ebook img

in airborne electronic hardware – failure mode and mitigation PDF

241 Pages·2013·6.94 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview in airborne electronic hardware – failure mode and mitigation

Research Project EASA.2012/04 COTS-AEH – Use of complex COTS (Commercial-Off-The-Shelf) in airborne electronic hardware – failure mode and mitigation Disclaimer This study has been carried out for the European Aviation Safety Agency by an external organization and expresses the opinion of the organization undertaking the study. It is provided for information purposes only and the views expressed in the study have not been adopted, endorsed or in any way approved by the European Aviation Safety Agency. Consequently it should not be relied upon as a statement, as any form of warranty, representation, undertaking, contractual, or other commitment binding in law upon the European Aviation Safety Agency. Ownership of all copyright and other intellectual property rights in this material including any documentation, data and technical information, remains vested to the European Aviation Safety Agency. All logo, copyrights, trademarks, and registered trademarks that may be contained within are the property of their respective owners. Reproduction of this study, in whole or in part, is permitted under the condition that the full body of this Disclaimer remains clearly and visibly affixed at all times with such reproduced part. COTS-AEH EASA Failure Mode & Mitigation EASA.2012.C15 “COTS-AEH” Project. COTS-AEH - USE OF COMPLEX COTS (COMMERCIAL-OFF-THE-SHELF) IN AIRBORNE ELECTRONIC HARDWARE – FAILURE MODE AND MITIGATION THALES AVIONICS Dossier ref. CCC/13/001303– Rev. 05 Authors: Philippe BIETH, Vincent BRINDEJONC Thales Avionics page 1 Réf. CCC/13/001303 – rev. 05 COTS-AEH EASA Failure Mode & Mitigation REVISIONS Revision Date Effect on § Description 00.1 13/02/2013 - Creation of the document 00.2 01/03/2013 All First draft delivery to EASA 00 11/03/2013 All First Release of the COTS-AEH Report 01 09/04/2013 All First Release with integration of EASA comments 02 31/05/2013 All Second Release of the COTS-AEH Report 03 07/06/2013 All Third release for Cologne meeting 04 20/09/2013 5, 6, 7, 8, 9, 10 Fourth release: final draft for comments 05 27/11/2013 3, 5, 6, 9, 10 Final version with comments taken into account Thales Avionics page 2 Réf. CCC/13/001303 – rev. 05 COTS-AEH EASA Failure Mode & Mitigation Table of Content THALES DISCLAIMER ............................................................................................................................................................... 11 ACKNOWLEDGEMENTS ............................................................................................................................................................ 13 EXECUTIVE SUMMARY ............................................................................................................................................................. 15 1 BACKGROUND .................................................................................................................................................................. 17 1.1 Concern ............................................................................................................................................. 17 1.2 Purpose of the Survey ...................................................................................................................... 19 1.3 Methodology Outline ....................................................................................................................... 20 1.4 Structure of the Report ................................................................................................................... 21 2 AIMS AND OBJECTIVES ................................................................................................................................................. 23 2.1 EASA Expectations .......................................................................................................................... 23 2.2 Project objectives ............................................................................................................................. 23 3 GLOSSARY ......................................................................................................................................................................... 25 3.1 Acronyms .......................................................................................................................................... 25 3.2 Key Definitions ................................................................................................................................. 26 3.2.1 Definitions relatives to hardware items classification ............................................................... 26 3.2.2 Definitions relative to Board and COTS Architectures ............................................................. 27 3.2.3 Definitions relative to risk analysis ........................................................................................... 29 4 LITERATURE REVIEW ................................................................................................................................................... 31 4.1 Safety related avionic standards & guidelines .............................................................................. 31 4.2 Others industrial sectors standard ................................................................................................. 32 4.3 Studies on COTS–AEH usage in Avionics..................................................................................... 32 5 STATE OF THE ART ......................................................................................................................................................... 35 5.1 Generic Embedded Computing Architecture ............................................................................... 35 5.2 COTS Selection ................................................................................................................................ 36 5.3 State of the art of embedded COTS ............................................................................................... 37 5.3.1 Bridges and switches ................................................................................................................. 37 5.3.2 Avionics Specific interface drivers ............................................................................................ 40 5.3.3 Memories ................................................................................................................................... 42 5.3.4 Microcontrollers ........................................................................................................................ 47 6 METHODOLOGY .............................................................................................................................................................. 