New ARM Cortex-R52 enables autonomous systems with the highest functional safety standards

Across multiple markets, electronic systems are becoming more complex - including automotive, industrial control and healthcare. Vehicles are beginning to drive themselves, industrial robots are becoming increasingly collaborative, and medical systems are automated to assist with surgery or deliver medication. More of these systems are demanding functionally safe operation and requiring that functional safety be provided at a higher safety level than previous generations of systems demanded. The new ARM® Cortex®-R52 processor has been introduced to addresses the challenging needs of these types of system.

cortex r-52.png

This rise in complexity can be demonstrated in vehicles, where the car compute is expected to rise by 100 times by 2020. For example, engine management systems continue to increase in complexity to meet ever more stringent emission controls and must safely control the engine to prevent damage or hazards like unintended acceleration.  Vehicle electrification requires control of very powerful motors and sophisticated management of batteries with a huge amount of stored energy – the large 90kWh lithium ion battery pack in a Tesla contains the equivalent amount of energy as 77kg of TNT explosive - so the consequences of errors are significant. On the industrial side, factory automation is increasing with autonomous robotics using machine learning and vision systems to enable them to work more flexibly and with less direct control.

Outside the factory, robotics will be used in environments too harsh for humans, such as the nuclear industry, where there is a need to maintain precise and assured operation. They can also be used in the medical operating theaters with remote surgery. In both areas functionally safe operation is critical.

Functional safety

It’s obvious that a car’s brakes need to work exactly when required in order to drive safely. Systems such as these require functional safety. Hazards or errors may occur however; hence a functionally safe system must be capable of detecting these to avoid unsafe situations.

A functionally safe system has to be protected against two types of errors: random or systematic.

Kite Safety 101.PNG

The impact of random errors, for example a memory bit flipping due to radiation, can be protected against through the inclusion of features in the processor. Cortex-R52 integrates the highest level of safety features of any ARM processor to guard against this type of error.

Kite Safety Summary.PNG

Systematic errors on the other hand are typically as a result of software or design errors. Protection against these is provided by the use of appropriate processes and procedures at design. Cortex-R52 has been developed from the ground up within a robust process to help protect it from these systematic issues. A comprehensive safety pack is available to SoC partners which simplifies and reduces the effort needed in certifying the end system.

There are a number of different standards and guidelines related to functional safety. As an example, ISO 26262 was developed for the automotive industry in which four Automotive Safety Integrity Levels (ASIL) are defined, of which D is the highest level.

You can read more about functional safety in The Functional Safety Imperative in Automotive Design whitepaper .

The rise of autonomous systems

There are a range of different applications where functional safety  and fast deterministic execution is necessary. In many real time control systems the application can be managed either with a single Cortex-R52 processor or across multiple homogeneous processors. This might be typical in a conventional control systems like an automotive engine management system or industrial controller.

As mentioned, more and more systems are moving towards autonomous behaviour.  We can divide the functions found in an autonomous system in to a set of stages: sense, perceive, decide, actuate.

Kite-SPDA.PNG
  • Sense: a broad range of sensors are used to gather raw information
  • Perceive: data from the sensors is used along with complex algorithms such as machine learning to interpret more about the environment in which the system is operating
  • Decide: the outputs from the various systems are gathered and a decision made
  • Actuate: the decision is carried out or communicated

ARM enables all aspects of these autonomous systems with processors from across the Cortex-A, Cortex-R and Cortex-M families being used according to the need of each stage. The decide and actuate stages must be functionally safe. As an example, the decision stage can take inputs from the navigation system, speed sensors and all of the vision and radar systems and decide when to change lane or to get ready to exit the highway.

Automotive is a prime example of the move to autonomous systems.  We are already seeing driver assistance systems such as lane detection, where the driver is notified, moving to lane keeping where action is taken. Vehicles are introducing functionality on the way to autonomy such as automatic lane changing, that only experimental had previously supported.

The trend is also being seen in other areas. Conventional robotic production lines, where robots carry out a defined fixed task and are segregated from operators, are being replaced by collaborative industrial robots. These have unconstrained interaction with human operators, sensing their environment and taking action safely.  They may be capable of selecting and placing the correct component while working in conjunction with a human operator on the same assembly and avoiding a hazardous conflict. Surgical robots are also increasingly being used to help provide improved patient outcomes and future commercial autonomous drones are expected to be in need of these characteristics.

Autonomous system.PNG

As with the previous real time control system there is a need to take inputs from sensors, decide what to do and then command action.

