AUTOSAR & Functional Safety
John Favaro Intecs
Jochen Olig Elektrobit
Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 2
Mixed Criticality
Unsafe Airplanes?
Strange Bedfellows
• Are modern airplanes safe? Much controversy
• One reason: modern onboard flight systems include
– Extremely critical functions (e.g. flight control)
– Extremely non-critical functions (e.g. movies)
• This is mixed criticality
A Hot Topic Around the World
EU Mixed Criticality Projects
Why the Trend?
“Because we can”
Modern multicore processors have the power to support an incredible amount of functionality: lightweight, power efficient, space saving, …
Integrated Architectures
Modern integrated architectures make it possible to host all of the system functionality on a single platform.
[Figure: Integrated Modular Avionics (IMA)]
AUTOSAR
[Figure: AUTOSAR layered architecture (Uni Potsdam)]
AUTOSAR enables integration of all kinds of functionality,
from applications to basic software, on the same platform
Functional Safety and Mixed Criticality
Functional Safety = ISO 26262
• What does ISO 26262 say about mixed criticality?
• Part 9, Clause 6 describes the Criteria for Coexistence of Elements
[Figure: coexistence matrix of elements at ASIL D, ASIL B and ASIL A hosted on the same platform, each element paired against elements of the other ASILs]
Freedom From Interference
• The key to mixed criticality software in ISO 26262 is to demonstrate freedom from interference
• Freedom from interference means that a software element is unable to make another software element fail through erroneous behavior
[Figure: a failing element propagating its erroneous behavior to an affected element]
Kinds of Software Interference
(figure: erharoldsen.com)
• TIME: “Hogging the stage” (an element consumes more execution time than it is allowed)
• SPACE: “My personal space” (an element corrupts memory that belongs to another element)
• COMMUNICATION: “Babbling idiot” (an element floods or corrupts the shared communication channel)
“Do-It-Yourself”?
• Why not just “do it yourself”?
– Construct your applications “very carefully”
• Unrealistic! Broken software cannot “heal itself”
– Too many unknown failure modes
– Too many unknown unknowns (“unk-unks”)
• The only realistic path is platform-level support
– ISO 26262 agrees
No “do-it-yourself”
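To make the platform-level argument concrete, here is an added example in C that is not part of the slides and not AUTOSAR or ISO 26262 code. A toy "platform layer" checks each of the three interference kinds named above (time, space, communication) on behalf of the application elements, so the low-criticality element cannot harm the high-criticality one even when it is broken. The partition sizes, time and message budgets, the "brake"/"infotainment" element names and their ASIL labels are hypothetical values chosen for the scenario.

```c
/* Added illustration, not from the slides: a toy "platform layer" that
 * enforces freedom from interference in the three dimensions the slide
 * names (time, space, communication). Partition sizes, budgets, element
 * names and ASIL labels are hypothetical values chosen for this example;
 * they are not AUTOSAR or ISO 26262 configuration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum { OK = 0, VIOLATION_TIME, VIOLATION_SPACE, VIOLATION_COMM } verdict_t;

/* One partition per software element. The element may only write inside
 * [base, base + size), run for at most time_budget_us per activation and
 * emit at most msg_budget messages per communication cycle. */
typedef struct {
    const char *name;
    uint8_t    *base;
    size_t      size;
    uint32_t    time_budget_us;
    uint32_t    msg_budget;
} partition_t;

typedef struct { uint32_t sent; } comm_state_t;   /* per-cycle message counter */

static uint8_t brake_mem[64];   /* memory owned by the high-criticality element */
static uint8_t info_mem[64];    /* memory owned by the low-criticality element */

/* Hypothetical partitions for the example scenario. */
const partition_t brake_partition = { "brake (ASIL D)", brake_mem, sizeof brake_mem, 500, 4 };
const partition_t info_partition  = { "infotainment (ASIL A)", info_mem, sizeof info_mem, 2000, 8 };

/* SPACE ("my personal space"): accept a write only if it lies entirely inside
 * the writer's own partition. An MPU does this in hardware and raises a fault;
 * here the platform refuses the write instead. The bounds test compares n with
 * the room left in the partition, so dst + n can never wrap around. */
verdict_t platform_write(const partition_t *p, uint8_t *dst, const uint8_t *src, size_t n)
{
    uintptr_t lo = (uintptr_t)p->base, hi = lo + p->size, d = (uintptr_t)dst;
    if (d < lo || d >= hi || n > hi - d)
        return VIOLATION_SPACE;
    memcpy(dst, src, n);
    return OK;
}

/* TIME ("hogging the stage"): compare the element's measured execution time
 * with its budget. The clock values are simulated microsecond timestamps
 * supplied by the caller so the example runs deterministically. */
verdict_t platform_check_time(const partition_t *p, uint32_t start_us, uint32_t end_us)
{
    return (end_us - start_us > p->time_budget_us) ? VIOLATION_TIME : OK;
}

/* COMMUNICATION ("babbling idiot"): count the messages an element emits in one
 * cycle and silence it once it exceeds its budget, so it cannot flood the
 * shared channel. */
verdict_t platform_send(const partition_t *p, comm_state_t *st, const uint8_t *msg, size_t n)
{
    (void)msg; (void)n;                 /* a real platform would hand msg to the bus here */
    if (st->sent >= p->msg_budget)
        return VIOLATION_COMM;
    st->sent++;
    return OK;
}

/* Scenario: the infotainment element misbehaves in all three ways while the
 * brake element shares the ECU. Returns how many attempts the platform caught. */
int run_scenario(void)
{
    static const uint8_t payload[8] = "GARBAGE";   /* constructed sample data */
    comm_state_t comm = { 0 };
    int caught = 0;

    /* 1. Spatial: tries to write into the brake element's memory. */
    if (platform_write(&info_partition, brake_mem, payload, sizeof payload) == VIOLATION_SPACE) caught++;
    /* 2. Temporal: runs for 3000 us against a 2000 us budget. */
    if (platform_check_time(&info_partition, 1000, 4000) == VIOLATION_TIME) caught++;
    /* 3. Communication: tries to send 9 messages in a cycle with a budget of 8. */
    for (int i = 0; i < 9; i++)
        if (platform_send(&info_partition, &comm, payload, sizeof payload) == VIOLATION_COMM) { caught++; break; }
    return caught;
}

/* 1 if the brake element's memory was never touched, 0 otherwise. */
int brake_mem_intact(void)
{
    for (size_t i = 0; i < sizeof brake_mem; i++)
        if (brake_mem[i] != 0) return 0;
    return 1;
}

int main(void)
{
    printf("violations caught: %d of 3\n", run_scenario());
    printf("brake memory intact: %s\n", brake_mem_intact() ? "yes" : "no");
    return 0;
}
```

The point of the example is where the checks live: none of them is inside the infotainment code. A broken element cannot "heal itself", but a platform that owns the memory map, the clock and the channel can still refuse its writes, flag its overrun and stop its flooding, which is exactly the kind of support the slide says ISO 26262 expects.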