Codesign and Simulated Fault Injection of Safety-Critical Embedded Systems Using SystemC

Jon Perez, Mikel Azkarate-askasua, Antonio Perez
Embedded Systems Group, IKERLAN-IK4 Technology Research Centre, Mondragon, Spain


Motivation

Design of safety-critical embedded systems requires careful analysis of:
- Fault forecasting
- Fault prevention
- Fault removal
- Fault tolerance

IEC-61508 highly recommends fault injection techniques in all steps of the development process, to analyze the reaction of the system in a faulty environment and to validate the implemented Fault Tolerance Mechanisms (FTM).

Late discovery of a design pitfall might require an expensive redesign of the product!

Simulated Fault Injection (SFI) enables an early dependability assessment.

Could we have a design environment for the codesign and accelerated SFI?

EDCC, Valencia, April 2010


Outline

Preliminaries

SFI with SystemC

Conclusion and future work


Preliminaries – SystemC

SystemC is a standardized system-level design language (IEEE 1666) that provides a codesign and simulation environment:
- Open-source C++ library
- Codesign: both hardware and software components can be described using a common language
- Provides multiple abstraction levels, from architectural level down to Register Transfer Level (RTL)
- SystemC provides an event-driven simulation kernel that:
  - Provides a simulation environment
  - Global notion of time

Black, D. C. and J. Donovan (2004). SystemC: From the Ground Up, Eklectic Ally, Inc.


Preliminaries – Fault Injection

SWIFI (Software Implemented Fault Injection): the objective is to reproduce, at software level, the errors that would have been produced by faults occurring in the execution hardware or software.

HWIFI (Hardware Implemented Fault Injection): fault injection is performed on the final system or on an early hardware prototype.

SFI (Simulated Fault Injection) enables an early dependability assessment of the system, using a simulation model of the system under analysis.

The use of fault injection techniques in SystemC is still scarce, but SFI in HDL models is a well-examined area with three main methods for fault injection:
- Saboteurs: an additional fault injection module is inserted between modules
- Mutants: a component is modified / replaced by an extended component that provides faulty behavior
- Simulator commands: the values of variables and signals are modified manually / automatically using simulator commands


Preliminaries – ETCS odometry

ERTMS (European Railway Traffic Management System) is a European Union-backed initiative for the definition of a common train signaling standard.

ETCS (European Train Control System) is the on-board automatic train protection system, a safety-critical embedded system that protects the train by supervising the traveled distance and speed and activating the emergency brake if the authorized values are exceeded.

It relies on the distance and speed measurements of the odometry system, which is based on a set of diverse sensors. For a maximum speed of 500 km/h the measurement error must be bounded to:


SFI with SystemC – Proposed approach

Modules:
- System model: the design under analysis
- Fault injection module: executes simulator commands with the progression of time by updating a table of variables
- Transactor module: converts the fault injection variables into the custom variables, signals and ports required by the system model under analysis
- Checker module: the custom module that verifies the correct operation of the system

Three consecutive abstraction levels are proposed: behavioral, architectural and system implementation level.


SFI with SystemC – Fault Injection Commands

Command <window, idx, value>
- Window: time window
- Idx: variable index
- Value: given variable value

Window <id, offset, duration>
- Id: time reference identifier
- Offset..offset+duration: command time section
- Special value, forever: <id, offset, -1>
- Special value, default: <-1, -1, -1>
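The command and window semantics above, together with the "table of variables" that the fault injection module of the proposed approach updates over time, as an added stand-alone C++ example. This is not code from the slides or from the authors' SystemC tool: it models the table without the SystemC library, the time-reference identifiers, variable indices (a wheel-diameter factor and an adhesion factor) and values are constructed for illustration, and the rule that the last active command for a variable wins over earlier ones is an assumption.

```cpp
// Added example, not from the original slides. Models a fault-injection
// command table with time windows; no SystemC dependency.
#include <cstddef>
#include <iostream>
#include <map>
#include <vector>

// Window <id, offset, duration>: active while offset <= t - t_ref(id) < offset + duration.
// duration == -1 means "forever"; <-1, -1, -1> marks a variable's default value.
struct Window {
    int id;
    long offset;
    long duration;
};

// Command <window, idx, value>: force variable `idx` to `value` inside `window`.
struct Command {
    Window window;
    int idx;
    double value;
};

class CommandTable {
public:
    void add(const Command& c) { commands_.push_back(c); }

    // Record the simulation time at which time reference `id` fired
    // (e.g. simulation start, or a model event such as reaching a set-point).
    void fire_reference(int id, long t) { refs_[id] = t; }

    // Resolve the value of variable `idx` at time `t` into `out`.
    // Assumption: the last active command wins; if none is active the default
    // applies; returns false when the variable has neither.
    bool resolve(int idx, long t, double& out) const {
        bool found = false, has_default = false;
        double def = 0.0;
        for (const Command& c : commands_) {
            if (c.idx != idx) continue;
            const Window& w = c.window;
            if (w.id == -1 && w.offset == -1 && w.duration == -1) {
                def = c.value; has_default = true; continue;
            }
            std::map<int, long>::const_iterator it = refs_.find(w.id);
            if (it == refs_.end()) continue;          // reference has not fired yet
            long rel = t - it->second;
            if (rel < w.offset) continue;             // window not yet open
            if (w.duration != -1 && rel >= w.offset + w.duration) continue;  // window closed
            out = c.value; found = true;
        }
        if (!found && has_default) { out = def; return true; }
        return found;
    }

    // Apply the table to the variable vector that the transactor would then
    // map onto the system model's signals and ports.
    void apply(long t, std::vector<double>& vars) const {
        for (std::size_t i = 0; i < vars.size(); ++i) {
            double v;
            if (resolve(static_cast<int>(i), t, v)) vars[i] = v;
        }
    }

private:
    std::vector<Command> commands_;
    std::map<int, long> refs_;
};

// Constructed scenario: var 0 = wheel-diameter factor, var 1 = adhesion factor.
// Reference 0 fires at simulation start; reference 1 is left to the caller.
CommandTable build_example_table() {
    CommandTable t;
    t.add({{-1, -1, -1}, 0, 1.0});   // default wheel-diameter factor
    t.add({{-1, -1, -1}, 1, 1.0});   // default adhesion factor
    t.add({{0, 100, 50}, 0, 1.1});   // +10% wheel diameter for t in [100, 150)
    t.add({{1, 0, -1}, 1, 0.3});     // adhesion drops "forever" once reference 1 fires
    t.fire_reference(0, 0);
    return t;
}

int main() {
    CommandTable table = build_example_table();
    table.fire_reference(1, 200);   // constructed: low-adhesion event at t = 200
    std::vector<double> vars(2, 0.0);
    for (long t = 0; t <= 250; t += 50) {
        table.apply(t, vars);
        std::cout << "t=" << t << " wheel=" << vars[0] << " adhesion=" << vars[1] << '\n';
    }
    return 0;
}
```

The default entry is what makes the table safe to apply at every time step: a variable with no active command is always written back to its nominal value rather than keeping a stale injected one, which is the mistake that turns a transient fault campaign into a permanent one by accident.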


SFI with SystemC – Behavioral level


- Combination of diverse sensors: which type and how many
- Analysis of sensor-fusion algorithms
- Analysis of the sensor fault-error-failure chain
- Injected faults (FMEA):
  - Relative angles
  - Adhesion factor
  - Wheel diameter
  - Etc.


SFI with SystemC – Architectural level


- TMR, Triple Modular Redundancy
- Each node implements the sensor-fusion algorithm
- Distribution of sensors in nodes
- Distribution of information (interfaces)
- Fail-silent node
- Voting algorithm
- Etc.

Injected faults (FMEA):
- Communication channel failure
- Node failure
- Node sends incorrect value
- Etc.
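An added example, not from the slides, that ties the saboteur method from the fault-injection preliminaries to the TMR, fail-silent and voting topics of this level: a saboteur is inserted between each node and the voter to inject a silent channel (communication channel or node failure) or a corrupted value (node sends incorrect value), and a tolerance-based majority voter shows which injected faults are masked and which leave the system without a valid output. Plain C++ without SystemC; the node outputs, tolerance and fault modes are constructed, and the voting rule (mean of at least two valid inputs agreeing within a tolerance) is an assumption, not the authors' algorithm.

```cpp
// Added example, not from the original slides. TMR voter with a saboteur on
// each node-to-voter channel; no SystemC dependency.
#include <array>
#include <cmath>
#include <cstddef>
#include <iostream>

// What a node presents on its interface to the voter. A fail-silent node
// withdraws its value (valid == false) instead of emitting a wrong one.
struct NodeOutput {
    bool valid;
    double distance;   // metres (constructed units)
};

// Saboteur fault modes: pass-through, silence the channel, or corrupt the value.
enum class FaultMode { None, Silent, Corrupt };

// Saboteur inserted between one node and the voter.
struct Saboteur {
    FaultMode mode = FaultMode::None;
    double corruption = 0.0;   // offset added to the distance in Corrupt mode
    NodeOutput apply(NodeOutput in) const {
        switch (mode) {
        case FaultMode::Silent:  return {false, 0.0};
        case FaultMode::Corrupt: return {in.valid, in.distance + corruption};
        default:                 return in;
        }
    }
};

// Voter result. `ok == false` means no majority could be formed; the checker
// module would then expect the system's safe reaction (e.g. braking).
struct VoteResult {
    bool ok;
    double distance;
    int agreeing;   // number of valid inputs supporting the chosen value
};

// Assumed voting rule: find a valid input supported by at least one other valid
// input within `tol`, and return the mean of the agreeing inputs.
VoteResult tmr_vote(const std::array<NodeOutput, 3>& in, double tol) {
    for (std::size_t i = 0; i < 3; ++i) {
        if (!in[i].valid) continue;
        double sum = in[i].distance;
        int n = 1;
        for (std::size_t j = 0; j < 3; ++j) {
            if (j == i || !in[j].valid) continue;
            if (std::fabs(in[j].distance - in[i].distance) <= tol) { sum += in[j].distance; ++n; }
        }
        if (n >= 2) return {true, sum / n, n};
    }
    return {false, 0.0, 0};
}

// One simulation step: each node's output passes through its saboteur before voting.
VoteResult step(const std::array<NodeOutput, 3>& nodes,
                const std::array<Saboteur, 3>& sab, double tol) {
    std::array<NodeOutput, 3> seen;
    for (std::size_t k = 0; k < 3; ++k) seen[k] = sab[k].apply(nodes[k]);
    return tmr_vote(seen, tol);
}

int main() {
    // Constructed node outputs: three healthy nodes agreeing within 1 m.
    const std::array<NodeOutput, 3> nodes{{{true, 1000.0}, {true, 1000.4}, {true, 999.7}}};
    const double tol = 1.0;

    std::array<Saboteur, 3> none{};
    std::array<Saboteur, 3> one_wrong{};
    one_wrong[1].mode = FaultMode::Corrupt;
    one_wrong[1].corruption = 50.0;          // node 1 sends an incorrect value
    std::array<Saboteur, 3> two_silent{};
    two_silent[0].mode = FaultMode::Silent;  // two channels / nodes lost
    two_silent[2].mode = FaultMode::Silent;

    for (const auto* s : {&none, &one_wrong, &two_silent}) {
        VoteResult r = step(nodes, *s, tol);
        std::cout << (r.ok ? "ok " : "NO MAJORITY ") << r.distance << " (" << r.agreeing << " agree)\n";
    }
    return 0;
}
```

The three scenarios are the FMEA cases listed above: no fault (all three agree), one node sending an incorrect value (masked by the other two), and two silent channels (the voter cannot form a majority and must report failure rather than trust the single survivor).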


SFI with SystemC – System implementation level


- Hardware / software partition
- More detailed interface design
- Custom design refinement level:
  - Sensor model
  - Hardware
  - Microprocessor
  - Etc.

Injected faults (FMEA):
- Statistical bit-flips
- Statistical signal glitches
- Etc.


SFI with SystemC – Command Table


[Figure: command table, showing the default values, the speed set-point, the fault-injection variables and the distance]


SFI with SystemC – Experimental result


Conclusion and Future Work

Summary: the use of SystemC for codesign and SFI provides multiple advantages:
- The system is codesigned using a single standard modeling language
- Simulations include SFI
- Eases design space exploration and FMEA analysis
- Multiple abstraction-refinement levels are supported
- Helps reduce the risk of late pitfall discovery
- Meets the IEC-61508 recommendation to use fault injection techniques in all steps of the development process
- Complementary with SWIFI and HWIFI

Future work: maintenance-oriented fault injection, to ensure that spurious malfunctions of interest (e.g. transient faults) are detected and registered.


Thank you!
