# Integrating Functional Safety with ARM

#### November 2015, Lifeng Geng, Embedded Marketing Manager



The Architecture for the Digital World®

#### ARM: The World's Most Scalable Architecture

ARM ecosystem meets needs of vertical markets – from sensors to servers

- Addressing automotive, consumer, industrial, mobile, medical, metering and beyond
- 12bn ARM chips shipped in 2014 alone, increasingly becoming connected as part of IoT
- ARM's market share at 37% overall



### Functional Safety support is becoming essential

- Compliance with safety standards is required in many markets
- Visible reminders everywhere of the importance of electronics to automotive industry
- Also applies to other sectors: medical, factory automation, robotics, automotive, transport...





ARM white papers provide more detail

#### Functional Safety – Standards



#### How is the standard being used in the industry?




# Functional Safety Example

#### **Electric Power Steering**

- An example of a control system which must demonstrate functional safety
  - Must continue to function or at least behave predictably in event of a fault
  - By predictable behaviour we mean it must shut down, fail safe, reset and restart etc.
- Functionally safe systems aim at preventing hazardous behaviour in event of a fault
- Level of risk resulting from potential malfunctioning behaviours is quantified through hazard analysis and risk assessment
  - Automotive Safety Integrity Levels range from ASIL A to ASIL D
  - The higher ASIL requirement dictates the level of robustness of design and verification processes, and often also leads to inclusion of more fault detection and control features



#### Another Example: ADAS Sensors and Functions





- Lots of sensors: cameras, radars, ultrasonic, and many more to come
- Lots of opportunity for redundancy of functions
- Semi-autonomous driving can be achieved today with embedded control
- V2V and V2I will offer supplemental control from the cloud and greater redundancy
- Fail-functional operation is needed for safety features



# Functional Safety Support for ARM IP

Processes:

- Safety management
- Requirements management
- Quality

Fault detection/control features:

- Memory Protection
- Error Correction
- Dual Core Lock-Step
- Abort mode
- System Error
- Fault containment

#### **Design & Verification**

ARM IP Product Safety Package\*:

- Safety Manual
- Failure Modes and Effects Analysis
- Development Interface Report



#### Safety Package

\* Supported IPs have separate licensable package



# Functional Safety Support Levels

#### **Standard level support**

- Focus on systematic aspects
  - Design and verification description
  - FMEA Report with example quantitative analysis
- External fault detection and control mechanisms to ARM IP typically required
  - Software-based solutions
  - System-level solutions
- Example processors
  - Cortex-M0+, Cortex-M3, Cortex-M4
  - Cortex-A53, Cortex-A57, Cortex-A72

#### **Extended level support**

- Covers both systematic and random HW fault aspects
  - Robust fault detection and control mechanisms within the design
- External fault detection and control mechanisms not typically necessary
  - Dependent on overall system architecture
- Example processors
  - Cortex-R5
  - Cortex-M7

#### Levels of Support Explained

|                                                     | Standard level                                                                                                                         | Extended level                                                                               |
|-----------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|
| Typical safety requirements                         | Up to ASIL B (ISO 26262) /<br>SIL 2 (IEC 61508)                                                                                        | Up to ASIL D (ISO 26262) /<br>SIL 3 (IEC 61508)                                              |
| Target application areas                            | Monitoring, processing, analysis<br>applications, e.g. ADAS, general process<br>control                                                | Real-time control applications, e.g. braking, EPS, industrial safety                         |
| ARM functional safety support documents             | <ul> <li>Safety Manual</li> <li>FMEA Report</li> <li>Development Interface Report</li> </ul>                                           | <ul> <li>Safety Manual</li> <li>FMEA Report</li> <li>Development Interface Report</li> </ul> |
| FMEA format                                         | Functional level analysis with estimated failure rate distribution                                                                     | Detailed analysis with estimated failure rate distribution and diagnostic coverage           |
| Fault detection and<br>diagnostics within<br>ARM IP | Limited or no diagnostic coverage<br>achievable by hardware-only means.<br>Additional diagnostics by system-level or<br>software means | Typically very high diagnostic coverage achievable by hardware-only means                    |



#### Fault Detection and Control Features

#### Processor specific features

- Typically redundant elements in the design
- Not required for normal operation
- Provide additional fault detection capability
- Estimate of diagnostic coverage possible
- Examples
  - ECCs
  - Lock-step

#### Architecture defined features

- Applicable to all processors implementing the architecture
- Generic in nature, with potentially lower fault detection capability
- Estimation of diagnostic coverage difficult
- Examples
  - Exception handling
  - Memory protection and management



# Example: Cortex<sup>®</sup>-R5 Fault Detection and Control

- Processor specific
  - TCM ECC
  - Cache ECC and parity
  - TCM external error
  - Bus protection
  - Dual core lock-step with delay

- ARMv7-R architecture based
  - Memory protection unit (MPU)
  - Exception model
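The TCM and cache ECC listed above are the kind of redundant element that corrects single-bit memory errors and flags double-bit ones. The C program below is an added example, not ARM's ECC logic and not the encoding tables from the Safety Manual appendix: it implements a generic Hamming SEC-DED code over a 32-bit word (39-bit codeword) and shows the three outcomes a decoder reports to the system (clean, corrected, uncorrectable). All function names and the fault-injection helpers are the example's own; the Cortex-R5's actual 32-bit ECC scheme uses different bit placement.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Codeword layout, 39 bits held in a uint64_t (bit index == Hamming position):
 *   position 0             : overall parity bit (turns SEC into SEC-DED)
 *   positions 1,2,4,...,32 : six Hamming check bits
 *   other positions 3..38  : the 32 data bits, placed in ascending order
 * This is a textbook Hamming layout chosen for the example, not ARM's. */
#define ECC_CODE_BITS 39

enum ecc_status { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 };

/* Check-bit positions are the powers of two (pos >= 1). */
static bool ecc_is_check_pos(unsigned pos) { return (pos & (pos - 1)) == 0; }

/* Scatter the 32 data bits into the non-check positions. */
static uint64_t ecc_place_data(uint32_t data)
{
    uint64_t cw = 0;
    unsigned d = 0;
    for (unsigned pos = 3; pos < ECC_CODE_BITS; pos++) {
        if (ecc_is_check_pos(pos)) continue;
        if ((data >> d) & 1u) cw |= (uint64_t)1 << pos;
        d++;
    }
    return cw;
}

/* Inverse of ecc_place_data. */
static uint32_t ecc_extract_data(uint64_t cw)
{
    uint32_t data = 0;
    unsigned d = 0;
    for (unsigned pos = 3; pos < ECC_CODE_BITS; pos++) {
        if (ecc_is_check_pos(pos)) continue;
        if ((cw >> pos) & 1u) data |= 1u << d;
        d++;
    }
    return data;
}

/* XOR of the positions of all set bits 1..38: zero for a valid codeword,
 * equal to the flipped position after a single-bit error. */
static unsigned ecc_syndrome(uint64_t cw)
{
    unsigned s = 0;
    for (unsigned pos = 1; pos < ECC_CODE_BITS; pos++)
        if ((cw >> pos) & 1u) s ^= pos;
    return s;
}

/* 1 if an odd number of bits is set. */
static unsigned ecc_parity(uint64_t v)
{
    unsigned p = 0;
    for (; v; v &= v - 1) p ^= 1u;
    return p;
}

uint64_t ecc_encode(uint32_t data)
{
    uint64_t cw = ecc_place_data(data);
    unsigned s = ecc_syndrome(cw);            /* check bits are still clear here */
    /* Setting check bit 2^k for every set bit k of s drives the syndrome to zero. */
    for (unsigned k = 0; (1u << k) < ECC_CODE_BITS; k++)
        if ((s >> k) & 1u) cw |= (uint64_t)1 << (1u << k);
    cw |= ecc_parity(cw);                     /* position 0: even parity over the word */
    return cw;
}

enum ecc_status ecc_decode(uint64_t cw, uint32_t *data_out)
{
    unsigned s = ecc_syndrome(cw);
    unsigned odd = ecc_parity(cw);            /* 1 -> an odd number of bits flipped */
    enum ecc_status st = ECC_OK;
    if (odd) {                                /* single flip at position s (s == 0: bit 0 itself) */
        cw ^= (uint64_t)1 << s;
        st = ECC_CORRECTED;
    } else if (s != 0) {                      /* even flip count but inconsistent: double error */
        st = ECC_UNCORRECTABLE;               /* caller must treat data as unusable */
    }
    *data_out = ecc_extract_data(cw);
    return st;
}

/* Fault-injection helpers (example's own): encode, flip the bits in flip_mask, decode. */
int ecc_status_after(uint32_t data, uint64_t flip_mask)
{ uint32_t d; return (int)ecc_decode(ecc_encode(data) ^ flip_mask, &d); }

uint32_t ecc_data_after(uint32_t data, uint64_t flip_mask)
{ uint32_t d; ecc_decode(ecc_encode(data) ^ flip_mask, &d); return d; }

int main(void)
{
    uint32_t out;
    uint64_t cw = ecc_encode(0xC0FFEE42u);
    printf("codeword: 0x%010llx\n", (unsigned long long)cw);
    int st1 = ecc_decode(cw ^ (1ull << 5), &out);
    printf("flip bit 5   : status %d, data 0x%08x\n", st1, out);
    int st2 = ecc_decode(cw ^ (1ull << 5) ^ (1ull << 9), &out);
    printf("flip bits 5,9: status %d (data not trusted)\n", st2);
    return 0;
}
```

Two points carry over to real hardware: a corrected single-bit error is still an event worth reporting (that is what makes it a detected multiple-point fault rather than a silently accumulating latent one), and on an uncorrectable result the consumer must not use the returned data, which is why the status, not the data, is the primary output.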





#### Safety Documentation Package Contents

- Essential documentation to support designing SoC / MCU products for safety-related markets
- Three key documents within the Safety Documentation Package:
  - Safety Manual
    - Overall description of functional safety activities within ARM
    - Product specific aspects of functional safety
    - Overview of safety architecture
    - Description of fault detection and control mechanisms
    - Summary of safety analysis results
  - Failure Modes and Effects Analysis Report
    - Block and sub-block level partitioning
    - Estimated failure rate distributions
    - Sample quantitative analysis
  - Development Interface Report
    - Identification of safety-lifecycle aspects applicable to ARM and IP integrator



### Cortex<sup>®</sup>-R5 Safety Manual

- Contents at top level
  - Introduction
  - Cortex-R5 safety lifecycle
  - Cortex-R5 safety architecture
  - Cortex-R5 configuration options
  - Cortex-R5 fault detection and control mechanisms
  - Cortex-R5 assumptions of use
  - Cortex-R5 safety analysis results
  - Appendix ECC tables
  - Appendix Measures for systematic fault avoidance
  - Appendix Lock-step initialization sequence
- Total contents about 150 pages



# Cortex<sup>®</sup>-R5 Safety Manual

| Chapter    | Section | Title                                                      | Page       |
|------------|---------|------------------------------------------------------------|------------|
| Preface    |         | About this book                                            |            |
|            |         | Feedback                                                   | 10         |
| Chapter 1  |         | Introduction                                               |            |
|            | 1.1     | Role of ARM IP in safety context                           | 1-12       |
|            | 1.2     | Intended use of this document                              | 1-14       |
| Chapter 2  |         | Cortex-R5 Processor Safety Lifecycle                       |            |
|            | 2.1     | About the Cortex-R5 processor safety lifecycle             |            |
|            | 2.2     | Overall functional safety management                       |            |
|            | 2.3     | Project specific functional safety management              | 2-19       |
|            | 2.4     | Functional safety audits                                   |            |
|            | 2.5     | Functional safety assessments                              | 2-24       |
| Chapter 3  |         | Cortex-R5 Processor Safety Architecture Overview           |            |
|            | 3.1     | About the Cortex-R5 processor safety architecture          |            |
|            | 3.2     | Single core configuration                                  | 3-30       |
|            | 3.3     | Dual core lock-step configuration                          | 3-31       |
| Chapter 4  |         | Cortex-R5 RTL Configuration Options                        |            |
|            | 4.1     | About Cortex-R5 configuration options                      | 4-33       |
|            | 4.2     | RTL configuration for internal TCM ECC                     | 4-34       |
|            | 4.3     | RTL configuration for cache ECC                            |            |
|            | 4.4     | RTL configuration for cache parity                         | 4-37       |
|            | 4.5     | RTL configuration for TCM external error                   |            |
|            | 4.6     | RTL configuration for L2 AMBA bus diagnostics              | 4-39       |
|            | 4.7     | RTL configuration for Memory Protection Unit               |            |
|            | 4.8     | RTL configuration for exceptions                           |            |
|            | 4.9     | RTL configuration for lock-step                            |            |
|            | 4.10    | RTL configuration for split/lock                           |            |
| Chapter 5  |         | Cortex-R5 Processor Fault Detection and Control Mechanisms |            |
|            | 5.1     | About Cortex-R5 fault detection and control mechanisms     |            |
|            | 5.2     | Internal TCM ECC                                           |            |
|            | 5.3     | Cache ECC                                                  |            |
|            | 5.4     | Cache parity                                               |            |
|            | 5.5     | TCM external error                                         |            |
|            | 5.6     | L2 AMBA bus diagnostics                                    |            |
|            | 5.7     | Memory Protection Unit                                     |            |
|            | 5.8     | Exceptions                                                 |            |
|            | 5.9     | Lock-step                                                  |            |
|            | 5.10    | Split/lock                                                 |            |
| Chapter 6  |         | Cortex-R5 Processor Assumptions of Use                     |            |
|            | 6.1     | About the assumptions of use                               |            |
|            | 6.2     | Assumptions of use for the system integrator               |            |
|            | 6.3     | Assumptions of use for the system developer                | 6-123      |
| Chapter 7  |         | Cortex-R5 Processor Safety Analysis Results                |            |
|            | 7.1     | About safety analysis results                              |            |
|            | 7.2     | Failure modes and effects analysis                         |            |
|            | 7.3     | Sample core implementation results                         |            |
|            | 7.4     | Dependent failures                                         |            |
|            | 7.5     | Systematic faults                                          |            |
|            | 7.6     | Security considerations                                    |            |
| Appendix A |         | ECC Encoding Tables                                        |            |
|            | A.1     | Introduction                                               | Appx-A-137 |
|            | A.2     | 64-bit ECC scheme                                          | Appx-A-138 |
|            | A.3     | 32-bit ECC scheme                                          | Appx-A-140 |
|            | A.4     | 3-bit ECC scheme                                           | Appx-A-141 |
| Appendix B |         | Measures for Systematic Fault Avoidance                    |            |
|            | B.1     | Systematic fault avoidance measures                        | Appx-B-143 |
| Appendix C |         | Suggested Initialization Code for Lock-Step Operation      |            |
|            | C.1     | Suggested initialization code for lock-step operation      | Appx-C-149 |
| Appendix D |         | Revisions                                                  |            |
|            | D.1     | Revisions                                                  | Appx-D-152 |



# Cortex<sup>®</sup>-R5 Safety Manual

- Safety lifecycle description
- Overall and product specific safety management
  - Lifecycle aspects
  - V&V activities
  - Supporting processes
- Functional safety audits and assessments
  - Description of planned and completed activities
  - Summary of findings



Figure 1-1 Allocation of roles and responsibilities



# Cortex<sup>®</sup>-R5 FMEA Report

- General structure
  - Description of contents
  - ARM IP partitioning for safety analysis
  - Summary results of safety-related metrics
  - Example quantitative FMEA analysis
- Designed for usability
  - Standard Excel workbook
  - Fully modifiable / customizable by licensee
  - No macros required
- Complemented with an application note
  - Detailed description of analysis method

Excerpt of the FMEA worksheet (sub-block rows; the fault descriptions are truncated in the source):

| Component level | Block level                            | Sub-block level (end point) | Safety relevant | Detailed fault                                                     |
|-----------------|----------------------------------------|-----------------------------|-----------------|--------------------------------------------------------------------|
| CPU             | Cortex R5 CPU0 (Master) Processor Core | Core Prefetch Unit          | 1               | Permanent fault caus wrong instruction loa opcode feeding the p    |
| CPU             | Cortex R5 CPU0 (Master) Processor Core | Core Prefetch Unit          | 1               | Transient fault causir wrong instruction loa opcode feeding the pr |
| CPU             | Cortex R5 CPU0 (Master) Processor Core | Core Prefetch Unit          | 1               | Permanent fault in th taken/not-taken decis                        |
| CPU             | Cortex R5 CPU0 (Master) Processor Core | Core Prefetch Unit          | 1               | Transient fault in the taken/not-taken decis                       |

Failure rate symbols used in the summary metrics:

| Failure rate                                              | Symbol                                              |
|-----------------------------------------------------------|-----------------------------------------------------|
| Total ($\lambda_{SR} + \lambda_{NSR}$)                     | $\lambda$                                           |
| Safety-related / non-safety-related parts of $\lambda$     | $\lambda_{SR}$, $\lambda_{NSR}$                     |
| Safe faults                                               | $\lambda_{S}$                                       |
| Residual and single point faults                          | $\lambda_{RF} + \lambda_{SPF}$                      |
| Multiple point faults                                     | $\lambda_{MPF}$                                     |
| Latent multiple point faults                              | $\lambda_{MPFL}$                                    |
| Architecturally safe faults (by $F_{safe}$)               | $\lambda_{S\text{-}ARCH}$                           |
| Transient faults                                          |                                                     |
| Overall failure rate                                      | $\lambda\ (\lambda_{op} + \lambda_{app})$            |
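The summary metrics in an FMEA report follow from per-row failure rates and diagnostic coverage. The C program below is an added example, not ARM's workbook or its figures: it takes constructed worksheet rows, splits each safety-related failure rate into architecturally safe, detected (multiple-point), latent and single-point/residual parts using the symbols of the table above, and computes the ISO 26262-5 single-point fault metric (SPFM) and latent fault metric (LFM) against their ASIL B/C/D target values. The row values and the `f_safe`, `dc` and `dc_latent` fields are assumptions for illustration, and the PMHF metric is deliberately left out.

```c
#include <stdio.h>

/* One failure mode of one sub-block, as an FMEA workbook row.
 * lambda is in FIT (failures per 1e9 device-hours). Every number in this
 * file is constructed for illustration; none is an ARM Cortex-R5 figure. */
struct fmea_row {
    const char *sub_block;
    const char *fault;
    double lambda;       /* FIT */
    int safety_related;  /* 0: contributes only to lambda_NSR */
    double f_safe;       /* fraction that is architecturally safe (lambda_S-ARCH) */
    double dc;           /* diagnostic coverage w.r.t. violating the safety goal */
    double dc_latent;    /* coverage w.r.t. revealing the fault before it is latent */
};

struct hw_metrics {
    double lambda_sr, lambda_nsr, lambda_s_arch;
    double lambda_spf_rf;   /* single-point + residual */
    double lambda_mpf;      /* multiple-point (detected/perceived + latent) */
    double lambda_mpfl;     /* latent multiple-point */
    double spfm, lfm;       /* ISO 26262-5 hardware architectural metrics */
};

struct hw_metrics fmea_metrics(const struct fmea_row *rows, int n)
{
    struct hw_metrics m = {0};
    for (int i = 0; i < n; i++) {
        const struct fmea_row *r = &rows[i];
        if (!r->safety_related) { m.lambda_nsr += r->lambda; continue; }
        double safe = r->lambda * r->f_safe;
        double dangerous = r->lambda - safe;
        double detected = dangerous * r->dc;
        m.lambda_sr += r->lambda;
        m.lambda_s_arch += safe;
        m.lambda_spf_rf += dangerous - detected;   /* dc == 0: single point; else residual */
        m.lambda_mpf += detected;
        m.lambda_mpfl += detected * (1.0 - r->dc_latent);
    }
    /* ISO 26262-5 Annex C, sums over safety-related hardware elements:
     *   SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
     *   LFM  = 1 - sum(lambda_MPF,latent) / sum(lambda - lambda_SPF - lambda_RF) */
    m.spfm = 1.0 - m.lambda_spf_rf / m.lambda_sr;
    m.lfm  = 1.0 - m.lambda_mpfl / (m.lambda_sr - m.lambda_spf_rf);
    return m;
}

/* Highest ASIL whose ISO 26262-5 target values (SPFM: B >= 90%, C >= 97%,
 * D >= 99%; LFM: B >= 60%, C >= 80%, D >= 90%) both metrics meet; '-' if none. */
char asil_from_metrics(double spfm, double lfm)
{
    if (spfm >= 0.99 && lfm >= 0.90) return 'D';
    if (spfm >= 0.97 && lfm >= 0.80) return 'C';
    if (spfm >= 0.90 && lfm >= 0.60) return 'B';
    return '-';
}

/* Constructed worksheet: four rows of a hypothetical single-core configuration. */
static const struct fmea_row sample_rows[] = {
    /* sub_block,          fault,                           FIT,  SR, f_safe, dc,   dc_latent */
    { "Core Prefetch Unit", "Permanent fault, wrong opcode", 10.0, 1, 0.5,  0.90, 0.90 }, /* 90% covered by some diagnostic */
    { "TCM RAM",            "Bit flip in data",              40.0, 1, 0.0,  0.99, 1.00 }, /* ECC corrects and reports */
    { "Branch predictor",   "Wrong prediction",              10.0, 1, 1.0,  0.00, 0.00 }, /* only costs cycles: architecturally safe */
    { "Debug logic",        "Any",                           20.0, 0, 0.0,  0.00, 0.00 }, /* not safety related */
};
#define SAMPLE_N ((int)(sizeof sample_rows / sizeof sample_rows[0]))

double sample_spfm(void) { return fmea_metrics(sample_rows, SAMPLE_N).spfm; }
double sample_lfm(void)  { return fmea_metrics(sample_rows, SAMPLE_N).lfm; }
char   sample_asil(void) { return asil_from_metrics(sample_spfm(), sample_lfm()); }

int main(void)
{
    struct hw_metrics m = fmea_metrics(sample_rows, SAMPLE_N);
    printf("lambda_SR=%.1f FIT  lambda_NSR=%.1f FIT  lambda_S-ARCH=%.1f FIT\n",
           m.lambda_sr, m.lambda_nsr, m.lambda_s_arch);
    printf("lambda_SPF+RF=%.2f  lambda_MPF=%.2f  lambda_MPFL=%.2f\n",
           m.lambda_spf_rf, m.lambda_mpf, m.lambda_mpfl);
    printf("SPFM=%.2f%%  LFM=%.2f%%  -> highest ASIL met: %c\n",
           100.0 * m.spfm, 100.0 * m.lfm, sample_asil());
    return 0;
}
```

In the constructed set the SPFM lands at 98.5%, which is why the result is ASIL C and not D: a single poorly covered row dominates the residual rate, which is the usual reason an integrator adds an external diagnostic (a software test or a system-level monitor) on top of the IP's own mechanisms.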



#### Development Interface Report – Contents

| Chapter    | Section | Title                                                          | Page      |
|------------|---------|----------------------------------------------------------------|-----------|
| Preface    |         | About this book                                                | 7         |
|            |         | Feedback                                                       | 10        |
| Chapter 1  |         | Introduction                                                   |           |
|            | 1.1     | About this book                                                | 1-12      |
|            | 1.2     | Purpose                                                        | 1-13      |
|            | 1.3     | Role of ARM IP in a safety context                             |           |
|            | 1.4     | Assignment of roles and responsibilities                       | 1-15      |
|            | 1.5     | Intended use of the Development Interface Report               | 1-16      |
| Chapter 2  |         | Development Interface for the ARM<sup>®</sup> Cortex<sup>®</sup>-R5 Processor |           |
|            | 2.1     | Communication                                                  | 2-18      |
|            | 2.2     | Safety management activities                                   |           |
|            | 2.3     | Technical aspects                                              |           |
|            | 2.4     | Supporting documentation and deliverables                      | 2-21      |
| Appendix A |         | Summary of the Processes and Activities                        |           |
|            | A.1     | Summary of the processes and activities                        | Appx-A-23 |
| Appendix B |         | Information related to work products defined in ISO 26262:2011 |           |
|            | B.1     | Information related to work products defined in ISO 26262:2011 | Appx-B-27 |
| Appendix C |         | Revisions                                                      |           |
|            | C.1     | Revisions                                                      | Appx-C-38 |



# Safety Documentation Information Flow





# Use Case Example: Support Third-party Assessment of an MCU





Access for audit and assessment purposes



#### Use Case Example: MCU / SoC Safety Documentation





# Functional Safety for Integrated Designs

- ARM Compiler Qualification Kit and toolchain certificate
- Safety documentation

# Case: Ecosystem Partner Support from Yogitech

- Yogitech is a provider of services and solutions to silicon vendors and system integrators to help them meet their functional safety challenges
- Currently supports a number of ARM processor designs
  - Hardware solutions
  - Software solutions

#### **YOGITECH offer for ARM cores**

- fRCPU (available for Cortex-M3)
  - Optimized tightly coupled fault supervisor for low-cost safety concepts, implementing ASIL D "asymmetric redundancy" (ISO 26262-5 D.2.3.6).
- fRSmartComp (available for Cortex-R4F, R5)
  - Enhanced dual-core lock-step for fail-operational safety concepts, included in ISO 26262 as "2-way voting" (ISO 19451 PAS).
- fRSTL (available for Cortex-M0, M0+, M3, M4; in development for A15, A9, A7; on the roadmap for A53, A57)
  - Application Independent Software Test Library. Each Test Segment targets a specific function of the CPU. It provides pass/fail information and self-checking signatures (CRC). It may be interrupted at any time by the application SW.
- Complete solution including fRSTL for Cortex-A, fRSmartWatchdog (a SW layer comparing fRSTL results and handling application redundancy) and fRSVC\_multicore (a safety verification component that provides customers with the safety analysis and safety verification artifacts to combine fRSTL and fRSmartWatchdog with application redundancy to reach up to ASIL C for both permanent and transient faults).
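To show what a self-checking test segment with a CRC signature looks like, here is an added C example. It is not Yogitech's fRSTL code and makes no claim about how fRSTL is implemented: it exercises integer ALU operations on fixed operand pairs, folds every result into a CRC-32 signature, and compares that signature against a golden value. `stl_alu_segment`, the operand vectors and the `inject` hook are the example's own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* CRC-32 (IEEE 802.3, reflected form, polynomial 0xEDB88320), bitwise and
 * table-free so it fits a small library. Chainable: pass the previous result
 * as `crc` to extend a signature across several segments. */
uint32_t crc32_update(uint32_t crc, const void *buf, size_t len)
{
    const uint8_t *p = (const uint8_t *)buf;
    crc = ~crc;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Operand pairs (constructed) chosen to exercise carries, sign bits and
 * all-ones patterns on the adder, logic unit and shifter. */
struct alu_vec { uint32_t a, b; };
static const struct alu_vec alu_vecs[] = {
    { 0xFFFFFFFFu, 0x00000001u }, { 0x80000000u, 0x80000000u },
    { 0x12345678u, 0x9ABCDEF0u }, { 0xAAAAAAAAu, 0x55555555u }, { 0u, 0u },
};
#define ALU_VECS (sizeof alu_vecs / sizeof alu_vecs[0])

/* One test segment: drives the integer ALU with each operand pair and folds
 * every result into a CRC-32 signature. Operands are read through volatile so
 * the compiler cannot fold the arithmetic away at build time. `inject` is a
 * test hook XORed into one result to model a faulty adder (0 in normal use).
 * All state is local, so the segment can be interrupted and resumed. */
uint32_t stl_alu_segment(uint32_t inject)
{
    uint32_t sig = 0;
    for (size_t i = 0; i < ALU_VECS; i++) {
        volatile uint32_t a = alu_vecs[i].a, b = alu_vecs[i].b;
        uint32_t r[7];
        r[0] = a + b;  r[1] = a - b;  r[2] = a * b;           /* adder / multiplier */
        r[3] = a & b;  r[4] = a | b;  r[5] = a ^ b;           /* logic unit */
        r[6] = (a << 3) | (b >> 29);                          /* shifter */
        r[0] ^= inject;
        /* Serialize little-endian explicitly so the signature is target independent. */
        uint8_t bytes[sizeof r];
        for (size_t j = 0; j < 7; j++)
            for (int k = 0; k < 4; k++) bytes[4 * j + k] = (uint8_t)(r[j] >> (8 * k));
        sig = crc32_update(sig, bytes, sizeof bytes);
    }
    return sig;
}

/* Pass/fail decision against a golden signature. In a deployed library the
 * golden value is recorded once on a known-good device and stored as a
 * constant; a signature computed on the same device at start-up would only
 * prove consistency with itself, not correctness. */
int stl_segment_passed(uint32_t golden) { return stl_alu_segment(0) == golden; }

/* Standard CRC-32 check value: crc32("123456789") must be 0xCBF43926. */
uint32_t crc32_check_value(void) { return crc32_update(0, "123456789", 9); }

int main(void)
{
    uint32_t golden = stl_alu_segment(0);      /* stands in for the stored constant */
    printf("crc32 self-check: 0x%08x\n", crc32_check_value());
    printf("segment signature: 0x%08x, pass=%d\n", golden, stl_segment_passed(golden));
    printf("with injected fault: 0x%08x, pass=%d\n",
           stl_alu_segment(1u), stl_alu_segment(1u) == golden);
    return 0;
}
```

The signature rather than a plain pass/fail flag is what gives the segment its value as a diagnostic: a stuck comparison or a skipped segment cannot produce the right CRC by accident, so the supervisor that consumes the result (the watchdog layer described above) can distinguish "ran and passed" from "reported pass without running".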



# ARM Compiler 5 Support for Functional Safety

- Compiler Safety Package for software development in safety markets
  - Industrial control, automotive, medical, transportation, military and others



- Access to the Safety Package provided with DS-5 Ultimate and Keil<sup>®</sup> MDK Pro
  - Valid DS-5 or MDK support and maintenance entitlement enables extended maintenance
  - Compiler installation is an add-on to the standard product installation

#### Importance of ARM Ecosystem for Functional Safety

Functional safety support required for all aspects of designs

| Application software |
|----------------------|
| Middleware           |
| Operating systems    |
| Hardware             |

...including design, verification and analysis tools





#### Conclusions

ARM is actively working on functional safety support

- Goal is to enable semiconductor manufacturers to develop SoC and MCU designs for safety applications
- This requires collaboration throughout the ecosystem
- Actively participating in ISO 26262 standardization activities
- We want to understand your needs
  - What is the best way for ARM to support your safety-related designs?
  - Your expectations for semiconductor suppliers' safety documentation and support?





# THANK YOU!

For further information, please contact Lauri Ora <u>lauri.ora@arm.com</u> +44 (0) 7741 272 100

