit 1.5MB
7 Bugs
Statistics
26 Bugs
52 Bugs
104 Bugs
308 Bugs
Page 12Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Today's automotive software partitioning ascritical issue
Microcontroller (e.g. TriCore®)
AutoSAR* Operating SystemRun-Time EnvironmentDrivers, Communication
Microcontroller Abstraction Layer
Applicatio
n
Task 1
Task 2
….
Applicatio
n 2
Task 1
Task 2
….
Applicatio
n 3
Task 1
Task 2
….
Applicatio
n 4
Task 1
Task 2
….
SafetyCritical Software parts
Safety Driver
Semiconductor Company
Independent Software Company
Independent Software Company
Supplied byTIER1
Supplied by OEM
Independent Software Company
Independent Software Company
Independent Software
Company???
Page 13Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Software compilation flow as critical issue
Mathematic Model
Auto code Generator
C-CodeC-Code C-Code
Compiler
Object Code Object CodeObject Code
Final Target Code
Optimizer
Target Code
Optimizer
Linker
Tool chainOverall Size: Several 100MB
…
Safe ?
??
Page 14Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Additional Safety Driver requirements
�Fault model for testing data and addresses of registers, caches, internal RAM, Flash, CSFRs
�Test for dynamic cross-over of memory cells or registers
�No, wrong or multiple addressing
�Testing of opcode decoding and execution including flag registers
�Test of watchdog, traps, ECC (Parity), …
�Coverage of transient computation faults
�Testing of program counter and stack pointers
�Peripheral configuration and operation
�Detection of Continuous interrupts, Crossover of interrupts, Unused Interrupts
�Task execution monitor for OS and critical tasks
�External ASIC covers common cause failurePower supply, short circuit on chip Temperature of chip EMC System clock
Application independent
requirements for
functional safety in
microcontrollers
Page 15Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Table of contents
� Functional safety applied to microcontrollers
� Software as a major issue for functional safety
� Functional safety software partitioning
� Functional dependent safety
� Functional impendent safety
� Conclusion
Page 16Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Feasible functional safety approach for microcontrollers:
� Functional safety of a microcontroller as part of the system hasto be split into:
�Microcontroller functional dependent safety
¬ Must be considered in the application itself
¬ Key competence of (automotive) ECU supplier
¬ Concept support by semiconductor supplier
�Microcontroller functional independent safety
¬ Must be supported independent from application
¬ Key competence of semiconductor supplier
– Hardware support by microcontrollers
– Supply pre accredited software and concepts to all customers
– Supply maintenance and know how
– Supply scalability over IEC61508
Page 17Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Example: Infineon TriCore® PRO-SIL™ concept
Existing Infineon TriCore® products can fulfill IEC61508 SIL3 requirements
without an additional safety microcontroller or dual core lockstep technology.
� E.g. TriCore TC1796 or TC1766
� Based on asynchronous / asymmetric dual core architecture
TriCore PRO-SIL™ concept for functional dependent safety
� Concept support for redundant or diverse calculation
� Software encapsulation schemes
� Task and OS execution monitoring
TriCore PRO-SIL™ concept for functional independent safety
� Supply accredited safety concepts
� Supply and maintain State-Of-The-Art safety driver
� Written after CMMI standard
� Application, operation system and runtime environment independent
� Customer independent
� Scalable common code set over many OEM and ECU suppliers for
¬ greater quality
¬ Interoperability
¬ legal protection
PRO-SIL™ and PRO-SIL™ logo are property of Infineon Technologies AG
Page 18Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Table of contents
� Functional safety applied to microcontrollers
� Software as a major issue for functional safety
� Functional safety software partitioning
� Functional dependent safety
� Functional independent safety
� Conclusion
Page 19Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Options for safe software development
Safe and Robust Code
Write and certify:- All used Tools
- All application softwareto SIL3 Standards
Use Proven-In-Use or diverse tools,build redundancies and diversity into
application
Page 20Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Requirements for safe computation
Safe and Robust SoftwareComputation
Redundant Calculationof critical software
Diverse Calculationof critical software
Safe and Robust Code
Coverage of Transient Errors
� Caused by e.g. Radiation� PFH for usual microcontroller core
system is not reaching SIL3 requirements (<10^-7)
Coverage of Static Errors
� Caused by soft- and hardware bugs
� Avoid common mode errors from hardware and software bugs
Page 21Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Software development and computation proposals
Every effort must be made to negate the need to qualify softwareand the tooling
� Qualification is expensive, limits configurations, freezes release levels, is difficult or impossible to prove
� Currently there are full tool chains known to fulfill IEC61508 SIL 3 requirements
Fully Diverse
Development
Diverse
(e.g. TriCore + PCP)RedundantDiverseDiverseDiverseDiverse
Add Diverse Code
Generation (e.g. Auto +
Complex Code)
Common (Running
Diverse Code set)RedundantDiverseDiverse DiverseCommon
Use Asymmetric Core
System With Two
Different Tool Chains
Diverse (e.g. TriCore
+ PCP)RedundantDiverseDiverseCommonCommon
Compile Code Twice With
Different Optimization
Levels For diversity
Common (Running
Diverse Code Set)RedundantDiverseDiverseCommonCommon
Calculate Algorithm Twice
For Transient Errors
Redundant (e.g.
