A new development environment is required in which conflict between control systems is minimized, processing can be executed while preserving the independence of each system, and quality can be assured with little effort. The environment must allow software layouts to be changed flexibly, both to absorb software changes during development and to support the parallel development of multiple derivative systems. We have developed a virtualization technology, the virtual CPU, that lets a single CPU execute several control systems without conflict between them.
The virtual CPU architecture we have developed executes multiple real-time control tasks under a hardware scheduler. We have also developed hardware that extends address-space management and interrupt handling so that a single CPU can be configured as multiple CPUs, and a bus system that reduces interference between threads. By combining these three technologies (hardware scheduler, extended address-space and interrupt management, and the bus system), a single CPU can be used as multiple CPUs, and by running a different OS on each virtual CPU, independent control systems can execute side by side.
As an application, we focused on the ISO 26262-compliant E-Gas monitoring concept and implemented the E-Gas architecture on virtual CPUs. We analyzed the achievable ASIL (ASIL B, ASIL C and ASIL D) by comparing the E-Gas architecture implemented on virtual CPUs with the standard E-Gas architecture, with the E-Gas architecture implemented on a dual-core lock-step microcontroller, and with its implementation on a multi-core microcontroller. We also compared the impact of different types of hardware-based safety mechanisms on the virtual CPU based E-Gas architecture, both in terms of safety properties and of cost (silicon area, memory size and performance). Through case studies we explored how the three-level concept (Level 1, Level 2 and Level 3) can be mapped onto virtual CPUs while achieving the required ASIL. We also use a hypervisor to analyze how effectively the monitoring functions are isolated from one another.
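To make the partitioning described above and the three E-Gas levels concrete, the following C program is an added toy model; it is not the paper's implementation, nor any real E-Gas or hypervisor code. It models two partitions (virtual CPUs) with fixed memory windows, a Level 1 torque function, a Level 2 plausibility monitor that bounds that torque by an independent calculation, and a Level 3 question/answer check with a reply deadline. All addresses, the pedal-to-torque map, the tolerance, the deadline and the question/answer computation are assumptions chosen for illustration, and faults are injected through a parameter so that each detection path is exercised.

```c
/* Added toy model of E-Gas three-level monitoring on partitioned virtual CPUs.
 * Not the paper's implementation: memory windows, torque map, tolerance,
 * deadline and the question/answer computation are all assumed values. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A partition (virtual CPU) owns one memory window [base, limit). An access
 * outside it models a bus violation the hardware would trap, i.e. spatial
 * freedom from interference between the E-Gas levels. */
typedef struct {
    uint32_t base, limit;
} partition_t;

static const partition_t L1_VCPU = { 0x1000, 0x2000 };   /* assumed windows */
static const partition_t L2_VCPU = { 0x2000, 0x3000 };

bool bus_access_allowed(const partition_t *p, uint32_t addr)
{
    return addr >= p->base && addr < p->limit;
}

/* Level 1 (function): pedal position in percent -> torque request in Nm,
 * an assumed linear map clipped at 300 Nm. */
int32_t level1_torque(uint32_t pedal_pct)
{
    if (pedal_pct > 100) pedal_pct = 100;
    return (int32_t)(pedal_pct * 3u);
}

/* Level 2 (function monitoring): derives the permissible torque from the
 * same driver input by an independent calculation and rejects a Level 1
 * result that exceeds it by more than an assumed 10 Nm tolerance. */
#define L2_TOLERANCE_NM 10
bool level2_plausible(uint32_t pedal_pct, int32_t l1_torque)
{
    uint32_t clipped = pedal_pct > 100 ? 100 : pedal_pct;
    int32_t permissible = (int32_t)(clipped * 3u);
    return l1_torque <= permissible + L2_TOLERANCE_NM;
}

/* Level 3 (controller monitoring): the monitoring module poses a question,
 * the function controller runs an instruction test seeded by it and must
 * reply with the expected answer within a deadline. The "test" below is an
 * assumed mix of multiply, xor and rotate steps over a constructed pattern. */
uint16_t level3_answer(uint8_t question)
{
    static const uint8_t pattern[] = { 0xA5, 0x5A, 0x3C, 0xC3 };
    uint16_t acc = question;
    for (size_t i = 0; i < sizeof pattern; i++) {
        acc = (uint16_t)((acc * 31u) ^ pattern[i]);
        acc = (uint16_t)((acc << 3) | (acc >> 13));   /* 16-bit rotate left */
    }
    return acc;
}

#define L3_DEADLINE_MS 50
bool level3_check(uint8_t question, uint16_t reply, uint32_t delay_ms)
{
    return reply == level3_answer(question) && delay_ms <= L3_DEADLINE_MS;
}

typedef enum { OK = 0, FAULT_BUS, FAULT_L2, FAULT_L3 } verdict_t;

/* One monitoring cycle. fault selects a constructed failure to inject:
 * 0 none; 1 Level 1 computes 50 Nm too much; 2 the Level 3 reply is late;
 * 3 the Level 1 partition writes into the Level 2 window. */
verdict_t egas_cycle(uint32_t pedal_pct, uint8_t question, int fault)
{
    uint32_t torque_addr = L1_VCPU.base + 0x10;          /* L1's own data */
    if (fault == 3) torque_addr = L2_VCPU.base + 0x10;   /* cross-partition */
    if (!bus_access_allowed(&L1_VCPU, torque_addr)) return FAULT_BUS;

    int32_t torque = level1_torque(pedal_pct);
    if (fault == 1) torque += 50;                        /* erroneous L1 result */
    if (!level2_plausible(pedal_pct, torque)) return FAULT_L2;

    uint32_t delay_ms = (fault == 2) ? L3_DEADLINE_MS + 1 : 5;
    if (!level3_check(question, level3_answer(question), delay_ms)) return FAULT_L3;
    return OK;
}

int main(void)
{
    static const char *names[] = { "OK", "FAULT_BUS", "FAULT_L2", "FAULT_L3" };
    for (int fault = 0; fault <= 3; fault++)
        printf("pedal 50%%, fault %d -> %s\n", fault, names[egas_cycle(50, 0x42, fault)]);
    return 0;
}
```

The point of the model is the ordering of the checks: the bus window check fires before any Level 2 or Level 3 logic runs, which is the property a hypervisor-based analysis of isolation has to establish, while Level 2 and Level 3 each detect a failure the other cannot (a wrong torque value versus a controller that no longer executes its instruction test in time).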
The paper will show in detail the ISO 26262 requirements (in terms of hardware, software and development process, including tools) that such a virtual CPU architecture must fulfil, and which hardware or software safety mechanisms and verification measures have to be considered. The paper will address key issues such as freedom from interference, guaranteed task separation, coverage of permanent and transient failures, avoidance of dependent failures between the different E-Gas levels, and the safety architecture of the hypervisor.