Implications of microcontroller software and tooling on ... · PDF fileImplications of microcontroller software and tooling on safety-critical ... (FMEA) High component ... Parameter

Implications of microcontroller software and tooling on safety-criticalautomotive systemsKai Konrad (Dipl. Ing. (FH), MBA)Infineon Technologies AGApril 2008

[email protected]

Page 2Copyright © Infineon Technologies 2008. All rights reserved. 28.04.2008Automotive Electronics and

Electrical Systems Forum 2008

Table of contents

� Functional safety applied to microcontrollers

� Software as a major issue for functional safety

� Functional safety software partitioning

� Functional dependent safety

� Functional independent safety

� Conclusion



Primary causes of system failure -Industry as example

Source: HSE UK report 1999, based on industrial accidents based on 34 incidents

Specification

44,10%

Design

Changes

20,60%

Installation &

Commissioning

5,90%

Design &

Implementation

14,70%

Operation &

Maintenance

14,70%

Over 80% off all failures are caused before any user

touches installations

Only 15% of failures happen during operation

and maintenance



Safety for automotive systems:Inherent risk minimization as major task

� A system is ‘Safe’ if there is a ‘Tolerable Risk’ when it is in operation

� Functional Safety“Part of the overall safety which depends on the correct functioning of safety-related systems for risk reduction. Functional safety is achieved, when every safety function is performed as specified”

Inherent Process RiskTolerable RiskResidual Risk

Increasing Risk

Necessary risk reduction

Actual risk reduction

‘Safe’



Automotive system safety includes:

�Sensors

�Processing

¬ Hardware

¬ Software

�Actuators

�Interconnections

�Energy Supply



Process standardization as key to define functional safety future

� Industrial Standard for functional safety IEC61508 emerging as a guideline for current automotive systems�Defining Safety Integrity Levels (SIL) 1 to 4� Interesting for Automotive are levels up to SIL3

� New Automotive Standard ISO26262 currently under preparation�Will be designed for automotive systems needs�Defining Automotive Safety Integrity Levels ASIL A to D

� Motivation for standardization�Common process over automotive industry� Legal protection�State-Of-The-Art definition�Higher system quality



IEC61508 - Sil3 (Safety Integrity Level 3)

� SIL3 as SYSTEM safety accreditation standardMeans:

� Probability of dangerous failure < 10-7 per hour of operation

(100 FIT = 100 Failure In Time)

� Possible failure modes leading to a dangerous system state of <1% of total system operational envelope(99% Safe Failure Fraction = SFF)

Requires:

� Detailed system and component fault analysis (FMEA)

� High component quality

� Strict design and integration methodology, documentation, application support

� Example: A person who lives to 80 years old has 701280 hours of life before their ‘dangerous failure’

Equivalent to 0.7ppm SIL 2



What does IEC 61508 SIL 3 mean when applied to a microcontroller?

�Microcontroller + Safety-Driver + Application Functional Safety Software has to meet:

FPU

TriCore(TC-1M)

PMI

48 kB SPRAM16 kB ICACHE

InterruptSystem

OCDS DebugInterface/

JTAG

ASC0

ASC1

GPTA1

LTCA2

FP

I-B

us I

nte

rfa

ce

16 KB PRAM

PCP2 Core

32 KB PCODE

Inte

rru

pts

MSC0

MSC1

PLLfFPI

fCPUS

yste

m P

eri

phe

ral B

us

Rem

ote

Pe

rip

he

ral B

us

Ports

SCU

SSC1

SSC0

MultiCAN

(4 Nodes)

SBCU

STM

Ext.Trigger/Interr.Block

SPRAM:ICACHE:LDRAMDPRAM:BROM:PFlash:DFlash:

SBRAM:OVRAM:DFSRAM:

PRAM:PCODE:PLMB:

DLMB:RPB:SPB:

DMA

BI0

BI1

SMIF

DMI

56 kB LDRAM8 kB DPRAM

CPS

DMU

Scratch-Pad RAMInstruction cacheLocal data RAMDual-port RAMBoot ROMProgram FlashData Flash (EEPROM Emu.)

Stand-by RAMSRAM with overlay capabilityData Flash shadow RAM

Parameter RAM In PCPCode RAM in PCPProgram Local Memory Bus

Data Local Memory BusRemote Peripheral BusSystem Peripheral Bus

GPTA0

ADC0

ADC1

LFI Bridge

Program Local Memory BusPBCU

Data Local Memory BusDBCU

LMI

DMU

16 KB SBRAM64 KB SRAM

incl. OVRAM &DFSRAM

functionality

PLMB DLMB

RP

B

SP

B

FADC

An

alo

g I

np

ut

As

sig

nm

en

t

RBCU

MLI0

MLI1

MEMCK

64

64

32

32

128 256

EBU

Emulation Memory Interface

PMU

2 MB PFLASH

16 KB EEPROMEmulation

16 KB BROM

Safe Failure Fraction (SFF) > 99%

(Covers > 99% of used silicon!!!)

