functional safety in linux-ap
TRANSCRIPT
1Automotive Linux Summit Fall 2013
Functional Safety in Linux-AP
* ETRI=Electronics and Telecommunications Research Institute, Korea
2Automotive Linux Summit Fall 2013
SoCs in Automotive
SafeSafe SmartnessSmartness ComfortComfort
* Source : ETRI Industry Analysis Report 2010
Airbag
Smart door Window
Engine Control
Smart Dashboard(Nav, Audio)
TransmissionControl
TPMS(Tire Pressure
Monitoring System)
Seat Control
ABS Control Unit
Steering
Blackbox
ASV (Advanced Safety Vehicle)ASV (Advanced Safety Vehicle)
3Automotive Linux Summit Fall 2013
ADAS and CPU
2000 2020
ADAS (Advanced Driver Assistance System)
2010
Reduce Injuries PAS1) Danger Warning(LDWS2), Immediate Braking)
Safe Driving Control(LKAS3))
1) PAS:Parking Assist System 2) LDWS: Lane Departure Warning System3) LKAS : Lane Keeping Assist System
V2V4), V2I5), ITS6)
4) V2V: Vehicle-to-Vehicle5) V2I: Vehicle to Infrastructure6) ITS: Intelligent Transportation System
Driving-Central Smart Car
Simple SWComplex SW
Driving Smartness & Comfort
Standardized Software
High-Performance APs
4Automotive Linux Summit Fall 2013
ADAS for Smart/Safe Driving; Future of Cars
Safe DrivingSmart Driving
Automotive OS(Future of AGL?) Vehicle AP
Automotive Embedded System
Lane Detection Traffic Sign Recog.
Pedestrian Detection Night Vision
Multi-Radar/ACC
V2V/ITS
IVI(In-Vehicle Infotainment) Voice Recognition
Route/ParkingGuidance
Gesture Recognition
Mixed Reality Display Collision Warning Brake
5Automotive Linux Summit Fall 2013
Why Fault-Tolerance in Linux-AP?
Fault TolerantAutomotive SW-SoC
Automotive App.on Linux
Vehicle AP
Brake-by-Wire =Control by SW-SoC
6Automotive Linux Summit Fall 2013
Malfunction of Linux-AP
ADAS(Advanced Driver Assistance)+Steeringrequests High-Quality Fault-Tolerant SW-CPU
Steer-by-Wire
Brake-by-WireDrive
monitoring
ECU
Sources of Transient Erros
MCU/CPU/AP
Cosmic rayNoise
Voltage/Current fluctuation
Temperaturevariation
Error ModelingSET
(Single Event Transient)
SEU (Single Event Upset)
6
7Automotive Linux Summit Fall 2013
Challenges in Fault-Tolerant Linux-AP
Automotive Linux
Fault-tolerance in high-performance AP (>800MHz, ~1.2GHz)
* Plenty of researches in MCU
Redesign of the ‘Core’ for protectingtransient error
Redesign of the ‘Core and OS’ toDetect faults and Recover status
Linux kernel/drivers’ designfor fault-tolerance
* Previous works are for firmwares
Approval of ‘Core and OS’ as a ‘Safety Element’ in Vehicles
8Automotive Linux Summit Fall 2013
9Automotive Linux Summit Fall 2013
ISO 26262 Roadmap for Automotive APs
AP
SystematicFaults
HW randomfaults
Avoidance ofFaults in the process
Avoidance ofBugs in SW
Requirements tracking, conf. mgmt.
Control & Verification of the design process
Control & Verification of usage, maintenance, and
changes
Control & Verification ofTool suites (compiler,..)
Control & Verification ofSW test design
Doc. & Verification ofHW-SW interfaces
AnalysisSafety
Mechanisms
10Automotive Linux Summit Fall 2013
ISO 26262 Roadmap for Automotive APsAP
HW randomfaults
AnalysisSafety
Mechanisms
SystematicFaults
QualitativeAnalysis
Dependent failures(CCF) analysis
QuantitativeAnalysis
HW metrics analysis(SPFM, LFM, PMHF)
HW metrics verification(fault injection)
HW diagnosticMechanisms
(e.g ECC, DCLS, etc.)
