You are on page 1of 54

Functional Safety in Linux-AP

Automotive Linux Summit Fall 2013

* ETRI=Electronics and Telecommunications Research Institute, Korea
1

SoCs in Automotive
ASV (Advanced Safety Vehicle)
Safe

Smartness

Comfort

Smart
Dashboard
(Nav, Audio)

Blackbox

Airbag

Seat Control

Engine Control
Steering

Transmission
Control

TPMS
(Tire Pressure
Monitoring System)

Automotive Linux Summit Fall 2013

Smart door

Window

ABS Control Unit

* Source : ETRI Industry Analysis Report 2010
2

ADAS and CPU
ADAS (Advanced Driver Assistance System)

Reduce Injuries

PAS1)

Danger Warning Safe Driving Control
(LDWS2), Immediate Braking) (LKAS3))

V2V4), V2I5), ITS6)

Driving  Smartness & Comfort
Smart Car

Driving-Central

Standardized Software
Simple SW

Complex SW

High-Performance APs

2000
1) PAS:Parking Assist System
2) LDWS: Lane Departure Warning System
3) LKAS : Lane Keeping Assist System

Automotive Linux Summit Fall 2013

2010

2020

4) V2V: Vehicle-to-Vehicle
5) V2I: Vehicle to Infrastructure
6) ITS: Intelligent Transportation System

3

ADAS for Smart/Safe Driving; Future of Cars
Automotive Embedded System
Automotive OS
(Future of AGL?)

Smart Driving

IVI
Voice Recognition
(In-Vehicle Infotainment)

Mixed Reality Display

Automotive Linux Summit Fall 2013

Route/Parking
Guidance

Vehicle AP

Safe Driving

Gesture Recognition

V2V/ITS

Lane Detection

Pedestrian Detection

Traffic Sign Recog.

Multi-Radar/ACC

Night Vision

Collision Warning Brake

4

Why Fault-Tolerance in Linux-AP?

Brake-by-Wire =
Control by SW-SoC
Fault Tolerant
Automotive SW-SoC
Automotive App.
on Linux

Vehicle AP

Automotive Linux Summit Fall 2013

5

Malfunction of Linux-AP ADAS(Advanced Driver Assistance)+Steering requests High-Quality Fault-Tolerant SW-CPU Drive monitoring Brake-by-Wire Sources of Transient Erros Steer-by-Wire Noise Cosmic ray Error Modeling Voltage/Current fluctuation ECU MCU/CPU/AP Temperature variation SET (Single Event Transient)  SEU (Single Event Upset) Automotive Linux Summit Fall 2013 66 .

~1.Challenges in Fault-Tolerant Linux-AP Fault-tolerance in high-performance AP (>800MHz.2GHz) * Plenty of researches in MCU Automotive Linux Redesign of the ‘Core’ for protecting transient error Redesign of the ‘Core and OS’ to Detect faults and Recover status Linux kernel/drivers’ design for fault-tolerance * Previous works are for firmwares Approval of ‘Core and OS’ as a ‘Safety Element’ in Vehicles Automotive Linux Summit Fall 2013 7 .

Automotive Linux Summit Fall 2013 8 .

ISO 26262 Roadmap for Automotive APs AP Systematic Faults Avoidance of Faults in the process HW random faults Avoidance of Bugs in SW Requirements tracking. Control & Verification of Tool suites (compiler. mgmt.. maintenance.. and changes Doc.) Control & Verification of the design process Control & Verification of SW test design Control & Verification of usage. & Verification of HW-SW interfaces Automotive Linux Summit Fall 2013 Analysis Safety Mechanisms 9 . conf.

) Qualitative Analysis Dependent failures (CCF) analysis Quantitative Analysis SW diagnostic mechanisms (e. SW tests) Measures for CCF avoidance HW metrics analysis (SPFM.ISO 26262 Roadmap for Automotive APs AP HW random faults Systematic Faults Safety Mechanisms Analysis HW diagnostic Mechanisms (e. PMHF) ※DCLS=Dual-Core Lockstep Automotive Linux Summit Fall 2013 HW metrics verification (fault injection) 10 . etc. DCLS. LFM.g ECC.g.

