TRANSCRIPT
Multicore Challenge: An Automotive Perspective
14th September 2010
Glenn Farrall
Senior Principal Engineer
Page 2. Copyright © Infineon Technologies 2010. All rights reserved. Preliminary Information Subject to Change. NMI 2010, 14.09.2010
Convergence of systems
[Figure: convergence of vehicle systems. Domains: braking, steering, suspension, traction, combined into global vehicle control. Evolution from the real pilot (driver) via driver assist and virtual co-pilot to guardian angel. Passive and active functions: ACC 2nd gen., lane departure, vision enhance, parking assist, blind spot, navigation, traffic info; airbag, belt, TPMS, passenger detection, collision avoidance, collision warning, pedestrian protection; risk management.]
Page 3
Primary causes of system failure - industry as example
Source: HSE UK report 1999, based on 34 industrial incidents
  Specification                   44.1%
  Design changes                  20.6%
  Installation & commissioning     5.9%
  Design & implementation         14.7%
  Operation & maintenance         14.7%
Over 80% of all failures are caused before any user touches the installation.
Page 4
ISO 26262 Automotive Safety Integrity Level
[Figure: risk reduction. The inherent process risk is brought down by the necessary risk reduction to the tolerable risk; the actual risk reduction leaves the residual risk, which must lie in the 'safe' region. Risk increases along the axis. A hazardous event is classified by its Exposure, Severity and Controllability.]
Page 5
Safety Versus Availability
Unavailable, Safe Now…
Available, Unsafe…
Page 6
Redundancy Versus Diversity
Redundant (& Independent)
Diverse (& Independent)
Page 7
Automotive Software-Enabled Functionality: ~50% Increase in Performance Annually
[Chart data points: 5 MIPS, 40 MIPS, 300 MIPS, 2.2 GIPS, 17 GIPS, 126 GIPS]
Page 8
Software development as a critical issue for system safety: is it possible to write software without bugs?
After initial coding you can expect one bug per 20 lines of code.
After thorough unit testing you can expect 1 bug per 1000 lines of code in the final release.
1 line ~5 bytes, so 1 bug per ~5 KB.
Application                   Microcontroller type   Code size   Bugs (statistics)
Steering angle sensor         8 bit                  32 KB       7
Low-end sensor cluster        16 bit                 128 KB      26
Airbag controller             16/32 bit              256 KB      52
EPS controller                16/32 bit              512 KB      104
Central chassis controller    32 bit                 1.5 MB      308
Page 9
Today's automotive software partitioning as critical issue
[Figure: software stack on a microcontroller (e.g. TriCore®). Layers: AUTOSAR* operating system, run-time environment, drivers and communication; microcontroller abstraction layer; safety driver. Applications 1 to 4 run on top, each with Task 1, Task 2, ...; the safety-critical software parts are spread across them. Sources: safety driver from the semiconductor company; applications from independent software companies, supplied by the TIER1 or by the OEM; for some parts the supplier is marked "???".]
Page 10
Software compilation flow as critical issue
[Figure: stages of the build flow. Mathematical model; auto code generator; C code (several sources); compiler; object code (several files); optimizer; linker; target code; optimizer; final target code.]
Tool chain overall size: several 100 MB...
Page 11
Additional Safety Driver requirements
Fault model for testing data and addresses of registers, caches, internal RAM, Flash, CSFRs
Test for dynamic cross-over of memory cells or registers
No, wrong or multiple addressing
Testing of opcode decoding and execution, including flag registers
Test of watchdog, traps, ECC (parity), ...
Coverage of transient computation faults
Testing of program counter and stack pointers
Peripheral configuration and operation
Detection of continuous interrupts, cross-over of interrupts, unused interrupts
Task execution monitor for OS and critical tasks
External ASIC covers common cause failures: power supply, short circuit on chip, temperature of chip, EMC, system clock
Application-independent requirements for functional safety in microcontrollers
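As an added example (not SafeTcore or any code from the presentation), a March C- RAM test run against a small simulated memory whose fault model covers three of the fault classes listed above: a stuck-at data bit, a coupling ("cross-over") fault between two cells, and multiple addressing. The memory model, its size and the fault parameters are constructed for the illustration; on a real controller the test runs over RAM that is not in use, with interrupts masked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define RAM_CELLS 16u   /* constructed: a tiny RAM under test */

/* Simulated RAM with an injectable fault model (constructed for this example).
 * An index of -1 disables the corresponding fault. */
typedef struct {
    uint8_t cell[RAM_CELLS];
    int stuck_idx;              /* cell whose bit 0 is stuck at 0 */
    int agg, vic;               /* coupling: writing a 1 into bit 0 of agg clears vic */
    int alias_from, alias_to;   /* address fault: a write to alias_from also lands in alias_to */
} SimRam;

static uint8_t ram_rd(const SimRam *m, size_t i) { return m->cell[i]; }

static void ram_wr(SimRam *m, size_t i, uint8_t v) {
    m->cell[i] = v;
    if ((int)i == m->alias_from)        m->cell[m->alias_to] = v;
    if ((int)i == m->stuck_idx)         m->cell[i] &= 0xFEu;
    if ((int)i == m->agg && (v & 1u))   m->cell[m->vic] = 0x00u;
}

/* March C-: {up(w0); up(r0,w1); up(r1,w0); down(r0,w1); down(r1,w0); up(r0)}.
 * Returns true only if every read observed the value last written to that cell. */
bool march_c_minus(SimRam *m) {
    size_t i;
    for (i = 0; i < RAM_CELLS; i++) ram_wr(m, i, 0x00u);
    for (i = 0; i < RAM_CELLS; i++) { if (ram_rd(m, i) != 0x00u) return false; ram_wr(m, i, 0xFFu); }
    for (i = 0; i < RAM_CELLS; i++) { if (ram_rd(m, i) != 0xFFu) return false; ram_wr(m, i, 0x00u); }
    for (i = RAM_CELLS; i-- > 0;)   { if (ram_rd(m, i) != 0x00u) return false; ram_wr(m, i, 0xFFu); }
    for (i = RAM_CELLS; i-- > 0;)   { if (ram_rd(m, i) != 0xFFu) return false; ram_wr(m, i, 0x00u); }
    for (i = 0; i < RAM_CELLS; i++) { if (ram_rd(m, i) != 0x00u) return false; }
    return true;
}

/* Builds a simulated RAM with the given faults and runs the march test on it. */
bool ram_test_with_faults(int stuck_idx, int agg, int vic, int alias_from, int alias_to) {
    SimRam m = { {0}, stuck_idx, agg, vic, alias_from, alias_to };
    return march_c_minus(&m);
}
```

The descending elements are what catch a coupling or aliasing fault whose aggressor has a lower address than its victim; a simple ascending write-then-read pass would miss it.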
Page 12
Software development and computation proposals
Every effort must be made to negate the need to qualify software and the tooling.
Qualification is expensive, limits configurations, freezes release levels, and is difficult or impossible to prove.

Programming model | Code generator | Compiler/linker | Libraries | Data/structures | Computing cores (hardware)            | Method proposal
Common            | Common         | Common          | Common    | Common          | One core                              | No failure consideration (neither transient nor static errors detected)
Common            | Common         | Common          | Common    | Redundant       | One core (double calculation)         | Calculate the same algorithm twice, for transient errors
Common            | Common         | Common          | Common    | Redundant       | Redundant (e.g. lockstep)             | Calculate the algorithm twice, for transient errors
Common            | Common         | Diverse         | Diverse   | Redundant       | Common (running diverse code set)     | Compile the code twice with different optimization levels, for diversity
Common            | Common         | Diverse         | Diverse   | Redundant       | Diverse (e.g. TriCore + PCP)          | Use an asymmetric core system with two different tool chains
Common            | Diverse        | Diverse         | Diverse   | Redundant       | Common (running diverse code set)     | Add diverse code generation (e.g. auto + complex code)
Diverse           | Diverse        | Diverse         | Diverse   | Redundant       | Diverse (e.g. TriCore + PCP)          | Fully diverse development

The slide groups the rows by what they detect: the first row detects nothing; the two redundant rows address transient errors; the diverse rows additionally address static errors.
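The redundancy versus diversity distinction in the table, as an added example that is not from the presentation: two independently written median-of-three sample filters (a common plausibility filter; the functions, inputs and fault models are constructed for this illustration). Running one algorithm twice catches an injected transient bit flip but accepts a systematic error because both runs repeat it; comparing two diverse implementations catches the systematic error as well.

```c
#include <stdbool.h>
#include <stdint.h>

typedef int32_t (*median3_fn)(int32_t, int32_t, int32_t);

#define MISMATCH INT32_MIN  /* comparator output when the two results disagree */

/* Implementation A: median of three samples via a min/max sorting step. */
int32_t median3_a(int32_t a, int32_t b, int32_t c) {
    int32_t lo = a < b ? a : b;
    int32_t hi = a < b ? b : a;
    if (c < lo) return lo;
    if (c > hi) return hi;
    return c;
}

/* Implementation B: the same function written with explicit ordering tests
 * (the diverse code set of the table). */
int32_t median3_b(int32_t a, int32_t b, int32_t c) {
    if ((a >= b && a <= c) || (a <= b && a >= c)) return a;
    if ((b >= a && b <= c) || (b <= a && b >= c)) return b;
    return c;
}

/* Constructed systematic (static) fault: a mis-generated variant of A that returns
 * the upper value when the new sample lies below both others. Every execution
 * repeats the same wrong answer. */
int32_t median3_a_buggy(int32_t a, int32_t b, int32_t c) {
    int32_t lo = a < b ? a : b;
    int32_t hi = a < b ? b : a;
    if (c < lo) return hi;
    if (c > hi) return hi;
    return c;
}

/* Runs f, then g, on the same inputs and compares the results.
 * f == g is the redundant scheme (same algorithm twice); two different
 * implementations is the diverse scheme. transient_mask XORs the first result
 * to simulate a single-event upset that hits run 1 only. */
int32_t compare_and_vote(median3_fn f, median3_fn g,
                         int32_t a, int32_t b, int32_t c, uint32_t transient_mask) {
    int32_t r1 = (int32_t)((uint32_t)f(a, b, c) ^ transient_mask);
    int32_t r2 = g(a, b, c);
    return r1 == r2 ? r1 : MISMATCH;
}
```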
Page 13
Robust software partitioning as requirement for functional safety
[Figure: the same stack on a microcontroller (e.g. TriCore + PCP), now partitioned. Safety software driver: functionally independent. Functionally dependent safety-critical software: Application 1a tasks and Application 1b tasks (diversity); Application 2 tasks executed twice (redundancy). Application 3 (Task 1, Task 2): unmonitored tasks. Application 4 (Task 1, Task 2, ...). AUTOSAR* operating system, run-time environment, drivers and communication; microcontroller abstraction layer. *AUTOSAR scalability class 4: memory protection, time protection.]
Page 14
Summary
Increases in affordable computation have the potential to allow autonomous vehicles within the next 10 years.
New powertrain technologies (hybrid and electric drive) mean that drive-by-wire systems will become commonplace.
Automotive software is very expensive to produce and test, so much legacy code needs to be reused.
The ISO 26262 safety standard demands a higher 'degree of rigor' in all aspects of the engineering process.
Use of a common safety diagnostic library (SafeTcore) allows Infineon customers to claim integrity of the host processor system and to focus on application-level safety topics.
Heterogeneous multicores provide certain advantages for safety-relevant embedded automotive control systems, but deeper diagnostic coverage can result in lower system availability.