AURIX After-Lunch-Seminar Performance meets Safety. Safety & Security with professional Software-Components. Björn Assmann (Hitex GmbH)

Transcription

1 Building a safe and secure embedded world AURIX After-Lunch-Seminar Performance meets Safety Safety & Security with professional Software-Components Björn Assmann (Hitex GmbH)

2 Agenda 14:00 Begrüßung und Einführung 14:15 AURIX TM Family Überblick (EBV) 14:35 Performance meets Safety mit AURIX Mikrocontrollern (Infineon) 15:30 Mit neuen Werkzeugen sicher ans Ziel (Tasking) 16:10 Kaffeepause 16:30 Modellbasierte Entwicklung mit AURIX (Hitex) 16:50 Safety & Security mit professionellen Software-Komponenten (Hitex) 17:35 PDH* Angebot am Beispiel erfolgreicher Kundenprojekte (Hitex) 18:00 Abschluss mit Expertentalk bei Drinks und Fingerfood *Hitex ist AURIX Preferred Design House 2

3 Table of content Introduction & Overview about Safety and Security Demands of the standards and failure types Low Level Driver and embedded real-time OS Infineon SafeTlib Aurix 1G SafeTlib Aurix 1G integration service by Hitex Outlook about Hitex SafeTpack Aurix 2G Summary 3

4 Sicherheit What is Security and Safety? Security Protect the System against unauthorized external influence Safety Avoid harm and injuries caused by malfunctioning of the System Security Safe and Secure System Safety 4

5 Functional safety definition Functional safety is about absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E systems Hazards: potential source of harm Harm: physical injury or damage to the health of persons Failures are the main impairment to safety: Systematic failures: failure, related in a deterministic way to a certain cause, that can only be eliminated by a change of the design or of the manufacturing process, operational procedures, documentation or other relevant factors Random HW failures: failure that can occur unpredictably during the lifetime of a hardware element and that follows a probability distribution 5

6 Systematic Failures vs. Random Failures Systematic-Inherently Unsafe Random-Sometimes Unsafe 6

7 Safety Standards IEC61508 Electrical, electronic and programmable electronic systems IEC Household appl. IEC Medical IEC 501xx Railway ISO13849 Machinery ISO26262 Automotive 7

8 Safety Standards IEC61508 Electrical, electronic and programmable electronic systems SIL 1 SIL 2 SIL 3 SIL 4 IEC Household appl. IEC Medical IEC 501xx Railway ISO13849 Machinery ISO26262 Automotive Class A Class B Class C Cat 1 Cat 2 Cat 3 PL A PL B PL C PL D ASIL A ASIL B ASIL C ASIL D 8

9 Demands of the standards (Safety) Analyse failures Reduction of failures to fulfil Safety Integrity Level Reduction of systematically failures Reduction of random failures 9

10 Demands of the standards (Systematically failures) In all stages of the development process measures have to be planned executed and documented to manage verify and assess functional safety. V-Model approach Traceability 10

11 Demands of the standards (Statistical failures) Total failure rate λ total Safe λ S Detected Undetected λ SD λ SU Dangerous λ D Detected Undetected λ DD λ DU The proportion of safe failures (Safe Failure Fraction SFF) describes the proportion of safe failures towards the total failure rate of a subsystem. SFF = Σλ S + Σλ DD Σλ total = 1 Σλ DU Σλ total The diagnostic coverage (DC) describes how many dangerous failures can be detected. DC = 1 Σλ DU Σλ D = λ DD λ D 11

12 Demands of the standards (Statistical failures) Dangerous Undetectable Failures Dangerous Detectable Failures Safe Failures Dangerous Undetectable Failures λ DU Dangerous Detectable Failures λ DD The proportion of safe failures (Safe Failure Fraction SFF) describes the proportion of safe failures towards the total failure rate of a subsystem. SFF = Σλ S + Σλ DD Σλ total = 1 Σλ DU Σλ total The diagnostic coverage (DC) describes how many dangerous failures can be detected. DC = 1 Σλ DU Σλ D = λ DD λ D 12

