Virtualization Technology and Using Virtual CPU in the Context of ISO26262: The E-Gas Case Study
ISSN: 0148-7191, e-ISSN: 2688-3627
Published April 08, 2013 by SAE International in United States
A new development environment is required where conflict between control systems is minimized, where processing can be executed while maintaining independence between systems, and where quality can be assured easily. This environment must enable flexibility in software layouts to accommodate software changes during the development process and the parallel development of multiple derivative systems. We have developed virtualization technology (virtual CPU), which allows the execution of system control with a single CPU without conflict between systems.
An outstanding virtual CPU architecture that we have developed allows us to execute multiple real-time control tasks with the hardware scheduler, and we have developed hardware that extends the management of address space and interrupt handling, making it possible for a single CPU to be configured as multiple CPUs. Also, we have implemented a bus system that reduces interference between threads. By combining the above three technologies, a single CPU can be used as multiple CPUs, and by operating different OSs on each virtual CPU, independent control systems can be executed together.
As an application, we focused on the ISO26262-compliant E-Gas monitoring concept and implemented the E-Gas architecture using virtual CPUs. We analyzed the ASIL level (ASIL B, ASIL C, and ASIL D) by comparing the E-Gas architecture implemented on virtual CPUs with the standard E-Gas architecture, the E-Gas architecture implemented on a dual-core lock-step microcomputer, and the E-Gas architecture implemented on a multi-core microcomputer. We have also compared the impact on the virtual-CPU-based E-Gas architecture of different types of HW-based safety mechanisms, both in terms of safety properties and costs (silicon area, memory size, and performance). We explored a method of applying case studies to the three-level concept (Level 1, Level 2, and Level 3) while achieving the ASIL levels. We also use a hypervisor to analyze the effectiveness of the isolation of the monitoring methods.
The paper will show in detail the ISO26262 requirements (in terms of HW, SW, and development process, including tools) to be fulfilled by such a virtual CPU architecture, and which HW or SW safety mechanisms and verification measures are to be considered. The paper will address key issues such as freedom from interference, guaranteed task separation, coverage of permanent and transient failures, avoidance of dependent failures between the different E-Gas levels, and the safety architecture of the hypervisor.
Citation: Niimi, Y., Ono, T., Arai, S., Sugimoto, H. et al., "Virtualization Technology and Using Virtual CPU in the Context of ISO26262: The E-Gas Case Study," SAE Technical Paper 2013-01-0196, 2013, https://doi.org/10.4271/2013-01-0196.