57 6.1 Breakdown level ............................................................................................................................... 57 6.2 Abstraction Level ............................................................................................................................. 58 6.3 Failure modes at logical level .......................................................................................................... 58 6.3.1 List of failure modes .................................................................................................................. 58 6.3.2 Comprehensiveness of the failure model ................................................................................... 61 6.3.3 Particular failure modes at the hardware – software interface .................................................. 63 6.4 Fault classification ........................................................................................................................... 63 Thales Avionics page 3 Réf. CCC/13/001303 – rev. 05 COTS-AEH EASA Failure Mode & Mitigation 6.5 General procedure ........................................................................................................................... 65 6.5.1 General overview ....................................................................................................................... 65 6.5.2 Top - down approach ................................................................................................................. 66 6.5.3 Bottom - up approach ................................................................................................................ 66 6.5.4 Failures Detection and mitigation .............................................................................................. 67 7 COTS INTERFACE FAILURE MODE ANALYSIS ....................................................................................................... 69 7.1 introduction ...................................................................................................................................... 69 7.2 Discrete I/O ....................................................................................................................................... 70 7.2.1 Description ................................................................................................................................. 70 7.2.2 Failure modes ............................................................................................................................. 71 7.2.3 Intrinsic failure mitigation mechanisms .................................................................................... 72 7.3 Serial Peripheral Interface (SPI) bus ............................................................................................. 72 7.3.1 Description ................................................................................................................................. 72 7.3.2 Failure modes ............................................................................................................................. 73 7.3.3 Intrinsic failure mitigation mechanisms .................................................................................... 75 7.4 Arinc 429 ........................................................................................................................................... 75 7.4.1 Description ................................................................................................................................. 75 7.4.2 Failure modes ............................................................................................................................. 76 7.4.3 Intrinsic robustness of the physical layer................................................................................... 77 7.4.4 Intrinsic failure mitigation mechanisms .................................................................................... 78 7.5 MIL-STD-1553 ................................................................................................................................. 78 7.5.1 Description ................................................................................................................................. 78 7.5.2 Failure modes ............................................................................................................................. 82 7.5.3 Intrinsic robustness of the physical layer................................................................................... 84 7.5.4 Intrinsic failure mitigation mechanisms .................................................................................... 85 7.6 PCI bus ............................................................................................................................................. 85 7.6.1 Description ................................................................................................................................. 85 7.6.2 Failure modes ............................................................................................................................. 88 7.6.3 Intrinsic failure mitigation mechanisms .................................................................................... 90 7.7 PCIe bus ............................................................................................................................................ 91 7.7.1 Description ................................................................................................................................. 91 7.7.2 Failure modes ............................................................................................................................. 94 7.7.3 Intrinsic robustness of the physical layer................................................................................... 97 7.7.4 Intrinsic failure mitigation mechanisms .................................................................................... 97 8 COTS INTERNAL FAULTS ............................................................................................................................................ 101 8.1 introduction .................................................................................................................................... 101 8.2 Bridges ............................................................................................................................................ 102 8.2.1 Introduction and Available data ............................................................................................... 102 8.2.2 Architecture description ........................................................................................................... 103 8.2.3 Block study .............................................................................................................................. 