Compilers for Embedded Systems


7/28/2019 Compilers for Embedded Systems

http://slidepdf.com/reader/full/compilers-for-embedded-systems 1/130



Compilers

Translate high-level language programs to machine instructions of target processors

Compilers need to exploit characteristics of the target processor


Compilation

Compilation strategy (Wirth):

compilation = translation + optimization

Compiler determines quality of code:

use of CPU resources;

memory access scheduling;

code size.


Basic compilation phases

HLL -> parsing, semantic analysis, symbol table -> machine-independent optimizations -> machine-dependent optimizations -> m/c code


Why are compilers an issue?

Processor architectures for embedded systems exhibit special features

High levels of optimisation are more important than high compilation speed

Compilers potentially help to meet and prove real-time constraints

Optimisation of instruction sets of processors using retargetable compilers

Design space exploration


Energy Aware Compilation

Energy saving is essential for battery-powered devices

Compiler optimisation of the machine code can reduce energy consumption

Power models form an essential ingredient


Optimization for low-energy the same as optimization for high performance?

High-performance if available memory bandwidth fully used;

Low-energy consumption if memories are at stand-by mode

Reduced energy if more values are kept in registers


Power Models

An example:

Provides base costs and inter-instruction costs

Base costs of an instruction correspond to energy consumed per instruction execution if an infinite sequence of that instruction is executed

Inter-instruction costs model the additional energy consumed by the processor if the instruction changes

Additional cost of switching functional units on and off


Another Energy Model

[Figure: ARM7 core (ALU, multiplier, barrel shifter, register file, instruction decoder and control logic) supplied from VDD, connected to the instruction memory (Instr, IAddr) and the data memory (Data, DAddr); the instruction fields are Imm, Reg#, Reg Value and Opcode]

$$E_{total} = E_{cpu\_instr} + E_{cpu\_data} + E_{mem\_instr} + E_{mem\_data}$$


Instruction dependent Costs

Cost of a sequence of m instructions

$$
\begin{aligned}
E_{cpu\_instr} ={} & MinCostCPU(Opcode_i) \\
& + \alpha_1 \cdot w(Imm_{i,j}) + \beta_1 \cdot h(Imm_{i-1,j}, Imm_{i,j}) \\
& + \alpha_2 \cdot w(Reg_{i,k}) + \beta_2 \cdot h(Reg_{i-1,k}, Reg_{i,k}) \\
& + \alpha_3 \cdot w(RegVal_{i,k}) + \beta_3 \cdot h(RegVal_{i-1,k}, RegVal_{i,k}) \\
& + \alpha_4 \cdot w(IAddr_i) + \beta_4 \cdot h(IAddr_{i-1}, IAddr_i) \\
& + FUCost(Instr_{i-1}, Instr_i)
\end{aligned}
$$

w: number of ones;

h: Hamming distance;

FUCost: cost of switching functional units

$\alpha$, $\beta$: determined through experiments


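Other costs

$$
\begin{aligned}
E_{cpu\_data} ={} & \alpha_5 \cdot w(DAddr_i) + \beta_5 \cdot h(DAddr_{i-1}, DAddr_i) \\
& + \alpha_6 \cdot w(Data_i) + \beta_6 \cdot h(Data_{i-1}, Data_i)
\end{aligned}
$$

$$
\begin{aligned}
E_{mem\_instr} ={} & MinCostMem(InstrMem, Word\_width_i) \\
& + \alpha_7 \cdot w(IAddr_i) + \beta_7 \cdot h(IAddr_{i-1}, IAddr_i) \\
& + \alpha_8 \cdot w(IData_i) + \beta_8 \cdot h(IData_{i-1}, IData_i)
\end{aligned}
$$

$$
\begin{aligned}
E_{mem\_data} ={} & MinCostMem(DataMem, Direction, Word\_width_i) \\
& + \alpha_9 \cdot w(DAddr_i) + \beta_9 \cdot h(DAddr_{i-1}, DAddr_i) \\
& + \alpha_{10} \cdot w(Data_i) + \beta_{10} \cdot h(Data_{i-1}, Data_i)
\end{aligned}
$$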


Energy Aware Optimisations

Energy-aware scheduling

Order of instructions can be changed such that the number of transitions on the instruction bus is minimised

Energy-aware instruction selection

Instead of number of cycles

Operator strength reduction: e.g. replace * by + and <<

Standard compiler optimizations with energy as a cost function


Example

Standard compiler optimisation with consideration for energy

    for i:= 0 to 10 do
      C:= 2 * a[i] + a[i-1];

Converted to

    R2:=a[0];
    for i:= 1 to 10 do
    begin
      R1:= a[i];
      C:= 2 * R1 + R2;
      R2 := R1;
    end;


Exploiting Memory Hierarchy

Smaller memories provide faster access and consume less energy per access

Substantial saving is possible if compilers can exploit existence of scratch pad memories


Using scratch pad memories (SPM)

Scratch pad memories are high-speed on-chip memories

Part of address space

[Figure: address space from 0 to FFF.. with the scratch pad memory mapped into it; memory hierarchy of processor, SPM (no tag memory) and main memory]


Exploitation of SPM

Which segment (array, loop, etc.) is to be stored in SPM?

[Figure: processor with an SPM of capacity K and on-board main memory; candidate program segments are for loops, while and repeat loops, calls, arrays and integer variables; example: an array]


Using SPM

Each basic block and each variable can be modeled as a memory segment i

For each segment there is a corresponding size Si

We can compute the gain Gi of moving segment i to scratch pad memory

The problem can be considered as an optimisation problem


More Formal Representation

Migrating only functions

Symbols:

$S(F_i)$ = size of function i

$n_i$ = number of instruction executions in function i

$e_i$ = energy saved per instruction execution, if $F_i$ is migrated (independent of i)

$E(F_i)$ = energy saved if function $F_i$ is migrated ($= e_i n_i$)

$K$ = size of the scratch pad

$m(F_i)$ = decision variable, 1 if function i is migrated to SPM, else 0

$I$ = set of functions

Integer programming formulation:

Maximize $G = \sum_{i \in I} m(F_i) \, E(F_i)$

Subject to the constraint $\sum_{i \in I} S(F_i) \, m(F_i) \le K$
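The integer program above is a 0/1 knapsack, so for small function sets it can be solved exactly by dynamic programming over the scratch pad capacity. The following C code is an added example, not part of the original slides; the function names, sizes, execution counts, the value of e and the limits MAX_FUNCS and MAX_K are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FUNCS 16    /* assumed upper bound on |I| for this sketch */
#define MAX_K     4096  /* assumed upper bound on the scratch pad size in bytes */

struct func {
    const char   *name;   /* F_i */
    unsigned      size;   /* S(F_i) in bytes */
    unsigned long n_exec; /* n_i: instruction executions taken from a profile */
};

/* Constructed profile data, not measurements from the slides. */
const struct func demo_funcs[] = {
    { "fir_filter", 600, 50000 },
    { "crc16",      300, 40000 },
    { "timer_isr",  500, 45000 },
    { "init",       400,   100 },
    { "log_event",  200, 12000 },
};
#define DEMO_COUNT 5

static unsigned long best[MAX_K + 1];            /* best gain for capacity c */
static unsigned char take[MAX_FUNCS][MAX_K + 1]; /* 1 if F_i improved best[c] */

/*
 * Maximise G = sum m(F_i) * E(F_i) subject to sum S(F_i) * m(F_i) <= K,
 * with E(F_i) = e * n_i (e independent of i, as on the slide).
 * Writes the decision variables m(F_i) into m[0..count-1] and returns G.
 * Returns 0 without touching m if the inputs exceed the sketch limits.
 */
unsigned long spm_select(const struct func *f, int count, unsigned K,
                         unsigned long e, int *m)
{
    if (count < 0 || count > MAX_FUNCS || K > MAX_K)
        return 0;
    memset(best, 0, sizeof best);
    memset(take, 0, sizeof take);

    for (int i = 0; i < count; i++) {
        unsigned long gain = e * f[i].n_exec;      /* E(F_i) */
        if (f[i].size == 0 || f[i].size > K)
            continue;                              /* can never be migrated */
        /* Walk capacities downwards so each function is used at most once. */
        for (unsigned c = K; c >= f[i].size; c--) {
            unsigned long with = best[c - f[i].size] + gain;
            if (with > best[c]) {
                best[c] = with;
                take[i][c] = 1;
            }
        }
    }

    /* Recover m(F_i) by walking the decisions back from capacity K. */
    unsigned c = K;
    for (int i = count - 1; i >= 0; i--) {
        m[i] = take[i][c];
        if (m[i])
            c -= f[i].size;
    }
    return best[K];
}

int main(void)
{
    int m[DEMO_COUNT];
    unsigned long g = spm_select(demo_funcs, DEMO_COUNT, 1024, 2, m);

    for (int i = 0; i < DEMO_COUNT; i++)
        printf("%-10s S=%4u n=%6lu m=%d\n", demo_funcs[i].name,
               demo_funcs[i].size, demo_funcs[i].n_exec, m[i]);
    printf("G = %lu\n", g);
    return 0;
}
```

With the constructed data, taking the most frequently executed functions first (fir_filter, then crc16) fills 900 of the 1024 bytes for a gain of 180000, while the exact solution migrates crc16, timer_isr and log_event.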


Allocation of basic blocks

Fine-grained granularity smoothens dependency on the size of the scratch pad.

Requires additional jump instructions to return to "main" memory.

[Figure: basic blocks BB1 and BB2 in main memory with the jumps Jump1 to Jump4]

For consecutive basic blocks: statically 2 jumps, but only one is taken


Dynamic replacement within scratch pad

Address assignment within SPM required (paging or segmentation-like)

Effectively results in a kind of compiler-controlled segmentation/paging for SPM

Reference: Verma, Marwedel: Dynamic Overlay of Scratchpad Memory for Energy Minimization, ISSS 2004

[Figure: CPU, memory and SPM]


Architecture Specific Adaptation

Compiler to take advantage of the architectural features of the processor

Compiler support generally available for general-purpose micro-controllers and DSPs

ASIPs (Application Specific Instruction Set Processors) and parameterizable processors normally do not have support of good compilers

Machine/assembly code prevents re-usability


Issues

Architectural Retargetability

Compilation tool to adapt to different processor architectures

Code Quality

Compiled solution to exploit all the architectural features of DSP or ASIP architecture

Low cycle count – execution speed

Low instruction count – memory requirement

Compilers try to optimize both


Configurable & Re-configurable Processors

Configurable:

CPU architectural features are selected at design time.

Reconfigurable:

Hardware can be reconfigured in the field.

May be dynamically reconfigured during execution.


Tensilica configurable processors

Configurability:

Processor parameters (cache size, etc.)

Instructions.

Result:

HDL model for processor.

Software development environment.


Application-specific instruction processors

An ASIP is a stored-memory CPU whose architecture is tailored for a particular set of applications.

Programmability allows changes to implementation, use in several different products, high datapath utilization.

Application-specific architecture provides smaller silicon area, higher speed.


ASIP enhancements

Performance/cost enhancements:

special-purpose registers and busses to provide the required computations without unnecessary generality;

special-purpose function units to perform long operations in fewer cycles;

special-purpose control for instructions to execute common combinations in fewer cycles.


ASIP co-synthesis

Given:

a set of characteristic applications;

required execution profiling.

Automatically generate:

Micro-architecture for ASIP core;

Optimizing compiler targeted to the synthesized ASIP.

Implement application using core + compiler.


ASIP design problems

Processor synthesis

choose an instruction set

optimize the datapath

extract the instruction set from the register-transfer design

Compiler design

drive compilation from a parametric description of the datapath and instruction set

bind values to registers

select instructions for code matched to parameterized architecture

schedule instructions

Key Technology: Retargetable Compilers


Retargetable Compiler

Based upon Architectural Model

Generates code for the class of processor architectures that fit its model

Classification Parameters for processor architecture

Arithmetic Specialization

Data type

Code type

Data Stationary

Every instruction controls a set of operations that have to be executed on a data item as it traverses the data pipeline

Time Stationary

Every instruction controls a complete set of operations that have to be executed in a single machine cycle


More Classification Parameters

Memory Structure

Von Neumann or Harvard

Operand Location

Register-Register, Memory-memory, Memory-register

Register Structure

Homogeneous, Heterogeneous

Addressing Mode

Control flow

Standard

Zero-overhead loop: no separate cycles for loop control

Residually controlled: operation depends upon bit values in a control register


Re-targetable compilation

[Figure: application code (for (i=0; i<N; i++) c[i] = xy(a[i],b[i]);), front end, code generation and object code; microarchitectural model and instruction set definition from ASIP core synthesis]


Processor Specification Languages

Netlist-Based Languages

Processor as a netlist of hardware building blocks including data path, memories, instruction decoder, controller.

High Level Languages

Describe processors in terms of structural skeleton, data types, storage elements and description of actual instruction set


Processor Models for Compilation

Template Pattern Bases:

essentially enumerates different partial instructions available in the instruction set; often expressed using a grammar

Graph Model

Represent structural information

Connection-operation graph – net-list

Place-time graph – legal data moves

Instruction set Graph


Instruction selection by template matching

expression: 1 + (a - b)

instruction templates:

plus: op1 + op2

minus: op1 - op2

product: op1 * op2


Tree covering

[Figure: the expression tree 1 + (a - b) covered in two steps (step 1, step 2) with the minus and plus templates]


Use of Retargetable Compilers

Retargetable compilers help in the design space exploration phase of application design process, while tuning an initial architecture towards a given application

Retargetable compiler (in combination with assembler, simulator) provides feedback to the designer about architecture efficiency w.r.t. given application

Retargetable compiler may serve as a starting point for a production compiler, once the architecture is fixed


Summary

We have looked at some compiler related issues

Efficient compilation forms the basis for useful design


Developing Embedded Systems


More on Compilers for Embedded Systems


Compilation for DSPs

Special Instructions

Address generation schemes

Auto-increment/auto-decrement operations

Support for Loop

Compilers should exploit these special features


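Example

Example: Data path ADSP210x

Application: $y[j] = \sum_{i=0}^{n} x[j-i] \cdot a[i]$

$\forall i: 0 \le i \le n: \; y_i[j] = y_{i-1}[j] + x[j-i] \cdot a[i]$

Architecture:

- Parallelism

- Dedicated registers

- No matching compiler: inefficient code

[Figure: ADSP210x data path with a multiplier (registers MX, MY, MF, MR; operations *, +, -), an ALU (registers AX, AY, AF, AR; operations +, -, ..) and an address generation unit (AGU) with address registers A0, A1, A2, ..; the operands y_{i-1}[j], x[j-i], a[i] and the product x[j-i]*a[i] are annotated on the data path, and i+1 and j-i+1 on the AGU addresses for a and x]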


Memory Addressing

Let's have variables a, b, c, d stored in consecutive locations, accessed in the sequence b, d, a, c, d, c using register indirect addressing

A number of address calculation operations are required assuming a single address register A

Auto-increment or decrement cannot take care of access requirements

If layout changes to b, d, c, a

Operations will be A++, A+=2, A--, A--, A++

Most operations executed in parallel with some operation in data path


Example

Variables in a basic block: V = {a, b, c, d}

Access sequence: S = (b, d, a, c, d, c)

Memory layout a, b, c, d (addresses 0, 1, 2, 3), cost: 4

    Load AR,1 ;b
    AR += 2   ;d
    AR -= 3   ;a
    AR += 2   ;c
    AR ++     ;d
    AR --     ;c

Memory layout b, d, c, a (addresses 0, 1, 2, 3), cost: 2

    Load AR,0 ;b
    AR ++     ;d
    AR +=2    ;a
    AR --     ;c
    AR --     ;d
    AR ++     ;c

Ref: Marwedel: Embedded System Design


Generation of Layout

Consider variable access graph

Links for adjacent accesses

Weight = no. of accesses

Maximum linear path

[Figure: variable access graph over a, b, c, d with edge weights, and the maximum linear path through it]


Scheme

Variables connected by links of high weight should be allocated to adjacent memory locations

Number of address calculations saved is proportional to the weight of the corresponding link

Goal is to find a linear path of maximum weight so that linear ordering of variables in memory maximizes use of auto-increment/auto-decrement operations
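The scheme above, applied to the access sequence S = (b, d, a, c, d, c) from the earlier example. The following C code is an added example, not part of the original slides: it builds the variable access graph, counts cost the way the slides do (the initial Load plus every address update that is not an auto-increment or auto-decrement), and picks a layout with a greedy edge selection that stands in for an exact maximum-weight path search. The limit MAXV and all function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAXV 8  /* assumed limit on variables per basic block in this sketch */

enum { A, B, C, D };                           /* variable indices */
const int demo_seq[]    = { B, D, A, C, D, C };  /* S from the slides */
const int layout_abcd[] = { 0, 1, 2, 3 };       /* addr[var] for a,b,c,d */
const int layout_bdca[] = { 3, 0, 2, 1 };       /* addr[var] for b,d,c,a */

/* Cost as counted on the slides: 1 for the initial Load plus 1 for every
 * access that cannot be reached with AR++ / AR-- from the previous one. */
int soa_cost(const int *seq, int len, const int *addr)
{
    if (len <= 0)
        return 0;
    int cost = 1;
    for (int i = 1; i < len; i++)
        if (abs(addr[seq[i]] - addr[seq[i - 1]]) > 1)
            cost++;
    return cost;
}

static int find(const int *comp, int x)
{
    while (comp[x] != x)
        x = comp[x];
    return x;
}

/* Greedy layout: repeatedly take the heaviest access-graph edge whose end
 * points still have fewer than two path neighbours and lie on different
 * paths, then place each resulting path in consecutive addresses.
 * Fills addr[0..nvars-1] and returns the cost, or -1 on invalid input. */
int soa_greedy_layout(const int *seq, int len, int nvars, int *addr)
{
    int w[MAXV][MAXV] = {{0}}, deg[MAXV] = {0}, comp[MAXV], nb[MAXV][2];

    if (nvars < 1 || nvars > MAXV)
        return -1;
    for (int i = 0; i < len; i++)
        if (seq[i] < 0 || seq[i] >= nvars)
            return -1;

    /* Access graph: edge weight = number of adjacent accesses. */
    for (int i = 1; i < len; i++) {
        int u = seq[i - 1], v = seq[i];
        if (u != v) { w[u][v]++; w[v][u]++; }
    }
    for (int v = 0; v < nvars; v++) {
        comp[v] = v;
        nb[v][0] = nb[v][1] = -1;
    }

    for (;;) {
        int bu = -1, bv = -1, best = 0;
        for (int u = 0; u < nvars; u++)
            for (int v = u + 1; v < nvars; v++)
                if (w[u][v] > best && deg[u] < 2 && deg[v] < 2 &&
                    find(comp, u) != find(comp, v)) {
                    best = w[u][v]; bu = u; bv = v;
                }
        if (bu < 0)
            break;
        nb[bu][deg[bu]++] = bv;
        nb[bv][deg[bv]++] = bu;
        comp[find(comp, bu)] = find(comp, bv);
        w[bu][bv] = w[bv][bu] = 0;              /* edge is now on a path */
    }

    /* Walk every path from one of its end points; isolated variables are
     * paths of length one. */
    int next = 0, placed[MAXV] = {0};
    for (int s = 0; s < nvars; s++) {
        if (placed[s] || deg[s] == 2)
            continue;
        for (int prev = -1, cur = s; cur >= 0; ) {
            int n = (nb[cur][0] != prev) ? nb[cur][0] : nb[cur][1];
            addr[cur] = next++;
            placed[cur] = 1;
            prev = cur;
            cur = n;
        }
    }
    return soa_cost(seq, len, addr);
}

int main(void)
{
    int addr[4];
    printf("a,b,c,d: cost %d\n", soa_cost(demo_seq, 6, layout_abcd));
    printf("b,d,c,a: cost %d\n", soa_cost(demo_seq, 6, layout_bdca));
    printf("greedy : cost %d\n", soa_greedy_layout(demo_seq, 6, 4, addr));
    return 0;
}
```

The greedy layout comes out as a, c, d, b, which is the slide's b, d, c, a in reverse order and has the same cost.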


Compilation for Multimedia Processors

In order to support packed data types, compilers must be able to automatically convert operations in loops to operations on packed data types

Combination with zero overhead loop can provide significant speed-up


VLIW

Requires special optimizations

Allocation of tasks to functional units, register paths

Partitioning of computation into multiple paths of execution

Branch delay penalty

Predicated execution to efficiently implement small if statements

Inlining is also very useful for VLIW processors


Interpreters and JIT compilers

Interpreter: translates and executes program statements on-the-fly.

JIT compiler: compiles small sections of code into instructions during program execution.

Eliminates some translation overhead.

Often requires more memory.


Design & Product Validation


Introduction

Validation is the process of checking whether or not a certain (possibly partial) design is appropriate for its purpose, meets all constraints and will perform as expected.

Validation with mathematical rigor is called (formal) verification.


Scenario

Formally verified tools transforming specifications into implementations

correctness by construction

In practice: Non-verified tools and manual design steps

Validation of each and every design required

Unfortunately has to be done at intermediate steps and not just for the final design


Simulations

Simulations try to imitate the behavior of the real system on a (typically digital) computer.

Simulation of the functional behavior requires executable models.

Simulations can be performed at various levels.

Some non-functional properties (e.g. temperatures, EMC) can also be simulated.


Simulations: A critique

Typically slower than the actual design.

Violations of timing constraints likely if simulator is connected to the actual environment

Simulations in the real environment may be dangerous

There may be huge amounts of data and it may be impossible to simulate enough data in the available time.

Most actual systems are too complex to allow simulating all possible cases (inputs).

Simulations can help us to find errors in our designs, but they cannot guarantee the absence of errors.


Rapid Prototyping

Prototype: Embedded system that can be generated quickly and behaves very similar to the final product.

May be larger, more power consuming and have other properties that can be accepted in the validation phase

Typical use: auto-industry

Can be built, for example, using FPGAs


Testing

Test patterns are applied to the real, already manufactured systems

Manufacturing test: purpose is to identify systems that have not been correctly manufactured

Field test: to identify systems that fail later

Testing involves:

Test pattern generation

Test pattern application

Response observation

Result comparison


Test pattern generation

Test pattern generation typically considers certain fault models

Generates patterns that enable a distinction between the faulty and the fault-free case.


Hardware Fault models

The stuck-at fault model (each and every net can be permanently connected to ground or Vdd)

Stuck-open faults: for CMOS devices, open transistors can behave like memories (combinatorial circuits become sequential circuits)

Delay faults: there may be cases in which the circuit is functionally correct, but the delay is not.


Fault coverage

A certain set of test patterns will not always detect all faults that are possible within a fault model

Coverage = No. of detectable faults for a given test pattern set / No. of faults possible due to fault model


Software Testing

Mostly functional testing

Performance testing is harder.

What tests are required to adequately test the program?


Basic testing procedure

Provide the program with inputs.

Execute the program.

Compare the outputs to expected results.


Types of software testing

Black-box: tests are generated without knowledge of program internals.

Clear-box (white-box): tests are generated from the program structure.


Clear-box testing

Generate tests based on the structure of the program.

Is a given block of code executed when we think it should be executed?

Does a variable receive the value we think it should get?


Path-based testing

Clear-box testing generally tests selected program paths:

control program to exercise a path;

observe program to determine if path was properly executed.

May look at whether location on path was reached (control), whether variable on path was set (data).


Example: choosing paths

Two possible criteria for selecting a set of paths:

Execute every statement at least once.

Execute every direction of a branch at least once.

Equivalent for structured programs, but not for programs with gotos.


Path example

[Figure: control flow graph with one set of paths that covers all statements and another that covers all branches]

Ref: Wolf: Computers as Components


Branch testing strategy

Exercise the elements of a conditional, not just one true and one false case.

Devise a test for every simple condition in a Boolean expression.


Example: branch testing

Target statement:

    if (a || (b >= c)) { printf("OK\n"); }

Actual statement:

    if (a && (b >= c)) { printf("OK\n"); }

Branch testing strategy:

One test is a=F, (b >= c) = T: a=0, b=3, c=2.

Produces different answers.


Another branch testing example

Target:

    if ((x == var_pointer) && (x->field1 == 3))...

Actual:

    if ((x = var_pointer) && (x->field1 == 3))...

Branch testing strategy:

If we use only field1 value to exercise branch, we may miss pointer problem.
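Both branch testing examples as a small C harness that compares the target and the actual condition on a test set and reports how many vectors expose the difference. This is an added example, not part of the original slides; the test sets, struct names and function names are constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

struct vec { bool a; int b, c; };
struct rec { int field1; };

/* First example: target uses ||, the actual (faulty) code uses &&. */
bool target_or(bool a, int b, int c)  { return a || (b >= c); }
bool actual_and(bool a, int b, int c) { return a && (b >= c); }

/* Number of vectors in a test set on which the actual outcome differs
 * from the target outcome, i.e. the tests that would fail. */
int failing_vectors(const struct vec *t, int n)
{
    int fails = 0;
    for (int i = 0; i < n; i++)
        if (target_or(t[i].a, t[i].b, t[i].c) !=
            actual_and(t[i].a, t[i].b, t[i].c))
            fails++;
    return fails;
}

/* Constructed test sets.
 * branch_only takes the branch once and skips it once, nothing more.
 * per_condition exercises every combination of the two simple conditions,
 * including the slide's a=0, b=3, c=2. */
const struct vec branch_only[] = {
    { true, 3, 2 }, { false, 2, 3 },
};
const struct vec per_condition[] = {
    { true, 3, 2 }, { false, 3, 2 }, { true, 2, 3 }, { false, 2, 3 },
};

/* Second example: '==' in the target, '=' in the actual code.
 * Callers must pass non-NULL pointers. */
bool target_eq(struct rec *x, struct rec *var_pointer)
{
    return (x == var_pointer) && (x->field1 == 3);
}

bool actual_assign(struct rec *x, struct rec *var_pointer)
{
    return (x = var_pointer) && (x->field1 == 3); /* '=' is the fault */
}

/* True if this input makes the faulty code disagree with the target. */
bool pointer_bug_detected(struct rec *x, struct rec *var_pointer)
{
    return target_eq(x, var_pointer) != actual_assign(x, var_pointer);
}

int main(void)
{
    struct rec r3 = { 3 }, r4 = { 4 }, other = { 0 };

    printf("one true, one false case: %d failing test(s)\n",
           failing_vectors(branch_only, 2));
    printf("every simple condition  : %d failing test(s)\n",
           failing_vectors(per_condition, 4));

    /* Varying only field1 while x already equals var_pointer. */
    printf("field1=3, same pointer  : detected=%d\n",
           pointer_bug_detected(&r3, &r3));
    printf("field1=4, same pointer  : detected=%d\n",
           pointer_bug_detected(&r4, &r4));
    /* Exercising the pointer comparison itself. */
    printf("different pointer       : detected=%d\n",
           pointer_bug_detected(&other, &r3));
    return 0;
}
```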


Domain testing

Concentrates on linear inequalities.

Example: j <= i + 1.

Test two cases on boundary, one outside boundary.

[Figure: correct and incorrect domain boundaries]


Data flow testing

Def-use analysis: match variable definitions (assignments) and uses.

Example:

    x = 5;          (def)
    …
    if (x > 0) ...  (p-use)

Does assignment get to the use?


Loop testing

Common, specialized structure: specialized tests can help.

Useful test cases:

skip loop entirely;

one iteration;

two iterations;

mid-range of iterations;

n-1, n, n+1 iterations.


Black-box testing

Black-box tests are made from the specifications, not the code.

Black-box testing complements clear-box.

May test unusual cases better.


Types of black-box tests

Specified inputs/outputs:

select inputs from specifications, determine required outputs.

Random:

Generate random tests, determine appropriate output.

Regression:

Tests used in previous versions of system.


Evaluating tests

How good are your tests?

Keep track of bugs found, compare to historical trends.

Error injection:

Add bugs to copy of code, run tests on modified code.

Modify data


Fault Injection

If real systems are available, faults can be injected to check behaviour of the system

Two types of fault injection:

local faults within the system, and

faults in the environment (behaviors which do not correspond to the specification).

For example, we can check how the system behaves if it is operated outside the specified temperature or radiation ranges.


Physical fault injection

Hardware fault injection requires major effort, but generates precise information about the behavior of the real system.

Includes:

Signal manipulation at the pin,

Nuclear radiation

Application of electro-magnetic field


Software fault injection

Errors are injected into the memories.

Advantages:

Predictability: it is possible to reproduce every injected fault in time and space.

Reachability: possible to reach storage locations within chips instead of just pins.

Less effort than physical fault injection: no modified hardware.


Software Fault Injection

Software fault injection with bit-flips in the data is comparable to hardware fault injection

Application software error detection is higher for software-implemented fault injection. Most hardware-injected faults do not propagate to the application level.
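A small software-implemented fault injection campaign, added here as an illustration (it is not part of the original slides). It flips every single bit and every pair of bits in a constructed 8-byte frame and counts how many corruptions each of two error-detection checks catches; the frame contents and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_LEN 8

/* Constructed sample data: an 8-byte frame standing in for protected state. */
static const uint8_t SAMPLE_FRAME[FRAME_LEN] =
    { 0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0 };

typedef uint8_t (*check_fn)(const uint8_t *data, size_t len);

/* Detection mechanism 1: XOR of all bytes (longitudinal parity). */
static uint8_t xor8(const uint8_t *data, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc ^= data[i];
    return acc;
}

/* Detection mechanism 2: bitwise CRC-8, polynomial 0x07, initial value 0. */
static uint8_t crc8(const uint8_t *data, size_t len)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x07 : crc << 1);
    }
    return crc;
}

/* Inject one fault: flip bit number `bit` (0 = LSB of byte 0) in buf. */
static void flip_bit(uint8_t *buf, size_t bit)
{
    buf[bit / 8] ^= (uint8_t)(1u << (bit % 8));
}

/* Campaign: flip every combination of nflips (1 or 2) bits in a fresh copy
 * of the golden frame and count the corrupted copies the check catches.
 * Each fault is identified by its bit indices, so any run can be replayed. */
static unsigned detected(check_fn check, unsigned nflips)
{
    const size_t nbits = FRAME_LEN * 8;
    const uint8_t reference = check(SAMPLE_FRAME, FRAME_LEN);
    unsigned caught = 0;
    for (size_t i = 0; i < nbits; i++) {
        size_t first = (nflips == 2) ? i + 1 : i;
        size_t last  = (nflips == 2) ? nbits : i + 1;
        for (size_t j = first; j < last; j++) {
            uint8_t work[FRAME_LEN];
            memcpy(work, SAMPLE_FRAME, FRAME_LEN);
            flip_bit(work, i);
            if (nflips == 2)
                flip_bit(work, j);
            if (check(work, FRAME_LEN) != reference)
                caught++;
        }
    }
    return caught;
}

int main(void)
{
    printf("single-bit flips (64 injected):   xor8 %u, crc8 %u\n",
           detected(xor8, 1), detected(crc8, 1));
    printf("double-bit flips (2016 injected): xor8 %u, crc8 %u\n",
           detected(xor8, 2), detected(crc8, 2));
    return 0;
}
```

Both checks catch every single-bit flip, but the XOR check misses the double flips that hit the same bit position in two different bytes; the campaign makes that coverage gap measurable.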

Formal Verification

Formal verification is concerned with formally proving a system correct using mathematical techniques

A formal model is required to make formal verification applicable

Manual effort

With the model certain properties can be proved

Different types of logic used:

Propositional logic

First order logic

Higher order logic

Summary

We have looked at features of architecture specific compilers

Studied other system development phases

Validation

Testing

Verification

Building Dependable Embedded Systems

Dependability

Dependability is that property of an embedded system such that reliance can justifiably be placed on the service it delivers.

Facets of dependability

Reliability: continuity of correct service

Availability: readiness for usage

Safety: no catastrophic consequences

Security: prevent unauthorized access

Integrity, Confidentiality

Maintainability: repair and modification

Customers must identify the dependability requirements of their system and developers must design so as to achieve them

Reliability

Reliability means that the level and frequency of failure is acceptable

We are not requiring no failures at all

Merely an acceptable level

Failure is measured pragmatically

Difference: Failures & Faults

A failure corresponds to unexpected run-time behavior observed by a user

A fault (or defect) is a static characteristic which causes a failure to occur

Faults need not necessarily cause failures. Only if the faulty part is used

If a user does not notice a failure, is it a failure?

Remember most users don’t know the specification

Correctness and Reliability

Correct but unreliable

Can result from an incorrect specification

Reliable but incorrect

Can result from a program that does not exactly meet its specification, but which works well enough.

Reliability is main concern

Correctness is a means to this end

Reliability and efficiency

As reliability increases system efficiency tends to decrease, because…

To make a system more reliable, redundant code must be included to carry out run-time checks, etc.

This tends to slow it down

Reliability and efficiency

Reliability is usually more important than efficiency

No need to utilize hardware to fullest extent as processors are cheap and fast

Unreliable software should not be used

Hard to improve unreliable systems

Software failure costs often far exceed system costs

Costs of data loss are very high

Failure consequences

Reliability measurements do NOT take the consequences of failure into account

Transient faults may have no real consequences but other faults may cause data loss or corruption and loss of system service

Necessary to identify different failure classes and use different measurements for each of these

Requirements for Reliability

If a failure has high cost, then reliability becomes important.

How important depends on the cost

Most software is typically not very reliable

Reliability

Cannot be always defined objectively

Requires operational profile for its definition

The operational profile defines the expected pattern of software/hardware usage

Must consider fault consequences

Not all faults are equally serious. System is perceived as more unreliable if there are more serious faults

Reliability metrics

Probability of failure on demand

This is a measure of the likelihood that the system will fail when a service request is made

POFOD = 0.001 means 1 out of 1000 service requests result in failure

Relevant for safety-critical or non-stop systems

Rate of fault occurrence (ROCOF)

Frequency of occurrence of unexpected behavior

ROCOF of 0.02 means 2 failures are likely in each 100 operational time units

Relevant for operating systems, transaction processing systems

Reliability measurement

Measure the number of system failures for a given number of system inputs

Used to compute POFOD

Measure the time (or number of transactions) between system failures

Used to compute ROCOF and MTTF

Measure the time to restart after failure

Used to compute AVAIL

Time units

Time units in reliability measurement must be carefully selected. Not the same for all systems

Raw execution time (for non-stop systems)

Calendar time (for systems which have a regular usage pattern e.g. systems which are always run once per day)

Number of transactions (for systems which are used on demand)

Reliability

Rel(t) = Probability that the system will operate correctly in a specified operating environment up until time t

Mean Time To Failure

MTTF = Expected Value[Rel(t)]

Note that t is important

• If a system only needs to operate for ten hours at a time, then that is the reliability target

Recoverability

Rec(t) = Probability that the system will operate correctly at time t after failure

Mean Time To Repair:

MTTR = Expected Value[Rec(t)]

Availability

A(t) = Probability that the system will be operational at time t

E[A(t)] = MTTF / (MTTF + MTTR)

• Literally, readiness for service

– Only applies when you ask for a service

• Admits the possibility of brief outages

• Fundamentally different concept than Reliability

Reliability vs. Availability

They are not the same.....

Example: A system that fails, on average, once per hour but which restarts automatically in ten milliseconds is not very reliable but is highly available

Availability = 0.9999972
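How the metrics on the preceding slides fall out of measurements, as an added example (not from the original slides): the code derives MTTF, MTTR, ROCOF and availability from an outage log and checks the slide's once-per-hour, ten-millisecond figure. The log values, the struct layout and the function names are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* One outage seen during observation: the system failed at `down` and was
 * back in service at `up` (hours since the start of observation). */
struct outage { double down, up; };

/* Constructed sample log: 1000 h of observation, three failures. */
static const struct outage SAMPLE_LOG[] = {
    { 100.0, 102.0 }, { 400.0, 401.0 }, { 900.0, 905.0 },
};
static const size_t SAMPLE_N = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];
static const double SAMPLE_WINDOW = 1000.0;

struct metrics { double mttf, mttr, rocof, avail; };

/* Availability as given on the slide: MTTF / (MTTF + MTTR). */
double availability(double mttf, double mttr)
{
    return mttf / (mttf + mttr);
}

/* POFOD: failed service requests divided by all service requests. */
double pofod(unsigned failures, unsigned requests)
{
    return requests ? (double)failures / requests : 0.0;
}

/* Derive the time-based metrics from an outage log covering `window` hours.
 * MTTF is estimated as operational time per failure; the operational time
 * after the last repair is included in that total. */
struct metrics measure(const struct outage *log, size_t n, double window)
{
    struct metrics m = { 0 };
    double downtime = 0.0;
    for (size_t i = 0; i < n; i++)
        downtime += log[i].up - log[i].down;
    double uptime = window - downtime;
    if (n == 0) {               /* no failure observed: MTTF is a lower bound */
        m.mttf = uptime;
        m.avail = 1.0;
        return m;
    }
    m.mttf = uptime / (double)n;
    m.mttr = downtime / (double)n;
    m.rocof = (double)n / uptime;   /* failures per operational hour */
    m.avail = availability(m.mttf, m.mttr);
    return m;
}

/* Helper for comparing floating-point results. */
int approx(double a, double b, double eps)
{
    return a - b < eps && b - a < eps;
}

int main(void)
{
    struct metrics m = measure(SAMPLE_LOG, SAMPLE_N, SAMPLE_WINDOW);
    printf("MTTF %.2f h, MTTR %.2f h, ROCOF %.5f /h, availability %.4f\n",
           m.mttf, m.mttr, m.rocof, m.avail);
    /* The slide's example: one failure per hour, 10 ms restart (seconds). */
    printf("slide example: %.7f\n", availability(3600.0, 0.010));
    return 0;
}
```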

Design Tradeoffs

How to make availability approach 100%?

Availability = MTTF / (MTTF + MTTR)

MTTF → infinity (high reliability)

MTTR → zero (fast recovery)

Maintainability

Ability to undergo repairs and modifications

Maintenance

Evolution

Composition

Manageability

Reliability specification

Reliability requirements are only rarely expressed in a quantitative, verifiable way.

To verify reliability metrics, an operational profile must be specified as part of the test plan.

Reliability is dynamic - reliability specifications related to the source code are meaningless.

Failure classification

Failure class | Description

Transient | Occurs only with certain inputs

Permanent | Occurs with all inputs

Recoverable | System can recover without operator intervention

Unrecoverable | Operator intervention needed to recover from failure

Non-corrupting | Failure does not corrupt system state or data

Corrupting | Failure corrupts system state or data

Steps to a reliability specification

For each sub-system, analyze the consequences of possible system failures.

From the system failure analysis, partition failures into appropriate classes.

For each failure class identified, set out the reliability using an appropriate metric.

Different metrics may be used for different reliability requirements.

Example: Bank auto-teller system

Each machine in a network is used 300 times a day

Bank has 1000 machines

Lifetime of software release is 2 years

Each machine handles about 200,000 transactions

About 300,000 database transactions in total per day

Examples of a reliability specification

Failure class | Example | Reliability metric

Permanent, non-corrupting | The system fails to operate with any card which is input. Software must be restarted to correct failure. | ROCOF 1 occurrence/1000 days

Transient, non-corrupting | The magnetic stripe data cannot be read on an undamaged card which is input. | POFOD 1 in 1000 transactions

Transient, corrupting | A pattern of transactions across the network causes database corruption. | Unquantifiable! Should never happen in the lifetime of the system

Approaches for Reliability

Use reliable tools

Program carefully

Test thoroughly

Reliability improvement in Software

Reliability is improved when software faults which occur in the most frequently used parts of the software are removed

Removing X% of software faults will not necessarily lead to an X% reliability improvement

In a study, removing 60% of software defects actually led to a 3% reliability improvement

Removing faults with serious consequences is the most important objective

Statistical testing

Testing software for reliability rather than fault detection

Test data selection should follow the predicted usage profile for the software

Measuring the number of errors allows the reliability of the software to be predicted

An acceptable level of reliability should be specified and the software tested and amended until that level of reliability is reached

Statistical testing procedure

Determine operational profile of the software

Generate a set of test data corresponding to this profile

Apply tests, measuring amount of execution time between each failure

After a statistically valid number of tests have been executed, reliability can be measured

Safety

Absence of:

Catastrophic consequences on the users or the environment

• Are commercial aircraft “safe”?

• They crash very occasionally. How many crashes are too many?

• Are cars “safe”? They crash quite a lot.

Risk

Risk is the expected loss per unit time

$\mathrm{Risk} = \sum_i \mathrm{pr}(\mathrm{accident}_i) \times \mathrm{cost}(\mathrm{accident}_i)$

• Safety is expressed as an acceptable level of loss

Reliability vs. Availability vs. Safety

They are not the same.....

Example:

A system that is turned off is not very reliable, is not very available, but is probably very safe

In practice, safety often involves specific intervention

Safety Critical System

A system is said to be safety critical if a failure can cause loss of life or severe injury

Nuclear power plant control

Braking systems in cars

Avionics (military and commercial)

Train signal systems

Dam control systems

Embedded Applications

Risk and dependability analysis

Risk of damages can not be reduced to zero.

For every damage there is a severity and a probability.

Several techniques for analyzing risks.

Fault Tree Analysis (FTA)

FTA is a top-down method of analyzing risks. Analysis starts with possible damage, tries to come up with possible scenarios that lead to that damage.

FTA typically uses a graphical representation of possible damages, including symbols for AND- and OR-gates.

OR-gates are used if a single event could result in a hazard.

AND-gates are used when several events or conditions are required for that hazard to exist.
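A fault tree evaluated in code, added here as an illustration (it is not the figure from the slides or from Marwedel's book). The tree, its event names and its probabilities are constructed for a hypothetical heater controller, and the probability calculation assumes independent basic events that each appear only once in the tree.

```c
#include <stddef.h>
#include <stdio.h>

enum kind { BASIC, AND_GATE, OR_GATE };

struct node {
    enum kind kind;
    const char *name;
    double p;               /* BASIC only: probability of the event */
    int present;            /* BASIC only: 1 if it occurs in the scenario */
    struct node *child[3];
    size_t nchild;
};

/* Constructed tree (hypothetical):
 *   overheating = OR( AND(sensor reads low, cutoff fails), software fault ) */
static struct node sensor    = { BASIC, "sensor reads low", 0.01,  0, { 0 }, 0 };
static struct node cutoff    = { BASIC, "cutoff fails",     0.1,   0, { 0 }, 0 };
static struct node software  = { BASIC, "software fault",   0.002, 0, { 0 }, 0 };
static struct node unguarded = { AND_GATE, "heater on unchecked", 0.0, 0,
                                 { &sensor, &cutoff }, 2 };
static struct node top       = { OR_GATE, "overheating", 0.0, 0,
                                 { &unguarded, &software }, 2 };

/* Does the event at n occur, given the `present` flags of the basic events? */
int ft_occurs(const struct node *n)
{
    if (n->kind == BASIC)
        return n->present;
    for (size_t i = 0; i < n->nchild; i++) {
        int c = ft_occurs(n->child[i]);
        if (n->kind == OR_GATE && c)
            return 1;               /* a single input suffices */
        if (n->kind == AND_GATE && !c)
            return 0;               /* every input is required */
    }
    return n->kind == AND_GATE;
}

/* Probability of the event at n: AND multiplies the input probabilities,
 * OR is one minus the probability that no input occurs. */
double ft_probability(const struct node *n)
{
    if (n->kind == BASIC)
        return n->p;
    double acc = 1.0;
    for (size_t i = 0; i < n->nchild; i++) {
        double pc = ft_probability(n->child[i]);
        acc *= (n->kind == AND_GATE) ? pc : 1.0 - pc;
    }
    return (n->kind == AND_GATE) ? acc : 1.0 - acc;
}

/* Evaluate the top event for one scenario of basic events. */
int hazard(int sensor_low, int cutoff_fails, int software_fault)
{
    sensor.present = sensor_low;
    cutoff.present = cutoff_fails;
    software.present = software_fault;
    return ft_occurs(&top);
}

int main(void)
{
    printf("sensor fault alone -> %s: %d\n", top.name, hazard(1, 0, 0));
    printf("sensor and cutoff  -> %s: %d\n", top.name, hazard(1, 1, 0));
    printf("P(%s) = %.6f\n", top.name, ft_probability(&top));
    return 0;
}
```

The sensor fault alone does not reach the top event because the AND-gate also requires the cutoff to fail, while the software fault reaches it on its own through the OR-gate.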

Example

Ref: Marwedel: Embedded System Design

Limitations

The simple AND- and OR-gates cannot model all situations.

Can not model if shared resources of some limited amount (like energy or storage locations) exist.

Markov models have been used to deal with such cases.

Failure mode and effect analysis (FMEA)

FMEA starts at the components and tries to estimate their reliability. The first step is to create a table containing components, possible faults, probability of faults and consequences on the system behavior.

Using this information, the reliability of the system is computed from the reliability of its parts (corresponding to a bottom-up analysis).

Confidentiality

Absence of unauthorized disclosure of information

Integrity

Absence of improper system state alterations

Security

Security is a combination of attributes:

Integrity

Confidentiality

Availability

Under different circumstances, these attributes are more or less important:

Denial of service is an availability issue

Exposure of information is a confidentiality issue

Security Requirements

User Identification

Secure Network Access

Service access if authorized

Secure Communication

Confidentiality and integrity of communicated data

Secure Storage

Confidentiality and integrity of sensitive information stored in the system

Content Security

Usage restrictions of digital content stored

Availability

Can perform its intended function and service legitimate users at all times

Example: Security Requirements for a Cell Phone

Ref: S. Ravi et al. Security in Embedded Systems, ACM Trans. On Embedded Systems, 2004

Design Challenges

Processing Gap

Computational demands of security processing are substantial

Battery Gap

Energy consumption overheads for supporting security is very high

Flexibility

Support for multiple and diverse security protocols

Tamper resistance

Protection against attacks of malicious software

Security Processing Architecture

First Generation

Executing security software on embedded processors

Poor efficiency

High Flexibility

Fast turn-around time

Second Generation

Offload crypto-function to crypto-hardware

High Efficiency

Poor Flexibility

High Design Complexity

Security Architecture

Third Generation

Protocol level offload to programmable engines

High Efficiency

High Flexibility

Fast turn-around time

Features

Moving cryptographic processes out of firmware and into FPGA

Harder to probe than ROM devices

Increased performance (more efficient)

Using secure cryptographic coprocessor

Self-contained, hardware tamper response, authentication, general-purpose processor

Ex.: Philips VMS747, IBM 4758

Fault Tolerance

Essential for reliable and highly available Embedded Systems

Software fault tolerance is the ability for software to detect and recover from a fault that is happening or has already happened in either the software or hardware in the system in which the software is running in order to provide service in accordance with the specification.

Techniques for Fault Tolerance

Design Diversity

Recovery Block

operates with an adjudicator which confirms the results of various implementations of the same algorithm

N-version Method

voting

Self-checking Software

Self-checking software are the extra checks, often including some amount of check-pointing and rollback recovery methods, added into fault-tolerant or safety critical systems
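The two design-diversity techniques side by side, as an added example (not from the original slides): three independently written integer square root routines feed a 2-out-of-3 voter, and a recovery block runs a primary routine, checks its result with an acceptance test and falls back to an alternate. All function names are assumptions, and one version carries a deliberately seeded fault so that both mechanisms have something to mask.

```c
#include <stdint.h>
#include <stdio.h>

/* Version A: linear search. */
static uint32_t isqrt_linear(uint32_t x)
{
    uint32_t r = 0;
    while (((uint64_t)r + 1) * ((uint64_t)r + 1) <= x)
        r++;
    return r;
}

/* Version B: bisection over the 16-bit result range. */
static uint32_t isqrt_bisect(uint32_t x)
{
    uint32_t lo = 0, hi = 65535;
    while (lo < hi) {
        uint32_t mid = lo + (hi - lo + 1) / 2;
        if ((uint64_t)mid * mid <= x) lo = mid;
        else hi = mid - 1;
    }
    return lo;
}

/* Version C: Newton iteration with a seeded fault: it rounds up instead of
 * down, standing in for a design error that testing missed. */
static uint32_t isqrt_newton_faulty(uint32_t x)
{
    if (x < 2) return x;
    uint64_t r = x, y = (r + 1) / 2;
    while (y < r) { r = y; y = (r + x / r) / 2; }
    return (uint32_t)(r * r == x ? r : r + 1);
}

struct outcome { uint32_t value; int info; };

/* N-version method (N = 3): run all versions and vote.
 * info = number of versions agreeing with value; 0 means no majority. */
struct outcome nversion_isqrt(uint32_t x)
{
    uint32_t a = isqrt_linear(x), b = isqrt_bisect(x), c = isqrt_newton_faulty(x);
    struct outcome o = { 0, 0 };
    if (a == b || a == c) { o.value = a; o.info = 1 + (a == b) + (a == c); }
    else if (b == c)      { o.value = b; o.info = 2; }
    return o;
}

/* Adjudicator (acceptance test): checks a result against the specification
 * r*r <= x < (r+1)*(r+1) without recomputing the square root. */
static int acceptable(uint32_t x, uint32_t r)
{
    return (uint64_t)r * r <= x && ((uint64_t)r + 1) * ((uint64_t)r + 1) > x;
}

/* Recovery block: try the primary, then the alternate; a rejected result is
 * discarded and the next try restarts from the saved input x.
 * info = index of the routine whose result passed, -1 if all were rejected. */
struct outcome recovery_block_isqrt(uint32_t x)
{
    uint32_t (*const alternates[])(uint32_t) = { isqrt_newton_faulty, isqrt_bisect };
    struct outcome o = { 0, -1 };
    for (int i = 0; i < 2 && o.info < 0; i++) {
        uint32_t r = alternates[i](x);
        if (acceptable(x, r)) { o.value = r; o.info = i; }
    }
    return o;
}

int main(void)
{
    struct outcome v = nversion_isqrt(17), rb = recovery_block_isqrt(17);
    printf("vote: %u (%d agree), recovery block: %u (routine %d)\n",
           (unsigned)v.value, v.info, (unsigned)rb.value, rb.info);
    return 0;
}
```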

Summary

We had an introduction to different aspects of dependable design

Dependability is a critical issue for deployment of embedded systems