Technical document

Rambus RT-640 road to ISO 26262 certification

Rambus RT-640 proposes a hardware root of trust compliant with the automotive functional safety standard ISO 26262.

Functional safety evaluations were performed using two Siemens tools from the Austemper toolset, SafetyScope and KaleidoScope.

Modern vehicles integrate an increasing number of ICs, which are themselves growing more complex as technology advances. In applications like this, where a failure could lead to life-threatening situations, reliable and secure ICs are crucial. Rambus RT-640 proposes a hardware root of trust compliant with the automotive functional safety standard ISO 26262, which offers protection against a wide range of failures, including permanent, transient and latent faults, in addition to hardware and software attacks, using state-of-the-art anti-tamper security techniques. In this paper we describe the functional safety evaluation of RT-640 to achieve the ASIL-B certification level.

We present the methodology implemented to successfully evaluate this full-scale industrial SoC, with almost three million faults, achieving a total SPFM of 91.9% and a total LFM of 75%, well within the requirements for the ASIL-B level.

ISO 26262 and RT-640's features

The modern automobile industry is unmistakably moving towards fully electric and autonomous vehicles. These contain a great number of electronic control units (ECUs), which will only increase as technology advances. While this transformation brings many advantages, it also brings new concerns in both safety and security. Failures in the ECUs of an autonomous car can be life-threatening. Moreover, smart cars open a wide range of new vulnerabilities susceptible to cyberattacks. Thus, it is imperative to design hardware that is reliable and secure. The standard ISO 26262 defines procedures and requirements to ensure the reliability of systems at different automotive safety integrity levels (ASIL). The standard defines several metrics to prove the reliability of a system, including the single-point fault metric (SPFM) and the latent fault metric (LFM).

Achieving the minimal requirements for certification is a highly challenging task. Multiple works have been published on how to conduct a safety evaluation in accordance with ISO 26262. The work of Grosse et al. proposes formal verification methods for safety evaluations. The downside of these methods is that they are limited by circuit size due to the state explosion problem, making it impossible to obtain results for all faults. Another technique is fault simulation, which provides comprehensive and concrete results. The drawback of this method is that it relies on high-toggling input stimuli and requires substantial computation resources. Nevertheless, it is the method preferred by ISO 26262. The work of da Silva et al. uses both methods in combination with automatic test pattern generation (ATPG) techniques to achieve very high coverage. While they achieve very high coverage in their analyses, the designs used were of average complexity. To the best of our knowledge, there are no public results of functional safety evaluation efforts on an industry-scale design.

We performed this evaluation via fault simulation, in accordance with the recommendations of ISO 26262. As is clear from the literature, completing this certification process is highly challenging, and even more so for a design of such magnitude. In this manuscript, we describe the key parameters of the fault campaign used to optimize execution time, and the techniques employed beyond fault injection simulation to minimize the number of unclassified faults. We achieve an average SPFM of 91.9% and an estimated LFM of 75%, meeting the ASIL-B target.
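The two metrics named above (SPFM and LFM) and the role of unclassified faults can be made concrete with a small script. This is an added example, not code from the paper or from the Siemens tools; it takes the per-fault verdicts a fault campaign produces, folds the unclassified faults into a class chosen by the caller, and applies the ISO 26262-5 metric formulas and ASIL targets. The label names, the equal failure-rate weighting per fault, and the sample campaign counts (constructed so that they land on the 91.9% / 75% figures from the text) are assumptions of the example.

```python
"""SPFM and LFM from a fault-simulation campaign, with ISO 26262-5 target checks."""
from collections import Counter

# Per-fault verdicts as a fault simulator might report them (assumed label names):
#   "safe"         - no effect on any safety-relevant output
#   "detected"     - affects a safety-relevant output, but a safety mechanism flagged it
#   "residual"     - affects a safety-relevant output and nothing flagged it
#                    (single-point / residual fault)
#   "latent"       - not flagged and harmless on its own; dangerous only together
#                    with a second, independent fault
#   "unclassified" - the campaign reached no verdict (e.g. not exercised by the stimuli)
ISO_CLASSES = {"safe", "detected", "residual", "latent", "unclassified"}

# Minimum targets from ISO 26262-5 (SPFM, LFM). ASIL A sets no target.
ASIL_TARGETS = {"B": (0.90, 0.60), "C": (0.97, 0.80), "D": (0.99, 0.90)}


def hardware_metrics(counts, unclassified_as="residual"):
    """Return (spfm, lfm) for a campaign summarised as a Counter of verdict labels.

    Every fault carries the same weight (an assumption; ISO 26262 weights each
    fault by its failure rate lambda). Unclassified faults are folded into the
    class named by `unclassified_as`; the conservative default counts them as
    residual, which is exactly why shrinking that bucket raises the SPFM.
    """
    unknown = set(counts) - ISO_CLASSES
    if unknown:
        raise ValueError(f"unknown fault labels: {sorted(unknown)}")
    c = Counter(counts)
    c[unclassified_as] += c.pop("unclassified", 0)
    total = sum(c.values())
    if total == 0:
        raise ValueError("empty campaign")
    # SPFM = 1 - (single-point + residual faults) / all faults
    spfm = 1.0 - c["residual"] / total
    # LFM = 1 - latent faults / (all faults - single-point - residual faults)
    not_single_point = total - c["residual"]
    lfm = 1.0 - c["latent"] / not_single_point if not_single_point else 0.0
    return spfm, lfm


def meets_asil(spfm, lfm, asil):
    """True when both metrics reach the ISO 26262-5 minimum for the given ASIL."""
    spfm_min, lfm_min = ASIL_TARGETS[asil]
    return spfm >= spfm_min and lfm >= lfm_min


# Constructed campaign summary (not the paper's data), sized so that the
# conservative treatment of the 24 unclassified faults gives SPFM 91.9 %, LFM 75 %.
SAMPLE_CAMPAIGN = Counter(
    detected=2500, safe=257, residual=300, latent=919, unclassified=24
)

if __name__ == "__main__":
    spfm, lfm = hardware_metrics(SAMPLE_CAMPAIGN)
    print(f"SPFM = {spfm:.1%}, LFM = {lfm:.1%}")
    for asil in ASIL_TARGETS:
        print(f"ASIL {asil}: {'pass' if meets_asil(spfm, lfm, asil) else 'fail'}")
    # The upside of classifying the remaining faults by other means: if all 24
    # unclassified faults were shown to be safe, the metrics would move to
    spfm_opt, lfm_opt = hardware_metrics(SAMPLE_CAMPAIGN, unclassified_as="safe")
    print(f"if unclassified proved safe: SPFM = {spfm_opt:.1%}, LFM = {lfm_opt:.1%}")
```

Running the script with the constructed summary prints SPFM 91.9% and LFM 75.0%, a pass for ASIL B and a fail for ASIL C and D, and shows that each unclassified fault proven safe instead of being counted as residual moves the SPFM up; this is the lever the techniques beyond fault injection simulation act on.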

First, we introduce the evaluation tools and RT-640's features. Then, we describe the key metrics and techniques employed to accelerate fault campaigns. Subsequently, we present the methods used to reduce unclassified faults and the results.
