Advancing automotive application development: Page 4 of 8

February 08, 2017 //By Alexander Herz, Tasking
Advancing automotive application development
Safety-critical software functions required in a car are traditionally placed in separate, single-core Electronic Control Unit (ECU). With this practice, it’s easy to ensure that different functions with potentially different functional safety requirements and Automotive Safety Integrity Level (ASIL) are physically insulated and protected against interference from each other.

Expert note

Next to the common ASIL levels shown above (A-D), any additional safety classes can be defined to detect and prohibit interference between different software components. For example, we could define safety classes LEFT_DOOR (5U) and RIGHT_DOOR (6U) to restrict access between the two software components that handle the left and right door respectively, although they may have the same ASIL level.

Typically, just the lower granularity access rights that protect only the different ASIL levels (A-D) from each other are configured into the MPU since this is sufficient to fulfill the requirements from ISO 26262 and limits the performance impact of using the MPU. Nevertheless, using such additional, high granularity memory access rights with the TASKING Safety Checker allows more bugs to be caught early during development with no performance penalty.

2. Defining Access Rights Between Different Safety Classes

Access rights are defined in an array of structs, where each entry has the format {Src, Dest, Rights}. By default, all safety classes may only access themselves and no other classes. This ensures that no access rights are enabled by accident.



/* Src Dst Rights */

{ QM, QM, N }, /* Disallow access between QM and itself */

{ ASIL_D, ASIL_B, W }, /* An ASIL D function is allowed to write ASIL B data */

{ ASIL_A, ASIL_B, X }, /* An ASIL A function is allowed to execute an ASIL B function */

{ ASIL_C, ASIL_D, R }, /* An ASIL C function is allowed to read ASIL D data */

{ LEFT_DOOR, RIGHT_DOOR, R }, /* only read access allowed */

{ RIGHT_DOOR, LEFT_DOOR, R } /* only read access allowed */


For the last step, we need to define which functions and variables belong to the different safety classes.

Design category: 

Vous êtes certain ?

Si vous désactivez les cookies, vous ne pouvez plus naviguer sur le site.

Vous allez être rediriger vers Google.