Tech Symposia Functional Safety With Arm Architecture · GPOS / RTOS Safety Certifiable RTOS / GPOS Non-critical partition Infotainment (IVI) ... •Modularized tests executed across

• Neil Stroud• Director, Technology Strategy &

Functional Safety

Functional Safety With Arm Architecture

Tech Symposia

2 © 2018 Arm Limited

Agenda

• Introduction

• Market, applications & Standards

• Arm functional safety headlines

• Safety Ready

• Cortex-A76AE

• STL’s

• Certification

• Summary


Introduction


Functional Safety

“Absence of unreasonable risk due to hazards caused by malfunctions”

• Systems must function correctly– Faults must be detected and controlled– Products must be properly specified and developed accordingly

• Safety critical– Systems relied upon to always function– High risk of hazard and loss of life

• Safety ‘nominal’– Systems that are helpful rather than essential– User can act to avoid hazards if aware of fault


Safety application

Patient-controlled drug delivery

Functional Safety Controls Risks of Hazards

Safety application

Pro

tect

ion

ag

ain

st

Braking system

Systematicfaults

Design errorsSoftware errors

Processes

Randomfaults

Run-time errors

Productsafety features


Types of Fault

▪ Hard errors

▪ Soft errors

▪ Permanent faults

▪ Transient faults

▪ Latent faults

Managed by including features forfault detection and control

▪ Hardware errata

▪ Software bugs

▪ Incorrect specification

▪ Incomplete requirements

▪ Unfulfilled assumptions

Managed through design process, verification and assessment

Random faults Systematic faults


Market, applications and Standards


Markets and Applications

AutomotiveAutonomous driving

IndustrialFactory automation

HealthcareRobotic surgery

TransportationTrain control systems

AvionicsFlight systems

ConsumerDomestic robots


Applicable standards – scaling across verticals

Standards always represent an industry consensus

• Long lead times for standards development (5-10 years)

• Often lagging behind true state-of-the-art

• Objective based or objective and method oriented

Safety Integrity Levels

Low

ASIL ANominalNominalNominal

ASIL B90%60%<10-7 / h

ASIL D99%90%<10-8 / h

ASIL C97%80%<10-7 / h

SPFMLFMFIT

SIL 1 SIL 2 SIL 3IEC 61508

ISO 26262

High


Arm Functional Safety Headlines


Requirements: From IP to system

IP integratore.g. MCU designer

Tier 1 designer Automotive OEMIP supplier

ISO 26262

-1-2-3-4-5-6-7-8-9

Applicable requirementNot applicable requirements

Requirements, assumptions

Supporting documentation (evidence)

ISO 26262

-1-2-3-4-5-6-7-8-9

ISO 26262

-1-2-3-4-5-6-7-8-9

ISO 26262

-1-2-3-4-5-6-7-8-9

© 2

01

8A

rm L

imit

ed

Safety Ready: Safer solutions, faster time to market

Reduces design effort Accelerates deploymentEases certification to ISO26262

Accelerating time to market for the whole automotive supply chain


A head-start on safety

Software tools Systematic

certification to ISO26262

Certified software components

Broadest functional safety IP

Comprehensive safety documentation

Innovative safety features for automotive

applications

Leading features and technologies

Software components and tools

Robust methodologies and certification


Arm functional safety package

• Design and verification process

• Fault detection and control• Verification summary

Safety manual

• Evidence of safety analysis on the Arm IP

• Aids partners with their own SoC level FMEA

• Interworking relationship• Replaces conventional DIA• Ambiguity avoidance

FMEA reportDevelopment Interface Report

© 2

01

8A

rm L

imit

ed

Safety Ready Products


▪ Cache parity / ECC▪ Exception handling▪ MMU▪ RAS features

Cortex-A55 Cortex-A76

Functional Safety throughout Arm CPUs

† availability dependent on processor

Cortex-M3/M4Cortex-M0+

▪ Exception handling▪ MPU▪ SW test library

▪ Cache parity / ECC†

▪ Exception handling▪ MMU

Cortex-AArmv8-A ▪ Dual core lockstep

▪ Exception handling▪ MMU▪ RAS features▪ SW test library

Cortex-A76AEHelios AE

▪ Dual core lockstep†

▪ Exception handling▪ MPU▪ Stack limit check▪ SW test library

Cortex-M33Cortex-M23

▪ TCM ECC interface▪ MBIST interface▪ Dual core lockstep▪ Cache ECC▪ Exception handling▪ MPU