Incredible Very low probability Low probability Medium Probability High Probability Automotive Linux Summit Fall 2013 11 . Controllable in general Simply Controllable Normally Controllable Difficult to control or uncontrollable S2 Light and moderate injuries S3 Severe and lifeLifethreatening threatening (probably (survival?) survive) S1 S2 S3 E1 E2 E3 E4 E1 E2 E3 E4 E1 E2 E3 E4 C1 QM QM QM QM QM QM QM A QM QM A B C2 QM QM QM A QM QM A B QM A B C C3 QM QM A B QM A B C A B C D QM=Quality Managed. For function but is not a safety concern Exposure Class E0 E1 E2 E3 E4 Desc. S0 No injuries S1 Controllability Class C0 C1 C2 C3 Desc.ASIL Definition Severity Class Desc.

.3.3. Position of SEooC Assumptions on system-level. safety requirements. Microcontrollers are an integral component of modern automotive systems. 9.. They can be developed as a safety element out of context(SEooC)..An SEooC is a safety-related element which is not developed for a specific item. Assumptions and SEooC Development Automotive Linux Summit Fall 2013 12 . This means it is not developed in the context of a particular vehicle. system-level design Hardware(MCU) development Work products (report of safety goal) Integration of the SEooC into the item Part-10..2.SEooC 8.1 .1. 9.

Fault Detection (Current Technology) Protection Mem1 Mem2 Mem3 Redundancy Thread 1-1 Thread 1-2 Thread 1-3 Original Data + ECC Core1 Core2 Core1 Perturbed Redundancy Thread 1 Thread 2 Thread 3 Core2  Physical Isolation gives space diversity  Delayed lockstep gives time diversity  It may weak to CCF(Common Cause Failure) Automotive Linux Summit Fall 2013 1313 .

Redundancy suppressing Failures purpose redundancy perturbed redundancy error sources Type Cause Effects Lifetime EOS Electrical OverVoltage/Current Stress Hot spots > 1ms ESD Electro-Static Discharge Upto 1A discharge current 100ps to 1us Cosmic Radiation External environment (>1MeV) ~100fC charge localized in a few um < 100ps Intrinsic Radiation Alpha from package (~8MEV) Hole-electron pair generation in a few um < 100ps *Re-analysis of Infineon’s Presentation Automotive Linux Summit Fall 2013 1414 .

DCLS (1) Primary Core Compare Checker Core  Physical Isolation gives space diversity  Delayed lockstep gives time diversity  It may weak to CCF(Common Cause Failure) Automotive Linux Summit Fall 2013 15 .

DCLS (2) F DEC E XOR Physical separation XOR XOR F’ DEC’ E’ AntiCore  Reduced delay lines  Shadow core does inverse of the core  Physical separation Automotive Linux Summit Fall 2013 16 .

DCLS in Action ECC Safety Guardian Flash 2 clock delay Logic BIST SPF V850 E2M MPU (mem) INT PBUS IF Flash IF Flash IF ECC CPU Master 2 clock delay Compare Unit CPU Checker SPF MPU (mem) DMA DMA RAM IF ECC ECC RAM IF Logic BIST ECC V850 E2M INT PBUS IF 2 clock delay ECC RAM WDT BIST Clock Clock monitor Clock monitor monitor Peripherals Logic BIST ECC BIST RAM Clock Gen Ring OSC Clock input Automotive Linux Summit Fall 2013 17 .

DCLS in Actions Thread 1a Thread 2 Thread 1b * Excerpts from Infineon Automotive Linux Summit Fall 2013 18 .

Automotive Linux Summit Fall 2013 19 .

Final Design Tape-out Intermediate Review Reliability Test Packaging (AEC-Q100) Review & Final Document 2020 . Process in ETRI Requirements in the Development Process     Appropriate development procedure Measurement for analysis (FMEA) Review by required organization Documentation ACCDEP (Automotive CPU Core Design Process in ETRI) Overall Architecture Design Synthesis Function Verification Fault injection & analysis P&R Reliability Analysis Automotive Linux Summit Fall 2013 Fault Tolerance Mechanism Fab.Automotive AP Dev.

Basic SoC Design Methodology Requirements RTL Model Simulate Synthesize Gate-level Model ASIC or FPGA Test Bench Place & Route Timing Model Automotive Linux Summit Fall 2013 Simulate Simulate 21 .

