EE Times-Asia

Grasping architectures for ISO 26262 systems

Posted: 23 Feb 2015

Keywords: in-vehicle electronics, electronic control units, ISO 26262, ASIL, OS

More significantly, responsibility for an in-vehicle safety-related software system does not end when the vehicle rolls off the assembly line, but continues throughout the life of the vehicle. When something goes wrong, the automaker must remedy the situation. The automaker or its suppliers must be prepared, therefore, to maintain and assume the cost of the dual development infrastructures inherent in a two-OS solution throughout the lifespan of the vehicle.

Isolation and dependability
Whether or not virtualisation is used to isolate safety-related components from non-safety-related components, an ISO 26262 system must be designed so that:
- Safety-related components meet their dependability requirements
- Safety-related components are protected from interference from other components, both non-safety-related and safety-related

OS architectures
OS architecture is crucial in an ISO 26262 system, both because it is fundamental to overall system dependability and because it determines how easy it is to isolate and protect components with different or equivalent ASIL requirements. Table 2 below lists the most common OS architectures used in embedded systems and summarises how these architectures affect component isolation.

Table 2: OS architectures and how they address component isolation.

Figure 6: A microkernel OS isolates components from each other; a fault in one component can't percolate across the system.

An in-vehicle system will likely incorporate a multimedia component that uses high-end 3D graphics to display non-critical information on the head unit screen. This component may only require an ASIL of B or even A, while the safety-critical components (managing braking, adaptive cruise control, assisted parking, etc.) will require ASIL C certification or better. We suggest that a single microkernel OS can provide both sufficient dependability and sufficient protection from interference for an ISO 26262 system.

Protection from interference
In general, in a system with safety-related components, it is best to isolate as many components as possible, using a variety of complementary techniques. These techniques are applicable to different stages of the project, from design to validation of the completed components and system. The following OS features can help address the types of interference described in the "Interference" section, above.

Preventing resource deprivation
By using resource limit (rlimit) parameters, system designers can set upper limits on the size and quantity of resources allocated to a process or application (address space, memory, number of processes or threads, number of file descriptors, etc.). Thus, no process or application can monopolise resources and starve other processes.
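As an added example (not from the article), the following C program caps the calling process's open file descriptors with the POSIX setrlimit() call and then shows that opens beyond the cap fail with EMFILE instead of exhausting a shared resource; RLIMIT_NOFILE is chosen because it is easy to exercise, and the program assumes a POSIX system with /dev/null.

```c
/* Added example (not from the article): cap the calling process's open
 * file descriptors with POSIX setrlimit() and show that opens beyond
 * the cap fail with EMFILE rather than exhausting a shared resource.
 * The same call sets RLIMIT_AS, RLIMIT_NPROC, etc. where supported. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Lower the soft descriptor limit (inherited by later children) to
 * `cap`, clamped to the hard limit. Returns 0 on success, -1 on error. */
int cap_open_files(rlim_t cap)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (cap > rl.rlim_max)
        cap = rl.rlim_max;      /* soft limit may not exceed hard limit */
    rl.rlim_cur = cap;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Open /dev/null up to `tries` times, holding every descriptor, then
 * close them all. Returns the number of successful opens if no open
 * failed or the first failure was EMFILE (the limit did its job);
 * returns -1 if an open failed for any other reason. */
int opens_before_limit(int tries)
{
    int fds[256], n = 0, err = 0;
    if (tries > 256)
        tries = 256;
    for (int i = 0; i < tries; i++) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0) { err = errno; break; }
        fds[n++] = fd;
    }
    for (int i = 0; i < n; i++)
        close(fds[i]);
    return (err == 0 || err == EMFILE) ? n : -1;
}

int main(void)
{
    if (cap_open_files(16) != 0)
        return 1;
    printf("opened %d descriptors before hitting the cap of 16\n", opens_before_limit(64));
    return 0;
}
```

Because the soft limit is inherited across fork() and exec(), a supervisor can apply it once before launching a non-safety-related application and every process that application spawns stays within the cap.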

To provide another line of defence, the system can include an anomaly detection program. This program would learn what constitutes normal behaviour for a particular system, then monitor resource allocations and take corrective action when it detects that a process is making abnormal use of resources.

Bound multi-processing (BMP) can also help protect resources needed by safety-related components. BMP is an advanced form of processor affinity, or symmetric multi-processing (SMP), that lets designers assign threads or entire hierarchies of threads to specific cores. In an ISO 26262 system running on a dual-core processor, Core A could be dedicated to threads for safety-related components, excluding all other threads, while Core B could run the threads for all the non-safety-related components. Thus, a multimedia component running on Core B could not starve the safety-related processes of needed CPU resources. For a more in-depth discussion of SMP and BMP, see Shiv Nagarajan's paper, "Processor Affinity or Bound Multiprocessing?".

Preventing time starvation
Time partitioning helps ensure that all processes have access to sufficient CPU cycles to meet their time constraints. It separates CPU time into partitions, guaranteeing each process or group of processes a specific portion of CPU cycles, so that no process can starve other processes.

A specific form of time partitioning, called adaptive partitioning, can provide these guarantees while also ensuring that system resources aren't wasted. It assigns minimum levels of processor time to a group of threads if the threads need it (figure 7). The pre-set partition boundaries are enforced when the system is running to capacity. However, if a process in one partition can benefit from more CPU cycles, and processes in other partitions are not using their allocated time, the OS adapts the partition boundaries to lend the unused cycles to the process that can use them.

Figure 7: An example of adaptive time partitioning.
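As an added illustration (not from the article, and not QNX's actual scheduling algorithm), the C model below gives each partition min(budget, demand) first, so the guarantee holds under full load, and then lends unused cycles one percent at a time, round-robin, to partitions whose demand is still unmet; the budget and demand figures are constructed.

```c
/* Added example (not from the article): a simplified model of adaptive
 * time partitioning over one scheduling window. Each partition has a
 * guaranteed budget and a demand, both in percent of the window. Budgets
 * are honoured first; cycles a partition leaves unused are lent, one
 * percent at a time round-robin, to partitions with unmet demand.
 * This illustrates the idea; it is not QNX's scheduling algorithm. */
#include <stdio.h>

#define MAX_PARTS 8

/* Fills alloc[] with each partition's share and returns the percent of
 * the window left idle. Budgets must sum to 100; n <= MAX_PARTS. */
int adaptive_allocate(int n, const int budget[], const int demand[], int alloc[])
{
    int unmet[MAX_PARTS], spare = 0, want = 0;
    for (int i = 0; i < n; i++) {
        /* Guarantee: every partition gets min(budget, demand) first. */
        alloc[i] = demand[i] < budget[i] ? demand[i] : budget[i];
        spare += budget[i] - alloc[i];
        unmet[i] = demand[i] - alloc[i];
        want += unmet[i];
    }
    /* Adaptive part: lend the unused cycles to whoever can use them. */
    while (spare > 0 && want > 0)
        for (int i = 0; i < n && spare > 0; i++)
            if (unmet[i] > 0) { alloc[i]++; unmet[i]--; spare--; want--; }
    return spare;
}

/* Convenience wrapper returning a single partition's share. */
int share_of(int n, const int budget[], const int demand[], int which)
{
    int alloc[MAX_PARTS];
    adaptive_allocate(n, budget, demand, alloc);
    return alloc[which];
}

int main(void)
{
    const int budget[2] = {70, 30};      /* 0: safety-related, 1: multimedia */
    const int light[2]  = {40, 60};      /* safety idle, multimedia hungry  */
    const int full[2]   = {100, 100};    /* both saturated                 */
    int alloc[2];
    int idle = adaptive_allocate(2, budget, light, alloc);
    printf("light load: safety %d%%, multimedia %d%%, idle %d%%\n", alloc[0], alloc[1], idle);
    idle = adaptive_allocate(2, budget, full, alloc);
    printf("full load:  safety %d%%, multimedia %d%%, idle %d%%\n", alloc[0], alloc[1], idle);
    return 0;
}
```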