13 Demands of the standards (Statistical failures) Failures in time Failures 1 FIT = 10 9 Hours SIL Level PFH [failure h] ASIL Level PMHF [failure h] SIL to < 10 8 ASIL D < 10 8 SIL to < 10 7 ASIL C < 10 7 SIL to < 10 6 ASIL B < 10 7 SIL to < 10 5 ASIL A No requirements 13

14 Risk Reduction to fulfil Safety Integrity Level Product without any safety measures With Safety Measure 1 With Safety Measure 2 With Safety Measure 3 With Safety Measure 4 Necessary minimal risk reduction With Safety Measure 5 With Safety Measure With Safety Measure n 0Risk Tolerable Risk Actual risk reduction Residual Risk Copyright Hitex GmbH All rights reserved. 14

15 Safety Mechanism Overview Safety Element out of Context (SEooC) Safety System/Item Safety Mechanisms Hardware Safety Mechanisms (AoU) Assumptions of Use 15

16 Safety Mechanism Definition & Classification Safety mechanism = Technical solution to detect faults or control failures in order to achieve or maintain a safe state. Measures to avoid faults Measures to control faults Safety mechanism effective within the element (Structural & Functional Measures) Safety measurers applied during development of element (Procedural Measures) Safety mechanisms are classified as: Hardware safety mechanism [HW] Assumptions of Use [AoU] 16

17 Safety Mechanism [SM1] & [SM2] Safety mechanisms are also classified as: Mechanisms to mitigate single point and residual faults [SM1] Supports the Single-Point fault Metric Usually carried out continuously / repeated cyclically ASIL B ASIL C ASIL D Single-Point Fault Metric 90% 97% 99% Mechanisms to avoid dual faults from being latent [SM2] Supports the Latent-Fault Metric Usually carried out once per driving cycle ASIL B ASIL C ASIL D Latent-Fault Metric 60% 80% 90% 17

18 Fault classification Fault Potential to violate a Fault in a no yes Potential to violate a no safety goal only in no safety related safety goal? combination with an element? independent fault? yes yes no Safety mechanism in place? yes Potential to violate a safety goal only in combination with 2 independent faults? yes no no Violation of safety goal prevented? yes yes Failure prevented from being latent? yes Failure prevented from being latent? no no No Part (Safe) SPF (Single Point Fault) RF (Residual Fault) DPF det. (Detected Dual-Point Fault) DPF lat. (Latent Dual-Point Fault) MPF det. (Detected Multiple Point Fault) MPF lat. (Latent Multiple Point Fault) Safe 18

19 Safety Mechanism Naming convention To identify these properties, following conventions are followed by Infineon documents: SM1/2[HW/AoU].<Part Name>:<Safety Mechanism> Example 1 SM1[HW].CPU:LOCKSTEP Lockstep architecture to detect errors in CPU Example 2 SM2[AoU].CPU:LOCKSTEP.ALARM_TEST Testing of LSCU by fault injection Example 3 SM1[HW].SRI:CLKMON SRI Clock frequency monitor Example 4 SM2[AoU].CLK:CLKMON Testing of Clock frequency monitor Short outlook to SafeTlib: The SafeTlib software implements several AoUs SafeTlib provides tests to ensure the integrity of the safety mechanisms of the vital parts 19

20 Reflexion for customer Problem 1: How to fulfil the demand safety integrity level? How to fulfil all AoU during software development for Infineon AURIX? Problem 2: Effort (Time & Costs) T Safety Critical Code = 2 4 T Non Safety Critical Code Source: The Industrial Take-up Formal Methods in Safety-Critical and other Areas: A Perspective Jonathan Bowen (University Oxford) and Voictoria Stavridou (University of London) 20

21 Solutions and Products from Hitex

22 Low Level Drivers Only drivers for safety or security critical peripherals have to be developed according to process Access to peripherals needed by the SafeTlib is included in the SafeTlib Write from scratch AURIX User Manual is extensive Relations of peripherals may be complex If development process needed big effort AURIX Experts can do it faster 22

