Understanding SW Test Libraries (STL) for safetyrelated integrated circuits and the value of white-box SIL2(3) ASILB(D) YOGITECH faultrobust STL

Similar documents
Enabling Increased Safety with Fault Robustness in Microcontroller Applications

A tool based estimation computation method of MCU random failure rate &functional safety metrics

Functional Safety Design Packages for STM32 & STM8 MCUs

Fault-robust microcontrollers for automotive applications

Fault-Injection testing and code coverage measurement using Virtual Prototypes on the context of the ISO standard

Using an innovative SoC-level FMEA methodology to design in compliance with IEC61508

DEPENDABLE PROCESSOR DESIGN

Safety and Reliability of Software-Controlled Systems Part 14: Fault mitigation

Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309

88 Dugald Campbell. Making Industrial Systems Safer Meeting the IEC standards

What functional safety module designers need from IC developers

Riccardo Mariani, Intel Fellow, IOTG SEG, Chief Functional Safety Technologist

FMEDA-Based Fault Injection and Data Analysis in Compliance with ISO SPEAKER. Dept. of Electrical Engineering, National Taipei University

Tools and Methods for Validation and Verification as requested by ISO26262

Using Zynq-7000 SoC IEC Artifacts to Achieve ISO Compliance

UM1741. STM32F0 Series safety manual. User manual. Introduction

New ARMv8-R technology for real-time control in safetyrelated

AUTOBEST: A microkernel-based system (not only) for automotive applications. Marc Bommert, Alexander Züpke, Robert Kaiser.

FUNCTIONAL SAFETY FOR INDUSTRIAL AUTOMATION

Is This What the Future Will Look Like?

Certified Automotive Software Tester Sample Exam Paper Syllabus Version 2.0

New developments about PL and SIL. Present harmonised versions, background and changes.

Failure Diagnosis and Prognosis for Automotive Systems. Tom Fuhrman General Motors R&D IFIP Workshop June 25-27, 2010

Virtual Hardware ECU How to Significantly Increase Your Testing Throughput!

A Model-Based Reference Workflow for the Development of Safety-Related Software

Entwicklung zuverlässiger Software-Systeme, Stuttgart 30.Juni 2011

FUNCTIONAL SAFETY CERTIFICATE

An Automated Formal Verification Flow for Safety Registers

Failure Modes, Effects and Diagnostic Analysis

By V-cubed Solutions, Inc. Page1. All rights reserved by V-cubed Solutions, Inc.

XMC Class-B library software. September 2016

Freescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, C-Ware, t he Energy Efficient Solutions logo, mobilegt, PowerQUICC,

ida Certification Services IEC Functional Safety Assessment Project: Masoneilan Smart Valve Interface, SVI II ESD Customer: GE Energy

Freescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C- Ware, the Energy Efficient Solutions logo, Kinetis,

2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems 07/2000

Growth outside Cell Phone Applications

Engineering of Reliable Software Systems

VDE Testing and Certification Institute

EXPERIENCES FROM MODEL BASED DEVELOPMENT OF DRIVE-BY-WIRE CONTROL SYSTEMS

NHP SAFETY REFERENCE GUIDE

Report. Certificate Z AC500-S

EDA Support for Functional Safety How Static and Dynamic Failure Analysis Can Improve Productivity in the Assessment of Functional Safety

Industrial Embedded Systems - Design for Harsh Environment -

CAN on Integration Technologies

Automotive Safety Manual

Company: Valeo Powertrain Systems Business Company: Valeo Powertrain Systems Business

Application Note. AC500-S Usage of AC500 Digital Standard I/Os in Functional Safety Applications up to PL c (ISO )

Report. Certificate Z Rev. 00. SIMATIC Safety System

UM1840 User manual. STM32F4 Series safety manual. Introduction

ISO INTERNATIONAL STANDARD. Safety of machinery Safety-related parts of control systems Part 1: General principles for design

Don t Judge Software by Its (Code) Coverage

Chapter 5. Introduction ARM Cortex series

Functional Safety on Multicore Microcontrollers for Industrial Applications

Software architecture in ASPICE and Even-André Karlsson

Formal Verification and Automatic Testing for Model-based Development in compliance with ISO 26262

ISO compliant verification of functional requirements in the model-based software development process

Workpackage WP2.5 Platform System Architecture. Frank Badstübner Ralf Ködel Wilhelm Maurer Martin Kunert F. Giesemann, G. Paya Vaya, H.