Lockstep)RedundantCommonCommonCommonCommon
Calculate Same Algorithm
Twice For Transient
Errors
One Core (Double
Calculation)RedundantCommonCommonCommonCommon
No Failure ConsiderationOne CoreCommonCommonCommonCommonCommon
Method Proposal
Computing
Cores
(Hardware)
Data
/Structure
sLibraries
Compiler
/Linker
Code
Generator
Programming
Model
Static
Error
Detection
Transient
Error
Detection
nono
yesyes
Page 22Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Robust software partitioning as requirement for functional safety
Microcontroller e.g. TriCore with PCP PCP
Safety Software Driver (Functional Independent)
Applicatio
n 4
Task 1
Task 2
….
Functio
nal D
ependent
Safety Critic
al S
oftw
are
*AutoSAR - scalability class 4Memory protection
Time protection
Applicatio
n 1a
Tasks
Applicatio
n 1b
Tasks
Applicatio
n 2 (2
x)
Tasks
AutoSAR* Operating SystemRun-Time EnvironmentDrivers, Communication
Microcontroller Abstraction Layer
Applicatio
n 3
Task 1
Task 2
Unwatched Tasks
Diversity Redundancy
Page 23Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Table of contents
� Functional safety applied to microcontrollers
� Software as a major issue for functional safety
� Functional safety software partitioning
� Functional dependent safety
� Functional independent safety
� Conclusion
Page 24Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Example: TriCore & PCP as asymmetric dual core to support functional independent safety
FPU
TriCore(TC-1M)
PMI
48 kB SPRAM16 kB ICACHE
InterruptSystem
OCDS DebugInterface/
JTAG
ASC0
ASC1
GPTA1
LTCA2
FPI-Bus Inte
rface
16 KB PRAM
PCP2 Core
32 KB PCODEIn
terrupts
MSC0
MSC1
PLLfFPI
fCPUS
yste
m P
eriphera
l Bus
Rem
ote
Periphera
l Bus
Ports
SCU
SSC1
SSC0
MultiCAN
(4 Nodes)
SBCU
STM
Ext.Trigger/Interr.Block
SPRAM:ICACHE:LDRAM
DPRAM:
BROM:PFlash:DFlash:
SBRAM:OVRAM:DFSRAM:
PRAM:PCODE:PLMB:
DLMB:
RPB:SPB:
DMA
BI0
BI1
SMIF
DMI
56 kB LDRAM8 kB DPRAM
CPS
DMU
Scratch-Pad RAMInstruction cacheLocal data RAM
Dual-port RAM
Boot ROMProgram FlashData Flash (EEPROM Emu.)
