Codesign and Simulated Fault Injection of Safety-Critical Embedded Systems Using SystemC
Jon Perez, Mikel Azkarate-askasua, Antonio Perez
Embedded Systems Group, IKERLAN-IK4 Technology Research Centre, Mondragon, Spain
Motivation
• Design of safety-critical embedded systems requires careful analysis of:
  • Fault forecasting
  • Fault prevention
  • Fault removal
  • Fault tolerance
• IEC-61508 highly recommends fault injection techniques in all steps of the development process, to analyze the reaction of the system in a faulty environment and to validate the implemented Fault Tolerance Mechanisms (FTM)
• Late discovery of a design pitfall might require an expensive redesign of the product!
• Simulated Fault Injection (SFI) enables an early dependability assessment
• Could we have a design environment for codesign and accelerated SFI?
Outline
• Preliminaries
• SFI with SystemC
• Conclusion and future work
Preliminaries – SystemC
• SystemC is a standardized system-level design language, IEEE-1666, that provides a codesign and simulation environment:
  • Open source C++ library
  • Codesign: both hardware and software components can be described using a common language
  • Provides multiple abstraction levels, from architectural level down to Register Transfer Level (RTL)
• SystemC provides an event-driven simulation kernel that:
  • Provides a simulation environment
  • Has a global notion of time
Black, D. C. and J. Donovan (2004). SystemC: From the Ground Up, Eklectic Ally, Inc.
Preliminaries – Fault Injection
• SWIFI (Software Implemented Fault Injection): the objective is to reproduce, at the software level, the errors that faults in the execution hardware or software would have produced.
• HWIFI (Hardware Implemented Fault Injection): fault injection is performed on the final system or on early prototype hardware.
• SFI (Simulated Fault Injection) enables an early dependability assessment of the system, using a simulation model of the system under analysis.
• The use of fault injection techniques in SystemC is still scarce, but SFI in HDL models is a well-examined area with three main methods for fault injection:
  • Saboteurs: an additional fault injection module is inserted between modules
  • Mutants: a component is modified or replaced by an extended component that provides faulty behavior
  • Simulator commands: the values of variables and signals are modified manually or automatically using simulator commands
Preliminaries – ETCS odometry
• ERTMS (European Railway Traffic Management System) is a European Union-backed initiative for the definition of a single train signaling standard.
• ETCS (European Train Control System) is the on-board automatic train protection system, a safety-critical embedded system that protects the train by supervising the traveled distance and speed and activating the emergency brake if authorized values are exceeded.
• It relies on the distance and speed measurements of the odometry system, which is based on a set of diverse sensors. For a maximum speed of 500 km/h the error must be bounded to:
SFI with SystemC – Proposed approach
• Modules:
  • System model: the design under analysis
  • Fault injection module: executes simulator commands with the progression of time by updating a table of variables
  • Transactor module: converts fault injection variables into the custom variables, signals and ports required by the system model under analysis
  • Checker module: the custom module that verifies the correct operation of the system
• Three consecutive abstraction levels are proposed: behavioral, architectural and system implementation level.
SFI with SystemC – Fault Injection Commands
• Command <window, idx, value>
  • window: time window
  • idx: variable index
  • value: value given to the variable
• Window <id, offset, duration>
  • id: time reference identifier
  • offset .. offset+duration: command time section
  • Special value, forever: <id, offset, -1>
  • Special value, default: <-1, -1, -1>
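The command and window tuples above, as an added example that is not code from the slides or from the authors' tool: a plain C++ model of the fault-injection command table (no SystemC dependency; simulation time is an integer tick, and all struct, function and variable-index names are assumptions). It resolves, for a given tick, which value each variable holds, honouring the "forever" and "default" special values.

```cpp
// Added example (not from the slides, no SystemC dependency): a plain C++ model
// of the fault-injection command table. Simulation time is an integer tick and
// all struct/function names are assumptions made for this illustration.
#include <cstdint>
#include <map>
#include <vector>

// Window <id, offset, duration>; duration -1 is the "forever" special value.
struct Window { int id; int64_t offset; int64_t duration; };
// Command <window, idx, value>; window -1 marks the default value of variable idx.
struct Command { int window; int idx; double value; };

struct FaultInjector {
    std::vector<Window> windows;
    std::vector<Command> commands;

    // A window covers tick t if offset <= t < offset + duration
    // (or simply t >= offset when the window lasts forever).
    static bool covers(const Window& w, int64_t t) {
        if (t < w.offset) return false;
        return w.duration < 0 || t < w.offset + w.duration;
    }

    // Resolve the variable table at tick t: defaults first, then every command
    // whose window covers t overwrites the corresponding variable.
    std::map<int, double> resolve(int64_t t) const {
        std::map<int, double> table;
        for (const Command& c : commands)
            if (c.window == -1) table[c.idx] = c.value;
        for (const Command& c : commands) {
            if (c.window == -1) continue;
            for (const Window& w : windows)
                if (w.id == c.window && covers(w, t)) table[c.idx] = c.value;
        }
        return table;
    }
};

// Constructed scenario: idx 0 = speed set-point (km/h), idx 1 = adhesion factor,
// idx 2 = wheel-diameter error. Two faults are injected: low adhesion (slip) for
// 50 ticks from tick 100, and a permanent wheel-diameter drift from tick 200 on.
FaultInjector exampleScenario() {
    FaultInjector fi;
    fi.windows  = { {1, 100, 50}, {2, 200, -1} };
    fi.commands = { {-1, 0, 120.0}, {-1, 1, 1.0}, {-1, 2, 0.0},
                    { 1, 1, 0.3}, { 2, 2, 0.01} };
    return fi;
}
```

A transactor in the proposed approach would read the resolved table each tick and drive the model's own signals and ports from it.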
SFI with SystemC – Behavioral level
• Combination of diverse sensors: which types and how many
• Analysis of sensor-fusion algorithms
• Analysis of the sensor fault-error-failure chain
• Injected faults (FMEA):
  • Relative angles
  • Adhesion factor
  • Wheel diameter
  • Etc.
SFI with SystemC – Architectural level
• TMR, Triple Modular Redundancy
  • Each node implements the sensor-fusion algorithm
  • Distribution of sensors among nodes
  • Distribution of information (interfaces)
  • Fail-silent node
  • Voting algorithm
  • Etc.
• Injected faults (FMEA):
  • Communication channel failure
  • Node failure
  • Node sends incorrect value
  • Etc.
SFI with SystemC – System implementation level
• Hardware / software partition
• More detailed interface design
• Custom design refinement level:
  • Sensor model
  • Hardware
  • Microprocessor
  • Etc.
• Injected faults (FMEA):
  • Statistical bit-flips
  • Statistical signal glitches
  • Etc.
SFI with SystemC – Command Table
[Figure: command table screenshot; labelled regions are Default values, Speed set-point, Fault-injection variables and Distance]
Conclusion and Future Work
• Summary
  • The use of SystemC for codesign and SFI provides multiple advantages:
    • The system is codesigned using a single standard modeling language
    • Simulations include SFI
    • Eases design space exploration and FMEA analysis
    • Multiple abstraction-refinement levels are supported
    • Helps reduce the risk of late pitfall discovery
    • Meets the IEC-61508 recommendation to use fault injection techniques in all steps of the development process
    • Complementary with SWIFI and HWIFI
• Future work
  • Maintenance-oriented fault injection, to ensure that spurious malfunctions of interest (e.g. transient faults) are detected and registered.