Probability of failure per hour (PFH) <<10-7

Infineon TriCore® TC1796

State of the Art Microcontroller



Error Case

General

Behavior

Statistical/Transient Error

Short Temporal Duration

Systematic/Static Error

Permanent Nature

Hardware errors in semiconductor as cause of dangerous systems faults

Potential

Causes

ESD

EMI

Radiation

…

ESD, EMI

Electrical / Mechanical

Overstress

Specification Errors

Hardware and Software

Bugs (Common Mode

Errors)

…

Measurement FIT Rate Determination

(e.g. Experimental)

PPM Rate Estimation

(e.g. Field Experience)



Table of contents






� Conclusion



Software development as critical issue for system safety

� Is it possible to write software without bug’s???

� After initial coding you can expect one bug per 20 lines of code

� After thorough unit testing you can expect 1 bug per 1000 lines of code in the final release� 1 line ~5 bytes, so 1 bug per ~5KB

01001001011001100010000001111001011011110111010100100000011000110110000101101110001000000111001001100101011000010110010000100000011101000110100001101001011100110010000001111001011011110111010100100000011001000110111101101110011101000010000001101110011001010110010101100100001000000110011101101100011000010111001101110011011001010111001100111011001011010010100100001101000010100100100101100110001000000111100101101111011101010010000001100011011000010110111000100000011100100110010101100001011001000010000001110100011010000110100101110011001000000111100101101111011101010010000001100100011011110110111001110100001000000110111001100101011001010110010000100000011001110110110001100001011100110111001101100101011100110011101100101101001010010000110100001010

Application Microcontroller Type Code Size

Steering Angle Sensor 8 Bit 32KB

Low-end Sensor Cluster 16 Bit 128KB

Airbag Controller 16/32 Bit 256KB

EPS Controller 16/32 Bit 512KB

Central Chassis Controller 32 Bit 1.5MB

7 Bugs

Statistics

26 Bugs

52 Bugs

104 Bugs

308 Bugs



Today's automotive software partitioning ascritical issue

Microcontroller (e.g. TriCore®)

AutoSAR* Operating SystemRun-Time EnvironmentDrivers, Communication

Microcontroller Abstraction Layer

Applicatio

n

Task 1

Task 2

….

Applicatio

n 2

Task 1

Task 2

….

Applicatio

n 3

Task 1

Task 2

….

Applicatio

n 4

Task 1

Task 2

….

SafetyCritical Software parts

Safety Driver

Semiconductor Company

Independent Software Company


Supplied byTIER1

Supplied by OEM



Independent Software

Company???



Software compilation flow as critical issue

Mathematic Model

Auto code Generator

C-CodeC-Code C-Code

Compiler

Object Code Object CodeObject Code

Final Target Code

Optimizer

Target Code

Optimizer

Linker

Tool chainOverall Size: Several 100MB

…

Safe ?

??



Additional Safety Driver requirements

�Fault model for testing data and addresses of registers, caches, internal RAM, Flash, CSFRs

�Test for dynamic cross-over of memory cells or registers

�No, wrong or multiple addressing

�Testing of opcode decoding and execution including flag registers

�Test of watchdog, traps, ECC (Parity), …

�Coverage of transient computation faults

�Testing of program counter and stack pointers

�Peripheral configuration and operation

�Detection of Continuous interrupts, Crossover of interrupts, Unused Interrupts

�Task execution monitor for OS and critical tasks

�External ASIC covers common cause failurePower supply, short circuit on chip Temperature of chip EMC System clock

Application independent

requirements for

functional safety in

microcontrollers



Table of contents





� Functional impendent safety

� Conclusion



Feasible functional safety approach for microcontrollers:

� Functional safety of a microcontroller as part of the system hasto be split into:

�Microcontroller functional dependent safety

¬ Must be considered in the application itself

¬ Key competence of (automotive) ECU supplier

¬ Concept support by semiconductor supplier

�Microcontroller functional independent safety

¬ Must be supported independent from application

¬ Key competence of semiconductor supplier

– Hardware support by microcontrollers

– Supply pre accredited software and concepts to all customers

– Supply maintenance and know how

– Supply scalability over IEC61508



Example: Infineon TriCore® PRO-SIL™ concept

Existing Infineon TriCore® products can fulfill IEC61508 SIL3 requirements

without an additional safety microcontroller or dual core lockstep technology.

