Post on 27-Dec-2021
Safety with Embedded Multicores
Glenn Farrall, Microcontrollers, Infineon UK
2014-09-23
24/09/2014 Page 2 Copyright © Infineon Technologies 2014. All rights reserved.
Agenda
Automotive ECUs
Automotive Trends
AURIX™ MultiCore
Automobiles are no longer a composition of mechanical systems.
In 2008: 10,000,000 lines of code on average in premium vehicles.
Software is responsible for up to 80% of the innovation in premium vehicles.
30% to 40% of the added value in the automotive industry is based on software.
The software runs on variously sized ‘Electronic Control Units’ (ECUs): a mixture of 8-bit (still!), 16-bit and 32-bit ECUs.
Increasing electronic functionality => increasing number of ECUs
2005: 43 ECUs in a Passat
2010: ‘more than 70 ECUs…’
Many issues with this growth
Total power now a CO2 concern
Running out of room to fit them
Hence higher-performance uCs are a requirement,
both for increasing functionality and value, and for fewer ECUs.
“There simply is no more room or mass allowance to package additional ECUs; up-integration is a must.”
Robert Rimkus, General Motors, 2013 AUTOSAR Conference
Agenda
Automotive ECUs
Automotive Trends
MultiCore
AUTOSAR
ISO26262
AURIX MultiCore
[Chart: Effective MHz (0 to 600) vs availability year (2002 to 2014) of high-end automotive uControllers: TC1775, TC1796, TC1797, TC1793, TC277 Triple Core]
MultiCore for Automotive Performance
Clearly a need for more performance in automotive
Why multicore and not higher-performance uniprocessors (300MHz -> 600MHz)?
Power limitations and memory issues similar to other industries, just occurring at a lower performance level
Passive cooling for reliability + cost; Higher leakage issue (under bonnet 150°C or higher); Avoiding expensive packaging (ceramic, heat spreaders, etc.)
eFLASH – capacity scaling with technology nodes, but not latency
Complicated memory hierarchies are anathema to Hard Real Time
Multiprocessors with 2-3 cores at 200 and 300MHz are now common offerings.
AUTOSAR
AUTomotive Open System Architecture; goals include
Definition of a modular software architecture for automotive ECUs
Consideration of HW dependent and HW independent SW modules
Integration of SW modules provided by different suppliers to increase the functional reuse
To aid legacy porting, AUTOSAR does not mandate a protected operating system; instead it defines scalability classes:
SC1: deterministic RTOS baseline
SC2: protected timing
SC3: protected memory (MMU/MPU)
SC4: protected timing and memory
AUTOSAR Releases
[Figure: AUTOSAR release timeline, © 2013 AUTOSAR]
ISO 26262 Automotive Functional Safety Standard
Adapted from generic IEC 61508 for Electrical/Electronic safety systems
Published in 2011
Takes into account
automotive life cycle
automotive environment, driver controllability, etc.
Specifies Automotive Safety Integrity Levels
low ASIL-A to high ASIL-D, plus QM (no safety requirement)
Application domains (figure):
  Active Safety: Power Steering, Central Chassis, Suspension, Braking
  Passive Safety: Airbag, Restraint
  Driver Assistant
ISO 26262 System Development
“A quantitative analysis of the hardware architecture with respect to the single-point, residual and dual-point faults shall provide evidence that target values … have been achieved”
i.e. for ASIL-D: show that, given the technology fault rate, the system does not produce a failure rate > 10^-8 per hour.
Development rigour for both SW and HW is specified
Assumption that SW developed to the required level is then ‘fault free’
Running ASIL code of different levels (+QM) on the same ECU is possible provided it can be shown there is ‘freedom from interference’
Hardware will have fault rates that must be managed down to a lower failure rate.
Agenda
Automotive ECUs
Automotive Trends
AURIX MultiCore
Introduction
ISO26262 support
Customer experience
24/09/2014 Page 14 Copyright © Infineon Technologies 2014. All rights reserved.
AURIX Generation Architecture
TriCore Introduction
Most widely distributed microcontroller you’ve probably never heard of
In approximately 50% of all automobiles produced this year
32-bit architecture with a focus on hard real time
Combines RISC and DSP support for C and DSP native data types.
Application areas
Automotive powertrain
Stability control systems
EVehicle: charging, BMS etc.
Industrial control
AURIX TC277T High Level Overview
Automotive specialised peripherals (CAN, FlexRay, LIN, SENT, PSI, etc.) on a low-speed 32-bit bus
Embedded Flash for code and EEPROM emulation.
No external memory required.
Cores and Memory on full frequency 64-bit crossbar
AURIX Family Safety Features
  A: Lockstep core(s)
Soft Errors and ISO26262
Alpha and other particles will induce soft errors in most Si-based processes.
SER (Soft Error Rate) is high enough to violate the ASIL-D failure rate without mitigation.
Multiple approaches possible:
  Time Separation: ~double execution time; safety on demand
  LockStep’d Logic: no execution increase; simplest quantitative safety argument
  Spatial Separation: some execution time increase
AURIX Family Safety Features
  A: Lockstep core(s)
  B: SRAM ECC (w. SECDED+)
  C: Flash ECC (w. DECTED+)
  D: SRI Transport Checked
  E: Safe DMA
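As an added illustration of the SRAM ECC mechanism listed above (item B), and not code from Infineon or the AURIX ECC implementation, the following C example implements a textbook Hamming SECDED code for an 8-bit data word: a single flipped bit is corrected, two flipped bits are detected as uncorrectable. The 13-bit layout and the secded_* names are assumptions of this example; the page does not describe the AURIX "SECDED+" scheme itself.

```c
#include <stdint.h>

typedef enum { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 } ecc_status;

/* Assumed 13-bit codeword layout (textbook Hamming + overall parity): bit 0 = overall
   parity, bits 1,2,4,8 = Hamming check bits, positions 3,5,6,7,9,10,11,12 = data bits. */
static int is_check_pos(int pos) { return (pos & (pos - 1)) == 0; }

uint16_t secded_encode(uint8_t data)
{
    uint16_t cw = 0;
    for (int pos = 1, d = 0; pos <= 12; pos++)       /* place the 8 data bits */
        if (!is_check_pos(pos) && ((data >> d++) & 1))
            cw |= (uint16_t)(1u << pos);
    for (int p = 1; p <= 8; p <<= 1)                 /* check bit p covers every */
        for (int pos = 1; pos <= 12; pos++)          /* position with bit p set */
            if ((pos & p) && ((cw >> pos) & 1))
                cw ^= (uint16_t)(1u << p);
    for (int pos = 1; pos <= 12; pos++)              /* overall parity into bit 0 */
        cw ^= (uint16_t)((cw >> pos) & 1);
    return cw;
}

/* Decode into *data. An odd number of flips gives odd overall parity and a syndrome
   naming the flipped position (0 = the parity bit itself); two flips give even
   parity with a non-zero syndrome, which SECDED can report but not repair. */
ecc_status secded_decode(uint16_t cw, uint8_t *data)
{
    int syndrome = 0, parity = 0;
    for (int pos = 0; pos <= 12; pos++)
        if ((cw >> pos) & 1) { syndrome ^= pos; parity ^= 1; }
    ecc_status st = ECC_OK;
    if (parity) { cw ^= (uint16_t)(1u << syndrome); st = ECC_CORRECTED; }
    else if (syndrome) return ECC_UNCORRECTABLE;
    uint8_t d = 0; int i = 0;
    for (int pos = 1; pos <= 12; pos++)              /* gather the data bits */
        if (!is_check_pos(pos)) d |= (uint8_t)(((cw >> pos) & 1) << i++);
    *data = d;
    return st;
}

/* Test hook: flip the bits in err_mask on the stored codeword of `data` (a
   constructed soft-error pattern), decode, and return the status; -1 means the
   decoder claimed success or correction but delivered the wrong data. */
int secded_inject(uint8_t data, uint16_t err_mask)
{
    uint8_t out = 0;
    ecc_status st = secded_decode(secded_encode(data) ^ err_mask, &out);
    return (st != ECC_UNCORRECTABLE && out != data) ? -1 : (int)st;
}
```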
AURIX Family Safety Features
  A: Lockstep core(s)
  B: SRAM ECC (w. SECDED+)
  C: Flash ECC (w. DECTED+)
  D: SRI Transport Checked
  E: Safe DMA
  F: Redundant, spatially separated peripherals
  G: Bus Protection for Memory
  H: Bus Protection for Peripherals
  I: Safe Interrupt Processing
  J: Clock Monitoring
AUTOSAR + Safety Critical Challenges
AUTOSAR scalability classes provided through
Core MPU
Temporal protection system (cannot be turned off like interrupts).
ISO26262 Freedom from interference (spatial) is provided through bus protection mechanisms which can be viewed as a system MPU
Distinct from the Core MPU, which could always be incorrectly set up by QM software
The system MPU can be set up once and then locked down by the highest-ASIL software developed for the ECU.
ISO26262 Temporal Interference
Temporal isolation is more difficult with implicit sharing of a resource,
i.e. multiple cores accessing an interconnect, a memory or a memory controller.
The AURIX design (crossbar for the compute cluster) allows allocation of cores to memories without sharing
- requires judicious placement and non-shared libraries.
The only resource not timing-isolated is the peripheral bus:
- strict priority arbitration is possible to bound access for safety-critical code;
- this allows only a small timing interference effect.
Customer migration experience
Continental Engine System Software was ported to AURIX multicore (see references) with an AUTOSAR-like RTOS:
around 700,000 lines of code and 20,000 variables;
training of ~1000 programmers to be multicore aware (not only development but maintenance etc.);
an exhaustive identification of the use cases of shared variables (around 150,000 data access points),
e.g. RPM used in more than 300 different modules;
creation of their own tooling to automate buffering of shared variables depending on the allocation of code to the same or different cores;
use of commercial tooling to optimise placement vs performance vs data footprint.
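The shared-variable buffering described in the migration above, as an added C sketch that is not Continental's tooling or code: a hypothetical module-to-core allocation table decides per access whether a module on the producer's core reads the variable directly or, on another core, reads a copy taken at task start, and a short scenario shows the observable difference. The module names, the allocation and the rpm variable are constructed for this example.

```c
#include <stdint.h>

/* Hypothetical static allocation of software modules to two cores (constructed). */
enum { CORE0 = 0, CORE1 = 1, NUM_CORES = 2 };
enum { MOD_ENGINE_SPEED = 0, MOD_INJECTION = 1, MOD_DASHBOARD = 2 };
static const int module_core[] = { CORE0, CORE0, CORE1 };

/* Shared variable owned (written) by MOD_ENGINE_SPEED on CORE0. A 16-bit access is
   a single bus transfer on a 32-bit core, so the copy below cannot tear. */
static volatile uint16_t rpm;

/* Per-core copy-in buffer: refreshed once when a task starts on a consuming core,
   so every module of that task sees one stable value, which is what the legacy
   single-core code implicitly assumed. */
static uint16_t rpm_buffer[NUM_CORES];

void engine_speed_set(uint16_t value) { rpm = value; }   /* producer, on CORE0 */

void task_start(int core) { rpm_buffer[core] = rpm; }    /* copy-in at task start */

/* Resolve a read from `module` the way a buffering tool would generate it:
   same core as the producer -> direct access; other core -> the buffered copy. */
uint16_t rpm_read(int module)
{
    int core = module_core[module];
    return (core == module_core[MOD_ENGINE_SPEED]) ? rpm : rpm_buffer[core];
}

/* Scenario: returns 1 when the CORE1 task keeps its snapshot although the
   producer already published a newer value that CORE0 modules see directly,
   and the next CORE1 task activation picks up the new value. */
int buffering_scenario(void)
{
    engine_speed_set(1000);
    task_start(CORE1);          /* CORE1 task snapshot: rpm == 1000 */
    engine_speed_set(2000);     /* producer updates while the CORE1 task runs */
    int stable = (rpm_read(MOD_DASHBOARD) == 1000);
    int direct = (rpm_read(MOD_INJECTION) == 2000);
    task_start(CORE1);          /* next activation refreshes the buffer */
    return stable && direct && rpm_read(MOD_DASHBOARD) == 2000;
}
```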
Copyright © Continental.
Thank you for your attention
References
A. Rausch et al., "Managed and Continuous Evolution of Dependable Automotive Software Systems", 2014 Symposium of Automotive Powertrain Control Systems.
D. Claraz, F. Grimal, T. Leydier, R. Mader, G. Wirrer, "Introducing Multi-Core at Automotive Engine Systems", ERTS 2014.
R. Mader, "EMS3 PowerSAR® Platform - A Multi Core Software Implementation for Powertrain Applications based on AUTOSAR", 2014 Symposium of Automotive Powertrain Control Systems.
ISO 26262, "Road vehicles — Functional safety", International Standard.
P. Radojković et al., "On the Evaluation of the Impact of Shared Resources in Multithreaded COTS Processors in Time-Critical Environments", ACM Transactions on Architecture and Code Optimization, Vol. 8, No. 4, 2011.