Ensuring Reliable Networks New Challenges in Safety ......Cross-Industry Safety, Certification and Availability ... Effort • Development cost grows considerably with design assurance

www.tttech.com Copyright © TTTech Computertechnik AG. All rights reserved.

Ensuring Reliable Networks

Safety Day 2014 – FH Campus Wien

New Challenges in

Safety Critical Systems

April 2nd, 2014

Dr. Stefan Poledna

www.tttech.com Copyright © TTTech Computertechnik AG. All rights reserved. Page 2

Ensuring Reliable Networks Overview

• Megatrends and Industry Drivers

• Safety and Re-use?

• Safety and Availability

• High performance (consumer) devices vs. embedded

devices



What do they have in common

… Reliable Networks and Controls from TTTech

Boeing 787 Vestas Turbines

Prinoth Leitwolf Audi A8



Mega Trends and Industry

Drivers



Safety Becomes Ubiquitous

1. Megatrend Safety

• Automotive: 50 million injuries, out of those 1.2 million were fatal injuries (3.300

per day according to WHO 2010)

• Industrial: Manufacturers lose over $ 20 billion each year alone in safety

incidents, Norm Gilsdorf, President of Honeywell Process Solutions Honeywell

User Group 2010

• Civil Aviation: In 2010 there were 47.3 million flight hours and 22.3 million

departures with 9 serious accidents

• Smart and safe mega cities

• Medical systems and healthcare for aging populations

• By 2020 every second embedded device will be safety relevant

5



IEC 61508 EN/ISO 13849 ISO 26262 DO 178B / 254

1. Megatrend Safety

Design assurance standards are similar across industries

Cross-Industry Safety, Certification and Availability

Fail-Stop Fail-Operational

Clear trend towards fail-operational

for availability reasons



2. Megatrend Autonomous and

Smart Interacting Machines Autonomous cars Robot human collaboration

Snow grooming: airport and slopes Autonomous farming machines



2. Megatrend Autonomous

Interacting Machines

Automated Parking Side View Assist

193cm

Rear view + overlays Surround /Top View 120cm

Object Detection

120cm Manoeuvre Assist

Driver Drowsiness

Auto Emergency Braking

Congestion Pilot

Lane Assist

Automated Stop Autonomous Driving

Key drivers: Safety and Convince, enabling people to do different things

than manoeuvring the car

Examples of Driver Assistance Use Cases



3. Megatrend Internet of

Things

Smart Grid

Intelligent Buidlings Smart Cities

Safety & Security

Healthcare

Water

Intelligent

Transportation

Connected Car

Autonomous Driving

RT Cloud Services

Ambient Intelligence

Mobile Devices

Aerospace

Flexible Integrated

Automation Food & Farming

All necessary services

need to be supported by one

single communication

infrastructure

Systems of Systems



3. Megatrend Internet of

Things

Smart Grid

Intelligent Buidlings Smart Cities

Safety & Security

Healthcare

Water

Intelligent

Transportation

Converged by

Ethernet/IP v6 and

Deterministic Ethernet

Connected Car

Autonomous Driving

RT Cloud Services

Ambient Intelligence

Mobile Devices

Aerospace

Flexible Integrated

Automation Food & Farming

Systems of Systems



Safety and Re-use?



Development Effort vs. Design

Assurance Level

Prototype Product

QM

Safety Product

ASIL

Development

Effort

• Development cost grows considerably with design assurance levels

• Re-use across different design assurance levels is difficult

Re-use

Effort

How to Address the Efficiency Challenge?