104 8.2.4 Concluding remarks ................................................................................................................. 122 8.3 ARINC 429 Interface Drivers ....................................................................................................... 122 8.3.1 Introduction and available data ................................................................................................ 122 8.3.2 Architecture description ........................................................................................................... 123 8.3.3 Failure modes ........................................................................................................................... 125 8.3.4 Failure Detection & Mitigation ............................................................................................... 128 Thales Avionics page 4 Réf. CCC/13/001303 – rev. 05 COTS-AEH EASA Failure Mode & Mitigation 8.3.5 Concluding remarks ................................................................................................................. 128 8.4 MIL-STD-1553 Interface Drivers ................................................................................................ 128 8.4.1 Introduction and available data ................................................................................................ 128 8.4.2 Architecture description ........................................................................................................... 128 8.4.3 Failure modes ........................................................................................................................... 130 8.4.4 Intrinsic robustness of the physical layer and failure mitigation mechanisms ........................ 132 8.4.5 Concluding remarks ................................................................................................................. 132 8.5 DDRx SDRAM memories ............................................................................................................. 133 8.5.1 Introduction and available data ................................................................................................ 133 8.5.2 Architecture description ........................................................................................................... 133 8.5.3 Block study .............................................................................................................................. 137 8.5.4 Failure Detection & Mitigation ............................................................................................... 142 8.5.5 Concluding remarks ................................................................................................................. 142 8.6 Flash memories .............................................................................................................................. 143 8.6.1 Introduction and available data ................................................................................................ 143 8.6.2 Architecture description ........................................................................................................... 143 8.6.3 Failure modes ........................................................................................................................... 145 8.6.4 Intrinsic robustness .................................................................................................................. 146 8.6.5 Intrinsic failure mitigation mechanisms .................................................................................. 146 8.6.6 Concluding remarks ................................................................................................................. 146 8.7 Microcontrollers ............................................................................................................................ 147 8.7.1 Introduction and available data ................................................................................................ 147 8.7.2 Architecture description ........................................................................................................... 148 8.7.3 Block study .............................................................................................................................. 149 8.7.4 Concluding remarks ................................................................................................................. 162 8.8 Multicore Microcontrollers ........................................................................................................... 162 8.8.1 Introduction and available data ................................................................................................ 162 8.8.2 Architecture description ........................................................................................................... 164 8.8.3 Block study .............................................................................................................................. 166 8.8.4 Concluding remarks ................................................................................................................. 179 9 DETECTION ISOLATION AND MITIGATION OF COTS DESIGN FAILURES .................................................. 181 9.1 introduction .................................................................................................................................... 181 9.2 COTS Specification and test base mitigation .............................................................................. 183 9.2.1 Inputs data and associated studies ........................................................................................... 183 9.2.2 COTS specifications ................................................................................................................ 184 9.2.3 Tests with regard to specification and usage domain limitation.............................................. 185 9.2.4 Test results and constraints on COTS specification ................................................................ 193 9.3 Mechanisms for detection and mitigation of design errors ....................................................... 195 9.3.1 Introduction .............................................................................................................................. 195 9.3.2 Internal failure detection / mitigation mechanisms ................................................................. 197 9.3.3 Mixed mechanisms .................................................................................................................. 199 9.3.4 Architectural mechanisms ....................................................................................................... 200 9.3.5 Monitoring Mechanisms for latent failures ............................................................................. 218 10 CONCLUSION AND RESULT SUMMARY .................................................................................................................. 