Functional Safety in Linux-AP · Functional Safety in Linux-AP ... Gesture Recognition Mixed...

1Automotive Linux Summit Fall 2013

Functional Safety in Linux-AP

* ETRI=Electronics and Telecommunications Research Institute, Korea


SoCs in Automotive

SafeSafe SmartnessSmartness ComfortComfort

* Source : ETRI Industry Analysis Report 2010

Airbag

Smart door Window

Engine Control

Smart Dashboard(Nav, Audio)

TransmissionControl

TPMS(Tire Pressure

Monitoring System)

Seat Control

ABS Control Unit

Steering

Blackbox

ASV (Advanced Safety Vehicle)ASV (Advanced Safety Vehicle)


ADAS and CPU

2000 2020

ADAS (Advanced Driver Assistance System)

2010

Reduce Injuries PAS1) Danger Warning(LDWS2), Immediate Braking)

Safe Driving Control(LKAS3))

1) PAS:Parking Assist System 2) LDWS: Lane Departure Warning System3) LKAS : Lane Keeping Assist System

V2V4), V2I5), ITS6)

4) V2V: Vehicle-to-Vehicle5) V2I: Vehicle to Infrastructure6) ITS: Intelligent Transportation System

Driving-Central Smart Car

Simple SWComplex SW

Driving Smartness & Comfort

Standardized Software

High-Performance APs


ADAS for Smart/Safe Driving; Future of Cars

Safe DrivingSmart Driving

Automotive OS(Future of AGL?) Vehicle AP

Automotive Embedded System

Lane Detection Traffic Sign Recog.

Pedestrian Detection Night Vision

Multi-Radar/ACC

V2V/ITS

IVI(In-Vehicle Infotainment) Voice Recognition

Route/ParkingGuidance

Gesture Recognition

Mixed Reality Display Collision Warning Brake


Why Fault-Tolerance in Linux-AP?

Fault TolerantAutomotive SW-SoC

Automotive App.on Linux

Vehicle AP

Brake-by-Wire =Control by SW-SoC


Malfunction of Linux-AP

ADAS(Advanced Driver Assistance)+Steeringrequests High-Quality Fault-Tolerant SW-CPU

Steer-by-Wire

Brake-by-WireDrive

monitoring

ECU

Sources of Transient Erros

MCU/CPU/AP

Cosmic rayNoise

Voltage/Current fluctuation

Temperaturevariation

Error ModelingSET

(Single Event Transient)

SEU (Single Event Upset)

6


Challenges in Fault-Tolerant Linux-AP

Automotive Linux

Fault-tolerance in high-performance AP (>800MHz, ~1.2GHz)

* Plenty of researches in MCU

Redesign of the ‘Core’ for protectingtransient error

Redesign of the ‘Core and OS’ toDetect faults and Recover status

Linux kernel/drivers’ designfor fault-tolerance

* Previous works are for firmwares

Approval of ‘Core and OS’ as a ‘Safety Element’ in Vehicles


ISO 26262 Roadmap for Automotive APs

AP

SystematicFaults

HW randomfaults

Avoidance ofFaults in the process

Avoidance ofBugs in SW

Requirements tracking, conf. mgmt.

Control & Verification of the design process

Control & Verification of usage, maintenance, and

changes

Control & Verification ofTool suites (compiler,..)

Control & Verification ofSW test design

Doc. & Verification ofHW-SW interfaces

AnalysisSafety

Mechanisms


ISO 26262 Roadmap for Automotive APsAP

HW randomfaults

AnalysisSafety

Mechanisms

SystematicFaults

QualitativeAnalysis

Dependent failures(CCF) analysis

QuantitativeAnalysis

HW metrics analysis(SPFM, LFM, PMHF)

HW metrics verification(fault injection)

HW diagnosticMechanisms

(e.g ECC, DCLS, etc.)