SW diagnostic mechanisms
(e.g. SW tests)
※DCLS=Dual-Core Lockstep
Measures forCCF avoidance
11Automotive Linux Summit Fall 2013
ASIL Definition
C1 C2 C3
S1
E1 QM QM QME2 QM QM QME3 QM QM AE4 QM A B
S2
E1 QM QM QME2 QM QM AE3 QM A BE4 A B C
S3
E1 QM QM AE2 QM A BE3 A B CE4 B C D
QM=Quality Managed, For function but is not a safety concern
ExposureClass
E0 E1 E2 E3 E4
Desc. IncredibleVery low
probabilityLow
probabilityMedium
ProbabilityHigh
Probability
ControllabilityClass
C0 C1 C2 C3
Desc.Controllable in general
SimplyControllable
NormallyControllable
Difficult to control or
uncontrollable
SeverityClass
S0 S1 S2 S3
Desc.No
injuries
Light and moderate injuries
Severe and life-
threatening(probably survive)
Life-threatening(survival?)
12Automotive Linux Summit Fall 2013
SEooC8.3.1 ... Microcontrollers are an integral component of modern automotive systems. They can be developed as a safety element out of context(SEooC).
9.1...An SEooC is a safety-related element which is not developed for a specific item. This means it is not developed in the context of a particular vehicle.
Position of SEooC
Part-10, 9.2.3. Assumptions and SEooC Development
Assumptions onsystem-level,
safety requirements,system-level design
Hardware(MCU)development
Work products(report of safety goal)
Integration of the SEooCinto the item
13Automotive Linux Summit Fall 2013
Fault Detection (Current Technology)
Protection
Redundancy
PerturbedRedundancy
Mem1 Mem2 Mem3Original Data
+ECC
Thread1-1
Thread1-2
Thread1-3
Core1 Core2
Thread1
Thread2
Thread3
Core1
Core2
13
Physical Isolation gives space diversity Delayed lockstep gives time diversity It may weak to CCF(Common Cause Failure)
14Automotive Linux Summit Fall 2013
Redundancy suppressing Failures
*Re-analysis of Infineon’s Presentation
Type Cause Effects Lifetime
EOSElectrical Over-Voltage/Current Stress
Hot spots > 1ms
ESDElectro-Static Discharge
Upto 1A dischargecurrent
100ps to 1us
Cosmic Radiation
External environment(>1MeV)
~100fC chargelocalized in a few um
< 100ps
Intrinsic Radiation
Alpha from package(~8MEV)
Hole-electron pair generation in a few um
< 100ps
14
purpose
redundancy
perturbedredundancy
error sources
15Automotive Linux Summit Fall 2013
DCLS (1)
PrimaryCore
CheckerCore
Compare
Physical Isolation gives space diversity Delayed lockstep gives time diversity It may weak to CCF(Common Cause Failure)
16Automotive Linux Summit Fall 2013
Physical separation
DCLS (2)
F DEC E
F’ DEC’ E’
AntiCore
XORXOR
XOR
Reduced delay lines Shadow core does inverse of the core Physical separation
17Automotive Linux Summit Fall 2013
DCLS in Action
Logic BIST
ECC FlashIF
ECC Flash
SPF
MPU(mem)
CPUMaster
INT DMA
ECC RAM IFPBUSIF
V850E2M
ECCRAMBIST
Peripherals
LogicBIST ECC BIST
RAM
2 clockdelay
2 clockdelay
2 clockdelay
CPUChecker
DMA
SPF
MPU(mem)
INT
RAM IF ECCPBUS
IF
Logic BIST
ECCFlashIF
V850E2M
SafetyGuardian
Compare Unit
Clock monitor
Clock monitor
Clock monitor
WDT
Clock Gen
Clock input
Ring OSC
18Automotive Linux Summit Fall 2013
DCLS in Actions
* Excerpts from Infineon
Thread 1a
Thread 1b
Thread 2
19Automotive Linux Summit Fall 2013