6 Specification of Safety Integrity Measures (SoC+SW) Outputs for Part 5. assumption) Safety Report (FMEA.ACCDEP in V Model Hazard and Risk Analysis ASIL safety goal Item integration.6 Safety Analysis and Validation ACCDep SW-SoC Design Group Automotive Linux Summit Fall 2013 2222 . Safety Validation & Assessment Safety requirements from Customer Safety requirements (generic. Metrics) Inputs for Part 5. architecture.

Required Expertise in ACCDEP Involvement & Understanding of Standardization Safety Analysis Experiments For Automotive Applications (LKAS. Assertion.. Airbag.) Cooperation with external institutes For safety assessment Automotive AP/MCU Design Technologies  SW-SoC Technology  Core development  DCLS.. . ECC. Voting. . FMEA Methodology Setup Fault injection & Simulation Automotive Linux Summit Fall 2013 2323 . Braking.

Static analysis Bugs in HW design Simulation. Testing. Formal verification Permanent Chip Failure Stress test (AEC-Q100) Transient Error Fault-Tolerance Techniques 2424 . Testing.Faults and Errors in ACCDEP Error Discrepancy Systematic Error Random Error Automotive Linux Summit Fall 2013 Fault Abnormal condition causing failure Failure Termination of The ability Error in the process Control & Verification Bugs in SW Simulation.

Power 0.1mW/MHz x4 4GOPS@1GHz Fault-Tolerant CPU as SEooC in ISO 26262 “Aldebaran-C” Multi-Channel Video Codec AP x2 1. 500MOPS@130nm Single-Core DSP 160 instructions 180MOPS@130nm Touch Media SoC Sensor 2006 Automotive Linux Summit Fall 2013 2008 Video Core MOSAIC Multi-Core Video SoC Sound Effect SoC Audio SoC 2010 DSP Core Touch Sensor2 2012 2014 2016 25 . Cache) Compact Embedded DSP “Aldebaran-V” Fault-Tolerant Vehicle AP x32-x64 core CPU Reliability.. Perf. 3mW@130nm/core) “MOSAIC” “EMP-D” “EMP-S” Dual-Core Multi-Port SPM 160 inst.ETRI’s Roadmap for Embedded Processors “Aldebaran-R” Many-Core CPU AP for Embedded Products “Aldebaran-S” (300Kgates.6GOPS@800MHz 32-bit Dual-Core MMU(TLB. 99.6GOPS@800MHz HEVC (4K/8K video codec) SPMD Array Processor (35Kgates.8mW@65nm/core) AP for Embedded Systems x2 1.

2GHz@28nm Aldebaran x8.1GHz@40nm 600 300 Cortex-A8. 18400DMIPS. 1.500mW.600MHz@40nm 2000 Automotive Linux Summit Fall 2013 4000 Cortex-A15 (to come). x1. The power efficiency war is the next round. 1200DMIPS. Too Hot for Mobile Applications ! (1.300mW.Positioning Power (mW) Simple “number of cores” war will face the end. x2. 8400DMIPS. ~900mW. 4000DMIPS.1W) 900 Cortex-A9.150mW@45nm 6000 8000 Performance (DMIPS) 26 . x2.

Aldebaran Development Platform < Architecture > < Xilinx FPGA Platform > LCD(1200x800)+FPGA b/d+Base b/d Automotive Linux Summit Fall 2013 27 .

8) NIC GPIO (pio.58) SDIO (psi.29) < Block Diagram of Aldebaran > Automotive Linux Summit Fall 2013 28 .37) USBHS (pus.4) ALDEBARAN _CORE ID 0 FMC (pfm.Aldebaran-S2 (Dual-Core) DDR2 (pdd.4) IRAM AC97 (pac.4) SJTAG (pjt.10) UART (pua.5) INTC DMAC TIMER /WDT PMU (pjumper. 76) SCLKNET (p_osc.8) PWM (pwm.12) VIDEO (plcd.5) SMC (psm.15) ALDEBRAN _CORE ID 1 IROM < Aldebaran Layout > I2C (pic.6) SDR (psd.

