Hans Adlkofer, Head of Systems Group Automotive
Software Saxony, April 21st 2009
Software in Automotive Systems
Page 2, 22-Apr-09. Copyright © Infineon Technologies 2008. All rights reserved.
Agenda
Automotive System Trends
Impact on semiconductor
Impact on SW topics e.g. Autosar
IEC61508 & ISO26262
MultiCore
Summary
Key Market Drivers
CO2 Reduction
Pollution Reduction: HC, CO, NOx, PM
Safety
Affordable Car
Efficiency Improvement: Examples of how IFX can support the CO2 reduction
Wind Resistance: $F_w = k \cdot C_x \cdot A \cdot V^2$, i.e. $F_w = K \cdot V^2$
Road Resistance: $F_r = f \cdot g \cdot M$
Climbing Resistance: $F_c = \sin(\alpha) \cdot g \cdot M$
$M \cdot \ddot{X} = F_m + F_c + F_r + F_w$
$M \cdot \ddot{X} = K \cdot \dot{X}^2 + g \cdot (\sin(\alpha) + f) \cdot M + F_m$
Engine: Improved combustion principle e.g. HCCI; Direct injection, Smart turbocharger, Valve Actuation
Engine accessories: Electrical Fuel, Water, Oil Pump; Electrical Cooling fan
Transmission: ECMT, ECAT, CVT, DCT
Hybridization: Stop/start, Mild, Full Hybrid; Recuperative braking
Energy management / efficiency / on demand: AirCon compressor, Speed controlled climate fan; Braking assistance, Electrical Power Steering (EPS); PWM lamp control, LED illumination / lighting; Battery management, Electrical Energy management
Drag Reduction: Air drag, radiator air flaps, spoilers; Rolling resistance, Tire pressure monitoring
Mass Reduction: Wire harness, communication, smart fuses; Integration of functions, centralization
Emerging Applications: Thermal to electric recuperation; Auxiliary electric power unit, Fuel cell, hydrogen
Driver Assistance: Gear switch-point assist; Active cruise control, radar
Traffic Flow: Car-2-car communication; Dynamic traffic light control, GPS road preview
Energy Flow
From Decentralization to Centralization: Global and Coherent Vehicle Control
Braking, Steering, Suspension, Traction
Global Chassis Control
Real Pilot
Driver Assist
Virtual Co-Pilot (Passive, Active): ACC 2nd Gen., Lane Departure, Vision Enhance, Parking Assist, Blind Spot, Navigation, Traffic Info
Guardian Angel (Passive, Active): Airbag, Belt, TPMS, Passenger Detection, Collision Avoidance, Collision Warning, Pedestrian Protection
Risk Management
Expected Revolution of Vehicle Architecture
Convergence of Systems
Improve In-vehicle network with increased bandwidth and higher determinism with backbone.
We cannot have one more ECU every time we add a new function
Increase Car Electrification: High Voltage, High Power
Partitioning by application “Domain”
Partitioning by location
Grouping of functions
2015: Domain architecture connected via backbone
General Architectural Trends and Requirements for Semiconductors
Trend | Application Examples | IC Requirements
X-by-Wire | Mechatronical solutions for shifting, hybrid, steering, braking… | RT capabilities, failsafe electronics
Analog/Digital Tradeoff | Replacement of signal processing and communication from analog to digital | A/D conversion, signal conditioning and processing
Software-enabled functionality | Replacement of dedicated hardware with software algorithms running on µC | Strong microcontroller cores with RT capabilities, broad peripheral set and eFlash
Decentralization to Centralization | µC-enabled global controls | High performance processors with network connectivity
Centralization to Decentralization | Smart sensor, Smart actuators, Dedicated board nets | Broad IP portfolio (sensors, µC, power) HVCMOS, SPTx and advanced packaging
Software-Enabled Functionality, Increased Microcontroller Performance
Software platform, reuse of software modules across application and customers
Migration of functions from hardware to software
Hardware independent Software
Wider use of automatic code generation
Software standardization e.g. Operating system, Drivers with application level interfaces (OSEK, AutoSar, IEC61508, ISO26262…)
Robust, transparent software e.g. encapsulation, software self test
µC family concept with performance increase and easy migration path
Semiconductor Industry provides a 30% to 60% annual performance increase at same cost
Safety integrity level
IEC 61508
ISO 26262
Cost
Durability
Availability
Reliability
Severity
Exposure
Controllability
Safety compliance
*IMS 2006
Dependability: Dependable Power, Dependable Communication & interconnect, Dependable sensing, Dependable actuation, Dependable Computation
TriCore-based SIL3 enabling safety core available
Dual Core
Safing log.
The Outlook Autosar paradigm
The key statements
Hardware and software will be widely independent of each other.
Development processes will be simplified. This reduces development time and costs.
Reuse of software increases at OEM as well as at suppliers. This enhances also quality and efficiency.
Automotive Software will become a product
Automotive Open System Architecture: 3 tangible advantages (Customer's story)
1. Modular Software architecture :
Facilitates the integration of hardware independent SW applications and aids SW modifications/enhancements with minimal intrusion.