20Automotive Linux Summit Fall 2013
Automotive AP Dev. Process in ETRI
Appropriate development procedure Measurement for analysis (FMEA) Review by required organization Documentation
Requirements in the Development Process
OverallArchitecture
Design
Fault injection &analysis
FaultTolerance
Mechanism
FunctionVerification
Final Design
Tape-out
IntermediateReview
Synthesis P&R ReliabilityAnalysis Fab. Packaging
ReliabilityTest
(AEC-Q100)
Review &Final
Document
20
ACCDEP (Automotive CPU Core Design Process in ETRI)
21Automotive Linux Summit Fall 2013
Basic SoC Design Methodology
Requirements
SimulateRTL Model
Gate-levelModel
Synthesize
Simulate Test Bench
ASIC or FPGA Place & Route
TimingModel Simulate
22Automotive Linux Summit Fall 2013
ACCDEP in V Model
Hazard andRisk Analysis
Safety requirements
from Customer
ASIL safety goal
Safety requirements(generic, architecture,
assumption)
Specification ofSafety Integrity Measures
(SoC+SW)
ACCDep
Safety Analysisand Validation
Safety Report(FMEA, Metrics)
Item integration, Safety Validation &
Assessment
SW-SoC Design Group
Inputs for Part 5,6 Outputs for Part 5,6
22
23Automotive Linux Summit Fall 2013
Required Expertise in ACCDEP
Involvement & Understanding of Standardization
Safety Analysis ExperimentsFor Automotive Applications(LKAS, Braking, Airbag, ..)
Automotive AP/MCUDesign Technologies
SW-SoC Technology Core development DCLS, Assertion, Voting, ECC, ..
Cooperation with external institutes
For safety assessment
FMEA Methodology SetupFault injection & Simulation
23
24Automotive Linux Summit Fall 2013
Faults and Errors in ACCDEP
Systematic Error Error in the process
Bugs in SW
Bugs in HW design
Permanent Chip FailureRandom Error
Transient Error
ErrorDiscrepancy
FaultAbnormal condition
causing failure
FailureTermination of
The ability
Control & Verification
Simulation, Testing,Static analysis
Simulation, Testing, Formal verification
Stress test(AEC-Q100)
Fault-ToleranceTechniques
24
25Automotive Linux Summit Fall 2013
ETRI’s Roadmap for Embedded Processors
DSP Core
Video Core
2006 2008 2010 2012 2014 2016
Single-Core DSP160 instructions180MOPS@130nm
“EMP-S”
“EMP-D”Dual-CoreMulti-Port SPM160 inst.500MOPS@130nm
“Aldebaran-S”
x2 1.6GOPS@800MHz32-bit Dual-CoreMMU(TLB, Cache)
Touch Sensor2
Sound EffectSoC
Touch SensorMedia SoC Audio
SoC
AP for EmbeddedSystems
“Aldebaran-R”
x32-x64 core CPUReliability, Perf., Power0.1mW/MHz
MOSAICMulti-Core Video SoC
“Aldebaran-V”
x4 4GOPS@1GHzFault-Tolerant CPU asSEooC in ISO 26262
“MOSAIC”
“Aldebaran-C”Multi-Channel
Video Codec APx2 1.6GOPS@800MHzHEVC (4K/8K video codec)SPMD Array Processor
Fault-TolerantVehicle AP
Many-Core CPU
Compact Embedded DSP(35Kgates, 3mW@130nm/core)
AP for Embedded Products(300Kgates, 99.8mW@65nm/core)
26Automotive Linux Summit Fall 2013
Positioning
Cortex-A9, x2, 4000DMIPS,500mW,1GHz@40nm
Cortex-A8, x1, 1200DMIPS,300mW,600MHz@40nm
2000
Cortex-A15 (to come), x2, 8400DMIPS, ~900mW, 1.2GHz@28nm
60004000 8000
300
600
900
Power(mW)
Performance(DMIPS)
Simple “number of cores” war will face the end.The power efficiency war is the next round.