� E.g. TriCore TC1796 or TC1766

� Based on asynchronous / asymmetric dual core architecture

TriCore PRO-SIL™ concept for functional dependent safety

� Concept support for redundant or diverse calculation

� Software encapsulation schemes

� Task and OS execution monitoring

TriCore PRO-SIL™ concept for functional independent safety

� Supply accredited safety concepts

� Supply and maintain State-Of-The-Art safety driver

� Written after CMMI standard

� Application, operation system and runtime environment independent

� Customer independent

� Scalable common code set over many OEM and ECU suppliers for

¬ greater quality

¬ Interoperability

¬ legal protection

PRO-SIL™ and PRO-SIL™ logo are property of Infineon Technologies AG



Table of contents






� Conclusion



Options for safe software development

Safe and Robust Code

Write and certify:- All used Tools

- All application softwareto SIL3 Standards

Use Proven-In-Use or diverse tools,build redundancies and diversity into

application



Requirements for safe computation

Safe and Robust SoftwareComputation

Redundant Calculationof critical software

Diverse Calculationof critical software

Safe and Robust Code

Coverage of Transient Errors

� Caused by e.g. Radiation� PFH for usual microcontroller core

system is not reaching SIL3 requirements (<10^-7)

Coverage of Static Errors

� Caused by soft- and hardware bugs

� Avoid common mode errors from hardware and software bugs



Software development and computation proposals

Every effort must be made to negate the need to qualify softwareand the tooling

� Qualification is expensive, limits configurations, freezes release levels, is difficult or impossible to prove

� Currently there are full tool chains known to fulfill IEC61508 SIL 3 requirements

Fully Diverse

Development

Diverse

(e.g. TriCore + PCP)RedundantDiverseDiverseDiverseDiverse

Add Diverse Code

Generation (e.g. Auto +

Complex Code)

Common (Running

Diverse Code set)RedundantDiverseDiverse DiverseCommon

Use Asymmetric Core

System With Two

Different Tool Chains

Diverse (e.g. TriCore

+ PCP)RedundantDiverseDiverseCommonCommon

Compile Code Twice With

Different Optimization

Levels For diversity

Common (Running

Diverse Code Set)RedundantDiverseDiverseCommonCommon

Calculate Algorithm Twice

For Transient Errors

Redundant (e.g.

Lockstep)RedundantCommonCommonCommonCommon

Calculate Same Algorithm

Twice For Transient

Errors

One Core (Double

Calculation)RedundantCommonCommonCommonCommon

No Failure ConsiderationOne CoreCommonCommonCommonCommonCommon

Method Proposal

Computing

Cores

(Hardware)

Data

/Structure

sLibraries

Compiler

/Linker

Code

Generator

Programming

Model

Static

Error

Detection

Transient

Error

Detection

nono

yesyes



Robust software partitioning as requirement for functional safety

Microcontroller e.g. TriCore with PCP PCP

Safety Software Driver (Functional Independent)

Applicatio

n 4

Task 1

Task 2

….

Functio

nal D

ependent

Safety Critic

al S

oftw

are

*AutoSAR - scalability class 4Memory protection

Time protection

Applicatio

n 1a

Tasks

Applicatio

n 1b

Tasks

Applicatio

n 2 (2

x)

Tasks

AutoSAR* Operating SystemRun-Time EnvironmentDrivers, Communication

Microcontroller Abstraction Layer

Applicatio

n 3

Task 1

Task 2

Unwatched Tasks

Diversity Redundancy



Table of contents






� Conclusion



Example: TriCore & PCP as asymmetric dual core to support functional independent safety

FPU

TriCore(TC-1M)

PMI


InterruptSystem


JTAG

ASC0

ASC1

GPTA1

LTCA2

FPI-Bus Inte

rface

16 KB PRAM

PCP2 Core

32 KB PCODEIn

terrupts

MSC0

MSC1

PLLfFPI

fCPUS

yste

m P

eriphera

l Bus

Rem

ote

Periphera

l Bus

Ports

SCU

SSC1

SSC0

MultiCAN

(4 Nodes)

SBCU

STM


SPRAM:ICACHE:LDRAM

DPRAM:

BROM:PFlash:DFlash:

SBRAM:OVRAM:DFSRAM:

PRAM:PCODE:PLMB:

DLMB:

RPB:SPB:

DMA

BI0

BI1

SMIF

DMI


CPS

DMU

Scratch-Pad RAMInstruction cacheLocal data RAM

Dual-port RAM

Boot ROMProgram FlashData Flash (EEPROM Emu.)


