safety mit professionellen sw-komponenten › fileadmin › documents › misc › ... ·...

Building a safe and secure embedded world

Michael Weiß, Senior Account Manager

Safety mit professionellen SW-Komponenten

“Sicherheit” – What is Security and Safety?

Security

Protect the System against

unauthorized

external influence

Safety

Avoid harm and injuries caused by

malfunctioning

of the System

Security SafetySafe and Secure System

211.09.2018 Copyright © Hitex GmbH 2018. All rights reserved.

Functional safety definition

Functional safety is about “absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E systems”

Hazards: “potential source of harm”

Harm: “physical injury or damage to the health of persons”

Failures are the main impairment to safety:

Systematic failures: “failure, related in a deterministic way to a certain cause, that can only be eliminated by a change of the design or of the manufacturing process, operational procedures, documentation or other relevant factors”

Random HW failures: “failure that can occur unpredictably during the lifetime of a hardware element and that follows a probability distribution”


Systematic Failures vs. Random Failures

Systematic-Inherently Unsafe Random-Sometimes Unsafe


Safety Standards


ISO26262Automotive

ISO13849Machinery

IEC 501xxRailway

IEC 60335Household appl.

IEC 60601Medical

IEC61508Electrical, electronic and

programmable electronic systems

Safety Standards


ISO26262Automotive

ISO13849Machinery

IEC 501xxRailway

IEC 60335Household appl.

IEC 60601Medical

IEC61508Electrical, electronic and

programmable electronic systems

Class A

Class B

Class C

SIL 1

SIL 2

SIL 3

SIL 4

ASIL A

ASIL B

ASIL C

ASIL D

Cat 1

Cat 2

Cat 3

PL A

PL B

PL C

PL D

Demands of the standards (Safety)

Reduction of

systematically

failures

Reduction of

random

failures

Analyse failures

Reduction of

failures to fulfil

Safety Integrity

Level


In all stages of the development process measures have to be

planned

executed and

documented

to

manage

verify and

assess

functional safety.

V-Model approach

Traceability

Demands of the standards (Systematically failures)


Total failure rate

The proportion of safe failures (Safe Failure

Fraction SFF) describes the proportion of safe

failures towards the total failure rate of a

subsystem.

𝑺𝑭𝑭 =𝚺𝝀𝑺 + 𝚺𝝀𝑫𝑫𝚺𝝀𝒕𝒐𝒕𝒂𝒍

= 𝟏 −𝚺𝝀𝑫𝑼𝚺𝝀𝒕𝒐𝒕𝒂𝒍

The diagnostic coverage (DC) describes how

many dangerous failures can be detected. 𝑫𝑪 = 𝟏 −𝜮𝝀𝑫𝑼

𝜮𝝀𝑫=

𝝀𝑫𝑫

𝝀𝑫

Demands of the standards (Statistical failures)

Detected

Undetected

𝜆𝑆𝐷

𝜆𝑆𝑈

Detected

Undetected

𝜆𝐷𝐷

𝜆𝐷𝑈

Safe 𝜆𝑆

Dangerous 𝜆𝐷

𝜆𝑡𝑜𝑡𝑎𝑙


Copyright © Hitex GmbH 2018. All rights reserved. 11

Risk Reduction to fulfil Safety Integrity Level

11.09.2018

0

Ris

k

Tolerable Risk

With

Safety

Measure

n

With

Safety

Measure

…

With

Safety

Measure

5

With

Safety

Measure

4

With

Safety

Measure

3

With

Safety

Measure

2

With

Safety

Measure

1

Product

without any

safety

measures

Residual Risk

Necessary minimal risk reduction

Actual risk reduction

Safety Mechanism – Overview

Safety Element out of Context (SEooC) Safety System/Item

Hardware

Safety

Mechanisms

(ESM)

External Safety

Mechanisms

Safety

Mechanisms


Safety mechanism = Technical solution to detect faults or control failures in order to achieve or maintain a safe state.