Ensuring Reliable Networks The “Lift-Up Effect” I

Typical Hazards & Risk Profile • The majority of functions is not safety

related and thus QM classified

• Only a minority of functions is ASIL

classified

The “Lift-Up Effect” • An ECU must be developed in

conformance to highest ASIL level of any

function within the ECU

• If freedom from interference (or

partitioning) cannot be proven then all

functionality needs to be developed acc.

to the highest ASIL level

75%

5%

3%

17%

QM

ASIL A

ASIL C

ASIL D

100%

Percentage of ECU functionality

per ASIL level

Example



Reduced

development

effort

The “Lift-Up Effect” II

75%

5%

3%

17%

QM

ASIL A

ASIL C

ASIL D

Complete development

according to highest ASIL

level

100%

Development

effort

Development of functions

according to their respective

ASIL Level

Percentage of

ECU functionality

per ASIL level


Ensuring Reliable Networks The “Lift-Up Effect” III

The “Lift-Up Effect” can be avoided by ensuring

“Freedom from Interference”

Def: Freedom from Interference

Absence of cascading failures

between two or more elements that

could lead to the violation of a safety

requirement. (ISO 26262, Part 1)

Def: Cascading failure

Failure of an element of an item

causing another element or elements

of the same item to fail.



Re-Use in Safety Related

Systems

Hazard Analysis & Risk Assessment

Safety Goals ASIL

Conformity Review

Co

nfig

ura

tion

Man

ag

em

en

t

Development

Plan

Requirements

Design

Implementation

Integration

Shipping

Valid

atio

n

SQ

A

High level integrated safety development process

The Re-Use Problem • Safety goals cut across the

integrated development process

• Components are therefore

developed in a system level safety

context

• Hence, components cannot be

re-used outside the system level

safety context easily

• This drives development effort



Re-Use in Safety Related

Systems

Re-Use can be supported by defining a

“Safety Element out of Context”

Safety Element out of Context (SEooC)

A SEooC is a safety-related element which is not developed for a specific item.

(…) Assumptions are made on requirements and design, including safety

requirements that are allocated to the element by higher levels of design and

on the design external to the element. (ISO 26262, Part 10)

Assumed Safety Requirements without

reference to a specific system

CM Development Validation SQA

Conformity Review Safety Manual



Goals for the Modular Safety ECU Platform

Goals

• Enables efficient development of safety ECUs

• Enable re-use as a Safety Element out of Context

• Supports Freedom from Interference (Partitioning)

Modular Safety ECU Platform

ISO 26262 ASIL D IEC 61508 SIL 3 EN/ISO 13849 PL e

SEooC Requirements

• Supports fault-tolerant time interval < 50 ms (including anti-glitch behavior)

• FIT rate of core < 5 FIT (main CPU, safety companion, clock, power …)

• Single point fault metric and safe failure fraction > 99 %

• Latent fault metric > 90 %



Components of the



CPU & Safety

Companion

I/O Blocks &

SafeIO Drivers

Cert Package

Safety Manual

SafeCOM,

SafeExe,

SafeMon

Application

safety function

SafeExec

Safe-

Watchdog

App. 3 App. 4

CommComm..

ServicesServicesMemoryMemory

ServicesServicesSystem System

ServicesServices

Complex

Drivers

BSPBSP

Sa

feS

elfC

he

ck

Sa

feC

ros

sC

hec

k

RTERTE

I/OI/O

ServicesServices

Sa

feD

isp

atc

he

r

SafeHAL

OS

Bo

otlo

ad

er

App. 2App. 1

Checkpoint

„SafeCDR“

Checkpoint

„SafeApp2“

Checkpoint

„SafeApp1“

WDG_HALE2E

-Lib

SafeCOM

SafeCOM

ISO 26262 ASIL D IEC 61508 SIL 3 EN/ISO 13849 PL e



Safety and Availability


Ensuring Reliable Networks Why Safety in Wind Power?

IEC 61508 applies

Safety Related

functions typically

rated SIL 3



Source: IEEE TRANSACTIONS ON ENERGY CONVERSION,

VOL.22, NO.1, MARCH 2007

“Survey of Failures in Wind Power Systems With Focus on

Swedish Wind Power Plants During 1997-2005”

Why High-Availability in Wind Power?