Too Hot for Mobile Applications ! (1.1W)
Aldebaranx8, 18400DMIPS,150mW@45nm
27Automotive Linux Summit Fall 2013
Aldebaran Development Platform< Architecture >
< Xilinx FPGA Platform >LCD(1200x800)+FPGA b/d+Base b/d
28Automotive Linux Summit Fall 2013
Aldebaran-S2 (Dual-Core)
SCLKNET(p_osc,4)
SJTAG(pjt,5)
FMC(pfm,15)
GPIO(pio,10)
DDR2(pdd, 76)
SDR(psd,58)
VIDEO(plcd,29)
USBHS(pus,6)
SDIO(psi,12)
SMC(psm,37)
AC97(pac,5)
I2C(pic,8)
UART(pua,4)
PWM(pwm,4)
PMU(pjumper,8)
IROM IRAM
INTC DMAC
NIC
ALDEBARAN_CORE
ID 0
ALDEBRAN_CORE
ID 1
TIMER/WDT
< Block Diagram of Aldebaran >
< Aldebaran Layout >
29Automotive Linux Summit Fall 2013
Aldebaran Architecture
M0 M2
S0 S1 S2
aldebaran_nic_7m8s M4
VC(VIDEO,
LCD)SJTAG
DDR2SDR
SNAKE_COREID 0
PMU Timer
S6
M1
DMA
S4
SMC(SRAM I/F)
INTC
M3
USBHS(USB Host)
irom
iram
S3
NFC(NAND Flash)
S5
USB_Slave
DMADDR2GPU PCIe HDMI MFC
USBOTG SATA Ethernet(802.3) CAM
AXI multi-layer bus
AXI multi-layer bus
LS0
LM0
RS0
RM0BL BR
SCLK4NET
AXI
AHB
APB
core_clk
SMC
Video
M5
SDIO0
S7
SDIO1
FMCWDT
NOR
M3
SNAKE_COREID 1
coreb_clk
core_clk
bl_clk
br_clk
sdr_clk
usb_clk
p_osc_clki
video_clk
pdd_sys_clk_p
pac_bit_clk_pad_i
bl_clk br_clk
usb_clk
video_clk
sdr_clk
coreb_clk
pdd_sys_clk_ppdd_clk_ref_ppdd_clk_ref_n RTC
UART0,1
AC97
I2C0,1
SJTAG
PWM
USBHS
p_osc_clk48mpjt_tck_in
CAN0,1
30Automotive Linux Summit Fall 2013
Features of Aldebaran
Dual-issue in-order superscalar with 32bit I/D Target : 800MHz@65nm,1.1V, 1GHz@45nm,1.0V BTB: 2-way x 256-entry x 58-bit =3.7Kbytes BP: 10-bit GHR, 256x16x2b=1Kbyte I/D cache: Each 32K bytes, Tag 2.12Kbytes,
I$+D$ 68.25Kbytes TLB: Each 32-entry PTE(Page Table Entry) for
iTLB/dTLB Separate iTLB/dTLB, each 32 entries Each 65-bit PTE with selective FLUSH/PROBE
Dual-rail decode and in-order scheduler w/ Scoreboard
Execution queue Queue containing decoded/scheduled blocks Run-time OS support for LP execution
Superscalar execution unit 2 integer units, 1 load store, and FPU for
single/double fpu operationsMulti-port register file
800MHz, 2.63mm2@65nm
Core
Clock Net Frequency Description
osc_clki (ref_clk) 50MHz PLL reference clock
SCLKNET/core_clk 500MHz~1GHz Core block
SCLKNET/bl_clk core_clk/2, 250MHz~500MHz
BL bus
SCLKNET/br_clk 200MHz BR bus
SCLKNET/sdr_clk 166MHz SDR clock
SCLKNET/video_clk 80MHz VC clock
