
Finding the right processor safety strategies for your system

Posted: 28 Nov 2011

Keywords: processor, safety, software complexity, deadlock monitoring, program sequence

The current generation of microcontrollers offers the safety-critical developer a wide variety of options when selecting products. The variety is perhaps most evident when evaluating the processor safety strategies available for achieving safety integrity. There is no single "best" solution in this area; the right choice depends on the system developer's ability to judge the strengths and weaknesses of each option.

Across current product offerings, safe-processing solutions fall into a few recurring architectures. Most available CPU safety solutions can be classified as single core, single core with hardware checking, dual-core lockstep, asymmetric dual core or symmetric dual core. These classifications are illustrated in the figure.

Watchdog-based solutions, though valuable for program sequence and deadlock monitoring, cannot provide significant diagnostic coverage of the processing itself and thus are not considered here.

To begin our comparison, we must establish a few classes of evaluation criteria: software complexity, silicon complexity, safety analysis complexity and available performance for functional software execution.

Software complexity measures the effort needed to integrate safety mechanisms into application software. Silicon complexity expresses the on-die hardware cost. Safety analysis complexity measures how difficult it is to demonstrate to an assessor that the mechanism detects the faults it claims to detect. Finally, available performance measures how much CPU performance remains for the application relative to a single CPU with no safety constraints implemented.

Figure: Visual representation of common CPU safety strategies.

Single-core CPU solutions are used across a wide range of products and are the baseline for analysis.

A single-core solution must rely on software-based diagnostics and measures such as multiple execution of safety-critical code in order to achieve safety integrity, resulting in high software complexity. Silicon complexity is low, as there is no silicon overhead dedicated to safety support. Safety analysis complexity is high, as it is challenging to prove that the implemented software can detect all relevant faults. This is particularly true for transient faults, which can temporarily change the state of a flip-flop or register but are cleared by subsequent software execution, so a periodic software test may run only after the evidence of the fault has vanished. Available performance is low because of the overhead of software-based diagnostics, which can easily consume more than 30 per cent of total CPU performance; redundant execution of safety-critical code reduces it further. Texas Instruments' Stellaris ARM Cortex-M microcontrollers implement a single-core CPU scheme.

Single-core solutions with hardware checking address many of the issues of the single-core solution by replacing the majority of software measures with continuously or periodically operating hardware checkers. Such a solution trades reduced software overhead for increased complexity of silicon. Safety analysis of this solution is challenging. A lack of common standards in design-for-safety means that the strategy of the hardware checker must be uniquely proved to each assessor. Available CPU performance is high, often with less than 5 per cent of the CPU overhead consumed for safety diagnostics. TI's Hercules TMS470M ARM Cortex-M3 microcontrollers are an example of a single-core solution with periodic CPU checking by hardware.

Dual-core lockstep is essentially a special case of a single-core solution with hardware checking. In a dual-core lockstep system, a partially or fully duplicated processor core takes the place of the CPU checking functionality. Software follows a low-complexity single-core programming model with little to no software overhead for safety diagnostics. Silicon complexity varies with the implementation, ranging from medium-complexity 1oo1D (single channel with diagnostic) schemes, where one core is always the master, to higher-complexity 1oo2 (dual-channel) schemes, where either core can act as master. The user should take care to understand the additional failure modes that the more complex schemes introduce. The lockstep concept is well known in industry and trusted by assessors, which reduces the safety analysis complexity for the system developer. The vast majority of CPU performance remains available for application use, often approaching 100 per cent.

Asymmetric dual-core solutions use two processors of different hardware architecture (heterogeneous multi-processing) to diagnose faults. Such solutions can achieve very high safety integrity, thanks to their ability to detect systematic issues in both CPU and software through diverse hardware and software implementations. The main and checker CPUs should be selected with similar performance: if the performance delta is too large, it may not be possible to execute diverse implementations of the target application on both, effectively reducing the design to two single-core systems. Software complexity is medium to high because of the need to generate software for two platforms.
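The two software-level ideas above, redundant execution of safety-critical code on a single core and the cross-check of diverse implementations that motivates the asymmetric dual-core design, can be made concrete in a few lines. The following C example is added here and is not part of the original article or of any TI product. The safety-relevant computation is a constructed stand-in: a CRC-8 (polynomial 0x07, no reflection, no final XOR) over a constructed sensor frame, the standard "123456789" check string whose CRC is 0xF4. The injected bit flip and the wrong-final-XOR defect are also constructed, to show which class of fault each comparison can and cannot catch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a safety-relevant computation: CRC-8 over a
 * sensor frame (polynomial 0x07, init 0x00, no reflection, no final XOR).
 * Two implementations are written in deliberately different styles so that
 * a comparison between them is a diverse check rather than a repeat. */

/* Implementation A: XOR the whole byte into the register, then shift 8 times. */
static uint8_t crc8_bitwise(const uint8_t *buf, size_t n)
{
    uint8_t crc = 0x00;
    for (size_t i = 0; i < n; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* Implementation B: feed one data bit at a time, MSB first. Mathematically
 * identical to A, but the control flow and data path are different. */
static uint8_t crc8_msb_first(const uint8_t *buf, size_t n)
{
    uint8_t crc = 0x00;
    for (size_t i = 0; i < n; i++) {
        for (int b = 7; b >= 0; b--) {
            uint8_t fb = (uint8_t)(((buf[i] >> b) & 1u) ^ ((crc >> 7) & 1u));
            crc = (uint8_t)(crc << 1);
            if (fb)
                crc ^= 0x07;
        }
    }
    return crc;
}

/* Constructed systematic defect: algorithm A with a final XOR of 0xFF, the
 * kind of parameter misreading that is reproduced identically on every run. */
static uint8_t crc8_wrong_xorout(const uint8_t *buf, size_t n)
{
    return (uint8_t)(crc8_bitwise(buf, n) ^ 0xFF);
}

typedef uint8_t (*crc8_fn)(const uint8_t *, size_t);

/* Temporal redundancy (single-core software measure): execute the same code
 * twice and compare. fault_mask simulates a transient upset of the first
 * stored result (0x00 = no fault). Returns true when both executions agree. */
static bool temporal_check(crc8_fn f, const uint8_t *buf, size_t n,
                           uint8_t fault_mask, uint8_t *out)
{
    uint8_t first = f(buf, n);
    first ^= fault_mask;            /* injected single-event upset on the stored copy */
    uint8_t second = f(buf, n);
    *out = second;
    return first == second;
}

/* Diverse redundancy (the asymmetric dual-core idea): execute two independent
 * implementations and compare. Returns true when they agree. */
static bool diverse_check(crc8_fn a, crc8_fn b, const uint8_t *buf, size_t n,
                          uint8_t *out)
{
    uint8_t ra = a(buf, n);
    uint8_t rb = b(buf, n);
    *out = ra;
    return ra == rb;
}

/* Constructed sensor frame: the standard CRC check string, CRC-8 = 0xF4. */
static const uint8_t kFrame[] = { '1', '2', '3', '4', '5', '6', '7', '8', '9' };
static const size_t kFrameLen = sizeof kFrame;

int main(void)
{
    uint8_t v;
    bool ok;
    ok = temporal_check(crc8_bitwise, kFrame, kFrameLen, 0x00, &v);
    printf("temporal, no fault:       %s (0x%02X)\n", ok ? "agree" : "MISMATCH", v);
    ok = temporal_check(crc8_bitwise, kFrame, kFrameLen, 0x10, &v);
    printf("temporal, bit 4 upset:    %s\n", ok ? "agree" : "MISMATCH, transient detected");
    ok = temporal_check(crc8_wrong_xorout, kFrame, kFrameLen, 0x00, &v);
    printf("temporal, systematic bug: %s\n", ok ? "agree, bug NOT detected" : "MISMATCH");
    ok = diverse_check(crc8_bitwise, crc8_msb_first, kFrame, kFrameLen, &v);
    printf("diverse A vs B:           %s\n", ok ? "agree" : "MISMATCH");
    ok = diverse_check(crc8_bitwise, crc8_wrong_xorout, kFrame, kFrameLen, &v);
    printf("diverse A vs defective:   %s\n", ok ? "agree" : "MISMATCH, systematic bug detected");
    return 0;
}
```

Running the same implementation twice exposes the injected transient but agrees with itself when the defect is systematic; the diverse pair disagrees as soon as one implementation carries the defect. Both checks share the weaknesses the article attributes to software-only measures: the comparison and the stored intermediate results are themselves unprotected, a transient that hits the same state in both runs goes unnoticed, and each check costs a second execution of the protected code.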