23 Low Level Drivers Only drivers for safety or security critical peripherals have to be developed according to process Access to peripherals needed by the SafeTlib is included in the SafeTlib Write from scratch Use free illd drivers Easier to understand than User Manual Examples available No safety documentation like specification and validation documents 23

24 Low Level Drivers Only drivers for safety or security critical peripherals have to be developed according to process Access to peripherals needed by the SafeTlib is included in the SafeTlib Write from scratch Use free illd drivers Buy MCAL drivers AUTOSAR compatible Developed according to ISO26262 ASIL B BASE Package, MEM Package, COM Package, COM enhanced Package, LIB Package, CDT Package Configuration with TRESOS Studio Configuration and Integration Service offered by Hitex 24

25 Low Level Drivers Only drivers for safety or security critical peripherals have to be developed according to process Access to peripherals needed by the SafeTlib is included in the SafeTlib Write from scratch Use free illd drivers Buy MCAL drivers Buy Hitex industrial drivers Developed according to ISO26262 ASIL B & IEC61508 Full validation on request Available for MCU, IO, ADC, GTM, MultiCan, Quad Encoder, Hall Encoder, QSPI, ASC 25

26 RTOS, SAFERTOS, Real-time OS

27 RTOS, SAFERTOS, Real-time OS Product RTOS SAFERTOS RTOS PXROS Comment RTOS is a key part of the application and dividing safe and unsafe components, provides an scheduler and RTOS Objects but has to be save! And you have to designed and validated by yourself. SAFERTOS is a safety certified Real Time Operating System and based on FreeRTOS, but pre-certified for ISO ASIL D and also for IEC SIL 3 by TÜV SÜD. Each core has an instance of SAFERTOS Deployment of tasks at build time Message Queues and Semaphores are intercore compatible Professional certified PXROS One RTOS for all cores Dynamical optimization of tasks during runtime 27

28 MCAL Drivers Infineon MC-ISAR Packages

29 MCU WDG GPT FLS RAM TEST SPI LIN CAN FlexRay PORT DIO ICU PWM ADC SCI MEM Check FADC... AUTOSAR MCAL Driver for AURIX Family MC-ISAR Product Overview Application Layer MC-ISAR: MicroController Infineon Software Architecture System Services On-Board Device Abstraction AUTOSAR Run Time Enviroment (RTE) Memory Services Memory Abstraction Communication Services Communication Abstraction I/O Hardware Abstraction Complex Device Driver MC-ISAR: MCU, WDG, GPT, SPI, PORT, DIO, ICU, PWM, ADC MC-ISAR COM Basic: CAN, CanTrcv, LIN MC-ISAR COM Enhanced: FlexRay, Ethernet MC-ISAR MEM: FLASH, FEE MC-ISAR MCAL CD: SCI, MEMCheck, FADC, etc. for TriCore MCAL Microcontroller AUTOSAR in production since 2009 Infineon MC-ISAR driver (MicroController Infineon Software ARchitecture) Enabled via partners 29

30 Infineon SafeTlib A1G

31 SafeTlib Reduction of dangerous statistical errors AURIX MCU 32

32 SafeTlib Reduction of dangerous statistical errors HW Safety Mechanisms AURIX MCU 33

33 SafeTlib Reduction of dangerous statistical errors Assumptions of use HW Safety Mechanisms AURIX MCU 34

34 SafeTlib Reduction of dangerous statistical errors PRO-SIL SafeTlib Assumptions of use HW Safety Mechanisms AURIX MCU 35

35 SafeTlib Reduction of dangerous statistical errors Documentation PRO-SIL SafeTlib Assumptions of use HW Safety Mechanisms AURIX MCU 36

36 Hardware vs. SafeTlib & Safety Mechanism

37 Analog /digital Inputs Analog /digital outputs AURIX Safety Microcontroller AURIX MCU Peripheral A RAM FLASH Peripheral C Peripheral B CPU Peripheral D Clock Power CAN SMU other systems 38