SW diagnostic mechanisms

(e.g. SW tests)

※DCLS=Dual-Core Lockstep

Measures forCCF avoidance


ASIL Definition

C1 C2 C3

S1

E1 QM QM QME2 QM QM QME3 QM QM AE4 QM A B

S2

E1 QM QM QME2 QM QM AE3 QM A BE4 A B C

S3

E1 QM QM AE2 QM A BE3 A B CE4 B C D

QM=Quality Managed, For function but is not a safety concern

ExposureClass

E0 E1 E2 E3 E4

Desc. IncredibleVery low

probabilityLow

probabilityMedium

ProbabilityHigh

Probability

ControllabilityClass

C0 C1 C2 C3

Desc.Controllable in general

SimplyControllable

NormallyControllable

Difficult to control or

uncontrollable

SeverityClass

S0 S1 S2 S3

Desc.No

injuries

Light and moderate injuries

Severe and life-

threatening(probably survive)

Life-threatening(survival?)


SEooC8.3.1 ... Microcontrollers are an integral component of modern automotive systems. They can be developed as a safety element out of context(SEooC).

9.1...An SEooC is a safety-related element which is not developed for a specific item. This means it is not developed in the context of a particular vehicle.

Position of SEooC

Part-10, 9.2.3. Assumptions and SEooC Development

Assumptions onsystem-level,

safety requirements,system-level design

Hardware(MCU)development

Work products(report of safety goal)

Integration of the SEooCinto the item


Fault Detection (Current Technology)

Protection

Redundancy

PerturbedRedundancy

Mem1 Mem2 Mem3Original Data

+ECC

Thread1-1

Thread1-2

Thread1-3

Core1 Core2

Thread1

Thread2

Thread3

Core1

Core2

13

Physical Isolation gives space diversity Delayed lockstep gives time diversity It may weak to CCF(Common Cause Failure)


Redundancy suppressing Failures

*Re-analysis of Infineon’s Presentation

Type Cause Effects Lifetime

EOSElectrical Over-Voltage/Current Stress

Hot spots > 1ms

ESDElectro-Static Discharge

Upto 1A dischargecurrent

100ps to 1us

Cosmic Radiation

External environment(>1MeV)

~100fC chargelocalized in a few um

< 100ps

Intrinsic Radiation

Alpha from package(~8MEV)

Hole-electron pair generation in a few um

< 100ps

14

purpose

redundancy

perturbedredundancy

error sources


DCLS (1)

PrimaryCore

CheckerCore

Compare

Physical Isolation gives space diversity Delayed lockstep gives time diversity It may weak to CCF(Common Cause Failure)


Physical separation

DCLS (2)

F DEC E

F’ DEC’ E’

AntiCore

XORXOR

XOR

Reduced delay lines Shadow core does inverse of the core Physical separation


DCLS in Action

Logic BIST

ECC FlashIF

ECC Flash

SPF

MPU(mem)

CPUMaster

INT DMA

ECC RAM IFPBUSIF

V850E2M

ECCRAMBIST

Peripherals

LogicBIST ECC BIST

RAM

2 clockdelay

2 clockdelay

2 clockdelay

CPUChecker

DMA

SPF

MPU(mem)

INT

RAM IF ECCPBUS

IF

Logic BIST

ECCFlashIF

V850E2M

SafetyGuardian

Compare Unit

Clock monitor

Clock monitor

Clock monitor

WDT

Clock Gen

Clock input

Ring OSC


DCLS in Actions

* Excerpts from Infineon

Thread 1a

Thread 1b

Thread 2


Automotive AP Dev. Process in ETRI

Appropriate development procedure Measurement for analysis (FMEA) Review by required organization Documentation

Requirements in the Development Process

OverallArchitecture

Design

Fault injection &analysis

FaultTolerance

Mechanism

FunctionVerification

Final Design

Tape-out

IntermediateReview

Synthesis P&R ReliabilityAnalysis Fab. Packaging

ReliabilityTest

(AEC-Q100)

Review &Final

Document

20

ACCDEP (Automotive CPU Core Design Process in ETRI)


Basic SoC Design Methodology

Requirements

SimulateRTL Model

Gate-levelModel

Synthesize

Simulate Test Bench

ASIC or FPGA Place & Route

TimingModel Simulate


ACCDEP in V Model

Hazard andRisk Analysis

Safety requirements

from Customer

ASIL safety goal

Safety requirements(generic, architecture,

assumption)

Specification ofSafety Integrity Measures

(SoC+SW)

ACCDep

Safety Analysisand Validation

Safety Report(FMEA, Metrics)

Item integration, Safety Validation &

Assessment

SW-SoC Design Group

Inputs for Part 5,6 Outputs for Part 5,6

22


Required Expertise in ACCDEP

Involvement & Understanding of Standardization

Safety Analysis ExperimentsFor Automotive Applications(LKAS, Braking, Airbag, ..)

