functional safety in automotive grade...
TRANSCRIPT
1© 2016 Tata Elxsi | Confidential |
Functional Safety in
Automotive Grade Linux
Renjith G | Shilu S L July 13, 2016, AGL Summit, Tokyo, Japan
2© 2016 Tata Elxsi | Confidential |
General - AGL
Agenda
Functional Safety - AGL
Roadmap – AGL
Functional Safety Analysis - AGL
About Case Study
3© 2016 Tata Elxsi | Confidential |
Audience, Takeaways
Areas / Intended AudienceFunctional safety – ISO26262IC,HUD use casesSoftware Development - AutomotiveGNU/Linux Subsystem
TakeawaysBasics of FS feasibility in AGLBasics of FS process for AGLFS specific Design strategies for IC & HUD SW
ConsolidationQnAFurther interests
4© 2016 Tata Elxsi | Confidential |
Background / Key Motivation / Interest
Background / Key motivation/Interest
Quoting from “https://www.automotivelinux.org/about”
“Automotive Grade Linux (AGL) is a Linux Foundation Workgroup dedicated to creating open source software solutions for automotive applications. Although the initial target for AGL is In-Vehicle-Infotainment (IVI) systems,
additional use cases such as “instrument clusters” and
telematics systems will eventually be supported.”
This case study checks the feasibility of implementing Instrument cluster + Head up displayuse cases in AGL where functional safety is a requirement.
5© 2016 Tata Elxsi | Confidential |
Architecture Approaches – Safety Perspective
Hardware Platform
Hypervisor (ASIL B)
RTOS
(ASIL B)OS
(Non ASIL)
ASIL B IC
Features
Non ASIL
IC
Features
Hardware Platform
Safety
PartitionNon Safe
Partition
ASIL B IC
Features
Non ASIL
IC
Features
Opensource ASIL B Hypervisors?
Opensource ASIL B RTOS?
Performance?
Complexity?
Cost?
6© 2016 Tata Elxsi | Confidential |
Roadmap – in AGL
7© 2016 Tata Elxsi | Confidential |
General – from AGL
BSP and SOC Renesas R-Car
Version Agile Albacore
Kernel 3.10.31 LTSi
8© 2016 Tata Elxsi | Confidential |
Functional Safety – Analysis in AGL
Functional Safety : Absence of unacceptable risk due to hazards caused by malfunction behavior of systems
Risk = Exposure * Effect * Probability
High Risk Low Risk
9© 2016 Tata Elxsi | Confidential |
Current Software Architecture - AGL
Source: AGL Specification 1.0
10© 2016 Tata Elxsi | Confidential |
Derived - Software Architecture with Safety Stack – in AGL
11© 2016 Tata Elxsi | Confidential |
Way To Functional Safety Compliance – in AGL Arch
Identify existing components in AGL for
IC,HUD use cases
Other components for IC,HUD (to be
developed)
Safety V/S Non-safety Partitioning Freedom From
Interference(FFI)
Safety Lifecycle
12© 2016 Tata Elxsi | Confidential |
Existing components and Tools used – in AGL
Kernel (v3.10)
Task management
Memory Management
Protection
Other Tools used
gcc for arm Compiler (v4.9.1)
DOORS/Microsoft Office Excel for SRS.
Enterprise Architect 12.0 for SAD
Enterprise Architect 12.0 for SUD
Source code editor (Vim)
Static analyzing tool (QAC 8.1)
Unit testing tool(TESSY 2.3)
Version control tool (SVN) Libraries
GLIBC (v2.20)
POSIX
ALSA (v1.0.28)
DRM (v2.4)
KMS (v1.4.0)
Device Drivers
13© 2016 Tata Elxsi | Confidential |
Other components for IC,HUD use cases – in AGL
Instrument Cluster Middleware
HUD Middleware
Interface Layer
Safety draw
Safety sound
Safety critical applications
ASIL Compliant HMI Tool (Third party – Option 2)
14© 2016 Tata Elxsi | Confidential |
Derived - Software Architecture with Safety Stack – in AGLASIL B Highlighted – Option 1
15© 2016 Tata Elxsi | Confidential |
Derived - Software Architecture with Safety Stack – in AGLASIL B Highlighted – Option 2
16© 2016 Tata Elxsi | Confidential |
Safety Software Architecture(Partitioning) – in AGL
Hardware Platform
Safety
WorldNormal
World
Safe
ApplicationNormal
Application
FFI
17© 2016 Tata Elxsi | Confidential |
Safety Software Architecture – Freedom From Interference
Shared Hardware resources
(CPU, Memory, Peripherals etc)
Shared Software resources(Kernel, drivers, libraries etc )
FFI Analysis
Limited interaction
Static allocation
Duplication
Grouping
Protection
Monitoring
Minimization of code etc..