38 Analog /digital Inputs Analog /digital outputs AURIX Safety Microcontroller Safe computing ensured by delayed Lockstep CPU with diverse Layout AURIX MCU Peripheral A RAM FLASH Peripheral C Peripheral B CPU Peripheral D Clock Power CAN SMU other systems 39

39 Analog /digital Inputs Analog /digital outputs AURIX Safety Microcontroller Safe computing ensured by delayed Lockstep CPU with diverse Layout Peripheral A AURIX MCU RAM FLASH Safe data and code storage ensured by ECC (DEDSEC for SRAM, TEDDEC for FLASH), Address Peripheral Monitoring C and Memory Protection Unit Peripheral B CPU Peripheral D Clock Power CAN SMU other systems 40

40 Analog /digital Inputs Analog /digital outputs AURIX Safety Microcontroller Safe intra chip communication ensured by E2E monitoring for data and address failures using ECC on SRI Bus Peripheral A AURIX MCU RAM FLASH Safe computing ensured by delayed Lockstep CPU with diverse Layout Safe data and code storage ensured by ECC (DEDSEC for SRAM, TEDDEC for FLASH), Address Peripheral Monitoring C and Memory Protection Unit Peripheral B CPU Peripheral D Clock Power CAN SMU other systems 41

41 Analog /digital Inputs Analog /digital outputs AURIX Safety Microcontroller Safe intra chip communication ensured by E2E monitoring for data and address failures using ECC on SRI Bus Peripheral A AURIX MCU RAM FLASH Safe computing ensured by delayed Lockstep CPU with diverse Layout Safe data and code storage ensured by ECC (DEDSEC for SRAM, TEDDEC for FLASH), Address Peripheral Monitoring C and Memory Protection Unit Peripheral B CPU Peripheral D Configurable error reaction/handling and Fault Signaling on FSP Pin Clock Power CAN SMU other systems 42

42 Analog /digital Inputs Analog /digital outputs AURIX Safety Microcontroller Safe intra chip communication ensured by E2E monitoring for data and address failures using ECC on SRI Bus Peripheral A AURIX MCU RAM FLASH Safe computing ensured by delayed Lockstep CPU with diverse Layout Safe data and code storage ensured by ECC (DEDSEC for SRAM, TEDDEC for FLASH), Address Peripheral Monitoring C and Memory Protection Unit Peripheral B Frequency range monitoring Power Supply range monitoring CPU Peripheral D Configurable error reaction/handling Clock Power CAN SMU other systems 43

43 Analog /digital Inputs Analog /digital outputs AURIX Safety Microcontroller Hardware safety mechanisms like CRC and Timestamp for DMA AURIX MCU Peripheral A RAM FLASH Peripheral C Peripheral B CPU Peripheral D Clock Power CAN Application safety mechanisms keywords: SMU - Redundancy - Plausibility Checks - E2E Protection other systems 44

44 Safety Concept with external Watchdog Communication Redundant Data Input AURIX Data Output Sensor System Diagnostic application dependent input Safe computation application dependent output Diagnostic Actuator System TLF35584 Safety Mechanism Power Supply Monitor Power Supply SMU Watchdog + Error Pin Monitor SPI/IO SMU ErrorPin Safety Path Control #2 Clock Safety Path Control 45

45 Safety Concept with external Watchdog Communication Redundant Data Input AURIX Data Output Sensor System Voltage Monitoring to detect under and Diagnostic over voltage of the external supply application dependent input Safe computation application dependent output Diagnostic Actuator System TLF35584 Safety Mechanism Power Supply Monitor Power Supply SMU Watchdog + Error Pin Monitor SPI/IO SMU ErrorPin Safety Path Control #2 Clock Safety Path Control 46

