Functional Safety

Hello Readers,
My name is Rakshith M working as a junior software engineer at Luxoft India. while working with different projects and while learning something new I got interest to learn on Functional safety, so I made my best efforts to write this article.

Functional Safety Mechanisms
AUTOSAR supports the development of safety-related systems and others by offering safety mechanisms.
The use of AUTOSAR does now no longer mean ISO26262 compliance. It is still possible that we can build unsafe systems using the AUTOSAR safety mechanisms.
This post focuses on safety mechanisms in AUTOSAR.

Goal of the Functional Safety Mechanisms
Today, ECUs contain highly modular embedded software, which can consist of both non-safety-related and safety-related software components which performs functions with different types of techniques.
According to ISO 26262, if the embedded software consists of software components with different ASIL ratings, then either the entire software must be developed according to the highest ASIL, freedom from interference will be ensured for software program additives with a better ASIL score from factors with a decrease ASIL score. Here are the examples of the cause of interference and how AUTOSAR deals with them. This publish will provide an explanation for approximately every in summary.
•Memory
Partitioning mechanisms of AUTOSAR with the context of Application Software improvement and deployment.
•Timing
Temporal Program Flow Monitoring mechanisms the use of the Watchdog Manager and Timing Protection mechanisms the use of the Operating System.
•Execution
Logical Supervision mechanisms using the Watchdog Manager.
•Exchange of information
Communication fault detection mechanisms the use of the End-2-End Library and Extensions.

Memory Partitioning
Software Components with a low ASIL rating may intrude wrongfully via having access to memory regions of software program additives with a better ASIL score. An execution of software program additives in separate reminiscence areas or reminiscence partitions prevents such reminiscence get entry to violations.
According to ISO 262624, the subsequent memory-associated consequences of faults may be taken into consideration as a cause for interference between software program components:
•Corruption of content material
•Read or write get right of entry to reminiscence allotted to every other software element
•Inconsistent records (e.g. Because of update for the duration of facts fetch)
•Stack overflow or underflow

How the partition is finished
Partition is carried out with the aid of assigning a selected reminiscence place to every OS-Application. OS-Applications in different reminiscence regions (walls) are covered from each different, which means that they cannot alter other OS-Applications reminiscence place.
The photo beneath shows inside of a partition.

The image below which shows the relation between each object in the ECU.

As we can see within the image above, each middle in a micro controller will have zero or extra OS-Applications, which can have 0 or extra Tasks, which could have zero or more Runnable(C-feature).
One OS-Application is related to one partition within the photo, that means that there is most effective one OS-Application assigned per one partition.
OS-Applications are included from each other, as code executing inside the Memory Partition of 1 OS-Application cannot regulate other memory areas.
AUTOSAR OS-Applications are collections of Operating System gadgets which include Tasks, ISRs, Schedule Tables, Counters and Alarms that form a cohesive purposeful unit.
There are two classes of OS-Applications:

Non-Trusted OS-Application
Non-Trusted OS-Applications aren't allowed to run without tracking or safety features at runtime. They have limited get right of entry to reminiscence and Operation System modules API and feature their timing conduct enforced at runtime. They aren't allowed to run in privileged mode whilst supported via the processor. In short, they may be not depended on via the gadget. Thus, so many regulations are imposed on them.

Trusted OS-Application
Trusted OS-Applications are depended on via the system, in contrast to Non-Trusted OS-Application. Therefore, they can paintings without regulations placed on Non-Trusted OS-Applications.

Example of the Memory Partition Implementation
The photo beneath suggests a probable implementation in which all Basic Software Modules are accomplished in a single trusted/supervisor-mode (improved CPU mode) reminiscence partition (highlighted in red).
Some SWCs are logically grouped and installed separate non- depended on/user-mode reminiscence walls (highlighted in green).
Selected SWCs belong to the identical trusted/manager-mode memory partition because the Basic Software Modules (see fourth SWC within the photo highlighted in purple).
There can be numerous non-depended on/user-mode walls, every containing one or extra SWCs. The execution of SWCs in non-trusted/consumer-mode reminiscence partitions is constrained from enhancing different memory regions, while the execution of SWCs of depended on/supervisor-mode reminiscence partitions isn't limited.

Detection and Reaction
Memory Partitioning mechanism can be implemented with the aid of microcontroller hardware along with Memory Protection Unit or Memory Management Unit. The microcontroller hardware should be configured correctly with the aid of the Operating System to facilitate detection and prevention of incorrect reminiscence accesses. The execution of Software Components which are accomplished in non-trusted/consumer-mode reminiscence walls is then monitored.