Safety and security are interesting topics; they are closely related and complementary to one another, despite being distinct disciplines in the context of systems and SoC design. They are so close, that some languages (like French) even use the same word to describe them - although it’s worth noting that secure systems can be unsafe and safe systems can arguably be insecure. It is Arm’s aspiration that systems are always safe and secure, which is why we hire and engage with leading experts in both disciplines, to realize effective solutions. Arm is also a continuous improvement organisation and we look to achieve more as technology advances.
The classical relationship between a system and its environment is shown below in Figure 1, although this view is increasingly misaligned with the connected world. In a simple model, security prevents the environment from adversely affecting the system, which could be an outside agent trying to access assets or take control. Safety prevents the system affecting the environment in an uncontrolled way that could lead to a hazard (for example, a fault occurring within the system that leads to the windscreen wipers malfunctioning, or brakes not working as expected). The two form a complementary ‘firewall’ to isolate the system with control of communication so that both security and safety objectives are met.
Figure 1: Safety and security, a simplified relationship between a system and its environment
A more holistic view defines security as the ‘protection of assets and defence from malicious attack’. The classical view considers protection of assets similarly to a locked box, but ignores the possibility of external interference, which prevents effective operation. External effects are also important for functional safety, as the requirement for freedom from interference may force the system to stop or be less effective, in order to prevent hazardous behaviour.
For example, where V2X is used for autonomous driving the system must secure the communications as part of a trusted relationship. To stay safe the car needs to keep working even if V2X becomes unavailable (maliciously or otherwise).
Another question is how safety fits with the Reliability, Availability and Serviceability (RAS) technology, which Arm first developed to reduce the Failure In Time (FIT) rate of infrastructure and mobile products. Arm’s RAS architecture standardises error reporting to aid diagnosis and recovery. The use of ECC in memories provides resilience to transient and permanent faults. All of these mechanisms are also useful for functional safety, which builds on Arm’s RAS architecture. This is to be expected, as like safety and security - reliability, availability and serviceability are all forms of dependability, as is integrity, which Arm addresses in their product development.
In most systems realizing a practical security capability requires a combination of hardware and software. Although best known for its silicon IP used in SoC devices, Arm is also a developer of security enabling software.
The range of Arm TrustZone technology products, include capabilities within the Arm Cortex-A, Cortex-R and Cortex-M processor families. Arm also provides system IP to help divide resources between the secure and non-secure worlds. Recent products in all families of Arm’s processor cores facilitate a secure execution environment, and are supported by software, such as Arm’s Trusted Firmware and a broad ecosystem of operating system vendors.
Arm TrustZone CryptoCell products build upon Arm’s processor IP to protect assets such as keys, certificates and digital rights. They also provide a root of trust and facilitate secure booting of software. The functionality of CryptoCell includes random number generation and acceleration of encryption.
Collectively the Arm TrustZone products form a solution to help secure the next generation of functional safety systems.
The essence of functional safety is to avoid errors and prevent hazards (including fatality). The developers of safe systems achieve this by designing fault detection and control capabilities into their products, so that faults are identified and their effects mitigated before a hazardous error occurs. The proportion and type of faults to be detected, depends on the development’s safety concept and is often guided by the suggestions and examples given within functional safety standards (such as ISO 26262 and for defined Automotive Safety Integrity Levels (ASILs) or SILs in IEC 61508 terminology). The highest integrity systems require a greater fault detection capability, known as diagnostic coverage. ASIL D and SIL 3 are at the at the upper end of the spectrum (as show by Figure 2) and are recommended to have a Single Point Fault Metric (SPFM) of at least 99% and 90% coverage of latent faults.
Figure 2. Example single point fault metrics by safety integrity level
There’s also a human element to development as all engineers are fallible. Human error leads to systematic faults, those inherent in the design, such as misinterpretation of specifications, forgetfulness, mistakes or faults caused by design tools. Developments for functional safety must guard against such faults and Arm helps partners by developing it’s IP with a rigorous development process using leading EDA tools. Arm has a growing portfolio of products suitable for use in ASIL D systems with many more in development. You can read more detail on functional safety in the whitepaper: The Functional Safety Imperative in Automotive Design.
[CTAToken URL = "/processors/b/blog/posts/white-paper-the-functional-safety-imperative-in-automotive-design" target="_blank" text="Download Arm's Functional Safety whitepaper" class ="green"]
In 2016, Arm launched Cortex-R52, a processor designed from the ground up to meet the real-time and safety needs of many segments including; automotive, robotics, industrial and medical. It has a wide range of applications, including MCU, powertrain and chassis and programmable logic controllers (PLCs), or as a safety island within larger SoCs for Advanced Driver Assist Systems (ADAS) and robotic controllers. You can learn more in the blog New Arm Cortex-R52 enables autonomous systems with the highest functional safety standards.
As electronic systems assume more responsibility for tasks that directly affect our daily lives, it’s crucial that we can rely on them to be both safe and secure. Functional safety and security are two distinct topics that go hand-in-hand to ensure systems are dependable, without exhibiting hazardous behaviour or wrongfully revealing our information assets.
Arm is an IP vendor experienced with both security and functional safety, making its products well placed to enable success in automotive, industrial and other markets where both functional safety and security are essential.
Attending DAC this year? Join me on June 20th, 13:30 – 15:00 in Ballroom G - where I will be speaking about redundant execution for performant high-integrity systems.
[CTAToken URL = "http://pages.arm.com/SoC-design-news.html" target="_blank" text="Sign up for SoC Design updates" class ="green"]
Using terms like "trust" and "security" in relation to firmware, even automotive, is quite funny. These are usually the exact opposite of trustworthy and secure.