46 Safety Concept with external Watchdog Communication Redundant Data Input AURIX Data Output Sensor System Voltage Monitoring to detect under and Diagnostic over voltage of the external supply application dependent input Safe computation application dependent output Diagnostic Actuator System TLF35584 Power Supply Monitor Power Supply Safety Mechanism Time Window Watchdog for detection of common cause failures SMU Watchdog + Error Pin Monitor SPI/IO SMU ErrorPin Safety Path Control #2 Clock Safety Path Control 47

47 Safety Concept with external Watchdog Communication Redundant Data Input AURIX Data Output Sensor System Voltage Monitoring to detect under and Diagnostic over voltage of the external supply application dependent input Safe computation application dependent output Diagnostic Actuator System TLF35584 Power Supply Monitor Power Supply Safety Mechanism Time Window Watchdog for detection of common cause failures SMU Monitoring of FSP to perform a reaction in case that FSP enters the fault state Watchdog + Error Pin Monitor SPI/IO SMU ErrorPin Safety Path Control #2 Clock Safety Path Control 48

48 SafeTlib and HW Safety Measures vs. Faults SPF (Single Point Fault) detection: Lockstep CPU, ECC/EDC on memories and buses, redundant peripherals, SFR Test, SBST (Software Based Self-Test) for TriCore CPU LF (Latent Fault) detection: HW BIST, SBST CCF (Common Cause Fault) mitigation: Clock and voltage monitors, layout diversity, functional diversity, multiple watchdogs SafeTlib Set of software functions for self test of safety relevant hardware and HW safety measures Test routines to verify error reporting capability of HW Safety Measures 49

49 SafeTlib Components Common Modules Test Handler SMU driver Safe Watchdog Interface Example Watchdog Manager Test Manager Startup Sequence 50

50 Infineon Pro-SIL SafeTlib Package Upper Layer RefApp External Device Control Safe Watchdog Manager (SafeWdgM) Test Manager (TstM) Safe Watchdog Interface (SafeWdgIf) Internal Watchdog Driver (SafeWdgInt) SafeWdgCD External TLF35584 Watchdog Driver (SafeWdgExtTlf) QSPI Driver for External Watchdog (SafeWdgQspi) External CIC61508 Watchdog Driver (SafeWdgExtCic) ASCLIN Driver For External Watchdog (SafeWdgAscLin) Microcontroller Test Library (MicroTestLib) SafeTlibCD Test Handler (TestHandler) SMU Driver (SMU) BSW SPB, Core, SCU, SMU, Safety WDT QSPI ASCLIN LBIST, MBIST, PFLASH, SRAM, IR, SMU DMA, IOM, SFF, LMU, PMU, SRI Microcontroller 51

51 Infineon SafeTlib Hitex integration for customer

52 Hitex SafeTlib A1G Integration for customer Software: Check preconditions and prepare system for SafeTlib execution Callback functions for several detected failures IFX TLF35584 or Aurix internal safety watchdog configuration and cyclic servicing Multicore support 53

53 Hitex SafeTlib A1G Integration Framework 54

54 Hitex SafeTpack for Aurix 2G

55 Hitex SafeTpack A2G Outlook AURIX 2G does not need the SafeTlib MicroTest library but You still need to: Manage the TLF35584 safety watchdog Manage the internal watchdogs Run the LBIST, MBIST, MONBIST Run ASIL-D checks of critical SFRs Run the CPU and SPU SBSTs Host the AoU (Assumption of Use) functions Handle safety-relevant errors Hitex A2G SafeTpack These functions have a huge effect on the overall SPFM (Single Point Fault Metric), LFM (Latent Fault Metric) and FIT rate of the system. 56

56 Inside A2G SafeTpack 57

57 Summary

58 Summary AURIX has a complete environment feasible for safety and security Aurix hardware is designed for safety Functional safety has high demands on development cycle and microcontroller tests Make or buy decision is influenced by safety and security demands AURIX safety and security experts are increasing speed and reliability 63

59 Stay in contact with us Beray Yilmaz Account Manager PDH & Middleware Tel Fax Your personal contact Dr. Kurt Böhringer Head of Engineering Tel Fax Michael Weiß Senior Account Manager Embedded Solutions Tel Fax