Cortex-M7Cortex-R5

▪ Virtualization▪ Bus protection▪ SW test library▪ System error▪ Bus ECC▪ Error management▪ TCM ECC▪ MBIST interface▪ Dual core lockstep▪ Cache ECC▪ Exception handling▪ Two-stage MPU

Cortex-R52

▪ Interface protection▪ Transient detection▪ SW test library▪ MBIST interface▪ Dual core lockstep▪ Integer lockstep▪ Exception handling▪ MPU

Cortex-M35P

SIL3/ASIL D systematic capabilitySIL2/ASIL B systematic capability SIL3/ASIL D systematic & diagnostic capability


© 2

01

8A

rm L

imit

ed

Cortex-A76AE: World's first autonomous-class processor with integrated safetyGame-changing safety innovations optimized for 7nm

*16 core Cortex-A76AE configuration with CMN-600AE at 7nm

Autonomous-class performance

>250 KDMIPS <30W SoC

<15W Compute Complex *

First application processor with Split-Lock

Developed for automotive use cases

Safety capable to industry standards ISO26262 ASIL D systematic

Best-in-class performance per watt


Autonomous-class compute complex• Automotive Enhanced system IP enabling high integrity safety designs

• Delivers high performance, safe compute complex up to 64 cores & multi-chip

• Scalable mesh network for many-core systems

• Arm V8.2 RAS features

• Memory virtualization and protection to ML / NN accelerators

• ML processing for automotive

• Multiple guest operating systems

CoreLink CMN-600AE

CoreLink GIC-600AE

DynamIQ Shared Unit

Cortex-A76AE

ELA

-60

0

Arm ML Processor

DynamIQ Shared Unit

Cortex-A76AEEL

A-6

00

Automotive Enhanced

CoreLinkMMU-600AE

Co

reSi

ght

SoC

-60

0 D

ebu

g &

Tra

ce

Mali-G76

Autonomous Compute Complex


The system view: bringing it all together

Arm Cortex-A and Cortex-R class CPUs

Safety-certifiable Hypervisor

ASIL B partition

Gateway partition

Safety Certifiable RTOS / GPOSGPOS / RTOS

Non-critical partition

Infotainment (IVI)

Safety Certifiable RTOS / GPOS

Drivers

ASIL B partition

Instrument cluster

Applications

Drivers Drivers

Applications Applications


Why STLs?

• Any safety system relies on multiple error detection mechanisms.• ECC & parity• DCLS

• Software Test Libraries provide another detection mechanism.• Libraries are broken down in to functions that cover specific blocks of

the CPU core to ensure correct behavior• Multiple suppliers across the ecosystem

TimingProtection

DCLS

LBIST

Error management

MBIST

Parity


Software test Libraries

The most optimized STLs for Arm cores with the best-in-class diagnostic coverage

• Common API framework enable

• Reduces safety hardware mitigation requirements

• Delivered pre-certified for production software integration

• Targeting 90% diagnostic coverage*

• Minimized system impact (memory and WCET)

• Modularized tests executed across multiple fault tolerant time intervals (FTTI)

• Use cases across multiple applications

CPU STL

Cortex-R52

Cortex-M0+

Cortex-M3

Cortex-M4

Cortex-M33

Cortex-M23

Cortex-A53


STL Deliverables

• STL Safety Package BOM will look similar to existing HW Safety Package:

• S/W Test Library

• STL Safety Manual

• STL Development Interface Report

• STL FMEDA Report & DFA Report

• STL Documentation (integration manual, user manual, configuration etc.)

• Release notes


Certification


Certification Strategy and Progress

• Certification and assessment are key parts of functional safety

• Arm’s strategy is to independently assess an increasing number of FuSa products

• Provides confidence in our own process

• Reduces certification time and effort down stream

• Cost and project efficiencies for ecosystem

• Close collaboration with multiple independent assessor organizations

• Influencing industry standards


What to Expect Next?

• Continued investment to support adjacent verticals and standards

• Continue to develop and expand STL portfolio

• Solutions: demonstrating the reality of multiple products in a safety system


Summary

• Safety Ready - Excelling in delivery of functional safety capable IP

• Expanding portfolio to include software and beyond

• Commitment to assessment and certification


Thank You

Confidential © Arm 2018 27

Thank You


Thank You


Documents

Tech Symposia Functional Safety With Arm Architecture · GPOS / RTOS Safety Certifiable RTOS / GPOS Non-critical partition Infotainment (IVI) ... •Modularized tests executed across