
In this article, we will look at the features AUTOSAR provides to support compliance with ISO 26262. ISO 26262 is a functional safety standard for on-road vehicles. In layman's terms, ISO 26262 tries to reduce the probability of vehicle accidents that could injure or kill the driver or passengers as a result of a fault in the electrical and electronic components and/or the control software (ECU SW). To be compliant with ISO 26262, AUTOSAR provides some features which can be utilized.

ISO 26262 classifies systems into 4+1 levels (ASIL A, B, C, D + QM), with ASIL D being the highest level of safety (least prone to faults) and ASIL A the lowest.

According to ISO 26262, if the ECU SW contains SW components with both low and high ASIL levels, either the entire SW must be developed according to the requirements of the highest ASIL level, or the high-ASIL components must have freedom from interference from the low-ASIL components. AUTOSAR supports this freedom from interference with mechanisms in the following areas:

  • Memory
  • Timing
  • Execution
  • Exchange of Information

Memory

Software components developed according to a lower ASIL rating may interfere with software components of a higher ASIL rating by wrongly accessing their memory regions. Executing software components in separate memory regions or memory partitions helps prevent such memory access violations.

The functional safety mechanism Memory Partitioning provides protection by restricting access to memory and memory-mapped hardware. Memory partitioning means that OS-Applications reside in different memory areas (partitions) that are protected from each other. In particular, code executing in one partition cannot modify the memory of a different partition. Moreover, memory partitioning makes it possible to protect read-only memory segments (e.g. code) as well as memory-mapped hardware.




In AUTOSAR, the Runnables of the application SW-Cs are grouped and executed in a task, and one or more tasks are grouped to form an OS-Application. By grouping the high-ASIL components into one or more OS-Applications and the low-ASIL components into different OS-Applications, we create a separation from the scheduler's point of view. The OS then ensures that one OS-Application cannot corrupt another OS-Application's memory (provided the OS and the memory partitions are configured correctly).

Timing

According to ISO 26262, the following circumstances in SW execution create safety issues:

  • Blocking of execution
  • Deadlocks
  • Livelocks
  • Incorrect allocation of execution time
  • Incorrect synchronization between software elements
The AUTOSAR module WdgM (together with Wdg, WdgIf and the watchdog hardware) addresses these problems by means of supervised entities. A supervised entity is not a SW unit; rather, it is a piece of logic that may be spread across multiple SW-Cs. Deadline supervision and alive supervision are examples of such supervision. We will look at these supervision mechanisms in detail in coming articles.

Execution

Execution errors are handled with logical supervision. Logical supervision is a technique for checking the correct execution of software and focuses on control flow errors. Control flow errors cause a divergence from the valid (i.e. coded/compiled) program sequence during the error-free execution of the application. An incorrect control flow occurs if one or more program instructions are processed either in the incorrect sequence or are not processed at all. Control flow errors can, for example, lead to data inconsistencies, data corruption or other software failures. We will look at this supervision in detail in coming articles.

Exchange of Information


When data is transmitted (between ECUs via CAN, Ethernet or any other communication medium), there is a possibility that it gets lost, corrupted, delayed, incorrectly sequenced or repeated because of a problem in the communication medium or elsewhere. To protect against this, AUTOSAR provides End-to-End protection (E2E).

End-to-End protection adds additional control information to the application data to be transmitted. This information is called the End-to-End header. The control information usually contains a checksum, a counter and other options. The extended data is provided to the RTE for transmission. At the receiver side, the data is verified by processing the contents of the End-to-End header. After the received data has been processed and accepted as correct, the control information is removed and the application data is provided to the target software component.

The extended data is typically made up of a counter, a CRC, a data ID, etc., and with these elements faults can be detected in different ways, as shown below.
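The sender/receiver exchange described above, as a constructed C example that is not part of the original post and not AUTOSAR's own E2E library: a simplified E2E header made of a CRC-8 (SAE J1850 polynomial, the one used by AUTOSAR's Crc_CalculateCRC8) and a 4-bit alive counter, with the data ID folded into the CRC so that a frame from another signal is rejected; the receiver returns a distinct verdict for corruption, repetition, loss and wrong sequence. The data IDs, payload, frame layout and tolerated counter gap are assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>
/* Constructed E2E-style header (not AUTOSAR's own E2E library): [CRC-8][4-bit counter][payload]; data ID implicit. */
#define E2E_PAYLOAD_LEN 4
#define E2E_FRAME_LEN   (2 + E2E_PAYLOAD_LEN)
enum e2e_status { E2E_OK, E2E_LOST, E2E_REPEATED, E2E_WRONG_SEQUENCE, E2E_WRONG_CRC };
typedef struct { uint16_t data_id; uint8_t counter; } e2e_sender;
typedef struct { uint16_t data_id; uint8_t last_counter; uint8_t first; } e2e_receiver;
/* CRC-8 SAE J1850 (poly 0x1D), bit-wise; caller supplies init 0xFF and applies the final XOR 0xFF. */
static uint8_t crc8_update(uint8_t crc, const uint8_t *d, size_t n) {
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int b = 0; b < 8; b++) crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x1D : crc << 1);
    }
    return crc;
}
/* CRC over data ID + counter + payload, so a frame meant for another signal fails like a corrupted one. */
static uint8_t e2e_crc(uint16_t id, const uint8_t *frame) {
    uint8_t idb[2] = { (uint8_t)id, (uint8_t)(id >> 8) };
    return (uint8_t)(crc8_update(crc8_update(0xFF, idb, 2), &frame[1], E2E_FRAME_LEN - 1) ^ 0xFF);
}
/* Sender side: prepend counter and CRC (the E2E header), then advance the 0..14 counter. */
void e2e_protect(e2e_sender *s, const uint8_t *payload, uint8_t *frame) {
    frame[1] = s->counter; memcpy(&frame[2], payload, E2E_PAYLOAD_LEN);
    frame[0] = e2e_crc(s->data_id, frame);
    s->counter = (uint8_t)((s->counter + 1) % 15);
}
/* Receiver side: verify CRC, classify the counter step, then strip the header for the SW-C. */
enum e2e_status e2e_check(e2e_receiver *r, const uint8_t *frame, uint8_t *payload) {
    if (frame[0] != e2e_crc(r->data_id, frame)) return E2E_WRONG_CRC;
    uint8_t cnt = frame[1] & 0x0F, delta = r->first ? 1 : (uint8_t)((cnt + 15 - r->last_counter) % 15);
    if (delta == 0) return E2E_REPEATED;         /* same frame delivered again */
    if (delta > 3) return E2E_WRONG_SEQUENCE;    /* stale/reordered, or more than 2 frames lost */
    r->first = 0; r->last_counter = cnt;
    memcpy(payload, &frame[2], E2E_PAYLOAD_LEN);
    return delta == 1 ? E2E_OK : E2E_LOST;       /* LOST: gap tolerated but reported to the caller */
}
/* Self-check on constructed frames: returns how many of the 6 expected verdicts were produced. */
int e2e_selftest(void) {
    e2e_sender s = { 0x0123, 0 }; e2e_receiver r = { 0x0123, 0, 1 };
    uint8_t p[E2E_PAYLOAD_LEN] = { 1, 2, 3, 4 }, o[E2E_PAYLOAD_LEN], f[3][E2E_FRAME_LEN];
    for (int i = 0; i < 3; i++) e2e_protect(&s, p, f[i]);
    int ok = (e2e_check(&r, f[0], o) == E2E_OK && memcmp(o, p, sizeof p) == 0);
    ok += e2e_check(&r, f[0], o) == E2E_REPEATED;
    ok += e2e_check(&r, f[2], o) == E2E_LOST;            /* f[1] never arrived */
    ok += e2e_check(&r, f[1], o) == E2E_WRONG_SEQUENCE;  /* f[1] arrives late, already superseded */
    f[2][3] ^= 0x01; ok += e2e_check(&r, f[2], o) == E2E_WRONG_CRC;    /* one flipped payload bit */
    r.data_id = 0x0124; ok += e2e_check(&r, f[0], o) == E2E_WRONG_CRC; /* same bytes, other data ID */
    return ok;
}
```

Note that a receiver with a different data ID rejects an otherwise valid frame, which is how the implicit data ID detects masquerading without spending a byte on the bus.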




