AUTOSARAUTOSAR &&

Functional SafetyFunctional Safety

John Favaro Intecs

Jochen Olig Elektrobit

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 2

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 3

Mixed CriticalityMixed Criticality

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 4

Unsafe Airplanes?Unsafe Airplanes?

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 5

Strange BedfellowsStrange Bedfellows

• Are modern airplanes safe? Much controversy

• One reason: modern onboard flight systems include

– Extremely critical functions (e.g. flight control)

– Extremely non-critical functions (e.g. movies)

• This is mixed criticality

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 6

A Hot Topic Around the WorldA Hot Topic Around the World

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 7

EU Mixed Criticality ProjectsEU Mixed Criticality Projects

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 8

Why the Trend?Why the Trend?

“Because we can”

Modern multicore processors have

the power to support an incredible

amount of functionality

Lightweight, power efficient,

space saving, …

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 9

Integrated ArchitecturesIntegrated Architectures

Modern integrated

architectures make

it possible to host

all of the system

functionality on a

single platform

Integrated Modular Avionics (IMA)

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 10

AUTOSARAUTOSAR

(Uni Potsdam)

AUTOSAR enables integration of all kinds of functionality,

from applications to basic software, on the same platform

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 11

Functional SafetyFunctional Safety andand

Mixed CriticalityMixed Criticality

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 12

Functional Safety = ISO 26262Functional Safety = ISO 26262

• What does ISO 26262 say about mixed criticality?

• Part 9, Clause 6 describes the Criteria for Coexistence of Elements

Element

ASIL D

ASIL B

ASIL A

ASIL D ASIL B ASIL A

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 13

Freedom From InterferenceFreedom From Interference

• The key to mixed criticality software in ISO 26262 is to demonstrate freedom from interference

• Freedom from interference means that a software element is unable to make another software element fail through erroneous behavior

Failing

element

Affected

element

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 14

Kinds of Software InterferenceKinds of Software Interference

(erharoldsen.com)

TIME TIME SPACE SPACE

COMMUNICATION COMMUNICATION

“Babbling idiot”

“My personal space”

“Hogging the stage”

Favaro 11 Workshop on Automotive Software & Systems, Milano 07 November 2013 15

“Do“Do--ItIt--Yourself”?Yourself”?

• Why not just “do it yourself?”

– Construct your applications “very carefully”

• Unrealistic! Broken software cannot “heal itself”

– Too many unknown ways

– Too many unk-unks

• The only realistic path is platform-level support

– ISO 26262 agrees

No “do-it-yourself”