Reduced Down Time = Lower Cost

Reduced operation

cost though

minimization

of unscheduled

maintenance



Wind Turbine Electronics

Architecture

TTE Switch Channel 1

Functional Safety Unit, redundant

Safety I/O Unit, redundant

Main Safety Unit, redundant

Main Controller, redundant

Non Safety Related Resource Controller

Nacelle

Tower

Power Control

TTE Channel 1

TTE Channel 2

TTE Switch Channel 2

Ethernet Communication System

• TTEthernet switches & NICs

• High availability and safety

• Dual redundancy

• 100 Mbit/s, 1 Gbit/s

• Synchronization

Safety Controllers

• Modular safety controllers

• Dual core CPU

• Dual channel SIL 2

• Safe I/O: control and

shutdown



High-Availability by Means of a

Fully-Redundant Architecture

OR

OR

Deterministic Switched Ethernet ans Safety I/O Controllers

Standard architecture – Non-redundant

Redundant architecture –

Fault-tolerance and redundancy

on network level

Full fail-operational architecture –

Fault-tolerance on network & control level



Mix Criticality Functions in a

Single Network Architecture

TTTech Safety I/O

TTTech Control I/O

C TTTech Safety Controller

S TTTech Control Switch

S TTTech Safety / Control Switch

C TTTech Controller

One Converged Backbone Network

and Distributed Controls

Partitioned traffic

C C

Control

Functions

Safety

Functions

Monitoring

Functions

HMI

S

Monitoring, Control and Safety

in one single network

C C

Control

Functions

Safety

Functions

S S

HMI

Monitoring

Functions

S

Monitoring

Network

Control

network

Safety

network

Mixed-criticality

– one single

standard

Ethernet cable

Physically Separated Networks and

Controllers



Energy:

Wind Turbines

Control of the next generation of

wind turbines

“Utilising technology similar to that in aircraft and performance cars, TTTech delivers

Ethernet solutions designed to improve reliability and productivity of the next generation

of wind turbines.” Vestas Press Release



Example

TTC-500 Safety Controller CPU

TMS570 Dual Core lockstep CPU @ 160MHz

Plus Safety Companion

Designed for applications up to ASIL D / SIL 3

safety features (RAM/Flash ECC check, ...)

Floating Point Unit

MPU

I/Os and Interfaces

28 HS PWMs with with current measurement

8 HS Digital Out

8 LS Digital Out

24 Analog Inputs

12 Timer Inputs

8 PVG, VOUT

7 x CAN with configurable termination …

Flexibility

Outputs can be used as inputs

Inputs low / high active

Flexible range-configurable analog inputs

Use of “ABS-type” sensors

Programming

CODESYS® 3.0 or ANSI-C

TTC-Downloader or Download-DLL

Supporting of Lauterbach Debugger/Trace32

Functional Safety

Fulfills

… IEC 61508 SIL 2

… EN/ISO 13849 PL d

with TÜV Nord Safety Certificate

MTTFd / DC values available per I/O



Example

TTC-500 Safety Controller

TÜV certified

• IEC 61508 SIL 2

• ISO 13849 PL d

• certifiable ISO 25119 AgPL d

• certifiable ISO 26262 ASIL-D

• Hardware metrics (MTTFd / DC and PFH/SFF)

available for the customer – total value and value

per I/O

Safety + Availablility

• Output shut-off in 3 groups guarantees high

availability

• Complete shut-off not necessary in case of single

I/O failure



High Performance (Consumer)

Devices vs. Embedded Devices in

Safety Applications



New advanced embedded MCUs

provide extensive safety support

ASIL D, SIL 3 Support

• Dual-core lockstep

• Memory protection

• ECC on Flash and RAM

• Examples: TI TMS570, Infineon

Aurix, Renesas V850

• Typically up to 300 MHz CPU

clock

• Dual / Triple Core designs



Example TMS 570:

Extensive Safety Mechnisms 5.1 Power Supply

5.1.1 Embedded Voltage Monitor (VMON)

5.1.2 External Voltage Supervisor

5.2 Clocks

5.2.1 Low Power Oscillator Clock Detector

(LPOCLKDET)

5.2.2 PLL Slip Detection

5.2.3 Dual Clock Comparator (DCC)

5.2.4 Monitoring of External Clock Outputs (ECLK)

5.2.5 Internal Watchdog

5.2.6 External Watchdog

5.2.7 Periodic Read Back of Configuration Registers

5.2.8 Software Read Back of Written Configuration

5.2.9 Notes

5.3 Reset

5.3.1 External Monitoring of Warm Reset (nRST)

5.3.2 Software Check of Cause of Last Reset

5.3.3 Software Warm Reset Generation

5.3.4 Glitch Filtering on nRST and nPORRST

5.3.5 Shadow Registers

5.3.6 External Watchdog



5.4 System Module

5.4.1 Privileged Mode Access and Multi-Bit Enable



5.5 Error Signaling Module (ESM)


5.5.2 Software Test of Error Path Reporting

5.5.3 Shadow Registers


5.6 CPU Subsystem

5.6.1 Lockstep CPU Diagnostic

5.6.1.1 Measures to Mitigate Common Mode Failure

5.6.2 CPU Logic Built In Self Test / Self-Test Contr.

5.6.3 CPU Memory Protection Unit (MPU)

5.6.3 CPU Memory Protection Unit (MPU)

5.6.4 Online Profiling- Performance Moni. Unit

5.6.5 Internal or External Watchdog

5.6.6 Illegal Operation and Instruction Trapping


5.6.8 CPU Lockstep Comparator (CCM) Self-Test

5.7 Primary Embedded Flash

5.7.1 Flash ECC

5.7.2 Hard Error Cache and Livelock

5.7.3 Flash Wrapper Address ECC

5.7.4 ATCM Address Bus Parity

5.7.5 Flash Contents Check by Hardware CRC

5.7.6 Bit Multiplexing in Flash Memory Array

5.7.7 Flash Sector Protection



5.8 Flash EEPROM Emulation (FEE)

5.8.1 FEE Data ECC

5.8.2 FEE Contents Check by Hardware CRC

5.8.3 Bit Multiplexing in FEE

5.8.4 FEE Sector Protection



5.9 Primary Embedded SRAM

5.9.1 Data ECC

5.9.2 Hard Error Cache and Livelock

5.9.3 Correctable ECC Profiling

5.9.4 BTCM Address and Control Bus Parity

5.9.5 SRAM Wrapper Redundant Address Decode

5.9.6 Data and ECC Storage in Multiple Physical

Banks 5.9.7 Programmable Memory BIST (PBIST)

5.9.8 SRAM Bit Multiplexing

5.9.9 SRAM Hardware CRC-64



5.9.12 Software Test of SRAM Wrapper Address

Decode Diagnostic and ECC

5.10 Level 2 and Level 3 (L2 and L3) Interconnect

5.10.1 Error Trapping

5.10.2 Peripheral Central Resource Management


5.10.4 Information Redundancy Techniques

5.10.5 Periodic Read Back of Configuration Reg.

5.10.6 SW Test of Basic Func. Incl Error Tests

5.10.7 SW Read Back of Written Configuration

5.11 EFuse Static Configuration

5.11.1 Autoload Self-Test

5.11.2 EFuse ECC

5.11.3 Periodic Read Back of Conf. Registers

5.11.4 Software Read Back of Written Conf.

5.12 OTP Static Configuration

5.12.1 Autoload Self-Test

5.12.2 OTP Autoload ECC



5.13 I/O Multiplexing (IOMM)

5.13.1 Locking Mechanism for Control Registers

5.13.2 Master ID Filtering

5.13.3 Error Trapping


5.13.5 SW Test of Func. Using I/O Loopback

5.13.6 SW Read Back of Written Configuration

5.14 Vectored Interrupt Module (VIM)

5.14.1 VIM SRAM Parity

5.14.2 VIM SRAM PBIST

5.14.3 VIM SRAM Bit Multiplexing

5.14.4 VIM SRAM CRC-64 Testing

5.14.5 Periodic SW Test of VIM Op. incl. Err. Tests

5.14.6 Periodic Read Back of Conf. Reg.



….



