multicore challenge an automotive perspective

Multicore ChallengeAn Automotive Perspective

14th September 2010

Glenn Farrall

Senior Principal Engineer

Copyright © Infineon Technologies 2010. All rights reserved. Preliminary Information Subject to ChangeNMI 201014.09.2010

S A S A S A S A S A S A S A S A S A S A S A S

F S S F S F S

Convergence of systems

BRAKINGSTEERING SUSPENSION TRACTION

Global Vehicle

Control

Real Pilot

Driver

Assist

Virtual Co-Pilot

Passiv

e

A

ctiveACC

2nd Gen.

Lane Departure

VisionEnhance

ParkingAssist

BlindSpot

Navigation

TrafficInfo

Guardian Angel

Passiv

e

A

ctive

Airbag Belt

TPMS

Passenger Detection

Collision Avoidance

Collision Warning

Pedestrian Protection

Risk

Management


Primary causes of system failure -Industry as example

Source: HSE UK report 1999, based on industrial accidents based on 34 incidents

Specification

44,10%

Design

Changes

20,60%

Installation &

Commissioning

5,90%

Design &

Implementation

14,70%

Operation &

Maintenance

14,70%

Over 80% off all failures are caused before any user

touches installations


ISO26262 Automotive Safety Integrity Level

Inherent Process RiskTolerable RiskResidual Risk

Increasing Risk

Necessary risk reduction

Actual risk reduction

‘Safe’

Event

Exposure

Severity

Controllability


Safety Versus Availability

Unavailable, Safe Now…

Available, Unsafe…


Redundancy Versus Diversity

Redundant

(& Independent)

Diverse

(& Independent)


Automotive Software-Enabled Functionality ~50% Increase in Performance Annually

5Mips

40Mips

300Mips

2.2Gips

17Gips

126Gips


Software development as critical issue for system safety Is it possible to write software without bug’s???

After initial coding you can expect one bug per 20 lines of code

After thorough unit testing you can expect 1 bug per 1000 lines of code in the final release

1 line ~5 bytes, so 1 bug per ~5KB

0100100101100110001000000111100101101111011101010010000001100011011000010110111000100000011100100110010101100001011001000010000001110100011010000110100101110011001000000111100101101111011101010010000001100100011011110110111001110100001000000110111001100101011001010110010000100000011001110110110001100001011100110111001101100101011100110011101100101101001010010000110100 0 0 1 0 1 00100100101100110001000000111100101101111011101010010000001100011011000010110111000100000011100100110010101100001011001000010000001110100011010000110100101110011001000000111100101101111011101010010000001100100011011110110111001110100001000000110111001100101011001010110010000100000011001110110110001100001011100110111001101100101011100110011101100101101001010010000110100 0 0 1 0 1 0

Application Microcontroller Type Code Size

Steering Angle Sensor 8 Bit 32KB

Low-end Sensor Cluster 16 Bit 128KB

Airbag Controller 16/32 Bit 256KB

EPS Controller 16/32 Bit 512KB

Central Chassis Controller 32 Bit 1.5MB

7 Bugs

Statistics

26 Bugs

52 Bugs

104 Bugs

308 Bugs


Today's automotive software partitioning ascritical issue

Microcontroller (e.g. TriCore®)

AutoSAR* Operating SystemRun-Time EnvironmentDrivers, Communication

Microcontroller Abstraction Layer

Applic

atio

n

Task 1

Task 2

….

Applic

atio

n 2

Task 1

Task 2

….

Applic

atio

n 3

Task 1

Task 2

….

Applic

atio

n 4

Task 1

Task 2

….

SafetyCritical

Software parts

Safety Driver

Semiconductor Company

Independent Software Company


Supplied byTIER1 Supplied by OEM



Independent Software

Company???


Software compilation flow as critical issue

Mathematic Model

Auto code Generator

C-CodeC-Code C-Code

Compiler

Object Code Object CodeObject Code

Final Target Code

Optimizer

Target Code

Optimizer

Linker

Tool chainOverall Size:

Several 100MB…


Additional Safety Driver requirements

Fault model for testing data and addresses of registers, caches, internal RAM, Flash, CSFRs

Test for dynamic cross-over of memory cells or registers

No, wrong or multiple addressing

Testing of opcode decoding and execution including flag registers

Test of watchdog, traps, ECC (Parity), …

Coverage of transient computation faults

Testing of program counter and stack pointers

Peripheral configuration and operation

Detection of Continuous interrupts, Crossover of interrupts, Unused Interrupts

Task execution monitor for OS and critical tasks

External ASIC covers common cause failurePower supply, short circuit on chip Temperature of chip EMC System clock

Ap

pli

cati

on

in

dep

en

den

t req

uir

em

en

ts f

or

fun

cti

on

al safe

ty i

n

mic

ro

co

ntr

oll

ers


Software development and computation proposals

Every effort must be made to negate the need to qualify software and the tooling

Qualification is expensive, limits configurations, freezes release levels, is difficult or impossible to prove

Transient

Error

Detection

Static Error

Detection

Programming

Model

Code

Generator

Compiler

/Linker Libraries

Data

/Structures

Computing

Cores

(Hardware) Method Proposal

Common Common Common Common Common One Core No Failure Consideration

Common Common Common Common RedundantOne Core (Double

Calculation)

Calculate Same Algorithm

Twice For Transient Errors

Common Common Common Common RedundantRedundant (e.g.

Lockstep)

Calculate Algorithm Twice

For Transient Errors

Common Common Diverse Diverse RedundantCommon (Running

Diverse Code Set)

Compile Code Twice With

Different Optimization

Levels For diversity

Common Common Diverse Diverse RedundantDiverse (e.g. TriCore +

PCP)

Use Asymmetric Core

System With Two Different

Tool Chains

Common Diverse Diverse Diverse RedundantCommon (Running

Diverse Code set)

Add Diverse Code

Generation (e.g. Auto +

Complex Code)

Diverse Diverse Diverse Diverse RedundantDiverse

(e.g. TriCore + PCP)Fully Diverse Development

nono

yesyes


Robust software partitioning as requirement for functional safety

Microcontroller e.g. TriCore PCP

Safety Software Driver (Functional Independent)

Applic

atio

n 4

Task 1

Task 2

….

Functio

nal Dependent

Safe

ty C

ritical S

oftw

are

*AutoSAR - scalability class 4Memory protection

Time protection

Applic

atio

n 1

aTasks

Applic

atio

n 1

bTasks

Applic

atio

n 2

(2x)

Tasks

AutoSAR* Operating SystemRun-Time EnvironmentDrivers, Communication

Microcontroller Abstraction Layer

Applic

atio

n 3

Task 1

Task 2

Unmonitored Tasks

Diversity Redundancy


Summary

Increases in affordable computation has the potential to allow autonomous vehicles within next 10 years

New powertrain technologies (hybrid & electric drive) mean that drive by wire systems will become common place

Automotive software is very expensive to produce and test, so much legacy code needs to be reused

ISO26262 safety standard demands higher ‘degree of rigor’ in all aspects of engineering process

Use of common safety diagnostic library (SafeTcore) allows Infineon customers to claim integrity of host processor system and just focus on application level safety topics

Heterogeneous multicores provide certain advantages for safety relevant, embedded automotive control systems but deeper diagnostic coverage can result in less system availability

multicore challenge an automotive perspective

Documents