
ABV in the avionics context: verification of safety requirements. Pierre MOREAU, Hardware Methodology & Certification, Airbus Operations S.A.S.; Ludovic LETELLIER, Hardware Methodology, on behalf of Alyotech; Laurence PIERRE, TIMA, Université de Grenoble.


Presentation Transcript


  1. ABV in the avionics context: verification of safety requirements. Pierre MOREAU, Hardware Methodology & Certification, Airbus Operations S.A.S.; Ludovic LETELLIER, Hardware Methodology, on behalf of Alyotech; Laurence PIERRE, TIMA, Université de Grenoble

  2. Plan
  • Overview & Safety Requirements
  • PSL formalization & ISIS Monitors
  • Safety Monitors Integration
  • Conclusion
  Workshop - November 2011

  3. Plan
  • Overview & Safety Requirements
  • PSL Standard & ISIS Tools
  • Safety Monitors Integration
  • Conclusion

  4. Socket Design Flow (diagram). System requirements and system properties feed the global SoC specification; the SoC architecture (IP-Xact SoC description, HW properties, SW properties) goes through platform assembly, header generation and HLS, with requirement traceability, metrics and traffic generators. The software (C/C++/ASM) is validated at successive abstraction levels: TLM LT (software functionality, instruction set simulator; functional validation), TLM AT (functionality + timing; SW performance validation), RTL (co-simulation/co-emulation) and silicon (device execution).

  5. Socket Design Flow (same diagram as slide 4).

  6. Safety Requirements and Virtual Platform (diagram). The specification yields requirements (Req), each carried as an SDF and a PSL property; ISIS turns them into checks on the hardware virtual platform (TLM SystemC model), so that each requirement is checked against the SystemC model.

  7. Safety requirements: Goals (platform diagram: Timed DMAs, Proc., AHB bus with masters (MS) and slaves (S), DSP, data memory, code memory, analog/digital inputs and outputs ANI/ANO/DSI/DSO, DSAIR chain; F3 - DSP function block with CoefMem, RAM config, RAM local, ANI/ANO engines and DSI/DSO engine)
  • Identify and experiment with methods and tools in order to check whether the platform design respects the functional safety requirements
  • Example: CoeffMem
  • CoefMem memory => data needed to process analog inputs (ANI)
  • These data are digital filter coefficients and analog input calibration coefficients
  • Data are loaded from flash memory at reset
  • Safety: data integrity checking needed (SEU)

  8. Safety requirements: CoeffMem
  • R1 (E_HRD_TS_IP_1441-New): CoefMem memory must be protected by a checksum monitoring. #EndText #Allocate HW
  • R2 (E_HRD_TS_IP_1442-New): CoefMem memory monitoring shall be implemented in cycle (cycle period less than 100 ms). #EndText #Allocate HW #Allocate SW
  • R3 (E_HRD_TS_IP_1443-New): When an error is detected on the content of CoefMem memory by checksum monitoring, the SoC shall be turned to the SoC_FAULT state. #EndText #Allocate SW

  9. Plan
  • Overview & Safety Requirements
  • PSL Standard & ISIS Tools
  • Safety Monitors Integration
  • Conclusion

  10. PSL formalization
  • Illustration on the third requirement. R3: When a checksum error is detected, the DSP function must be deactivated (within LIMIT ms)
  • Disambiguation
  • "Checksum error is detected"? Bit number 1 of the STATUS register of the DSP unit equals '1'
  • "DSP function is deactivated"? A '0' is written in bit number 0 of the COMMAND register of the DSP unit

  11. PSL "Modeling layer"
  • The bit number 1 of the STATUS register equals '1'
  • A '0' is written in bit number 0 of the COMMAND register

      // error: a read of the STATUS register has completed (b_transport END)
      // and bit 1 of the returned data is set
      if (dsptarget.b_transport_END() && (dsptarget.b_transport.p1.is_read()) &&
          (dsptarget.b_transport.p1.get_address() == address_STATUS) &&
          (*(unsigned int *)(dsptarget.b_transport.p1.get_data_ptr()) & 0x2))
        error = true;
      else
        error = false;

      // deactivation: a write to the COMMAND register is issued (b_transport CALL)
      // with bit 0 of the written data cleared
      if (dsptarget.b_transport_CALL() && (dsptarget.b_transport.p1.is_write()) &&
          (dsptarget.b_transport.p1.get_address() == address_COMMAND) &&
          !(*(unsigned int *)(dsptarget.b_transport.p1.get_data_ptr()) & 0x1))
        deactivation = true;
      else
        deactivation = false;

  12. PSL assertion
  • Every time error occurs, the next access to the DSP must be a deactivation, and less than LIMIT ms must have elapsed

      always(error => next_event!(dsptarget.b_transport_CALL())
                          (deactivation && ((sc_time_stamp() - time) <= limit)))

  (time is updated on each error)

  13. Complete assertion for ISIS

      bool deactivation = false, error = false;
      sc_time limit(LIMIT, SC_MS);     // maximum delay allowed between error and deactivation
      sc_time time(0, SC_MS);          // time stamp of the latest error

      // error: a read of STATUS completed with bit 1 set
      if (dsptarget.b_transport_END() && (dsptarget.b_transport.p1.is_read()) &&
          (dsptarget.b_transport.p1.get_address() == address_STATUS) &&
          (*(unsigned int *)(dsptarget.b_transport.p1.get_data_ptr()) & 0x2))
        error = true;
      else
        error = false;

      // deactivation: a write to COMMAND issued with bit 0 cleared
      if (dsptarget.b_transport_CALL() && (dsptarget.b_transport.p1.is_write()) &&
          (dsptarget.b_transport.p1.get_address() == address_COMMAND) &&
          !(*(unsigned int *)(dsptarget.b_transport.p1.get_data_ptr()) & 0x1))
        deactivation = true;
      else
        deactivation = false;

      if (error) time = sc_time_stamp();   // restart the LIMIT window on each error

      assert always(error => next_event!(dsptarget.b_transport_CALL())
                                 (deactivation && ((sc_time_stamp() - time) <= limit)));
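To make the semantics of the R3 assertion concrete without a SystemC installation, here is an added stand-alone C++ checker (example code written for this page; it is neither the slides' code nor part of ISIS). It replays a constructed trace of b_transport observations (each access seen once at CALL and once at END) through the two modeling-layer predicates of slide 11 and the `always(error => next_event!(CALL)(deactivation && elapsed <= limit))` obligation of slide 13, including the strong-operator case where an error is never followed by any DSP call. The register addresses, the value LIMIT = 100 ms and the trace contents are assumptions, not values from the presentation.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for the transaction observation ISIS provides on the
// SystemC/TLM platform: each b_transport is observed when issued (CALL) and
// when it completes (END).
enum class Phase { CALL, END };

struct Txn {
    Phase    phase;
    bool     is_write;   // p1.is_write() / p1.is_read()
    uint32_t address;    // p1.get_address()
    uint32_t data;       // *(unsigned int *)p1.get_data_ptr()
    double   time_ms;    // sc_time_stamp(), in milliseconds
};

// Assumed register map of the DSP unit and assumed LIMIT (not from the slides).
constexpr uint32_t address_STATUS  = 0x10;
constexpr uint32_t address_COMMAND = 0x14;
constexpr double   LIMIT_MS        = 100.0;

// Modeling layer (slide 11): error = completed read of STATUS with bit 1 set.
bool is_error(const Txn& t) {
    return t.phase == Phase::END && !t.is_write &&
           t.address == address_STATUS && (t.data & 0x2u) != 0;
}
// deactivation = issued write to COMMAND with bit 0 cleared.
bool is_deactivation(const Txn& t) {
    return t.phase == Phase::CALL && t.is_write &&
           t.address == address_COMMAND && (t.data & 0x1u) == 0;
}

// Checker for always(error => next_event!(CALL)(deactivation && elapsed <= limit)).
struct R3Monitor {
    bool pending = false;        // an error is waiting for the next DSP call
    double error_time = 0.0;     // 'time' of slide 12, refreshed on each error
    std::vector<std::string> failures;

    void observe(const Txn& t) {
        // next_event!(b_transport_CALL()): the obligation is judged at the first
        // CALL after the error, whatever that call turns out to be.
        if (pending && t.phase == Phase::CALL) {
            double elapsed = t.time_ms - error_time;
            if (!is_deactivation(t))
                failures.push_back("call at " + std::to_string(t.time_ms) +
                                   " ms after an error is not a deactivation");
            else if (elapsed > LIMIT_MS)
                failures.push_back("deactivation came " + std::to_string(elapsed) +
                                   " ms after the error, over LIMIT");
            pending = false;
        }
        if (is_error(t)) {       // if (error) time = sc_time_stamp();
            pending = true;
            error_time = t.time_ms;
        }
    }

    // The '!' of next_event! is the strong form: an error never followed by any
    // DSP call is a violation at end of simulation, not a vacuous pass.
    void end_of_simulation() {
        if (pending) {
            failures.push_back("error at " + std::to_string(error_time) +
                               " ms never followed by a DSP call");
            pending = false;
        }
    }
};

// Replay a trace and return the number of R3 violations found.
int count_violations(const std::vector<Txn>& trace) {
    R3Monitor m;
    for (const Txn& t : trace) m.observe(t);
    m.end_of_simulation();
    for (const std::string& f : m.failures) std::printf("R3 violated: %s\n", f.c_str());
    return static_cast<int>(m.failures.size());
}

// Constructed traces (not recorded from the platform).
// Compliant: error seen at 50 ms, COMMAND bit 0 cleared 30 ms later.
std::vector<Txn> compliant_trace() {
    return {
        {Phase::CALL, true,  address_COMMAND, 0x1, 10.0},   // software activates the DSP
        {Phase::END,  true,  address_COMMAND, 0x1, 10.0},
        {Phase::CALL, false, address_STATUS,  0x0, 50.0},   // software polls STATUS
        {Phase::END,  false, address_STATUS,  0x2, 50.0},   // bit 1 set: checksum error
        {Phase::CALL, true,  address_COMMAND, 0x0, 80.0},   // deactivation, 30 ms later
        {Phase::END,  true,  address_COMMAND, 0x0, 80.0},
    };
}
// Violating: an error answered by a write that keeps bit 0 set, one answered
// too late, and a last one never answered at all (three violations).
std::vector<Txn> violating_trace() {
    return {
        {Phase::CALL, false, address_STATUS,  0x0, 200.0},
        {Phase::END,  false, address_STATUS,  0x2, 200.0},  // error
        {Phase::CALL, true,  address_COMMAND, 0x3, 230.0},  // not a deactivation
        {Phase::END,  true,  address_COMMAND, 0x3, 230.0},
        {Phase::CALL, false, address_STATUS,  0x0, 400.0},
        {Phase::END,  false, address_STATUS,  0x2, 400.0},  // error
        {Phase::CALL, true,  address_COMMAND, 0x0, 520.0},  // deactivation, 120 ms late
        {Phase::END,  true,  address_COMMAND, 0x0, 520.0},
        {Phase::CALL, false, address_STATUS,  0x0, 600.0},
        {Phase::END,  false, address_STATUS,  0x2, 600.0},  // error, no further call
    };
}

int main() {
    std::printf("compliant trace: %d violation(s)\n", count_violations(compliant_trace()));
    std::printf("violating trace: %d violation(s)\n", count_violations(violating_trace()));
    return 0;
}
```

The checker keeps the slide's order of evaluation: the deactivation test is applied at the CALL that discharges a pending error, and the error test then refreshes the time stamp, so a second error before any DSP call restarts the LIMIT window exactly as the `if (error) time = sc_time_stamp();` line does in the ISIS version.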

  14. ISIS monitors (diagram). Inputs: the requirements R1, R2, R3 written as PSL assertions, plus XML configuration files. From these, ISIS generates the monitors and the observation mechanism and instruments them into the SystemC platform (whose sc_main instantiates a generic_noc, the memories memory_inst_0 and memory_inst_1, eu_pool_inst_0, eu_inst_0 and os_config_inst_0); the instrumented platform is then simulated.

  15. ISIS observation mechanism (platform diagram: Timed DMAs, Proc., AHB with masters and slaves, DSP, data and code memories, ANI/ANO/DSI/DSO) with the observation points placed on the platform.

  16. Plan
  • Overview & Safety Requirements
  • PSL Standard & ISIS Tools
  • Safety Monitors Integration
  • Conclusion

  17. Experiment 1 (HW error) (platform diagram as on slide 15)
  • HW checksum computation period > 50 ms

  18. Experiment 1 (HW error)
  • Monitors/checkers statistics (end of log)
  • Performance: 3 monitors = +1.2 % CPU time (verbose mini)

  19. Experiment 2 (SW error) (platform diagram as on slide 15)
  • SW checksum error monitoring period > 100 ms

  20. Experiment 2 (SW error)
  • Monitors/checkers statistics (end of log)
  • Performance: 3 monitors = +1.5 % CPU time (verbose mini)

  21. Experiment 3 (SW error + GDB) (platform diagram as on slide 15; the platform logs are examined together with GDB)

  22. Experiment 3 (SW error + GDB) (screenshot slide)

  23. Plan
  • Overview & Safety Requirements
  • PSL Standard & ISIS Tools
  • Safety Monitors Integration
  • Conclusion

  24. Experimental results
  • Advantages:
  • Use of the IEEE PSL standard
  • Useful to monitor/debug system-level properties
  • Easy platform integration
  • Explicit log messages
  • Light CPU time overhead, but it needs to be measured with more than 3 monitors to be representative
  • Safety verification improvement (e.g. fault injection)
  • Improvements:
  • Automation of the ISIS integration into the assembling flow (IP-Xact format)
  • Enable/disable monitors at execution time
  • No need to recompile the platform to change the verbose level

  25. Any questions?