Automotive AP/MCUDesign Technologies

SW-SoC Technology Core development DCLS, Assertion, Voting, ECC, ..

Cooperation with external institutes

For safety assessment

FMEA Methodology SetupFault injection & Simulation

23


Faults and Errors in ACCDEP

Systematic Error Error in the process

Bugs in SW

Bugs in HW design

Permanent Chip FailureRandom Error

Transient Error

ErrorDiscrepancy

FaultAbnormal condition

causing failure

FailureTermination of

The ability

Control & Verification

Simulation, Testing,Static analysis

Simulation, Testing, Formal verification

Stress test(AEC-Q100)

Fault-ToleranceTechniques

24


ETRI’s Roadmap for Embedded Processors

DSP Core

Video Core

2006 2008 2010 2012 2014 2016

Single-Core DSP160 instructions180MOPS@130nm

“EMP-S”

“EMP-D”Dual-CoreMulti-Port SPM160 inst.500MOPS@130nm

“Aldebaran-S”

x2 1.6GOPS@800MHz32-bit Dual-CoreMMU(TLB, Cache)

Touch Sensor2

Sound EffectSoC

Touch SensorMedia SoC Audio

SoC

AP for EmbeddedSystems

“Aldebaran-R”

x32-x64 core CPUReliability, Perf., Power0.1mW/MHz

MOSAICMulti-Core Video SoC

“Aldebaran-V”

x4 4GOPS@1GHzFault-Tolerant CPU asSEooC in ISO 26262

“MOSAIC”

“Aldebaran-C”Multi-Channel

Video Codec APx2 1.6GOPS@800MHzHEVC (4K/8K video codec)SPMD Array Processor

Fault-TolerantVehicle AP

Many-Core CPU

Compact Embedded DSP(35Kgates, 3mW@130nm/core)

AP for Embedded Products(300Kgates, 99.8mW@65nm/core)


Positioning

Cortex-A9, x2, 4000DMIPS,500mW,1GHz@40nm

Cortex-A8, x1, 1200DMIPS,300mW,600MHz@40nm

2000

Cortex-A15 (to come), x2, 8400DMIPS, ~900mW, 1.2GHz@28nm

60004000 8000

300

600

900

Power(mW)

Performance(DMIPS)

Simple “number of cores” war will face the end.The power efficiency war is the next round.

Too Hot for Mobile Applications ! (1.1W)

Aldebaranx8, 18400DMIPS,150mW@45nm


Aldebaran Development Platform< Architecture >

< Xilinx FPGA Platform >LCD(1200x800)+FPGA b/d+Base b/d


Aldebaran-S2 (Dual-Core)

SCLKNET(p_osc,4)

SJTAG(pjt,5)

FMC(pfm,15)

GPIO(pio,10)

DDR2(pdd, 76)

SDR(psd,58)

VIDEO(plcd,29)

USBHS(pus,6)

SDIO(psi,12)

SMC(psm,37)

AC97(pac,5)

I2C(pic,8)

UART(pua,4)

PWM(pwm,4)

PMU(pjumper,8)

IROM IRAM

INTC DMAC

NIC

ALDEBARAN_CORE

ID 0

ALDEBRAN_CORE

ID 1

TIMER/WDT

< Block Diagram of Aldebaran >

< Aldebaran Layout >


Aldebaran Architecture

M0 M2

S0 S1 S2

aldebaran_nic_7m8s M4

VC(VIDEO,

LCD)SJTAG

DDR2SDR

SNAKE_COREID 0

PMU Timer

S6

M1

DMA

S4

SMC(SRAM I/F)