Failure Modes, Effects and Diagnostic Analysis

Isolation of Cores. Reduce costs of mixed-critical systems by using a divide-and-conquer startegy on core level

RazorMotion - The next level of development and evaluation is here. Highly automated driving platform for development and evaluation

Failure Modes, Effects and Diagnostic Analysis

FUNCTIONAL SAFETY CERTIFICATE

automatisiertensoftwaretests

ISO26262 This Changes Everything!

Functional Safety on Multicore Microcontrollers for Industrial Applications. Thomas Barth (h-da) Prof. Dr.-Ing. Peter Fromm (h-da)

Kostiantyn Leontiiev, Technical Director October, 2018, Dallas, USA 11 th International FPGA Workshop

Failure Modes, Effects and Diagnostic Analysis

Semantics-Based Integration of Embedded Systems Models

SOFTWARE QUALITY. MADE IN GERMANY.

ISO Compliant Automatic Requirements-Based Testing for TargetLink

VDE Testing and Certification Institute

Hardware Design and Simulation for Verification

Redundancy in fault tolerant computing. D. P. Siewiorek R.S. Swarz, Reliable Computer Systems, Prentice Hall, 1992

Guidance for Requirements for qualified trust service providers: trustworthy systems and products

Aldebaran Microcontroller SoC for Mobile Robot (Low Power MCU Core Technology)

Report. Certificate M6A SIMATIC Safety System

Hercules ARM Cortex -R4 System Architecture. Processor Overview

IBM Rational Rhapsody. IBM Rational Rhapsody Kit for ISO 26262, IEC 61508, IEC and EN Overview. Version 1.9

Technology solutions for Industry

INTRODUCTION TO SOFTWARE ENGINEERING

Verified and validated

TCL. ASIL Level. Software. Automotive ISO Tool-Qualification. Safety Manual. Software for Safety-Related Automotive Systems

Battery Stack Management Makes another Leap Forward

Formal Methods and their role in Software and System Development. Riccardo Sisto, Politecnico di Torino

ST33F1M, ST33F1M0, ST33F896, ST33F768, ST33F640, ST33F512

CTFL -Automotive Software Tester Sample Exam Paper Syllabus Version 2.0

Integrated and Separate?

Analysis on the Application of On-chip Redundancy in the Safety-critical System

NHP SAFETY REFERENCE GUIDE

Functional verification on PIL mode with IAR Embedded Workbench

O B J E C T L E V E L T E S T I N G

UM2318 User manual. STM32F7 Series safety manual. Introduction

Validation Suites vs. Validation Kits

Report. Certificate M6A SIMATIC S7 Distributed Safety

CERTIFICATION ISSUES IN AUTOMOTIVE SOFTWARE

FUNCTIONAL SAFETY AND THE GPU. Richard Bramley, 5/11/2017

ACC, a Next Generation CAN Controller

Design and Synthesis for Test

ZLF645 Crimzon Flash Microcontroller with ZBase Database Industry Leading Universal Infrared Remote Control (UIR) Solution

AN5123 Application note

Transcription:

Understanding SW Test Libraries (STL) for safetyrelated integrated circuits and the value of white-box SIL2(3) ASILB(D) YOGITECH faultrobust STL Riccardo Mariani White Paper n. 001/2014 Riccardo Mariani C.T.O. YOGITECH S.p.A. Page 0 of 10