osc_clk48m (usb_clk) 48MHz +/- 0.2% USBHS clock
pdd_sys, pdd_ref(ddr2 4 clks)
200MHz SNAKEM_DDR2
psd_clk_in 166MHz SDR feedback
pjt_tck_in 10MHz SJTAG clock
pac_bit_clk_pad_i 12.8MHz SNAKEM_AC97
sdio internal clocks ~50MHz(gated from br_clk)
Clocks in Aldebaran
31Automotive Linux Summit Fall 2013
NFS : NAND Flash controller 128M~32Gbytes NAND supportMax 400Mbps Configurable, for various NAND types
USBHS : Usb controller USB(1.1) Host controller
SDC : SD controller SD card(1/4-bit mode)/SDIO/SPI
Features of Aldebaran
VC: Video Controller EDMA for NoC off-loading 1280x800 resolution, HDMI support
DRAM Controller 256Mbytes DRAM 166MHz SDR(166Mbps) 200MHz DDR2(400Mbps)
iROM : Internal ROMMultiple bootstrap modes
iRAM: Internal RAM 32Kbytes for complex bootstrapping
NoC-Left SMC : SRAM I/F controller Configurable SRAM Interface Interface for LAN9220
INTC : 32-source PIC Timer/WDT: Periodic/One-shot/Watchdog, 4 sets
CAN: 2-wire CAN for OBD-II, 2 sets
PWM: Pulse-Width-Modulation Configurable waves LCD backlight, Dimming
UART: UART 16550 38400/115200 baud rate
AC97: Audio AC97 codec interface Volume management
I2C: Inter-IC Control 7-bit/10-bit address I2C master/slave composite LCD Touch Interface
SJTAG : JTAG Interface PC-Core Communication Core debugging, Program Download On-Chip flash burning
NoC-Right
NoC-Right
32Automotive Linux Summit Fall 2013
Core Architecture
BPBTB
TLB
iTLB dTLB
MMUC
I$
IQVA S
D0U
FS
D1U
D0D D1D
IU0
RF
EQIU2
D$
FPU
LS
EP EE
13 pipeline stagesSB
LegendVA : Virtual Address S : SchedulerBTB : Branch Target Buffer SB : ScoreboardBP : Branch Predictor EQ : Execution QueueFS : Fetch Scheduler RF : Register FileIQ : Instruction Queue IU : Integer UnitDU : Upper Decode LS : Load/Store UnitDD : Down Decode EP/EE : Execute Prolog/Epilog
✔US 12/832313, “Local stack storage for processors” ✔US 7958321, “Apparatus and method for reducing memory access
conflicts among processors” ✔MICPRO 2010, ”Partial access conflict-relieving programmable
address shuffler for parallel memory system in multi-core processor”
33Automotive Linux Summit Fall 2013
Core Internals
SNAKE_CORESNAKE_RESET
I cache
D cache
Decoder Scheduler
Trape0
e1-e3
REGFILEFQUEUE
BTB & BP
FS
EQ & EP
TLB
AXIF
※ Block size is independent of the actual gate count.
SNAKE_C
34Automotive Linux Summit Fall 2013
Aldebaran Instructions
LDSB LDSBALDSH LDSHALDUB LDUBALDUH LDUHALD LDALDD LDDALDFLDDFLDFSRLDCLDDCLDCSRSTB STBA STH STHAST STASTD STDASTF STDFSTFSRSTDFQSTCSTDCSTCSRSTDCQLDSTUB LDSTUBASWAP SWAPASETHINOP
AND ANDcc
ANDN ANDNcc
OR ORcc
ORN ORNcc
XOR XORcc
XORN XORNcc
SLL
SRL
SRA
ADD ADDcc
ADDX ADDXcc
TADDcc TADDccTV
SUB SUBcc
SUBX SUBXcc
TSUBcc TSUBccTV
MULScc
UMUL UMULcc
SMUL SMULcc
UDIV UDIVcc
SDIV SDIVcc
SAVE
RESTORE
Bicc
FBfcc
CBccc
CALL
JMPL
RETT
Ticc
RDASR
RDY
RDPSR
RDWIM
RDTBR
WRASR
WRY
WRPSR
WRWIM
WRTBR
CAS
CASA
STBAR
UNIMP
FLUSH
FiTO(s,d,q)
F(s,d,q)Toi
FsTOd
FsTOq
FdTOs
FdTOq
FqTOs
FqTOd
FMOVs
FNEGs
FABSs
FSQRT(s,d,q)
FADD(s,d,q)
FSUB(s,d,q)
FMUL(s,d,q)
FDIV(s,d,q)
FsMULd
FdMULq
FCMP(s,d,q)
FCMPE(s,d,q)
Cpop
Load-Store Arithmetic Flow Sync Floating-point
Register move
VectorVLD
VST
VADD
VSUB
VMUL
VSUM
VABS
VAND
VOR
VSHF
VSQR
35Automotive Linux Summit Fall 2013
I Cache; VIPT
I$
Inst[31:0]
index[12:5] offset[4:2]tag[31:13]
inst inst inst
=
select
Tag size=(28x19bx4) Data size = (28x32bytesx4)
PA[11:2]PA[35:12]
VA[31:2]
TLB
Hit way
Miss
tagtag
tagtag
BlockBlock
Mux
4-way Blocks
Block
✔US 출원중, “Apparatus for saving energy of a cache using scratch pad memory” ✔JCSC 2010, ”Application-adaptive reconfiguration of memory address shuffler ”
36Automotive Linux Summit Fall 2013
D Cache; PIPT
D$
Data[31:0]
=
select
Tag size=(28x19bx4)
Data size = (28x32bytesx4)
TLB Hit
Miss
tagtag
tagtag
VA[11:2]VA[31:12]
index[12:5] offset[4:2]tag[35:13]PA[35:2]
Data[31:0] Write Buffer
HitMiss
Blockinst inst inst
37Automotive Linux Summit Fall 2013
Branch Prediction; Gshare
GHR[9:2]
PHT
GHR(Global History Register)
PHT (Pattern History Table)
Gshare = Derivative of GAp
GHR[4:0]^PC[4:0]
256 entries
To reduce “aliasing” by PC, use XOR
32 entries
Hit ratio
38Automotive Linux Summit Fall 2013
inst. g0
Instruction Queue & Bandwidth
inst. g1
inst. g7
decode_u
decode_d
FastBranch
Detection
inst0inst1inst2inst3inst4inst5inst6inst7
cache line
Dual instruction Selector
39Automotive Linux Summit Fall 2013
Scheduler
Scheduler & Fire-and-go
Hazard Resolution
int0_e0 int1_e0 ldst_e0
int0_e1 int1_e1 ldst_e1
int0_e2 ldst_e2
ldst_e3
fp_e0
fp_e1
Flow Control
e0
e1 e2
e1
e1 e2 e3
e1
Fire-and-go
40Automotive Linux Summit Fall 2013
TLB
iTLB
Page Table and TLB
r_ctpr(12b) L1 pPTD
L1 pPTD
L1 pPTD
L1 PTD/E L2 PTD/E L3 PTD/E
256 entries 64 entries 64 entries
Index1 Index2 Index3 Offset
31
24 23 18 17 12 11 0
VA
entry 0
entry 1
entry 31
dTLBentry 0
entry 1
entry 31
VA tags ctx PTE
c_ctx
r_ctpr
r_fsr
r_far
PPN C M R ACC ET8
36-bit physical address
VAPA Flush(partial/full) Probe
41Automotive Linux Summit Fall 2013
Traps
Trap name #ttreset 0x2bdata_store_error 0x3cinstruction_access_error 0x21instruction_access_exception 0x01privileged_instruction 0x03illegal_instruction 0x02fp_disabled 0x04cp_disabled 0x24window_overflow 0x05window_underflow 0x06mem_address_not_aligned 0x07fp_exception 0x08cp_exception 0x28data_access_error 0x29data_access_exception 0x09tag_overflow 0x0adivision_by_zero 0x2a
Trap name #tttrap_instructions 0x80~0xff
Trap name #ttinterrupt_level_15 0x1finterrupt_level_14 0x1einterrupt_level_13 0x1dinterrupt_level_12 0x1cinterrupt_level_11 0x1binterrupt_level_09 0x1ainterrupt_level_09 0x19interrupt_level_08 0x18interrupt_level_07 0x17interrupt_level_06 0x16interrupt_level_05 0x15interrupt_level_04 0x14interrupt_level_03 0x13interrupt_level_02 0x12interrupt_level_01 0x11
42Automotive Linux Summit Fall 2013
IDE w/ GCC
Core verification, performance measurement for Aldebaran
such as SpecCPU, CoreMark, etc.
C/C++ Compiler+LibrariesC/C++ Compiler
ar as cppgcc g++ gcj
gcov gprof ld objcopy objdump read_elf
crt1.o libc libmlib
pthread librtlib
stdc++
Debugger
The small-sized server SW to communicate with JTAG-based OCD implemented in the chip
※ OCD : On-Chip Debugger
OCD
Client software for C/C++ Source-Level Debugging
EmulatorModeling of core, tlb, mmu,
and the main memory
Monitor
Probing and control of the corethrough JTAG
Linux
Linux Kernel(3.3)
MMU mgt.
Flash driver
Mediadrivers
Bootloader
Applications
GraphicsLibrary
Web OpenGLOpenCL
Frame buffer
Verification Apps
IDEIntegrated development
environment GUI with Compiler, Assembler, Debugger
Aldebaran SWEcosystem
43Automotive Linux Summit Fall 2013
Verification Basics
Application(C/C++)
ELF(executable)
Image(.text, .data, .bss..)
CompilerLinker
Objcopy
Emulator
Aldebaran core RTL simulation
SnakemuCoreState Buffer
IPC channel(host machine)
shmget(), shmat()
Cycle-by-Cycle Comparison
RTL DirectPortInterface
RTL Sim
ulatorHost
machine
44Automotive Linux Summit Fall 2013
Energy Management
PMU
Core 0
NoC-Left
NoC-Right
Core 1
DRAM
VC
USB
AC97
PLL
PLL
PLL
PLL
PLL
PLL
1/2
core_clk
coreb_clk
bl_clk
br_clk
sdr_clk
vc_clk
usb_clk
PMIC
VoltageRegulation
Control
ac97_bit_clk
IO PadsIO Power
core0, 0.8~1.1V
core1, 0.0V, 0.75~1.1V
45Automotive Linux Summit Fall 2013
Comparison
Area and Power
Core_C0.87mm2@65nm
300K gates
I$0.88mm2@65nm
305K gates
D$0.88mm2@65nm
305K gates
CORE2.63mm2@65nm 980K gatesMax 99.8mW@800MHz
(PT-PX Simulation)
Aldebaran Core0.125mW/MHz
MIPS 1074kf0.36mW/MHz
ARM Cortex-A90.625mW/MHz
* Excerpted from MIPS, ARM’s website* Power efficiency depends on synthesis constraints
46Automotive Linux Summit Fall 2013
Fault Analysis in ACCDEP
Modeling
Architecture
BPBTB
TLB
iTLB dTLB
MMUC
I$
IQVA S
D0U
FS
D1U
D0D D1D
IU0
RF
EQIU2
D$
FPU
LS
EP
EE
SB
mBTB
mBP
mFSmDE
O1 O2
O3
),(),()( ij
jmimi oiPomPoP
Fault Simulation SWStimulus vector
Modulewithout Error
Modulewith Errorinjection
FaultRate
Extraction(VPI)
Error Generation
(VPI)
Injection(VPI)
46
47Automotive Linux Summit Fall 2013
Aldebaran-V (Concept)
47
BPBTB
TLBiTLB dTLB
MMUCMMUC
IQVA S
D0U
FS
D1U
D0D D1D
IU0
RF
EQIU2
FPU
LS
EP
EE
SB
F1 F2 F3 D0 D1 S EQ E0 E1 E2 E3VA F0
F1 F2 F3 D0 D1 S EQ E0 E1 E2 E3VA F0
F1 F2 F3 D0 D1 S EQ E0 E1 E2 E3VA F0
2 cycle delay
2 cycle delay
V V V V V V V V V V V V
Internal pipeline architecture
detection : spatial, time, logical diversity tolerance : 2oo3 voting recovery : micro-flushing on failure detection
Micro-flushing for fault detection and recovery
Pipeline redundancy
R.Mem
R.Mem
Failure detected Micro-Reset
48Automotive Linux Summit Fall 2013
Register File
Aldebaran-V (Register-based Micro-flushing)
F1 F2 F3 D0 D1 S EQ E0 E1 E2 E3VA F0
F1 F2 F3 D0 D1 S EQ E0 E1 E2 E3VA F0
F1 F2 F3 D0 D1 S EQ E0 E1 E2 E3VA F0
r0 r0-eccr1 r1-ecc
r31 r31-ecc
TMR
r0 r0-eccr1 r1-ecc
r31 r31-ecc
UpdateHistory(for 2
cycles)
Register File
r0 r0-eccr1 r1-ecc
r31 r31-ecc
UpdateHistory(for 2
cycles)
Register File
Pre-Core 0
Pre-Core 1
Core (actual)
Failure detected Micro-Reset
49Automotive Linux Summit Fall 2013
Kernel-AP Interaction in Aldebaran-V
Normal operation
Fault detected
Micro-flushing
yes
Linux
Thread ID
2oo3 matches?
noAP-driven
fault history
Rewind
Fault Table
PC
Interval
Timer isr
Do backupfor faulty process
Kernel AP
50Automotive Linux Summit Fall 2013
Implementation
AldebaranCore 0
AldebaranCore 1
50
51Automotive Linux Summit Fall 2013
Summary
Development of High-performance CPU for Next-generation Automotive CPU is required.
(Integrity + Functional Safety)
The Functional Safety Expert Group calls forparticipants interested in Functional Safety/Fault-Tolerance
in AGL
52Automotive Linux Summit Fall 2013
53Automotive Linux Summit Fall 2013
Automotive V-Model
Development of Car System
Development of Sub-System
Development of Mechanical Parts
ECU Development
ECU SWDevelopment
ECU HWDevelopment
ECU SWImplementation
ECU SWIntegration and Test
ECU HWSign-Off
ECU HW/SWIntegration and Test
ECU Sign-Off
ECU sensors, actuators,Mechanical parts Integration, Calibration, and Test
Sub-System Sign-Off
Sub-Systems integrationTest, and validation
Car SystemSign-Off
54Automotive Linux Summit Fall 2013
Trends of High-Performance Automotive AP
Need for Functional Safety 100 MCUs, 150 pounds of wiring 107 lines of code
Automotive’s Complexity Increases Exponentially
(Source: Design News, Apr. 2013 & ITPro Portal Apr. 2013)
Freescale QuorrivaMPC5748G
Renesas R8A7790X(R-Car H2)
Freescale MPC5748G : Multi-Core MCU Renesas R8A7790X : Octa(8x) Automotive MCU
High-Performance Multi-Core Automotive MCUs
Freescale PX
Infineon TriCore