18© 2016 Tata Elxsi | Confidential |
Safety Lifecycle - SEooC – Safety Element Out Of Context
Assumptions
Assume
Requirements
Assumptions on
design external to
SEooC
SEooC
RequirementsSEooC Design
19© 2016 Tata Elxsi | Confidential |
SEooC – S/W Development
Assumptions on
System level
6.Product Development (Software Level)
InitiationSW Safety
Requirements
Unit Design &
ImplementationUnit Testing
Integration &
Testing
Verification of SW Safety
Requirements
Software Arch
Design
4.Product Development
Specification of
Technical Safety
Requirements
System DesignItem Integration &
Testing
Item DevelopmentSoftware SEooC component development
Establish Validity
of Assumptions
8.Change
management
8.Change
management
3.Concept Phase
4. Product
Development
(System Level)
6. Product
Development
(Software Level)
20© 2016 Tata Elxsi | Confidential |
SEooC - Component Integration
SEooC
Component
Development
New Context
Validate
Assumptions
Impact
Analysis
Integrated
Component
SEooC
Component
Change
Management
Fail
Success
21© 2016 Tata Elxsi | Confidential |
SEooC – The Process (V Model)
Software Unit Design
& Implementation
Software Unit
Testing
Software
Architectural Design
Specification of S/W
Safety Requirements
Initiation
Software Integration
and Functional
testing
Verification of S/W
Safety Requirements
Acceptance
Kick off, Safety
Plan , Plan
Documents ,Tool
Evaluation and
Qualification
Reports
Software Safety
Requirements, Safety
Req Analysis
Design, DFA,FMEA
Review Reports
Software code, Static
Analysis Reports
Test Report,
Coverage Reports,
Review Reports
Integration Report,
Review Report
S/W Verification
Report
Item
Developmen
t, Updated
Work
Products,
QA Report
22© 2016 Tata Elxsi | Confidential |
SEooC - PART-6 OutComes
Assumptions System Level
Assumption Document
Initiation of Product Development
S/W Verification
Plan
SafetyPlan *
Design & Coding
Guidelines
Tool Application Guidelines
S/W Safety Requirements
S/W Safety Req. Spec
S/W Verification
Plan*
S/W Verification
Report
HSI Specification*
S/W Architectural Design
S/W Arch Design
Spec
S/W Safety Req. Spec*
Safety Analysis Report
DFA Repor
t
SafetyPlan *
S/W Verification
Report*
Unit Design & Implementation
S/W Unit Design Spec
S/W Unit Implementation
S/W Verification
Report*
Unit Testing
S/W Verification specification
S/W Verification Plan
S/W Verification
Report*
Integration & Testing
Embedded S/W
S/W Verification
report*
S/W Verification
Plan *
S/W Verification
Spec *
Verification of S/W Safety Requirements
S/W Verification
Plan *
S/W Verification Spec *
S/W Verification
Report *
NOTE: For detailed information about process, Refer ISO26262 Part6
23© 2016 Tata Elxsi | Confidential |
SEooC – Tool Classification
Identify Tool Use cases
Identify relevant failure modes
Determine Tool Impact
TI 1 TI 2
No
qualification
required
Determine Tool
error detection
TD 1 TD 2 TD 3
ImpactNo Impact
High Confidence in tool Med Confidence in tool No/Low Confidence in tool
Tool Error Detection
TD1 TD2 TD3
Tool
Impact
TI 1 TCL 1 TCL 1 TCL 1
TI 2 TCL 1 TCL 2 TCL 3
24© 2016 Tata Elxsi | Confidential |
SEooC – Tool Qualification
Method TCL 1 TCL 2 TCL 3
No
Qualificat
ion
method
Required
ASIL ASIL
A B C D A B C D
Increased
confidence from
use
++++
++ + ++ ++ + +
Evaluation of the
development
process
++ ++ ++ + ++ ++ + +
Validation of the
software tool + + + ++ + + ++ ++
Development in
compliance with a
safety standard+ + + ++ + + ++ ++
25© 2016 Tata Elxsi | Confidential |
Conclusion - Feasibility
Risk Dependencies
Effort
TimelineThe Team
Hardware
New Releases
Development
Testing
Review
Certification
Safety Life
cycle Process
Technically
26© 2016 Tata Elxsi | Confidential |
1. https://www.automotivelinux.org2. http://man7.org/linux/man-pages/3. ISO26262:2011 Standard
References
27© 2016 Tata Elxsi | Confidential |
Questions and Answers
28© 2016 Tata Elxsi | Confidential |
ITPB Road Whitefield
Bangalore 560048 India
Tel +91 80 2297 9123 | Fax +91 80 2841 1474
e-mail [email protected]
www.tataelxsi.com
Thank You
Renjith G | Shilu SL
[email protected] | [email protected]
+91 471 666 1138 | +91 471 666 1333