221 10.1 Summary of report activities ........................................................................................................ 221 10.1.1 Breakdown and Abstraction levels ........................................................................................ 221 Thales Avionics page 5 Réf. CCC/13/001303 – rev. 05 COTS-AEH EASA Failure Mode & Mitigation 10.1.2 Global analysis process .......................................................................................................... 221 10.2 Implementation strategy proposal ............................................................................................... 222 11 REFERENCES .................................................................................................................................................................. 225 ANNEX 1: MAPPING OF A MULTICORE CONFIGURATION, CONTROL AND STATUS REGISTER (CCSR) .... 229 ANNEX 2: SUMMARY OF SUGGESTIONS .......................................................................................................................... 235 Thales Avionics page 6 Réf. CCC/13/001303 – rev. 05 COTS-AEH EASA Failure Mode & Mitigation List of Figures Figure 1: Typical evolution from microprocessor (IS0) to microcontroller (IS2 & IS3). ............................. 18 Figure 2: Typical Computer architecture. ...................................................................................................... 35 Figure 3: example of PCI sub-network architecture through PCI-PCI Bridges. ........................................... 38 Figure 4: schematic view of a switch ............................................................................................................ 39 Figure 5: A switch in an A664 network. ........................................................................................................ 40 Figure 6: DDC MIL-STD-1553 driver evolution (from http://www.ddc- web.com/Images/New/Evolution.jpg). .......................................................................................................... 42 Figure 7: Memory access evolution between SRAM (no controller) and DDR SDRAM (complex controller). ..................................................................................................................................................... 43 Figure 8: Transfer of data on both edges of clock signal in a DDR (source [22]) ........................................ 44 Figure 9: Simplified view of DDRx architecture. ......................................................................................... 45 Figure 10: NAND and NOR Flash from [80] ................................................................................................ 46 Figure 11: a typical board architecture around a MPC 4748. ........................................................................ 47 Figure 12 : Internal Block diagram for the MPC8610. .................................................................................. 48 Figure 13: typical MCU architecture with internal bus ................................................................................. 49 Figure 14: MCU architecture with Switch. .................................................................................................... 49 Figure 15: Moore law (src. Wikipedia [8]) .................................................................................................... 50 Figure 16: IBM power 4 architecture. ........................................................................................................... 52 Figure 17: Cell: example of a heterogeneous multicore processor. ............................................................... 53 Figure 18: Black box (left) and grey box (right) point of view on a COTS. Note: the white box point of view has not been represented here. .............................................................................................................. 57 Figure 19: Example of a logical state diagram for information transfer. Although some transition have been hidden on the scheme, all are in principal possible unless some applicative restrictions. ............................ 59 Figure 20: representation of message loss. .................................................................................................... 59 Figure 21: representation of untimely transfer of message. .......................................................................... 60 Figure 22: Untimely transfer of message (Delay) ......................................................................................... 60 Figure 23: representation of abnormal sequence of messages. ...................................................................... 60 Figure 24: Representation of untimely transition between information states. The green dashed lines represent the requested transitions. The red empty lines the realized transitions. ......................................... 61 Figure 25: Representation of Impossible Transition between information states. . The green dashed lines represent the requested transitions. The red empty lines the realized transitions. ......................................... 61 Figure 26: Tree representation of failure cases .............................................................................................. 62 Figure 27 : General View on COTS with embedded SW. The lines represent flows that can failed, dashed lines represent flows that shall not exist. The partitionning symbolized here can be spatial or temporal. ... 63 Figure 28: General positioning of COTS faults ............................................................................................. 66 Figure 29: GPIO undetermined band and corresponding logical level state diagram; .................................. 71 Figure 30: SPI bus basic principle ................................................................................................................. 72 Figure 31: ARINC 429 topologies: star (on left side), bus-drop (on right side). .......................................... 75 Figure 32: ARINC 429 encoding. .................................................................................................................. 76 Figure 33: General ARINC 429 word structure. ........................................................................................... 76 Figure 34: MIL-STD-1553 Bus topology. ..................................................................................................... 79 Figure 35: MIL-STD-1553 data encoding; .................................................................................................... 79 Figure 36: General MIL-STD-1553 word structure. ..................................................................................... 80 Figure 37: Sequence diagram of a typical message compound of 4 words in MIL-STD-1553. ................... 