Measures to avoid faults

Measures to control faults

Safety mechanism effective within the element (Structural & Functional Measures)

Safety measurers applied during development of element (Procedural Measures)

Safety mechanisms are classified as:

Hardware safety mechanism [HW]

External safety mechanisms [ESM

Safety Mechanism – Definition & Classification


Solutions and Productsfrom Hitex

Only drivers for safety or security critical peripherals have to be developed according to process

Access to peripherals needed by the SafeTpack is included in the SafeTpack

Write from scratch

Low Level Drivers

• AURIX™ User Manual is extensive

• Relations of peripherals may be complex

• If development process needed big effort

AURIX™ Experts can do it faster




Write from scratch

Use free iLLD drivers

Low Level Drivers

• Easier to understand than User Manual

• Examples available

• No safety documentation like specification

and validation documents




Write from scratch


Buy MCAL drivers

Low Level Drivers

• AUTOSAR compatible

• SDHB, as Infineon Development Standard,

has been extended to support Safety ISO26262

• ASPICE L2 aligned process for AURIX™ TC3x MCAL

• Configuration with TRESOS Studio

• Configuration and Integration Service

offered by Hitex




Write from scratch


Buy MCAL drivers

Buy Hitex industrial drivers

Low Level Drivers

• Developed according to

ISO26262 ASIL B & IEC61508

• Full validation on request

• Available for MCU, IO, ADC, GTM,

MultiCan, Quad Encoder,

Hall Encoder, QSPI, ASC


MCAL DriversInfineon MC-ISAR Packages

AUTOSAR MCAL Driver for AURIX™ Family MC-ISAR Product Overview


Application Layer

AUTOSAR Run Time Enviroment (RTE)

System ServicesMemory Services

Communication Services

I/O Hardware Abstraction

Complex Device Driver

On-Board Device Abstraction

Memory Abstraction

Communication Abstraction

MCU

WD

G

GPT

FLS

RAM

TEST

SPI

LIN

CAN

Fle

xRay

PO

RT

DIO

ICU

PW

M

AD

C

SCI

MEM

Check

FAD

C

...

MCAL

Microcontroller

Infineon MC-ISAR driver (MicroController Infineon Software ARchitecture) Enabled via partners

AUTOSAR in production since 2009

21Copyright © Hitex GmbH 2019. All rights reserved

Product Sheet

Autosar MCAL Drivers for AURIX™ 2G Family

Device AURIX TC3xx TC39xB / TC38x / TC37x / TC36x / TC35x / TC 33x

Safety claim at Production Release PR

AUTOSAR version 4.2.2

MCAL drivers

MC-ISAR Basic

package

MCU

Port

DIO

ICU (supporting GTM, CCU6 and GPT12)

GPT

PWM (supporting GTM and CCU6)

SPI

ADC (feature set 3)

WDG

OCU

FLS

FEE (feature set 2)

CAN

CanTrcv

LIN

BFX

CRC

MC-ISAR COM Enhanced package

FlexRay

Ethernet ASIL D process to ensure freedom from

interference in memory space

MC-ISAR MCD

MCAL Complex Drivers

DS-ADC

DMA

FLSloader

Demo code / App note : HSSL , SENT, SMU

ASIL B functionality claim

Except for FLSloader

ASIL D process to ensure freedom from interference in memory space

Configuration tool Tresos

Compiler - migrate to TASKING 6.2r2- HighTec GNU 4.9.2.0- Wind River v5.9.6.4 -Greenhills (version to be defined) for TC38x, TC35x, TC36x; availability to be discussed on request

Delivery package Source code, Documentation

ASIL B functionality claim

Except for CAN, CanTrcv, LIN

ASIL D process to ensure freedom from interference in memory space

Copyright © Hitex GmbH 2019. All rights reserved

Infineon Microcontroller: Software Quality

22Copyright © Hitex GmbH 2019. All rights reserved

› Standard and tailored development process SDHB established

› SDHB, as Infineon Development Standard, has been extended to support Safety ISO26262

› ASPICE L2 aligned process for AURIX™ TC3x MCAL

› 6 processes at L3

› 4 processes at L2

Qualified software releases

Building a safe and secure embedded world

Hitex SafeTpack– AURIX™ 2G Safety Software

More safety and security inside? We ensure it!

