Professional Documents
Culture Documents
Copyright © 2019 by Jagadish Narayan Gowda. Permission granted to INCOSE to publish and use.
Abstract
Safety is absence of unreasonable risk. Functional safety emphasis to handle unintended behavior of
the system. ISO26262 recommends the process and development of electrical components in auto-
motive vehicle weighing less than 3000kg. Features are assigned with Automotive safety integrate
levels (ASIL) A,B,C and D by performing Hazard Analysis and Risk Assignment(HARA). ISO
26262 recommends integrity of data communicated between sender and receiver components which
handles data associated with ASIL features. This is achieved by developing each software or
hardware components in compliance with ISO26262 ASIL recommended process and implementa-
tion. The process requires lot of effort to develop and validate each software component as per
ISO26262 recommendations. This is more challenging when data integrity needs to be maintained
between sender and receiver components which resides on two different microprocessors in the ECU.
Also, it is more challenging to achieve freedom from interference between QM (quality managed)
and ASIL feature software with in the software or hardware components. This paper detailed the
decomposition of ASIL as per ISO- 26262 and exploring the end to end verification methods in
AUTOSAR (Automotive Open System Architecture) to achieve safety goals. This paper considers
achieving data integrity between two microprocessors in infotainment. This paper highlights the
software components on sender and receiver that must comply to ISO26262 and recommendations,
instead of developing all software and hardware components as per ISO 26262.
Introduction
Advanced automotive systems provide enhanced vehicle functionality, fuel efficiency, safety, driver
assistance, comfort, ride/handling and performance. It can be comprised of electrical/electronic
sensors, embedded controllers, actuators and communication devices. Many of these systems are
software intensive. Some of these systems can autonomously activate independent of the driver.
Unintended behaviors in some of these systems can be a potential safety concern under certain
conditions. Such systems are considered safety critical systems. Safety-critical systems require dis-
ciplined and comprehensive engineering effort to identify safety related risks and eliminate or control
them. Need to address both systematic and random issues in the design. ISO 26262 recommends the
process, implementation and best practices to address safety analysis to avoid unreasonable risk.
ISO 26262 recommends integrity between lower ASIL level features do not interfere with higher
ASIL level features. AUTOSAR OS (Operating System) allows creation of multiple OS applications
that can operate in their own memory space. One application cannot access the memory partition
allocated to another application. This is known as memory partitioning which is one of the faults
addressed by freedom from interference below.
Driver information ECU which displays safety critical information are instrument panel cluster,
Head’s up display and Rear-view camera is assigned with highest ASIL level B features. In VCS
(Virtual Cockpit System) where multiple displays including center stack are controlled from single
ECU considered for ASIL level B.
As per section 5.4.9 of ISO/FDIS 26262-9:2018(E), ASIL B can be decomposed as QM(B) and ASIL
B. Component which handles the communication of data between vehicle processor (VP) and
graphical processor (GP) to develop as QM(B). And autosar E2E (End to End) component which
diagnoses the communication fault to develop as ASIL B. Below is the architectural view of the data
communication between VP and GP for functional safety data.
ASIL B
QM
The algorithms of protection mechanisms are implemented in the E2E Library. The E2E Profiles can
be used for both inter and intra ECU communication. The E2E profiles were specified for specific
communication infrastructure, such as CAN, CAN FD, FlexRay, LIN, Ethernet.
E2E communication protection aims to detect and mitigate the causes for or effects of communica-
tion faults arising from:
• (systematic) software faults,
• (random) hardware faults,
• transient faults due to external influences.
• Sender: addition of control fields like CRC or counter to the transmitted data;
• Receiver: evaluation of the control fields from the received data, calculation of
control fields (e.g. CRC calculation on the received data), comparison of calculated
control fields with an expected/received content.
Figure 1.1: Safety protocol concept (with exemplary location of the E2E header)
Each E2E Profile has a specific set of control fields with a specific functional behavior
and with specific properties for the detection of communication faults.
