Functional Safety
Multicore Motivation
ISO13849
Implemented Software
Architecture
Hardware Features for Freedom from Interference
Error Handling
Conclusion and Outlook
Functional Safety on Multicore Microcontrollers for Industrial Applications | Embedded World Conference 2016
Thomas Barth | University of Applied Sciences Darmstadt, 24.09.2016
Functional Safety Overview
[Figure: classic two-controller safety architecture]
Signal chain: Disturbance, Sensors, Logic (Controller 1), Actuators, User: "Safe!"
Controller 2 acts as Monitor, coupled to Controller 1 over an external MLI link.
Open questions on the slide: latency of the external MLI communication? Costs of two discrete controller devices?
Proposed replacement: a single automotive AURIX TC27x.
ISO 13849
[Figure: Category 2 architecture, PL (Performance Level) selection chart, Category 3 architecture. Source: ISO 13849]
Freedom from Interference
Data Domain
One core must not corrupt the data of other cores.
Resource Domain
Cores must not corrupt the configuration, inputs or outputs of shared
resources and peripherals. Safety-critical peripherals such as the bus or the PLL
have to be protected against unintentional reconfiguration.
Time Domain
A core must not block a shared resource for too long, and an application must
not consume more CPU time than its budget. When cores interact, the timing
behaviour of each core has to remain consistent, i.e. a misbehaving core must not
be able to delay another core's safety function.
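The two time-domain requirements above can be checked mechanically against an execution trace. The following is an added example, not code from the presentation: a constructed monitor that assigns each core a CPU-time budget per period and each shared resource a maximum hold time, then reports every overrun in a constructed trace. The period, budgets, resource names and trace are all invented for illustration.

```python
"""Time-domain monitor over a constructed execution trace (added example).
Two checks: per-core CPU budget per period, and maximum hold time of a
shared resource (lock on a peripheral or shared RAM) by any one core."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    t_start: int            # microseconds, constructed time base
    t_end: int              # exclusive end time
    core: int
    task: str
    resource: Optional[str] = None   # shared resource held during the event


@dataclass
class TimeDomainPolicy:
    period_us: int
    cpu_budget_us: Dict[int, int]    # core -> max busy time per period
    max_hold_us: Dict[str, int]      # resource -> max hold time per access


def check_trace(trace: List[Event], policy: TimeDomainPolicy) -> List[str]:
    """Return one string per violation; an empty list means the trace is within policy."""
    violations: List[str] = []
    busy: Dict[tuple, int] = {}      # (core, period index) -> busy time

    for ev in trace:
        # Account busy time per period, splitting events that cross a period boundary.
        t = ev.t_start
        while t < ev.t_end:
            idx = t // policy.period_us
            chunk_end = min((idx + 1) * policy.period_us, ev.t_end)
            busy[(ev.core, idx)] = busy.get((ev.core, idx), 0) + (chunk_end - t)
            t = chunk_end
        # Resource hold-time check: blocking a shared resource too long delays other cores.
        if ev.resource is not None:
            hold = ev.t_end - ev.t_start
            limit = policy.max_hold_us.get(ev.resource)
            if limit is not None and hold > limit:
                violations.append(
                    f"core {ev.core} task {ev.task} held {ev.resource} "
                    f"for {hold} us (limit {limit})")

    for (core, idx), used in sorted(busy.items()):
        limit = policy.cpu_budget_us[core]
        if used > limit:
            violations.append(f"core {core} used {used} us in period {idx} (budget {limit})")
    return violations


# Constructed sample: 1 ms period, 800 us budget per core, SPI lock held at most 200 us.
POLICY = TimeDomainPolicy(period_us=1000, cpu_budget_us={1: 800, 2: 800},
                          max_hold_us={"spi0": 200})
TRACE = [
    Event(0, 300, 1, "control"),
    Event(300, 450, 1, "spi_tx", "spi0"),       # 150 us hold: fine
    Event(0, 200, 2, "monitor"),
    Event(1000, 1900, 2, "diag"),                # 900 us in period 1: over budget
    Event(1100, 1600, 1, "spi_tx", "spi0"),     # 500 us hold: blocks core 2 too long
]


def demo() -> List[str]:
    return check_trace(TRACE, POLICY)


if __name__ == "__main__":
    for v in demo():
        print(v)
```

On real hardware the equivalent of `check_trace` is the combination of the per-core watchdog (budget overrun) and the RTOS's lock-hold supervision; the point of the model is that both limits must be stated per core and per resource before they can be enforced.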
Implemented Software Architecture
[Figure: implemented software architecture; only the "Drivers" labels of the diagram survived extraction]
Available features for Freedom from Interference on the AURIX
Time Domain
- Core separation
- Internal watchdog
- Safety watchdog
Resource Domain
- Register access protection (RAP)
- Memory protection unit (MPU)
- Privilege level
- ENDINIT and S(afety)ENDINIT signals
CPU-MPUs with RTOS
The primary feature for freedom from interference is the CPU-MPU.
Every core is equipped with its own CPU-MPU, which checks the core's
outgoing accesses and distinguishes between read, write and execute access.
Bus-MPU / Register Access Protection (RAP)
While the CPU-MPUs only check outgoing traffic, the Bus-MPUs and RAPs
check incoming traffic at the target and allow memory ranges and peripherals
to be assigned to certain cores. Only write access can be restricted, so the
bus-side protection prevents corruption of a resource, not reading it; a core
that must not read a region still needs a matching CPU-MPU rule.
[Figure: bus with Bus-MPU / RAP in front of the target]
Data- and Resource-Domain protection
The CPU-MPUs, together with a safety RTOS such as PxROS, have proven to be
an easy-to-use feature for data-domain protection.
RAP can be used to secure safety-critical peripherals such as the PLL
against reconfiguration, independently of how a core's own MPU is set up.
Error Handling
[Figure: error sources]
- Errors the core itself detects (traps)
- Errors such as hardware faults or access violations on a global scope
Error Handling
[Figure: error sources, handlers and escalation strategies]
Error sources: OS errors / traps (e.g. wrong address), SW alarms, timeouts.
Handlers and escalation strategies: the trap handler, e.g. logging of the event,
and the decision whether system integrity is still given.
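The CPU-MPU / Bus-MPU-RAP layering and the trap-handling path described in the sections above can be modelled end to end. The following is an added example, not code from the presentation, from Infineon, or from any RTOS: a constructed model with a per-core MPU that checks outgoing accesses for read/write/execute, a bus-side RAP that restricts writes by core (and never reads, matching the caveat above), and a trap handler that logs every violation and decides between terminating the offending task and entering a safe state. Address ranges, core numbers, task names and the escalation policy are all assumptions made for illustration.

```python
"""Model of CPU-MPU (outgoing), bus-side RAP (incoming, write-only) and trap
escalation (added example; addresses and policy are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

R, W, X = 1, 2, 4     # access kinds as permission bits


@dataclass
class Region:
    start: int
    end: int          # exclusive
    perms: int


class CpuMpu:
    """Per-core MPU: checks the core's own outgoing accesses for R/W/X."""
    def __init__(self) -> None:
        self.regions: List[Region] = []

    def allow(self, addr: int, kind: int) -> bool:
        return any(r.start <= addr < r.end and r.perms & kind for r in self.regions)


class BusRap:
    """Bus-side protection: per range, the set of cores allowed to write it.
    Reads are never restricted here, so a read rule must live in the CPU-MPU."""
    def __init__(self) -> None:
        self.rules: List[Tuple[int, int, frozenset, bool]] = []

    def add(self, start: int, end: int, writers, safety_critical: bool = False) -> None:
        self.rules.append((start, end, frozenset(writers), safety_critical))

    def check(self, core: int, addr: int, kind: int) -> Tuple[bool, bool]:
        """Return (allowed, safety_critical)."""
        if kind != W:
            return True, False
        for start, end, writers, crit in self.rules:
            if start <= addr < end:
                return core in writers, crit
        return True, False          # unprotected range


@dataclass
class Trap:
    source: str                     # "cpu_mpu" or "bus_rap"
    core: int
    task: str
    addr: int
    kind: int
    safety_critical: bool = False


class TrapHandler:
    """Logs each trap and decides whether system integrity is still given."""
    def __init__(self) -> None:
        self.log: List[Trap] = []
        self.killed = set()
        self.safe_state = False

    def handle(self, trap: Trap) -> str:
        self.log.append(trap)
        # A bus-side trap means the core's own MPU let the access through, so the
        # core configuration itself is suspect; for a safety-critical target that
        # is escalated to the safe state, otherwise only the task is terminated.
        if trap.source == "bus_rap" and trap.safety_critical:
            self.safe_state = True
            return "safe_state"
        self.killed.add((trap.core, trap.task))
        return "task_terminated"


class System:
    def __init__(self) -> None:
        self.mpus: Dict[int, CpuMpu] = {}
        self.rap = BusRap()
        self.handler = TrapHandler()

    def access(self, core: int, task: str, addr: int, kind: int) -> str:
        if not self.mpus[core].allow(addr, kind):            # first line of defence
            return self.handler.handle(Trap("cpu_mpu", core, task, addr, kind))
        allowed, crit = self.rap.check(core, addr, kind)     # second line, at the target
        if not allowed:
            return self.handler.handle(Trap("bus_rap", core, task, addr, kind, crit))
        return "ok"


# Constructed memory map (not the real AURIX map).
CORE1_RAM = (0x70000000, 0x70010000)
CORE2_RAM = (0x60000000, 0x60010000)
SHARED = (0x90000000, 0x90001000)
PLL = (0xF0036000, 0xF0036100)
FLASH = (0x80000000, 0x81000000)


def build_system() -> System:
    s = System()
    for core, ram in ((1, CORE1_RAM), (2, CORE2_RAM)):
        mpu = CpuMpu()
        mpu.regions += [Region(*ram, R | W), Region(*SHARED, R | W), Region(*FLASH, R | X)]
        s.mpus[core] = mpu
    s.mpus[2].regions.append(Region(*CORE1_RAM, R))     # monitor may read core 1 state
    s.mpus[1].regions.append(Region(*PLL, R | W))       # deliberate misconfiguration
    s.rap.add(*CORE1_RAM, writers={1})
    s.rap.add(*CORE2_RAM, writers={2})
    s.rap.add(*PLL, writers=set(), safety_critical=True)  # no reconfiguration after init
    return s


def scenario() -> Tuple[List[str], TrapHandler]:
    s = build_system()
    results = [
        s.access(1, "control", CORE1_RAM[0] + 0x10, W),   # own RAM: ok
        s.access(2, "monitor", CORE1_RAM[0] + 0x10, R),   # read passes MPU; RAP ignores reads
        s.access(2, "monitor", CORE1_RAM[0] + 0x10, W),   # caught by core 2's CPU-MPU
        s.access(1, "control", CORE1_RAM[0] + 0x40, X),   # no execute from RAM
        s.access(1, "control", PLL[0] + 0x04, W),         # passes bad MPU, caught by RAP
    ]
    return results, s.handler


if __name__ == "__main__":
    res, h = scenario()
    print(res, "safe_state=%s" % h.safe_state)
```

The last access is the case the RAP exists for: core 1's own MPU was configured to permit the write, and only the write-restriction at the PLL stops the reconfiguration and triggers escalation to the safe state.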
Conclusion
Outlook
Contact
BACKUP
Bus-MPUs
[Figure: a task on a core accesses RAM over the bus; the Bus-MPU in front of the RAM assigns memory ranges to cores]
Register Access Protection (RAP)
The granularity depends on the peripheral; for GPIOs, each port can be
assigned to a core.
[Figure: a task on a core accesses peripheral registers over the bus; the RAP in front of the peripheral filters write access]
Future architecture?
[Figure: single multicore controller. Core 1 runs the Input, Control and Output path; Core 2 runs the Monitor. Question on the slide: freedom from interference?]
Multicore Motivation