012 THURS - 215PM - 1450 Seidl - 0 - To - Safety - Accelerating - Functional - Safety - Projects


0 to Safety: Accelerating Functional Safety Projects
Christopher Seidl, Senior Marketing Manager, Arm

#ArmTechCon
Copyright © 2019 Arm TechCon, All rights reserved.
Agenda

• Overview of the software process and functional safety
• Arm tools and software building blocks for functional safety
• Software development process – a practical approach
• Summary – Arm’s commitment to functional safety



Software Process and Functional Safety



Software Development Process

Design activities (left side of the diagram) are paired with verification & validation activities (right side), with the supporting techniques shown at each level:

• System design, safety requirements | System testing: test automation
• Software architecture design: model-based design, analysis of timing behavior | Integration testing: verification of safety, fault injection, access protection (MPU, TrustZone, stack overflow)
• Software module implementation: static code analysis (MISRA) | Unit testing: test completeness (code coverage)



Safety - Important in Many Markets

• Industrial: IEC 61508
• Automotive: ISO 26262
• Railway: EN 50128
• Medical: IEC 62304




Safety Integrity Levels (SIL)

Safety functions in systems protect the health of people, the environment, and/or goods.
Typical safety functions: emergency shutdown (overheating; dangerous movements).

ALARP ("as low as reasonably practicable") principle: risks shall be reduced as far as reasonably practicable.

Risk matrix – mapping risk to SIL (rows: probability; columns: severity of consequence)

Probability    Insignificant  Minor  Severe  Major  Catastrophic
Rare           -              -      SIL1    SIL2   SIL3
Unlikely       -              SIL1   SIL2    SIL3   SIL4
Likely         SIL1           SIL2   SIL3    SIL4   5x
Very Likely    SIL2           SIL3   SIL4    5x     6x
Certain        SIL3           SIL4   5x      6x     7x

SIL levels map the development process to levels of acceptable risk.



SIL Impacts the Design & Validation Requirements
Higher levels require more stringent design principles and higher test efforts.

Ref.   Technique/Measure                                      SIL 1  SIL 2  SIL 3  SIL 4
IEC 61508: Table A.2 – Software design and development – software architecture design
1      Fault detection                                        -      R      HR     HR
2…     Error detection codes                                  R      R      R      HR
…13b   Time-triggered architecture                            R      HR     HR     HR
13c    Event-driven, with guaranteed maximum response time    R      HR     HR     -
14…    Static resource allocation                             -      R      HR     HR
IEC 61508: Table B.2 – Dynamic analysis and testing
1      Test case execution from boundary value analysis       R      HR     HR     HR
7c     Structural test coverage (branches) 100%               R      R      HR     HR

R = recommended, HR = highly recommended



Accelerate Application Development for Functional Safety



Functional Safety throughout Arm Released CPUs
Future fault detection and management on Cortex-A CPUs

Processors on the slide: Cortex-M0+, Cortex-M3/M4, Cortex-M7, Cortex-M23, Cortex-M33, Cortex-R5, Cortex-R52, Cortex-A55, Cortex-A & future Cortex-A, Armv8-A.

Safety features listed per processor (the set differs from core to core): exception handling, MPU (including two-stage MPU), MMU, stack limit check, cache parity / ECC†, TCM ECC and TCM ECC interface, bus ECC, bus protection, error management, MBIST interface, dual core lockstep†, virtualization, system error, RAS features, software test library (STL).

The slide marks two ranges of systematic capability across these processors: SIL2/ASIL B and SIL3/ASIL D.

† availability dependent on processor



Arm Compiler Qualification Kit for Safety
Included in Arm DS Gold and MDK-Professional edition

• Safety Manual: usage information relevant to software developers
• Development Process Document: description of the ISO 9001:2008 software development process
• Test Report: ANSI/ISO C++, C90, C99 language conformance test results
• Defect Report: details of known safety-related defects



Arm FuSa RTS: Run-time system for functional safety
Software components certified for safety-critical applications

Layering shown on the slide: user application code on top of the FuSa RTS components, running on an Arm Cortex-M processor.
• FuSa RTX RTOS: Thread, Events, Mutex, Semaphore, Time, RTOS Scheduler, Memory
• FuSa Event Recorder
• FuSa Software test library (STL): self-test code for run-time verification
• FuSa CMSIS-Core (device-specific) and CMSIS-Core (Arm-core specific)
• FuSa C library
FuSa RTS components are certified together with the safety-qualified Arm C/C++ Compiler.

Covered safety standards:
• Automotive: ISO 26262, ASIL D
• Industrial: IEC 61508, SIL 3
• Medical: IEC 62304, Class C
• Railway: EN 50128, SIL 4

Supported processors: Cortex-M0/M0+, Cortex-M3, Cortex-M4, Cortex-M7

www.arm.com/fusa-rts


FuSa RTS Benefits
Fast-track to functional safety applications

FuSa RTS provides several valuable components:

• FuSa RTX RTOS: deterministic real-time operating system for Arm Cortex-M processors
• FuSa Event Recorder: implements functionality to easily record events and collect execution statistics in the application code
• FuSa CMSIS-Core: implements the vendor-independent interface to Cortex-M devices
• FuSa C library: implements a subset of the functions specified in the ISO C99 C language standard

Using CMSIS components, it runs out of the box on 6000+ MCUs from all key vendors.
FuSa RTS is certified in combination with the safety-qualified Arm compiler and requires no additional compiler-specific integration and verification.
It integrates naturally with Keil MDK for development, powerful RTOS-aware debugging and automated validation.



What is a Software Test Library (STL)?
STL checks processor blocks to identify faults that could lead to safety goal violations

Software functions that provide diagnostic capabilities:
• Provide processor fault detection without dual core lockstep
• Support flexible execution configurations (e.g. under an RTOS)
• Tests are split into modules that enable flexible execution scheduling
• Tests save and restore the processor context to minimize side effects

Diagram: a device STL scheduler dispatches the Arm STL alongside a DMA STL, an accelerator STL and one or more peripheral STLs.

Arm offers STLs that cover the processor and core peripherals:
• Enable partners to perform simulation/execution for processor fault grading
• Limit the additional hardware needed for efficient testing of the CPU at run time
• Use existing processor resources for the STL: execute from deterministic memory



Software Development Process: Verification and Validation



Types of Software Testing
Conforming to industrial/automotive safety standards

• Unit testing: test small parts of code at a time (function level)
• Integration testing: test how multiple software components work together
• Functional testing: test whether a given functionality works as expected
• System testing: test that the final system meets requirements

• Regression testing: tests run continuously upon software updates; essential for continuous integration (CI)
• Workload testing: tests run on hardware (prototypes); verification of system behavior (timing)

• Arm Fast Models: scalability, with no hardware dependency; fault injection, easy to repeat
• Arm Debug Adapters: scripting for test automation; analysis features for event annotations



Benefits of Virtual Prototypes
Programmer’s view models provide good performance, accuracy and flexibility

Diagram: without models, software development starts after hardware development; with virtual prototypes the two overlap, which is shown as a TTM (time-to-market) gain.

• Models are available early
• Fast and functionally accurate
• Non-intrusive debug, no HW dependency
• Unlimited memory for unit testing



Test Case Development and Continuous Integration Tests
Debugger with integrated code coverage for software validation and certification

• Color-coded debugger views (branch coverage)
• Available for simulation models or instruction trace
• Summary by function or module
• Export for continuous integration
Infrastructure for Easy Integration into Test Systems
Test automation essential for productivity

• Scripting and batch modes
• Export for code coverage
• Remote control interfaces
• Python integration



Dynamic Execution and Performance Tests
Event recorder for analysis of dynamic software behavior and operations

Data flow: event annotations in the application code → Event Recorder (event filter, event buffer in memory) → debugger, which formats the output using the Software Component Viewer Description (SCVD) file.

The SCVD file contains descriptive information for output formatting by the debugger.



Event Statistics – Analysis of Worst-Case Timing
Event category for collecting execution statistics

Application code, instrumented with start/stop events that the Event Recorder collects and the debugger reads out:

    while (1) {
      EventStartA(0);
      // user code
      EventStopA(0);
      ...
      EventStartB(0);
      // user code
      EventStopB(0);
    }

Up to 64 statistic slots can be defined with start/stop events in user code. For each statistic slot, statistical data is available:
• Execution timing (total, average, min, max, first, last)
• Program details for min/max execution
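The per-slot statistics listed above (total, average, min, max, first, last, plus a program detail for the min/max run), worked through as an added example written for this page; it is not Arm's Event Recorder and not the implementation behind EventStartA/EventStopA. Timestamps are supplied by the caller (on a Cortex-M target they would come from a cycle counter or SysTick, which is an assumption here), the site ids are a constructed stand-in for "program details", and demo_worst_case feeds constructed timestamps, including one pair that straddles a 32-bit timer rollover.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Arm's Event Recorder code): execution statistics per slot
   collected from start/stop pairs, the kind of data the slide lists per slot. */

#define STAT_SLOTS 64u            /* the slide allows up to 64 statistic slots */

typedef struct {
    uint32_t count;               /* completed start/stop pairs */
    uint64_t total;               /* sum of all durations (ticks) */
    uint32_t min, max;            /* shortest and longest duration seen */
    uint32_t first, last;         /* duration of the first and most recent pair */
    uint32_t min_site, max_site;  /* "program detail": caller id of the min/max run (constructed) */
    uint32_t start_ts;            /* timestamp of the currently open start event */
    bool     running;             /* a start was seen without its stop */
} stat_slot_t;

static stat_slot_t slots[STAT_SLOTS];

void stat_reset(void) { memset(slots, 0, sizeof slots); }

/* Open a measurement on `slot`. Returns false for an out-of-range slot. */
bool stat_start(unsigned slot, uint32_t ts) {
    if (slot >= STAT_SLOTS) return false;
    slots[slot].start_ts = ts;
    slots[slot].running = true;
    return true;
}

/* Close a measurement. `site` identifies the instrumented code location so the worst
   case can be traced back. Returns false for an invalid slot or a stop without a
   matching start; a safety build should treat that as a pairing fault, not ignore it. */
bool stat_stop(unsigned slot, uint32_t ts, uint32_t site) {
    if (slot >= STAT_SLOTS || !slots[slot].running) return false;
    stat_slot_t *s = &slots[slot];
    uint32_t dur = ts - s->start_ts;  /* unsigned wrap-around copes with a 32-bit timer rollover */
    s->running = false;
    if (s->count == 0) {
        s->first = s->min = s->max = dur;
        s->min_site = s->max_site = site;
    } else {
        if (dur < s->min) { s->min = dur; s->min_site = site; }
        if (dur > s->max) { s->max = dur; s->max_site = site; }
    }
    s->last = dur;
    s->total += dur;
    s->count++;
    return true;
}

/* Snapshot of a slot (an empty record for an invalid slot). */
stat_slot_t stat_get(unsigned slot) {
    stat_slot_t empty = {0};
    return slot < STAT_SLOTS ? slots[slot] : empty;
}

uint32_t stat_average(unsigned slot) {
    if (slot >= STAT_SLOTS || slots[slot].count == 0) return 0;
    return (uint32_t)(slots[slot].total / slots[slot].count);
}

/* Budget check for a guaranteed maximum response time: true only if every observed
   run of the slot stayed within `budget_ticks`. */
bool stat_within_budget(unsigned slot, uint32_t budget_ticks) {
    if (slot >= STAT_SLOTS || slots[slot].count == 0) return false;
    return slots[slot].max <= budget_ticks;
}

/* Constructed control-loop run: four iterations on slot 0, the last one straddling
   a 32-bit timer rollover (start at 2^32-6, stop at 6 -> 12 ticks). Returns the worst case. */
uint32_t demo_worst_case(void) {
    static const uint32_t runs[4][2] = {
        {100u, 130u}, {200u, 245u}, {300u, 322u}, {4294967290u, 6u}
    };
    stat_reset();
    for (unsigned i = 0; i < 4; i++) {
        stat_start(0, runs[i][0]);
        stat_stop(0, runs[i][1], 0x1000u + i);   /* site id: constructed */
    }
    return stat_get(0).max;
}

int main(void) {
    uint32_t worst = demo_worst_case();
    stat_slot_t s = stat_get(0);
    printf("slot 0: count=%u total=%llu avg=%u min=%u max=%u (site 0x%x) first=%u last=%u\n",
           s.count, (unsigned long long)s.total, stat_average(0), s.min, worst,
           s.max_site, s.first, s.last);
    printf("within 50-tick budget: %s\n", stat_within_budget(0, 50u) ? "yes" : "no");
    return 0;
}
```

Two design points matter for a worst-case analysis: the duration is computed with unsigned subtraction so a timer rollover between start and stop still yields the correct short duration rather than a huge outlier, and a stop without a matching start is reported as a failure instead of being folded into the statistics.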
FuSa Development with MDK
Verification and validation during the development process

• Static code analysis and MISRA test: 3rd party integration; MISRA rule configuration wizard
• Code coverage: simulation models; instruction trace; GCOV reports
• Memory analysis: stack watermarking; RTOS object counters; linker based stack analysis
• Timing analysis: System Analyzer; Event Recorder; execution statistics
• Continuous integration: easy Jenkins integration; remote interface for unit test frameworks
• Test automation: debugger script; debug unit with test I/O pins for hardware control
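Stack watermarking, listed above under memory analysis, as an added example written for this page and not MDK's own implementation. The idea is to pre-fill a task stack with a known pattern and later measure how many words were overwritten (the high-water mark), which is how a stack-overflow margin is checked on a real run. The stack region here is a constructed array, WATERMARK is a constructed pattern, and simulate_task stands in for the call frames a real task would push; on a Cortex-M target the region would be the linker-placed task stack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not MDK's code): stack watermarking on a constructed stack region. */

#define STACK_WORDS 128u
#define WATERMARK   0xA5A5A5A5u    /* constructed pattern, unlikely as ordinary frame data */

static uint32_t task_stack[STACK_WORDS];   /* constructed stand-in for a task stack */

/* Fill the whole region before the task runs. The stack grows downward, so the
   lowest address (base[0]) is consumed last and acts as the overflow guard word. */
void stack_watermark_fill(uint32_t *base, size_t words) {
    for (size_t i = 0; i < words; i++) base[i] = WATERMARK;
}

/* High-water mark in words: scan upward from the base until the pattern ends.
   A frame word that happens to equal WATERMARK is missed, so the figure is a lower
   bound; that is why the slide pairs this with linker based stack analysis. */
size_t stack_high_water(const uint32_t *base, size_t words) {
    size_t untouched = 0;
    while (untouched < words && base[untouched] == WATERMARK) untouched++;
    return words - untouched;
}

/* Overflow indicator: the guard word at the lowest address no longer holds the pattern. */
bool stack_overflowed(const uint32_t *base, size_t words) {
    return words > 0 && base[0] != WATERMARK;
}

/* Usage in percent, rounded up, so a threshold check against it is conservative. */
unsigned stack_usage_percent(const uint32_t *base, size_t words) {
    if (words == 0) return 0;
    return (unsigned)((stack_high_water(base, words) * 100u + words - 1) / words);
}

/* Constructed task: "pushes" `depth` words from the top of the region the way nested
   call frames would; the values are small counters that never equal WATERMARK. */
void simulate_task(uint32_t *base, size_t words, size_t depth) {
    for (size_t i = 0; i < depth && i < words; i++) base[words - 1 - i] = (uint32_t)i;
}

/* Fresh fill, one task run of the given depth, then measure the high-water mark. */
size_t demo_high_water(size_t depth) {
    stack_watermark_fill(task_stack, STACK_WORDS);
    simulate_task(task_stack, STACK_WORDS, depth);
    return stack_high_water(task_stack, STACK_WORDS);
}

/* Same run, reporting whether the guard word was reached. */
bool demo_overflow(size_t depth) {
    stack_watermark_fill(task_stack, STACK_WORDS);
    simulate_task(task_stack, STACK_WORDS, depth);
    return stack_overflowed(task_stack, STACK_WORDS);
}

int main(void) {
    size_t hw = demo_high_water(40);
    printf("high-water mark: %zu of %u words (%u%%), overflow=%s\n",
           hw, STACK_WORDS, stack_usage_percent(task_stack, STACK_WORDS),
           stack_overflowed(task_stack, STACK_WORDS) ? "yes" : "no");
    return 0;
}
```

In practice the fill is done once at task creation and the scan is run from a low-priority task or read by the debugger; because a coincidental WATERMARK value in a frame under-reports usage, the measured mark should be combined with the static, linker based stack analysis the slide lists rather than used alone to size a safety-critical stack.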



Summary



Software Development Tools and Software Building Blocks
Create products with safety requirements faster

Arm offers a complete set of software tools that support development processes
• Arm Compiler with qualification kit and long-term support & maintenance
• IDE and Debuggers with scripting and features that simplify code and test development
• Simulation models for robust regression testing at function and module level
• Flexible debug adapters with test I/O pins for test automation with hardware

Arm provides ready-to-use software frameworks for Cortex-M processors


• Based on software standards and widely used software components
• Removes further certification efforts at project level
• Utilizes hardware features of the Cortex processor series
• Co-developed and aligned with Arm software development tools



Arm’s Commitment to Functional Safety

• Leading features and technologies: broadest functional safety IP; innovative safety features for automotive applications
• Software components and tools: certified software components; software tools
• Robust methodologies and certification: comprehensive safety documentation; systematic certification

Safety Ready



Thank You!

Trademark and copyright statement
The trademarks featured in this presentation are registered and/or unregistered trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.

Copyright © 2019

#ArmTechCon
