
Codesign and Simulated Fault Injection of Safety-Critical Embedded Systems Using SystemC

Jon Perez, Mikel Azkarate-askasua, Antonio Perez

Embedded Systems Group

IKERLAN-IK4 Technology Research Centre

Mondragon, Spain

Motivation

Design of safety-critical embedded systems requires careful analysis of:

- Fault forecasting
- Fault prevention
- Fault removal
- Fault tolerance

IEC-61508 highly recommends fault injection techniques in all steps of the development process, to analyze the reaction of the system in a faulty environment and to validate the implemented Fault Tolerance Mechanisms (FTM).

Late discovery of a design pitfall might require an expensive redesign of the product!

Simulated Fault Injection (SFI) enables an early dependability assessment.

Could we have a design environment for the codesign and accelerated SFI?


EDCC, Valencia, April 2010

Outline

- Preliminaries
- SFI with SystemC
- Conclusion and future work

Preliminaries – SystemC

SystemC is a standardized system-level design language (IEEE-1666) that provides a codesign and simulation environment:

- Open-source C++ library
- Codesign: both hardware and software components can be described using a common language
- Provides multiple abstraction levels, from architectural level down to Register Transfer Level (RTL)

SystemC provides an event-driven simulation kernel that:

- Provides a simulation environment
- Has a global notion of time

Black, D. C. and J. Donovan (2004). SystemC: From the Ground Up. Eklectic Ally, Inc.

Preliminaries – Fault Injection

SWIFI (Software Implemented Fault Injection): the objective is to reproduce at software level the errors that would have been produced by faults occurring in the execution hardware or software.

HWIFI (Hardware Implemented Fault Injection): fault injection is performed on the final system or on an early hardware prototype.

SFI (Simulated Fault Injection): enables an early dependability assessment of the system, using a simulation model of the system under analysis.

The use of fault injection techniques in SystemC is still scarce, but SFI in HDL models is a well-examined area with three main methods for fault injection:

- Saboteurs: an additional fault injection module is inserted between modules
- Mutants: a component is modified / replaced by an extended component that provides faulty behavior
- Simulator commands: the values of variables and signals are modified manually / automatically using simulator commands

Preliminaries – ETCS odometry

ERTMS (European Railway Traffic Management System) is a European Union-backed initiative for the definition of a unique train signaling standard.

ETCS (European Train Control System) is the on-board automatic train protection system, a safety-critical embedded system that protects the train by supervising the traveled distance and speed, activating the emergency brake if the authorized values are exceeded.

It relies on the distance and speed measurements of the odometry system, which is based on a set of diverse sensors. For a maximum speed of 500 km/h, the error must be bounded to:

SFI with SystemC – Proposed approach

Modules:

- System model: the design under analysis
- Fault injection module: executes simulator commands with the progression of time by updating a table of variables
- Transactor module: converts fault injection variables into the custom variables, signals and ports required by the system model under analysis
- Checker module: the custom module that verifies the correct operation of the system

Three consecutive abstraction levels are proposed: behavioral, architectural and system implementation level.

SFI with SystemC – Fault Injection Commands

Command <window, idx, value>

- Window: time window
- Idx: variable index
- Value: given variable value

Window <id, offset, duration>

- Id: time reference identifier
- Offset..offset+duration: command time section
- Special value, forever: <id, offset, -1>
- Special value, default: <-1, -1, -1>
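The command and window encoding above, together with the fault-injection module of the proposed approach (table of variables updated as simulated time progresses), as an added example that is not the authors' code: a plain C++ sketch without a SystemC dependency. The mapping from time-reference id to an absolute simulation time, the variable meanings and the sample table are constructed for this example.

```cpp
#include <cstddef>
#include <map>
#include <vector>

// Window <id, offset, duration>: id selects a time reference; the command is
// active for offset..offset+duration relative to it. duration -1 means forever,
// and <-1, -1, -1> marks the default (fault-free) row of a variable.
struct Window { int id; long offset; long duration; };

// Command <window, idx, value>: set variable idx to value while window is active.
struct Command { Window win; int idx; double value; };

// Assumed mapping from time-reference id to an absolute simulation time
// (e.g. reference 0 = simulation start); the slides leave this open.
using TimeRefs = std::map<int, long>;

static bool isDefault(const Window& w) { return w.id < 0 && w.offset < 0 && w.duration < 0; }

// True if command c is active at simulation time t.
static bool isActive(const Command& c, long t, const TimeRefs& refs) {
    if (isDefault(c.win)) return false;
    auto ref = refs.find(c.win.id);
    if (ref == refs.end()) return false;
    long rel = t - ref->second;
    if (rel < c.win.offset) return false;
    return c.win.duration < 0 || rel < c.win.offset + c.win.duration;
}

// One step of the fault-injection module: default rows fill the variable table,
// then every active command overrides its variable (a transactor would map it onto signals/ports).
std::vector<double> injectStep(const std::vector<Command>& table, long t,
                               const TimeRefs& refs, std::size_t nvars) {
    std::vector<double> vars(nvars, 0.0);
    for (const Command& c : table)
        if (isDefault(c.win) && c.idx >= 0 && (std::size_t)c.idx < nvars)
            vars[c.idx] = c.value;
    for (const Command& c : table)
        if (isActive(c, t, refs) && c.idx >= 0 && (std::size_t)c.idx < nvars)
            vars[c.idx] = c.value;
    return vars;
}

// Constructed sample table: variable 0 = speed set-point (km/h), variable 1 =
// wheel-diameter error (mm). A 5 mm wheel-diameter fault is injected 100 time
// units after reference 0 for 50 units; from 300 units on, the set-point is stuck at 0 forever.
const std::vector<Command> kTable = {
    {{-1, -1, -1}, 0, 120.0}, {{-1, -1, -1}, 1, 0.0},
    {{0, 100, 50}, 1, 5.0},   {{0, 300, -1}, 0, 0.0},
};
const TimeRefs kRefs = {{0, 0L}};
```

A checker module would compare the system model's output under `injectStep(kTable, t, kRefs, 2)` with the fault-free output obtained from the default rows alone.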


SFI with SystemC – Behavioral level

- Combination of diverse sensors: which type and how many
- Analysis of sensor-fusion algorithms
- Analysis of sensor fault-error-failure

Injected faults (FMEA):

- Relative angles
- Adhesion factor
- Wheel diameter
- Etc.

SFI with SystemC – Architectural level

TMR, Triple Modular Redundancy:

- Each node implements the sensor-fusion algorithm
- Distribution of sensors in nodes
- Distribution of information (interfaces)
- Fail-silent node
- Voting algorithm
- Etc.

Injected faults (FMEA):

- Communication channel failure
- Node failure
- Node sends incorrect value
- Etc.

SFI with SystemC – System implementation level

- Hardware / Software partition
- More detailed interface design

Custom design refinement level:

- Sensor model
- Hardware
- Microprocessor
- Etc.

Injected faults (FMEA):

- Statistical bit-flips
- Statistical signal glitches
- Etc.

SFI with SystemC – Command Table

[Figure: command table showing the default values and the fault-injection variables, e.g. speed set-point and distance]

SFI with SystemC – Experimental result


Conclusion and Future Work

Summary

The use of SystemC for codesign and SFI provides multiple advantages:

- The system is codesigned using a single standard modeling language
- Simulations include SFI
- Eases design space exploration and FMEA analysis
- Multiple abstraction-refinement levels are supported
- Helps reduce the risk of late pitfall discovery
- Meets the IEC-61508 recommendation of using fault injection techniques in all steps of the development process
- Complementary to SWIFI and HWIFI

Future work

- Maintenance-oriented fault injection, to ensure that spurious malfunctions of interest (e.g. transient faults) are detected and registered.


Thank you!
