Simplifying SIL3 MCU safety architectures in automotive ... · Simplifying SIL3 MCU safety architectures in automotive applications according to IEC61508 norm ... Comparison is given

Simplifying SIL3 MCU safety architectures in automotive applications according to IEC61508 norm

Silvano Motto – CEO YogitechStefano Lorenzini – Design Engineering Manager Yogitech

Automotive Electronics and Electrical Systems Forum 2008, 6th May

Outline

Automotive Electronics and Electrical Systems Forum 2008 / SLIDE 2

• Background• From black to white-box approach: the fRMethodology• The faultRobust IPs• A comprehensive approach• Conclusions

Background (1)


shrinking dimensions

increasing complexity

HigherDensity

Increase infaults !

New technologies allow deeper and deeper integration

Fault robustness is more and more a top priority concern

safety-critical automotive applications are looking today for next generation solutions and methodologies addressing fault robustness; IEC61508 and in future ISO26262 are more and more popular as reference norms

Systematic

SW HW

Permanent Intermittent

Random

HW

Intermittent TransientPermanent

Kopetz, Mitra

10-7÷ 10-9 FIT/gateTransient (glue logic)

Kopetz, Mitra

10-3÷ 10-5 FIT/regTransient (registers)

ITRS 2006

10-2÷ 10-4 FIT/bitTransient (memories)

Telcordia Pauli, VDI SN29500

≤ 10-5 FIT/gatePermanent

TrendSourcesUnitFault model

FIT = Failure In Time, number of failures in 109 hours


Modern MCUs:• Complex CPU with big memories and many peripherals• Mix of commodity and safety-critical functions• Complex interconnection scenarios

A comprehensive approach for safety-integrity is needed:• reducing system costs and complexity• saving CPU performance• allowing reuse and flexibility• easing system ‘safety’ engineering• easing system certification

Background (2)

Yogitech faultRobust technology


fRMethodologyA systematic procedure addressing IEC61508

requirements in the design of VLSI components for

safety-critical applications

fRIPsHW modules implementing ad-hoc diagnostic for basic elements like CPU, MEM,

BUS and Peripherals aimed to reach appropriate

Safety Integrity Level at VLSI component level

The fRMethodology


• Allowing a safety oriented design exploration at System-on-Chip level (white-box approach)

• Using well established methodologies (FMEA, Fault Injection, etc.) embedded in a standard System-on-Chip design&verification flow

• Computing and validating metrics and parameters required for IEC61508 certification: Safe Failure Fraction, Diagnostic Coverage, Failure Rate and βIC

• TÜV SÜD approved

Certifying with fRMethodology


A3

A2

A1

generalinformationabout MCUand system

First AuditReport

Certification flow

fRM

etho

dolo

gy

TechnicalReport III

Certification

TechnicalReport I

TechnicalReport II

fRFMEA, fRFIreports, Safety

Plan (II)

fRFMEA, fRFIreports, Safety Plan (III), Safety

Manuals

fRFMEA,MCU module arch., Safety

Plan (I)

Safety Architecture,

SRS, MCU HW Arch, FMEA

SiliconProvider

from OEM, car maker

Tech

nica

l rep

ort

Concept Report

FMEA (high-level)

fRFMEA(qualitative)

fRFMEA(quantitative)

fRFIvalidation

FinalAnalysis

MCU block diagrams

MCU model

MCU RTL, gate,

layout

Workload

Netlist, layout

Develop. Process, testing, production, factory inspection

CertificationBody


Support fee

TÜV SÜD fee

TÜV SÜD fee

Design Database

Design InformationSafety documentation

Certification

fRMethodology: Business Model

Silicon Provider

The faultRobust IPs


CPUMemory

Peripheral

Peripheral

fRPERI

fRPERI

.....

Bus

fRCPU

fRMEM

fRBUS

.....

Solution provided according to fRIP set selection

MCUsub-systems

diagnosticinfos

peripherals

busses

memories

CPUs

fRIPs

fRNET

fRPERI

fRBUS

fRMEM

fRCPU

Optimized Tightly Coupled (OTC)

Dual CoreCurrently available for ARM

CortexM3 CPU

Currently available for ARM AHB BusSolutions currently available for SRAM, DRAM, EEPROM, Flash

fRNET

Common features of IPs


• Architectural + functional diversity– common-cause failures intrinsically reduced– βIC ≤ 25% achieved without additional layout/HW measures

• Functional safety guaranteed for the complete subsystem– Safe Failure Fraction calculated at subsystem level– Self-checking circuitry included in each fRIP

