Reducing SEU Sensitivity in LIN Networks:
Selective and Collaborative Hardening Techniques
A. Vaskova, A. Fabregat, M. Portela-García, M. García-Valderas, C. López-Ongil
Electronic Technology Department, Carlos III University of Madrid, Leganés, Spain
[email protected]
M. Sonza Reorda
Dipartimento di Automatica e Informatica, Politecnico di Torino, Torino, Italy
[email protected]
Abstract: Digital electronic systems in automotive applications
are in charge of different tasks, ranging from very critical control
functions (e.g., airbag, ABS, ESP) to comfort services (e.g.,
handling of mirrors, seats, windows, wipers). Hardening these
systems involves suitably trading off cost and reliability. Due to
standards and regulations in the area, the reliability of subsystems
involved even in the least critical applications has to be evaluated,
and in most cases hardening has to be performed with very low
extra cost. In this work, two approaches are proposed for
hardening the LIN bus, which implements a serial communication
network typically used in low-throughput and low-cost sub-systems
in automotive applications. First, critical elements in LIN nodes
are identified and some techniques to harden them are proposed
following a selective hardening approach. Secondly, collaborative
hardening techniques are proposed for reducing global sensitivity
in a LIN network built with commercial devices, trying to achieve a
high degree of robustness in the network with low cost solutions.
We report some experimental results that allow evaluating the
hardware cost and the robustness of the proposed techniques.
Keywords: SEUs, Mitigation Techniques, LIN Bus,
Collaborative Hardening, Selective Hardening
I. INTRODUCTION
Digital electronic systems working in automotive
applications are in charge of different tasks, ranging from very
critical control functions (e.g., airbag, ABS, ESP) to comfort
services (e.g., handling of mirrors, seats, windows, wipers).
Even in the latter case, safety is an issue, and regulations and
standards mandate a detailed evaluation of the effects of
possible faults, as well as actions to achieve a minimum level
of dependability.
Every digital device working at the earth’s surface could be
affected by ionizing radiation coming from the sun and passing
through the earth’s atmosphere, generating secondary radiation
where neutrons have the main role. This radiation can provoke
transient faults in memory elements of any unprotected digital
device [1]. Hardening these devices, especially when working
in safety critical applications, implies a careful analysis of their
reliability, and in many cases the adoption of some hardening
solution, with an extra effort and cost for their development, as
well as with a probable reduction in the device’s performance,
but assuring the target dependability of the system.
Adopting a complete hardening solution for every digital
circuit working in a system is clearly unfeasible (from the
point of view of cost, performance and effort) and hardening is
typically performed only on those devices / parts in charge of
the most critical tasks. Hence, a detailed analysis of the
different components of a system with respect to their
robustness and their contribution to system’s dependability, as
well as a “critical” study of the effects of their possible
hardening, is mandatory, and could provide very effective
solutions with low cost overhead.
In the recent years, companies and institutions in the
automotive domain have defined a range of safety levels,
which are now standardized in the IEC-61508 and ISO 26262
documents, and that refer to all electric/electronic systems
mounted on passenger cars. This standard imposes a safety
level for every sub-system and defines a quality assessment
process during the development cycle of these systems.
Assessing the robustness even of not very critical sub-systems
within the car allows manufacturers to know potential risks and
to find effective solutions. Potential risks must be considered if
they could affect human life, even if their occurrence
probability is small.
In this work, two approaches are proposed for hardening
the LIN bus (Local Interconnect Network), which implements
a serial communication network, typically used in low-throughput
and low-cost sub-systems for which safety is not a
major issue. First, LIN nodes robustness has been assessed and
critical elements have been identified and hardened in early
design stages. Different approaches have been explored in the
hardening process, including passive and active redundancy
techniques. The costs in terms of area overhead and
performance degradation have been analyzed and discussed, as
well as the robustness achieved. Secondly, global robustness of
LIN network is considered and a collaborative hardening
technique is proposed in order to reduce network sensitivity
without modifying the LIN interface modules. This low-cost
solution is suitable to be applied when networks built with
commercial devices (which are not accessible for sensitivity
assessment or for selective hardening) are considered.
The paper is organized as follows. Section II summarizes
previous works related to LIN bus reliability. Section III
studies different implementation options. Section IV describes
the fault injection campaigns performed for early identification of
the most critical elements and the selective hardening
techniques applied. Section V describes the proposed
collaborative hardening technique. Finally, section VI states
the conclusions of this work.
II. RELATED WORK
Some research works in the scientific literature studied the
robustness of serial communication links. In automotive
industry, there are four main serial protocols adopted for
communication: FlexRay, CAN (Controller Area Network),
MOST (Media Oriented Systems Transport) and LIN (Local
Interconnect Network). Each of them is used for different
purposes according to the different constraints, including the
criticality of the application. In general, the LIN protocol is
intended for low-throughput and low-cost sub-systems where
safety is not a major issue (e.g. mirrors, seat control, wipers).
Despite this, standards and good practices still require a
reliability evaluation for these systems, as well as the adoption
of possible hardening strategies, if required [2]-[5].
Nowadays, automotive applications may be based on
different devices with different origins and technologies, which
may have minimal interaction or intensive communication
with each other. An integrated fault tolerant system for
automation applications is studied in [2].
In [3] a LIN transceiver is analyzed in order to detect the
weak spots of the circuit against permanent faults due to
aging. The proposed method is focused on mixed-signal
circuits.
Soft errors effects in a LIN network are studied in [4]. The
authors propose an evaluation method to analyze the
dependability of LIN networks against bit-flip faults by
combining two methods: a low-level analysis by fault injection
in flip-flops (FFs), and an application-level analysis by vehicle
simulation with MATLAB/Simulink models. In that work, 100
bit-flips were injected, and those faults that produce a failure
are analyzed in more detail at the application level taking as
case study an adaptive front-lighting system. This analysis,
with only 100 injected faults, is not significant enough to
identify the fault tolerance weaknesses of a LIN network.
Testing of CAN, LIN and FlexRay ECUs (Electronic
Control Units) to assess reliability is done in [5]. The scope is
fault simulation for faults in hardware and in the
communication protocol (i.e. affecting the software). All tested
ECUs show defects in the bus implementation, proving the
criticality of the communication channels in the vehicle
networks.
In [6] a more intensive fault injection campaign was
performed on a LIN network composed of two nodes. The
work focused on SEUs affecting memory elements in the
circuits as well as data transmitted through the bus. Critical
areas were located and a passive hardware redundancy
technique was proposed. A comparison with respect to the
CAN bus, in terms of area overhead and fault tolerance is
presented, highlighting the fact that hardening LIN modules
with a passive hardware redundancy technique is cheaper than
hardening CAN modules, although both are considered a
requirement to avoid potential risks.
However, a complete assessment of a LIN network, with
several nodes included and with a realistic workload, has never
been performed until now. In this work, the results of such an
assessment procedure are reported, together with the proposal
of a hardening technique for the most critical areas. The
proposed technique mixes active and passive solutions and
takes advantage of the LIN features. A further technique is also
proposed, aimed at global hardening of the network
(collaborative hardening) with less invasive techniques.
III. CASE STUDY: LIN BUS CONTROLLER
A. The LIN standard
The technical specifications of the LIN protocol have been
originally developed by a group of car makers (Audi, BMW,
Volkswagen, Volvo, Daimler-Chrysler), one semiconductor
supplier (Motorola) and one CAD vendor (Volcano
Communications) [7]. The main characteristics of the protocol are:
- Serial communication protocol
- Single master / multiple slaves architecture
- Data rates up to 20 kBit/sec
- Short messages (max. 8 data bytes)
- Simple transmission error checking (parity, checksum)
- Single wire 12V bus (dominant and recessive levels,
ISO9141-NRZ standard).
Currently, the LIN bus is used in several systems based on
sensors and actuators for controlling doors, steering-wheel,
seats, climate, lighting, smart wipers, rear mirrors. Single-wire
buses and the elimination of crystal or ceramic resonators in
the slave nodes notably reduce the cost of LIN with respect to
other solutions, and make it possible to extend the use of electronic
devices within the car, improving safety and comfort.
The LIN protocol efficiently supports the operation of
electronic nodes and devices in the automobile systems for
networks with low baud rate. In particular, the LIN bus is an
integral part of most modern vehicles, although it is often
considered a subsystem of the CAN network, being
mainly used to relieve the bus load of the supervising CAN
network and to reduce the overall costs.
The communication link is protected by some typical
mechanisms. The errors detected by each LIN node are:
• Checksum Error: the data content of each message is
protected by a checksum byte, which is the inverted
modulo checksum of the data bytes.
• Parity Error: the command byte uses 2 parity bits to
protect the other 6. These need to be recalculated and
compared. If there is an error, the command is ignored
and the error is logged.
• Bit Error with error status: the master may request error
status as part of a normal message protocol. The
Response_Error bit is a status bit that each slave is required
to report to the master in one of its transmitted frames. When any
error is detected, the master reports it to the processor, in
order to repeat the command or to take another action.
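The parity and checksum checks listed above can be exercised with a small C model. This is an added example, not code from the paper or from the Xilinx core: it uses the parity equations and the classic checksum (inverted 8-bit sum with carry over the data bytes) of the LIN specification [7], and flips every bit, and every pair of bits, of one constructed frame to count the upsets that pass both checks. The frame layout (PID, data, checksum), the function names and the sample identifier 0x12 are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIN_MAX_DATA 8
#define BIT(v, n) (((v) >> (n)) & 1u)

enum lin_status { LIN_OK = 0, LIN_PARITY_ERROR, LIN_CHECKSUM_ERROR };

/* Constructed sample payload (hypothetical frame content). */
static const uint8_t SAMPLE_DATA[4] = { 0x4A, 0x55, 0x93, 0xE5 };

/* 6-bit identifier -> protected identifier (P0 in bit 6, P1 in bit 7). */
uint8_t lin_protected_id(uint8_t id)
{
    unsigned p0 = BIT(id, 0) ^ BIT(id, 1) ^ BIT(id, 2) ^ BIT(id, 4);
    unsigned p1 = (BIT(id, 1) ^ BIT(id, 3) ^ BIT(id, 4) ^ BIT(id, 5)) ^ 1u;
    return (uint8_t)((id & 0x3Fu) | (p0 << 6) | (p1 << 7));
}

/* Classic checksum: inverted 8-bit sum with carry over the data bytes. */
uint8_t lin_checksum(const uint8_t *data, size_t len)
{
    unsigned sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum += data[i];
        if (sum > 0xFFu)
            sum -= 0xFFu;               /* fold the carry back into the sum */
    }
    return (uint8_t)(~sum & 0xFFu);
}

/* Fill out[] with PID, data and checksum; returns the frame length in bytes. */
size_t lin_build(uint8_t id, const uint8_t *data, size_t len, uint8_t *out)
{
    out[0] = lin_protected_id(id);
    memcpy(&out[1], data, len);
    out[1 + len] = lin_checksum(data, len);
    return len + 2;
}

/* Receiver-side check: recompute parity and checksum and compare. */
enum lin_status lin_check(const uint8_t *frame, size_t len)
{
    if (lin_protected_id(frame[0] & 0x3Fu) != frame[0])
        return LIN_PARITY_ERROR;
    if (lin_checksum(&frame[1], len) != frame[1 + len])
        return LIN_CHECKSUM_ERROR;
    return LIN_OK;
}

/* Flip bit a (and bit b, if different) in a copy of the frame and check it. */
static enum lin_status check_flipped(const uint8_t *good, size_t len,
                                     size_t a, size_t b)
{
    uint8_t f[LIN_MAX_DATA + 2];
    memcpy(f, good, len + 2);
    f[a / 8] ^= (uint8_t)(1u << (a % 8));
    if (b != a)
        f[b / 8] ^= (uint8_t)(1u << (b % 8));
    return lin_check(f, len);
}

/* Count the 1-bit (nflips == 1) or 2-bit upsets that pass both checks. */
unsigned count_undetected(const uint8_t *good, size_t len, int nflips)
{
    size_t nbits = (len + 2) * 8;
    unsigned n = 0;
    for (size_t a = 0; a < nbits; a++) {
        if (nflips == 1) {
            n += (check_flipped(good, len, a, a) == LIN_OK);
            continue;
        }
        for (size_t b = a + 1; b < nbits; b++)
            n += (check_flipped(good, len, a, b) == LIN_OK);
    }
    return n;
}

/* Exhaustive injection into the constructed sample frame (identifier 0x12). */
unsigned sample_undetected(int nflips)
{
    uint8_t frame[LIN_MAX_DATA + 2];
    lin_build(0x12, SAMPLE_DATA, sizeof SAMPLE_DATA, frame);
    return count_undetected(frame, sizeof SAMPLE_DATA, nflips);
}

int main(void)
{
    printf("PID for ID 0x12: 0x%02X\n", lin_protected_id(0x12));
    printf("undetected single-bit upsets: %u\n", sample_undetected(1));
    printf("undetected double-bit upsets: %u\n", sample_undetected(2));
    return 0;
}
```

Every single-bit upset in the frame is caught, while some double-bit upsets (for example identifier bits 0 and 2 together, or the same bit position flipped in opposite directions in two data bytes) yield a frame with correct parity and checksum.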
B. Hardware Implementation
Different hardware implementation solutions are currently
available. The LIN bus interface can be implemented resorting
to commercial devices (COTS), reconfigurable devices
(FPGAs) or Application Specific Integrated Circuits (ASICs).
Together with the LIN interface tasks, LIN nodes should
include additional functionalities for sensed data processing
and/or motor/actuator command generation.
A very cheap and straightforward solution is the
development of a software implementation of the LIN node in
a commercial microprocessor. This solution applies for the
master and for the slave nodes. A better option is to use a serial
communication module (USART) within a microcontroller
device, in order to allocate transmitting and receiving tasks in a
hardware module and to use software programs in data
processing and sensors/motors control actions. This is the case
of the PIC18 microcontroller by Microchip®, whose USART
can be used for slave and master interfaces [8].
It is also possible to use reconfigurable devices (e.g.,
FPGAs), where some LIN IP-core could be included, together
with other modules in charge of other functions apart from the
LIN interface. These devices are very flexible and some of
them provide very low power consumption. This solution must
be carefully analyzed, especially if the SRAM-based FPGA
technology (which is particularly prone to transient faults [15])
is chosen and the final application will be working in an
unfriendly environment.
Finally, when large volumes are expected, ASIC design
and development is interesting. TABLE 1 analyzes the cost and
reliability of a LIN network composed of one master and 15
slave nodes, when built with different technologies and
manufacturers. The second column in the table details the
maximum operating frequency of the devices; although these
data are not relevant as LIN speed is limited to 4 MHz, it is
interesting to know the available speed for other functionalities
included in the network node. The third column lists the price
per unit obtained from a general electronic components
supplier (lower prices could obviously be obtained when
directly dealing with the device manufacturer, or ordering large
volumes). The fourth column reports the global cost of every
network (once designed and developed). Although ASIC
solutions seem cheaper, additional devices for controlling
sensors and actuators must be added in the system, while
microcontroller and FPGA solutions could include all the
functionality and interfaces. Finally, the fifth column estimates
the reliability of the LIN network, built with these devices,
when affected by ionizing radiation, considering technology
robustness. In general, ASICs and PIC microcontrollers
present medium-high robustness, as only user memory
elements are sensitive, while SRAM-based FPGAs present a
very sensitive configuration memory. On the other hand,
Flash-based FPGAs present more fault tolerance than
SRAM-based FPGAs [9].
TABLE 1. IMPLEMENTATION OPTIONS FOR A 16-NODES LIN NETWORK
Device                                               Max. freq (MHz)   Cost of network   Robustness
PIC18F (Microchip®)                                  40                Medium            Medium
PIC 18F with USART/UART (Microchip®)                 40                Medium            Medium
Igloo AGL1000, Flash FPGA (Microsemi®)               160               High              High
ProASIC3 A3P1000-2, Flash FPGA (Microsemi®)          350               High              High
Spartan-3E 3S1200E-5, SRAM FPGA (Xilinx™)            300               High              Low
CoolRunnerII XC2C256, SRAM/Flash FPGA (Xilinx™)      114               Medium            Medium
ASIC (TSMC 0.18 µm) CAST® LIN Core                   4                 High              High
In order to complete the analysis below, an experimental
evaluation of the probability for faults occurring in a LIN
network to evolve into failures is needed. This is the subject of
the following Sub-Sections.
C. Case study
We selected a hardware implementation of a LIN controller
developed by Xilinx Inc. [11]. The design is provided in
VHDL, and prototyping has been proven on a CPLD
(CoolRunner-II™ [9][11]). This design is divided into eight
blocks, as shown in Figure 1. The Transmitter and Receiver
blocks are in charge of serializing/de-serializing data, while
Parity_Gen and Checksum_Gen are in charge of detecting
errors in the received data. The control part of the circuit is
composed of some Configuration_Registers and a Control
block, which is composed of a set of finite state machines.
Figure 1. Architecture of a LIN bus controller
This LIN controller node has been studied in [6] in order to
detect the weak elements that must be hardened. In that work,
the authors reported a fault injection campaign of 7.6 Mfaults,
based on a standard workload. Although very interesting
results were obtained, an enhanced workload is necessary in
order to perform a test closer to real operating conditions.
Results of the fault injection campaign performed for this
paper are shown in Section IV.
IV. SEU SENSITIVITY ANALYSIS AND SELECTIVE HARDENING
A. Experimental Setup
A detailed analysis of the SEU sensitivity of LIN nodes
has been performed. For this analysis, fault injection is
required in order to check the node response in the presence of
soft errors. SEU analysis is performed by means of an
intensive fault injection campaign. The system under test (LIN
network) consists of three connected LIN cores. In particular, a
master and two slave controllers are implemented, although up
to 16 slaves can be considered.
The workload includes ten different tests. Each test checks
different data and command managements in order to make the
test more realistic. First, there are four basic transmission tests
from controller 1 to controller 2 and 3. The first three tests
send 2, 4 and 8 bytes several times consecutively, while the
fourth test sends an ID data and waits for an answer from
controller 2 and 3. Basic tests verify that the three nodes
communicate successfully. Other tests check correct activation
of parity error, checksum error and framing error, by forcing
values directly onto the bus. The typical test scheme involves
writing to a configuration register, waiting for an interruption,
and then acting on that interruption, reading a received byte or
checking the various status registers. For this work we have
improved the workload applied to the LIN network, starting
from the original workload provided by Xilinx [11]. With
respect to the original workload, a more complete use of
internal registers and their functions has been added.
The fault injection campaign has been performed by using
Autonomous Emulation [13], which is a fault injection tool
based on hardware emulation on reprogrammable devices. In
this tool, all the injection tasks are performed in the hardware,
following the scheme shown in Figure 2. The Autonomous
Emulation system can achieve fault injection rates of millions
of faults per second. The fault injection system is prototyped
on an XUPV5-LX110T Development System from Xilinx®.
Figure 2. Fault injection system architecture
[Figure 2 block labels: Emulation Board, Interface, FPGA, Emulation Controller, Execution Management, Fault List, Fault injection, Fault Classification (RAM)]
Faults are injected in every clock cycle during the
execution of the developed workload (enhanced network
traffic) and in every flip-flop of the three controller cores. The
injected faults are classified by the produced effect on the
system behavior according to the following categories:
1. The effect of the fault is propagated to the outputs:
a. A fault is classified as Detected when one of the error
detection mechanisms implemented in the LIN module
is able to detect the SEU (i.e., the interruption flag
becomes active when not expected or vice versa).
b. A fault is classified as Failure when a faulty
transmission is performed but the LIN core does not
detect any misbehavior (i.e., Data are corrupted but
Parity and Checksum are correct).
2. The effect of the fault is not propagated to the outputs:
a. A fault is classified as Silent if its effect has completely
disappeared from the circuit.
b. A fault is classified as Latent if its effects are still
remaining in some memory elements of the circuit.
B. Experimental Results
The fault injection campaign has been performed over the
three LIN cores in the network (a master and two slaves).
Only master results are included in this paper, as including the
complete results does not add any additional information (the
most critical elements are the same in all the nodes).
A single fault has been injected in every master flip-flop
(out of the 194 FFs) and in every clock cycle of the workload
(out of the 356,693 clock cycles). The total number of injected
faults is thus 69,198,442. Hence, we can claim that our Fault
Injection campaign was exhaustive for this workload.
TABLE 2 shows the results of the Fault Injection campaign
reporting the fault classification by circuit blocks. The
considered blocks (see Figure 2) are the configuration
registers, the reception blocks (receiver and majority sampler),
the frequency divider, the control block, the checksum
generator and the transmitter. As a global result, 20% of the
injected faults cause a bad communication result (failure).
Moreover, 43% of the injected faults do not have any effect
(silent), while 2% of them are detected by the circuit checking
mechanisms (detected), and about 36% remain latent in the
circuit at the end of the workload execution. This result differs
from [6] as intensive use of internal registers is included in
this new work.
TABLE 2. FAULT INJECTION RESULTS
Fault classification given as # (% of total injected faults)
Block           #FF   Failure            Latent             Silent             Detected
CKSUM           9     0 (0%)             9 (0%)             3,210,219 (5%)     9 (0%)
CONFREG         54    9,858,101 (14%)    7,452,005 (11%)    1,094,490 (2%)     856,826 (1%)
DIVIDER         17    524,837 (0%)       4,243,541 (6%)     1,238,091 (2%)     57,312 (0%)
RECEIVER        21    51,690 (0%)        764,246 (1%)       6,669,637 (10%)    4,980 (0%)
SAMPLER         4     12,796 (0%)        175 (0%)           1,413,484 (2%)     317 (0%)
STATE MACHINE   75    3,451,538 (5%)     8,677,307 (12%)    14,453,170 (20%)   169,960 (0%)
TRANSMITTER     14    0 (0%)             3,635,972 (5%)     1,357,716 (2%)     14 (0%)
Total           194   13,898,962 (20%)   24,773,255 (36%)   29,436,807 (43%)   1,089,418 (2%)
Analyzing the different fault classifications for every block,
ConfReg and StateMachine are the least robust ones,
providing a failure rate of 14% and 5%, as well as presenting
a high number of latent faults. Therefore, hardening these two
blocks will eliminate most of the failures. These blocks
should be hardened whatever the network implementation we
choose.
C. Hardening techniques
SEU mitigation techniques range from passive solutions to
active ones. All of them are related to redundancy. There are
different types of redundancy: hardware redundancy, software
redundancy, time redundancy and information redundancy. Generally,
hardware redundancy is the most common solution because
timing and data format are maintained. Hardware redundancy
covers passive and active techniques [12]. Each of these
techniques presents different advantages and drawbacks, and
can be more suitable for some specific architecture. According
to the results of the fault injection campaign, the blocks to be
hardened in a LIN node are the Configuration Registers and
the control part (State Machine). The next subsections detail
some mitigation techniques.
1) Triple Modular Redundancy for the critical blocks
In this technique, faults are eliminated with hardware
redundancy. When this technique is applied for hardening
against SEUs, critical memory cells are triplicated and a
majority voter is added to their outputs. When a single error
is detected, the correct value is re-stored in the
three registers, thus eliminating the error. It is possible to
tolerate one error for each memory element. In the best case, N
errors in an N-bit word can be tolerated. In this work, the most
critical registers of the LIN controller have been chosen, but
the complete hardening of every memory element in the
controller would also be possible. Once flip-flop robustness is
known, designers can enhance the fault tolerance by hardening
a given number of FFs. Similarly to the proposal in [9], a
selectively hardened TMR technique is applied: only 27% of registers
(configuration registers) are triplicated, thus decreasing the
number of failures by 50%.
The Configuration Registers block has been hardened with
a passive hardware redundancy technique (TMR). This
solution significantly increases the area of memory cells,
while the voter is implemented with a small number of logic
gates. Up to 9.8 Mfaults producing Failures became Silent by
increasing the number of FFs by 55% (from 194 to 302).
2) Error detection mechanisms added
The active hardware redundancy technique added to the LIN bus
controller implements active correction of errors and consists
in changing the main Finite State Machine (FSM) encoding. A
One-hot encoding has been selected, with error flag activation.
This is one of the cheapest and most effective techniques in
terms of area overhead and fault tolerance achieved. In the
next subsection a comparison of the implementation of this
technique with previous work presented in [9] is detailed.
The FSM has eight reachable states: by coding them with a
One-hot method, 5 extra FFs are required, introducing a
negligible overhead in the combinational area (7%). With this
new encoding, any single error in a FF of the FSM will be
detected and reported, as error detection is also included.
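The two selective hardening techniques described in subsections 1) and 2) can be modelled in software. The following C code is an added example, not the paper's VHDL: it implements a triplicated register with a bitwise majority voter and voted re-store, and a one-hot validity check for an eight-state FSM, then injects every single-bit upset. The 8-bit register width, the function names and the 3-bit encoding taken as the unhardened baseline (the paper states only that one-hot needs 5 extra FFs) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* --- TMR: triplicated 8-bit configuration register with majority voter --- */
struct tmr_reg { uint8_t copy[3]; };

void tmr_write(struct tmr_reg *r, uint8_t v)
{
    r->copy[0] = r->copy[1] = r->copy[2] = v;
}

/* Bitwise 2-out-of-3 majority of the three copies. */
uint8_t tmr_vote(const struct tmr_reg *r)
{
    return (uint8_t)((r->copy[0] & r->copy[1]) | (r->copy[1] & r->copy[2]) |
                     (r->copy[0] & r->copy[2]));
}

/* Read through the voter and re-store the voted value in all three copies. */
uint8_t tmr_read_restore(struct tmr_reg *r)
{
    uint8_t v = tmr_vote(r);
    tmr_write(r, v);
    return v;
}

/* Inject every single-bit upset (3 copies x 8 bits); count those masked. */
unsigned tmr_masked_single(uint8_t value)
{
    unsigned masked = 0;
    for (int c = 0; c < 3; c++)
        for (int b = 0; b < 8; b++) {
            struct tmr_reg r;
            tmr_write(&r, value);
            r.copy[c] ^= (uint8_t)(1u << b);
            masked += (tmr_vote(&r) == value);
        }
    return masked;
}

/* Two upsets hit the same bit of two different copies. With a voted re-store
 * between them the value survives; without it the correct copy is outvoted. */
int tmr_survives_two_upsets(uint8_t value, int restore_between)
{
    struct tmr_reg r;
    tmr_write(&r, value);
    r.copy[0] ^= 0x01;
    if (restore_between)
        tmr_read_restore(&r);
    r.copy[1] ^= 0x01;
    return tmr_vote(&r) == value;
}

/* --- FSM state register: 8 states, 3-bit code vs. 8-bit one-hot code --- */

/* A one-hot code is legal only if exactly one flip-flop is set. */
int onehot_valid(uint8_t state)
{
    return state != 0 && (state & (state - 1)) == 0;
}

/* Single-bit upsets flagged by the one-hot check (8 states x 8 FFs). */
unsigned onehot_detected(void)
{
    unsigned detected = 0;
    for (int s = 0; s < 8; s++)
        for (int b = 0; b < 8; b++)
            detected += !onehot_valid((uint8_t)((1u << s) ^ (1u << b)));
    return detected;
}

/* With 3 FFs and 8 reachable states every code is legal, so an upset always
 * lands on another legal state and a validity check never fires. */
unsigned binary_detected(void)
{
    unsigned detected = 0;
    for (unsigned s = 0; s < 8; s++)
        for (int b = 0; b < 3; b++)
            detected += ((s ^ (1u << b)) >= 8);
    return detected;
}

int main(void)
{
    printf("TMR: %u of 24 single upsets masked\n", tmr_masked_single(0xA5));
    printf("TMR, two upsets, re-store between: %s\n",
           tmr_survives_two_upsets(0xA5, 1) ? "value kept" : "value lost");
    printf("TMR, two upsets, no re-store:      %s\n",
           tmr_survives_two_upsets(0xA5, 0) ? "value kept" : "value lost");
    printf("one-hot FSM: %u of 64 single upsets flagged\n", onehot_detected());
    printf("3-bit FSM:   %u of 24 single upsets flagged\n", binary_detected());
    return 0;
}
```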
TABLE 3. FAULT CLASSIFICATION WITH ONE-HOT TECHNIQUE
              #FF   Failure          Latent               Silent             Detected          Total
FSM           75    3,451,538 (5%)   8,677,307 (12%)      14,453,170 (20%)   169,960 (0%)      26,751,975 (38%)
FSM one-hot   80    64 (0%)          13,705,774 (19.8%)   5,274,733 (7.6%)   8,128,097 (12%)   27,108,668 (39%)
Table 3 shows the fault classification for FFs in the new
FSM after hardening it with the One-hot encoding. Though
the number of Latent faults is increased, the failure rate is
drastically reduced. Also, the majority of faults previously
classified as Failure are now classified as Detected (12%).
This selective hardening method allows designers to
improve significantly the robustness with a relatively limited
area overhead. In TABLE 4, a summary of selective hardening
techniques applied is shown. Area and sensitivity of the
original LIN bus controller and the new versions with the two
hardening techniques included are shown. The second row
details the FF number of different versions of the LIN module,
together with the changes in the area overhead figure with
respect to the original version. The third row shows the
percentage of injected faults which are provoking failures in
the module. Finally, the fourth row presents the percentage of
injected faults which are activating the error detection
mechanisms.
TABLE 4. RESULTS ON SELECTIVE HARDENING IN A LIN CONTROLLER
           Original LIN   LIN + one-hot FSM   LIN + TMR     LIN + one-hot + TMR
FFs        194            199 (1%)            302 (55.6%)   307 (58%)
Failures   20%            15%                 6%            0%
Detected   2%             12%                 2%            14%
The TMR technique increases significantly the required
area for every LIN bus controller, while it reduces notably the
failure rate. Applied only to the configuration registers block,
the global area overhead is 55.6%, while the global failure
rate reduction is 70%. On the other hand, One-Hot encoding
produces a small increase in the number of memory cells
(1%), while it needs larger encoders and decoders, with some
increase in the area (7%) and in the delay of the critical path.
However, considering the reduction in the number of failures
(25%) with respect to the global area overhead (7%) this is an
interesting technique to be considered by design teams.
V. COLLABORATIVE HARDENING
When internal elements in a distributed network are not
accessible, not only early fault injection campaigns but also
selective hardening is very difficult to carry out. This is the
case when commercial devices (COTS) are used, as well as
IP-cores embedded in reconfigurable devices (FPGAs).
In this case, another type of hardening can be considered.
Many design teams for critical applications are applying
collaborative hardening in distributed systems [14]. This
technique profits from the concurrent execution of different
nodes in a network, forcing them to execute similar
calculations and performing a global voting in order to
identify erroneous nodes.
In this sense, a collaborative hardening technique is
proposed in this work for LIN networks. The LIN master
node, which is sending commands to LIN slave nodes,
periodically collects signatures of the commands and data sent
through the LIN bus, which are calculated on every LIN node
interface. In our proposal, the signature calculation block is
connected to the LIN node inputs and outputs. As said in the
previous section, the weakest elements in LIN controller
nodes are the configuration registers; the periodic access to
these registers from the master will cause wrong values to be
produced. External observation of the bus traffic, per node,
and periodic majority voting is proposed (Figure 3). Assuming
all the contents of configuration registers in a LIN node are
accessible from outside, and signature calculation is not
masking errors in data processed, the robustness achieved by
this proposal is the same as TMR selective hardening and
reduces the number of failures at least from 20%
to 6%.
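The signature collection and majority voting described above can be sketched as follows. This C code is an added example, not taken from the paper: the paper does not name a compaction function, so a CRC-8 (polynomial 0x07) is assumed, and the three-node setup, the function names and the constructed traffic bytes are likewise assumptions. An upset is modelled as a bit mask XORed into one byte as seen at one node's interface.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NODES 3             /* one master and two slaves */
#define NO_MAJORITY (-1)

/* Constructed traffic for one observation window (hypothetical bytes). */
static const uint8_t SAMPLE_TRAFFIC[] = { 0x55, 0x92, 0x4A, 0x55, 0x93, 0xE5, 0xE6 };

/* Fold one observed byte into a signature register (CRC-8, poly 0x07). */
uint8_t sig_update(uint8_t sig, uint8_t byte)
{
    sig ^= byte;
    for (int i = 0; i < 8; i++)
        sig = (uint8_t)((sig & 0x80u) ? ((sig << 1) ^ 0x07u) : (sig << 1));
    return sig;
}

/* Signature of a whole byte sequence, starting from an all-zero register. */
uint8_t sig_of(const uint8_t *bytes, size_t len)
{
    uint8_t sig = 0;
    for (size_t i = 0; i < len; i++)
        sig = sig_update(sig, bytes[i]);
    return sig;
}

/* Master-side vote over the collected signatures. Returns a bitmask of the
 * nodes that disagree with the strict-majority value (0 if all agree), or
 * NO_MAJORITY when no value is held by more than half of the nodes. */
int master_vote(const uint8_t *sigs, size_t n)
{
    uint8_t cand = 0;
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {          /* Boyer-Moore candidate */
        if (count == 0) { cand = sigs[i]; count = 1; }
        else if (sigs[i] == cand) count++;
        else count--;
    }
    count = 0;
    for (size_t i = 0; i < n; i++)            /* verify the candidate */
        count += (sigs[i] == cand);
    if (2 * count <= n)
        return NO_MAJORITY;
    int suspects = 0;
    for (size_t i = 0; i < n; i++)
        if (sigs[i] != cand)
            suspects |= 1 << (int)i;
    return suspects;
}

/* One observation window: every observer compacts the same traffic, except
 * that upset_mask[k] is XORed into byte upset_pos as seen at node k. */
int run_window(const uint8_t *traffic, size_t len, size_t upset_pos,
               const uint8_t upset_mask[NODES])
{
    uint8_t sigs[NODES];
    for (int k = 0; k < NODES; k++) {
        uint8_t sig = 0;
        for (size_t i = 0; i < len; i++) {
            uint8_t seen = traffic[i];
            if (i == upset_pos)
                seen ^= upset_mask[k];
            sig = sig_update(sig, seen);
        }
        sigs[k] = sig;
    }
    return master_vote(sigs, NODES);
}

/* Run the constructed window with one upset mask per node (0 = no upset). */
int sample_window(uint8_t m0, uint8_t m1, uint8_t m2)
{
    const uint8_t masks[NODES] = { m0, m1, m2 };
    return run_window(SAMPLE_TRAFFIC, sizeof SAMPLE_TRAFFIC, 3, masks);
}

int main(void)
{
    printf("no upset:           suspects = %d\n", sample_window(0, 0, 0));
    printf("upset at node 2:    suspects = %d\n", sample_window(0, 0, 0x10));
    printf("upsets at nodes 1,2: result  = %d\n", sample_window(0, 0x01, 0x10));
    return 0;
}
```

With three nodes, two different simultaneous upsets leave no majority, and two identical ones outvote the correct node; the vote identifies a single erroneous node only.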
Figure 3. Collaborative hardening in a LIN network
In terms of implementation, when the LIN network is
implemented with microcontrollers, one additional device
must be included per original LIN node; this new device will
be in charge of “spying” inputs and outputs of the LIN node
and of calculating the signature for majority voting in the
master. The global cost of the hardened LIN network is
around the double of the non-hardened version. In the case of
a LIN network built with FPGAs, the required extra
functionality can be included within every device, exploiting
the available resources, and thus maintaining the number of
original devices. The global cost of the hardened LIN network
is similar to the non-robust one if LIN IP-cores are used. Finally,
when the LIN network is built with ASICs, extra devices must
be included (FPGAs or microcontrollers), making this
solution more expensive. In terms of timing, no penalty is
included as idle periods are used by the master for collecting data
from slaves.
VI. CONCLUSIONS
Although often not considered as a critical element in the
car electronic system, LIN buses could cause some failures
that could put the safety of passengers at risk.
In this work, we analyzed the robustness of a LIN network
when executing realistic workloads; moreover, two methods
for hardening a LIN network are detailed. First, selective
hardening of internal elements in LIN nodes is considered.
Both TMR and one-hot encoding have been considered and
evaluated. Secondly, collaborative hardening is presented and
one technique is proposed for improving the robustness of the
network, when elements are not accessible for hardening and
for fault injection. The evaluation of the (original and
hardened) system robustness is performed through extensive
fault injection experiments.
With selective hardening, One-Hot encoding and TMR (Triple
Modular Redundancy) mitigation techniques imply low
or medium area increases and significant reductions in the
number of failures, minimizing the possible effects of faults
and undesired propagation to upper and more critical levels in
the distributed system. With collaborative hardening, a
non-invasive hardening technique is implemented. This solution is
especially useful for networks built with IP-cores or COTS.
The proposed technique adds external blocks observing bus
traffic on every LIN node interface. Data observed are
compacted and sent periodically to the master node for
majority voting. To the best of our knowledge, this is the first
time that a LIN network (in both its original and hardened
version) is extensively being analyzed with realistic
workloads.
VII. REFERENCES
[1] T. Heijmen, “Soft Errors from Space to Ground: Historical Overview,
Empirical Evidence and Future Trends”, chapter in “Soft Errors in
Modern Electronic Systems”, Ed. M. Nicolaidis, Springer, Nov. 2010.
[2] H. Kimm, H. Ham, “Integrated Fault Tolerant Systems for Automotive
Bus Networks”, 2nd International Conference on Computer Engineering
and Applications, pp. 486-490, March 2010.
[3] V. Kerzerho, H.G. Kerkhoff, G-J Bollen, Y. Xing, “The search for
resilience weak spots in automotive mixed signal circuits”, 17th IEEE
International Mixed-Signals, Sensors and Systems Test Workshop, pp.
137-142, May 2011.
[4] Y.K. Bong, J.K. Yun, “The dependability analysis of LIN network for
adaptive front-lighting system”, International SoC Design Conference,
2008, pp. I-425-I-428.
[5] Manfred Schneider, Jens Muenzberg, “Testing of CAN, LIN, and
FlexRay ECU characteristics to assure reliability”, EDN network,
August 22, 2013.
[6] A. Vaskova, M. Portela-Garcia, and M. S. Reorda, “Hardening of serial
communication protocols for potentially critical systems in automotive
applications: LIN bus,” in 2013 IEEE 19th International On-Line
Testing Symposium (IOLTS), 2013, pp. 13–18.
[7] LIN Consortium, “LIN Specification Package. Revision 2.0”, Sept. 2003.
[8] Microchip® Application Note #235, “Implementing a LIN Master Node
Driver on a PIC18 Microcontroller with USART”.
[9] M. Garcia-Valderas, M. Portela-Garcia, C. Lopez-Ongil, L. Entrena, A.
Martin-Ortega, J. de Mingo, M. Alvarez, S. Esteve, and S. Rodriguez,
“The effects of proton irradiation on CoolRunner-II CPLD technology,”
in 2008 European Conference on Radiation and Its Effects on
Components and Systems, 2008, pp. 131–135.
[10] “CoolRunner-II CPLD Family, v3.1, DS090, Product Specification”,
Xilinx Inc., Sept. 2008 (www.xilinx.com).
[11] XAPP432 (v1.1) Xilinx Application Note, “Implementing a LIN
Controller on a CoolRunner-II CPLD”, April 3, 2007.
[12] B. Johnson, “Design and analysis of Fault-Tolerant Digital Systems”,
Addison-Wesley, 1989.
[13] C. Lopez-Ongil, M. Garcia-Valderas, M. Portela-Garcia, and L. Entrena,
“Autonomous Fault Emulation: A New FPGA-Based Acceleration
System for Hardness Evaluation,” IEEE Trans. Nucl. Sci., vol. 54, no. 1,
pp. 252–261, Feb. 2007.
[14] M. Portela-García, M. Garcia-Valderas, E. San Millan, C. Lopez-Ongil,
L. Entrena, A. Martin-Ortega, J. Ramon de Mingo, and S. Rodriguez,
“Sensitivity Evaluation Method for Aerospace Digital Systems with
Collaborative Hardening”, IEEE Trans. on Nuclear Science, vol. 58,
no. 3, pp. 1053-1058, June 2011.
[15] M. Ceschia, M. Violante, M. S. Reorda, A. Paccagnella, P. Bernardi, M.
Rebaudengo, D. Bortolato, M. Bellato, P. Zambolin, and A. Candelori,
“Identification and classification of single-event upsets in the
configuration memory of SRAM-based FPGAs,” IEEE Trans. Nucl. Sci.,
vol. 50, no. 6, pp. 2088–2094, Dec. 2003.