1 Table of Contents LEGAL NOTICE... 2 Abstract... 3 About SW Test Library (STL)... 3 Requirements of IEC 61508 and ISO 26262 for STL... 3 About black-box SW Test Libraries: the ARM Cortex-M3 example... 3 About YOGITECH faultrobust Methodology (frmethodology)... 4 Using frmethodology to specify, implement and verify STL... 5 Key features of YOGITECH faultrobust STL (frstl)... 6 Using YOGITECH frstl in single, dual MCU or multi-cores... 7 Summary... 8 Availability of YOGITECH faultrobust STL products... 8 References... 8 Glossary... 8 About YOGITECH... 9

2 LEGAL NOTICE Information of this product is subject to change without notice according to continuous product development and improvements. All product details and product usage described in this document are given by YOGITECH S.p.A. in a good faith. YOGITECH S.p.A shall not be liable for any loss or damage deriving from the incorrect use of information contained in this document, or any error or omission in such information, or any incorrect use of the product. Trademarks mentioned in this document are the exclusive property of their respective owners.

3 Abstract Self-test by software (often referred to as SW test library) is one of the methods to provide diagnostic coverage for safety-related integrated circuits. It is particularly suitable for circuits that have limited or no HW diagnostic measures. This white paper describes the requirements for STLs in relation to popular functional safety standards such as IEC 61508 and ISO 26262. Furthermore, this paper demonstrates that a real compliance with these requirements is achieved only if the STL is specified, implemented and verified by means of a white-box approach which goes into detail of the integrated circuits to be tested, and which uses fault injection at gate-level to measure the actual diagnostic coverage provided by the STL. This white paper illustrates how this is accomplished by YOGITECH faultrobust SW test libraries based on YOGITECH s faultrobust Methodology. It also describes the advantages of YOGITECH s SW test libraries in terms of their very limited code size, short execution time, flexibility and reusability. Finally, this white paper shows how YOGITECH SW test libraries can be used for both single and dual microcontroller designs, or in multicores. About SW Test Library (STL) Self-test by software is one of the methods of providing diagnostic coverage for safety-related integrated circuits. It is referred to as an SW test library (STL), a diagnostic SW test (DST), or a core-self test (CST). In essence, an STL is an SW program which is periodically executed in the field by a processing unit, with the aim of testing that the processing unit itself, or another part of the integrated circuit, is operating as designed. STLs are suitable for circuits that have limited or no HW diagnostic measures, and may also be used to complement safety mechanisms of integrated circuits that have HW support for safety. The following section describes the requirements of popular functional safety standards such as IEC 61508 and ISO 26262 for the specification, design and verification of those STLs. Requirements of IEC 61508 and ISO 26262 for STL According to IEC 61508 standard (ref. IEC 61508-7 A.3.2), the STL is realized by software functions which perform self-tests using a data pattern which tests structures such as the data registers, the address registers and the instruction decoder. According to the standard (IEC 61508-2, Table A.4), the Maximum diagnostic coverage considered achievable is Medium, i.e. 90%. Very similar requirements exist in ISO 26262, the functional safety standard for the automotive industry. For example, according to ISO 26262-5 D.2.3.1, STLs are used to detect, as early as possible, failures in the processing unit and other sub-elements consisting of physical storage (e.g., registers) or functional units (e.g., instruction decoders) by means of software. For ISO 26262 (ref. ISO 26262-5 Annex D Table D-4), the achieved diagnostic coverage depends on the quality of the STL, and it is typically Medium, i.e. 90%. Moreover, ISO 26262-5 Table D.1 clearly states that Stuck-at at gate level needs to be covered by the STL. It further states that (ref. ISO 26262-5 D.2.3.1) determining the actual coverage of the tested gates requires extensive fault simulation. Both functional safety standards agree that as far as the development process of an STL is concerned the STL has to fulfill the specification, implementation and verification requirements described in the related SW chapter of the standard, i.e. IEC 61508-3 or ISO 26262-6. Those requirements consist of, amongst other factors, avoiding specific SW constructs (e.g., no multiple use of variable names) and providing detailed evidence of the structural coverage metrics reached (e.g., MC/DC coverage). The following section demonstrates how it is impossible to claim real compliance with those requirements if the STL is designed with a black-box approach, i.e. without detailed information of the integrated circuit, and without the use of fault injection as a method to demonstrate the actual diagnostic coverage provided by the STL. About black-box SW Test Libraries: the ARM Cortex-M3 example To demonstrate how it is impossible to claim real compliance with the aforementioned requirements if the STL is designed with a black-box approach, we asked a skilled SW engineer, well trained in functional safety, on the basis of the IEC 61508 2 nd edition description of Self-test by software to prepare an STL for a popular and simple processing unit such as the ARM Cortex-M3.