2. Autosar description and format exchange methodology:
Exchange formats (templates) to enable a seamless configuration process of the basic software stack and the integration of application software in ECUs
3. RTE Application Interface:
Specification of RTE application interfaces as a standard glue logic between the Basic Software and the application software modules
Automotive Open System Architecture: Modular Software architecture
AUTOSAR: Managing Complexity by Exchangeability and Reuse of Software Components
Autosar methodology: Formal description of HW and SW components
Software development as critical issue for system safety
Is it possible to write software without bugs???
After initial coding you can expect one bug per 20 lines of code
After thorough unit testing you can expect 1 bug per 1000 lines of code in the final release
1 line ~5 bytes, so 1 bug per ~5KB
Application | Microcontroller Type | Code Size | Statistics
Steering Angle Sensor | 8 Bit | 32KB | 7 Bugs
Low-end Sensor Cluster | 16 Bit | 128KB | 26 Bugs
Airbag Controller | 16/32 Bit | 256KB | 52 Bugs
EPS Controller | 16/32 Bit | 512KB | 104 Bugs
Central Chassis Controller | 32 Bit | 1.5MB | 308 Bugs
Today's automotive software partitioning as critical issue
Microcontroller (e.g. TriCore®)
AutoSAR* Operating System, Run-Time Environment, Drivers, Communication
Microcontroller Abstraction Layer
Application: Task 1, Task 2, …
Application 2: Task 1, Task 2, …
Application 3: Task 1, Task 2, …
Application 4: Task 1, Task 2, …
Safety Critical Software parts
Safety Driver
Semiconductor Company
Independent Software Company
Independent Software Company
Supplied by TIER1
Supplied by OEM
Independent Software Company
Independent Software Company
Independent Software Company???
Software compilation flow as critical issue
Mathematic Model
Auto code Generator
C-Code, C-Code, C-Code
Compiler
Object Code, Object Code, Object Code
Final Target Code
Optimizer
Target Code
Optimizer
Linker
Tool chain overall size: Several 100MB…
Safe ???
Additional Safety Driver requirements
Fault model for testing data and addresses of registers, caches, internal RAM, Flash, CSFRs
Test for dynamic cross-over of memory cells or registers
No, wrong or multiple addressing
Testing of opcode decoding and execution including flag registers
Test of watchdog, traps, ECC (Parity), …
Coverage of transient computation faults
Testing of program counter and stack pointers
Peripheral configuration and operation
Detection of Continuous interrupts, Crossover of interrupts, Unused Interrupts
Task execution monitor for OS and critical tasks
External ASIC covers common cause failure: Power supply, short circuit on chip; Temperature of chip; EMC; System clock
Application independent requirements for functional safety in microcontrollers
Safety path
Microcontroller
ECU
network ECUs
Sensors & Actuators
Plant, Environment, Driver, Passengers
Safety monitor Guardian
Safety path
No common cause failures allowed on the safety path
Question Answer
Hardware errors in semiconductor as cause of dangerous systems faults
Error Case | Statistical/Transient Error | Systematic/Static Error
General Behavior | Short Temporal Duration | Permanent Nature
Potential Causes | Load dump, Supply; EMC, EMI; Alpha particle… | EMC, EMI, Temperature; Electrical / Mechanical Overstress; Specification Errors; Hardware and Software Bugs (Common Mode Errors); …
Measurement | FIT Rate Determination (e.g. Experimental) | PPM Rate Estimation (e.g. Field Experience)
What does IEC 61508 SIL 3 mean when applied to a microcontroller?
Microcontroller + Safety-Driver + Application Functional Safety Software has to meet:
Safe Failure Fraction (SFF) > 99% (Covers > 99% of used silicon!!!)
Probability of failure per hour (PFH) << 10^-7
[Block diagram: Infineon TriCore® TC1796, State of the Art Microcontroller. Blocks shown: TriCore (TC-1M) with FPU; PMI (48 kB SPRAM, 16 kB ICACHE); DMI (56 kB LDRAM, 8 kB DPRAM); PCP2 Core (16 KB PRAM, 32 KB PCODE); PMU (2 MB PFLASH, 16 KB EEPROM Emulation, 16 KB BROM); DMU (16 KB SBRAM, 64 KB SRAM incl. OVRAM & DFSRAM functionality); Interrupt System; OCDS Debug Interface/JTAG; DMA; PLL (fFPI, fCPU); SCU; STM; CPS; SMIF; LMI; LFI Bridge; PBCU; DBCU; SBCU; RBCU; EBU; Emulation Memory Interface; FPI-Bus Interface; ASC0, ASC1; SSC0, SSC1; MSC0, MSC1; MLI0, MLI1; MEMCK; MultiCAN (4 Nodes); GPTA0, GPTA1, LTCA2; ADC0, ADC1, FADC; Analog Input Assignment; Ext. Trigger/Interr. Block; Ports.]
