Building a safe and secure embedded world
Michael Weiß, Senior Account Manager
Safety with professional SW components
“Sicherheit” – What is Security and Safety?
Security: protect the system against unauthorized external influence.
Safety: avoid harm and injuries caused by malfunctioning of the system.
Security + Safety = Safe and Secure System
11.09.2018 Copyright © Hitex GmbH 2018. All rights reserved.
Functional safety definition
Functional safety is about “absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E systems”
Hazards: “potential source of harm”
Harm: “physical injury or damage to the health of persons”
Failures are the main impairment to safety:
Systematic failures: “failure, related in a deterministic way to a certain cause, that can only be eliminated by a change of the design or of the manufacturing process, operational procedures, documentation or other relevant factors”
Random HW failures: “failure that can occur unpredictably during the lifetime of a hardware element and that follows a probability distribution”
Systematic Failures vs. Random Failures
Systematic: inherently unsafe. Random: sometimes unsafe.
Safety Standards
ISO 26262: Automotive
ISO 13849: Machinery
IEC 501xx: Railway
IEC 60335: Household appliances
IEC 60601: Medical
IEC 61508: Electrical, electronic and programmable electronic systems
Safety integrity levels defined by these standards: Class A, B, C; SIL 1, 2, 3, 4; ASIL A, B, C, D; Cat 1, 2, 3; PL A, B, C, D
Demands of the standards (Safety)
Reduction of systematic failures
Reduction of random failures
Analyse failures
Reduction of failures to fulfil the Safety Integrity Level
In all stages of the development process, measures have to be planned, executed and documented in order to manage, verify and assess functional safety.
V-Model approach
Traceability
Demands of the standards (Systematic failures)
Total failure rate
The Safe Failure Fraction (SFF) describes the proportion of safe failures relative to the total failure rate of a subsystem:
$$\mathrm{SFF} = \frac{\Sigma\lambda_{S} + \Sigma\lambda_{DD}}{\Sigma\lambda_{total}} = 1 - \frac{\Sigma\lambda_{DU}}{\Sigma\lambda_{total}}$$
The diagnostic coverage (DC) describes how many of the dangerous failures can be detected:
$$\mathrm{DC} = 1 - \frac{\Sigma\lambda_{DU}}{\Sigma\lambda_{D}} = \frac{\lambda_{DD}}{\lambda_{D}}$$
Demands of the standards (Statistical failures)
Decomposition of the total failure rate $\lambda_{total}$:
Safe failures $\lambda_{S}$: detected $\lambda_{SD}$, undetected $\lambda_{SU}$
Dangerous failures $\lambda_{D}$: detected $\lambda_{DD}$, undetected $\lambda_{DU}$
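To make the two formulas concrete, here is an added worked example in C (not from the Hitex slides): a failure-mode table is summed into the four classes λSD, λSU, λDD and λDU of the diagram above, and SFF and DC are computed from those sums. The failure modes, their FIT values and their classification are constructed for illustration; the code also handles the case of a zero total failure rate, for which both metrics are undefined.

```c
/* Added example: SFF and DC from a failure-mode table, following
 *   lambda_total = lambda_S + lambda_D
 *   lambda_S     = lambda_SD + lambda_SU   (safe: detected / undetected)
 *   lambda_D     = lambda_DD + lambda_DU   (dangerous: detected / undetected)
 * All failure modes and rates below are constructed, not measured data. */
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>

typedef struct {
    const char *name;
    double fit;       /* failure rate in FIT (failures per 1e9 device-hours) */
    bool dangerous;   /* false: safe failure mode, true: dangerous failure mode */
    bool detected;    /* true: covered by a diagnostic / safety mechanism */
} failure_mode_t;

typedef struct {
    double sd, su, dd, du;   /* lambda_SD, lambda_SU, lambda_DD, lambda_DU */
} rate_split_t;

typedef struct {
    double lambda_s, lambda_d, lambda_total;
    double sff;       /* Safe Failure Fraction, 0..1 */
    double dc;        /* Diagnostic Coverage, 0..1 */
    bool valid;       /* false when lambda_total == 0: metrics undefined */
} metrics_t;

/* Sum the table into the four lambda classes of the slide's diagram. */
static rate_split_t split_rates(const failure_mode_t *fm, size_t n)
{
    rate_split_t r = {0.0, 0.0, 0.0, 0.0};
    for (size_t i = 0; i < n; i++) {
        double *slot = fm[i].dangerous ? (fm[i].detected ? &r.dd : &r.du)
                                       : (fm[i].detected ? &r.sd : &r.su);
        *slot += fm[i].fit;
    }
    return r;
}

/* SFF = (sum lambda_S + sum lambda_DD) / sum lambda_total
 *     = 1 - sum lambda_DU / sum lambda_total
 * DC  = 1 - sum lambda_DU / sum lambda_D = lambda_DD / lambda_D */
static metrics_t compute_metrics(rate_split_t r)
{
    metrics_t m = {0.0, 0.0, 0.0, 0.0, 0.0, false};
    m.lambda_s = r.sd + r.su;
    m.lambda_d = r.dd + r.du;
    m.lambda_total = m.lambda_s + m.lambda_d;
    if (m.lambda_total <= 0.0)
        return m;                      /* no failure rate: SFF/DC undefined */
    m.valid = true;
    m.sff = (m.lambda_s + r.dd) / m.lambda_total;
    /* With no dangerous failure modes there is nothing left to cover: DC = 1. */
    m.dc = (m.lambda_d > 0.0) ? r.dd / m.lambda_d : 1.0;
    return m;
}

/* Constructed failure-mode table for one hypothetical output stage. */
static const failure_mode_t example_table[] = {
    /* name                                     FIT   dangerous detected */
    { "driver stuck at 1, caught by readback",  20.0, true,  true  },
    { "clock drift, caught by clock monitor",   15.0, true,  true  },
    { "SRAM multi-bit error, not covered",       5.0, true,  false },
    { "supply loss, output de-energises",       40.0, false, false },
    { "watchdog reset, logged",                 20.0, false, true  },
};

metrics_t example_metrics(void)
{
    size_t n = sizeof example_table / sizeof example_table[0];
    return compute_metrics(split_rates(example_table, n));
}

int main(void)
{
    metrics_t m = example_metrics();
    if (!m.valid) {
        puts("no failure rate data, SFF/DC undefined");
        return 1;
    }
    printf("lambda_total = %.1f FIT, lambda_D = %.1f FIT\n", m.lambda_total, m.lambda_d);
    printf("SFF = %.1f %%, DC = %.1f %%\n", 100.0 * m.sff, 100.0 * m.dc);
    return 0;
}
```

For the constructed table the sums are λSD = 20, λSU = 40, λDD = 35, λDU = 5 FIT, so λtotal = 100 FIT, SFF = 95 % and DC = 87.5 %; the single uncovered dangerous mode (5 FIT) is what keeps both metrics below 100 %.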
Risk Reduction to fulfil Safety Integrity Level
[Figure: risk reduction diagram. Risk axis starting at 0, with the tolerable risk marked. The product without any safety measures carries the full risk; with safety measure 1, 2, 3, 4, 5, …, n the risk is reduced step by step down to the residual risk. The necessary minimal risk reduction spans from the initial risk down to the tolerable risk; the actual risk reduction spans from the initial risk down to the residual risk.]
Safety Mechanism – Overview
[Figure: a Safety Element out of Context (SEooC) within a Safety System/Item, showing Hardware Safety Mechanisms, External Safety Mechanisms (ESM) and Safety Mechanisms.]
Safety mechanism = technical solution to detect faults or control failures in order to achieve or maintain a safe state.
Measures to avoid faults
Measures to control faults
Safety mechanisms effective within the element (structural & functional measures)
Safety measures applied during development of the element (procedural measures)
Safety mechanisms are classified as:
Hardware safety mechanism [HW]
External safety mechanisms [ESM]
Safety Mechanism – Definition & Classification
Solutions and Products from Hitex
Low Level Drivers
Only drivers for safety- or security-critical peripherals have to be developed according to the safety process. Access to the peripherals needed by the SafeTpack is included in the SafeTpack.
Four options for the remaining low level drivers:
Write from scratch
• AURIX™ User Manual is extensive
• Relations between peripherals may be complex
• If a development process is required, the effort is big
• AURIX™ experts can do it faster
Use free iLLD drivers
• Easier to understand than the User Manual
• Examples available
• No safety documentation, such as specification and validation documents
Buy MCAL drivers
• AUTOSAR compatible
• SDHB, as Infineon Development Standard, has been extended to support Safety ISO26262
• ASPICE L2 aligned process for AURIX™ TC3x MCAL
• Configuration with TRESOS Studio
• Configuration and Integration Service offered by Hitex
Buy Hitex industrial drivers
• Developed according to ISO26262 ASIL B & IEC61508
• Full validation on request
• Available for MCU, IO, ADC, GTM, MultiCan, Quad Encoder, Hall Encoder, QSPI, ASC
MCAL Drivers: Infineon MC-ISAR Packages
AUTOSAR MCAL Driver for AURIX™ Family MC-ISAR Product Overview
[Figure: AUTOSAR layered software architecture]
Application Layer
AUTOSAR Run Time Environment (RTE)
System Services, Memory Services, Communication Services, I/O Hardware Abstraction, Complex Device Driver
On-Board Device Abstraction, Memory Abstraction, Communication Abstraction
MCAL: MCU, WDG, GPT, FLS, RAM TEST, SPI, LIN, CAN, FlexRay, PORT, DIO, ICU, PWM, ADC, SCI, MEM Check, FADC, ...
Microcontroller
Infineon MC-ISAR driver (MicroController Infineon Software ARchitecture). Enabled via partners.
AUTOSAR in production since 2009
Copyright © Hitex GmbH 2019. All rights reserved
Product Sheet
AUTOSAR MCAL Drivers for AURIX™ 2G Family
Device: AURIX TC3xx TC39xB / TC38x / TC37x / TC36x / TC35x / TC33x
AUTOSAR version: 4.2.2
MCAL drivers:
MC-ISAR Basic package: MCU, Port, DIO, ICU (supporting GTM, CCU6 and GPT12), GPT, PWM (supporting GTM and CCU6), SPI, ADC (feature set 3), WDG, OCU, FLS, FEE (feature set 2), CAN, CanTrcv, LIN, BFX, CRC
MC-ISAR COM Enhanced package: FlexRay, Ethernet
MC-ISAR MCD (MCAL Complex Drivers): DS-ADC, DMA, FLSloader; demo code / app note: HSSL, SENT, SMU
Safety claim at Production Release (PR):
MC-ISAR Basic package: ASIL B functionality claim (except for CAN, CanTrcv, LIN); ASIL D process to ensure freedom from interference in memory space
MC-ISAR COM Enhanced package: ASIL D process to ensure freedom from interference in memory space
MC-ISAR MCD: ASIL B functionality claim (except for FLSloader); ASIL D process to ensure freedom from interference in memory space
Configuration tool: Tresos
Compiler: migrate to TASKING 6.2r2; HighTec GNU 4.9.2.0; Wind River v5.9.6.4; Greenhills (version to be defined) for TC38x, TC35x, TC36x, availability to be discussed on request
Delivery package: Source code, Documentation
Infineon Microcontroller: Software Quality
› Standard and tailored development process SDHB established
› SDHB, as Infineon Development Standard, has been extended to support Safety ISO26262
› ASPICE L2 aligned process for AURIX™ TC3x MCAL
› 6 processes at L3
› 4 processes at L2
Qualified software releases
Building a safe and secure embedded world
Hitex SafeTpack – AURIX™ 2G Safety Software
More safety and security inside? We ensure it!
Version 1.8 2019-07-19
What's new in AURIX™ second generation (A2G) TC3xx
More productivity with Hitex SafeTpack for ISO 26262 & IEC 61508
Copyright © Hitex GmbH & Hitex (UK) Ltd. 2019. All rights reserved.
Hitex A2G SafeTpack is a complete safety manager for the AURIX™ second generation (A2G) 32-bit safety microcontrollers that provides a shortcut to implementing the Safety Manual requirements.
Like the PRO-SIL™ SafeTlib for the AURIX™ TC2xx first generation, it provides a rapid and straightforward way to achieve ISO26262 or IEC61508 certification for safety applications using TC3xx second generation devices.
Retains the existing PRO-SIL™ SafeTlib APIs.
Migration of TC2xx safety applications to TC3xx is made simpler.
AURIX™ 2G TC3xx SafeTpack – Key Facts
AURIX™ 2G does not need the SafeTlib™ MicroTest library, but…
You still need to:
Manage and test the TLF35584 safety watchdog
Manage the internal watchdogs
Run the LBIST (Logical Built-In Self Test), MBIST (Memory BIST), MONBIST (Monitor BIST) … for details see end of presentation …
Run ASIL-D checks of critical SFRs (Special Function Register)
Run the CPU and SPU SBSTs (self-test for non-lockstep core)
Implement the ESMs (External Safety Mechanism) functions
Handle safety-relevant errors
These functions have a huge effect on the overall SPFM (Single Point Fault Metric), LFM (Latent Fault Metric) and overall FIT (Failure In Time) rate of the system.
SafeTlib™ vs SafeTpack
A2G SafeTpack has four main sections:
Test library/Test Handler
Internal/external safety watchdog interface and associated drivers
Signature Monitor/error reporting system
Safety Management Unit (SMU) driver (provided by IFX)
A2G SafeTpack can be used either with or without AUTOSAR (AS4.x.x).
Constitutes an AUTOSAR complex driver.
100% compatible with the Infineon MCAL
Can still be used independently
Inside A2G SafeTpack
The Test Library includes a Test Handler that launches the TC3xx built-in hardware test functions:
LBIST, MONBIST and MBIST
LBIST replaces SafeTlib (A1G) Latent Fault Metric tests
• User can configure LBIST activation method and result handling
Optional SBST for the non-lockstep mode of the Signal Processing Units (ASIL-C) and non-lockstep AURIX™ CPU cores (ASIL-B).
Support for redundant SFR configuration checking for ASIL-D.
Test Manager reports any errors via:
• Application call-back
• Predefined 32-bit test result signature value, which is passed to the Signature Monitor
Tests are activated and configured using the Tresos Studio environment.
Test Library & Test Manager
APPLICATION SW STARTUP:
During application SW startup, the user is responsible for executing a number of operations to ensure the absence of latent faults and to correctly initialize the MCU before starting runtime execution.
SafeTpack Overview
SafeTpack implements the following ESMs and SMCs:
SMC[SW]:MCU:LBIST_CFG
ESM[SW]:MCU:LBIST_RESULT
SMC[SW]:PMS:MONBIST_CFG
ESM[SW]:PMS:MONBIST_RESULT
ESM[SW]:SYS:MCU_FW_CHECK
ESM[SW]:SMU:ALIVE_ALARM_TEST
SMC[SW]:VMT:MBIST
ESM[SW]:VMT:MBIST
ESM[SW]:DTS:DTS_RESULT
ESM[SW]:SMU:REG_MONITOR_TEST
ESM[SW]:AMU.LMU_DAM:REG_MONITOR_TEST
ESM[SW]:CIF.RAM:REG_MONITOR_TEST
ESM[SW]:CPU.DCACHE:REG_MONITOR_TEST
ESM[SW]:CPU.DLMU:REG_MONITOR_TEST
ESM[SW]:CPU.DSPR:REG_MONITOR_TEST
ESM[SW]:CPU.DTAG:REG_MONITOR_TEST
ESM[SW]:CPU.PCACHE:REG_MONITOR_TEST
ESM[SW]:CPU.PSPR:REG_MONITOR_TEST
ESM[SW]:CPU.PTAG:REG_MONITOR_TEST
ESM[SW]:DMA.RAM:REG_MONITOR_TEST
ESM[SW]:EMEM.RAM:REG_MONITOR_TEST
ESM[SW]:ERAY.RAM:REG_MONITOR_TEST
ESM[SW]:GETH.RAM:REG_MONITOR_TEST
ESM[SW]:GTM.RAM:REG_MONITOR_TEST
ESM[SW]:HSPDM.RAM:REG_MONITOR_TEST
ESM[SW]:LMU.RAM:REG_MONITOR_TEST
ESM[SW]:MCMCAN.RAM:REG_MONITOR_TEST
ESM[SW]:PSI5.RAM:REG_MONITOR_TEST
ESM[SW]:SCR.RAM:REG_MONITOR_TEST
ESM[SW]:SDMMC.RAM:REG_MONITOR_TEST
ESM[SW]:SPU.BUFFER:REG_MONITOR_TEST
ESM[SW]:SPU.CONFIG:REG_MONITOR_TEST
ESM[SW]:SPU.FFT:REG_MONITOR_TEST
ESM[SW]:TRACE.TRAM:REG_MONITOR_TEST
SafeTpack Overview
SFR Test module of SafeTpack can be used to realise:
ESM[SW]:SYS:MCU_STARTUP
ESM[SW]:CPU:AP_CHECK
ESM[SW]:CPU:BUS_MPU_INITCHECK
ESM[SW]:CPU:CODE_MPU_CHECK
ESM[SW]:CPU:DATA_MPU_CHECK
ESM[SW]:CPU:SFR_TEST
SafeTpack’s watchdog driver and the optional Program Flow Monitor module can be used to realise:
ESM[SW]:SYS:SW_SUPERVISION
ESM[SW]:CPU:SOFTERR_MONITOR
SMU driver (from IFX MCAL CD package) can be used to realise SMC[SW]:SMU:CONFIG
Optional CPU SBST module can be used to realise ESM[SW]:CPU:SBST
Optional SPU SBST module can be used to realise ESM[SW]:SPU:SBST
SafeTpack Tresos Configuration
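The slides name redundant SFR configuration checks (ESM[SW]:CPU:SFR_TEST and the REG_MONITOR_TEST entries) but do not show how they are built. The following C code is an added example, not SafeTpack's implementation: the expected value of each supervised register is stored twice, as the value and its bitwise inverse, so that corruption of the reference table itself is caught before the table is used to judge a register; the live register is then compared under a mask that excludes bits which legitimately change at runtime. The register array, addresses, masks and configuration values are constructed stand-ins for memory-mapped SFRs.

```c
/* Added example: redundant SFR configuration check (not SafeTpack code).
 * sfr_space[] stands in for memory-mapped registers; all values are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_SFR 4

static volatile uint32_t sfr_space[NUM_SFR];   /* simulated register space */

typedef struct {
    volatile uint32_t *reg;  /* register under supervision */
    uint32_t mask;           /* configuration bits that must stay stable */
    uint32_t expected;       /* expected (masked) configuration */
    uint32_t expected_inv;   /* redundant copy: bitwise inverse of expected */
} sfr_check_t;

typedef enum { SFR_OK = 0, SFR_MISMATCH = 1, SFR_REF_CORRUPT = 2 } sfr_status_t;

typedef struct {
    uint32_t     failed;     /* bit i set when table entry i failed */
    sfr_status_t worst;      /* most severe status seen over the table */
} sfr_result_t;

static void sfr_check_init(sfr_check_t *c, volatile uint32_t *reg,
                           uint32_t mask, uint32_t expected)
{
    c->reg = reg;
    c->mask = mask;
    c->expected = expected & mask;
    c->expected_inv = ~(expected & mask);
}

/* Check one entry: the reference pair first (a damaged table must not be
 * trusted to judge the register), then the live register under the mask. */
static sfr_status_t sfr_check_one(const sfr_check_t *c)
{
    if ((c->expected ^ c->expected_inv) != 0xFFFFFFFFu)
        return SFR_REF_CORRUPT;
    if ((*c->reg & c->mask) != c->expected)
        return SFR_MISMATCH;
    return SFR_OK;
}

static sfr_result_t sfr_check_all(const sfr_check_t *tab, size_t n)
{
    sfr_result_t r = { 0u, SFR_OK };
    for (size_t i = 0; i < n; i++) {
        sfr_status_t s = sfr_check_one(&tab[i]);
        if (s != SFR_OK) {
            r.failed |= 1u << i;
            if (s > r.worst)
                r.worst = s;
        }
    }
    return r;
}

/* Constructed configuration: register 2 carries a status bit (bit 31) that
 * toggles at runtime and is therefore excluded by its mask. */
static void setup(sfr_check_t *tab)
{
    static const uint32_t cfg[NUM_SFR]  = { 0x00000007u, 0x0000A5A5u, 0x80000001u, 0x0000FF00u };
    static const uint32_t mask[NUM_SFR] = { 0xFFFFFFFFu, 0xFFFFFFFFu, 0x0000FFFFu, 0xFFFFFFFFu };
    for (int i = 0; i < NUM_SFR; i++) {
        sfr_space[i] = cfg[i];
        sfr_check_init(&tab[i], &sfr_space[i], mask[i], cfg[i]);
    }
}

sfr_result_t scenario_all_good(void)
{
    sfr_check_t tab[NUM_SFR];
    setup(tab);
    return sfr_check_all(tab, NUM_SFR);
}

sfr_result_t scenario_flipped_register(void)     /* bit flip in register 1 */
{
    sfr_check_t tab[NUM_SFR];
    setup(tab);
    sfr_space[1] ^= 0x00000008u;
    return sfr_check_all(tab, NUM_SFR);
}

sfr_result_t scenario_status_bit_ignored(void)   /* masked status bit toggles */
{
    sfr_check_t tab[NUM_SFR];
    setup(tab);
    sfr_space[2] ^= 0x80000000u;
    return sfr_check_all(tab, NUM_SFR);
}

sfr_result_t scenario_corrupted_reference(void)  /* reference entry 3 damaged */
{
    sfr_check_t tab[NUM_SFR];
    setup(tab);
    tab[3].expected_inv ^= 0x00000001u;
    return sfr_check_all(tab, NUM_SFR);
}

int main(void)
{
    printf("all good:            failed=0x%X\n", scenario_all_good().failed);
    printf("flipped register:    failed=0x%X\n", scenario_flipped_register().failed);
    printf("status bit ignored:  failed=0x%X\n", scenario_status_bit_ignored().failed);
    printf("corrupted reference: failed=0x%X\n", scenario_corrupted_reference().failed);
    return 0;
}
```

The failing-entry bitmask is what a caller would fold into the test signature reported to the Signature Monitor; the distinct SFR_REF_CORRUPT status matters because a corrupted reference table would otherwise be indistinguishable from a genuinely changed register.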
TLF35584 driver Tresos configuration menu
TC399 LBIST driver Tresos configuration menu
Signatures from the test library are fed via the Signature Monitor to refresh the watchdog
Incorrect signature(s) causes safe state to be entered.
Safety Watchdog Interface can be extended to collect signatures from optional External Safety Measure (ESM) modules
Hitex Program Flow Monitor (HtxPfm)
ADC self-test, broken wire detection etc.
Redundantly implemented SFR checks
DMA monitor (no signature)
SBST (CPU & SPU)
+ others
Test Signature Management
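The slides describe the mechanism (test signatures fed through the Signature Monitor to refresh the watchdog, an incorrect signature causing the safe state) without showing its logic. The following C code is an added example, not SafeTpack code: each test reports a 32-bit result signature once per watchdog window, and the monitor grants the refresh only if every expected test has reported exactly once and every signature matches its predefined value; a missing, repeated or wrong signature latches the safe state, so no later window can clear it. The test set, the expected signature values and the simulated hardware tests are constructed for illustration.

```c
/* Added example: test-signature monitor gating the watchdog refresh
 * (not SafeTpack code; test IDs and signature values are constructed). */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef enum { TEST_LBIST = 0, TEST_MBIST, TEST_SFR_CHECK, NUM_TESTS } test_id_t;

/* Predefined expected result signatures, one per test (constructed values). */
static const uint32_t expected_sig[NUM_TESTS] = {
    0x5A3C9E11u, 0xA7D0FF28u, 0x3E8B14C6u
};
#define ALL_TESTS_MASK ((1u << NUM_TESTS) - 1u)

typedef struct {
    uint32_t received[NUM_TESTS];
    uint32_t received_mask;   /* bit i set once test i has reported in this window */
    bool     safe_state;      /* latched: once set, no refresh is granted again */
    unsigned refresh_count;   /* windows in which the refresh was granted */
} sig_monitor_t;

static void monitor_init(sig_monitor_t *m)
{
    for (int i = 0; i < NUM_TESTS; i++)
        m->received[i] = 0u;
    m->received_mask = 0u;
    m->safe_state = false;
    m->refresh_count = 0u;
}

/* Called by a test when it completes. An unknown test ID or a second report
 * from the same test inside one window is itself treated as a fault. */
static void monitor_report(sig_monitor_t *m, test_id_t id, uint32_t sig)
{
    if ((unsigned)id >= NUM_TESTS || (m->received_mask & (1u << id)) != 0u) {
        m->safe_state = true;
        return;
    }
    m->received[id] = sig;
    m->received_mask |= 1u << id;
}

/* Called at the end of each watchdog window. Returns true when the watchdog
 * may be refreshed; false means the safe state must be entered. */
static bool monitor_window_end(sig_monitor_t *m)
{
    uint32_t diff = 0u;
    if (m->safe_state)
        return false;
    if (m->received_mask != ALL_TESTS_MASK) {   /* at least one test did not run */
        m->safe_state = true;
        return false;
    }
    for (int i = 0; i < NUM_TESTS; i++)         /* compare every slot, no early exit */
        diff |= m->received[i] ^ expected_sig[i];
    if (diff != 0u) {
        m->safe_state = true;
        return false;
    }
    m->refresh_count++;
    m->received_mask = 0u;                      /* open the next window */
    return true;
}

/* Constructed stand-in for a hardware test: a healthy test yields the
 * expected signature, a failing one yields a different value. */
static uint32_t simulated_test(test_id_t id, bool healthy)
{
    return healthy ? expected_sig[id] : (expected_sig[id] ^ 0x00000100u);
}

/* All three tests run and pass: refresh granted, no safe state. */
bool healthy_window(void)
{
    sig_monitor_t m;
    monitor_init(&m);
    for (int i = 0; i < NUM_TESTS; i++)
        monitor_report(&m, (test_id_t)i, simulated_test((test_id_t)i, true));
    bool granted = monitor_window_end(&m);
    return granted && m.refresh_count == 1u && !m.safe_state;
}

/* MBIST returns a corrupted signature: refresh refused, safe state latched. */
bool wrong_signature_refused(void)
{
    sig_monitor_t m;
    monitor_init(&m);
    monitor_report(&m, TEST_LBIST, simulated_test(TEST_LBIST, true));
    monitor_report(&m, TEST_MBIST, simulated_test(TEST_MBIST, false));
    monitor_report(&m, TEST_SFR_CHECK, simulated_test(TEST_SFR_CHECK, true));
    bool granted = monitor_window_end(&m);
    return !granted && m.safe_state && m.refresh_count == 0u;
}

/* The SFR check never reports: the missing signature alone refuses the refresh. */
bool missing_test_refused(void)
{
    sig_monitor_t m;
    monitor_init(&m);
    monitor_report(&m, TEST_LBIST, simulated_test(TEST_LBIST, true));
    monitor_report(&m, TEST_MBIST, simulated_test(TEST_MBIST, true));
    bool granted = monitor_window_end(&m);
    return !granted && m.safe_state;
}

int main(void)
{
    printf("healthy window, refresh granted: %s\n", healthy_window() ? "yes" : "no");
    printf("wrong signature refused:         %s\n", wrong_signature_refused() ? "yes" : "no");
    printf("missing test refused:            %s\n", missing_test_refused() ? "yes" : "no");
    return 0;
}
```

The same structure applies to the start-up phase described earlier: the LBIST, MBIST and SFR results collected before runtime are simply the first window, and the watchdog is not serviced until all of them are present and correct. The comparison loop deliberately folds every slot into one difference word instead of returning on the first mismatch, so the time taken does not reveal which test failed and a single corrupted comparison cannot skip the rest.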
HtxTLF35584 Test module provides the ESM TLF35584 startup tests as per the TLF35584 Safety Manual:
• Window Watchdog Test
• Functional Watchdog Test
• Error Pin Monitor Test
• Analog Built-in Self-Test (ABIST) etc.
HtxPFM Program Flow Monitor (D.2.9.5, ASIL-D)
Add-on is able to verify that tasks and functions are called in the expected order.
Runs on all cores and the status is reported via the signature manager to the external functional watchdog device.
Extended TLF35584 Support
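A program flow monitor of the kind described for HtxPFM can be built from checkpoints: every supervised task or function reports its own ID, the IDs are folded into an order-sensitive running signature, and at the end of the cycle that signature is compared with the signature of the expected call sequence. The C code below is an added example, not the Hitex HtxPFM implementation; the checkpoint IDs, the expected sequence and the mixing function are constructed for illustration. On the real part the end-of-cycle verdict would be passed on to the signature manager and the external functional watchdog, as the slide states.

```c
/* Added example: checkpoint-based program flow monitor (not HtxPFM code).
 * Checkpoint IDs, expected sequence and fold function are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PFM_SEED 0x811C9DC5u

typedef struct {
    uint32_t signature;       /* running signature of the current cycle */
    size_t   count;           /* checkpoints seen in the current cycle */
    uint32_t expected;        /* signature of the expected sequence */
    size_t   expected_count;
} pfm_t;

static uint32_t rotl32(uint32_t x, unsigned r)
{
    return (x << r) | (x >> (32u - r));
}

/* Order-sensitive fold: the same IDs in a different order give a different
 * signature, so a swapped or skipped call is visible at the end of the cycle. */
static uint32_t pfm_fold(uint32_t sig, uint32_t id)
{
    return rotl32(sig, 5) ^ (id * 0x9E3779B9u);
}

/* Derive the reference signature once from the expected checkpoint sequence. */
static void pfm_init(pfm_t *p, const uint32_t *expected_seq, size_t n)
{
    uint32_t sig = PFM_SEED;
    for (size_t i = 0; i < n; i++)
        sig = pfm_fold(sig, expected_seq[i]);
    p->expected = sig;
    p->expected_count = n;
    p->signature = PFM_SEED;
    p->count = 0;
}

static void pfm_begin_cycle(pfm_t *p)
{
    p->signature = PFM_SEED;
    p->count = 0;
}

/* Each supervised task or function calls this with its own ID. */
static void pfm_checkpoint(pfm_t *p, uint32_t id)
{
    p->signature = pfm_fold(p->signature, id);
    p->count++;
}

/* True when the observed flow matches the expected sequence exactly. */
static bool pfm_end_cycle(const pfm_t *p)
{
    return p->count == p->expected_count && p->signature == p->expected;
}

/* Constructed checkpoint IDs of one control-loop cycle. */
enum { CP_READ_SENSORS = 0x11, CP_PLAUSIBILITY = 0x22, CP_CONTROL = 0x33, CP_ACTUATE = 0x44 };
static const uint32_t expected_flow[] = { CP_READ_SENSORS, CP_PLAUSIBILITY, CP_CONTROL, CP_ACTUATE };

/* Replay one cycle with the given checkpoint sequence and return the verdict. */
static bool run_cycle(const uint32_t *seq, size_t n)
{
    pfm_t p;
    pfm_init(&p, expected_flow, sizeof expected_flow / sizeof expected_flow[0]);
    pfm_begin_cycle(&p);
    for (size_t i = 0; i < n; i++)
        pfm_checkpoint(&p, seq[i]);
    return pfm_end_cycle(&p);
}

bool flow_correct(void)
{
    return run_cycle(expected_flow, 4);
}

bool flow_skipped_plausibility(void)   /* plausibility check bypassed */
{
    static const uint32_t seq[] = { CP_READ_SENSORS, CP_CONTROL, CP_ACTUATE };
    return run_cycle(seq, 3);
}

bool flow_reordered(void)              /* control computed before plausibility */
{
    static const uint32_t seq[] = { CP_READ_SENSORS, CP_CONTROL, CP_PLAUSIBILITY, CP_ACTUATE };
    return run_cycle(seq, 4);
}

bool flow_repeated(void)               /* actuator driven twice in one cycle */
{
    static const uint32_t seq[] = { CP_READ_SENSORS, CP_PLAUSIBILITY, CP_CONTROL, CP_ACTUATE, CP_ACTUATE };
    return run_cycle(seq, 5);
}

int main(void)
{
    printf("correct flow:  %s\n", flow_correct() ? "ok" : "FAULT");
    printf("skipped step:  %s\n", flow_skipped_plausibility() ? "ok" : "FAULT");
    printf("reordered:     %s\n", flow_reordered() ? "ok" : "FAULT");
    printf("repeated step: %s\n", flow_repeated() ? "ok" : "FAULT");
    return 0;
}
```

The checkpoint count is checked alongside the signature so that a sequence with the right IDs but the wrong length is rejected even if the fold happened to collide; in a multi-core deployment each core keeps its own pfm_t and reports its own verdict, which is how the slide describes HtxPFM running on all cores.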
Allows user to configure internal and external actions for SMU alarms
Driver comes from IFX MCAL and is part of the MCAL package
For non-AUTOSAR/MCAL environments the SMU driver will be provided as an optional module
Alarms may be configured for SafeTpack start-up phase
Alarms may be configured for application run phase
Safety Management Unit Driver & Configurator
A2G SafeTpack is a software component of a larger user-defined system.
For ASIL-B:
• Supplied as source code with reference application
• ISO26262-style Safety Manual and Safety Case Report
• Hitex can provide assistance with the user's certification procedure by special arrangement
A2G SafeTpack may be used at up to ASIL-D, subject to special measures being taken by the user.
Roadmap for IEC61508 and ISO13849
SafeTpack Usage In ISO26262, IEC61508 …
SBST Non-Lockstep CPUs
Add-on module contains the Infineon SBST for non-lockstep CPUs that are to be used for ASIL-B.
Manages the SBST slices and reports the output status through the signature management system.
SBST For Signal Processing Unit
Add-on module contains the Infineon SBST for the non-lockstep SPU that is to be used for ASIL-C.
Manages the SBST slices and reports the output status through the signature management system.
Optional Modules provided by Infineon
Highly recommended to integrate A2G SafeTpack with your application at the earliest possible stage.
The Trial Version package is recommended for this.
Completely representative of the ASIL-B version
Acts as a functional placeholder during early product development on standard Infineon and Hitex A2G boards.
Ensures that the TLF35584 is correctly serviced and that the basic testing and error reporting system is in place from the start of the project.
When transferring to custom hardware, the A2G SafeTpack ASIL-B version is required
Allows full configuration, continued development and final release.
Working With A2G SafeTpack
AURIX™ Toolchain Support
Tasking v6.2r2p2
Hightec GCC v4.9.2
On request: GHS, Windriver/Diab.
SafeTpack Compiler Support & Roadmap
Device   Alpha       Beta      RC        PR
TC39x    available   Nov 2019  Dec 2019  Q1 2020
TC38x    available   Oct 2019  Dec 2019  Q1 2020
TC37x    On Request  Dec 2019  Jan 2020  Q2 2020
RC = Release Candidate; PR = Production Release, 3 months after RC
Consulting
• Functional Safety Consulting: how to achieve the required ASIL or SIL with AURIX™ and SafeTpack
Training
• AURIX™ Training
• How to use and integrate SafeTpack
• Functional Safety Training
Integration service
• Development service to integrate SafeTpack in your special application
Global Support via Partners
Hitex Services for SafeTpack
Trial / Evaluation version - Free of charge
Fully functional, partial source code/object library with a Getting Started guide, limited configurator and basic documentation, supplied with simple reference application showing A2G SafeTpack usage.
For evaluation purposes only on Infineon and Hitex evaluation boards.
Allows the correct servicing of the internal or TLF35584 safety watchdogs.
ASIL-B Development & Production Version
Fully functional source code with Tresos configurator
Simple reference application showing A2G SafeTpack usage
ISO26262 Safety Manual and Safety Case Report.
A2G SafeTpack Formats
Summary
AURIX™ has a complete environment feasible for safety and security
AURIX™ hardware is designed for safety
Functional safety has high demands on development cycle and microcontroller tests
Make or buy decision is influenced by safety and security demands
AURIX™ safety and security experts are increasing speed and reliability
Stay in contact with us …
Michael Weiß
Senior Account Manager
Embedded Solutions
Tel. +49 721 9628-144
Fax. +49 721 9628-149
E-Mail [email protected]
Beray Yilmaz
Account Manager PDH & Middleware
Tel. +49 721 9628-145
Fax. +49 721 9628-149
E-Mail [email protected]