4 The SW engineer, using C language, prepared the STL as indicated by IEC 61508 2 nd edition, i.e. testing all the ARM Cortex-M3 registers with walking bit, the ARM Cortex-M3 instruction decoder and address logic. The SW engineer was also requested to add the contribution of the watchdog. The SW was designed using state of the art certified compilers. The resulting STL consisted of a self-test library with a code size of 7,696 bits. Then, a fault injection environment (based on YOGITECH s Safety Verifier tool suite) was set up to demonstrate the diagnostic coverage achievable by this STL. The environment consisted of the gate-level netlist of ARM Cortex-M3 and memory models to store code and data during the execution of the self-test. More than 150,000 stuck-at faults were simulated (all the possible faults of ARM Cortex-M3) and the measured diagnostic coverage was 69.6%. The coverage was also measured with the registers walking bit test removed, resulting in a coverage of 59%. Different combinations of tests were tried, but the result was nevertheless in the range of 55%-70%, including the contribution of the watchdog. This result shows that, even for a simple processing unit such as the ARM Cortex-M3, a skilled SW engineer without the support of a safety-oriented white-box methodology will definitively fall short of achieving the Medium coverage indicated by the standard. In particular, without any fault injection tool, it is impossible for the SW engineer to measure the results of his efforts. Furthermore, without a safety-oriented design exploration methodology, it is impossible for the SW engineer to direct his efforts in the right direction. It is easy to understand how this gap between the expected and the actual measured diagnostic coverage dramatically increases for complex CPU cores such as the ARM Cortex-R or Cortex-A series. The following section describes how YOGITECH s faultrobust Methodology is the appropriate safety-oriented white-box methodology to allow the overcoming of the limitations of the black-box approach. About YOGITECH faultrobust Methodology (frmethodology) YOGITECH s faultrobust Methodology (frmethodology) is a patented white-box approach to perform and verify/validate functional safety analyses and the safety-oriented design exploration of integrated circuits, according to different functional safety standards. In essence, frmethodology consists of: Dividing the component into elementary parts 1 by using an automatic tool (YOGITECH s Elementary Part Extractor) to guarantee the completeness of the analysis; Computing, by using an automatic tool (YOGITECH s Safety Designer), the safety metrics by examining the fault models of each elementary part, attributing the failure rate, the dangerosity and then estimating the diagnostic coverage of the planned HW or SW safety mechanisms; Verifying/Validating, by using an automatic tool (YOGITECH s Safety Verifier), the safety metrics by an extensive fault injection campaign, simulating permanent, transient and common cause faults. The following section describes how an STL that is specified, implemented and verified with YOGITECH s frmethodology is able to completely fulfill the requirements of functional safety standards, providing tangible evidence of the claimed diagnostic coverage. 1 According to safety standards, an elementary part (EP) is the finest level of detail into which an integrated circuit can be sub-divided (ref. for example, ISO 26262-10, section 4.2). In YOGITECH frmethodology, an EP is composed of a flip-flop and the logic cone contributing to its fan-in.

