Meeting Audi’s Failsafe Standard
With modern vehicles using many embedded processors, some for safety-critical applications, highly reliable embedded software is a must. Ensuring failsafe operation in complex embedded subsystems, however, requires extensive test systems that stress the design with many different scenarios.
NIRA Dynamics (a subsidiary of Audi) have leveraged Imperas virtual platforms to obtain the performance necessary for their exhaustive verification environment, and the company’s multicore debug tools to track down design and process issues. With this system they have found problems not just in their own design but also in the compilers used for development. NIRA will not ship a product without a clean bill of health from their Imperas-based environment.
Embedded Software Verification for Failsafe Reliability
For a number of applications, absolute reliability is essential. For systems that are inaccessible, high cost, or most importantly, for which a failure could be life threatening, ensuring failsafe behavior represents more than just a business trade-off.
Critical car components clearly come into this category and modern cars are festooned with safety devices that rely on embedded software for a fast reaction to an emergency situation.
The ISO 26262 standard has emerged to govern the functional safety of electrical and electronic systems in road vehicles, which is not surprising given that the average car today contains over 60 processors.
With all these systems having to meet the rigorous ISO 26262 standard, exhaustive verification of embedded software is vital, and this has emerged as an application where the Imperas™ Multicore Software Design Kit (M*SDK™) is often employed.
M*SDK exhibits several characteristics that make it ideal for this purpose:
- High-performance simulation that allows tests to run faster on a virtual platform (on a standard x86 host) than on the final hardware
- Powerful, non-intrusive coverage analysis and execution profiling to ensure that the code is fully tested from multiple perspectives
- Specialized testing technology such as fault injection, memory and cache analysis, and introspection to further ensure rigorous verification
- Multicore analysis to target potential hazard scenarios created by complex interaction between independently operating units
- Slipstreamer™ technology, which ensures that code execution integrity is maintained, regardless of applied tooling, in a non-intrusive manner
A verification environment with these capabilities, one that uses both directed tests and real-world recorded data, has the best chance of exposing the bugs that remain in the code.
The Audi (NIRA Dynamics) Tire Pressure System
NIRA Dynamics, a subsidiary of Audi, have produced a unique product that infers tire pressure indirectly, by analyzing data such as wheel-spin characteristics and braking performance rather than by measuring the pressure itself. As well as the obvious safety benefit, the product also improves fuel economy and reduces tire wear. It avoids the complication of installing a direct pressure sensor in each wheel and linking it to the car, a costly and unreliable solution.
The system uses a custom processor subsystem to store and analyze data from various sensors in real time, looking for signs of under-inflation and other tire problems. Processors used include an ARM7TDMI™, an ARM® Cortex™-M3 and a Renesas® V850, all running bare metal (i.e. with no operating system). A large amount of data must be processed efficiently through various algorithms to arrive at a reliable result, so software performance, as well as quality, is a key factor.
Peter Lindskog, head of development for NIRA noted:
“In the automotive electronics industry we always need to do more testing of our embedded systems software. Finding that the simulation performance of the Imperas/OVP V850 model was 50 times faster than our previous solution opened up new possibilities for us in software testing, and enabled us to increase our test coverage and product reliability.”
Utilizing Imperas for Exhaustive Verification
NIRA’s development environment revolves around Matlab® for algorithm development and tuning. Once the Matlab algorithm is fully tested, C code is generated from it and cross-compiled for the respective target processor, whereupon the entire system is retested. For testing purposes, NIRA have generated a vast amount of data through thousands of miles of test driving over a wide range of conditions. This data is first applied at the algorithmic level and then replayed through the embedded software to ensure that the translation to target code preserved both correctness and the required numerical accuracy.
NIRA have modeled their processor subsystem using the Imperas processor libraries and OVP™. They have built up an extensive verification environment with many of these platforms running concurrently on a farm of host machines, processing the test data in a continuous fashion.
The system also uses customized memory-analysis checkers to monitor stack and heap behavior, checking for a variety of potential problems. The multiprocessor system (there is data coming from all four wheels) is also verified carefully. M*SDK with 3Debug™ has been used to identify bugs across the multiprocessor system and then track down their root cause, which may even lie in the compilation tools.
Relying on Imperas for Failsafe Operation
Imperas has become a key component in NIRA’s environment. Perhaps the most important factor is the raw performance of the system, vital for NIRA to get through all of their required testing. Imperas’ JIT CodeMorphing simulation technology maximizes test performance and allows the system to run faster than real time on x86 host machines, giving an extremely high test throughput.
Operation on the Imperas platform can be thought of as an equivalence check against the original design running in Matlab: the same recorded data is fed through both, and the outputs are compared. Any bug found is therefore either resident in the original algorithm (and would usually have been caught at that level) or introduced in the compilation and porting process. As accuracy is a key feature of the system, the numerical precision of every step of that process matters, and this can lead to some unusual bug conditions. Bugs have been found not just in the software itself but in the compilers used to cross-compile the C generated from Matlab for the target processor.
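A minimal form of this back-to-back check, added here as an illustration and not code from NIRA or Imperas: a double-precision reference stands in for the Matlab model, a Q16.16 fixed-point port stands in for the cross-compiled target code, and a handful of constructed wheel-speed frames stand in for the recorded drive data. The detection rule (flag a wheel whose speed deviates from the four-wheel mean by more than a threshold) is a placeholder chosen for the example, not NIRA’s algorithm, and the threshold and tolerance values are assumptions. A second port with a deliberate scaling defect shows the kind of porting error the harness reports that the reference alone can never reveal.

```c
/* Back-to-back equivalence harness (added example, not NIRA's or Imperas' code).
 * Replays wheel-speed frames through a double-precision reference (stand-in for
 * the Matlab model) and a Q16.16 fixed-point port (stand-in for the
 * cross-compiled target code) and reports where the two diverge.
 * The deviation-from-mean rule below is a constructed placeholder. */
#include <stdint.h>
#include <stdio.h>

#define NWHEEL 4
#define Q16_ONE 65536.0

/* double -> Q16.16 with round-half-away-from-zero; models the quantised
 * sensor values the target code actually receives. */
static int32_t to_q16(double x) {
    return (int32_t)(x * Q16_ONE + (x >= 0 ? 0.5 : -0.5));
}
static double from_q16(int32_t q) { return (double)q / Q16_ONE; }
static double dabs(double v) { return v < 0 ? -v : v; }

/* Reference (floating point): relative deviation of wheel i from the mean of
 * all four wheels.  Assumption: an under-inflated tire has a smaller rolling
 * radius and therefore spins faster, so a deviation above +thr is the alarm. */
static double ref_deviation(const double w[NWHEEL], int i) {
    double mean = (w[0] + w[1] + w[2] + w[3]) / NWHEEL;
    return (w[i] - mean) / mean;
}

/* Target port, Q16.16 in and out.  Intermediates are int64 and the numerator
 * is scaled *before* the divide, so only the final truncation costs precision. */
static int32_t fix_deviation(const int32_t w[NWHEEL], int i) {
    int64_t sum  = (int64_t)w[0] + w[1] + w[2] + w[3];
    int64_t mean = sum / NWHEEL;
    int64_t num  = ((int64_t)w[i] - mean) * 65536;
    return (int32_t)(num / mean);
}

/* Defective port: divides first and scales afterwards.  For any realistic
 * speed the integer quotient is 0, so the deviation is always 0 and the alarm
 * can never fire.  The port still compiles and runs without any error. */
static int32_t fix_deviation_bad(const int32_t w[NWHEEL], int i) {
    int64_t sum  = (int64_t)w[0] + w[1] + w[2] + w[3];
    int64_t mean = sum / NWHEEL;
    int64_t q    = ((int64_t)w[i] - mean) / mean;
    return (int32_t)(q * 65536);
}

typedef int32_t (*port_fn)(const int32_t[NWHEEL], int);

typedef struct {
    double max_abs_err;     /* largest |reference - target| deviation seen */
    int    tol_violations;  /* samples whose error exceeds the tolerance */
    int    flag_mismatch;   /* samples where only one side raises the alarm */
    int    first_bad_frame; /* first frame with either problem, -1 if clean */
} B2BResult;

/* Replay every frame through both implementations and compare per wheel. */
static B2BResult replay_frames(const double (*frames)[NWHEEL], int nframes,
                               double thr, double tol, port_fn port) {
    B2BResult r = { 0.0, 0, 0, -1 };
    for (int f = 0; f < nframes; f++) {
        int32_t wq[NWHEEL];
        for (int i = 0; i < NWHEEL; i++) wq[i] = to_q16(frames[f][i]);
        for (int i = 0; i < NWHEEL; i++) {
            double ref = ref_deviation(frames[f], i);
            double tgt = from_q16(port(wq, i));
            double err = dabs(ref - tgt);
            int bad = 0;
            if (err > r.max_abs_err) r.max_abs_err = err;
            if (err > tol)                  { r.tol_violations++; bad = 1; }
            if ((ref > thr) != (tgt > thr)) { r.flag_mismatch++;  bad = 1; }
            if (bad && r.first_bad_frame < 0) r.first_bad_frame = f;
        }
    }
    return r;
}

/* Constructed drive data (rad/s per wheel), not recorded data: frames 2 and 3
 * carry one wheel spinning about 3% fast, the under-inflation signature. */
static const double kFrames[][NWHEEL] = {
    { 100.0, 100.0, 100.0, 100.0 },
    { 100.0, 100.2,  99.9, 100.1 },
    { 100.0, 100.0, 103.0, 100.0 },
    {  80.0,  80.1,  82.5,  79.9 },
    {  60.0,  60.0,  60.0,  60.0 },
};
static const int kNumFrames = (int)(sizeof kFrames / sizeof kFrames[0]);
#define THRESHOLD 0.015   /* assumed relative deviation that raises the alarm */
#define TOLERANCE 1e-4    /* assumed allowed reference/target disagreement */

static void report(const char *name, B2BResult r) {
    printf("%-18s max_err=%.2e tol_violations=%d flag_mismatch=%d first_bad_frame=%d\n",
           name, r.max_abs_err, r.tol_violations, r.flag_mismatch, r.first_bad_frame);
}

int main(void) {
    report("fix_deviation",     replay_frames(kFrames, kNumFrames, THRESHOLD, TOLERANCE, fix_deviation));
    report("fix_deviation_bad", replay_frames(kFrames, kNumFrames, THRESHOLD, TOLERANCE, fix_deviation_bad));
    return 0;
}
```

The correct port stays within a few hundredths of a percent of the reference on every sample (the residual is the final Q16.16 truncation), so both the tolerance and the alarm decisions agree. The defective port never raises the alarm, which is exactly the failure a stand-alone run of the target code would not expose; only the comparison against the reference, sample by sample, makes it visible, and the first-bad-frame index is what a developer would then hand to a debugger.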
Once the code has been run through this test system, it is considered ready to be loaded into a car and taken out for road trials.
Peter Lindskog continued: “Imperas M*SDK helps us not only to find bugs in our code, but also in the compilers we use. We will not ship software without testing with Imperas tools.”