3) CAM core_clk AXI multi-layer bus coreb_clk core_clk SATA p_osc_clk48m bl_clk SCLK4NET sdr_clk video_clk pjt_tck_in br_clk video_clk USBHS (USB Host) SJTAG SDIO0 M3 M4 M5 usb_clk bl_clk M0 M1 M2 M3 BL aldebaran_nic_7m8s LM0 RM0 RS0 LS0 S0 S1 br_clk BR S2 S3 S4 S5 S7 SMC (SRAM I/F) USB_Slave SDIO1 S6 AXI sdr_clk pdd_sys_clk_p pdd_sys_clk_p pdd_clk_ref_p pdd_clk_ref_n irom SDR DDR2 AHB iram APB NFC (NAND Flash) AXI multi-layer bus GPU PCIe HDMI MFC PMU Timer Video WDT FMC RTC NOR PWM INTC UART0.Aldebaran Architecture coreb_clk USBOTG SNAKE_CORE ID 1 DMA p_osc_clki VC (VIDEO. LCD) SNAKE_CORE ID 0 Ethernet (802.1 DMA AC97 DDR2 I2C0.1 Automotive Linux Summit Fall 2013 29 .1 SMC SJTAG usb_clk pac_bit_clk _pad_i USBHS CAN0.

12Kbytes. 250MHz~500MHz BL bus SCLKNET/br_clk 200MHz BR bus SCLKNET/sdr_clk 166MHz SDR clock SCLKNET/video_clk 80MHz VC clock osc_clk48m (usb_clk) 48MHz +/. Tag 2. 256x16x2b=1Kbyte I/D cache: Each 32K bytes.7Kbytes BP: 10-bit GHR. pdd_ref(ddr2 4 clks) 200MHz SNAKEM_DDR2 psd_clk_in 166MHz SDR feedback pjt_tck_in 10MHz SJTAG clock pac_bit_clk_pad_i 12. each 32 entries  Each 65-bit PTE with selective FLUSH/PROBE Dual-rail decode and in-order scheduler w/ Scoreboard Execution queue  Queue containing decoded/scheduled blocks  Run-time OS support for LP execution Superscalar execution unit  2 integer units.8MHz SNAKEM_AC97 sdio internal clocks ~50MHz (gated from br_clk) 30 .Features of Aldebaran Core           Dual-issue in-order superscalar with 32bit I/D Target : 800MHz@65nm.0. 2. and FPU for single/double fpu operations  Multi-port register file 800MHz.2% USBHS clock pdd_sys. 1GHz@45nm.1. I$+D$ 68.63mm2@65nm Automotive Linux Summit Fall 2013 Clocks in Aldebaran Clock Net Frequency Description osc_clki (ref_clk) 50MHz PLL reference clock SCLKNET/core_clk 500MHz~1GHz Core block SCLKNET/bl_clk core_clk/2.1. 1 load store.1V.25Kbytes TLB: Each 32-entry PTE(Page Table Entry) for iTLB/dTLB  Separate iTLB/dTLB.0V BTB: 2-way x 256-entry x 58-bit =3.

4 sets CAN:  2-wire CAN for OBD-II. for various NAND types  USBHS : Usb controller  USB(1.Features of Aldebaran NoC-Left   VC: Video Controller  EDMA for NoC off-loading  1280x800 resolution. Program Download  On-Chip flash burning 31 .1) Host controller  SDC : SD controller  SD card(1/4-bit mode)/SDIO/SPI Automotive Linux Summit Fall 2013         NoC-Right SMC : SRAM I/F controller  Configurable SRAM Interface  Interface for LAN9220 INTC : 32-source PIC Timer/WDT:  Periodic/One-shot/Watchdog. 2 sets PWM: Pulse-Width-Modulation  Configurable waves  LCD backlight. Dimming UART: UART 16550  38400/115200 baud rate AC97: Audio  AC97 codec interface  Volume management I2C: Inter-IC Control  7-bit/10-bit address  I2C master/slave composite  LCD Touch Interface SJTAG : JTAG Interface  PC-Core Communication  Core debugging. HDMI support  DRAM Controller  256Mbytes DRAM  166MHz SDR(166Mbps)  200MHz DDR2(400Mbps)  iROM : Internal ROM  Multiple bootstrap modes  iRAM: Internal RAM  32Kbytes for complex bootstrapping NoC-Right  NFS : NAND Flash controller  128M~32Gbytes NAND support  Max 400Mbps  Configurable.