Legend: SPRAM: Scratch-Pad RAM; ICACHE: Instruction cache; LDRAM: Local data RAM; DPRAM: Dual-port RAM; BROM: Boot ROM; PFlash: Program Flash; DFlash: Data Flash (EEPROM Emu.); SBRAM: Stand-by RAM; OVRAM: SRAM with overlay capability; DFSRAM: Data Flash shadow RAM; PRAM: Parameter RAM in PCP; PCODE: Code RAM in PCP; PLMB: Program Local Memory Bus; DLMB: Data Local Memory Bus; RPB: Remote Peripheral Bus; SPB: System Peripheral Bus
Requirements for safe computation
Safe and Robust Software Computation
Redundant Calculation of critical software
Diverse Calculation of critical software
Safe and Robust Code
Coverage of Transient Errors
Caused by e.g. Radiation
PFH for usual microcontroller core system is not reaching SIL3 requirements (<10^-7)
Coverage of Static Errors
Caused by soft- and hardware bugs
Avoid common mode errors from hardware and software bugs
Continued Performance & Memory Increase
Performance is the result of multiple elements:
CPU-Specific: Optimized instruction set (µC, µP, DSP, FPU); Conditional instructions; 64 bit SIMD (Single Instruction Multiple Data); Super-scalar; Clock at higher frequency; Use cache & scratch pad for code & data; Fast interrupts arbitration & switch context
Peripheral Functions: DMA; Peripheral control processor
System-Level Interaction: Multithreading; Multicore; Improved bus system, cross-bar, burst; Memory
Evolution of Automotive Microcontrollers
Year | 1990 | 1995 | 2000 | 2005 | 2010 | 2015 | 2020
Controller | 8bit | 16bit | 32bit | 32bit | 32bit | Dual 32bit | Quad 32bit
Frequency (MHz) | 5 | 20 | 40 | 150 | 200 | 250 | 300
DSP | - | - | Yes | Yes | Yes | Yes | Yes
FPU | - | - | - | Yes | Yes | Yes | Yes
Assembly Code | 100% | 60% | 30% | 10% | 5% | 2% | 0%
C-code | 0% | 40% | 70% | 85% | 65% | 68% | 10%
Automatically generated code | 0% | 0% | 0% | 5% | 30% | 30% | 90%
Multicore Architecture types
[Diagram: arrangements of cores (Core A, Core B) and their memories, classified along two axes]
Homogeneity of the Cores: Homogeneous, Heterogeneous
Symmetry of execution: Symmetrical, Asymmetrical
Multicore SW types
Size of SW packets: Coarse grain, Fine grain
Static allocation: A task always runs on the same core; the choice is made at compilation.
Dynamic allocation: A task can run on any core; the choice is made at runtime, as a function of the core load.
Safety with redundancy & diversity
The redundancy could be performed with Homogeneous or Heterogeneous cores
2 cores on different ECUs
2 cores on the same ECU
2 cores on the same package
2 cores on the same die
Dual core in lock step
1 core and 1 smart ASIC
PCB/subs.
Package
Die
Core
ASIC
Homogeneous Heterogeneous
Dualcore architectures
Multicore microcontrollers: Rationales
[Chart: Increase of package price [%] (0 to 400) versus Power dissipation [W] (1 to 3,5); package options shown: Exposed BGA, Heat Slug, Heat Spreader, Thick copper]
SW architecture / SW mapping to dual Core
Split the application for the 2 cores to minimize the dependency between the two parts
Balance the load of the two cores
Balance the code space
Balance the data space
Verify data consistency regarding Cache update
Verify data consistency regarding different Core priority level
Process contention, SW deadlock situation
SW Part 1
SW Part 2
Maximum HW contention < 5%
SW overhead < 10% (application dependent)
SW architecture / SW mapping to dual Core
Two types of approaches: Vertical split, Horizontal split
Vertical split: Hierarchical split; e.g. Application / Drivers (example: Autosar); e.g. Control / DSP
Horizontal split: Sub-Application split; e.g. EMS / TCU; e.g. Control / OBD
[Diagram, shown once per split type: µC Abstraction Layer, ECU Abstraction Layer, OS services + Libraries, Engine Control, Safety Monitoring, OBD Monitoring]
Support to improve multicore intro.
OS (Operating system): One shared OS; One OS per core
Shared Semaphores: Atomic read modify write
Shared Stack or FIFO
Shared Memory
Cache coherency
Signaling
Call or Interrupt: A to B, B to A
Shared Watchdog
[Diagram labels: Vertical, Horizontal; A, B, C]
Summary
The new trends for CO2 reduction and energy efficiency generate radical changes in automotive electronics.
Solutions will go toward higher electrification of cars and, of course, electrification of the powertrain; system complexity will increase.
Autosar, IEC61508 and ISO26262 are enabling this automotive revolution.
New methods, new tools and standards must be implemented to manage this complexity.
Software is the major issue for safe systems for all involved partners: OEM, ECU supplier, Semiconductor vendor
Requirements to supply safe software do not depend on fully qualified tool chains
Safe software can be done within the limits of today's existing software development processes
Thank you for your attention