These autonomous systems need to apply another level of judgement by interpreting more about the environment in which they are operating. These tasks can be confidence based and require high levels of throughput to process large amounts of data. Such operations are well suited to Cortex-A class of processors.

These systems still need to be functionally safe with deterministic execution. When combined together in a heterogeneous processor, the Cortex-R52 can provide a safety island protecting the operation of the system.

In the case of an ADAS system, inputs can be gathered from sensors such as cameras, Radar and Lidar. This data is processed and combined by the Cortex-A processors to identify and classify targets.  This information can be passed to the Cortex-R52 to decide what action to take and perform the necessary checks on the operation to ensure safe operation.

Increasing software complexity

As the functionality of a system has evolved, the complexity of both hardware and software has also increased. Systems are now integrating more software from multiple sources and with multiple safety criticality needs. This is a complex integration challenge.

Safety critical software needs to be validated and certified; a time consuming and complex exercise. Because of the interaction between the software, the entire software stack would typically be safety certified, even if only a small proportion is safety critical. The more complex the system, the harder this becomes.

Kite SW complexity.PNG

A better solution would be the ability to guarantee the independence of safety critical code.  This would simplify the development and integration of functional safety software,  with clear separation between different levels of software criticality. Safety code, critical safety code and non-safety code can each be validated and certified to their required level. Providing this independence means that changes to one module do not require wholesale re-certification of all of the software, thus saving time and effort.

For many of these systems it is important to remember that this separation must be achieved whilst still maintaining deterministic execution.

Cortex-R52 is unique in providing the hardware to support both isolation and real-time execution, and this is achieved through the addition of a new exception level and 2-stage MPU, introduced in the ARMv8-R architecture. This can be used by monitor or hypervisor software to manage access to resources and create sandboxes to protect each task. The design of the Cortex-R52 allows for fast switching between protected applications and maintains deterministic execution.

At the same time as offering protection of software it also simplifies the integration of code together into a single processor. Through the use of a hypervisor, multiple operating systems can be supported more easily, thus enabling consolidation of applications.

Delivering real time performance

Many of these systems I described above require deterministic operation, with the appropriate action being not only controlled but also performed at the right time and without significant delay, regardless of what else is happening in the system.

The Cortex-R family offers real-time processors with high-performance for embedded systems. Cortex-R52 is the first processor in the ARMv8-R architecture and further extends the capabilities of the Cortex-R5, both in terms of functional safety and increased performance.

Cortex-R52 delivers up to 35% higher single core performance over Cortex-R5, when running standard benchmarks. EEMBC has independently certified and published the results of their Automotive Industrial benchmark confirming the processor’s increased capability. Results were achieved using the Green Hills Compiler 2017.

This benchmark performance increase is enhanced by additional real time performance gains. Through fast access and integration of the interrupt controller within the cluster, interrupt latency has been reduced to half that of the Cortex-R5. The improved Memory Protection Unit, with finer granularity and faster reconfiguration, significantly reduces context switching time, to 14 times faster than the Cortex-R5. Compared to the Cortex-R5, system performance is further increased as twice as many Cortex-R52's can integrated within a cluster.

Cortex-R52 supports an adaptable memory architecture with deterministic Tightly Coupled Memories integrated within the processor. These enable assured memory latencies and they can be flexibly allocated to Instruction or Data and configured in a range of sizes to meet the application needs. The processor supports a rich set of interface ports around which the system can be built. Interfaces include a Low Latency Peripheral Port, AXI interfaces and a dedicated wide Flash memory interface to provide access to resources with managed arbitration.

Leveraging the power of ARM

The adoption of Cortex-R52 comes with a lot more than just the processor. The ARM architecture has amassed a broad following of adopters and developers within its ecosystem. With silicon partners delivering hardware to the market, it’s the number one architecture with, at the time of writing, more than 86 billion chips shipped.

Ecosystem partners provide the widest choice of software packages, drivers, stacks, while operating systems and tools - simplifying development for users. Adopters of the Cortex-R52 can leverage this common architecture to reduce costs through availability of multiple suppliers capable of addressing their requirements with the architecture. They can develop on a single platform and implement heterogeneous systems and port solutions between different platforms faster and with more reliable results. For more information check out ARM's software development tools for ARM Cortex-R.

ARM EcoSystem.PNG

Cortex-R52 addresses increased sophistication in safety applications

A high level of deterministic functional safety is needed in automotive, industrial, aerospace and medical markets (amongst others) where there is the need to devolve more autonomy in electronic systems. The Cortex-R52 processor has been designed to address the trend of increasing sophistication in safety applications which are driving a need for higher levels of performance, greater support for functional safety and an improved approach to software separation.

Anonymous
Related