“Apparatus and method for reducing memory access conflicts among processors” ✔MICPRO 2010.Core Architecture IU0 D0U D1U IU2 VA BTB BP FS IQ S EQ EP EE FPU D0D D1D LS SB TLB 13 pipeline stages RF I$ iTLB dTLB D$ MMUC Legend VA : Virtual Address BTB : Branch Target Buffer BP : Branch Predictor FS : Fetch Scheduler IQ : Instruction Queue DU : Upper Decode DD : Down Decode Automotive Linux Summit Fall 2013 S SB EQ RF IU LS EP/EE : Scheduler : Scoreboard : Execution Queue : Register File : Integer Unit : Load/Store Unit : Execute Prolog/Epilog ✔US 12/832313. “Local stack storage for processors” ✔US 7958321. ”Partial access conflict-relieving programmable address shuffler for parallel memory system in multi-core processor” 32 .

Core Internals SNAKE_CORE SNAKE_RESET I cache SNAKE_C Decoder Scheduler TLB D cache AXIF e0 Trap e1-e3 FQUEUE REGFILE EQ & EP BTB & BP FS ※ Block size is independent of the actual gate count. Automotive Linux Summit Fall 2013 33 .

d.d.Aldebaran Instructions Load-Store LDSB LDSH LDUB LDUH LD LDD LDF LDDF LDFSR LDC LDDC LDCSR STB STH ST STD STF STFSR STDFQ STC STDC STCSR STDCQ LDSTUB SWAP SETHI NOP LDSBA LDSHA LDUBA LDUHA LDA LDDA STBA STHA STA STDA STDF Arithmetic Automotive Linux Summit Fall 2013 Sync Floating-point AND ANDcc SAVE CAS FiTO(s.q) MULScc LDSTUBA SWAPA Flow Register move UMUL UMULcc RDTBR VOR FsMULd SMUL SMULcc WRASR VSHF FdMULq UDIV UDIVcc WRY VSQR FCMP(s.d.q)Toi OR ORcc Bicc STBAR FsTOd ORN ORNcc FBfcc UNIMP FsTOq XOR XORcc CBccc FLUSH FdTOs XORN XORNcc CALL FdTOq SLL JMPL FqTOs SRL RETT SRA Ticc Vector FqTOd VLD FMOVs ADD ADDcc VST FNEGs ADDX ADDXcc VADD FABSs TADDcc TADDccTV VSUB FSQRT(s.d.q) WRWIM Cpop WRTBR 34 .q) ANDN ANDNcc RESTORE CASA F(s.q) RDWIM VAND FDIV(s.q) SUBX SUBXcc RDY VSUM FSUB(s.q) SUB SUBcc RDASR VMUL FADD(s.q) TSUBcc TSUBccTV RDPSR VABS FMUL(s.d.d.d.q) SDIV SDIVcc WRPSR FCMPE(s.d.d.

I Cache. “Apparatus for saving energy of a cache using scratch pad memory” ✔JCSC 2010. ”Application-adaptive reconfiguration of memory address shuffler ” Automotive Linux Summit Fall 2013 35 . VIPT I$ VA[31:2] tag[31:13] Tag size=(28x19bx4) index[12:5] offset[4:2] tag tag TLB PA[35:12] Data size = (28x32bytesx4) Block inst inst tag tag inst PA[11:2] = 4-way Blocks Hit way Mux Miss Block select Inst[31:0] ✔US 출원중.

PIPT Data[31:0] D$ select VA[31:12] Tag size=(28x19bx4) VA[11:2] tag tag TLB tag tag PA[35:2] tag[35:13] index[12:5] Hit inst inst Block inst offset[4:2] = Data size = (28x32bytesx4) Miss Hit Data[31:0] Automotive Linux Summit Fall 2013 Miss Write Buffer 36 .D Cache.

use XOR GHR[4:0]^PC[4:0] GHR(Global History Register) GHR[9:2] PHT (Pattern History Table) PHT Hit ratio 256 entries 32 entries Gshare = Derivative of GAp Automotive Linux Summit Fall 2013 37 . Gshare To reduce “aliasing” by PC.Branch Prediction.

g0 Fast Branch Detection decode_u inst.Instruction Queue & Bandwidth inst0 inst1 inst2 inst3 inst4 inst5 inst6 inst7 cache line inst. g7 Dual instruction Selector Automotive Linux Summit Fall 2013 38 . g1 decode_d inst.