Stand-by RAMSRAM with overlay capabilityData Flash shadow RAM
Parameter RAM In PCPCode RAM in PCPProgram Local Memory Bus
Data Local Memory Bus
Remote Peripheral BusSystem Peripheral Bus
GPTA0
ADC0
ADC1
LFI Bridge
Program Local Memory BusPBCU
Data Local Memory BusDBCU
LMI
DMU
16 KB SBRAM64 KB SRAM
incl. OVRAM &DFSRAM
functionality
PLMB DLMB
RPB
SPB
FADC
Analo
g Input Assig
nm
ent
RBCU
MLI0
MLI1
MEMCK
64
64
32
32
128 256
EBU
Emulation Memory Interface
PMU
2 MB PFLASH
16 KB EEPROMEmulation
16 KB BROM
Watchdog ASIC
SPIChallenge /
Response
TriCore® TC1796
Service
Page 25Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Safety Driver Solution
PRO-SIL™ safety driver provides a scalable and state of the art solution –supplied by the silicon vendor
� Covering functional independent parts� Supporting functional dependent parts
X FlexRay Monitoring
X CAN Monitoring
X X Peripheral Tests
X Analog Converter Tests
X External Watchdog Tests
X X Internal Watchdog Tests
X X Timer Tests
X X Inter Core Comm. Tests
X X Internal Bus Tests
X Task Execution Timing
X Program Flow Monitoring
X X Opcode Tests
X Interrupt System Tests
SlicesX SRAM Tests
SlicesX Flash Checksum
RuntimeBoot-Time orShutdown
Page 26Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Some PRO-SIL™ safety driver mechanisms
� Op-Code check mechanism� Coverage of 99% of used silicon in TriCore and PCP
� Test running within failure reaction time
� Usage of all TriCore build in safety features
� Task Execution Monitor for functional depended software
� Test Execution Monitor
� Error injection mechanisms� Test The Tester
� Operation and runtime environment independent
� Application independent
FPU
TriCore(TC-1M)
PMI
48 kB SPRAM16 kB ICACHE
InterruptSystem
OCDS DebugInterface/
JTAG
ASC0
ASC1
GPTA1
LTCA2
FP
I-B
us Inte
rfa
ce
16 KB PRAM
PCP2 Core
32 KB PCODE
Inte
rrup
ts
MSC0
MSC1
PLLfFPI
fCPUS
yste
m P
eri
phera
l B
us
Rem
ote
Peri
phera
l B
us
Ports
SCU
SSC1
SSC0
MultiCAN
(4 Nodes)
SBCU
STM
Ext.Trigger/Interr.Block
SPRAM:ICACHE:LDRAM
DPRAM:BROM:PFlash:DFlash:
SBRAM:OVRAM:DFSRAM:
PRAM:PCODE:PLMB:DLMB:RPB:SPB:
DMA
BI0
BI1
SMIF
DMI
56 kB LDRAM8 kB DPRAM
CPS
DMU
Scratch-Pad RAMInstruction cacheLocal data RAM
Dual-port RAMBoot ROMProgram FlashData Flash (EEPROM Emu.)
Stand-by RAMSRAM with overlay capabilityData Flash shadow RAM
Parameter RAM In PCPCode RAM in PCPProgram Local Memory BusData Local Memory BusRemote Peripheral BusSystem Peripheral Bus
GPTA0
ADC0
ADC1
LFI Bridge
Program Local Memory BusPBCU
Data Local Memory BusDBCU
LMI
DMU
16 KB SBRAM64 KB SRAM
incl. OVRAM &DFSRAM
functionality
PLMB DLMB
RP
B
SP
B
FADC
An
alo
g In
pu
t A
ss
ign
me
nt
RBCU
MLI0
MLI1
MEMCK
64
64
32
32
128 256
EBU
Emulation Memory Interface
PMU
2 MB PFLASH
16 KB EEPROMEmulation
16 KB BROM
TriCore® TC1796
Page 27Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Table of contents
� Functional safety applied to microcontrollers
� Software as a major issue for functional safety
� Functional safety software partitioning
� Functional dependent safety
� Functional independent safety
� Conclusion
Page 28Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
Conclusions
� Designing Applications following existing (IEC61508) and new (ISO26262) standards will be THE challenge for safety critical automotive systems
� Process implementation as major effort� Quality requirements to be meet with current systems
� Several safety concepts to fulfill IEC61508 are existing or in preparation
� Software is the major issue for safe systems for all involved partners
� OEM� ECU supplier� Semiconductor vendor
� Requirements to supply safe software do not depend on fully qualified tool chains
� Safe Software can be done with in limits of nowadays existing software development processes
Page 29Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008
References:
� IEC 61508-3 (2006), Functional Safety Of Electrical/Electronic Programmable Electronic Safety Related Systems
� Basic Single Microcontroller Monitoring Concept for Safety Critical Systems. (2007) Schneider, Eberhard, Brewerton. SAE#2007-01-XXXX (07AE-35)
� Implementation of a Basic Single-Monitoring Concept for Safety Critical Systems on a Dual- Core Microcontroller. (2007) Schneider, Eberhard, Brewerton. SAE#2007-01-XXXX (07AE-36)
Page 30Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and
Electrical Systems Forum 2008