INTC

M3

USBHS(USB Host)

irom

iram

S3

NFC(NAND Flash)

S5

USB_Slave

DMADDR2GPU PCIe HDMI MFC

USBOTG SATA Ethernet(802.3) CAM

AXI multi-layer bus

AXI multi-layer bus

LS0

LM0

RS0

RM0BL BR

SCLK4NET

AXI

AHB

APB

core_clk

SMC

Video

M5

SDIO0

S7

SDIO1

FMCWDT

NOR

M3

SNAKE_COREID 1

coreb_clk

core_clk

bl_clk

br_clk

sdr_clk

usb_clk

p_osc_clki

video_clk

pdd_sys_clk_p

pac_bit_clk_pad_i

bl_clk br_clk

usb_clk

video_clk

sdr_clk

coreb_clk

pdd_sys_clk_ppdd_clk_ref_ppdd_clk_ref_n RTC

UART0,1

AC97

I2C0,1

SJTAG

PWM

USBHS

p_osc_clk48mpjt_tck_in

CAN0,1


Features of Aldebaran

Dual-issue in-order superscalar with 32bit I/D Target : 800MHz@65nm,1.1V, 1GHz@45nm,1.0V BTB: 2-way x 256-entry x 58-bit =3.7Kbytes BP: 10-bit GHR, 256x16x2b=1Kbyte I/D cache: Each 32K bytes, Tag 2.12Kbytes,

I$+D$ 68.25Kbytes TLB: Each 32-entry PTE(Page Table Entry) for

iTLB/dTLB Separate iTLB/dTLB, each 32 entries Each 65-bit PTE with selective FLUSH/PROBE

Dual-rail decode and in-order scheduler w/ Scoreboard

Execution queue Queue containing decoded/scheduled blocks Run-time OS support for LP execution

Superscalar execution unit 2 integer units, 1 load store, and FPU for

single/double fpu operationsMulti-port register file

800MHz, 2.63mm2@65nm

Core

Clock Net Frequency Description

osc_clki (ref_clk) 50MHz PLL reference clock

SCLKNET/core_clk 500MHz~1GHz Core block

SCLKNET/bl_clk core_clk/2, 250MHz~500MHz

BL bus

SCLKNET/br_clk 200MHz BR bus

SCLKNET/sdr_clk 166MHz SDR clock

SCLKNET/video_clk 80MHz VC clock

osc_clk48m (usb_clk) 48MHz +/- 0.2% USBHS clock

pdd_sys, pdd_ref(ddr2 4 clks)

200MHz SNAKEM_DDR2

psd_clk_in 166MHz SDR feedback

pjt_tck_in 10MHz SJTAG clock

pac_bit_clk_pad_i 12.8MHz SNAKEM_AC97

sdio internal clocks ~50MHz(gated from br_clk)

Clocks in Aldebaran


NFS : NAND Flash controller 128M~32Gbytes NAND supportMax 400Mbps Configurable, for various NAND types

USBHS : Usb controller USB(1.1) Host controller

SDC : SD controller SD card(1/4-bit mode)/SDIO/SPI

Features of Aldebaran

VC: Video Controller EDMA for NoC off-loading 1280x800 resolution, HDMI support

DRAM Controller 256Mbytes DRAM 166MHz SDR(166Mbps) 200MHz DDR2(400Mbps)

iROM : Internal ROMMultiple bootstrap modes

iRAM: Internal RAM 32Kbytes for complex bootstrapping

NoC-Left SMC : SRAM I/F controller Configurable SRAM Interface Interface for LAN9220

INTC : 32-source PIC Timer/WDT: Periodic/One-shot/Watchdog, 4 sets

CAN: 2-wire CAN for OBD-II, 2 sets

PWM: Pulse-Width-Modulation Configurable waves LCD backlight, Dimming

UART: UART 16550 38400/115200 baud rate

AC97: Audio AC97 codec interface Volume management

I2C: Inter-IC Control 7-bit/10-bit address I2C master/slave composite LCD Touch Interface

SJTAG : JTAG Interface PC-Core Communication Core debugging, Program Download On-Chip flash burning