Parameter RAM In PCPCode RAM in PCPProgram Local Memory Bus

Data Local Memory Bus

Remote Peripheral BusSystem Peripheral Bus

GPTA0

ADC0

ADC1

LFI Bridge



LMI

DMU


incl. OVRAM &DFSRAM

functionality

PLMB DLMB

RPB

SPB

FADC

Analo

g Input Assig

nm

ent

RBCU

MLI0

MLI1

MEMCK

64

64

32

32

128 256

EBU


PMU

2 MB PFLASH


16 KB BROM

Watchdog ASIC

SPIChallenge /

Response

TriCore® TC1796

Service



Safety Driver Solution

PRO-SIL™ safety driver provides a scalable and state of the art solution –supplied by the silicon vendor

� Covering functional independent parts� Supporting functional dependent parts

X FlexRay Monitoring

X CAN Monitoring

X X Peripheral Tests

X Analog Converter Tests

X External Watchdog Tests

X X Internal Watchdog Tests

X X Timer Tests

X X Inter Core Comm. Tests

X X Internal Bus Tests

X Task Execution Timing

X Program Flow Monitoring

X X Opcode Tests

X Interrupt System Tests

SlicesX SRAM Tests

SlicesX Flash Checksum

RuntimeBoot-Time orShutdown



Some PRO-SIL™ safety driver mechanisms

� Op-Code check mechanism� Coverage of 99% of used silicon in TriCore and PCP

� Test running within failure reaction time

� Usage of all TriCore build in safety features

� Task Execution Monitor for functional depended software

� Test Execution Monitor

� Error injection mechanisms� Test The Tester

� Operation and runtime environment independent

� Application independent

FPU

TriCore(TC-1M)

PMI


InterruptSystem


JTAG

ASC0

ASC1

GPTA1

LTCA2

FP

I-B

us Inte

rfa

ce

16 KB PRAM

PCP2 Core

32 KB PCODE

Inte

rrup

ts

MSC0

MSC1

PLLfFPI

fCPUS

yste

m P

eri

phera

l B

us

Rem

ote

Peri

phera

l B

us

Ports

SCU

SSC1

SSC0

MultiCAN

(4 Nodes)

SBCU

STM


SPRAM:ICACHE:LDRAM

DPRAM:BROM:PFlash:DFlash:

SBRAM:OVRAM:DFSRAM:

PRAM:PCODE:PLMB:DLMB:RPB:SPB:

DMA

BI0

BI1

SMIF

DMI


CPS

DMU

Scratch-Pad RAMInstruction cacheLocal data RAM

Dual-port RAMBoot ROMProgram FlashData Flash (EEPROM Emu.)


Parameter RAM In PCPCode RAM in PCPProgram Local Memory BusData Local Memory BusRemote Peripheral BusSystem Peripheral Bus

GPTA0

ADC0

ADC1

LFI Bridge



LMI

DMU


incl. OVRAM &DFSRAM

functionality

PLMB DLMB

RP

B

SP

B

FADC

An

alo

g In

pu

t A

ss

ign

me

nt

RBCU

MLI0

MLI1

MEMCK

64

64

32

32

128 256

EBU


PMU

2 MB PFLASH


16 KB BROM

TriCore® TC1796



Table of contents






� Conclusion



Conclusions

� Designing Applications following existing (IEC61508) and new (ISO26262) standards will be THE challenge for safety critical automotive systems

� Process implementation as major effort� Quality requirements to be meet with current systems

� Several safety concepts to fulfill IEC61508 are existing or in preparation

� Software is the major issue for safe systems for all involved partners

� OEM� ECU supplier� Semiconductor vendor

� Requirements to supply safe software do not depend on fully qualified tool chains

� Safe Software can be done with in limits of nowadays existing software development processes



References:

� IEC 61508-3 (2006), Functional Safety Of Electrical/Electronic Programmable Electronic Safety Related Systems

� Basic Single Microcontroller Monitoring Concept for Safety Critical Systems. (2007) Schneider, Eberhard, Brewerton. SAE#2007-01-XXXX (07AE-35)

� Implementation of a Basic Single-Monitoring Concept for Safety Critical Systems on a Dual- Core Microcontroller. (2007) Schneider, Eberhard, Brewerton. SAE#2007-01-XXXX (07AE-36)



Documents

Implications of microcontroller software and tooling on ... · PDF fileImplications of microcontroller software and tooling on safety-critical ... (FMEA) High component ... Parameter