81 Figure 38: Summary of MIL-STD-1553 failures states ................................................................................ 84 Figure 39 : PCI Pin list from PCI Local Bus Specification [29] ................................................................... 86 Thales Avionics page 7 Réf. CCC/13/001303 – rev. 05 COTS-AEH EASA Failure Mode & Mitigation Figure 40: Chronogram for a basic read operation, showing the state of the different signal involved. Signal followed by“#” are active at low voltage level [29] ...................................................................................... 87 Figure 41: a typical PCI architecture with three connected devices of master type and an arbiter. Only main lines have been represented. Bold line stand for multiple wires; R is REQ and G is GNT. ......................... 88 Figure 42: PCIe abstraction layers [32] [31] ................................................................................................. 92 Figure 43: Packet structure with the colour code of Figure 42 [31] .............................................................. 93 Figure 44: PCIe bus topology [32] ................................................................................................................ 94 Figure 45: End-to-End transaction CRC........................................................................................................ 98 Figure 46: Link CRC ..................................................................................................................................... 98 Figure 47: Frame retransmission principle .................................................................................................... 99 Figure 48: Adjacent device’s memory availability principle ........................................................................ 99 Figure 49: Flow control management buffer overview. Here TLP stands for TL Packet, P for Posted, NP for Non-Posted and CPL for Completion, the suffix H stands for Header and D for Data. [31] ................ 100 Figure 50: Fictitious example of non-publicly documented common path: (1) Reference Manual representation, (2) Under NDA representation. ........................................................................................... 101 Figure 51: Typical block diagram of a PCI-PCIe bridge [34]). ................................................................... 103 Figure 52: PCI and PCIe interfaces of the bridge. ....................................................................................... 104 Figure 53: Buffer management block structure. (Adapted from [34]) ........................................................ 105 Figure 54: A scenario for transaction loss in bridge; ................................................................................... 106 Figure 55: A scenario for untimely transaction emission in bridge. Transaction Nr 6 is send with undetermined data; ....................................................................................................................................... 106 Figure 56: A variant scenario for untimely transaction emission in bridge. Transaction Nr 6 is send with transaction Nr7 data; .................................................................................................................................... 106 Figure 57: Abnormal sequence due to selection of the wrong entry in buffers (transaction Nr2 will be sent before Nr1). .................................................................................................................................................. 107 Figure 58: untimely transition of information by direct corruption of data buffer. ..................................... 107 Figure 59 : untimely transition of information by pointer non-synchronization. ........................................ 107 Figure 60: An alternative scenario for transaction loss in bridge; ............................................................... 108 Figure 61: (Non) Detection of buffer management block errors. ................................................................ 109 Figure 62 : Clock structure of Bridge TSI384 (adapted from [34]). ........................................................... 113 Figure 63 : Bridge error handling principle (interpreted from [34]); .......................................................... 115 Figure 64 : Bridge PCIe error handling principle (interpreted from [34]); ................................................. 115 Figure 65 : summary of error handling block possible failures; .................................................................. 116 Figure 66 : Bridge level reset feature summary; ......................................................................................... 118 Figure 67 : Context diagram of Reset Block; .............................................................................................. 119 Figure 68 : Reset state diagram of the bridge; ............................................................................................. 120 Figure 69: HOLT HI-3585/3586 block diagram; ........................................................................................ 123 Figure 70 : DD-00429 ASIC with external analogue adaptors block diagram; .......................................... 124 Figure 71 : Generic block diagram of A429 driver; .................................................................................... 124 Figure 72: DDC AceXtreme block diagram from [41]. .............................................................................. 129 Figure 73: MIL-STD-1553 Driver Block diagram ...................................................................................... 130 Figure 74: Internal architecture of a DDRx SDRAM (from [42])............................................................... 134 Figure 75: Simplified architecture of DDR SDRAM .................................................................................. 134 Figure 76 : DDR3 state diagram (from [42] and [43]). Principal zones have been highlighted. ................ 136 Figure 77: Some possible failure of addressing operation. The incorrect valid address case is treated in forthcoming paragraphs. .............................................................................................................................. 137 Figure 78: Data storage block substructure (from [42]). ............................................................................. 139 Figure 79: Data transfer interface block substructure (from [42]). ............................................................. 141 Thales Avionics page 8 Réf. CCC/13/001303 – rev. 05

Description:
The intent of this report is to provide a global methodology to tackle design errors of COTS in airborne .. ED-80/DO-254: Design Assurance Guidance for Airborne Electronic Hardware. [4] [46] Lattice Semiconductor, Inc., “NAND Flash Controller - RD1055 v01.2,” Lattice Semiconductor, Inc.,. 2010
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.