• Delivering detailed diagnostic information, e.g.:– type of error

• load/store fault, register fault, memory bit flip, bus matrix fault– context information

• last instruction executed without errors, address of faulty location, bus slave addressed during the fault, etc…

• All fRIPs delivered certified by TÜV SÜD– each fRIP is delivered with HW/SW Safety Manuals

OTC Dual Core block diagram


CPU_checker

Compare Unit

CPU (master)CPU

inner and outer cores

Checkers

Alarms to proprietary

diagnostic logic

CPU (slave)

Compare Unit

Dual Core Lock Step (LS)OTC Dual Core

Che

cker

s

Alarms to dedicated diagnostic logic:

fRNET

diagnostic HW

mission HWmission HW

diagnostic HW

fRCPU

Optimized CPU

• OTC dual core’s diagnostic cost is 1/5 if compared with LS dual core’s diagnostic cost

• OTC dual core requires 85% less SW test if compared with LS dual core

Comprehensive approach


CPU

FLASH

TCM

orC

AC

HES

JTAG

Interf. Ctrl

SRAM

Bus Interf.

InterruptCtrl

Bus Interface

BasicPeriphals

Basic Peripheral Subsystem

Memory Subsystem

CPU Subsystem

Interf. Ctrl

Bus Interface

SystemPeripherals

Generic Subsystem

Bus Interface

CommunicationPeripherals

Communication Subsystem

Bus Interface

Actuator/Sensor Peripherals

Actuator/Sensor Subsystem

Bus Subsystem

Exter.MemInterf. Ctrl

Watchdog

very critical areas

critical areas

attention areas

add fRCPUfor CPU

add fRBUSfor multi-layer bus

add fRMEMfor mainmemory

add fRPERIfor interrupt ctrl

add fRPERIfor timer

add custom fRIPfor customperipheral

add fRMEMfor Flash

add fRMEMfor TCM

YOGITECH fRIP solutions...or other solutions

Step 1applying fRMethodology to identify:

Step 2implementing ad-hoc diagnostics:

assure safety-integrityof core processing

CPU

TCM

/C

ache

Bus Sub-system

Flash SRAM

MemCtrl MemCtrl

IVNSub-system

Sensor/Actuator

Sub-system

BasicPlatformFunctions

BasicPeripheral

Sub-system

fRBUS

fRMEM fRMEM

fRMEMfRCPU

adding HW or SW for application-specific

redundancy



CPU

TCM

/C

ache

Bus Sub-system

Flash SRAM

MemCtrl MemCtrl

IVNSub-system

Sensor/Actuator

Sub-system

BasicPlatformFunctions

BasicPeripheral

Sub-system

fRBUS

fRMEM fRMEM

fRMEMfRCPU

adding HW or SW for application-specific

redundancy

MCU safety concept example


Platform protection approach

ARM968ES

512 kbyte 48 kbyte

32 kbyte

96 kgates

Application indipendentSafety Integrity Level is achieved

independently on the specific application

Application dipendentSafety Integrity Level is achieved with the contribution of specific measures at ECU

level (at HW and/or SW level)

Concept Report obtained from TÜV

SÜD by using

fRMethodology

“...risk level SIL3 in compliance with

IEC61508 is achievable by the

planned safety concept...”

Key advantages areas


MCU level

ECU level

• Common-cause failures (CFF) intrinsically reduced• Lower gate counts and easier scalability• Lower power consumption• Lower performance impact• Smaller memory footprint• No risk of undetected systematic HW faults

• No need for external supervisor/watchdog• Detailed diagnostic available and lower detection latency• Simplified fail operational functionality• Application SW easier to be certified (few CoU)• Shorter MCU time-to-certification • Reduced cost for MCU certification• Fast product derivation (HW certification reusability)

Comparison is given with reference to Dual Core LS

Conclusions


• Systematic methodology addressing IEC61508 requirements, easing safety certification.– TÜV SÜD certified white box approach computing and validating metrics

required for IEC61508

• Achieving robustness reducing HW/SW costs– using optimized HW fault supervisors– distributing the supervisors to the whole MCU

• Guaranteeing compliance with IEC 61508– developed under the supervision of TÜV SÜD– achieving SIL3– Solving βIC (common mode)

• Being scalable and flexible– implementing a portable and reusable architecture

• Adding system-level benefits– increasing availability by enhancing diagnostic capability– freeing CPU performance– allowing system makers to exploit new ideas

• sophisticated safety concepts• next level of component integration

Documents

Simplifying SIL3 MCU safety architectures in automotive ... · Simplifying SIL3 MCU safety architectures in automotive applications according to IEC61508 norm ... Comparison is given