Vision-Based System Design Part 5 – Designing Safety and Security into an Embedded Vision System

Article Index

Giles Peckham, Regional Marketing Director at Xilinx

Adam Taylor CEng FIET, Embedded Systems Consultant

So far, this series has examined techniques and devices for implementing the functions of an Embedded Vision (EV) System. This article will describe tools and techniques to ensure the system meets applicable safety and security requirements.

A suitable design methodology should include a risk assessment to understand the likelihood of technical failure, accident or incorrect operation, and its possible consequences. Equipment such as medical imaging equipment, industrial vision systems or automotive applications such as an Advanced Driver Assistance System (ADAS) typically require formalised assessment, referencing standards such as ISO 14971 for medical systems. In any case, teams should be able to demonstrate that safety has been given due consideration.

The results of risk assessment may call for functional safety measures. These are active systems designed to prevent dangerous failures. The IEC 61508 series are general international standards governing electrical/electronic and programmable functional-safety systems. Other application-specific safety standards include ISO 26262 for automotive applications, IEC 62061 for machinery, or DO178 / DO254 for flight applications. Each defines several safety integrity or assurance levels according to the time to failure of the safety system; the longest time to failure represents the highest safety assurance.

Safety-related design decisions can be evaluated and documented by following an engineering lifecycle and agreed standards. The engineering lifecycle (figure 1) will be determined by the end application and the resultant certification required. Within this life cycle, the engineering review gates which control the progress of the project can be defined. During these reviews, independent technical experts will examine requirements, designs, technical reports and test results to allow the design to progress to the next stage, or demand further work to achieve the desired standard of evidence.

The engineering plan will also outline the verification and validation process at every level, which is undertaken to gain the body of evidence to achieve compliance against the applicable standard. This may require testing of the EV system across environmental operating ranges, dynamic vibration and shock. Accelerated life testing may also be necessary, to ensure the operating life of the system can be achieved.

Security-Conscious Design
As far as security is concerned, the high-level issues engineers deal with include the following:
• Competitors reverse engineering the design
• Unauthorized modification of the design
• Unauthorized access to the data within the design
• Unauthorized control or manipulation of the end application

There are several ways to address some of these challenges. Access to the design and manufacturing files can be controlled. Encrypting bit streams can prevent spoofing attacks or theft of data by eavesdropping. The physical design can be protected by limiting access to JTAG ports in the final product, and by implementing software security measures depending upon the architecture of the device chosen.

The heart of any EV System is the image processing pipeline, which combines high-bandwidth processing with supervisory and control capability. By enabling a more tightly integrated architecture than is achieved using a processor and logic implemented in a separate FPGA, the All Programmable Zynq AP SoC®-7000 not only allows for a better SWaP-C solution (discussed in part 2 of this series) but also provides for a more secure system because data passing between the processor and logic fabric is not presented at external pins where it can be intercepted or monitored.

Moreover, the Zynq AP SoCdevice provides an embedded security architecture that can be used to support secure configuration. Within both the Processor System (PS) and the Programmable Logic (PL) a three-stage process can be used to ensure system partitions are secure. This comprises a Hashed Message Authentication Code (HMAC), Advanced Encryption Standard (AES) decryption, and RSA Authentication. Both the AES and HMAC use 256-bit private keys while the RSA uses 2048-bit keys. The security architecture of the Zynq AP SoCdevice also allows for JTAG access to be enabled or disabled.

These security features are enabled when generating the boot file and the configuration partitions for the non-volatile boot media. It is also possible to define a fall-back partition. In this case, should the initial first-stage boot loader fail to load its application, it will fall back to another copy of the application stored at a different memory location.

Creating a Trusted Environment
Once the device is successfully up and running, ARM® TrustZone® hardware-based security supported in the Zynq AP SoCdevice can be used to divide the system into secure and non-secure worlds. TrustZone technology implements secure and non-secure virtual cores on the Cortex-A9 processor, and encompasses memory, L2 cache, software, bus transactions, interrupts and peripherals. Hardware logic partitions the secure and non-secure worlds, and a software-based secure monitor manages switching between the two. This creates a Trusted Execution Environment (TEE) comprising TrustZone-based hardware isolation, trusted boot and a trusted OS. Applications that need to be trusted can be run in the TEE.

When it comes to implementing the image-processing pipeline within the Zynq AP SoC PLAll Programmable Zynq-7000 programmable logic fabric, TrustZone can also be used to provide secure or non-secure access to IP cores embedded in the fabric. These may be either custom-developed modules, or modules from the IP library. Securing access to critical aspects of the image-processing chain helps prevent unauthorized changes to the configuration.

Isolation Design Flow
Some safety and security implementations, such as IEC61508, may require certain elements of the system to be isolated from each other. This may be needed to achieve modular redundancy, or to support different safety areas or test functions. Xilinx’s Isolation Design Flow (IDF) helps designers enforce physical separation between the identified zones (figure 3). This is supported for the Zynq device when used with Vivado® Design Suite.

The IDF is similar to the conventional Zynq APdevice design flow, and enables users to implement a secure or safety-critical solution using familiar design techniques and coding styles. Engineers should, however, consider floorplanningfloor planning earlier in the design project to ensure proper isolation of elements such as logic, routing and I/O buffers. One important difference in the development flow is that partitions are used to isolate functions, which can simplify modification of isolated partitions if design changes are needed.

When it comes to implementing the design, several device and tool-specific implementation considerations can be used. The end application and overall engineering management plan will help determine which of these techniques should be used.

• Use of Error Detecting and Correcting (EDAC) codes on memories, if necessary this can be combined with a scrubbing function which periodically reads and corrects the data in memory
• Exploiting the Hamming difference when defining control words. Increasing the Hamming distance between command words while requiring more bits to implement can help with the reliability of the design.
• For critical commands use the “arm and fire” approach which requires two separate commands to action critical functions.
• Use of EDAC codes on external communication interfaces
• Built-In Test (BIT) capability. The Zynq XADC can support BIT my monitoring the device voltages and temperatures, as well as capturing external signals.

Identifying the applicable safety standards and establishing a suitable engineering management plan are essential to ensure the end product will achieve the required certification. Important components, tools and development methodologies are available to designers of All Programmable SoC devices, to help achieve the required standards for functional safety and security.

For more information, please visit:



T&M Supplement

The Annual T&M Supplement, sponsored by Teledyne LeCroy, was published in July. Click on the image above to read this exclusive report for free.

Follow us