Functional Safety in Linux-AP

Automotive Linux Summit Fall 2013

* ETRI = Electronics and Telecommunications Research Institute, Korea

SoCs in Automotive

ASV (Advanced Safety Vehicle): the vehicle domains Safe, Smart(ness) and Comfort are all served by SoC-controlled units. Units shown on the slide: Smart Dashboard (Nav, Audio), Blackbox, Airbag, Seat Control, Engine Control, Steering, Transmission Control, TPMS (Tire Pressure Monitoring System), Smart door, Window, ABS Control Unit.

* Source : ETRI Industry Analysis Report 2010

ADAS and CPU

ADAS (Advanced Driver Assistance System) for smart/safe driving is the future of cars. Timeline 2000 -> 2010 -> 2020:
- Reduce injuries: PAS1)
- Danger warning: LDWS2), immediate braking
- Safe driving control: LKAS3)
- Driving smartness & comfort: V2V4), V2I5), ITS6) -> Smart Car, driving-central
- Software: from standardized, simple SW to complex SW running on high-performance APs

1) PAS: Parking Assist System
2) LDWS: Lane Departure Warning System
3) LKAS: Lane Keeping Assist System
4) V2V: Vehicle-to-Vehicle
5) V2I: Vehicle-to-Infrastructure
6) ITS: Intelligent Transportation System


Automotive Embedded System

Automotive OS (Future of AGL?) on the Vehicle AP:
- Smart Driving: IVI (In-Vehicle Infotainment), Voice Recognition, Mixed Reality Display, Route/Parking Guidance, Gesture Recognition
- Safe Driving: V2V/ITS, Lane Detection, Pedestrian Detection, Traffic Sign Recognition, Multi-Radar/ACC, Night Vision, Collision Warning Brake

Why Fault-Tolerance in Linux-AP?

Brake-by-Wire = control by a SW-SoC. Drive monitoring, Brake-by-Wire and Steer-by-Wire put the automotive application running on Linux on the Vehicle AP into the control loop, so a malfunction of the Linux-AP becomes a safety problem: ADAS (Advanced Driver Assistance) + Steering requires a high-quality, fault-tolerant SW-CPU, i.e. a fault-tolerant automotive SW-SoC.

Sources of transient errors in the ECU (MCU/CPU/AP):
- Noise
- Cosmic ray
- Voltage/current fluctuation
- Temperature variation
Error modeling: these appear as SET (Single Event Transient) and SEU (Single Event Upset).

Challenges in Fault-Tolerant Linux-AP

Fault-tolerance in a high-performance AP (>800MHz, ~1.2GHz)
* Plenty of research exists for MCUs
- Redesign of the core to protect against transient errors
- Redesign of the core and OS to detect faults and recover state
- Linux kernel/driver design for fault-tolerance
  * Previous works target firmware
- Approval of the core and OS as a Safety Element in vehicles

ISO 26262 Roadmap for Automotive APs

An AP has to address two classes of faults.

Systematic faults: avoidance of faults in the process and avoidance of bugs in SW
- Requirements tracking, configuration management
- Control & verification of tool suites (compiler, ..)
- Control & verification of the design process
- Control & verification of SW test design
- Control & verification of usage, maintenance, and changes
- Documentation & verification of HW-SW interfaces

HW random faults: safety mechanisms and analysis
- Safety mechanisms
  - HW diagnostic mechanisms (e.g. ECC, DCLS, etc.)
  - SW diagnostic mechanisms (e.g. SW tests)
  - Measures for CCF avoidance
- Analysis
  - Qualitative analysis: dependent failures (CCF) analysis
  - Quantitative analysis: HW metrics analysis (SPFM, LFM, PMHF), HW metrics verification (fault injection)

DCLS = Dual-Core Lockstep, CCF = Common Cause Failure

ASIL Definition

Severity class
  S0  No injuries
  S1  Light and moderate injuries
  S2  Severe and life-threatening injuries (survival probable)
  S3  Life-threatening injuries (survival uncertain), fatal injuries

Exposure class
  E0  Incredible
  E1  Very low probability
  E2  Low probability
  E3  Medium probability
  E4  High probability

Controllability class
  C0  Controllable in general
  C1  Simply controllable
  C2  Normally controllable
  C3  Difficult to control or uncontrollable

ASIL from (S, E, C):

        S1              S2              S3
        E1  E2  E3  E4  E1  E2  E3  E4  E1  E2  E3  E4
  C1    QM  QM  QM  QM  QM  QM  QM  A   QM  QM  A   B
  C2    QM  QM  QM  A   QM  QM  A   B   QM  A   B   C
  C3    QM  QM  A   B   QM  A   B   C   A   B   C   D

QM = Quality Managed: the function is developed under normal quality management but is not a safety concern.

SEooC (Safety Element out of Context)

ISO 26262-10, 8.3.1: "... Microcontrollers are an integral component of modern automotive systems. They can be developed as a safety element out of context (SEooC)."
ISO 26262-10, 9.1: "... An SEooC is a safety-related element which is not developed for a specific item. This means it is not developed in the context of a particular vehicle."

Position of the SEooC (Part 10, 9.2.3, Assumptions and SEooC development):
- Assumptions on system level: safety requirements, system-level design
- Hardware (MCU) development against those assumptions
- Work products (report of safety goals)
- Integration of the SEooC into the item, where the assumptions must hold for that item

Fault Detection (Current Technology)

- Protection: memory (Mem1, Mem2, Mem3) stores the original data + ECC
- Redundancy: the same thread runs as copies (Thread 1-1, 1-2, 1-3) on Core1/Core2
- Perturbed redundancy: the copies (Thread 1, 2, 3) run on Core1/Core2 with a time offset between them

Physical isolation gives space diversity; delayed lockstep gives time diversity. Redundancy without such diversity may be weak against CCF (Common Cause Failure).

Redundancy Suppressing Failures

Purpose redundancy and perturbed redundancy are aimed at the following error sources:

  Type                  Cause                                    Effects                                     Lifetime
  EOS                   Electrical Over-Voltage/Current Stress   Hot spots                                   > 1 ms
  ESD                   Electro-Static Discharge                 Up to 1 A discharge current                 100 ps to 1 us
  Cosmic radiation      External environment (> 1 MeV)           ~100 fC charge localized in a few um        < 100 ps
  Intrinsic radiation   Alpha from package (~8 MeV)              Hole-electron pair generation in a few um   < 100 ps

* Re-analysis of Infineon's presentation

DCLS (1)

A Primary Core and a Checker Core execute the same instruction stream and a Compare unit checks their outputs against each other.
Physical isolation gives space diversity; delayed lockstep gives time diversity. DCLS alone may still be weak against CCF (Common Cause Failure): an input that is corrupted identically for both cores produces identical outputs and is not detected.
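The following is an added example, not ETRI's, Infineon's or Renesas' code: a cycle-level C model of delayed lockstep. The per-step datapath, the 2-clock delay and the three fault scenarios are constructed for illustration; the point is what the compare unit can see (a flip in one core, or a glitch hitting both cores in the same clock, which the delay turns into two different program steps) and what it cannot (the same step corrupted identically in both cores, the CCF case).

```c
#include <stdint.h>
#include <string.h>

/* Delayed dual-core lockstep (DCLS) model. Added example, not ETRI's,
 * Infineon's or Renesas' code. A master core and a checker core run the
 * same program; the checker is DELAY cycles behind and a compare unit
 * checks the master's result from DELAY cycles ago against the checker's
 * current result. The per-step datapath is a stand-in for a pipeline
 * stage; any state-carrying function would do. */

#define DELAY 2u
#define STEPS 16u

typedef struct { uint32_t acc; uint32_t pc; } core_t;

/* One step of the (hypothetical) core: the result depends on the previous
 * result, so a transient flip in one core stays visible afterwards. */
static void core_step(core_t *c, uint32_t fault_mask)
{
    c->acc = (c->acc * 1664525u + 1013904223u) ^ c->pc;
    c->acc ^= fault_mask;             /* SEU/SET hitting this core's datapath */
    c->pc += 4;
}

typedef struct {
    uint32_t master_fault[STEPS];     /* mask XORed into the master at step k */
    uint32_t checker_fault[STEPS];    /* mask XORed into the checker at step k */
} scenario_t;

typedef struct { int first_step; unsigned count; } dcls_result_t;

/* Runs STEPS master steps plus DELAY drain cycles; reports the first
 * program step the compare unit flagged and how many steps mismatched. */
static dcls_result_t dcls_run(const scenario_t *s)
{
    core_t master = {0, 0}, checker = {0, 0};
    uint32_t hist[DELAY] = {0};       /* master results awaiting comparison */
    dcls_result_t r = { -1, 0 };
    for (unsigned cycle = 0; cycle < STEPS + DELAY; cycle++) {
        if (cycle < STEPS)
            core_step(&master, s->master_fault[cycle]);
        if (cycle >= DELAY) {
            unsigned k = cycle - DELAY;            /* checker executes step k now */
            core_step(&checker, s->checker_fault[k]);
            if (hist[k % DELAY] != checker.acc) {  /* compare unit */
                if (r.first_step < 0) r.first_step = (int)k;
                r.count++;
            }
        }
        if (cycle < STEPS) hist[cycle % DELAY] = master.acc;
    }
    return r;
}

/* Single-event upset in one core only: detected at that step. */
static dcls_result_t dcls_single_seu(unsigned step, uint32_t mask)
{
    scenario_t s; memset(&s, 0, sizeof s);
    s.master_fault[step] = mask;
    return dcls_run(&s);
}

/* Glitch hitting both cores in the same clock: thanks to the delay the two
 * cores are at different program steps, so both errors reach the comparator. */
static dcls_result_t dcls_same_cycle_glitch(unsigned cycle, uint32_t mask)
{
    scenario_t s; memset(&s, 0, sizeof s);
    s.master_fault[cycle] = mask;
    s.checker_fault[cycle - DELAY] = mask;
    return dcls_run(&s);
}

/* Common-cause failure: the same step corrupted identically in both cores
 * (a bad word from a shared, unprotected flash, or a design bug). Lockstep
 * cannot see this; that is why flash/RAM carry ECC and why ISO 26262 asks
 * for a dependent-failure (CCF) analysis. */
static dcls_result_t dcls_common_cause(unsigned step, uint32_t mask)
{
    scenario_t s; memset(&s, 0, sizeof s);
    s.master_fault[step] = mask;
    s.checker_fault[step] = mask;
    return dcls_run(&s);
}
```

A real compare unit would reset or trap on the first mismatch; the model keeps counting so that the propagation of a single flip through dependent state is visible (every later step also mismatches).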

DCLS (2)

Variant with an inverted shadow core (AntiCore): the shadow core computes the inverse of the main core's outputs, and each output pair is combined through XOR (with DEC decoding) so that both cores failing to the same value (e.g. a common stuck-at or supply fault) is still detected. Reduced delay lines and physical separation between the two cores are kept.

DCLS in Action

Example of a DCLS MCU (Renesas V850E2M): a CPU Master and a CPU Checker run with a 2-clock delay and feed a Compare Unit. Around them the diagram shows a Safety Guardian, ECC on the Flash IF, RAM IF and RAM, Logic BIST on the cores and the peripherals, RAM BIST, an MPU (memory protection) per core, INT and PBUS IF, DMA, WDT, SPF, and clock monitors on the clock generator with a ring oscillator as an independent clock source beside the external clock input.

DCLS in Actions

Redundant threads in action: Thread 1a and Thread 1b are the redundant copies of Thread 1, scheduled around Thread 2.

* Excerpts from Infineon


Automotive AP Dev. Process in ETRI

Requirements in the development process:
- Appropriate development procedure
- Measurement for analysis (FMEA)
- Review by the required organization
- Documentation

ACCDEP (Automotive CPU Core Design Process in ETRI), stages in the flow chart:
- Design: Overall Architecture Design, Fault Tolerance Mechanism, Function Verification, Fault injection & analysis, Intermediate Review
- Implementation: Synthesis, P&R, Reliability Analysis, Final Design Tape-out, Fab.
- Qualification: Reliability Test / Packaging (AEC-Q100), Review & Final Document

Basic SoC Design Methodology

Requirements -> RTL Model -> Simulate (against a Test Bench) -> Synthesize -> Gate-level Model -> Simulate -> Place & Route -> Timing Model -> Simulate -> ASIC or FPGA

ACCDEP in V Model

Left side (inputs for ISO 26262 Part 5 and 6): Hazard and Risk Analysis -> ASIL safety goal -> Safety requirements from the customer -> Safety requirements (generic, architecture, assumptions) -> Specification of Safety Integrity Measures (SoC + SW)
Bottom (SW-SoC Design Group): ACCDEP
Right side (outputs for Part 5 and 6): Safety Analysis and Validation -> Safety Report (FMEA, Metrics) -> Item integration, Safety Validation & Assessment

Required Expertise in ACCDEP

- Involvement in and understanding of standardization
- Safety analysis experiments for automotive applications (LKAS, braking, airbag, ..)
- Cooperation with external institutes for safety assessment
- Automotive AP/MCU design technologies: SW-SoC technology, core development, DCLS, assertion, voting, ECC, ..
- FMEA methodology setup, fault injection & simulation

Faults and Errors in ACCDEP

Terms: a Fault is an abnormal condition that can cause a failure; an Error is a discrepancy between the computed and the correct state; a Failure is the termination of the ability to perform the required function.

Systematic error
- Error in the process -> Control & verification
- Bugs in SW -> Simulation, testing, static analysis
- Bugs in HW design -> Simulation, testing, formal verification

Random error
- Permanent chip failure -> Stress test (AEC-Q100)
- Transient error -> Fault-tolerance techniques

ETRI's Roadmap for Embedded Processors (timeline 2006 .. 2016)

Compact embedded DSPs (130nm):
- EMP-S: single-core DSP, 160 instructions, 180MOPS@130nm
- EMP-D: dual-core, multi-port SPM, 160 inst., 500MOPS@130nm
- MOSAIC: SPMD array processor (35Kgates, 3mW@130nm/core)
- Chips: Sound Effect SoC, Audio SoC, Touch Sensor, Touch Sensor2, Media SoC, Video Core, Multi-Core Video SoC (MOSAIC), DSP Core

APs for embedded systems (65nm):
- Aldebaran-S: 32-bit dual-core with MMU (TLB, cache), x2 1.6GOPS@800MHz (300Kgates, 99.8mW@65nm/core)
- Aldebaran-C: multi-channel video codec AP, x2 1.6GOPS@800MHz, HEVC (4K/8K video codec)

Next:
- Aldebaran-V: fault-tolerant vehicle AP, x4 4GOPS@1GHz, 0.1mW/MHz; reliability, performance, power; fault-tolerant CPU as SEooC in ISO 26262
- Aldebaran-R: many-core CPU (x32-x64 cores), AP for embedded products

Positioning

Chart: Power (mW) against Performance (DMIPS), vendor figures:
- Cortex-A8, x1, 1200 DMIPS, 300 mW, 600MHz@40nm
- Cortex-A9, x2, 4000 DMIPS, 500 mW, 1GHz@40nm
- Cortex-A15 (to come), x2, 8400 DMIPS, ~900 mW, 1.2GHz@28nm: too hot for mobile applications! (1.1 W)
- Aldebaran, x8, 18400 DMIPS, 150 mW@45nm

The simple "number of cores" war will come to an end; the power-efficiency war is the next round.

Aldebaran Development Platform

Architecture and Xilinx FPGA platform: LCD (1200x800) + FPGA board + base board

Aldebaran-S2 (Dual-Core)

Block diagram: two ALDEBARAN_CORE instances (ID 0, ID 1) with IROM and IRAM on the NIC (network interconnect), and the following blocks (pad group, pin count): DDR2 (pdd, 76), SCLKNET (p_osc, 4), SJTAG (pjt, 5), INTC, DMAC, TIMER/WDT, PMU (pjumper, 8), PWM (pwm, 4), FMC (pfm, 15), I2C (pic, 8), GPIO (pio, 10), UART (pua, 4), AC97 (pac, 5), SMC (psm, 37), USBHS (pus, 6), SDR (psd, 58), SDIO (psi, 12), VIDEO (plcd, 29). The slide also shows the Aldebaran layout.

Aldebaran Architecture

Interconnect: aldebaran_nic_7m8s, an AXI multi-layer bus (7 masters M0-M6, 8 slaves S0-S7) split into a left half (BL, bl_clk, ports LM0/LS0) and a right half (BR, br_clk, ports RM0/RS0), with AHB and APB bridges to the peripherals.
Masters: SNAKE_CORE ID 0 (core_clk) and SNAKE_CORE ID 1 (coreb_clk), DMA, VC (VIDEO, LCD, video_clk), Ethernet (802.3), CAM, USBOTG, SATA
Slaves: irom, iram, SDR (sdr_clk), DDR2 (pdd_sys_clk_p/n, pdd_clk_ref_p/n), SMC (SRAM I/F), NFC (NAND Flash), USBHS (USB Host, usb_clk), USB_Slave, SDIO0, SDIO1
APB peripherals: GPU, PCIe, HDMI, MFC, PMU, Timer, Video, WDT, FMC, RTC, NOR, PWM, INTC, UART0,1, DMA, AC97 (pac_bit_clk_pad_i), DDR2, I2C0,1, SMC, SJTAG (pjt_tck_in), USBHS, CAN0,1
Clock inputs: p_osc_clki and p_osc_clk48m; derived nets core_clk, coreb_clk, bl_clk, br_clk, sdr_clk, video_clk, usb_clk

Features of Aldebaran: Core

Dual-issue in-order superscalar with 32-bit I/D
- Target: 800MHz@65nm, 1.1V; 1GHz@45nm, 1.0V
- BTB: 2-way x 256-entry x 58-bit = 3.7Kbytes
- BP: 10-bit GHR, 256x16x2b = 1Kbyte
- I/D cache: 32Kbytes each, tag 2.12Kbytes, I$+D$ 68.25Kbytes
- TLB: separate iTLB/dTLB with 32 entries each; 65-bit PTE (Page Table Entry) per entry with selective FLUSH/PROBE
- Dual-rail decode and in-order scheduler with scoreboard
- Execution queue: queue holding decoded/scheduled blocks
- Run-time OS support for LP execution
- Superscalar execution unit: 2 integer units, 1 load/store unit, and an FPU for single/double operations
- Multi-port register file
- 800MHz, 2.63mm2@65nm

Clocks in Aldebaran

  Clock net                 Frequency                     Description
  osc_clki (ref_clk)        50MHz                         PLL reference clock
  SCLKNET/core_clk          500MHz~1GHz                   Core block
  SCLKNET/bl_clk            core_clk/2, 250MHz~500MHz     BL bus
  SCLKNET/br_clk            200MHz                        BR bus
  SCLKNET/sdr_clk           166MHz                        SDR clock
  SCLKNET/video_clk         80MHz                         VC clock
  osc_clk48m (usb_clk)      48MHz +/- 0.2%                USBHS clock
  pdd_sys, pdd_ref          200MHz                        SNAKEM_DDR2 (DDR2, 4 clocks)
  psd_clk_in                166MHz                        SDR feedback
  pjt_tck_in                10MHz                         SJTAG clock
  pac_bit_clk_pad_i         12.8MHz                       SNAKEM_AC97
  sdio internal clocks      ~50MHz (gated from br_clk)    SDIO

Features of Aldebaran: NoC-Left
- VC: Video Controller; EDMA for NoC off-loading; 1280x800 resolution, HDMI support
- DRAM controller: 256Mbytes DRAM; 166MHz SDR (166Mbps); 200MHz DDR2 (400Mbps)
- iROM: internal ROM; multiple bootstrap modes
- iRAM: internal RAM; 32Kbytes for complex bootstrapping

Features of Aldebaran: NoC-Right
- NFC: NAND Flash controller; 128M~32Gbytes NAND support; max 400Mbps; configurable for various NAND types
- USBHS: USB controller; USB (1.1) host controller
- SDC: SD controller; SD card (1/4-bit mode)/SDIO/SPI
- SMC: SRAM I/F controller; configurable SRAM interface; interface for LAN9220
- INTC: 32-source PIC
- Timer/WDT: periodic/one-shot/watchdog, 4 sets
- CAN: 2-wire CAN for OBD-II, 2 sets
- PWM: Pulse-Width Modulation; configurable waveforms; LCD backlight, dimming
- UART: 16550 UART; 38400/115200 baud
- AC97: audio; AC97 codec interface; volume management
- I2C: Inter-IC control; 7-bit/10-bit address; I2C master/slave composite; LCD touch interface
- SJTAG: JTAG interface; PC-core communication; core debugging, program download; on-chip flash burning

Core Architecture

13 pipeline stages. Blocks in the pipeline diagram, grouped by the legend:
- Front end: VA, BTB, BP, FS, I$ with iTLB, IQ
- Decode: D0U/D1U (upper decode), D0D/D1D (down decode)
- Issue: S (scheduler), SB (scoreboard), EQ
- Execute: EP, IU0, IU2, LS (D$ with dTLB), FPU, EE
- RF; the MMUC (MMU controller) serves the TLB

Legend
  VA    : Virtual Address
  BTB   : Branch Target Buffer
  BP    : Branch Predictor
  FS    : Fetch Scheduler
  IQ    : Instruction Queue
  DU    : Upper Decode
  DD    : Down Decode
  S     : Scheduler
  SB    : Scoreboard
  EQ    : Execution Queue
  RF    : Register File
  IU    : Integer Unit
  LS    : Load/Store Unit
  EP/EE : Execute Prolog/Epilog

Related patents and papers:
- US 12/832313, Local stack storage for processors
- US 7958321, Apparatus and method for reducing memory access conflicts among processors
- MICPRO 2010, Partial access conflict-relieving programmable address shuffler for parallel memory system in multi-core processor

Core Internals

SNAKE_CORE block view: SNAKE_RESET, I cache, SNAKE_C (decoder), Scheduler, TLB, D cache, AXIF (AXI interface), BTB & BP, FS, FQUEUE, REGFILE, EQ & EP, and the execution stages e0 (with Trap) and e1-e3. Block size in the figure is independent of the actual gate count.

Aldebaran Instructions (SPARC V8-style mnemonics)

Load-Store: LDSB LDSH LDUB LDUH LD LDD LDF LDDF LDFSR LDC LDDC LDCSR STB STH ST STD STF STDF STFSR STDFQ STC STDC STCSR STDCQ LDSTUB SWAP SETHI NOP; alternate-space forms LDSBA LDSHA LDUBA LDUHA LDA LDDA STBA STHA STA STDA LDSTUBA SWAPA
Arithmetic/Logical/Shift: AND ANDcc ANDN ANDNcc OR ORcc ORN ORNcc XOR XORcc XORN XORNcc SLL SRL SRA ADD ADDcc ADDX ADDXcc TADDcc TADDccTV SUB SUBcc SUBX SUBXcc TSUBcc TSUBccTV MULScc UMUL UMULcc SMUL SMULcc UDIV UDIVcc SDIV SDIVcc
Flow control: SAVE RESTORE Bicc FBfcc CBccc CALL JMPL RETT Ticc
Sync: CAS CASA STBAR UNIMP FLUSH
Register move (state registers): RDASR RDY RDPSR RDWIM RDTBR WRASR WRY WRPSR WRWIM WRTBR
Floating-point: FiTO(s,d,q) F(s,d,q)TOi FsTOd FsTOq FdTOs FdTOq FqTOs FqTOd FMOVs FNEGs FABSs FSQRT(s,d,q) FADD(s,d,q) FSUB(s,d,q) FMUL(s,d,q) FDIV(s,d,q) FsMULd FdMULq FCMP(s,d,q) FCMPE(s,d,q)
Coprocessor: Cpop
Vector: VLD VST VADD VSUB VMUL VSUM VABS VAND VOR VSHF VSQR

I Cache: VIPT

4-way, 256 sets of 32-byte blocks (data size = 2^8 x 32 bytes x 4 = 32 Kbytes; tag size = 2^8 x 19 b x 4).
- Virtual address split: tag[31:13], index[12:5], offset[4:2] (word select); the TLB delivers PA[35:12] for the tag compare while PA[11:2] passes through unchanged.
- The set is selected by the virtual index in parallel with the TLB lookup, and the tag compare is physical (Virtually Indexed, Physically Tagged). The 4-way block select muxes the hit way onto Inst[31:0]; otherwise Miss.

Related: US patent, Apparatus for saving energy of a cache using scratch pad memory; JCSC 2010, Application-adaptive reconfiguration of memory address shuffler

D Cache: PIPT

4-way, 256 sets of 32-byte blocks (data size = 2^8 x 32 bytes x 4; tag size = 2^8 x 19 b x 4).
- VA[31:12] goes through the TLB first; the resulting PA[35:2] is split into tag[35:13], index[12:5], offset[4:2], so both index and tag are physical (Physically Indexed, Physically Tagged).
- On a hit the selected block drives Data[31:0]; a Write Buffer sits on the miss path.
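The two cache slides differ in one security-relevant detail that is easy to miss: with 32 KB 4-way and 32-byte lines, each way is 8 KB, so the virtual index bit VA[12] lies above a 4 KB page offset and is not fixed by the physical address. The added C model below (not ETRI's RTL; the 4 KB page size is assumed from the 12-bit offset on the page-table slide) shows the consequence: in the VIPT I$ one physical code line can be cached twice under two virtual aliases, which is why the kernel must flush the I$ by physical page after writing code through any mapping, while the PIPT D$ has no such synonym.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Set/tag decomposition for the Aldebaran L1 caches as drawn on the two
 * cache slides: 32 KB, 4-way, 32-byte lines, so 256 sets, index = [12:5],
 * word offset = [4:2].  The I$ is VIPT (set from the virtual address, tag
 * from the 36-bit physical address the TLB returns); the D$ is PIPT.
 * Added example, not ETRI's RTL.  Assumption: 4 KB pages, taken from the
 * 12-bit page offset on the page-table slide. */

#define NUM_SETS    256u
#define WAYS        4u
#define INDEX_SHIFT 5u
#define INDEX_BITS  8u
#define PAGE_SHIFT  12u
#define TAG_SHIFT   13u

static uint32_t set_index(uint64_t addr)
{ return (uint32_t)((addr >> INDEX_SHIFT) & ((1u << INDEX_BITS) - 1u)); }

/* Index bits above the page offset: log2(way size) - log2(page size).
 * Here log2(8 KB) - log2(4 KB) = 1: VA[12] is not fixed by the PA. */
static unsigned vipt_alias_bits(void)
{
    unsigned way_log2 = INDEX_SHIFT + INDEX_BITS;
    return way_log2 > PAGE_SHIFT ? way_log2 - PAGE_SHIFT : 0;
}

typedef struct { bool valid; uint64_t tag; } line_t;
typedef struct { line_t way[WAYS]; unsigned next; } set_t;
typedef struct { set_t sets[NUM_SETS]; unsigned hits, misses; } cache_t;

static void cache_init(cache_t *c) { memset(c, 0, sizeof *c); }

/* Tag lookup in one set; on a miss the line is allocated round-robin. */
static bool cache_access(cache_t *c, uint32_t set, uint64_t tag)
{
    set_t *s = &c->sets[set];
    for (unsigned w = 0; w < WAYS; w++)
        if (s->way[w].valid && s->way[w].tag == tag) { c->hits++; return true; }
    c->misses++;
    s->way[s->next].valid = true;
    s->way[s->next].tag = tag;
    s->next = (s->next + 1) % WAYS;
    return false;
}

/* VIPT I$: the stored tag has to include the physical bit that overlaps
 * the virtual index (PA[12]), i.e. the PA[35:12] the TLB delivers. */
static bool icache_access(cache_t *c, uint32_t va, uint64_t pa)
{ return cache_access(c, set_index(va), pa >> PAGE_SHIFT); }

/* PIPT D$: index and tag both come from the physical address. */
static bool dcache_access(cache_t *c, uint64_t pa)
{ return cache_access(c, set_index(pa), pa >> TAG_SHIFT); }

/* Sets holding a line of the physical page of pa (I$ tags), optionally invalidating them:
 * this is what an I-cache flush by physical page must do after code was
 * written through one alias, whichever set the copies landed in. */
static unsigned icache_scan_page(cache_t *c, uint64_t pa, bool invalidate)
{
    uint64_t tag = pa >> PAGE_SHIFT;
    unsigned n = 0;
    for (unsigned i = 0; i < NUM_SETS; i++)
        for (unsigned w = 0; w < WAYS; w++)
            if (c->sets[i].way[w].valid && c->sets[i].way[w].tag == tag) {
                n++;
                if (invalidate) c->sets[i].way[w].valid = false;
            }
    return n;
}

/* Constructed scenario: one line of a physical code page (36-bit PA
 * 0xA0010040) mapped at two virtual addresses that differ only in VA[12]. */
typedef struct { unsigned copies, flushed, remaining; } synonym_demo_t;
static synonym_demo_t vipt_synonym_demo(void)
{
    cache_t ic; cache_init(&ic);
    const uint64_t pa = 0x0A0010040ull;
    synonym_demo_t d;
    icache_access(&ic, 0x40000040u, pa);            /* VA[12]=0 -> set 2 */
    icache_access(&ic, 0x40001040u, pa);            /* VA[12]=1 -> set 130, same line */
    d.copies = icache_scan_page(&ic, pa, false);    /* 2: a synonym */
    d.flushed = icache_scan_page(&ic, pa, true);    /* 2 */
    d.remaining = icache_scan_page(&ic, pa, false); /* 0 */
    return d;
}

/* Same line accessed twice through the PIPT D$: second access hits. */
static unsigned pipt_repeat_hits(void)
{
    cache_t dc; cache_init(&dc);
    const uint64_t pa = 0x0A0010040ull;
    dcache_access(&dc, pa);
    dcache_access(&dc, pa);
    return dc.hits;
}
```

The practical check for a Linux port on such a core: any path that writes instructions (module loading, JIT, self-modifying code, copy-on-write of a text page) must end with an I$ flush keyed by the physical page, not just by the virtual address it wrote through.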

Branch Prediction: Gshare

Gshare is a derivative of GAp: the GHR (Global History Register) is XORed with PC bits to index the PHT (Pattern History Table) of 2-bit counters, which reduces aliasing between branches that share the same PC bits (the sketch uses GHR[4:0] ^ PC[4:0], with GHR[9:2] as the history slice). The hit-ratio plot compares a 256-entry PHT with a 32-entry one.
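Added example (not the Aldebaran RTL): a C model of the gshare scheme on the slide, sized down to 8 history bits and 256 PHT entries, with a switch to fall back to plain PC indexing so the aliasing effect can be measured. The slide gives only the hash GHR ^ PC, the 2-bit counters and the table sizes; the starting PC slice at bit 2 (word-aligned instructions), the initial counter value and the branch patterns are assumptions constructed for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* gshare predictor as sketched on the slide: the global history register
 * (GHR) is XORed with PC bits to index a pattern history table (PHT) of
 * 2-bit saturating counters.  Sized to 8 history bits / 256 entries.
 * Added example, not the Aldebaran RTL; everything beyond GHR ^ PC,
 * 2-bit counters and the table size is assumed. */

#define HIST_BITS 8u
#define PHT_SIZE  (1u << HIST_BITS)

typedef struct {
    uint8_t  pht[PHT_SIZE];   /* 0,1 predict not-taken; 2,3 predict taken */
    uint32_t ghr;             /* last HIST_BITS outcomes, newest in bit 0 */
    bool     use_history;     /* false = plain PC-indexed (bimodal) table */
} predictor_t;

static void predictor_init(predictor_t *p, bool use_history)
{
    memset(p, 0, sizeof *p);
    for (unsigned i = 0; i < PHT_SIZE; i++) p->pht[i] = 1;  /* weakly not-taken */
    p->use_history = use_history;
}

/* PC[2] is the lowest bit that differs between word-aligned instructions,
 * so the PC slice starts there. */
static uint32_t pht_index(const predictor_t *p, uint32_t pc)
{
    uint32_t idx = pc >> 2;
    if (p->use_history) idx ^= p->ghr;
    return idx & (PHT_SIZE - 1u);
}

static bool predict(const predictor_t *p, uint32_t pc)
{ return p->pht[pht_index(p, pc)] >= 2; }

static void train(predictor_t *p, uint32_t pc, bool taken)
{
    uint32_t i = pht_index(p, pc);       /* same index the prediction used */
    if (taken && p->pht[i] < 3) p->pht[i]++;
    if (!taken && p->pht[i] > 0) p->pht[i]--;
    p->ghr = ((p->ghr << 1) | (taken ? 1u : 0u)) & (PHT_SIZE - 1u);
}

/* Predict, then train; returns whether the prediction was right. */
static bool step(predictor_t *p, uint32_t pc, bool taken)
{
    bool hit = predict(p, pc) == taken;
    train(p, pc, taken);
    return hit;
}

/* Constructed aliasing case: two branches whose PCs differ only above the
 * indexed bits (0x1000 and 0x1000 + 4*PHT_SIZE), so they share one PHT
 * entry under PC-only indexing.  B1 is always taken, B2 never, and they
 * alternate.  Returns correct predictions over 'measure' pairs after
 * 'warm' warm-up pairs. */
static unsigned alternating_branches(bool use_history, unsigned warm, unsigned measure)
{
    predictor_t p; predictor_init(&p, use_history);
    const uint32_t b1 = 0x1000u, b2 = 0x1000u + 4u * PHT_SIZE;
    unsigned correct = 0;
    for (unsigned i = 0; i < warm + measure; i++) {
        bool h1 = step(&p, b1, true);
        bool h2 = step(&p, b2, false);
        if (i >= warm) correct += (unsigned)h1 + (unsigned)h2;
    }
    return correct;
}

/* A loop branch with the pattern T,T,T,N: the history separates the four
 * positions of the pattern, which a single PC-indexed counter cannot. */
static unsigned loop_branch(bool use_history, unsigned warm, unsigned measure)
{
    predictor_t p; predictor_init(&p, use_history);
    unsigned correct = 0;
    for (unsigned i = 0; i < warm + measure; i++) {
        bool taken = (i % 4) != 3;
        if (step(&p, 0x2000u, taken) && i >= warm) correct++;
    }
    return correct;
}
```

With PC-only indexing the two aliasing branches thrash one counter and every prediction is wrong; with the history XORed in, B1 settles on entry 0xAA and B2 on 0x55 and both are predicted correctly. For the T,T,T,N loop the PC-only counter mispredicts the exit every fourth iteration (3 of 4 right), gshare gets all four positions right once trained.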

Instruction Queue & Bandwidth

A fetched cache line (inst0 .. inst7) fills the instruction queue as groups (inst. g0 .. g7); fast branch detection works on the queue, and a dual instruction selector feeds the two decode paths decode_u and decode_d.

Scheduler & Fire-and-go

The scheduler issues into execution stages e0 .. e3 per unit: int0_e0/e1/e2, int1_e0/e1, ldst_e0/e1/e2/e3, fp_e0/e1. Flow control and hazard resolution are handled at e1/e2; once issued, an instruction proceeds fire-and-go.

Page Table and TLB

TLB: VA -> PA translation with separate iTLB and dTLB (entry 0 .. entry 31 each), VA tags with context (ctx), Flush (partial/full) and Probe operations. MMU registers: c_ctx (context), r_ctpr (context table pointer, 12 b), r_fsr (fault status), r_far (fault address).

Three-level page table walk over the 32-bit VA:
  VA[31:24]  Index1 -> L1 PTD/E (256 entries)
  VA[23:18]  Index2 -> L2 PTD/E (64 entries)
  VA[17:12]  Index3 -> L3 PTD/E (64 entries)
  VA[11:0]   Offset
The context table pointer (r_ctpr) selects the L1 page table descriptor (L1 pPTD) of the current context.

PTE layout (32 bits): PPN[31:8] | C | M | R | ACC | ET, yielding a 36-bit physical address (24-bit PPN + 12-bit offset).
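Added example (not ETRI's RTL or Linux port code): a C walker for the three-level table on the slide, with the access check that decides whether the AP's supervisor/user split holds. The VA split and PTE layout are the slide's; the ET and ACC encodings are those of the SPARC V8 reference MMU, which this layout matches, and that is an assumption rather than something the slide states. The physical memory, tables and mappings are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Three-level page-table walk following the slide's VA split (Index1 =
 * VA[31:24], 256 entries; Index2 = VA[23:18], 64; Index3 = VA[17:12], 64;
 * 12-bit offset) and PTE layout (PPN[31:8] | C | M | R | ACC[4:2] | ET[1:0]),
 * giving a 36-bit physical address.  ET/ACC encodings are assumed to be
 * those of the SPARC V8 reference MMU.  Added example, not ETRI's code. */

#define PHYS_BYTES 0x4000u                  /* 16 KB simulated physical memory */
static uint32_t phys[PHYS_BYTES / 4];

enum { ET_INVALID = 0, ET_PTD = 1, ET_PTE = 2 };
enum { ACC_R = 1, ACC_W = 2, ACC_X = 4 };
typedef enum { MMU_OK, MMU_INVALID, MMU_PROTECTION, MMU_BUS } mmu_status_t;
typedef struct { mmu_status_t status; uint64_t pa; unsigned level; } xlate_t;

/* allowed[acc][supervisor]: rights granted by the 3-bit ACC field */
static const uint8_t allowed[8][2] = {
    { ACC_R,             ACC_R             },
    { ACC_R|ACC_W,       ACC_R|ACC_W       },
    { ACC_R|ACC_X,       ACC_R|ACC_X       },
    { ACC_R|ACC_W|ACC_X, ACC_R|ACC_W|ACC_X },
    { ACC_X,             ACC_X             },
    { ACC_R,             ACC_R|ACC_W       },
    { 0,                 ACC_R|ACC_X       },   /* supervisor-only code */
    { 0,                 ACC_R|ACC_W|ACC_X },   /* supervisor-only data */
};

static uint32_t make_ptd(uint64_t table_pa)   /* table pointer, 16-byte aligned */
{ return (uint32_t)((table_pa >> 4) << 2) | ET_PTD; }

static uint32_t make_pte(uint64_t page_pa, unsigned acc, bool cacheable)
{ return (uint32_t)((page_pa >> 12) << 8) | (cacheable ? 0x80u : 0u) | (acc << 2) | ET_PTE; }

static uint32_t read_entry(uint64_t pa) { return phys[pa / 4]; }

/* Walk from the context table (ctx_table_pa = r_ctpr << 4 in hardware).
 * A PTE may end the walk at any level: level 1 = 16 MB region, level 2 =
 * 256 KB, level 3 = 4 KB page.  Sets R (and M on write) in the PTE. */
static xlate_t mmu_translate(uint64_t ctx_table_pa, unsigned ctx, uint32_t va,
                             unsigned want, bool supervisor)
{
    static const unsigned shift[3] = { 24, 18, 12 };
    static const unsigned mask[3]  = { 0xFF, 0x3F, 0x3F };
    static const unsigned page_shift[4] = { 32, 24, 18, 12 };
    xlate_t r = { MMU_BUS, 0, 0 };
    uint64_t entry_pa = ctx_table_pa + 4ull * ctx;
    uint32_t e = 0;
    unsigned level;
    for (level = 0; ; level++) {
        if (entry_pa + 4 > PHYS_BYTES) return r;          /* walk left memory */
        e = read_entry(entry_pa);
        if ((e & 3u) == ET_PTE) break;
        if ((e & 3u) != ET_PTD || level == 3) { r.status = MMU_INVALID; r.level = level; return r; }
        uint64_t table_pa = (uint64_t)(e >> 2) << 4;
        entry_pa = table_pa + 4ull * ((va >> shift[level]) & mask[level]);
    }
    r.level = level;
    unsigned acc = (e >> 2) & 7u;
    if ((allowed[acc][supervisor ? 1 : 0] & want) != want) { r.status = MMU_PROTECTION; return r; }
    uint64_t low = (1ull << page_shift[level]) - 1ull;
    r.pa = (((uint64_t)(e >> 8) << 12) & ~low) | (va & low);
    phys[entry_pa / 4] = e | 0x20u | ((want & ACC_W) ? 0x40u : 0u);  /* R, M */
    r.status = MMU_OK;
    return r;
}

/* Constructed tables: context 1 -> L1 at 0x1000 -> L2 at 0x1400 -> L3 at
 * 0x1500; VA 0x40000000 = user R+X code (PA 0x2000), VA 0x40001000 = user
 * R+W data (PA 0x3000), VA 0x40002000 = the code page again, supervisor-only. */
static void build_tables(void)
{
    memset(phys, 0, sizeof phys);
    phys[(0x0000 + 4 * 1) / 4]    = make_ptd(0x1000);
    phys[(0x1000 + 4 * 0x40) / 4] = make_ptd(0x1400);    /* Index1 of 0x40xxxxxx */
    phys[(0x1400 + 4 * 0) / 4]    = make_ptd(0x1500);
    phys[(0x1500 + 4 * 0) / 4]    = make_pte(0x2000, 2, true);
    phys[(0x1500 + 4 * 1) / 4]    = make_pte(0x3000, 1, true);
    phys[(0x1500 + 4 * 2) / 4]    = make_pte(0x2000, 6, true);
}

static xlate_t demo_translate(unsigned ctx, uint32_t va, unsigned want, bool supervisor)
{ build_tables(); return mmu_translate(0, ctx, va, want, supervisor); }

/* R (bit 5) and M (bit 6) of the data page's L3 entry after a user write */
static unsigned demo_flags_after_write(void)
{
    build_tables();
    mmu_translate(0, 1, 0x40001010u, ACC_W, false);
    return (read_entry(0x1504) >> 5) & 3u;               /* bit0 = R, bit1 = M */
}
```

The checks a practitioner wants are in the two failure paths: a write to the R+X code page and a user read of the supervisor-only mapping both come back MMU_PROTECTION (the fault that would be delivered as data_access_exception / instruction_access_exception), an unmapped VA or an unused context returns MMU_INVALID, and a context index that walks off the table ends in MMU_BUS instead of reading whatever lies beyond it.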

Traps

  Trap name                       #tt
  reset                           (no tt)
  data_store_error                0x2b
  instruction_access_error        0x21
  instruction_access_exception    0x01
  privileged_instruction          0x03
  illegal_instruction             0x02
  fp_disabled                     0x04
  cp_disabled                     0x24
  window_overflow                 0x05
  window_underflow                0x06
  mem_address_not_aligned         0x07
  fp_exception                    0x08
  cp_exception                    0x28
  data_access_error               0x29
  data_access_exception           0x09
  tag_overflow                    0x0a
  division_by_zero                0x2a
  trap_instructions               0x80~0xff
  interrupt_level_15 .. interrupt_level_01   0x1f .. 0x11 (one tt per level)

The #tt column of the slide also lists 0x3c, whose name did not survive extraction; in the SPARC V8 trap table, which these values follow, 0x3c is instruction_access_MMU_miss.

Aldebaran SW Ecosystem

- IDE w/ GCC, C/C++ compiler + libraries: gcc, g++, cpp, gcj, as, ld, ar, gcov, gprof, objcopy, objdump, readelf, crt1.o, libc, libpthread, libm, librt, libstdc++
- Linux: Linux kernel (3.3) with media drivers, flash driver and frame buffer; bootloader; applications, graphics library (OpenGL, OpenCL), web
- OCD: small server SW that communicates with the JTAG-based On-Chip Debugger implemented in the chip
- IDE: integrated development environment GUI with compiler, assembler, debugger
- Debugger: client software for C/C++ source-level debugging
- Monitor: probing and control of the core through JTAG
- Emulator: modeling of core, TLB, MMU (MMU mgt.), and the main memory
- Verification apps: core verification and performance measurement for Aldebaran, such as SPEC CPU, CoreMark, etc.

Verification Basics

Application (C/C++) -> Compiler/Linker -> ELF (executable) -> Objcopy -> Image (.text, .data, .bss, ..), loaded into both the emulator (Snakemu) and the Aldebaran core RTL simulation.
The RTL simulator is driven through a DirectPort Interface; the emulator's CoreState Buffer is shared over an IPC channel on the host machine (shmget(), shmat()), so that emulator and RTL can be compared cycle by cycle.

Energy Management

The PMU controls the PLLs and the PMIC (voltage regulation control). Clock domains: core_clk (Core 0), coreb_clk (Core 1), bl_clk (NoC-Left, core_clk/2), br_clk (NoC-Right), sdr_clk (DRAM), vc_clk (VC), usb_clk (USB), ac97_bit_clk (AC97); the IO pads have their own IO power.
Voltage domains: core0 0.8~1.1V; core1 0.0V (off) or 0.75~1.1V.

Area and Power

  CORE     2.63mm2@65nm   980K gates   Max 99.8mW@800MHz (PT-PX simulation)
  Core_C   0.87mm2@65nm   300K gates
  I$       0.88mm2@65nm   305K gates
  D$       0.88mm2@65nm   305K gates

Comparison (mW/MHz): Aldebaran Core 0.125; MIPS 1074Kf 0.36; ARM Cortex-A9 0.625
* Excerpted from MIPS' and ARM's websites
* Power efficiency depends on synthesis constraints

Fault Analysis in ACCDEP

Architecture: the core blocks (VA, BTB, BP, FS, IQ, S, SB, D0U/D1U, D0D/D1D, EQ, EP/EE, IU0, IU2, FPU, LS, TLB with iTLB/dTLB and MMUC, RF, I$, D$) are modeled block by block (mBTB, mBP, mFS, mDE, ..) with observation points O1, O2, O3.

Fault simulation SW: a stimulus vector drives the module without error and the module with error injection side by side; error generation and injection are done through VPI, and the observed outputs feed the fault rate extraction.

Fault rate extraction: P(o_i) expressed through P_m(m, o_i) and P_m(i_j, o_i), summed over j (the formula is only partially legible on the slide).

Aldebaran-V (Concept)

Micro-flushing for fault detection and recovery
- detection: spatial, time, logical diversity
- tolerance: 2oo3 voting
- recovery: micro-flushing on failure detection

Pipeline redundancy: three copies of the pipeline (VA, F0-F3, D0, D1, EQ, E0-E3, R./Mem) execute the same stream, two of them with a 2-cycle delay; on a voting mismatch ("Failure detected") a Micro-Reset flushes the pipeline. The internal pipeline architecture is that of the Aldebaran core (IU0/IU2, D0U/D1U, D0D/D1D, BTB, BP, FS, IQ, EQ, EP/EE, FPU, LS, SB, TLB with iTLB/dTLB and MMUC, RF).

Aldebaran-V (Register-based Micro-flushing)

Pre-Core 0 and Pre-Core 1 run ahead of the actual Core through the same pipeline (VA, F0-F3, D0, D1, EQ, E0-E3). Each pre-core keeps a Register File Update History for 2 cycles (r0 .. r31 with r0-ecc .. r31-ecc); the actual core's register file (r0 .. r31, r0-ecc .. r31-ecc) is written through TMR (triple modular redundancy) voting. When a failure is detected, a Micro-Reset rewinds using the 2-cycle history.
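Added example (not ETRI's code): the r0-ecc .. r31-ecc columns imply an error-correcting code per register, and the slide does not say which one. The C block below implements the usual choice for 32-bit words, a Hamming(39,32) SEC-DED code, wrapped in a small register file with a fault-injection hook. The distinction it demonstrates is the one that matters for a safety core: a single flip is corrected silently, a double flip is reported as uncorrectable rather than "corrected" into a wrong value that the voter would then trust.

```c
#include <stdint.h>
#include <stdbool.h>

/* SEC-DED (single-error-correct, double-error-detect) code for one 32-bit
 * register, modelling the r0..r31 / r0-ecc..r31-ecc pairs on the slide.
 * 39-bit codeword: position 0 holds the overall parity, positions
 * 1,2,4,8,16,32 the Hamming check bits, the other 32 positions the data.
 * Added example; a Hamming(39,32) layout is assumed, the slide does not
 * state which code ETRI uses. */

#define CODE_BITS 39u

typedef enum { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 } ecc_status_t;
typedef struct { uint32_t data; ecc_status_t status; unsigned pos; } ecc_result_t;

static bool is_check_pos(unsigned p) { return p != 0 && (p & (p - 1)) == 0; }

static unsigned parity64(uint64_t x)
{
    x ^= x >> 32; x ^= x >> 16; x ^= x >> 8; x ^= x >> 4; x ^= x >> 2; x ^= x >> 1;
    return (unsigned)(x & 1u);
}

static uint64_t ecc_encode(uint32_t data)
{
    uint64_t cw = 0;
    unsigned d = 0;
    for (unsigned p = 3; p < CODE_BITS; p++) {          /* scatter data bits */
        if (is_check_pos(p)) continue;
        if ((data >> d) & 1u) cw |= 1ull << p;
        d++;
    }
    for (unsigned c = 1; c < CODE_BITS; c <<= 1) {      /* check bit c covers positions with bit c set */
        uint64_t covered = 0;
        for (unsigned p = 1; p < CODE_BITS; p++)
            if (p & c) covered |= cw & (1ull << p);
        if (parity64(covered)) cw |= 1ull << c;
    }
    if (parity64(cw)) cw |= 1ull;                       /* overall parity, position 0 */
    return cw;
}

/* Syndrome = XOR of the positions of all set bits.  A single flip at
 * position q gives syndrome q with odd overall parity; two flips give a
 * non-zero syndrome with even overall parity, which is reported rather
 * than "corrected" into a wrong register value. */
static ecc_result_t ecc_decode(uint64_t cw)
{
    ecc_result_t r = { 0, ECC_OK, 0 };
    unsigned syndrome = 0;
    for (unsigned p = 1; p < CODE_BITS; p++)
        if ((cw >> p) & 1ull) syndrome ^= p;
    unsigned overall = parity64(cw & ((1ull << CODE_BITS) - 1ull));
    if (overall) {                                      /* odd flips: treat as one */
        cw ^= 1ull << syndrome;                         /* syndrome 0 = the parity bit itself */
        r.status = ECC_CORRECTED; r.pos = syndrome;
    } else if (syndrome) {
        r.status = ECC_UNCORRECTABLE;
        return r;
    }
    unsigned d = 0;
    for (unsigned p = 3; p < CODE_BITS; p++) {
        if (is_check_pos(p)) continue;
        if ((cw >> p) & 1ull) r.data |= 1u << d;
        d++;
    }
    return r;
}

/* Register file with one codeword per register; rf_inject models an SEU. */
typedef struct { uint64_t r[32]; } ecc_regfile_t;
static void rf_write(ecc_regfile_t *rf, unsigned idx, uint32_t v) { rf->r[idx & 31] = ecc_encode(v); }
static ecc_result_t rf_read(const ecc_regfile_t *rf, unsigned idx) { return ecc_decode(rf->r[idx & 31]); }
static void rf_inject(ecc_regfile_t *rf, unsigned idx, unsigned pos) { rf->r[idx & 31] ^= 1ull << pos; }

/* Constructed scenario: write r5, flip the given codeword positions
 * (-1 = no flip), read back. */
static ecc_result_t rf_scenario(uint32_t value, int flip_a, int flip_b)
{
    ecc_regfile_t rf = { {0} };
    rf_write(&rf, 5, value);
    if (flip_a >= 0) rf_inject(&rf, 5, (unsigned)flip_a);
    if (flip_b >= 0) rf_inject(&rf, 5, (unsigned)flip_b);
    return rf_read(&rf, 5);
}
```

In the micro-flushing design the ECC_UNCORRECTABLE outcome is the case that must escalate to a rewind from the 2-cycle history or to the 2oo3 vote across the pre-cores; silently returning the data would defeat the point of keeping the history.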

Kernel-AP Interaction in Aldebaran-V

AP side: normal operation continues as long as the 2oo3 vote matches; on a mismatch the fault is detected, the pipeline rewinds (micro-flushing), and the AP records an AP-driven fault history.
Kernel side (Linux): the timer ISR reads the fault history into a kernel Fault Table keyed by Thread ID, with the faulting PC and the Interval between faults, and does a backup for the faulty process.
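Added example (not ETRI's RTL or kernel code): a C model of the loop on this slide, tying together the 2oo3 vote, the 2-cycle register-file update history and the kernel's fault table. The instruction set, the register count, the fault schedule and the policy "a thread that faults twice within BACKUP_INTERVAL cycles gets a backup request" are assumptions constructed for the demonstration; what the model shows is the recovery path (one dissenting copy is masked, rewound and replayed with the right final state), the bookkeeping the kernel sees (thread ID, PC, interval), and the case the vote cannot handle (two copies wrong in the same cycle, no majority).

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* 2oo3 voting, micro-flushing rewind and the kernel fault table as a
 * cycle-level model of the slide's flow.  Three copies of a tiny datapath
 * execute each instruction; the vote commits the majority result, a
 * dissenting copy is a detected fault, the last two commits (the 2-cycle
 * register-file update history) are rewound and replayed.  Added example,
 * not ETRI's code; ISA, register count and backup policy are assumptions. */

typedef enum { OP_ADDI, OP_XORI, OP_HALT } op_t;
typedef struct { op_t op; unsigned rd, rs; uint32_t imm; } insn_t;
typedef struct { uint32_t regs[8]; uint32_t pc; } arch_state_t;
typedef struct { uint32_t pc; unsigned rd; uint32_t old_value; } commit_t;
typedef struct { unsigned tid; uint32_t pc; unsigned cycle; unsigned dissenter; } fault_t;

#define MAX_FAULTS 16u
#define HIST_DEPTH 2u

typedef struct {
    arch_state_t st;
    commit_t hist[HIST_DEPTH];      /* register-file update history, oldest first */
    unsigned hist_n;
    fault_t faults[MAX_FAULTS];     /* AP-driven fault history */
    unsigned nfaults, cycles, rewinds;
} core_v_t;

static uint32_t exec_copy(const arch_state_t *s, const insn_t *in, uint32_t fault_mask)
{
    uint32_t v = (in->op == OP_ADDI) ? s->regs[in->rs] + in->imm : s->regs[in->rs] ^ in->imm;
    return v ^ fault_mask;          /* transient flip in this copy's datapath */
}

/* false when no two copies agree; *dissenter = disagreeing copy, 3 = all match */
static bool vote2oo3(uint32_t a, uint32_t b, uint32_t c, uint32_t *out, unsigned *dissenter)
{
    if (a == b) { *out = a; *dissenter = (c == a) ? 3 : 2; return true; }
    if (a == c) { *out = a; *dissenter = 1; return true; }
    if (b == c) { *out = b; *dissenter = 0; return true; }
    return false;
}

/* Micro-flush: undo the commits in the history and restart from the oldest. */
static void micro_flush(core_v_t *c)
{
    while (c->hist_n > 0) {
        commit_t *h = &c->hist[--c->hist_n];
        c->st.regs[h->rd] = h->old_value;
        c->st.pc = h->pc;
    }
    c->rewinds++;
}

/* faults[cycle][copy]: mask injected into that copy in that cycle. Returns -1 on no majority. */
static int run_program(core_v_t *c, unsigned tid, const insn_t *prog,
                       uint32_t (*faults)[3], unsigned nfault_cycles)
{
    for (;;) {
        const insn_t *in = &prog[c->st.pc / 4];
        if (in->op == OP_HALT) return 0;
        uint32_t m[3] = {0, 0, 0};
        if (c->cycles < nfault_cycles) memcpy(m, faults[c->cycles], sizeof m);
        uint32_t r0 = exec_copy(&c->st, in, m[0]), r1 = exec_copy(&c->st, in, m[1]);
        uint32_t r2 = exec_copy(&c->st, in, m[2]), win; unsigned dis;
        if (!vote2oo3(r0, r1, r2, &win, &dis)) return -1;
        if (dis != 3) {                          /* fault detected */
            if (c->nfaults < MAX_FAULTS)
                c->faults[c->nfaults++] = (fault_t){ tid, c->st.pc, c->cycles, dis };
            micro_flush(c);
        } else {                                 /* commit through the voter */
            if (c->hist_n == HIST_DEPTH) { memmove(&c->hist[0], &c->hist[1], sizeof c->hist[0]); c->hist_n--; }
            c->hist[c->hist_n++] = (commit_t){ c->st.pc, in->rd, c->st.regs[in->rd] };
            c->st.regs[in->rd] = win;
            c->st.pc += 4;
        }
        c->cycles++;
    }
}

/* Kernel side: fault table keyed by thread ID with PC and interval. */
#define BACKUP_INTERVAL 16u
typedef struct { unsigned tid; uint32_t pc; unsigned last_cycle, interval, count; bool backup; } kfault_t;
typedef struct { kfault_t e[8]; unsigned n, consumed; } kfault_table_t;

/* Timer ISR: pull new entries from the AP fault history; a thread faulting
 * again within BACKUP_INTERVAL cycles gets a backup (checkpoint) request. */
static unsigned kernel_timer_isr(kfault_table_t *t, const core_v_t *c)
{
    unsigned backups = 0;
    for (; t->consumed < c->nfaults; t->consumed++) {
        const fault_t *f = &c->faults[t->consumed];
        kfault_t *k = NULL;
        for (unsigned i = 0; i < t->n; i++) if (t->e[i].tid == f->tid) k = &t->e[i];
        if (!k) { if (t->n == 8) continue; k = &t->e[t->n++]; *k = (kfault_t){ f->tid, f->pc, f->cycle, 0, 1, false }; continue; }
        k->interval = f->cycle - k->last_cycle;
        k->last_cycle = f->cycle; k->pc = f->pc; k->count++;
        if (k->interval <= BACKUP_INTERVAL && !k->backup) { k->backup = true; backups++; }
    }
    return backups;
}

/* Constructed demo: r1=r0+5; r2=r1^0xFF; r3=r2+1; r4=r3+0x100; halt.
 * Copy 1 is hit in cycle fault_a, copy 2 in cycle fault_b (>= 16 = none). */
typedef struct { core_v_t core; unsigned backups; int rc; } demo_t;
static demo_t demo_run(unsigned fault_a, unsigned fault_b)
{
    static const insn_t prog[] = {
        { OP_ADDI, 1, 0, 5 }, { OP_XORI, 2, 1, 0xFF }, { OP_ADDI, 3, 2, 1 },
        { OP_ADDI, 4, 3, 0x100 }, { OP_HALT, 0, 0, 0 } };
    uint32_t sched[16][3]; memset(sched, 0, sizeof sched);
    if (fault_a < 16) sched[fault_a][1] = 0x8;
    if (fault_b < 16) sched[fault_b][2] = 0x10;
    demo_t d; memset(&d, 0, sizeof d);
    d.rc = run_program(&d.core, 7, prog, sched, 16);
    kfault_table_t kt; memset(&kt, 0, sizeof kt);
    d.backups = kernel_timer_isr(&kt, &d.core);
    return d;
}
```

A single transient in cycle 2 costs three replayed cycles and leaves the architectural result intact; two transients two cycles apart produce a second fault-table entry with interval 2 and therefore a backup request; two copies hit in the same cycle leave no majority, which a real design has to escalate (reset, safe state) rather than commit.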

Implementation

Die/layout view of the Aldebaran dual core: Aldebaran Core 0 and Aldebaran Core 1.

Summary

- Development of a high-performance CPU for the next-generation automotive CPU is required (integrity + functional safety).
- The Functional Safety Expert Group calls for participants interested in functional safety/fault-tolerance in AGL.

Automotive V-Model

Left side (development): Development of Car System -> Development of Sub-System -> Development of Mechanical Parts and ECU Development -> ECU SW Development and ECU HW Development -> ECU SW Implementation
Right side (integration and sign-off): ECU SW Integration and Test -> ECU HW Sign-Off -> ECU HW/SW Integration and Test -> ECU Sign-Off -> ECU, sensors, actuators and mechanical parts integration, calibration, and test -> Sub-System Sign-Off -> Sub-systems integration, test, and validation -> Car System Sign-Off

Trends of High-Performance Automotive AP

Automotive complexity increases exponentially: around 100 MCUs, 150 pounds of wiring and 10^7 lines of code per car, hence the need for functional safety.

High-performance multi-core automotive MCUs:
- Freescale PX
- Freescale Qorivva MPC5748G: multi-core MCU
- Infineon TriCore
- Renesas R8A7790X (R-Car H2): octa (8x) automotive MCU
(Source: Design News, Apr. 2013 & ITPro Portal, Apr. 2013)