Fault-Tolerant Platforms for Automotive Safety-Critical Applications

M. Baleani, A. Ferrari, L. Mangeruca, A. Sangiovanni-Vincentelli
PARADES EEIG
Via San Pantaleo 66
Rome, Italy
mbaleani, aferrari, leon, [email protected]

Maurizio Peri, Saverio Pezzini
ST Microelectronics
Via C. Olivetti 2
Agrate Brianza, Italy
maurizio.peri, [email protected]

ABSTRACT

Fault-tolerant electronic sub-systems are becoming a standard requirement in the automotive industrial sector as electronics becomes pervasive in present cars. We address the issue of fault-tolerant chip architectures for automotive applications. We begin by reviewing fault-tolerant architectures commonly used in other industrial domains where fault-tolerant electronics has been a must for a number of years, e.g., the aircraft manufacturing industrial sector. We then proceed to investigate how these architectures could be implemented on a single chip, and we compare them with a metric that combines traditional terms such as cost, performance and fault coverage with flexibility, i.e. the ability to adapt to changing requirements and to capture a wide range of applications, an emerging criterion for platform design. Finally, we describe in some detail a cost-effective dual lock-step platform that can be used as a single fail-operational unit or as two fail-silent channels, trading fault-tolerance for performance.

Categories and Subject Descriptors

B.8 [Performance and Reliability]: Performance Analysis and Design Aids; C.0 [General]: System architectures; C.1.2 [Processor Architectures]: Multiple Data Stream Architectures (Multiprocessors)—Interconnection architectures (e.g., common bus, multi-port memory, crossbar switch), Multiple-instruction-stream, multiple-data-stream processors (MIMD); C.3 [Special-Purpose and Application-Based Systems]: Microprocessor/microcomputer applications, Real-time and embedded systems; C.4 [Performance of Systems]: Design studies, Fault-tolerance, Reliability, Availability, and Serviceability; C.5.4 [Computer System Implementation]: VLSI Systems

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
CASES'03, Oct. 30–Nov. 2, 2003, San Jose, California, USA.
Copyright 2003 ACM 1-58113-676-5/03/0010 ...$5.00.

General Terms

Design, Reliability

Keywords

system-on-a-chip, fault-tolerant, VLSI, multi-processor, automotive, safety critical

1. INTRODUCTION

1.1 Electronics in the Car

The introduction of digitally controlled combustion engines with fuel injection and digitally controlled anti-lock brake systems (ABS) in the late 70's was just the first step towards a pervasive use of electronics in the car. Close synergy between mechanics and electronics yields several benefits that we can measure in terms of better fuel economy, better vehicle performance in adverse conditions, driver-assisting functions such as ABS, traction control (TCS), electronic stability control (ESP) and brake assistant (BA), and safety features such as collision warning and even automatic collision avoidance systems.

To design cars with better performance and a higher level of safety, engineers must substitute the mechanical interfaces between the driver and the vehicle with electronic systems. These systems are common in the aerospace industry and are generically called X-by-wire systems. X-by-wire systems consist of a driver's operating unit (throttle pedal, brake pedal, gear selector, steering wheel) whose electrical output is processed by micro-controllers that manage the powertrain, braking and steering activities via electrical actuators. Throttle-by-wire, shift-by-wire, and driver assistance systems have been used successfully for many years.

1.2 Fault-Tolerance Requirements

The fault-tolerance requirements in cars are minimal, since the scenario considered is the single-fault one [8]. In the case of the previously mentioned electronic sub-systems, either a mechanical backup exists, or a fail-safe mechanism is guaranteed by mechanical sub-systems in the event of electronic failures. In the case of throttle-by-wire, the throttle spring system provides a reduced engine speed in the event of electronic failure. Similarly, when electronic braking functions (ABS, TCS, ESP, BA) fail, the brake system behaves like a conventional one, providing a mechanical backup. Mechanical backups relieve electronics of stringent fault-tolerance requirements, but they are costly, heavy, potentially critical in the case of an accident (e.g. the steering column) and somewhat limit the potential of electronics in terms of performance and flexibility. Moving to X-by-wire systems without mechanical backup (brake-by-wire, steer-by-wire), as is done today in fly-by-wire aircraft, will require building highly reliable and fault-tolerant electronic systems. Indeed, the real challenge is to build these fault-tolerant systems with hard real-time requirements for the mass market and at a reasonable cost.

With respect to fly-by-wire systems in aerospace, automotive electronic systems present some distinctive features in terms of safety requirements. In particular, a safe state can be reached more easily and faster in the event of hazardous failures. For automobiles, standstill or low speed at a non-hazardous place represents a safe state. This fail-safe condition propagates differently to electronic components according to their hazard severity for failures and the inherent fault-tolerance possibilities due to mechanical backups and/or intrinsic redundancy. In the case of a brake-by-wire system, the hazard severity is mitigated by the intrinsic redundancy of the braking system (four braking wheels).

1.3 Fault-Tolerant Design Approaches

Any form of fault-tolerance is based on redundancy, which can be spatial, temporal, or pertaining to information. Redundancy alone does not guarantee fault-tolerance. On the contrary, redundant structures show a higher fault arrival rate compared to a non-redundant system. How redundancy is managed is of paramount importance. One of the most important issues is the definition of fault-containment regions (FCR's), i.e. "collection of components that operate correctly regardless of any arbitrary logical or electrical
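To make the claim in Section 1.3 concrete, the following is an added worked derivation, not taken from the paper, showing how a duplex structure raises the fault arrival rate while its failure behaviour depends entirely on how the redundancy is managed. It assumes independent channels that each fail as a Poisson process with constant rate $\lambda$, the single-fault scenario the paper cites, and (for the last step) a fail-operational arrangement built from two self-checking pairs, which is an illustrative assumption and not the paper's platform.

```latex
% Single channel: reliability and mean time to first fault
R_1(t) = e^{-\lambda t}, \qquad \mathrm{MTTF}_1 = \frac{1}{\lambda}

% Two independent channels (spatial redundancy): faults arrive at the
% union of two Poisson processes, so the structure sees its first fault
% twice as often as a single channel
\Pr[\text{no fault in either channel by } t] = e^{-2\lambda t}, \qquad
\mathrm{MTTF}_{\text{first fault}} = \frac{1}{2\lambda}

% (a) Unmanaged duplex: either channel's output is used without a
% comparison, so a faulty channel's erroneous output is delivered
\Pr[\text{erroneous output by } t] = 1 - e^{-2\lambda t}
\;>\; 1 - e^{-\lambda t} \quad \text{(worse than one channel)}

% (b) Dual lock-step pair with comparator (fail-silent): a mismatch
% silences the pair, so under the single-fault assumption no erroneous
% output is delivered, at the price of availability
\Pr[\text{undetected erroneous output}] = 0, \qquad
R_{\text{fs}}(t) = e^{-2\lambda t}

% (c) Fail-operational from two fail-silent channels (assumed
% arrangement): each channel is a self-checking pair that goes silent
% with rate 2\lambda; the system keeps operating while at least one
% channel is not silent
R_{\text{fo}}(t) = 1 - \left(1 - e^{-2\lambda t}\right)^2
            = 2e^{-2\lambda t} - e^{-4\lambda t}

% First-order comparison for \lambda t \ll 1
R_1(t) \approx 1 - \lambda t, \qquad
R_{\text{fs}}(t) \approx 1 - 2\lambda t, \qquad
R_{\text{fo}}(t) \approx 1 - 4\lambda^2 t^2
```

The linear term vanishes only in case (c): the managed structure tolerates the first fault even though its four channels accumulate faults at rate $4\lambda$, four times the single-channel rate, which is exactly why the paper stresses that redundancy must be managed through comparison and fault-containment regions rather than merely added.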