3 authors:
Ryan Huang
Industrial Technology Research Institute
All content following this page was uploaded by Kuen-Long Lu on 14 September 2018.
Abstract—With the growing demand for automotive electronics in advanced driver assistance systems and autonomous driving, functional safety has become one of the most important issues in hardware development. Thus the safety standard for automotive E/E systems, ISO-26262, has become the state-of-the-art guideline for ensuring that the required safety level can be achieved. In this study, we base our work on ISO-26262 to develop an FMEDA-based fault injection and data analysis framework. The main contribution of this study is to effectively reduce the effort for generating the FMEDA report, which is used to evaluate a hardware's safety level based on the ISO-26262 standard.

Keywords—ISO-26262, Functional Safety, FMEDA, Fault Injection

I. INTRODUCTION

Automotive E/E systems, and the electronic control units (ECU), micro-controller units (MCU), systems-on-chip (SoC) and intellectual property (IP) they use, have become prevalent in safety-critical automotive applications, which require stringent dependability while the systems are in operation. Therefore, safety and reliability issues must be addressed in the development of safety-critical hardware (HW) systems. Nevertheless, incorporating the safety/reliability requirements into the design specification raises the design complexity significantly. Thus an important and valuable research topic has emerged: how to develop an effective safety process following the guidelines of the international functional safety standard, i.e. ISO-26262, to assist designers in tackling the complexity of HW design and verification. Therefore, we need to incorporate the safety standard into the present automotive HW design and verification process such that the new integrated safety design process can help designers assess and enhance the safety/robustness of automotive hardware in an efficient manner.

ISO-26262 [1] was first published in 2009 for needs specific to the application sector of electrical and/or electronic (E/E) systems within road vehicles. The primary purpose of this standard is to conduct a safety life cycle for electronic systems. In ISO-26262, the safety life cycle includes the concept phase, the product development phase and the product and operation planning phase. During the safety life cycle, the issues considered cover initialization of the product concept, specification establishment, product design and pre-production test. All these issues are treated with functional safety in mind. In the product development phase, the V-model is adopted as the primary design, verification and validation flow. This phase is further divided into three levels: system level, hardware level and software level. For these levels, functional safety requirements are verified and validated through Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis (FTA), Failure Modes, Effects and Diagnostic Analysis (FMEDA) and safety-related metrics. Among these safety analyses, FMEDA is adopted to verify safety at the HW level by calculating the HW architectural metrics that evaluate the HW safety level.

In this study, we develop an FMEDA-based fault injection and data analysis framework in compliance with the functional safety standard ISO-26262 for safety-critical automotive SoCs. The effectiveness of the framework is demonstrated on an exemplary RISC-based SoC to show how the effort for generating the FMEDA report can be reduced. This paper is organized as follows: FMEDA and fault injection in ISO-26262 are introduced in Section II. In Section III, our FMEDA-based fault injection and data analysis framework is proposed. The case study appears in Section IV. Conclusions are given in Section V.

II. FMEDA AND FAULT INJECTION IN ISO-26262

A. FMEDA in ISO-26262

FMEDA is defined as a systematic analysis technique for obtaining subsystem/product level failure rates, failure modes and diagnostic capability. The main purpose of FMEDA in ISO-26262 is to evaluate the HW architectural metrics and the safety goal violations due to random HW failures, providing sufficient information to close the gaps if the demanded HW safety level is not fulfilled. The HW architectural metrics include the single-point fault metric (SPFM), the latent-fault metric (LFM) and the probabilistic metric for hardware
and accumulates the number of "SoC failures". Once all fault simulation results have been compared, the total number of SoC failures is acquired. Then FIDA can calculate the diagnostic coverage (DC), also called failure mode coverage (FMC), in the FMEDA report by dividing the number of SoC failures by the total number of injected faults. Finally, the HW architectural metrics can be calculated and filled into the FMEDA report.

On the other hand, a failure mode analysis report is generated to help users further recognize which failure modes are the main contributors among all SoC failures. Currently, FIDA classifies SoC failures into 12 different failure modes, as summarized in Table II.

Table II SoC failure mode classification
Failure mode   Description
EIT/ID         Simulation ends incorrectly (earlier than expectation) with incorrect results
EIT/CD         Simulation ends incorrectly (earlier than expectation) with correct results
EIT/ND         Simulation ends incorrectly (earlier than expectation) with no results
LIT/ID         Simulation ends incorrectly (later than expectation) with incorrect results
LIT/CD         Simulation ends incorrectly (later than expectation) with correct results
LIT/ND         Simulation ends incorrectly (later than expectation) with no results
IIT/ID         Simulation breaks down with incorrect results
IIT/CD         Simulation breaks down with correct results
IIT/ND         Simulation breaks down with no results
CT/ID          Simulation ends normally with incorrect results
CT/CD          Simulation ends normally with correct results
CT/ND          Simulation ends normally with no results

FIDA automatically classifies failure modes according to the corresponding waveform comparison results. Failure mode classification is based on a series of comparisons between the fault-free and the fault simulation from the time and value aspects, as Fig. 2 shows. In the time domain, FIDA compares the end time of each fault simulation with that of the fault-free simulation for the adopted benchmark. In the value domain, FIDA dumps and compares the contents of data memory at simulation end time for the fault simulations and the fault-free simulation for the adopted benchmark. In summary, users only need to prepare the Verilog code and specify the related parameters for fault simulation; FIDA then takes over the remaining tasks for generating the FMEDA report. Thus, compared to traditional FMEDA generation by hand, FIDA effectively reduces the effort through automated FMEDA generation. With the help of the proposed framework, the number of re-design iterations due to an insufficient safety level is also expected to be reduced.

IV. CASE STUDY

To demonstrate FIDA's effectiveness, we adopt an OpenRISC-core-based SoC, ORPSoC, as the case study [10]. This SoC is developed in Verilog RTL. Fig. 3 shows the block diagram of the ORPSoC.

Fig. 3 ORPSoC block diagram

A set of benchmarks including three common programs is adopted: Fibonacci sequence (Fib), Bubble sort (Sort) and Matrix multiplication (Matrix). Two simulation configurations are shown in the following: one is for failure mode classification and the other is for FMEDA.

A. Simulation configuration 1: failure mode classification

In this simulation configuration, we inject permanent faults to better demonstrate the failure mode classification for the original ORPSoC without safety mechanism protection. Table III shows the failure mode classification results for the three test programs. For each test program, the same 1000 permanent faults were injected to observe the fault impact on different program features.

Table III failure mode classification results

From Table III we can observe that LIT/ID has the highest occurrence among all failure modes, which provides a useful guide for devising effective safety mechanisms.

B. Simulation configuration 2: FMEDA

In this simulation configuration, we inject permanent faults into ORPSoC without and with the safety mechanism. It is worth noting that for each fault simulation only a single fault is injected. Thus only SPFM is calculated by FIDA; an FMEDA report with LFM is not demonstrated in this paper due to space limitations. The safety mechanism Triple Modular Redundancy (TMR) is adopted for the whole OR1200 CPU in ORPSoC. The FMEDA reports for ORPSoC without and with TMR protection are shown on the left-hand side and right-hand side of Table IV respectively. Analyzing the fault simulation results, we observe that faults injected in certain sub-parts of the OR1200 CPU do not have any effect on SoC operation. We identify these sub-parts as "NES", which stands for "No Effect on SoC", in Table IV (red boxes). These NES sub-parts are excluded from the FMC and SPFM calculation. Comparison of the two FMEDA reports provides evidence of the SPFM improvement contributed by the TMR safety mechanism.
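As an added example (not the paper's or FIDA's code), the following Python shows the two computations described above: classifying one fault simulation into a Table II failure mode from the end-time and data-memory comparison, and deriving SPFM for a set of sub-parts with NES sub-parts excluded, before and after a TMR-style protection. The sub-part names, failure rates and simulation results are constructed; the SPFM formula is the ISO 26262 definition, while taking each sub-part's unsafe share of its failure rate as failure rate times (SoC failures / injected faults) is an assumption of this example.

```python
from collections import Counter, namedtuple

# One fault simulation: subpart = where the permanent fault was injected, end_time =
# simulation end time (None if the run broke down), mem_dump = data memory at end (None if no result).
FaultRun = namedtuple("FaultRun", "subpart end_time mem_dump")

def classify(run, gold):
    """One of the 12 Table II modes, written as time class / value class."""
    if run.end_time is None:
        t = "IIT"                          # simulation breaks down
    elif run.end_time < gold.end_time:
        t = "EIT"                          # ends earlier than expected
    elif run.end_time > gold.end_time:
        t = "LIT"                          # ends later than expected
    else:
        t = "CT"                           # ends normally
    if run.mem_dump is None:
        v = "ND"
    elif run.mem_dump == gold.mem_dump:
        v = "CD"
    else:
        v = "ID"
    return f"{t}/{v}"

def failure_modes(runs, gold):
    """Table III style histogram; CT/CD matches the fault-free run, so it is no failure."""
    return Counter(m for m in (classify(r, gold) for r in runs) if m != "CT/CD")

def spfm(runs, gold, lam, nes):
    """SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda); each sub-part's unsafe share
    is assumed to be lambda * (SoC failures / injected); NES sub-parts are dropped."""
    injected, failed = Counter(), Counter()
    for r in runs:
        if r.subpart in nes:
            continue
        injected[r.subpart] += 1
        failed[r.subpart] += classify(r, gold) != "CT/CD"
    total = sum(lam[s] for s in injected)
    unsafe = sum(lam[s] * failed[s] / injected[s] for s in injected)
    return 1.0 if total == 0 else 1.0 - unsafe / total

# Constructed sample data (not from the paper): fault-free reference run, failure
# rates per sub-part, and the same five single faults without and with TMR.
GOLD = FaultRun("-", 1000, b"\x05\x08\x0d")
LAMBDA = {"alu": 10.0, "ctrl": 5.0, "dbg": 2.0}
NO_TMR = [FaultRun("alu", 1200, b"\x00"), FaultRun("alu", 1000, GOLD.mem_dump),
          FaultRun("ctrl", None, None), FaultRun("ctrl", 1000, GOLD.mem_dump),
          FaultRun("dbg", 1000, GOLD.mem_dump)]      # dbg is NES in this sample
WITH_TMR = [FaultRun(r.subpart, 1000, GOLD.mem_dump) for r in NO_TMR]
```

With the sample data, `spfm(NO_TMR, GOLD, LAMBDA, {"dbg"})` gives 0.5 and the TMR variant gives 1.0, mirroring the left/right comparison of Table IV.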
V. CONCLUSIONS

In this study, an FMEDA-based fault injection and data analysis framework in compliance with ISO-26262 is proposed. Through the proposed three-phase framework and the developed tool, FIDA, fault simulations and the data analysis of the simulation results are executed automatically. Furthermore, FIDA can also automatically perform failure mode classification and FMEDA report generation, so that the designer can rapidly recognize the weaknesses of the HW and establish safety mechanisms to improve the safety level. Therefore the effort to achieve the demanded HW safety level is effectively reduced.

ACKNOWLEDGMENT

The authors acknowledge the support of MOST under Contract Number 106-2221-E-305-011.

REFERENCES

[1] ISO/FDIS 26262, "Road Vehicles -- Functional Safety," International Organization for Standardization, 2011.
[2] S. H. Jeon, J. H. Cho, Y. Jung, S. Park, and T. M. Han, "Automotive hardware development according to ISO 26262," in Proc. 13th Int. Conf. on Advanced Communication Technology (ICACT), 2011, pp. 588-592.
[3] Y. C. Chang, L. R. Huang, H. C. Liu, C. J. Yang, and C. T. Chiu, "Assessing automotive functional safety microprocessor with ISO 26262 hardware requirements," in Proc. Int. Symposium on VLSI Design, Automation and Test (VLSI-DAT), 2014, pp. 1-4.
[4] ZOIX User Guide, Version 2016.03-6, July 2016.
[5] Randal Childers, "Enabling ISO 26262 Qualification By Using Cadence Tools," Cadence white paper, 2014.
[6] Doug Smith, "How Formal Reduces Fault Analysis for ISO 26262," Mentor Graphics white paper, 2017.
[7] Ludovic Pintard, Jean-Charles Fabre, Karama Kanoun, Michel Leeman, and Matthieu Roy, "Fault Injection In The Automotive Standard ISO 26262: An Initial Approach," European Workshop On Dependable Computing, vol. 7869, Springer Berlin Heidelberg, May 2013.
[8] N. Adler, S. Otten, M. Mohrhard, and K. D. Müller-Glaser, "Rapid safety evaluation of hardware architectural designs compliant with ISO 26262," in Proc. Int. Symposium on Rapid System Prototyping (RSP), Montreal, QC, 2013, pp. 66-72.
[9] M. Kooli and G. Di Natale, "A survey on simulation-based fault injection tools for complex systems," in Proc. 9th Int. Conf. on Design & Technology of Integrated Systems in Nanoscale Era (DTIS), 2014, pp. 1-6.
[10] https://opencores.org/, OpenRISC SoC official website.