Version 1.8 2019-07-19

What‘s new in AURIXTM second Generation (A2G) TC3xx

More productivity with Hitex SafeTpackfor ISO 26262 &

IEC 61508

Copyright © Hitex GmbH & Hitex (UK) Ltd. 2019. All rights reserved.

Hitex A2G SafeTpack is a complete safety manager for the AURIX™ second generation (A2G) 32-bit safety microcontrollers that provides a shortcut to implementing the Safety Manual requirements.

Like the PRO- SILTM SafeTlib for AURIX™ TC2xx first generation, it provides a rapid and straightforward way to achieve ISO26262 or IEC61508 certification for safety applications using TC3xx second generation devices.

Retains the existing PRO-SILTM SafeTlib APIs.

Migration of TC2xx safety applications to TC3xx is made simpler.

AURIX™ 2G TC3xx SafeTpack – Key Facts

25Copyright © Hitex GmbH & Hitex (UK) Ltd. 2019. All rights reserved.

AURIXTM 2G does not need the SafeTlibTM MicroTest library but…

You still need to:

Manage and test the TLF35584 safety watchdog

Manage the internal watchdogs

Run the LBIST (Logical Built-In Self Test), MBIST (Memory BIST), MONBIST (Monitor BIST) … for details see end of presentation …

Run ASIL-D checks of critical SFRs (Special Function Register)

Run the CPU and SPU SBSTs (self-test for non-lockstep core)

Implement the ESMs (External Safety Mechanism) functions

Handle safety-relevant errors

These functions have a huge effect on the overall SPFM (Single Point Fault Metric), LFM (Latent Fault Metric) and overall FIT (Failure In Time) rate of the system.

SafeTlibTM vs SafeTpack


A2G SafeTpack has four main sections:

Test library/Test Handler

Internal/external safety watchdog interface and associated drivers

Signature Monitor/error reporting system

Safety Management Unit (SMU) driver (provided by IFX)

A2G SafeTpack can be used either with or without AUTOSAR (AS4.x.x).

Constitutes an AUTOSAR complex driver.

100% compatible with the Infineon MCAL

Can still be used independently

Inside A2G SafeTpack


Inside A2G SafeTpack


The Test Library includes a Test Handler that launches the TC3xx built-in hardware test functions:

LBIST, MONBIST and MBIST

LBIST replaces SafeTlib (A1G) Latent Fault Metric tests

• User can configure LBIST activation method and result handling

Optional SBST for the non-lockstep mode of the Signal Processing Units (ASIL-C) and non-lockstep AURIX™ CPU cores (ASIL-B).

Support for redundant SFR configuration checking for ASIL-D.

Test Manager reports any errors via

Application call-back.

Predefined 32-bit test result signature value, which is passed to the Signature Monitor.

Tests are activated and configured using the Tresos Studio environment.

Test Library & Test Manager

29Copyright © Hitex GmbH & Hitex (UK) Ltd. 2019. All rights reserved

SafeTpack Overview


APPLICATION SW STARTUP:

During Application SW startup, the user isresponsible for executing a number ofoperations for ensuring the absence oflatent faults and correctly initialize theMCU before starting the runtimeexecution.