NoC-Right

NoC-Right


Core Architecture

BPBTB

TLB

iTLB dTLB

MMUC

I$

IQVA S

D0U

FS

D1U

D0D D1D

IU0

RF

EQIU2

D$

FPU

LS

EP EE

13 pipeline stagesSB

LegendVA : Virtual Address S : SchedulerBTB : Branch Target Buffer SB : ScoreboardBP : Branch Predictor EQ : Execution QueueFS : Fetch Scheduler RF : Register FileIQ : Instruction Queue IU : Integer UnitDU : Upper Decode LS : Load/Store UnitDD : Down Decode EP/EE : Execute Prolog/Epilog

✔US 12/832313, “Local stack storage for processors” ✔US 7958321, “Apparatus and method for reducing memory access

conflicts among processors” ✔MICPRO 2010, ”Partial access conflict-relieving programmable

address shuffler for parallel memory system in multi-core processor”


Core Internals

SNAKE_CORESNAKE_RESET

I cache

D cache

Decoder Scheduler

Trape0

e1-e3

REGFILEFQUEUE

BTB & BP

FS

EQ & EP

TLB

AXIF

※ Block size is independent of the actual gate count.

SNAKE_C


Aldebaran Instructions

LDSB LDSBALDSH LDSHALDUB LDUBALDUH LDUHALD LDALDD LDDALDFLDDFLDFSRLDCLDDCLDCSRSTB STBA STH STHAST STASTD STDASTF STDFSTFSRSTDFQSTCSTDCSTCSRSTDCQLDSTUB LDSTUBASWAP SWAPASETHINOP

AND ANDcc

ANDN ANDNcc

OR ORcc

ORN ORNcc

XOR XORcc

XORN XORNcc

SLL

SRL

SRA

ADD ADDcc

ADDX ADDXcc

TADDcc TADDccTV

SUB SUBcc

SUBX SUBXcc

TSUBcc TSUBccTV

MULScc

UMUL UMULcc

SMUL SMULcc

UDIV UDIVcc

SDIV SDIVcc

SAVE

RESTORE

Bicc

FBfcc

CBccc

CALL

JMPL

RETT

Ticc

RDASR

RDY

RDPSR

RDWIM

RDTBR

WRASR

WRY

WRPSR

WRWIM

WRTBR

CAS

CASA

STBAR

UNIMP

FLUSH

FiTO(s,d,q)

F(s,d,q)Toi

FsTOd

FsTOq

FdTOs

FdTOq

FqTOs

FqTOd

FMOVs

FNEGs

FABSs

FSQRT(s,d,q)

FADD(s,d,q)

FSUB(s,d,q)

FMUL(s,d,q)

FDIV(s,d,q)

FsMULd

FdMULq

FCMP(s,d,q)

FCMPE(s,d,q)

Cpop

Load-Store Arithmetic Flow Sync Floating-point

Register move

VectorVLD

VST

VADD

VSUB

VMUL

VSUM

VABS

VAND

VOR

VSHF

VSQR


I Cache; VIPT

I$

Inst[31:0]

index[12:5] offset[4:2]tag[31:13]

inst inst inst

=

select

Tag size=(28x19bx4) Data size = (28x32bytesx4)

PA[11:2]PA[35:12]

VA[31:2]

TLB

Hit way

Miss

tagtag

tagtag

BlockBlock

Mux

4-way Blocks

Block

✔US 출원중, “Apparatus for saving energy of a cache using scratch pad memory” ✔JCSC 2010, ”Application-adaptive reconfiguration of memory address shuffler ”


D Cache; PIPT

D$

Data[31:0]

=

select

Tag size=(28x19bx4)

Data size = (28x32bytesx4)

TLB Hit

Miss

tagtag

tagtag

VA[11:2]VA[31:12]

index[12:5] offset[4:2]tag[35:13]PA[35:2]

Data[31:0] Write Buffer

HitMiss

Blockinst inst inst


Branch Prediction; Gshare

GHR[9:2]

PHT

GHR(Global History Register)

PHT (Pattern History Table)

Gshare = Derivative of GAp

GHR[4:0]^PC[4:0]

