
Walking on safety

The importance of safety continues to grow in all technical areas. Developers therefore face the challenge of designing sound safety concepts that take every component, down to the smallest detail, into account. At the center of such a system are its microcontrollers.
For functional safety, the IEC 61508 standard provides the key specifications. It is a series of standards for the “functional safety of electrical/electronic/programmable electronic safety-related systems”. In addition, there are slightly adapted, sector-specific standards that are derived from IEC 61508. The adaptation of IEC 61508 to the specific conditions of the automotive sector is the ISO 26262 series of standards, which covers electrical/electronic safety-related systems in road vehicles.
Extensive safety features
Apart from meeting the ISO 26262 requirements for ASIL-D, Infineon's Aurix 32-bit microcontroller was developed as a SEooC (Safety Element out of Context). This means that versions of the Aurix range can be integrated into complete safety-relevant systems on the strength of their built-in features. The second generation of the Aurix family is manufactured in 40 nm embedded flash technology and is fully qualified for the automotive industry. Thanks to up to six TriCore processor cores running at up to 300 MHz, it offers significantly higher computing power than its predecessor. Its functional safety support also makes the Aurix microcontroller particularly interesting in industrial settings. The following hardware and software safety features make Aurix microcontrollers especially suitable for safety-critical applications:

  • Checker cores
  • Flash & RAM ECC (Error Correcting Code)
  • Safe SRI (crossbar)
  • Voltage, frequency and peripheral monitoring
  • Safety Management Unit (SMU)
  • SafeTpack safety manager
  • Logic Built-In Self-Test (LBIST)

Safety features
Checker cores work in the background and monitor the processor: every operation is executed twice and, as soon as the two results disagree, an error is reported via the SMU. Both Flash and RAM incorporate an ECC function. This error-detection mechanism determines whether an error has occurred in the storage or transmission of data; if such an error is detected, it can be corrected.
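To make the ECC behaviour described above concrete, here is a constructed SEC-DED (single-error-correcting, double-error-detecting) Hamming code over one data byte, added as an illustration and not Infineon's or Hitex's implementation: a single flipped bit is corrected transparently, while two flipped bits are flagged as uncorrectable so the consumer can report a fault instead of using the word. The code word layout (positions 1, 2, 4, 8 for parity, position 0 for overall parity) is an assumption of this example.

```c
#include <stdint.h>

/* Constructed SEC-DED example: one data byte is protected by four Hamming
 * parity bits at code word positions 1, 2, 4, 8 plus an overall parity bit
 * at position 0; the data bits occupy positions 3, 5, 6, 7, 9, 10, 11, 12. */
static const int DATA_POS[8] = {3, 5, 6, 7, 9, 10, 11, 12};
enum ecc_result { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE };

uint16_t ecc_encode(uint8_t data)
{
    uint16_t cw = 0;
    for (int i = 0; i < 8; i++)
        if ((data >> i) & 1) cw |= (uint16_t)1 << DATA_POS[i];
    /* parity bit p covers every position whose index has bit p set */
    for (int p = 1; p <= 8; p <<= 1) {
        int parity = 0;
        for (int pos = 1; pos <= 12; pos++)
            if ((pos & p) && ((cw >> pos) & 1)) parity ^= 1;
        cw |= (uint16_t)parity << p;
    }
    int overall = 0;                        /* overall parity over bits 1..12 */
    for (int pos = 1; pos <= 12; pos++) overall ^= (cw >> pos) & 1;
    return cw | (uint16_t)overall;
}

enum ecc_result ecc_decode(uint16_t cw, uint8_t *data)
{
    int syndrome = 0, overall = 0;
    for (int pos = 0; pos <= 12; pos++) {
        int bit = (cw >> pos) & 1;
        overall ^= bit;                     /* 1 => odd number of bits flipped */
        if (bit) syndrome ^= pos;           /* single flip => its position */
    }
    if (syndrome && !overall) return ECC_UNCORRECTABLE;   /* two bits flipped */
    if (overall) cw ^= (uint16_t)1 << syndrome;           /* repair the one bit */
    *data = 0;
    for (int i = 0; i < 8; i++)
        if ((cw >> DATA_POS[i]) & 1) *data |= (uint8_t)(1 << i);
    return overall ? ECC_CORRECTED : ECC_OK;
}

/* Encode, inject the constructed faults in flip_mask, decode. Returns the data
 * byte, data | 0x100 if a bit was corrected, or -1 when the word is uncorrectable. */
int ecc_roundtrip(uint8_t data, uint16_t flip_mask)
{
    uint8_t out;
    enum ecc_result r = ecc_decode(ecc_encode(data) ^ flip_mask, &out);
    if (r == ECC_UNCORRECTABLE) return -1;
    return r == ECC_CORRECTED ? (0x100 | out) : out;
}
```

On a real device the -1 path corresponds to the uncorrectable-error alarm that the hardware raises towards the SMU; the corrected path is invisible to the application but is still worth counting, since a rising single-bit error rate is an early warning.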
Through the SRI (Shared Resource Interconnection), also known as the crossbar, data is transferred back and forth between the cores and memory. These connections are safeguarded by hardware mechanisms that protect the transfer end to end. The second generation of Aurix microcontrollers operates at a supply voltage of 3.3 V and a frequency of 300 MHz; if the permissible tolerances are exceeded or not reached, an alarm is raised. Peripherals, for example, can be monitored via a CRC (Cyclic Redundancy Check).
In this procedure, checksums are used to verify that data was transmitted correctly. The Safety Management Unit, a hardware IP integrated into the Aurix microcontroller, is responsible for collecting, processing and evaluating all safety-related errors. SafeTpack is a complete safety manager for the second generation of Aurix microcontrollers, developed by Hitex. Through a combination of hardware and software modules, it coordinates the execution of authorization and cyclic tests that ensure correct operation of the Aurix processor cores and internal buses.
The Logic Built-In Self-Test is part of the SafeTpack software library. It gives developers the means to verify in software that the Aurix microcontroller is working properly every time the controller starts. Together, these hardware and software features create a level of safety that cannot easily be achieved with a standard microcontroller.
Implementation of functional safety
However, functional safety cannot be achieved with the microcontroller alone; it has to be treated as a central component of the overall design. The safety of the system can only be guaranteed when a safety concept is developed from the very beginning and followed rigorously. This complex process can be summarized in five steps.

  1. Conduct a hazard and risk analysis

The risk analysis must determine which parts of the application are safety-critical and which legal functional safety requirements have to be met. A wide variety of methods exist for this purpose. HARA (Hazard Analysis and Risk Assessment), one of the most widely used, can be applied to establish whether the system is safety-related and, if so, how high the required degree of safety is.

  2. Define the level of safety requirements

Depending on the standard, there are various levels of safety requirements. For industrial applications, IEC 61508 defines the so-called Safety Integrity Level (SIL), which ranges from SIL 1 to SIL 4. The applicable level is determined from a matrix that combines the parameters 'extent of damage', 'dwell time', 'protection from danger' and 'probability of incident'. Similarly, ISO 26262 defines the safety criteria suited to the automotive sector; here the safety levels are designated ASIL-A to ASIL-D.

  3. Select the components and implement the design

The most appropriate component for implementing the desired application is chosen; to this end, the specific safety functions must be taken into account. The board layout can then be designed and populated accordingly. Once the hardware is in place, the software can be implemented. A well-defined safety concept has to be developed and implemented, especially when programming the microcontroller, since it is the central control unit.

  4. Validate the safety function

The validation procedure shows whether the safety-related functions perform correctly, i.e. each individual function, independent of the system as a whole. If one or more functions do not behave according to their specifications, they can be reworked during the development phase. This cycle is repeated as often as necessary until the functions meet the requirements.

  5. Verify safety

Verification is the second part of the review and takes place after validation. It involves checking the correct operation of the system against checklists. Unlike validation, verification considers the system as a whole. Independent certification bodies, such as TÜV in Germany, offer support in this step and certify the safety of the system according to legal requirements.
Full support from the partner network
Programming a microcontroller like the Aurix is somewhat complex, especially when safety aspects are added. To support developers and speed up programming, Infineon has created the PDH (Preferred Design House) concept for all customers. An overview of all PDH partners and their experience is available at www.infineon.com/pdh. The PDH model includes both free and paid support services: customers receive first-rate support and free training and consulting services, while the full implementation of hardware and software components is available for a fee.
Hitex, a Rutronik partner, also offers corresponding help. Over the years, the company has built a reputation as a functional safety specialist. While Rutronik provides professionals with full support in the development phase, customers enjoy continuous support from Hitex in carrying out a complete and successful implementation of complex functionality.