SafeTpack Overview


SMC[SW]:MCU:LBIST_CFG

ESM[SW]:MCU:LBIST_RESULT

SMC[SW]:PMS:MONBIST_CFG

ESM[SW]:PMS:MONBIST_RESULT

ESM[SW]:SYS:MCU_FW_CHECK

ESM[SW]:SMU:ALIVE_ALARM_TEST

SMC[SW]:VMT:MBIST

ESM[SW]:VMT:MBIST

ESM[SW]:DTS:DTS_RESULT

ESM[SW]:SMU:REG_MONITOR_TEST

ESM[SW]:AMU.LMU_DAM:REG_MONITOR_TEST

ESM[SW]:CIF.RAM:REG_MONITOR_TEST

ESM[SW]:CPU.DCACHE:REG_MONITOR_TEST

ESM[SW]:CPU.DLMU:REG_MONITOR_TEST

ESM[SW]:CPU.DSPR:REG_MONITOR_TEST

ESM[SW]:CPU.DTAG:REG_MONITOR_TEST

ESM[SW]:CPU.PCACHE:REG_MONITOR_TEST

ESM[SW]:CPU.PSPR:REG_MONITOR_TEST

ESM[SW]:CPU.PTAG:REG_MONITOR_TEST

ESM[SW]:DMA.RAM:REG_MONITOR_TEST

ESM[SW]:EMEM.RAM:REG_MONITOR_TEST

ESM[SW]:ERAY.RAM:REG_MONITOR_TEST

ESM[SW]:GETH.RAM:REG_MONITOR_TEST

ESM[SW]:GTM.RAM:REG_MONITOR_TEST

ESM[SW]:HSPDM.RAM:REG_MONITOR_TEST

ESM[SW]:LMU.RAM:REG_MONITOR_TEST

ESM[SW]:MCMCAN.RAM:REG_MONITOR_TEST

ESM[SW]:PSI5.RAM:REG_MONITOR_TEST

ESM[SW]:SCR.RAM:REG_MONITOR_TEST

ESM[SW]:SDMMC.RAM:REG_MONITOR_TEST

ESM[SW]:SPU.BUFFER:REG_MONITOR_TEST

ESM[SW]:SPU.CONFIG:REG_MONITOR_TEST

ESM[SW]:SPU.FFT:REG_MONITOR_TEST

ESM[SW]:TRACE.TRAM:REG_MONITOR_TEST

SafeTpack implements the following ESMs and SMCs:

SafeTpack Overview


SFR Test module of SafeTpack can be used to realise:

ESM[SW]:SYS:MCU_STARTUP

ESM[SW]:CPU:AP_CHECK

ESM[SW]:CPU:BUS_MPU_INITCHECK

ESM[SW]:CPU:CODE_MPU_CHECK

ESM[SW]:CPU:DATA_MPU_CHECK

ESM[SW]:CPU:SFR_TEST

SafeTpack’s watchdog driver and the optional Program Flow Monitor module can be used to realise:

ESM[SW]:SYS:SW_SUPERVISION

ESM[SW]:CPU:SOFTERR_MONITOR

SMU driver (from IFX MCAL CD package) can be used to realise SMC[SW]:SMU:CONFIG

Optional CPU SBST module can be used to realise ESM[SW]:CPU:SBST

Optional SPU SBST module can be used to realise ESM[SW]:SPU:SBST

SafeTpack Tresos Configuration


TLF35584 driver Tresos configuration menu

TC399 LBIST driver Tresos configuration menu

Signatures from the test library are fed via the Signature Monitor to refresh the watchdog

Incorrect signature(s) causes safe state to be entered.

Safety Watchdog Interface can be extended to collect signatures from optional External Safety Measure (ESM) modules

Hitex Program Flow Monitor (HtxPfm)

ADC self-test, broken wire detection etc.

Redundantly implemented SFR checks

DMA monitor (no signature)

SBST (CPU & SPU)

+ others

Test Signature Management


HtxTLF35584 Test module provides the ESM TLF35584 startup tests

Window Watchdog Test

Functional Watchdog Test

Error Pin Monitor Test

Analog built-in Self-Test (ABIST) etc.

as per the TLF35584 safety Manual.

HtxPFM Program Flow Monitor (D.2.9.5, ASIL-D)

Add-on is able to verify that tasks and functions are called in the expected order.