Example High-Performance

(Consumer) Computing Device

Tegra K1

GPU

NVIDIA® Kepler™ Architecture 192 NVIDIA CUDA

® Cores

CPU

CPU Cores and Architecture NVIDIA 4-Plus-1™ Quad-Core ARM Cortex-A15 "r3"

Max Clock Speed 2.3 GHz

Memory

Memory Type DDR3L and LPDDR3

Max Memory Size 8 GB (with 40-bit address extension)

Display

LCD 3840x2160

HDMI 4K (UltraHD, 4096x2160)

Package

Package Size/Type 23x23 FCBGA, 16x16 S-FCCSP, 15x15 FC PoP

Process 28 nm

Typically not designed for

safety applications

Safety

?



When I don´t feel like driving I

let my car do it

parking

Traffic jams



Example:

Driver Assistance System

► High Integration of multiple functions on one control unit with TTEthernet

► Platform Approach (decoupling from application) best-in-class

Centralized Control Platform

Integrated robust electronic architecture

Ausgabe

Applika-tionen

Fusion

Wahr-nehmung

Basis

HMI Manager

Kartenfusion ObjektfusionInfrastruktur

-fusion

Fu

nk

tion

1

Fu

nk

tion

2

Fu

nk

tion

3

Fu

nk

tion

4

Fu

nk

tion

5

Fu

nk

tion

6

Fu

nk

tion

7

Fu

nk

tion

8

Fu

nk

tion

9

Fu

nk

tion

10

Fu

nk

tion

11

Fu

nk

tion

12

Se

nso

r1

Se

nso

r2

Se

nso

r3

Se

nso

r4

Se

nso

r5

Se

nso

r6

Se

nso

r7

Se

nso

r8

Se

nso

r9

Se

nso

r1

0

Se

nso

r1

1

Ap

plica

tion

Fra

me

wo

rk

Framework/BSP/Treiber

Bewegungsmanager



Example Autonomous Driving:

Functional Safety (1)

Autonomous driving functions will need ASIL D implementations

Complication:

• Complex image processing and fusion algorithms

• Processing elements (GPUs, FPGAs,…) do not comply to ASIL D

Solution approach:

• Decomposition isolates ASIL D

requirements on Automotive grade

microcontroller („application host“)

• Application level software safety

functionality

• Link with deterministic Ethernet

QM ASIL

D



Intraboard Connection based

on deterministic Ethernet

SoC

100 MBit/s

TTEthernet Switch 4 x 100 Mbit/s

2 x 1 Gbit/s

Clock Synchronization

Graphics + GPUs

100 Mbit/s

SoC

10 Gbit/s Cross-Link

Image

Processing

1 Gbit/s

Integration & Test

Interface

1 Gbit/s

Car2X Ethernet

100 Mbit/s

SoC

100 MBit/s



Example Autonomous Driving:

Functional Safety (2)

Limited fail-operational capability required

(need minimum >10 sec. for hand-over to driver in case of faults)

Solution approach:

• Redundancy concept concept

necessary

• Degraded mode acceptable

• Safety monitoring at functional

level with redundant algorithms

E n s u r i n g R e l i a b l e N e t w o r k s

w w w . t t t e c h . c o m

www.tttech.com Copyright © TTTech Computertechnik AG. All rights reserved.

Thank You!

Documents

Ensuring Reliable Networks New Challenges in Safety ......Cross-Industry Safety, Certification and Availability ... Effort • Development cost grows considerably with design assurance