
Trends in microelectronics: New perspectives and requirements for mobile devices

Every year, new and even more powerful microcontrollers are developed and new architectures are announced. This paves the way for increasingly comfortable and even autonomous transport devices in our everyday lives. Besides the increased computing power – MIPS per watt – the enormous demands on safety and security are among the biggest challenges.

Autonomous systems operating in enclosed spaces, such as transport robots in manufacturing facilities, are already in use today. For such autonomous vehicles to be operational in our public spaces, designers must implement numerous safety measures. For example, airports already have rail vehicles that transport passengers between terminals without drivers.

There are also a number of research projects underway on the delivery of parcels and packages using drones, and work is being done on the realization of air taxis in the vicinity of larger catchment areas, for example in Berlin, Munich, Stuttgart and Frankfurt, so that these means of transport can accompany our everyday lives.

Our cars are increasingly being equipped with electric drives, and autonomous driving is already on the horizon. The available systems designed to make our vehicles safer and more comfortable are currently still at the "fair-weather" level. In rain or snow, however, adaptive cruise control systems regularly fail, handing responsibility back to the driver. This will, of course, be unthinkable in the future operation of fully autonomous vehicles.

If these autonomous driving systems are to participate in our real traffic, i.e., outside the protected environment of a closed system, they must be able to control vehicles safely and without endangering others, even under adverse weather conditions or when other road users behave non-compliantly. To achieve this, these systems must contain a multitude of microcontrollers, sensors, cameras, actuators (motors), and numerous software programs for control, regulation, and communication tasks.

The development and design of such systems therefore require the highest level of "Sicherheit". The German word covers two distinct concepts that English keeps apart: safety and security.

Safety

Naturally, we expect autonomously moving devices to guarantee the highest level of safety. Since there is no human operator in the background to take over in the event of an unexpected malfunction, the system must take all possible and necessary measures and constantly monitor everything. In the event of a malfunction, a decision must then be made within a very short time on how to bring the system back to a safe state.

New safety requirements (e.g., the classification of individual project components into different SIL or ASIL classes) must be met, taking into account CPU-private memory resources and shared resources such as global RAM. Furthermore, data integrity and protection against unauthorized access to peripheral components that control safety-relevant processes must be ensured.

To achieve the required level of safety, the latest generations of microcontrollers incorporate numerous continuously running safety monitoring systems and functions. The entire microcontroller system includes these safety mechanisms.

The essential prerequisites for a microcontroller's operation are paramount: Voltage and clock monitoring ensure that the system's control can only begin once these minimum requirements are met. These two monitoring functions are linked to the chip reset and only enable it when the voltage and clock are within their predefined operating ranges.

With the reset released and the necessary clocking applied, the basic initialization of the component can be performed. All program and application data in the microcontroller's memory (flash and RAM) are protected by error correction codes (ECC) and checked before being used. Even during internal transfer of this data between memory and CPU, both address and data are monitored.

To meet safety requirements, the CPUs executing the program can process each task on two identical CPU cores with a small time offset, for example two clock cycles. The result of a program instruction is computed in the main CPU and passed directly to the system. A second CPU (checker core or lockstep core) processes the same instruction stream delayed by, for example, two clock cycles. The two results are then compared. If a discrepancy is detected, the error is reported to a Safety Management Unit (SMU).

Another monitoring option for CPUs is the implementation of memory protection units (MPUs). An MPU allows you to configure which memory areas a particular program is permitted to read from or write to. This can, for example, prevent unauthorized memory access to a security-relevant software module. The data integrity of individual software components is thus ensured.

Even the peripheral modules with external communication via a bus system and the control modules designed to regulate and monitor motor operation offer safety functionalities. For example, in a multi-core CPU, access to a single CPU can be enabled, or access to unauthorized CPUs can be blocked. Furthermore, there are two identically designed modules for each safety-relevant peripheral component. Both modules can be assigned the same task. The output information, such as PWM signals for speed control of an electric motor, can be compared in a compare unit. If signal deviations are detected, the output can be shut down, and an error signal can be sent to the safety control unit (SMU).

All error indications (voltage errors, clock deviations, memory, communication, CPU errors) detected within a microcontroller are connected to the central safety control unit.

The existing hardware requirements for safety have been briefly described.

Now the software developers' task begins: The response to each detected and reported error must be individually enabled in the safety control unit, and the required error response must be triggered depending on the potential impact of the error. An SMU offers the following responses for this purpose:

  • A recoverable error can optionally be handled by a software routine in the form of an interrupt service routine or an exception routine (non-maskable interrupt, NMI).
  • If an irreparable error is detected, a reset must be initiated.

It is therefore the responsibility of the programmers to determine how a system should or must react to a detected error.
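The lockstep comparison, the MPU grants and the per-alarm SMU responses described above fit together as shown in the following C model. It is an added example, not code from the original article or from any vendor's silicon; all names (alarm_t, response_t, smu_*, mpu_*, bus_access) are invented, and the access table is default-deny: anything not explicitly granted to a task is reported to the SMU.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the safety hooks discussed in the text; not a real
 * register layout. Alarm sources and the responses an SMU can trigger. */
typedef enum { ALARM_LOCKSTEP_MISCOMPARE, ALARM_MPU_VIOLATION,
               ALARM_CLOCK_DEVIATION, ALARM_COUNT } alarm_t;
typedef enum { RESP_NONE, RESP_INTERRUPT, RESP_NMI, RESP_RESET } response_t;

/* SMU: one programmer-chosen response per alarm source. Alarms that were
 * never configured default to RESP_RESET, the conservative choice. */
static response_t smu_table[ALARM_COUNT] = { RESP_RESET, RESP_RESET, RESP_RESET };

void smu_configure(alarm_t a, response_t r) { if (a < ALARM_COUNT) smu_table[a] = r; }
response_t smu_report(alarm_t a) { return a < ALARM_COUNT ? smu_table[a] : RESP_RESET; }

/* MPU: a grant lets one task read and/or write one address range. */
typedef struct { uint32_t base, size; uint8_t task; bool read, write; } mpu_region_t;
#define MPU_REGIONS 8
static mpu_region_t mpu[MPU_REGIONS];
static size_t mpu_count;

/* Rejects a full table, an empty range, and a range that would wrap past 2^32. */
bool mpu_grant(uint32_t base, uint32_t size, uint8_t task, bool read, bool write) {
    if (mpu_count >= MPU_REGIONS || size == 0 || base > UINT32_MAX - (size - 1)) return false;
    mpu[mpu_count++] = (mpu_region_t){ base, size, task, read, write };
    return true;
}

static bool mpu_allows(uint8_t task, uint32_t addr, bool is_write) {
    for (size_t i = 0; i < mpu_count; i++) {
        const mpu_region_t *r = &mpu[i];
        /* Subtract before comparing so base + size cannot overflow. */
        if (r->task == task && addr >= r->base && addr - r->base < r->size &&
            (is_write ? r->write : r->read))
            return true;            /* any matching grant suffices */
    }
    return false;                   /* default deny */
}

/* A bus access as the MPU sees it: permitted accesses pass silently, a
 * violation is reported to the SMU, which returns the configured response. */
response_t bus_access(uint8_t task, uint32_t addr, bool is_write) {
    return mpu_allows(task, addr, is_write) ? RESP_NONE : smu_report(ALARM_MPU_VIOLATION);
}

/* Lockstep: the checker core's result, produced a few clocks later, must match
 * the main core's result bit for bit; any mismatch goes to the SMU. */
response_t lockstep_compare(uint32_t main_result, uint32_t checker_result) {
    return main_result == checker_result ? RESP_NONE : smu_report(ALARM_LOCKSTEP_MISCOMPARE);
}
```

Choosing RESP_INTERRUPT for an MPU violation lets a handler log and recover, while a lockstep miscompare is usually unrecoverable and mapped to a reset.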

Security

The security of internally stored data and the possibility of protected or encrypted data transmission can be ensured by security modules (e.g. High Security Module, HSM).

These microcontroller modules are self-contained CPUs, protected behind a firewall. The rest of the microcontroller system cannot access the HSM resources.

This "security world" has its own private CPU, dedicated memory (flash and RAM), various crypto processors, and a random number generator. The secured system has access to the microcontroller bus system, allowing it to address all internal components and communicate with the outside world via communication peripherals (e.g., CAN, Ethernet, etc.).

Essential communication components, such as the Ethernet module, which are responsible for system-relevant and therefore encrypted data transmissions (e.g., via the High Security Module (HSM)), must be particularly well protected against unauthorized internal and external access. Software updates will become increasingly necessary in complex projects with a large number of lines of code. It is therefore essential to enable software over-the-air (SOTA) updates. This method is already used today, for example, in Tesla vehicles.

The use of autonomous/mobile systems

In order to develop mobile systems, all developers involved are confronted with completely new challenges.

All autonomously operating systems require a high level of expertise in the field of safety and security, as these devices must perform their tasks without the backup of an operator. Their operation must not endanger, injure, or even kill any person.

Multicore testing expertise for safety-relevant systems

This requires knowledge of how software components that

– are to be processed on different CPUs,
– are assigned to different safety classes (e.g. ASIL-A to ASIL-D), or
– are individually protected by Memory Protection Units (MPUs with read and/or write protection at the software task level)

must be tested correctly and comprehensively in accordance with the software requirements.

New challenges for developers and testers

Everyone involved in the development chain of such autonomously operating systems must be able to think holistically to ensure that truly safe devices are ultimately deployed. This includes skills and knowledge in, among other areas, the following:

  • Requirements Management / Requirements Engineering
  • Architectural Design
  • Safety and Security
  • various programming languages
  • Embedded multicore software development and design
  • Embedded multicore microcontrollers with modern architectures that ensure safety support and include security modules.
  • Multicore operating systems (OS/RTOS)
  • Debugging and Trace
  • Hypervisor application
  • Software simulation and testing

The aforementioned requirements apply to the project designers, embedded software developers, and testers involved. To meet these new requirements, they need more in-depth and comprehensive knowledge.

Prepare yourself for the new challenges – deepen your knowledge with MicroConsult's tailor-made training programs:

Requirements engineering and management for embedded systems

Embedded software design and patterns with C

Software architectures for embedded and real-time systems

Software quality in the program code

Software security (Safety and Security)

Object-Oriented Software Development – The Path to Clean Code for C++

Embedded multicore microcontrollers in practice

Real-time operating systems for embedded applications – RTOS

Further information

MicroConsult Expertise: Multicore & Microcontrollers

MicroConsult Expertise: Embedded Software Development

MicroConsult expertise: Safety & Security

All MicroConsult training & coaching

MicroConsult Newsletter

With the MicroConsult newsletter, you'll stay on the pulse of the embedded world. Look forward to proven practical knowledge, real professional tips, and current events – directly from our experts for your project success.


Published by

Renate Schultes