5 research outputs found

    Analysis and RTL Correlation of Instruction Set Simulators for Automotive Microcontroller Robustness Verification

    © ACM 2015. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in ACM, In Proceedings of the 52nd Annual Design Automation Conference (p. 40). http://dx.doi.org/10.1145/2744769.2744798

    Increasingly complex microcontroller designs for safety-relevant automotive systems require the adoption of new methods and tools to enable cost-effective verification of their robustness. In particular, the costs associated with certification against the ISO26262 safety standard must be kept low for economic reasons. In this context, simulation-based verification using instruction set simulators (ISS) arises as a promising approach to partially cope with the increasing cost of the verification process, as it allows design decisions to be taken in early design stages, when modifications can be performed quickly and at low cost. However, it remains to be proven that verification in those stages provides accurate enough information to be used in the context of automotive microcontrollers. In this paper we analyze the existing correlation between fault injection experiments in an RTL microcontroller description and the information available at the ISS, to enable accurate ISS-based fault injection.

    The research leading to these results has received funding from the ARTEMIS Joint Undertaking VeTeSS project under grant agreement number 295311. This work has also been funded by the Ministry of Science and Technology of Spain under contract TIN2012-34557 and HiPEAC. Jaume Abella is partially supported by the Ministry of Economy and Competitiveness under Ramon y Cajal postdoctoral fellowship number RYC-2013-14717.

    Espinosa García, J.; Hernández Luz, C.; Abella, J.; Andrés Martínez, DD.; Ruiz García, JC. (2015). Analysis and RTL Correlation of Instruction Set Simulators for Automotive Microcontroller Robustness Verification. ACM.
    https://doi.org/10.1145/2744769.2744798

    Modeling RTL Fault Models Behavior to Increase the Confidence on TSIM-based Fault Injection

    Future high-performance safety-relevant applications require microcontrollers delivering higher performance than the existing certified ones. However, means for assessing their dependability are needed so that they can be certified against safety-critical certification standards (e.g., ISO26262). Dependability assessment analyses performed at a high level of abstraction inject single faults to investigate the effects these have on the system. In this work we show that single faults do not comprise the whole picture, due to fault multiplicities and reactivations. We then show that, by injecting complex fault models that consider multiplicities and reactivations at higher levels of abstraction, results are substantially different, thus indicating that a change in the methodology is needed.

    The research leading to these results has received funding from the Ministry of Science and Technology of Spain under contract TIN2015-65316-P and the HiPEAC Network of Excellence. Carles Hernández is jointly funded by the Spanish Ministry of Economy and Competitiveness (MINECO) and FEDER funds through grant TIN2014-60404-JIN. Jaume Abella has been partially supported by the MINECO under Ramon y Cajal postdoctoral fellowship number RYC-2013-14717.

    Software-only triple diverse redundancy on GPUs for autonomous driving platforms

    Autonomous driving (AD) imposes the need for safe computations in high-performance computing (HPC) components such as GPUs, which must therefore be able to detect and recover from errors, since a safe state may no longer exist. This can be achieved with Triple Modular Redundancy (TMR) for computation components. Furthermore, error detection capabilities need to provide some form of diversity to avoid the case where a single fault leads all redundant executions to the same error, which would go undetected. In our past work, we assessed GPUs against dual modular redundancy (DMR) with diversity, showing their potential and limitations to provide diverse redundancy building on reset and restart for recovery. However, such a recovery scheme may be too slow for some applications. This paper proposes a software-only solution to deliver diverse TMR on commercial off-the-shelf (COTS) GPUs. Our work details how staggered execution can be achieved and assesses the performance of TMR on COTS GPUs. Moreover, we identify those elements where diversity cannot be guaranteed and provide some discussion comparing the case of DMR and TMR for those elements.

    This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 871467 (SELENE). Leonidas Kosmidis has been partially supported by the Spanish Ministry of Economy and Competitiveness (MINECO) under a Juan de la Cierva Formacion postdoctoral fellowship with number FJCI-2017-34095.

    Software-only diverse redundancy on GPUs for autonomous driving platforms

    Autonomous driving (AD) builds upon high-performance computing platforms including (1) general-purpose CPUs as well as (2) specific accelerators, with GPUs being one of the main representatives. Microcontrollers have reached ASIL-D compliance by implementing diverse redundancy with lockstep execution. However, ASIL-D compliant GPUs rely on either fully redundant lockstep GPUs (i.e., 2 GPUs), which doubles hardware costs, or fully redundant systems with a GPU and another accelerator, which virtually doubles design and validation/verification (V&V) costs. In this paper we analyze the degree of diversity achieved when implementing redundancy on a single GPU, showing that diverse redundancy is not achieved in many cases, and propose software strategies that guarantee diverse redundancy for any kernel on systems using commercial off-the-shelf (COTS) GPUs, thus showing how to achieve ASIL-D compliance on a single COTS GPU in controlled scenarios.

    This work has been partially supported by the Spanish Ministry of Economy and Competitiveness (MINECO) under grant TIN2015-65316-P and the HiPEAC Network of Excellence. Jaume Abella has been partially supported by the MINECO under Ramon y Cajal postdoctoral fellowship number RYC2013-14717.

    An approach to quantifying hardware diversity against common cause failures

    In this thesis, we cover the gap of quantifying diversity by introducing DIMP, a low-cost diversity metric based on analyzing the paths of the circuits, and relate it to the particular case of automotive microcontrollers that implement lockstep cores.