
Program sequence monitoring utilizing watchdog timers


WDT in safety standards

With the prevalence of microcontrollers (MCUs) as processing units in safety-related systems (SRS) comes the need for diagnostic measures that can ensure safe operation. IEC 61508-2 specifies self-test supported by hardware (one channel) as one of the recommended diagnostic techniques for processing units. This measure uses special hardware that increases speed and extends the scope of the failure detection, for instance, a watchdog timer (WDT) IC that cyclically monitors the output of a certain bit pattern from the MCU.

The basic functional safety (FS) standard IEC 61508-2 Annex A Table A.10 recommends several diagnostic techniques and measures to control hardware failures in the program sequences of electronic devices. Such techniques include a watchdog with a separate time base, with or without a time window, as well as a combination of temporal and logical monitoring of program sequences. While each of these has a corresponding maximum claimable diagnostic coverage, all of these techniques make use of WDTs.

This article will show how to implement these diagnostic functions using WDTs. Moreover, the article will provide insights into the differences between program sequence monitoring diagnostic measures in terms of operation and diagnostic coverage when implemented with ADI's high-performance supervisory circuits with watchdog function.

Low diagnostic coverage

Part 2 of IEC 61508 describes simple watchdogs as external timing elements with a separate time base. Such devices allow the detection of program sequence failures in a computing device, such as an MCU, within a specified period. This is done by having a mechanism that allows either:

  1. The MCU to issue a signal to reset the watchdog before it reaches the timeout
  2. The watchdog timeout period to be reached so that the watchdog can issue a reset signal to the MCU

Step #1 occurs when the program sequence is running smoothly, while step #2 happens when it is not.

Figure 1a shows an example of the watchdog implementation with a separate time base but without a time window using the MAX6814. Notably, MCUs usually have an internal WDT, but it cannot be solely relied on to detect a fault if it is part of the faulty MCU, which can be a concern considering common cause failures (CCF).

To address such CCF concerns, a separate WDT is used to ensure the MCU is placed in reset [1, 2]. Through a flowchart, Figure 1b illustrates the behavior of the WDT as embedded in the MCU's program execution. Before the flow begins, it is necessary to set the watchdog timeout period, or the WDT's maximum reset interval. Once such a period or interval is defined, the WDT will run upon execution of the program. The MCU must be able to send a signal to the MAX6814's WDI pin before it reaches timeout, because the device will issue a reset signal to the MCU if the timeout period is reached. When the MCU resets, the system can be placed into a safe state.

Figure 1 Simple watchdog operation showing (a) an example of the watchdog implementation with a separate time base but without a time window and (b) the behavior of the WDT as embedded in the MCU's program execution. Source: Analog Devices

Such a WDT's timeout period will capture program sequence issues; for example, a program sequence gets stuck in a loop, or an interrupt service routine does not return in time. For instance, only 5 of the 10 subroutines intended to be run on every loop of the software are executed.

However, the WDT's timeout period will not cover other program sequence issues: whether execution of the program took longer or shorter than expected, or whether the program sections were executed in the correct sequence. This can be solved by the next type of WDT.

Medium diagnostic coverage

Because the existence of a separate time window allows for the detection of both excessive delays and premature execution, windowed WDTs prohibit the MCU from responding later or earlier than the WDT's open window. This is also referred to as a valid window specification. Compared to simple watchdogs, it ensures that all subroutines are executed by the program in a timely manner; otherwise, it will assert the MCU into reset [3].

Figure 2 shows an example implementation of program sequence monitoring using the MAX6753. It comes with a windowed watchdog with external-capacitor-configurable watchdog periods.

Figure 2 Sample implementation of a windowed watchdog operation with external-capacitor-configurable watchdog periods.

Figure 3, on the other hand, shows another implementation using the MAX42500, whose watchdog time settings can be configured through I2C, effectively reducing the number of external components. This allows for the capability to increase fault coverage through a packet error checking (PEC) byte, as shown in Figure 4. The PEC byte increases diagnostic coverage against I2C communication-related failures such as bus errors, stuck-bus conditions, timing problems, and improper configuration.

Figure 3 Another implementation: windowed watchdog via I2C, reducing the number of external components compared to Figure 2. Source: Analog Devices

Figure 4 PEC byte coverage of I2C interface failures, such as bus errors, stuck-bus conditions, timing problems, and improper configuration. Source: Analog Devices

While watchdogs with a separate time base and time window offer higher diagnostic coverage compared to simple WDTs, they still cannot capture issues concerning whether the software's subroutines were executed in the correct sequence. This is what the next type of diagnostic technique addresses.

High diagnostic coverage

Diagnostic techniques involving the combination of temporal and logical monitoring provide high diagnostic coverage of program sequences according to IEC 61508-2. One implementation of this technique involves a windowed watchdog and a capability to check whether the program sequence has been executed in the correct order.

An example can be visualized when the circuit in Figure 2 is combined with the sequence in Figure 5, where each of the MCU's program routines uses a unique combination of characters and digits. Such unique combinations are then placed in an array each time a routine is executed. After the last routine, the MCU will only kick, or send a reset signal to, the watchdog if all words are correctly set in the array.

Figure 5 Checking the correct logic of the sequence through markers. Source: Analog Devices
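The following is an added example, not code from the article or from Analog Devices, that models the combined temporal and logical monitoring just described (and, with the lower window bound set to 0, the simple and windowed watchdogs of the earlier sections). Each routine appends its own marker word to an array as it runs; at the end of the cycle the MCU kicks the watchdog only if the array holds exactly the expected words in the expected order, and the (modelled) windowed watchdog accepts the kick only if it arrives inside its open window. The marker values, the window bounds WD_T_MIN/WD_T_MAX and the routine names are constructed for this example; the real window is set by capacitors on the MAX6753 or over I2C on the MAX42500.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_ROUTINES 4

/* Expected marker word for each routine, in the order the routines must run.
 * Constructed values standing in for the character/digit words of Figure 5. */
static const uint16_t EXPECTED_MARKERS[NUM_ROUTINES] = { 0x4131, 0x4232, 0x4333, 0x4434 };

/* Windowed watchdog model: a kick is accepted only if it arrives between
 * WD_T_MIN and WD_T_MAX ms after the previous accepted kick (assumed bounds).
 * Setting WD_T_MIN to 0 models a simple, non-windowed watchdog. */
#define WD_T_MIN 50u
#define WD_T_MAX 100u

typedef struct {
    uint16_t markers[NUM_ROUTINES]; /* words recorded in execution order this cycle */
    unsigned count;                 /* how many routines recorded a word this cycle */
    uint32_t last_kick_ms;          /* time of the last accepted kick */
    bool     reset_asserted;        /* watchdog has put the MCU into reset */
} monitor_t;

void monitor_init(monitor_t *m) { memset(m, 0, sizeof *m); }

/* Clear the array at the start of every cycle so a skipped routine cannot be
 * masked by the word it wrote in an earlier cycle. */
void monitor_begin_cycle(monitor_t *m) {
    memset(m->markers, 0, sizeof m->markers);
    m->count = 0;
}

/* Every routine appends its own word when it runs (logical monitoring). */
void monitor_mark(monitor_t *m, uint16_t marker) {
    if (m->count < NUM_ROUTINES) m->markers[m->count] = marker;
    m->count++;   /* counting past NUM_ROUTINES flags an extra or repeated routine */
}

/* Logical check: exactly the expected words, in the expected order. */
bool sequence_ok(const monitor_t *m) {
    return m->count == NUM_ROUTINES &&
           memcmp(m->markers, EXPECTED_MARKERS, sizeof EXPECTED_MARKERS) == 0;
}

/* Temporal check: the kick must fall inside the open window. */
bool kick_in_window(const monitor_t *m, uint32_t now_ms) {
    uint32_t dt = now_ms - m->last_kick_ms;
    return dt >= WD_T_MIN && dt <= WD_T_MAX;
}

/* End of cycle: the MCU kicks only if the sequence was correct, and the
 * watchdog accepts the kick only if it is inside the window. Either failure
 * ends in reset (a missing kick would reach the timeout on the real part;
 * here it is recorded immediately). Returns true if the kick was accepted. */
bool monitor_end_cycle(monitor_t *m, uint32_t now_ms) {
    if (!sequence_ok(m) || !kick_in_window(m, now_ms)) {
        m->reset_asserted = true;
        return false;
    }
    m->last_kick_ms = now_ms;
    return true;
}

/* Simulate one cycle in which the routines listed in 'order' run, each
 * writing its own word, and the kick is attempted at now_ms. */
bool run_cycle(monitor_t *m, const unsigned *order, unsigned n, uint32_t now_ms) {
    monitor_begin_cycle(m);
    for (unsigned i = 0; i < n; i++)
        if (order[i] < NUM_ROUTINES) monitor_mark(m, EXPECTED_MARKERS[order[i]]);
    return monitor_end_cycle(m, now_ms);
}

/* Fresh monitor, single cycle: handy for the scenarios below. */
bool single_cycle_ok(const unsigned *order, unsigned n, uint32_t now_ms) {
    monitor_t m;
    monitor_init(&m);
    return run_cycle(&m, order, n, now_ms);
}

int main(void) {
    const unsigned good[]    = { 0, 1, 2, 3 };
    const unsigned skipped[] = { 0, 1, 3 };       /* routine 2 never ran */
    const unsigned swapped[] = { 0, 2, 1, 3 };    /* ran out of order */
    printf("correct order, in window : %d\n", single_cycle_ok(good, 4, 80));
    printf("routine skipped          : %d\n", single_cycle_ok(skipped, 3, 80));
    printf("routines swapped         : %d\n", single_cycle_ok(swapped, 4, 80));
    printf("correct order, too early : %d\n", single_cycle_ok(good, 4, 20));
    printf("correct order, too late  : %d\n", single_cycle_ok(good, 4, 150));
    return 0;
}
```

The skipped and swapped cases are exactly the failures a windowed watchdog alone cannot see, since the kick still arrives inside the window; the early and late cases are the ones the logical check alone cannot see. Clearing the array at the start of each cycle matters: without it, a routine that stopped running would keep satisfying the check with the word it wrote last time.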

Highest diagnostic coverage

In some systems, more diagnostic coverage may be required to capture failures of the MCU, which may mean that simply sending back a pulse within a window of time is not enough. With this, it may be useful to require the MCU to perform a complex task, such as a calculation, to ensure that it is fully operational. This is where the MAX42500's challenge/response watchdog can come into play.

In this watchdog mode, there is a key-value register in the IC that must be read as the starting point of the challenge message. The MCU must use this message to calculate the appropriate response to send back to the watchdog IC, ensuring the watchdog is kicked within the valid window. This type of challenge/response watchdog operates similarly to a simple windowed one, except that the key register is updated rather than the watchdog being refreshed with a rising edge. This is shown in Figure 6. Notably, for the MAX42500's WDT, the watchdog input is implemented using the I2C interface, while the watchdog output is the reset output pin.

Figure 6 A challenge/response windowed watchdog example where the MCU reads the challenge message in the IC and calculates an appropriate response to be sent back to the watchdog IC to allow it to be kicked within the valid window. Source: Analog Devices

The MAX42500 contains a linear-feedback shift key (LFSK) register with a polynomial of x^8 + x^6 + x^5 + x^4 + 1 that shifts all bits upward toward the most significant bit (MSB) and inserts the calculated bit as the new least significant bit (LSB). With this, the MCU must compute the response in the same manner and return it to the register of the MAX42500 through I2C. Notably, such a polynomial is identified as primitive and, at the same time, a maximal-length feedback polynomial for 8 bits. This ensures that all bit value combinations (1 to 255) are generated by the polynomial, and the order of the numbers is indeed pseudo-random [4][5].
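The following is an added example, not code from the article or from Analog Devices, showing the 8-bit LFSR step for x^8 + x^6 + x^5 + x^4 + 1 as the text describes it (all bits move up toward the MSB, the feedback bit becomes the new LSB) and a model of the challenge/response exchange around it. Two things are this example's assumptions rather than facts from the MAX42500 data sheet: the mapping of the polynomial's terms onto register bits 7, 5, 4 and 3 (LFSR_TAPS), and that the watchdog expects exactly one LFSR step per challenge; the window bounds CR_T_MIN/CR_T_MAX are constructed. What does hold independently of those choices is the maximal-length property the text cites: this polynomial and its reciprocal x^8 + x^4 + x^3 + x^2 + 1 are both primitive, so the register visits all 255 non-zero values before repeating, which lfsr_period verifies.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Feedback taps: register bits 7, 5, 4 and 3 stand for the x^8, x^6, x^5 and
 * x^4 terms of x^8 + x^6 + x^5 + x^4 + 1 (this bit mapping is an assumption). */
#define LFSR_TAPS 0xB8u

/* Valid response window in ms after the last accepted response (assumed). */
#define CR_T_MIN 50u
#define CR_T_MAX 100u

static uint8_t parity8(uint8_t v) {
    v ^= v >> 4; v ^= v >> 2; v ^= v >> 1;
    return v & 1u;
}

/* One LFSR step as the article describes it: every bit moves up toward the
 * MSB, the old MSB drops out, and the XOR of the tapped bits becomes the LSB. */
uint8_t lfsr_step(uint8_t key) {
    return (uint8_t)((key << 1) | parity8(key & LFSR_TAPS));
}

/* Number of steps until the register returns to 'seed'. For a primitive
 * polynomial this is 255 for every non-zero seed; 0 is a fixed point. */
unsigned lfsr_period(uint8_t seed) {
    if (seed == 0) return 0;
    uint8_t s = seed;
    unsigned n = 0;
    do { s = lfsr_step(s); n++; } while (s != seed && n < 256);
    return n;
}

/* Watchdog-IC side of the exchange: the key register plus the window state. */
typedef struct {
    uint8_t  key;            /* current challenge value readable by the MCU */
    uint32_t last_ok_ms;     /* time of the last accepted response */
    bool     reset_asserted; /* reset output has been driven */
} crwd_t;

void crwd_init(crwd_t *w, uint8_t seed) {
    w->key = seed ? seed : 1u;   /* never start the LFSR at zero */
    w->last_ok_ms = 0;
    w->reset_asserted = false;
}

/* MCU side: read the challenge, compute the response. One step per
 * challenge is assumed here; consult the data sheet for the real part. */
uint8_t mcu_compute_response(uint8_t challenge) {
    return lfsr_step(challenge);
}

/* Watchdog side: accept the response only if it is the correct next LFSR
 * value and arrives inside the window; the key register then advances to it
 * (the "key register is updated" step from the text). Otherwise reset. */
bool crwd_submit(crwd_t *w, uint8_t response, uint32_t now_ms) {
    uint32_t dt = now_ms - w->last_ok_ms;
    bool in_window = dt >= CR_T_MIN && dt <= CR_T_MAX;
    if (!in_window || response != lfsr_step(w->key)) {
        w->reset_asserted = true;
        return false;
    }
    w->key = response;
    w->last_ok_ms = now_ms;
    return true;
}

int main(void) {
    printf("period from seed 0x01: %u\n", lfsr_period(0x01));
    crwd_t w;
    crwd_init(&w, 0x5A);
    uint8_t challenge = w.key;                       /* MCU reads the key over I2C */
    uint8_t response  = mcu_compute_response(challenge);
    printf("challenge 0x%02X -> response 0x%02X, accepted: %d\n",
           challenge, response, crwd_submit(&w, response, 80));
    /* An MCU that merely echoes the challenge back, without computing, fails: */
    printf("echoed challenge accepted: %d\n", crwd_submit(&w, w.key, 160));
    return 0;
}
```

The echo case at the end is the point of the scheme: a processor that can still toggle a pin or copy a register on time, but can no longer compute, is caught because no non-zero key is its own successor in a maximal-length LFSR. The seed must never be zero, since the all-zero state maps to itself and would make every challenge trivially answerable.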

Such a challenge/response can offer more coverage than the combination of temporal and logical program sequence monitoring, as it shows that the MCU can still perform actual calculations. This is as opposed to an MCU merely executing decision-making routines, such as only checking whether the array of words is correct before issuing a signal to reset the watchdog.

Diagnostic coverage claims

The basic functional safety standard gives a maximum claimable diagnostic coverage for each diagnostic measure recommended per block in an SRS. Table 1 lists the program sequence measures according to IEC 61508 that use WDTs.

Diagnostic technique/measure                                          Maximum DC considered achievable
Watchdog with a separate time base without a time window              Low
Watchdog with a separate time base and time window                    Medium
Combination of temporal and logical monitoring of program sequences   High

Table 1 Watchdog program sequence measures according to IEC 61508-2 Annex A Table A.10.

Moreover, since there are different implementations that may not be covered in the standard, a claimed diagnostic coverage can only be validated through fault insertion testing.

Diagnostic measures using WDTs

This article enumerates three types of diagnostic measures that use WDTs, as recommended by IEC 61508-2, to address failures in program sequence. The first type of watchdog, which has a separate time base but no time window, can be implemented using a simple watchdog. This diagnostic measure can only claim low diagnostic coverage.

Alternatively, the second type of watchdog, which has both a separate time base and a time window, can be implemented through a windowed watchdog. This measure can claim medium diagnostic coverage.

To improve diagnostic coverage to high, one can employ logical monitoring in addition to the usual temporal monitoring using watchdogs. A challenge/response windowed watchdog architecture can further enhance diagnostic coverage against program sequence failures with its capability to check an MCU's computational ability.

Bryan Angelo Borres is a TÜV-certified functional safety engineer who focuses on industrial functional safety. As a senior power applications engineer, he helps component designers and system integrators design functionally safe power products that comply with industrial functional safety standards such as IEC 61508. Bryan is a member of the IEC National Committee of the Philippines to IEC TC65/SC65A and the IEEE Functional Safety Standards Committee. He also holds a postgraduate diploma in power electronics and has more than seven years of extensive experience in designing efficient and robust power electronics systems.

Christopher Macatangay is a senior product applications engineer supporting the industrial power product line. Since joining Analog Devices in 2015, he has played a key role in enabling customer success through technical support, system validation, and application development for analog and mixed-signal products. Christopher spent six years prior to ADI as a test development engineer at a power supply company, where he focused on the design and implementation of automated test solutions for high-reliability products.

References

  1. “IEC 61508 All Parts, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems.” International Electrotechnical Commission, 2010.
  2. “Top Misunderstandings About Functional Safety.” TÜV SÜD.
  3. “Fundamentals of Windowed Watchdog Operation.” Analog Devices, Inc., December.
  4. “Pseudo Random Number Generation Using Linear Feedback Shift Registers.” Maxim, June 2010.
  5. Mohammed Abdul Samad AL-khatib and Auqib Hamid Lone, “Acoustic Lightweight Pseudo Random Number Generator based on Cryptographically Secure LFSR.” International Journal of Computer Network and Information Security, Vol. 2, February.

The post Program sequence monitoring using watchdog timers appeared first on EDN.