Runs on all cores and the status is reported via the signature manager to the external functional watchdog device.

Extended TLF35584 Support


Allows user to configure internal and external actions for SMU alarms

Driver comes from IFX MCAL and is part of the MCAL package

For non AUTOSAR/MCAL environments SMU driver will be provided as optional module

Alarms may be configured for SafeTpack start-up phase

Alarms may be configured for application run phase

Safety Management Unit Driver & Configurator


A2G SafeTpack is a software component of a larger user-defined system

For ASIL-B

Supplied as source code with reference application

ISO26262-style Safety Manual and Safety Case Report.

Hitex can provide assistance with the user’s certification procedure by special arrangement.

A2G SafeTpack may be used at up to ASIL-D

subject to special measures being taken by the user.

Roadmap for IEC61508 and ISO13849

SafeTpack Usage In ISO26262, IEC61508 …


SBST Non-Lockstep CPUs

Add-on module contains the Infineon SBST for non-locked step CPUs that are to be used for ASIL-B.

Manages the SBST slices and reports the output status through the signature management system.

SBST For Signal Processing Unit

Add-on module contains the Infineon SBST for the non-locked step SPU that is to be used for ASIL-C.

manages the SBST slices and reports the output status through the signature management system.

Optional Modules provided by Infineon


Highly recommended to integrate A2G SafeTpack with your application at the earliest possible stage.

The Trial Version package is recommended for this.

Completely representative of the ASIL-B version

Acts as a functional placeholder during early product development on standard Infineon and Hitex A2G boards.

Ensures that the TLF35584 is correctly serviced and that the basic testing and error reporting system is in place from the start of the project.

When transferring to custom hardware, the A2G SafeTpack ASIL-B version is required

Allows full configuration, continued development and final release.

Working With A2G SafeTpack


AURIX™ Toolchain Support

Tasking v6.2r2p2

Hightec GCC v4.9.2

On request: GHS, Windriver/Diab.

SafeTpack Compiler Support & Roadmap


Device Alpha Beta RC PR

TC39x available Nov 2019 Dec 2019 Q1 2020

TC38x available Oct 2019 Dec 2019 Q1 2020

TC37x On Request Dec 2019 Jan 2020 Q2 2020

RC = Release CandidatePR = Production Release .. 3 months after RC

Consulting

Functional Safety Consulting

How to achieve required ASIL or SIL with AURIXTM and SafeTpack

Training

AURIXTM Training

How to use and integrate SafeTpack

Functional Safety Training

Integration service

Development service to integrate SafeTpack in your special application

Global Support via Partners

Hitex Services for SafeTpack


Trial / Evaluation version - Free of charge

Fully functional, partial source code/object library with a Getting Started guide, limited configurator and basic documentation, supplied with simple reference application showing A2G SafeTpack usage.

For evaluation purposes only on Infineon and Hitex evaluation boards.

Allows the correct servicing of the internal or TLF35584 safety watchdogs.

ASIL-B Development & Production Version

Fully functional source code with Tresos configurator

Simple reference application showing A2G SafeTpack usage

ISO26262 Safety Manual and Safety Case Report.

A2G SafeTpack Formats


Summary

AURIX™ has a complete environment feasible for safety and security

AURIX™ hardware is designed for safety

Functional safety has high demands on development cycle and microcontroller tests

Make or buy decision is influenced by safety and security demands

AURIX™ safety and security experts are increasing speed and reliability

Summary


Stay in contact with us …

Michael Weiß

Senior Account Manager

Embedded Solutions

Tel. +49 721 9628-144

Fax. +49 721 9628-149

E-Mail [email protected]

Beray Yilmaz

Account Manager PDH & Middleware

Tel. +49 721 9628-145

Fax. +49 721 9628-149

E-Mail [email protected]


safety mit professionellen sw-komponenten › fileadmin › documents › misc › ... ·...

Documents