5 Using frmethodology to specify, implement and verify STL The flow to specify, implement and verify an STL is described in Figure 1. Figure 1: frmethodology flow for frstl It consists of: the processing of the integrated circuit database to partition it into elementary parts; executing a quantitative FMEDA in order to automatically compute the failure distribution of the elementary parts; estimating the dangerosity of each elementary parts, thereby defining the SW safety requirements describing the target diagnostic coverage for the STL; SW coding according to the those safety requirements and following a strict development flow and then executing the safety verification by means of an extensive fault injection campaign aimed at verifying the estimated dangerosity and the diagnostic coverage achieved by the STL. For example, in the case of a CPU, thanks to YOGITECH frmethodology and YOGITECH s Safety Designer tool, at first the safety engineer can quickly identify the key elementary parts that most contribute to the failure probability of the processing unit (see Figure 2, depending on CPU configuration); therefore, it can efficiently direct the efforts of the SW engineer by providing him with very detailed SW safety requirements. Then, the SW engineer prepares the STL according to those requirements. Eventually, thanks to YOGITECH s Safety Verifier tool, faults are injected into the gate-level netlist to measure the diagnostic coverage achieved by the self-test providing the same detailed information to the SW engineer in the case of remaining gaps. Furthermore, this generates tangible and objective evidence for the certification bodies. With this methodology, a diagnostic coverage of 90.5% was achieved with a code size of the STL of less than 10 Kbytes and a run time, at 100 MHz CPU operating frequency, of less than 1ms. The following section describes the key features of YOGITECH faultrobust SW Test Libraries.

6 Failure distribution vs CPU configuration 60% 50% CFG_A CFG_B Failure distribution 40% 30% 20% CFG_C 10% 0% Failure Failure Failure Failure Failure Failure Failure Failure Failure Failure Failure Failure Failure Failure Failure Failure Failure Failure Failure Failure Failure Failure Mode 1 Mode 2 Mode 3 Mode 4 Mode 5 Mode 6 Mode 7 Mode 8 Mode 9 Mode Mode 11 Mode Mode Mode Mode Mode Mode Mode Mode Mode Mode Mode 10 12 13 14 15 16 17 18 19 20 21 22 CPU top-level failure modes Figure 2: CPU failure distribution Key features of YOGITECH faultrobust STL (frstl) YOGITECH faultrobust STLs (frstl) are the STLs produced by YOGITECH according to the flow described in the previous section. Their conceptual architecture is shown in Figure 3. Test Interface # ID Pass/fail Signatures Test Segment (TS) C routine... Preamble Assembler Signature calculation Test Segment (TS) Test Segment (TS)... Test Segment (TS) Postamble Figure 3: frstl architecture On top of their full compliance with the requirements of functional safety standards and the tangible evidence demonstrating the diagnostic coverage provided by the frstl, the key features are: Modularity ensured by the structure, consisting of a Test Interface and a set of Test Segments (TS). Each TS targets a specific function or a group of functions of the component; it provides pass/fail