256 entries

To reduce “aliasing” by PC, use XOR

32 entries

Hit ratio


inst. g0

Instruction Queue & Bandwidth

inst. g1

inst. g7

decode_u

decode_d

FastBranch

Detection

inst0inst1inst2inst3inst4inst5inst6inst7

cache line

Dual instruction Selector


Scheduler

Scheduler & Fire-and-go

Hazard Resolution

int0_e0 int1_e0 ldst_e0

int0_e1 int1_e1 ldst_e1

int0_e2 ldst_e2

ldst_e3

fp_e0

fp_e1

Flow Control

e0

e1 e2

e1

e1 e2 e3

e1

Fire-and-go


TLB

iTLB

Page Table and TLB

r_ctpr(12b) L1 pPTD

L1 pPTD

L1 pPTD

L1 PTD/E L2 PTD/E L3 PTD/E

256 entries 64 entries 64 entries

Index1 Index2 Index3 Offset

31

24 23 18 17 12 11 0

VA

entry 0

entry 1

entry 31

dTLBentry 0

entry 1

entry 31

VA tags ctx PTE

c_ctx

r_ctpr

r_fsr

r_far

PPN C M R ACC ET8

36-bit physical address

VAPA Flush(partial/full) Probe


Traps

Trap name #ttreset 0x2bdata_store_error 0x3cinstruction_access_error 0x21instruction_access_exception 0x01privileged_instruction 0x03illegal_instruction 0x02fp_disabled 0x04cp_disabled 0x24window_overflow 0x05window_underflow 0x06mem_address_not_aligned 0x07fp_exception 0x08cp_exception 0x28data_access_error 0x29data_access_exception 0x09tag_overflow 0x0adivision_by_zero 0x2a

Trap name #tttrap_instructions 0x80~0xff

Trap name #ttinterrupt_level_15 0x1finterrupt_level_14 0x1einterrupt_level_13 0x1dinterrupt_level_12 0x1cinterrupt_level_11 0x1binterrupt_level_09 0x1ainterrupt_level_09 0x19interrupt_level_08 0x18interrupt_level_07 0x17interrupt_level_06 0x16interrupt_level_05 0x15interrupt_level_04 0x14interrupt_level_03 0x13interrupt_level_02 0x12interrupt_level_01 0x11


IDE w/ GCC

Core verification, performance measurement for Aldebaran

such as SpecCPU, CoreMark, etc.

C/C++ Compiler+LibrariesC/C++ Compiler

ar as cppgcc g++ gcj

gcov gprof ld objcopy objdump read_elf

crt1.o libc libmlib

pthread librtlib

stdc++

Debugger

The small-sized server SW to communicate with JTAG-based OCD implemented in the chip

※ OCD : On-Chip Debugger

OCD

Client software for C/C++ Source-Level Debugging

EmulatorModeling of core, tlb, mmu,

and the main memory

Monitor

Probing and control of the corethrough JTAG

Linux

Linux Kernel(3.3)

MMU mgt.

Flash driver

Mediadrivers

Bootloader

Applications

GraphicsLibrary

Web OpenGLOpenCL

Frame buffer

Verification Apps

IDEIntegrated development

environment GUI with Compiler, Assembler, Debugger

Aldebaran SWEcosystem


Verification Basics

Application(C/C++)

ELF(executable)

Image(.text, .data, .bss..)

CompilerLinker

Objcopy

Emulator

Aldebaran core RTL simulation

SnakemuCoreState Buffer

IPC channel(host machine)

shmget(), shmat()

Cycle-by-Cycle Comparison

RTL DirectPortInterface

RTL Sim

ulatorHost

machine


Energy Management

PMU

Core 0

NoC-Left

NoC-Right

Core 1

DRAM

VC

USB

AC97

PLL

PLL

PLL

PLL

PLL

PLL

1/2

core_clk

coreb_clk

bl_clk

br_clk

sdr_clk

vc_clk

usb_clk

PMIC

VoltageRegulation

Control

ac97_bit_clk

IO PadsIO Power

core0, 0.8~1.1V

core1, 0.0V, 0.75~1.1V


Comparison

Area and Power

Core_C0.87mm2@65nm

300K gates

I$0.88mm2@65nm

305K gates

D$0.88mm2@65nm

305K gates

CORE2.63mm2@65nm 980K gatesMax 99.8mW@800MHz

(PT-PX Simulation)

