Techniques and Measures for Improving Domain Controller Availability while Maintaining Functional Safety in Mixed Criticality Automotive Safety Systems
Technical Paper
2013-01-0198
ISSN: 0148-7191, e-ISSN: 2688-3627
Language: English
Abstract
With the advent of AUTOSAR version 4 and the availability of automotive-specific multicore microcontrollers in volume production, it is now possible to integrate a very large number of different vehicle functions in a single ECU, running on a single high-performance microcontroller. These microcontrollers typically provide all the hardware diagnostic mechanisms needed to achieve functional safety up to ISO 26262 ASIL D; however, overall availability must be considered carefully when undertaking large-scale integration on a single MCU. The motivation is clear: up-integration reduces cost, energy usage, wire-harness complexity, and system bus traffic. However, when a multicore microcontroller runs different software for different applications on each of its cores, the side effects and fault reactions of a fault detected in one core must be contained so that the fault does not propagate to other cores and applications. AUTOSAR version 4 does not implement any specific measures for fault containment; on the contrary, it relies on a cooperative OS-application model to work successfully. The challenge is to retain a high level of system availability while still meeting the rigorous fault metrics defined in ISO 26262, by providing additional strategies for fault containment, fault classification, and function degradation. This paper describes the motivation for up-integration of functions on a domain controller ECU, shows the technologies required, and provides some solutions and workarounds for multicore microcontrollers running AUTOSAR version 4 in a mixed-criticality safety system.
Citation
Gandhi, S. and Brewerton, S., "Techniques and Measures for Improving Domain Controller Availability while Maintaining Functional Safety in Mixed Criticality Automotive Safety Systems," SAE Technical Paper 2013-01-0198, 2013, https://doi.org/10.4271/2013-01-0198.