peripheral 7 information and self-checking signatures (CRC) and it may be interrupted at any time by the application SW; Flexibility, allowing the user to either run the full test suite or a subset; Easy integration, since the frstl is mostly written in C. Optimized assembler coding is used only to address specific sequences of instructions necessary to reach the required performance in terms of coverage; Low impact on the application SW, thanks to the optimization in size and run time allowed by the frmethodology flow. The following section describes how to use YOGITECH frstl for single and dual microcontroller designs. Using YOGITECH frstl in single, dual MCU or multi-cores YOGITECH frstl can be used in single and dual microcontroller (MCU) designs or multicores. If used in a single MCU, according to the few conditions of use detailed in the frstl Safety Manual, it provides diagnostic coverage compliant with permanent faults up to IEC 61508 SIL2 or ISO 2626 ASILB safety integrity levels. It can be executed either at power-on, periodically or before/after critical actions. Its flexible structure, organized in separated interruptible test segments, and its very short execution time allow the frstl to be used in every type of application, with a process safety time or fault-tolerant time interval ranging from a few to thousands of ms. YOGITECH frstl is typically combined with additional measures provided by the user to cover transient faults, such as data coding or algorithm time redundancy. Since it has been developed according to the highest systematic capability (aligned with the systematic faults avoidance requirements of IEC 61508 SIL3 and ISO 26262 ASILD s safety integrity levels), and since it guarantees a diagnostic coverage equal to or greater than 90% for each homogenous HW element, YOGITECH frstl can also be used in dual MCU designs targeting IEC 61508 SIL3 and ISO 26262 ASILD HW architectural metrics. MCU 1 MCU 2 CPU CPU alg alg bus bus channels cross-checking (cross monitoring) peripheral CRC+... data Safety Protocol CRC+... data Safety Protocol Figure 4: frstl on dual MCU design As shown in Figure 4, YOGITECH frstl is typically executed in the two parallel MCUs either at power-on, periodically or before/after critical actions. To guarantee the highest level of diagnostic coverage for both permanent and transient faults, intermediate results (e.g. for each TS) are exchanged by means of a safety

8 protocol, and then cross-compared between the MCUs, together with intermediate results of the safety function. The same concept can be used for multicores. In this case, YOGITECH frstl is executed in the two parallel CPUs and to guarantee the highest level of avoidance of common cause faults, especially for shared logic the results are sent with a dedicated safety protocol to an independent judging element, also having the role of cross-comparing the intermediate results of the safety function. YOGITECH has unique market experience of safety-related single, dual-mcu or multi-cpu, and provides assistance to its customers on integrating frstl into their safety-relevant systems. Summary This white paper has demonstrated that an STL designed simply according to a user or reference manual, and verified without the support of a gate-level fault injection flow, will never be able to fulfill the requirements of functional safety standards. On the other hand, it has demonstrated that YOGITECH frmethodology is the appropriate white-box, safety-oriented methodology to guarantee meeting these safety requirements with an optimized, flexible and reusable frstl. Availability of YOGITECH faultrobust STL products The YOGITECH frstl portfolio includes core-only frstls for the Cortex-M0, M0+, M3, M4 series (siliconvendor independent), and frstls covering the microcontroller for STM32 F0, F1, F2, F3, F4, L1 by ST Microelectronics, and for XMC4100, XMC4200, XMC4400, XMC4500, XMC4700, XMC4800 by Infineon. The Roadmap includes frstl for Cortex-A series. frstl can be prepared for other CPUs or other microcontrollers please contact YOGITECH for further information. References IEC 61508:2010 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems. ISO 26262:2011/2012 - Road vehicles Functional safety. Glossary STL SW Test Library frstl YOGITECH faultrobust STL MCU Microcontroller EP Elementary Part TS Test Segment

9 About YOGITECH YOGITECH, founded in 2000, is a leading provider of services and solutions to silicon vendors and system integrators to help them meet their functional safety challenges. The company s faultrobust technology includes different product lines - frmethodology, frtools, frtraining, frips and frstl - supporting its mission to be the one-stop shop for functional safety. YOGITECH is a member of the ISO 26262 Working Group, taking the lead role for Part 10 - Annex A ISO26262 and Microcontrollers, and the new Part 11 - Application of ISO26262 to Semiconductors. YOGITECH S.p.A. Via Lenin 132/P - 56017 San Giuliano Terme Loc. San Martino Ulmiano (PI) ITALY TEL: +39 050 86351 FAX: + 39 050 861870 www.yogitech.com contactus@yogitech.com Date of Publication: October, 2014

10 Via Lenin 132/P - Loc. San Martino Ulmiano 56017 - San Giuliano Terme (PI) Italy Tel: +39 050.86351 - Fax: +39 050.861870 contactus@yogitech - www.yogitech.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback