Embodiments of the present disclosure generally relate to diagnostic self-testing of functional safety of digital circuits, and in particular to a program flow monitoring (PFM) device for a gateway device, a method of operating such a PFM device, and a corresponding computer program.
Automotive gateway electronic control units (ECUs) must be safeguarded against faults that endanger the correct execution of their gateway applications. In particular, faults that could lead to a part of the application, i.e., a program sequence, being stopped before it finishes executing or exceeding its allocated time budget, or that could lead to an unintended change in the program sequence execution order, must be detected.
Therefore, in order to detect faults in clocks or processing units, more specifically in the interrupt handler and control logic (i.e., sequencer, coding and execution logic including flag, register and stack control) of microcontroller units (MCUs), it is useful to implement mechanisms that monitor the correct execution of program sequences.
These mechanisms shall detect failure modes of semiconductor elements such as:
Indeed, to achieve the highest possible Automotive Safety Integrity Level (ASIL), semiconductor manufacturers and system integrators shall implement such a program sequence monitoring mechanism.
Also, the Road Vehicle—Functional Safety standard, ISO 26262:2018, recommends implementing temporal and logical monitoring of program sequences for best coverage of the above-mentioned failure modes.
Nowadays, temporal monitoring of program sequences is done with a hardware timeout or window watchdog. Logical monitoring, however, is done by software using features of an operating system when available. In some implementations, temporal monitoring and sometimes even logical monitoring is realized on an external chip.
An implementation of logical monitoring in software is very complex, because many applications run in parallel in one single ECU. Logical monitoring shall be able to monitor the execution time and order of execution of all program sequences in an automotive ECU. It shall do so in all situations and all phases of the ECU, and shall consider all the vehicle dynamics and the environmental conditions to which the ECU is exposed. Such software is very costly in terms of processing power. Currently this requires adding further processing resources. This drawback is accentuated by the fact that this software is safety related and shall be executed redundantly on diverse CPU resources (e.g., lockstep CPU).
Moreover, this very complex and costly software is not reusable for another ECU without high porting efforts.
The present disclosure thus aims at providing a generic IP core for temporal and logical monitoring of a program or processing sequence executing on a gateway ECU or SoC.
A first aspect of the present disclosure relates to a program flow monitoring (PFM) device for a gateway (GW) device. The PFM device comprises a configurable functional state machine (FSM) configured to model a behavior of a monitored processing stage of the GW device. The PFM device is configured to predict an expected behavior of the monitored processing stage in dependence of an input of the monitored processing stage and the behavioral model; compare the expected behavior with an actual behavior of the monitored processing stage based on an output of the monitored processing stage; and selectively generate a fault notification in dependence of a result of the comparison.
A GW device as used herein may refer to a network function that allows traffic to flow from one discrete network to another, and that can operate at any of the seven functional layers of the open systems interconnection (OSI) model.
A behavior as used herein may refer to a model describing a processing function in terms of its expected processing times and/or expected processing results in dependence of a stimulus of the processing function, such as ingress traffic.
In an implementation of the first aspect, the expected behavior may comprise a temporal behavior of the monitored processing stage. The temporal behavior may depend on at least one of: a network topology and configurable expected processing types of the monitored processing stage, configurable expected processing times and margins of the expected processing types, and actual processing types and actual frame types as given by the input of the monitored processing stage.
In an implementation of the first aspect, the expected behavior may comprise a logical behavior of the monitored processing stage. The logical behavior may depend on an error control coding of the input of the monitored processing stage.
In an implementation of the first aspect, the PFM device may further be configured to associate a respective generated fault notification with a response.
In an implementation of the first aspect, the response may comprise routing the generated fault notification to an output terminal of the PFM device.
In an implementation of the first aspect, the response may further comprise forwarding the generated fault notification on a differential signaling transmission line connected to the output terminal.
In an implementation of the first aspect, the PFM device may further be configured to inject an error into the input of the monitored processing stage used by the FSM for prediction.
In an implementation of the first aspect, the injected error may comprise an inverted input of the monitored processing stage.
In an implementation of the first aspect, the PFM device may further comprise a further processing stage corresponding to an unmonitored processing stage of the GW device adjoining the monitored processing stage.
In an implementation of the first aspect, the PFM device may further be configured to receive a clock supply different from a clock domain of the GW device.
In an implementation of the first aspect, the PFM device may further be configured to receive a voltage supply different from a voltage domain of the GW device.
A second aspect of the present disclosure relates to a method of operating a program flow monitoring device for a gateway device. The PFM device comprises a configurable functional state machine configured to model a behavior of a monitored processing stage of the GW device. The method comprises predicting an expected behavior of the monitored processing stage in dependence of an input of the monitored processing stage and the behavioral model; comparing the expected behavior with an actual behavior of the monitored processing stage based on an output of the monitored processing stage; and selectively generating a fault notification in dependence of a result of the comparison.
In an implementation of the second aspect, the method may be performed by the PFM device of the first aspect or any of its implementations.
A third aspect of the present disclosure relates to a computer program comprising executable instructions which, when executed by a processor, cause the processor to perform the method of the second aspect or any of its implementations.
The present disclosure provides a PFM device representing a generic IP core for temporal and logical monitoring of a program or processing sequence executing on a gateway ECU or SoC.
An IP core as used herein may refer to a reusable unit of digital logic, cell, or integrated circuit layout design that may be used as a building block in the design of application-specific integrated circuits (ASICs) or field-programmable gate arrays (FPGAs).
The PFM device is a fully capable ASIL D Safety Element out of Context (SEooC), or in other words, a system developed for an assumed context and not for a specific vehicle, OEM or industry. This means that engineering of non-reusable, complex and costly software could be replaced by a reusable and configurable digital hardware solution.
Automotive Safety Integrity Level (ASIL) as used herein may refer to a risk classification scheme defined by the ISO 26262 standard (Functional Safety for Road Vehicles). ASIL D dictates the highest integrity requirements on a product.
The PFM device is comprehensively configurable by the user via configuration registers.
The PFM device performs redundant processing using redundant and diverse input and output stages and diverse signal processing compared to the GW device.
The PFM device, by nature/design, eliminates the weaknesses of a software-based implementation (lack of freedom from interference, lack of time determinism, etc.).
The PFM device avoids common cause failures (CCF) with respect to supply of clock and/or voltage.
A common cause failure (CCF) as used herein may refer to a failure where a plurality of items fails within a specified time such that the success of the system mission would be uncertain, and item failures result from a single shared cause and coupling factor (or mechanism).
The above-described aspects and implementations will now be explained with reference to the accompanying drawings, in which the same or similar reference numerals designate the same or similar elements.
The features of these aspects and implementations may be combined with each other unless specifically stated otherwise.
The drawings are to be regarded as being schematic representations, and elements illustrated in the drawings are not necessarily shown to scale. Rather, the various elements are represented such that their function and general purpose become apparent to those skilled in the art.
However, those skilled in the art will appreciate that the PFM device 1 may alternatively be provided inside a Safety MCU as well.
Besides the PFM device 1, the GW device 2 comprises a monitored processing stage 202, which is subjected to temporal and logical monitoring by the PFM device 1, and may further comprise unmonitored processing stages 201, 203. An optionality of the unmonitored processing stages 201, 203 is indicated by dashed lines in
The PFM device 1 is designed as a fully capable ASIL D Safety Element out of Context (SEooC). As such, it may be instantiated multiple times within a same GW device for monitoring of multiple different monitored processing stages 202.
The PFM device 1 is configurable by a host processing unit 3 controlling the GW device 2 and is configured to notify the controlling host processing unit 3 of any faults.
In an operation phase, a frame received by the GW device 2 at one of a plurality (N) of input ports is network processed and forwarded to an appropriate one of a plurality (N) of output ports. In
With reference to
An output of the FSM 5 is compared to the output 205 of the monitored processing stage 202 of the GW device 2. More specifically, the PFM device 1 is configured to predict an expected behavior of the monitored processing stage 202 of the GW device 2 in dependence of an input 204 of the monitored processing stage 202 and the behavioral model of the FSM 5, and compare the expected behavior with an actual behavior of the monitored processing stage 202 of the GW device 2 based on an output 205 of the monitored processing stage 202.
The PFM device 1 is further configured to selectively generate a fault notification, in particular in dependence of a result of the comparison.
The PFM device 1 may further comprise a clock unit 104 and/or a power management unit 105 (see
The PFM device 1 may be configured to provide further GW safety mechanisms such as voltage and/or temperature monitoring. In case of faults, these safety mechanisms may generate alarms for their part.
The PFM device 1 may further comprise configuration registers 103 (see
The safety checking unit 4 of
The safety monitoring unit 403 receives the input 204 of the monitored processing stage 202 (see
In order to detect mismatches between the output of the FSM 5 and the output 205 of the monitored processing stage 202 of the GW device 2, the PFM device 1 may further be configured to inject an error into the received input 204 of the monitored processing stage 202 that is used by the FSM 5 for prediction. The injected error may comprise an inverted input 204 of the monitored processing stage 202 and may be injected by the safety monitoring unit 403.
The safety monitoring unit 403 forwards the received input 204 of the monitored processing stage 202 to the FSM 5, irrespective of any error injection.
The PFM comparison unit 401 receives the expected behavior of the monitored processing stage 202 of the GW device 2 predicted by the FSM 5 (see
The voltage monitoring unit 402 may signal an alarm on its part to the safety monitoring unit 403 when detecting an improper voltage level supplied by the power management unit 105 (see
The safety checking unit 4 may further be configured to control, among other features, an error pin/output terminal 106. When an alarm is raised, the PFM device 1 may selectively generate a fault notification. In this connection, the PFM device 1 may further be configured to associate a respective generated fault notification with a configurable response. The response may comprise routing the generated fault notification to the error pin/output terminal 106 of the PFM device 1 so as to notify the host processing unit 3 via the error pin 106.
The response may further comprise forwarding the generated fault notification on a differential signaling (i.e., inverted dual) transmission line 206 connected to the output terminal 106 to ensure that no fault notification will be lost because of a fault on the transmission line.
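The inverted-dual transmission line 206 described above can be modelled in a few lines. The following Python is an added example, not the disclosure's own circuit or code: it encodes the fault notification on two complementary wires, decodes it on the host side, and checks exhaustively that no single stuck-at fault on either wire can turn a genuine notification into a clean "no fault" reading. The wire names and the stuck-at fault model are constructed for this example.

```python
"""Fault notification over an inverted-dual (differential) error line.

Added example (hypothetical model, not the disclosure's circuit): the error
pin 106 is driven as a pair of complementary wires (err, err_n) so that the
host can tell a genuine notification from a broken transmission line.
"""
from enum import Enum


class HostView(Enum):
    NO_FAULT = "no fault"
    FAULT_NOTIFIED = "fault notified by PFM"
    LINE_FAULT = "transmission line fault (wires not complementary)"


def drive_error_pin(fault_notification):
    """PFM side: encode the notification as (err, err_n); only 10 and 01 are valid."""
    level = 1 if fault_notification else 0
    return level, level ^ 1


def host_decode(err, err_n):
    """Host side: the two wires must always differ.  Equal levels mean a line
    fault, which the host treats as a fault (fail-safe) rather than as silence."""
    if err == err_n:
        return HostView.LINE_FAULT
    return HostView.FAULT_NOTIFIED if err == 1 else HostView.NO_FAULT


def single_ended_decode(err):
    """For contrast: a single wire cannot distinguish 'no fault' from a wire stuck at 0."""
    return HostView.FAULT_NOTIFIED if err == 1 else HostView.NO_FAULT


def stuck_at(wires, index, level):
    """Constructed fault model: wire `index` of the line is stuck at `level`."""
    w = list(wires)
    w[index] = level
    return tuple(w)


def no_single_stuck_at_masks_notification():
    """True if, for every single stuck-at fault on either wire, a genuine fault
    notification is never read by the host as a clean NO_FAULT."""
    for wire in (0, 1):
        for level in (0, 1):
            seen = host_decode(*stuck_at(drive_error_pin(True), wire, level))
            if seen == HostView.NO_FAULT:
                return False
    return True


if __name__ == "__main__":
    print("dual, err stuck at 0 :", host_decode(*stuck_at(drive_error_pin(True), 0, 0)))
    print("single-ended, stuck 0:", single_ended_decode(0))
    print("dual line masks nothing:", no_single_stuck_at_masks_notification())
```

The single-ended decoder shows the failure mode the dual line removes: a wire stuck at 0 reads as "no fault" and the notification is lost, whereas on the dual line the same fault produces two equal levels, which the host reports as a line fault.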
The FSM 5 implements a configurable diverse signal processing. In accordance with
The frame identification unit 501 is configured to receive the input 204 of the monitored processing stage 202, and to identify a respective frame type of the received frames.
The frame buffering unit 503 is configured to re-synchronize the frames.
In between, the path calculation unit 502 is configured to receive the input 204 of the monitored processing stage 202 as well, and to match processing commands of the input 204 of the monitored processing stage 202 (more precisely, specific codes of a control bus of the GW device 2) against a list of expected processing types 601 (see
For each one of the expected processing types 601, an expected processing/execution time 602 (for example, in clock cycles) and an expected processing time margin 603 (in %), if any, may be configured into a lookup table as shown in
In other words, respective time budgets are calculated for the expected processing. Thus, the expected behavior may comprise a temporal behavior of the monitored processing stage 202. The temporal behavior may depend on at least one of: the network topology and the configurable expected processing types 601 of the monitored processing stage 202, the configurable expected processing times 602 and margins 603 of the expected processing types, and actual processing types and actual frame types as given by the input 204 of the monitored processing stage 202.
Based on the calculated time needs of the various tasks handled by the GW device 2, a plurality of watchdog timers (not shown) of the safety monitoring unit 403 may be configured to reflect the expected execution/processing times 602. When a timer expires, an alarm may be raised.
Besides, the expected behavior may comprise a logical behavior of the monitored processing stage 202. The logical behavior may depend on an error control coding of the input 204 of the monitored processing stage 202. In particular, the FSM 5 may be configured to generate a cumulative cyclic redundancy check (CRC) checksum over the processing commands of the input 204 of the monitored processing stage 202.
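The temporal and logical monitoring just described (lookup table of expected processing types 601 with times 602 and margins 603, a time budget loaded into a watchdog timer, a cumulative CRC over the processing commands) and the error injection of an inverted input described earlier for the safety monitoring unit 403 can be exercised together in a small behavioural model. The following Python is an added example, not the disclosure's own code or RTL; the processing type codes, cycle counts, margins and the CRC-8 polynomial are constructed values, and the monitored stage is a stand-in that reports its consumed cycles and its own CRC as its output 205.

```python
"""Behavioural model of temporal and logical program flow monitoring.

Added example (hypothetical values, not the disclosure's own code): models
what FSM 5 and the comparison unit 401 do.  Processing commands on the
input 204 are matched against a lookup table of expected processing types,
a time budget for the watchdog timer is derived from the expected times and
margins, a cumulative CRC is accumulated over the commands, and both are
compared against the monitored stage's output 205.  Error injection inverts
the input used for prediction so that a working comparator must report a
mismatch.
"""
from dataclasses import dataclass

# Constructed lookup table (hypothetical): processing type code ->
# (expected processing time 602 in clock cycles, margin 603 in percent).
EXPECTED_PROCESSING = {
    0x01: (120, 10),   # e.g. layer-2 forward
    0x02: (300, 15),   # e.g. layer-3 route with header rewrite
    0x03: (80, 5),     # e.g. filter / drop
}

CRC8_POLY = 0x07  # constructed choice; GW stage and PFM must use the same one


def crc8_update(crc, byte):
    """One CRC-8 step, MSB first, non-reflected, no final XOR."""
    crc ^= byte & 0xFF
    for _ in range(8):
        crc = ((crc << 1) ^ CRC8_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def cumulative_crc(commands):
    """Cumulative CRC over a command sequence; sensitive to order and truncation."""
    crc = 0x00
    for code in commands:
        crc = crc8_update(crc, code)
    return crc


@dataclass
class Fault:
    kind: str     # "temporal" or "logical"
    detail: str


class ProgramFlowMonitor:
    """Software stand-in for FSM 5 plus the PFM comparison unit 401."""

    def __init__(self, table=EXPECTED_PROCESSING, inject_error=False):
        self.table = table
        self.inject_error = inject_error   # invert the input 204 before prediction

    def predict(self, commands):
        """Expected behaviour from the input: (time budget in cycles, expected CRC, faults).
        A command that matches no expected processing type is a logical fault."""
        faults, budget, predicted = [], 0, []
        for cmd in commands:
            code = (cmd ^ 0xFF) & 0xFF if self.inject_error else cmd
            if code not in self.table:
                faults.append(Fault("logical", f"0x{code:02x} is not an expected processing type"))
                continue
            cycles, margin_pct = self.table[code]
            budget += cycles + cycles * margin_pct // 100   # time budget including margin
            predicted.append(code)
        return budget, cumulative_crc(predicted), faults

    def check(self, commands, actual_cycles, actual_crc):
        """Compare expected with actual behaviour (output 205); return the faults found."""
        budget, expected_crc, faults = self.predict(commands)
        if actual_cycles > budget:          # watchdog timer loaded with the budget expired
            faults.append(Fault("temporal", f"{actual_cycles} cycles exceed budget of {budget}"))
        if actual_crc != expected_crc:      # sequence stopped early, reordered or altered
            faults.append(Fault("logical", f"CRC 0x{actual_crc:02x} != expected 0x{expected_crc:02x}"))
        return faults


def monitored_stage(executed, extra_cycles=0):
    """Constructed stand-in for the monitored processing stage 202: its output 205
    is (cycles consumed, cumulative CRC over the commands it actually ran)."""
    cycles = sum(EXPECTED_PROCESSING[code][0] for code in executed) + extra_cycles
    return cycles, cumulative_crc(executed)


def fault_kinds(monitor, commands, executed, extra_cycles=0):
    """Run one scenario: the stage receives `commands`, runs `executed`; return fault kinds."""
    cycles, crc = monitored_stage(executed, extra_cycles)
    return {f.kind for f in monitor.check(commands, cycles, crc)}


if __name__ == "__main__":
    pfm = ProgramFlowMonitor()
    seq = [0x01, 0x02, 0x03]
    print("nominal        :", fault_kinds(pfm, seq, seq))                    # set()
    print("stopped early  :", fault_kinds(pfm, seq, seq[:2]))                # {'logical'}
    print("order changed  :", fault_kinds(pfm, seq, [0x01, 0x03, 0x02]))     # {'logical'}
    print("budget exceeded:", fault_kinds(pfm, seq, seq, extra_cycles=100))  # {'temporal'}
    print("error injection:", fault_kinds(ProgramFlowMonitor(inject_error=True), seq, seq))
```

The scenarios map onto the failure modes named at the start of the description: a sequence stopped before it finishes and a changed execution order are caught by the CRC (logical monitoring) even when the elapsed time stays within budget, an overrun is caught by the watchdog budget (temporal monitoring), and with error injection enabled the inverted input must produce both kinds of fault, which is how the comparator itself is checked.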
While all these actions are being executed, flow health monitoring is performed in parallel in the FSM 5 to ensure that the FSM 5 itself does not run into any issue.
The PFM device 1 comprises a configurable functional state machine (FSM) 5 configured to model a behavior of a monitored processing stage 202 of the GW device 2.
The method 7 comprises a step of predicting 701 an expected behavior of the monitored processing stage 202 in dependence of an input 204 of the monitored processing stage 202 and the behavioral model.
The method 7 comprises a step of comparing 702 the expected behavior with an actual behavior of the monitored processing stage 202 based on an output 205 of the monitored processing stage 202.
The method 7 comprises a step of selectively generating 703 a fault notification in dependence of a result of the comparison.
The method 7 may be performed by the PFM device 1 of the first aspect or any of its implementations.
The technical effects and advantages described above in relation with the PFM device 1 equally apply to the method 7 having corresponding features.
A processor or processing circuitry of the PFM device 1 may comprise hardware and/or the processing circuitry may be controlled by software. The hardware may comprise analog circuitry or digital circuitry, or both analog and digital circuitry. The digital circuitry may comprise components such as application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), or multi-purpose processors.
The PFM device 1 may further comprise memory circuitry, which stores one or more instruction(s) that can be executed by the processor or by the processing circuitry, in particular under control of the software. For instance, the memory circuitry may comprise a non-transitory storage medium (not shown) storing a computer program (i.e., executable program code) which, when executed by the processor or the processing circuitry, causes the method 7 according to the second aspect or any of its embodiments to be performed.
The subject-matter defined below has been described in conjunction with various examples as well as implementations. However, other variations can be understood and effected by those persons skilled in the art and practicing the claimed subject-matter, from a study of the drawings, this disclosure and the independent claims. In the claims as well as in the description the word “comprising” does not exclude other elements or steps and the indefinite article “a” or “an” does not exclude a plurality. A single element or other unit may fulfill the functions of several entities or items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used in an advantageous implementation.
This application is a continuation of International Application No. PCT/EP2021/057268, filed on Mar. 22, 2021, the disclosure of which is hereby incorporated by reference in its entirety.
Relation | Number | Date | Country
---|---|---|---
Parent | PCT/EP2021/057268 | Mar 2021 | US
Child | 18472065 | | US