Mechanisms:
The E2E profiles provide a consistent set of data protection mechanisms, designed to
protecting against the faults considered in the fault model. Each E2E profile provides an alternative
way to protect the communication, by means of different algorithms. However, E2E profile have
similar interfaces and behavior. Each E2E Profile shall use a subset of the following data protection
mechanisms:
• A CRC provided by CRC Supervision;
• A Sequence Counter incremented at every transmission request, the value is
checked at receiver for correct incrementation;
• An Alive Counter incremented at every transmission request, the value checked
at the receiver side if it changes at all, but correct incrementation is not checked;
• A specific ID for every port data element sent over a port or a specific ID for every
I-PDU group (global to system, where the system may contain potentially several
ECUs);
• Timeout detection:
▪ Receiver communication timeout.
▪ Sender acknowledgement timeout.
Depending on the system and application, E2E Profile can be used. Autosar document “E2E Protocol
Specification” defines different profiles, control field and mechanism.
Autosar specifies flexible E2E profiles that implementation appropriate combination of E2E pro-
tection mechanisms. Each specified E2E profile has a fixed behavior, but it has some configuration
options by function parameters (e.g. the location of CRC in relation to the data, which are to be
protected).
The use case describes of selecting the profiles and configuration using Autosar Tool for data
communication between VP and GP. Maximum of 4bytes of 20 safety data is sent from VP to GP.
Profile 6 can be configured to address ASIL B data integrity and support Safety data.
Profile 6 format:
Table 1.0: Profile 6 format
Autosar architecture:
E2E component is integrated with E2E transformer as part of Autosar Stack. E2E transformer
(E2EXf ) is invoked from the RTE when Application software writes and reads in to and from RTE
respectively . E2E transformer using E2E component adds control field for data sent from VP to GP
and removes control field for data received from GP to VP. Data is written in to RTE. Fault detected
by E2E is reported to application using RTE.
LIB Application
RTE
E2E
E2EXf
CDD
Serial
IPC COM Layer 1 Communication
Physical Layer
Check -E2EXf_Inv<transformer ID>: This interface as shown in sequence diagram E2E trans-
former is called for Check interface by application periodically
ARTOP tool is used to configure the profiles, parameter and to create arxml. Arxml is imported in to
autosar configuration tool to generate E2E functionality. The configuration can also be done in au-
tosar available developer tool.
Map the E2E transformer to the data element/Signal which needs to be protected. The data ID is
configured for every signal or element. Signal data element of size 9 bytes and maximum of 4kbytes.
Transformer Configuration:
Summary/ Conclusion:
ASIL features assigned to an ECU shall be met as per ISO 26262 recommendation. In this paper, it
describes the recommendation for ASIL B development of software and hardware component to
have data integrity between two processors. It lists the serial communication faults and mechanism to
handle as per ISO 26262. It explains the decomposition of ASIL level in different level and the same
can be applied on serial communication strategy to meet safety goal. This avoids Safety qualification
of tools, hardware, software and process need to achieve for all the components in the transport layer.
This methodology doesn’t require ASIL B qualification for software and hardware component below
application layer.
This paper detailed the usage of autosar E2E component and transformer to meet the decomposition
requirement of diagnosing. The E2E component diagnose and report the fault to application software
to take system to safe state or to retry for system to recover.
Functional safety shall be built with component. It’s challenging to develop functional safety for
already existing ECU’s and this approach can also be applied. It minimizes the effort in redesign the
software and hardware to meet safety goals.
References
ISO/FDIS 26262-6:2018(E), ‘Road vehicles — Functional safety — Part 6: Product development at
the software level
ISO/FDIS 26262-9:2018(E), ‘Road vehicles — Functional safety —Part 9: Automotive safety
integrity level (ASIL)-oriented and safety-oriented analyses
Autosar E2E Library 4.3.1
https://www.autosar.org/fileadmin/user_upload/standards/classic/4-3/AUTOSAR_SWS_E2
ELibrary.pdf
Autosar E2E transformer 4.3.1 V
https://www.autosar.org/fileadmin/user_upload/standards/classic/4-3/AUTOSAR_SWS_E2
ETransformer.pdf
Biography