Scheduler & Fire-and-go Fire-and-go Scheduler e1 e2 Flow Control e1 Hazard Resolution int0_e0 int1_e0 ldst_e0 fp_e0 int0_e1 int1_e1 ldst_e1 fp_e1 int0_e2 e1 e2 e3 ldst_e2 ldst_e3 Automotive Linux Summit Fall 2013 e0 e1 39 .

Page Table and TLB TLB VAPA Flush (partial/full) iTLB dTLB entry 0 entry 0 entry 1 entry 1 VA tags Probe ctx PTE 8 31 PPN C M R ACC ET 36-bit physical address c_ctx r_ctpr r_fsr entry 31 entry 31 r_far 24 23 VA r_ctpr (12b) L1 pPTD Index1 18 17 Index2 12 11 Index3 0 Offset L1 PTD/E L2 PTD/E L3 PTD/E 256 entries 64 entries 64 entries L1 pPTD L1 pPTD Automotive Linux Summit Fall 2013 40 .

Traps Trap name reset data_store_error instruction_access_error instruction_access_exception privileged_instruction illegal_instruction fp_disabled cp_disabled window_overflow window_underflow mem_address_not_aligned fp_exception cp_exception data_access_error data_access_exception tag_overflow division_by_zero Automotive Linux Summit Fall 2013 #tt 0x2b 0x3c 0x21 0x01 0x03 0x02 0x04 0x24 0x05 0x06 0x07 0x08 0x28 0x29 0x09 0x0a 0x2a Trap name trap_instructions Trap name interrupt_level_15 interrupt_level_14 interrupt_level_13 interrupt_level_12 interrupt_level_11 interrupt_level_09 interrupt_level_09 interrupt_level_08 interrupt_level_07 interrupt_level_06 interrupt_level_05 interrupt_level_04 interrupt_level_03 interrupt_level_02 interrupt_level_01 #tt 0x80~0xff #tt 0x1f 0x1e 0x1d 0x1c 0x1b 0x1a 0x19 0x18 0x17 0x16 0x15 0x14 0x13 0x12 0x11 41 .

Debugger Debugger Client software for C/C++ SourceLevel Debugging Monitor Emulator Probing and control of the core through JTAG Modeling of core. Core verification. etc.3) Media drivers Flash driver Frame buffer Bootloader Automotive Linux Summit Fall 2013 OCD The small-sized server SW to communicate with JTAG-based OCD implemented in the chip ※ OCD : On-Chip Debugger IDE Integrated development environment GUI with Compiler.o libc ar as ld cpp gcj objcopy objdump read_elf lib pthread libm librt lib stdc++ Linux Applications Graphics Library Web OpenGL OpenCL Linux Kernel (3. and the main memory Verification Apps MMU mgt. 42 . tlb.IDE w/ GCC Aldebaran SW Ecosystem C/C++ Compiler C/C++ Compiler+Libraries gcc g++ gcov gprof crt1. Assembler. performance measurement for Aldebaran such as SpecCPU. mmu. CoreMark.

) IPC channel (host machine) shmget().data.text. shmat() Cycle-by-Cycle Comparison Automotive Linux Summit Fall 2013 Aldebaran core RTL simulation RTL DirectPort Interface RTL Simulator Snakemu CoreState Buffer Host machine 43 . .bss.Verification Basics Emulator Application (C/C++) Compiler Linker ELF (executable) Objcopy Image (.. .

1V 1/2 bl_clk NoC-Left PLL br_clk PLL PMIC sdr_clk NoC-Right PLL PLL Voltage Regulation Control DRAM vc_clk VC usb_clk USB ac97_bit_clk Automotive Linux Summit Fall 2013 AC97 44 . 0.Energy Management IO Pads PMU core_clk PLL PLL IO Power coreb_clk Core 0 Core 1 core0.0V.1V core1.8~1.75~1. 0. 0.

