WP_Term Object
(
    [term_id] => 159
    [name] => Siemens EDA
    [slug] => siemens-eda
    [term_group] => 0
    [term_taxonomy_id] => 159
    [taxonomy] => category
    [description] => 
    [parent] => 157
    [count] => 717
    [filter] => raw
    [cat_ID] => 159
    [category_count] => 717
    [category_description] => 
    [cat_name] => Siemens EDA
    [category_nicename] => siemens-eda
    [category_parent] => 157
)
Q2FY24TessentAI 800X100 
WP_Term Object
(
    [term_id] => 159
    [name] => Siemens EDA
    [slug] => siemens-eda
    [term_group] => 0
    [term_taxonomy_id] => 159
    [taxonomy] => category
    [description] => 
    [parent] => 157
    [count] => 717
    [filter] => raw
    [cat_ID] => 159
    [category_count] => 717
    [category_description] => 
    [cat_name] => Siemens EDA
    [category_nicename] => siemens-eda
    [category_parent] => 157
)
Siemens EDA
Posted on by Daniel Payne

Hardware Root of Trust for Automotive Safety

Hardware Root of Trust for Automotive Safety
by Daniel Payne on 04-13-2023 at 10:00 am
Categories: EDA, Siemens EDA

Traveling by car is something that I take for granted and I just expect that my trips will be safe, yet our cars are increasingly using dozens of ECUs, SoCs and millions of lines of software code that combined together present a target for hackers or system failures. The Automotive Safety Integrity Levels (ASIL) are known by the letters: A, B, C, D; where the ISO 26262 standard defines ASIL D as the highest degree of automotive hazard. Reliability metrics for an automotive system are Single Point Fault Metric (SPFM) and Latent Fault Metric (LFM).

Siemens EDA worked together with Rambus on a functional safety evaluation for automotive using the RT-640 Embedded Hardware Security Module with about 3 million faults, reaching ISO 26262 ASIL-B certification, by achieving a SPFM > 90% and a LFM > 60%. The two Siemens tools used for functional safety evaluations were:

  • SafetyScope
    • Failures In Time (FIT)
    • Failure Mode Effect and Diagnostic Analysis (FMEDA) – permanent and transient faults, fault list
  • KaleidoScope
    • Fault simulation on the fault list
    • Fault detected, not detected, not observed

The Rambus RT-640 is a hardware security co-processor for automotive use, providing the root of trust, meeting the ISO 26262 ASIL-B requirements. Architectural blocks for the RT-640 include a RISC-V secure co-processor, secure memories and cryptographic accelerators.

Rambus, RT 640,
Rambus RT-640 Root of Trust

Your automotive SoC would add an RT-640 to provide secure execution of user apps that are authenticated, stop tampering, provide secure storage, and thwart side-channel attacks. Software cannot even reach the critical tasks like key derivation done in hardware. All of the major processor architectures are supported: Intel, RISC-V, Arm.

Security warranties, and hardware cryptographic accelerators are supported, plus there’s protection against glitching and over-clocking.

For the functional safety evaluation there was a manually defined fault list for signals covered by the provided safety mechanism. SafetyScope then reported the estimated FMEDA metrics, so an initial idea of the core’s safety level. Modules that that didn’t affect the core safety or were not safety critical  were pruned from the fault list.

The Fault Tolerant Time Interval (FTTI) tells the tool how long to look for a fault to be propagated before an alarm is set. FTTI impacts fault simulation run times, so a balance is required. The max concurrent fault number was set between 600 to 1,000 faults from experimentation. A two-step fault campaign approach was used to get the best results in the least amount of time.

Unclassified faults were faults not injected and not observed, so to reduce the number of non-injected faults they used two reduction methods:

  • Bus-simplification – when one or more bits are detected for a certain fault, the safety mechanism works well. Faults on the remaining bits of the bus are also considered detected.
  • Duplication-simplification – all faults not injected or observed the are part of a duplicated module are classified as detected.

Both permanent and transient fault campaigns were run on the RT-640 co-processor, taking some 12 days to complete when run on an IBM LSF HPC environment with parallel execution. The estimated SPFM numbers came from the first run of SafetyScope.

RT 640 faults min
RT-640 fault campaign results

These fault campaign results exceed the ISO 26262 requirements of SPFM > 90% and LFM > 60% for ASIL-B certification.

Summary

Siemens and Rambus showed a methodology to evaluate the RT-640 co-processor, with nearly 3 million faults, reaching a total SPFM value of 91.9%, plus a TFM of 75%, exceeded the requirements of the ASIL-B safety level in automotive applications.  This is good news for electronics systems used in cars, ensuring drivers that their travels are safer, drama-free and resistant to hacking efforts. Using a hardware root of trust like the Rambus RT-640 makes sense for safety-critical automotive applications, and the fault campaign results confirm it.

Read the complete 11 page white paper on the Siemens site.

Related Blogs

 

Share this post via:

Comments

There are no comments yet.

You must register or log in to view/post comments.