Aldebaran Core0.125mW/MHz

MIPS 1074kf0.36mW/MHz

ARM Cortex-A90.625mW/MHz

* Excerpted from MIPS, ARM’s website* Power efficiency depends on synthesis constraints


Fault Analysis in ACCDEP

Modeling

Architecture

BPBTB

TLB

iTLB dTLB

MMUC

I$

IQVA S

D0U

FS

D1U

D0D D1D

IU0

RF

EQIU2

D$

FPU

LS

EP

EE

SB

mBTB

mBP

mFSmDE

O1 O2

O3

),(),()( ij

jmimi oiPomPoP

Fault Simulation SWStimulus vector

Modulewithout Error

Modulewith Errorinjection

FaultRate

Extraction(VPI)

Error Generation

(VPI)

Injection(VPI)

46


Aldebaran-V (Concept)

47

BPBTB

TLBiTLB dTLB

MMUCMMUC

IQVA S

D0U

FS

D1U

D0D D1D

IU0

RF

EQIU2

FPU

LS

EP

EE

SB

F1 F2 F3 D0 D1 S EQ E0 E1 E2 E3VA F0



2 cycle delay

2 cycle delay

V V V V V V V V V V V V

Internal pipeline architecture

detection : spatial, time, logical diversity tolerance : 2oo3 voting recovery : micro-flushing on failure detection

Micro-flushing for fault detection and recovery

Pipeline redundancy

R.Mem

R.Mem

Failure detected Micro-Reset


Register File

Aldebaran-V (Register-based Micro-flushing)




r0 r0-eccr1 r1-ecc

r31 r31-ecc

TMR

r0 r0-eccr1 r1-ecc

r31 r31-ecc

UpdateHistory(for 2

cycles)

Register File

r0 r0-eccr1 r1-ecc

r31 r31-ecc

UpdateHistory(for 2

cycles)

Register File

Pre-Core 0

Pre-Core 1

Core (actual)

Failure detected Micro-Reset


Kernel-AP Interaction in Aldebaran-V

Normal operation

Fault detected

Micro-flushing

yes

Linux

Thread ID

2oo3 matches?

noAP-driven

fault history

Rewind

Fault Table

PC

Interval

Timer isr

Do backupfor faulty process

Kernel AP


Implementation

AldebaranCore 0

AldebaranCore 1

50


Summary

Development of High-performance CPU for Next-generation Automotive CPU is required.

(Integrity + Functional Safety)

The Functional Safety Expert Group calls forparticipants interested in Functional Safety/Fault-Tolerance

in AGL


Automotive V-Model

Development of Car System

Development of Sub-System

Development of Mechanical Parts

ECU Development

ECU SWDevelopment

ECU HWDevelopment

ECU SWImplementation

ECU SWIntegration and Test

ECU HWSign-Off

ECU HW/SWIntegration and Test

ECU Sign-Off

ECU sensors, actuators,Mechanical parts Integration, Calibration, and Test

Sub-System Sign-Off

Sub-Systems integrationTest, and validation

Car SystemSign-Off


Trends of High-Performance Automotive AP

Need for Functional Safety 100 MCUs, 150 pounds of wiring 107 lines of code

Automotive’s Complexity Increases Exponentially

(Source: Design News, Apr. 2013 & ITPro Portal Apr. 2013)

Freescale QuorrivaMPC5748G

Renesas R8A7790X(R-Car H2)

Freescale MPC5748G : Multi-Core MCU Renesas R8A7790X : Octa(8x) Automotive MCU

High-Performance Multi-Core Automotive MCUs

Freescale PX

Infineon TriCore

Functional Safety in Linux-AP · Functional Safety in Linux-AP ... Gesture Recognition Mixed...

Documents

Transcript of Functional Safety in Linux-AP · Functional Safety in Linux-AP ... Gesture Recognition Mixed...