
ISO 26262 meets AUTOSAR

- First Lessons Learned


Dr. Günther Heling

Agenda

1. ISO 26262 and AUTOSAR
   Two Basic Contradictions
   - Top-Down vs. Reuse
   - Concentration vs. Distribution
2. Approach Mixed ASIL System
3. Lessons learned from Projects
© 2013 Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector.
Slide: 2


1st Contradiction: Top-down vs. Reuse

ISO 26262
- Guidelines to ensure safety
- Project-related top-down approach

AUTOSAR
- Standards to support SW reuse
- Reuse & configuration of building blocks

1st Contradiction: Top-down vs. Reuse

Safety Elements out of Context (SEooC) according to ISO 26262 solve the contradiction.

[Diagram: the vehicle project flow and the SEooC flow side by side]

Vehicle Project
- Hazard analysis & risk assessment
- ASIL assignment, safety concept, safety requirements
- Development according to the ISO 26262 process
- Integration (consider the safety case of the SEooC)
- Validate (against the safety manual of the SEooC)

SEooC
- Concrete use case is unknown!
- Assumptions on ASIL and safety requirements
- Development according to the ISO 26262 process (code partly generated!)
- Safety Manual
- Safety Case

2nd Contradiction: Concentration vs. Distribution

[Diagram: Connectivity (Security!), Driver Assistance (Safety!), Electrification (Safety!)]

Distribution of functionality: many components involved
- well supported by AUTOSAR
- but high effort according to ISO 26262: one single safety requirement enforces development according to the ISO 26262 process

2nd Contradiction: Concentration vs. Distribution

The Functional Safety Concept should be based on few networks and ECUs only:
1. Link safety sensors to a safety ECU instead of the nearest ECU
2. Avoid small portions of safety-related software on one ECU
3. Link safety-related actuators to a safety ECU
   (not efficient: one safety tell-tale in an Instrument Cluster)

That might lead to extra costs in cabling and/or bus load. A system design tool like PREEvision can support finding the optimal solution.

System and Component Design with PREEvision

[Diagram: Lane Departure Warning modelled in PREEvision; Sensor, ECU, ECU and ASIL Function annotated with their ASIL qualification, with an ASIL mismatch highlighted]


Development of Mixed ASIL Software according to ISO 26262

Options:
a) ASIL lift-up: QM → ASIL
b) Coexistence: modules of different ASIL exist in one ECU
   1. Develop software components according to their individual ASIL
   2. Ensure freedom from interference between software components with different ASIL: provide a Safe Environment for safety modules

Safe Environment enabling Coexistence

[Diagram: application-specific algorithms with higher ASIL (SWC1 ... SWCn, "your job") and QM (or lower ASIL) SW on top of the basic functions RTE, COM, CANDRV ("our job", depending on your requirements), all running on the HW]

Providing a Safe Environment:
- Watchdog
- E2E Protection
- MPU handling
- RAM/ROM Test
- Silence Check
- Core Test

These cannot cover all HW failures: ASIL-compliant HW is needed (ECC, lockstep for higher ASIL).

Threat: propagation of failures
a. across defined interfaces
b. across undefined interfaces

3. Lessons learned from Projects
- Memory Protection
- Timing Protection
- Communication Protection

Base of Experience and General Lessons Learned

MICROSAR Safe used in >150 projects
| SafeContext | SafeWatchdog | SafeCom | SafeRTE | SilentBSW | SafeBSW |
80% ASIL-A/B | 20% ASIL-C/D
Broad range of concepts, different ECU types, different Tier1s

1. Safety is not an add-on
- Big impact on architecture
- Consider the Functional and Technical Safety Concept very early!
- Legacy solutions sometimes hinder

Applying Memory Partitioning (MPU) - General

Precondition: controller with MPU + OS scalability class SC3 or SC4

Context switches have a big impact on runtime overhead; ball-park figures:
- SC1: 100%
- SC3: 180%
- Safe SC3: 200%

The capability of MPUs differs between controllers, e.g. in the number of memory regions per partition; a software extension is possible but costs runtime.

Define partitions and the mapping of runnables early and carefully:
- Have a close look at C performance
- MemMap has to be maintained for all components, including MCAL and CDDs

Check the MPU configuration during startup to ensure that the defined configuration is active.

Access control to HW registers partly needs special algorithms: registers are not accessible in some modes.
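The startup check of the MPU configuration mentioned above, as an added example that is not part of the original slides and not MICROSAR or Vector code: it reads back a (here simulated) region table, compares it against the build-time table, and additionally verifies that no two partitions can write the same memory. The `MpuRegion` layout, the access bits and the three sample regions are constructed assumptions, not the register layout of any real controller or OS.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical MPU region descriptor: a simplified model for this example,
 * not the register layout of a real controller. */
typedef struct {
    uint32_t base;       /* start address */
    uint32_t size;       /* length in bytes, must be > 0 */
    uint8_t  partition;  /* owning OS-Application (partition) id */
    uint8_t  access;     /* bit0 = read, bit1 = write, bit2 = execute */
} MpuRegion;

#define MPU_R 0x1u
#define MPU_W 0x2u
#define MPU_X 0x4u

typedef enum {
    MPU_CHECK_OK = 0,
    MPU_CHECK_MISMATCH,     /* active image differs from the expected table */
    MPU_CHECK_OVERLAP,      /* writable regions of two partitions overlap */
    MPU_CHECK_INVALID_SIZE  /* a region of size 0 in the expected table */
} MpuCheckResult;

static bool regions_overlap(const MpuRegion *a, const MpuRegion *b) {
    uint64_t a_end = (uint64_t)a->base + a->size;
    uint64_t b_end = (uint64_t)b->base + b->size;
    return a->base < b_end && b->base < a_end;
}

/* Startup self-check: compare the configuration read back from the MPU
 * ("active") with the build-time table ("expected"), then make sure no two
 * partitions may write the same memory. Run after the OS has programmed the
 * MPU and before safety-related runnables are released. */
MpuCheckResult mpu_check_config(const MpuRegion *active,
                                const MpuRegion *expected, size_t n) {
    size_t i, j;
    for (i = 0; i < n; i++) {
        if (expected[i].size == 0u) return MPU_CHECK_INVALID_SIZE;
        if (active[i].base != expected[i].base ||
            active[i].size != expected[i].size ||
            active[i].partition != expected[i].partition ||
            active[i].access != expected[i].access)
            return MPU_CHECK_MISMATCH;
    }
    for (i = 0; i < n; i++)
        for (j = i + 1; j < n; j++)
            if (expected[i].partition != expected[j].partition &&
                (expected[i].access & MPU_W) && (expected[j].access & MPU_W) &&
                regions_overlap(&expected[i], &expected[j]))
                return MPU_CHECK_OVERLAP;
    return MPU_CHECK_OK;
}

/* Constructed sample table: partition 1 = ASIL application, partition 2 = QM
 * application, partition 0 = shared code (read/execute only). */
static const MpuRegion expected_table[] = {
    { 0x08000000u, 0x00040000u, 0, MPU_R | MPU_X },   /* code, shared       */
    { 0x20000000u, 0x00001000u, 1, MPU_R | MPU_W },   /* ASIL partition RAM */
    { 0x20001000u, 0x00001000u, 2, MPU_R | MPU_W },   /* QM partition RAM   */
};
#define N_REGIONS (sizeof(expected_table) / sizeof(expected_table[0]))

/* Scenario 1: the readback matches the table. */
MpuCheckResult mpu_demo_good(void) {
    MpuRegion active[N_REGIONS];
    size_t i;
    for (i = 0; i < N_REGIONS; i++) active[i] = expected_table[i];
    return mpu_check_config(active, expected_table, N_REGIONS);
}

/* Scenario 2: the QM region was programmed with twice its intended size
 * (e.g. a wrong size encoding), so the readback no longer matches. */
MpuCheckResult mpu_demo_tampered(void) {
    MpuRegion active[N_REGIONS];
    size_t i;
    for (i = 0; i < N_REGIONS; i++) active[i] = expected_table[i];
    active[2].size = 0x00002000u;
    return mpu_check_config(active, expected_table, N_REGIONS);
}

/* Scenario 3: a build-time table where the QM RAM region overlaps the ASIL
 * one; the readback matches it exactly, yet the partitioning is unsafe. */
MpuCheckResult mpu_demo_overlap(void) {
    MpuRegion table[N_REGIONS];
    size_t i;
    for (i = 0; i < N_REGIONS; i++) table[i] = expected_table[i];
    table[2].base = 0x20000800u;
    return mpu_check_config(table, table, N_REGIONS);
}

int main(void) {
    printf("good=%d tampered=%d overlap=%d\n",
           mpu_demo_good(), mpu_demo_tampered(), mpu_demo_overlap());
    return 0;
}
```

The overlap check is deliberately run on the expected table rather than only on the readback: a table that is wrong at build time passes the mismatch comparison, so the check must also assert the property the partitioning is supposed to guarantee (no shared writable memory between partitions), not just that the hardware did what it was told.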

Applying Memory Partitioning (MPU) - Communication

Assumption: the communication BSW does not comply with the highest ASIL.

- For intra-ECU communication, context switches should be avoided: try to use sender/receiver communication
- For inter-ECU communication, the number of context switches should be minimized: collect data in a proxy data space if the delay is acceptable

Alternatives: SilentBSW or SafeBSW avoid context switches

Applying Watchdog

- First thing to decide: internal or external watchdog
- Watchdog handling has quite an effect on runtime
- Define and implement checkpoints early; activate the watchdog early in the project
- Start and stop of the system need special attention
  > e.g. blocking of interrupts can be critical
  > e.g. early shutdown of the OS can be critical
- Handling of a window watchdog needs special consideration
- Design and test stop/shutdown early
- Don't set the watchdog too sensitive
- Fast reaction on the window-open trigger needed
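The checkpoint, sensitivity and window-watchdog points above, as an added example that is not part of the original slides and not MICROSAR or Vector code: a supervised entity reports checkpoints (logical supervision), its CP_END reports per reference cycle are counted against a minimum/maximum (alive supervision), and a configurable number of bad cycles is tolerated before the entity expires, so that the watchdog is not "set too sensitive". A small model of a hardware window watchdog shows why a trigger before the window opens is as fatal as a missed one. Checkpoint names, the 40..60 ms window and the tolerance values are constructed assumptions, not a WdgM configuration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Checkpoints of one supervised entity (constructed for this example). */
typedef enum { CP_START = 0, CP_WORK = 1, CP_END = 2, CP_COUNT = 3 } Checkpoint;

typedef struct {
    Checkpoint expected;     /* logical supervision: next allowed checkpoint */
    bool     logic_failed;   /* a checkpoint arrived out of order this cycle */
    uint16_t alive;          /* CP_END reports in the current reference cycle */
    uint16_t min_alive;      /* alive supervision: minimum ... */
    uint16_t max_alive;      /* ... and maximum CP_END reports per cycle */
    uint8_t  failed_cycles;  /* consecutive reference cycles with a violation */
    uint8_t  tolerance;      /* failed cycles accepted before the entity expires */
    bool     expired;
} Supervision;

void sup_init(Supervision *s, uint16_t min_alive, uint16_t max_alive, uint8_t tolerance) {
    s->expected = CP_START; s->logic_failed = false; s->alive = 0u;
    s->min_alive = min_alive; s->max_alive = max_alive;
    s->failed_cycles = 0u; s->tolerance = tolerance; s->expired = false;
}

/* Called by the supervised runnable when it passes a checkpoint. */
void sup_checkpoint(Supervision *s, Checkpoint cp) {
    if (cp != s->expected) s->logic_failed = true;    /* wrong program flow */
    if (cp == CP_END) s->alive++;
    s->expected = (Checkpoint)((cp + 1) % CP_COUNT);  /* START -> WORK -> END -> START */
}

/* Called once per supervision reference cycle. Returns true while the entity
 * may still keep the watchdog alive; bad cycles are tolerated up to 'tolerance'. */
bool sup_cycle_end(Supervision *s) {
    bool ok = !s->logic_failed && s->alive >= s->min_alive && s->alive <= s->max_alive;
    if (ok) s->failed_cycles = 0u;
    else if (++s->failed_cycles > s->tolerance) s->expired = true;
    s->alive = 0u; s->logic_failed = false; s->expected = CP_START;
    return !s->expired;
}

/* Model of a hardware window watchdog: a trigger is accepted only between
 * open_ms and close_ms after the previous one; earlier or later means reset. */
typedef struct {
    uint32_t last_trigger_ms;
    uint32_t open_ms;
    uint32_t close_ms;
    bool     reset;
} WindowWdg;

bool wdg_service(WindowWdg *w, uint32_t now_ms) {
    uint32_t elapsed = now_ms - w->last_trigger_ms;
    if (elapsed < w->open_ms || elapsed > w->close_ms) { w->reset = true; return false; }
    w->last_trigger_ms = now_ms;
    return true;
}

/* Scenario 1: one cycle misses CP_END. With tolerance 1 the entity survives
 * (failed_cycles == 1, not expired), so the watchdog is still serviced. */
bool demo_single_miss_tolerated(void) {
    Supervision s; bool ok1, ok2;
    sup_init(&s, 1u, 1u, 1u);
    sup_checkpoint(&s, CP_START); sup_checkpoint(&s, CP_WORK); sup_checkpoint(&s, CP_END);
    ok1 = sup_cycle_end(&s);
    sup_checkpoint(&s, CP_START); sup_checkpoint(&s, CP_WORK);   /* CP_END missing */
    ok2 = sup_cycle_end(&s);
    return ok1 && ok2 && s.failed_cycles == 1u && !s.expired;
}

/* Scenario 2: two consecutive bad cycles exceed the tolerance; the entity
 * expires and the watchdog must no longer be serviced. */
bool demo_two_misses_expire(void) {
    Supervision s; bool ok1, ok2;
    sup_init(&s, 1u, 1u, 1u);
    sup_checkpoint(&s, CP_START);                  /* no CP_END */
    ok1 = sup_cycle_end(&s);
    sup_checkpoint(&s, CP_START);                  /* no CP_END again */
    ok2 = sup_cycle_end(&s);
    return ok1 && !ok2 && s.expired;
}

/* Scenario 3: window 40..60 ms. Servicing at 50 ms is accepted; a second
 * service 10 ms later (window still closed) causes a reset. */
bool demo_window_trigger(void) {
    WindowWdg w = { 0u, 40u, 60u, false };
    bool first = wdg_service(&w, 50u);
    bool second = wdg_service(&w, 60u);
    return first && !second && w.reset;
}

int main(void) {
    printf("single miss tolerated: %d\n", demo_single_miss_tolerated());
    printf("two misses expire:     %d\n", demo_two_misses_expire());
    printf("early trigger resets:  %d\n", demo_window_trigger());
    return 0;
}
```

Scenario 3 is the start/stop case from the slide: after a restart or during shutdown a fast loop that services the watchdog "to be safe" hits the closed window and resets the controller, so servicing must be tied to the supervision result and to the window timing rather than done opportunistically.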

Applying E2E Protection

- Synchronization of the application to communication is hard to realize
- Make sure the receiver is tolerant regarding single inconsistencies of the message counter
- If tolerance is not acceptable: a system design based on ECU-wide synchronization with communication is needed
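The receiver-side counter tolerance recommended above, as an added example that is not part of the original slides and not MICROSAR or Vector code. It follows the shape of an AUTOSAR E2E profile (a 4-bit alive counter plus a CRC-8 over data ID and payload) but is a simplified layout of my own, not the specification's exact one: the receiver distinguishes an exact increment (OK), a jump of up to `E2E_MAX_DELTA` (OK_SOME_LOST, the tolerated single inconsistency), a repeated counter, a larger jump (WRONG_SEQUENCE) and a CRC failure. Message length, data ID 0x2A and the lost/duplicated/corrupted message pattern are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define E2E_MSG_LEN   8u   /* byte 0 = CRC, byte 1 low nibble = alive counter, bytes 2..7 = payload */
#define E2E_MAX_DELTA 2u   /* largest accepted counter jump: 2 = at most one lost message */

typedef enum {
    E2E_INITIAL,        /* first message, nothing to compare against */
    E2E_OK,             /* counter advanced by exactly 1 */
    E2E_OK_SOME_LOST,   /* counter advanced by 2..E2E_MAX_DELTA: tolerated */
    E2E_REPEATED,       /* same counter as the last accepted message */
    E2E_WRONG_SEQUENCE, /* jump larger than E2E_MAX_DELTA */
    E2E_WRONG_CRC
} E2eStatus;

/* CRC-8 with the SAE J1850 polynomial 0x1D; caller supplies init and final XOR. */
static uint8_t crc8_update(uint8_t crc, const uint8_t *data, size_t len) {
    size_t i; int b;
    for (i = 0; i < len; i++) {
        crc ^= data[i];
        for (b = 0; b < 8; b++)
            crc = (crc & 0x80u) ? (uint8_t)((crc << 1) ^ 0x1Du) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* The data ID is mixed into the CRC so a message of another ID fails the check. */
static uint8_t e2e_crc(uint8_t data_id, const uint8_t *msg) {
    uint8_t crc = crc8_update(0xFFu, &data_id, 1u);
    crc = crc8_update(crc, msg + 1, E2E_MSG_LEN - 1u);
    return (uint8_t)(crc ^ 0xFFu);
}

typedef struct { uint8_t data_id; uint8_t counter; } E2eSender;
typedef struct { uint8_t data_id; uint8_t last_counter; bool first; } E2eReceiver;

/* Sender side: increment the 4-bit alive counter and seal the message. */
void e2e_protect(E2eSender *s, uint8_t *msg) {
    s->counter = (uint8_t)((s->counter + 1u) & 0x0Fu);
    msg[1] = (uint8_t)((msg[1] & 0xF0u) | s->counter);
    msg[0] = e2e_crc(s->data_id, msg);
}

/* Receiver side: CRC first, then the counter delta modulo 16. */
E2eStatus e2e_check(E2eReceiver *r, const uint8_t *msg) {
    uint8_t counter, delta;
    if (e2e_crc(r->data_id, msg) != msg[0]) return E2E_WRONG_CRC;
    counter = msg[1] & 0x0Fu;
    if (r->first) { r->first = false; r->last_counter = counter; return E2E_INITIAL; }
    delta = (uint8_t)((counter - r->last_counter) & 0x0Fu);
    if (delta == 0u) return E2E_REPEATED;   /* last_counter unchanged */
    r->last_counter = counter;              /* design choice: resynchronise even on a bad jump */
    if (delta == 1u) return E2E_OK;
    if (delta <= E2E_MAX_DELTA) return E2E_OK_SOME_LOST;
    return E2E_WRONG_SEQUENCE;
}

/* Constructed scenario: msgs 1 and 2 arrive, msg 3 is lost, msg 4 arrives twice,
 * msgs 5..7 are lost, msg 8 arrives, msg 9 arrives with a flipped payload bit.
 * Fills 'out' with the receiver's verdicts and returns how many were written. */
int e2e_demo(E2eStatus *out, int max) {
    E2eSender   tx = { 0x2Au, 0u };
    E2eReceiver rx = { 0x2Au, 0u, true };
    uint8_t msg[E2E_MSG_LEN];
    int n = 0, i;
    memset(msg, 0, sizeof msg);
    for (i = 1; i <= 9 && n < max; i++) {
        msg[2] = (uint8_t)i;                        /* payload that changes each cycle */
        e2e_protect(&tx, msg);
        if (i == 3 || (i >= 5 && i <= 7)) continue; /* lost on the bus */
        if (i == 9) msg[3] ^= 0x01u;                /* bit flip after protection */
        out[n++] = e2e_check(&rx, msg);
        if (i == 4 && n < max) out[n++] = e2e_check(&rx, msg); /* duplicate delivery */
    }
    return n;
}

int main(void) {
    E2eStatus st[8]; int n = e2e_demo(st, 8), i;
    for (i = 0; i < n; i++) printf("delivery %d -> status %d\n", i, st[i]);
    return 0;
}
```

With `E2E_MAX_DELTA` set to 2 the single lost message 3 is reported as OK_SOME_LOST and the application keeps consuming data; the burst of three lost messages is still flagged as WRONG_SEQUENCE. How many lost messages an application may tolerate is a safety-concept decision per signal, which is why the threshold is a configuration value and not hard-coded into the check.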

Lessons Learned

ISO 26262 and AUTOSAR go together well when considering safety very early
- Safety Elements out of Context support reuse
- Concentration of safety-related elements reduces effort
- The coexistence concept supports mixed ASIL systems
- Take benefit from experiences made

Thank you for your attention!
Dr. Günther Heling