Workshop - November 2011 - Toulouse
Plan
  Overview & Safety Requirements
  PSL formalization & ISIS Monitors
  Safety Monitors Integration
  Conclusion
Overview & Safety Requirements
Socket Design Flow (18/11/2011)
[Figure: Socket Design Flow, with requirement traceability across the stages. Stages shown, in the order they appear: System requirements, Global SoC spec., SoC Architecture, Platform assembly, Software (C/C++/ASM, header generation), Functional validation (functionality), SW performance validation (functionality + timing, Instruction Set Simulator), Co-simulation/Co-emulation, Device execution. Metrics are shown next to the SW performance validation and co-simulation/co-emulation stages.]
Safety Requirements and Virtual Platform (18/11/2011)
[Figure: from the Specification, requirements (Req) and the Socket Design Flow (SDF) are expressed as PSL properties; ISIS combines them with the TLM SystemC model to obtain an instrumented Hardware Virtual Platform in which the requirements are checked against the SDF ("Check Req SDF"). The platform diagram shows: Timed DMAs, Proc., DSP, Mem. DATA, Mem. CODE, ANI, ANO, DSI, DSO, MS and S ports, connected over AHB.]
Safety requirements: goals
Identify and experiment with methods and tools in order to check whether the platform design respects the functional safety requirements.
Example: CoefMem
F3 - DSP function
[Figure: DSP function block diagram: Flip-Flop, Mem, ANI engine, ANO engine, DSIO engine, CoefMem, DSAIR chain, RAM config ANI, RAM local, two AHBS ports; data paths Di/Ai/Do; ANO and DSI/DSO interfaces.]
CoefMem memory holds the data needed to process the analog inputs (ANI): digital filter coefficients and analog input calibration coefficients. The data are loaded from flash memory at reset.
Safety: data integrity checking is needed (SEU).
Safety requirements: CoefMem
R1 (E_HRD_TS_IP_1441-New): CoefMem memory must be protected by a checksum monitoring. Allocated to: HW.
R2 (E_HRD_TS_IP_1442-New): CoefMem memory monitoring shall be implemented in cycle (cycle period less than 100 ms). Allocated to: HW, SW.
R3 (E_HRD_TS_IP_1443-New): When an error is detected on the content of CoefMem memory by checksum monitoring, the SoC shall be turned into SoC_FAULT state. Allocated to: SW.
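An added worked model, not from the slides or from the ISIS project, of the behaviour R1 to R3 require: a CoefMem image protected by a checksum, a cyclic check whose period stays below the 100 ms bound, and the transition to SoC_FAULT when a check fails. The checksum algorithm (word-wise additive), the 50 ms check period, the coefficient values, the 1 ms time base and the use of STATUS bit 1 / COMMAND bit 0 to expose the fault are assumptions of this example.

```cpp
// Added example (not from the slides, not ISIS code): plain C++ model of the
// CoefMem protection asked for by R1-R3. Checksum algorithm, check period,
// memory contents, register bits and time base are assumptions.
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

namespace coefmem_model {

enum class SocState { Run, SoC_FAULT };

// R2 requires a cycle period below 100 ms; 50 ms is an assumed value.
constexpr double CHECK_PERIOD_MS = 50.0;

// Word-wise additive checksum mod 2^32 (the slides only say "checksum").
// Flipping one bit b of one word changes the sum by +/-2^b, which is never
// 0 mod 2^32, so every single-event upset (SEU) is detected. Two upsets
// (one 0->1, one 1->0 at the same bit position) can cancel each other.
inline uint32_t checksum(const std::vector<uint32_t>& words) {
    uint32_t sum = 0;
    for (uint32_t w : words) sum += w;
    return sum;
}

struct Soc {
    std::vector<uint32_t> coefmem;   // filter and calibration coefficients
    uint32_t reference;              // checksum of the image loaded from flash at reset
    SocState state = SocState::Run;
    uint32_t status = 0;             // bit 1: checksum error detected
    uint32_t command = 0x1;          // bit 0: DSP function enabled
    double next_check_ms = CHECK_PERIOD_MS;

    explicit Soc(std::vector<uint32_t> image)
        : coefmem(std::move(image)), reference(checksum(coefmem)) {}

    // SEU: flip one bit of one coefficient word.
    void inject_seu(std::size_t word, unsigned bit) { coefmem.at(word) ^= (1u << bit); }

    // Cyclic monitoring (R1/R2). Returns true when a check ran at this step.
    bool step(double now_ms) {
        if (now_ms < next_check_ms) return false;
        next_check_ms += CHECK_PERIOD_MS;
        if (checksum(coefmem) != reference) {   // content corrupted
            status |= 0x2;                      // STATUS bit 1 = checksum error
            command &= ~0x1u;                   // COMMAND bit 0 cleared: DSP deactivated
            state = SocState::SoC_FAULT;        // R3
        }
        return true;
    }
};

// Constructed coefficient image (not real filter coefficients).
inline std::vector<uint32_t> sample_image() {
    return {0x3F800000u, 0x00001234u, 0xDEADBEEFu, 0x7FFFFFFFu};
}

// Simulate in 1 ms steps; inject an SEU at seu_ms (negative: no fault).
// Returns the time at which SoC_FAULT was entered, or -1.0 if never.
inline double fault_entry_time(double seu_ms, double run_ms) {
    Soc soc(sample_image());
    for (double t = 0.0; t <= run_ms; t += 1.0) {
        if (seu_ms >= 0.0 && t == seu_ms) soc.inject_seu(2, 17);
        if (soc.step(t) && soc.state == SocState::SoC_FAULT) return t;
    }
    return -1.0;
}

// Exhaustive check that every single-bit flip of the image changes the checksum.
inline bool all_single_bit_flips_detected() {
    const std::vector<uint32_t> image = sample_image();
    const uint32_t ref = checksum(image);
    for (std::size_t w = 0; w < image.size(); ++w)
        for (unsigned b = 0; b < 32; ++b) {
            std::vector<uint32_t> corrupted = image;
            corrupted[w] ^= (1u << b);
            if (checksum(corrupted) == ref) return false;
        }
    return true;
}

}  // namespace coefmem_model
```

With the 50 ms period, fault_entry_time(60.0, 500.0) returns 100.0: an upset at 60 ms is caught at the next scheduled check, so the detection latency is bounded by the check period, which is what the cycle bound in R2 buys. all_single_bit_flips_detected() confirms the single-SEU guarantee of the additive checksum; it says nothing about multiple upsets, which the slides do not address either.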
PSL Standard & ISIS Tools
PSL formalization
Illustration on the third requirement:
R3: When a checksum error is detected, the DSP function must be deactivated (within LIMIT ms).
Disambiguation:
"Checksum error is detected"? The bit number 1 of the STATUS register of the DSP unit equals '1'.
"DSP function is deactivated"? A '0' is written in bit number 0 of the COMMAND register of the DSP unit.
PSL "Modeling layer"
"The bit number 1 of the STATUS register equals '1'":
    if (dsptarget.b_transport_END() && (dsptarget.b_transport.p1.is_read())
        && (dsptarget.b_transport.p1.get_address() == address_STATUS)
        && (*(unsigned int *)(dsptarget.b_transport.p1.get_data_ptr()) & 0x2))
        error = true;
    else
        error = false;
"A '0' is written in bit number 0 of the COMMAND register":
    if (dsptarget.b_transport_CALL() && (dsptarget.b_transport.p1.is_write())
        && (dsptarget.b_transport.p1.get_address() == address_COMMAND)
        && !(*(unsigned int *)(dsptarget.b_transport.p1.get_data_ptr()) & 0x1))
        deactivation = true;
    else
        deactivation = false;
PSL assertion
Every time error occurs, the next access to the DSP must be a deactivation and less than LIMIT ms must have elapsed:
    always(error => next_event!(dsptarget.b_transport_CALL())
                      (deactivation && ((sc_time_stamp() - time) <= limit)))
where time is updated on each error.
Complete assertion for ISIS
    bool deactivation = false, error = false;
    sc_time limit(LIMIT, SC_MS);
    sc_time time(0, SC_MS);
    if (dsptarget.b_transport_END() && (dsptarget.b_transport.p1.is_read())
        && (dsptarget.b_transport.p1.get_address() == address_STATUS)
        && (*(unsigned int *)(dsptarget.b_transport.p1.get_data_ptr()) & 0x2))
        error = true;
    else
        error = false;
    if (dsptarget.b_transport_CALL() && (dsptarget.b_transport.p1.is_write())
        && (dsptarget.b_transport.p1.get_address() == address_COMMAND)
        && !(*(unsigned int *)(dsptarget.b_transport.p1.get_data_ptr()) & 0x1))
        deactivation = true;
    else
        deactivation = false;
    if (error) time = sc_time_stamp();
    assert always(error => next_event!(dsptarget.b_transport_CALL())
                             (deactivation && ((sc_time_stamp() - time) <= limit)));
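The assertion above, re-implemented as an added C++ example (not ISIS code and not from the slides) so that its semantics can be exercised without SystemC: the two modeling-layer booleans are computed from an explicit transaction trace carrying its own time stamps, next_event! becomes a pending flag consumed at the next b_transport CALL on the DSP, and the strong form reports an error still pending at the end of the trace. The register addresses (address_STATUS, address_COMMAND), the trace contents and the 10 ms LIMIT used in the checks are assumptions.

```cpp
// Added example (not ISIS code, not from the slides): plain C++ monitor with
// the semantics of
//   always(error => next_event!(dsptarget.b_transport_CALL())
//                     (deactivation && ((sc_time_stamp() - time) <= limit)))
// run over a constructed TLM-like trace. SystemC is not used: each entry
// carries its time stamp in ms, and CALL/END phases are explicit entries.
#include <cstdint>
#include <string>
#include <vector>

namespace dsp_monitor {

constexpr uint32_t address_STATUS  = 0x00;       // assumed (not on the slides)
constexpr uint32_t address_COMMAND = 0x04;       // assumed
constexpr uint32_t STATUS_CHECKSUM_ERROR = 0x2;  // bit 1 of STATUS
constexpr uint32_t COMMAND_DSP_ENABLE    = 0x1;  // bit 0 of COMMAND

enum class Phase { Call, End };  // dsptarget.b_transport_CALL() / _END()
enum class Cmd { Read, Write };  // p1.is_read() / p1.is_write()

struct Txn {
    double   t_ms;     // sc_time_stamp() at this phase
    Phase    phase;
    Cmd      cmd;
    uint32_t address;  // p1.get_address()
    uint32_t data;     // *(unsigned int *)p1.get_data_ptr()
};

struct Violation { double error_t_ms; double call_t_ms; std::string reason; };

class Monitor {
public:
    explicit Monitor(double limit_ms) : limit_ms_(limit_ms) {}

    void observe(const Txn& tx) {
        // Modeling layer: "error" = END of a read of STATUS with bit 1 set.
        const bool error = tx.phase == Phase::End && tx.cmd == Cmd::Read &&
                           tx.address == address_STATUS &&
                           (tx.data & STATUS_CHECKSUM_ERROR) != 0;
        // Modeling layer: "deactivation" = CALL of a write to COMMAND with bit 0 clear.
        const bool deactivation = tx.phase == Phase::Call && tx.cmd == Cmd::Write &&
                                  tx.address == address_COMMAND &&
                                  (tx.data & COMMAND_DSP_ENABLE) == 0;

        // next_event!(CALL): the first CALL after an error must satisfy the consequent.
        if (pending_ && tx.phase == Phase::Call) {
            if (!deactivation)
                violations_.push_back({error_t_, tx.t_ms, "next DSP access is not a deactivation"});
            else if (tx.t_ms - error_t_ > limit_ms_)
                violations_.push_back({error_t_, tx.t_ms, "deactivation later than LIMIT"});
            pending_ = false;
        }
        if (error) { pending_ = true; error_t_ = tx.t_ms; }  // `time` updated on each error
    }

    // Strong next_event!: an error with no later CALL fails at end of trace.
    std::vector<Violation> finish() {
        if (pending_)
            violations_.push_back({error_t_, -1.0, "trace ends without any DSP access after error"});
        pending_ = false;
        return violations_;
    }

private:
    double limit_ms_;
    bool   pending_ = false;
    double error_t_ = 0.0;
    std::vector<Violation> violations_;
};

inline std::vector<Violation> check(const std::vector<Txn>& trace, double limit_ms) {
    Monitor m(limit_ms);
    for (const Txn& tx : trace) m.observe(tx);
    return m.finish();
}

// Constructed traces (not captured from the platform): software reads STATUS,
// sees the checksum error flag, then writes COMMAND.
inline std::vector<Txn> trace_in_time() {
    return {{0.0, Phase::Call, Cmd::Read,  address_STATUS,  0x0},
            {0.0, Phase::End,  Cmd::Read,  address_STATUS,  0x2},   // error
            {5.0, Phase::Call, Cmd::Write, address_COMMAND, 0x0},   // deactivation after 5 ms
            {5.0, Phase::End,  Cmd::Write, address_COMMAND, 0x0}};
}
inline std::vector<Txn> trace_too_late() {
    return {{0.0,  Phase::Call, Cmd::Read,  address_STATUS,  0x0},
            {0.0,  Phase::End,  Cmd::Read,  address_STATUS,  0x2},
            {12.0, Phase::Call, Cmd::Write, address_COMMAND, 0x0},  // beyond a 10 ms LIMIT
            {12.0, Phase::End,  Cmd::Write, address_COMMAND, 0x0}};
}
inline std::vector<Txn> trace_polls_again() {
    return {{0.0, Phase::Call, Cmd::Read,  address_STATUS,  0x0},
            {0.0, Phase::End,  Cmd::Read,  address_STATUS,  0x2},
            {1.0, Phase::Call, Cmd::Read,  address_STATUS,  0x0},   // any other DSP access violates
            {1.0, Phase::End,  Cmd::Read,  address_STATUS,  0x2},   // second error re-arms the monitor
            {2.0, Phase::Call, Cmd::Write, address_COMMAND, 0x0},
            {2.0, Phase::End,  Cmd::Write, address_COMMAND, 0x0}};
}

}  // namespace dsp_monitor
```

trace_polls_again shows a property of the assertion as written: next_event!(dsptarget.b_transport_CALL()) matches any access to the DSP, so a second STATUS read between the error and the COMMAND write is reported as a violation even though the deactivation then arrives within LIMIT. The software must therefore make the deactivation write its very next DSP access, or the modeling layer must narrow the event to COMMAND writes.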
ISIS monitors
[Figure: ISIS flow. Inputs: the SystemC platform (sc_main instantiating generic_noc, memory, eu_pool, eu and os_config modules), the PSL assertions for R1, R2, R3 and XML configuration files. ISIS generates the monitors and the observation mechanism, producing a SystemC instrumented platform that is run in simulation.]
ISIS observation mechanism
[Figure: the virtual platform (Timed DMAs, Proc., DSP, Mem. DATA, Mem. CODE, ANI, ANO, DSI, DSO, MS and S ports, AHB) with the ISIS observation attached to it.]
Safety Monitors Integration
Experiment 1 (HW error)
[Figure: virtual platform (Timed DMAs, Proc., DSP, Mem. DATA, Mem. CODE, ANI, ANO, DSI, DSO, MS and S ports, AHB); injected fault: HW checksum computation period > 50 ms.]
Monitors/checkers statistics (end of log)
Performance: 3 monitors = +1.2 % CPU time (verbose mini).
Experiment 2 (SW error)
[Figure: virtual platform (Timed DMAs, Proc., DSP, Mem. DATA, Mem. CODE, ANI, ANO, DSI, DSO, MS and S ports, AHB); injected fault: SW checksum error monitoring period > 100 ms.]
Monitors/checkers statistics (end of log)
Performance: 3 monitors = +1.5 % CPU time (verbose mini).
Experiment 3 (SW error + GDB)
[Figure: virtual platform (Timed DMAs, Proc., DSP, Mem. DATA, Mem. CODE, ANI, ANO, DSI, DSO, MS and S ports, AHB), Experiment 3 (SW error + GDB).]
Conclusion
Experimental results
Advantages:
  Use of the IEEE PSL standard
  Useful to monitor/debug system-level properties
  Easy platform integration
  Explicit log messages
  Light CPU time overhead, but it needs to be experimented with more than 3 monitors to be representative
  Safety verification improvement (e.g. fault injection)
Improvements:
  Automation of the ISIS integration into the assembling flow (IP-XACT format)
  Enable/disable monitors at execution time
  No need to recompile the platform to change the verbose level
Any questions?