88mm2@65nm 305K gates D$ 0.63mm2@65nm 980K gates Max 99.125mW/MHz MIPS 1074kf 0.36mW/MHz ARM Cortex-A9 0.8mW@800MHz (PT-PX Simulation) Core_C 0.Area and Power CORE 2.88mm2@65nm 305K gates Automotive Linux Summit Fall 2013 Comparison Aldebaran Core 0.625mW/MHz * Excerpted from MIPS. ARM’s website * Power efficiency depends on synthesis constraints 45 .87mm2@65nm 300K gates I$ 0.

oi )   Pm (i j .Fault Analysis in ACCDEP Architecture IU0 D0U VA BTB BP FS IQ S D0D EQ IU2 E P FPU TLB LS mBTB RF dTL iTLB B E E D1D SB I$ Modeling D1U D$ MMUC O3 O1 Fault Simulation SW Stimulus vector Module without Error Module with Error injection Injection (VPI) Automotive Linux Summit Fall 2013 Fault Rate Extraction mBP O2 mFS mDE (VPI) Error Generation P ( oi )  Pm ( m .oi ) j (VPI) 4646 .

time. Mem VA F0 F1 F2 F3 D0 D1 S EQ E0 E1 E2 V V V V V V V V V V V V E3 R. Mem 2 cycle delay 2 cycle delay E3 Failure detected Micro-Reset IU0 D0U VA BTB BP FS 47 D1U IQ S EQ E P IU2 FPU D0D TLB iTLB E E D1D LS SB dTLB MMUC RF Internal pipeline architecture Automotive Linux Summit Fall 2013 47 .Aldebaran-V (Concept) Micro-flushing for fault detection and recovery  detection : spatial. logical diversity  tolerance : 2oo3 voting  recovery : micro-flushing on failure detection Pipeline redundancy VA F0 VA F0 F1 F2 F3 D0 D1 S EQ E0 E1 E2 F1 F2 F3 D0 D1 S EQ E0 E1 E2 E3 R.

Aldebaran-V (Register-based Micro-flushing) Pre-Core 0 VA F0 F1 F2 F3 D0 D1 S EQ E0 E1 E2 E3 Register File Update History (for 2 cycles) r0 r1 r0-ecc r1-ecc r31 r31-ecc Pre-Core 1 VA F0 F1 F2 F3 D0 D1 S EQ E0 E1 E2 E3 Register File Update History (for 2 cycles) r0 r1 r0-ecc r1-ecc r31 r31-ecc Core (actual) VA F0 F1 F2 F3 D0 D1 S Failure detected Micro-Reset Automotive Linux Summit Fall 2013 EQ E0 E1 E2 E3 Register File r0 r1 r0-ecc r1-ecc r31 r31-ecc TMR 48 .

Kernel-AP Interaction in Aldebaran-V Linux Timer isr AP Kernel Fault Table Thread ID Do backup for faulty process PC Interval Normal operation yes 2oo3 matches? Rewind no Fault detected AP-driven fault history Micro-flushing Automotive Linux Summit Fall 2013 49 .

Implementation Aldebaran Core 0 Aldebaran Core 1 Automotive Linux Summit Fall 2013 5050 .

(Integrity + Functional Safety) The Functional Safety Expert Group calls for participants interested in Functional Safety/Fault-Tolerance in AGL Automotive Linux Summit Fall 2013 51 .Summary Development of High-performance CPU for Next-generation Automotive CPU is required.

Automotive Linux Summit Fall 2013 52 .

Automotive V-Model Car System Sign-Off Development of Car System Sub-Systems integration Test. and Test Development of Mechanical Parts ECU Development ECU Sign-Off ECU SW Development ECU HW Development ECU SW Implementation Automotive Linux Summit Fall 2013 ECU HW/SW Integration and Test ECU HW Sign-Off ECU SW Integration and Test 53 . Calibration. actuators. Mechanical parts Integration. and validation Development of Sub-System Sub-System Sign-Off ECU sensors.

Apr.Trends of High-Performance Automotive AP Automotive’s Complexity Increases Exponentially Freescale PX  Need for Functional Safety  100 MCUs. 2013) Automotive Linux Summit Fall 2013 54 . 150 pounds of wiring  107 lines of code Freescale Quorriva MPC5748G High-Performance Multi-Core Automotive MCUs Infineon TriCore Renesas R8A7790X (R-Car H2)  Freescale MPC5748G : Multi-Core MCU  Renesas R8A7790X : Octa(8x) Automotive MCU (Source: Design News. 2013 & ITPro Portal Apr.