54 research outputs found

    An overview of the approaches for automotive safety integrity levels allocation

    ISO 26262, titled Road Vehicles–Functional Safety, is the automotive functional safety standard for the passenger vehicle industry. To support the design and development of dependable automotive systems, ISO 26262 uses the concept of Automotive Safety Integrity Levels (ASILs), an adaptation of Safety Integrity Levels. ASILs are allocated to the components and subsystems whose failures and malfunctions can lead to hazards. ASIL allocation is a hard problem: it consists of finding an allocation of safety levels to the system architecture that guarantees the highest safety requirements are met while keeping the development cost of the automotive system to a minimum. There have been many successful attempts to solve this problem using different techniques; however, there is no review that provides an in-depth study of all the existing methods and highlights their merits and demerits. This paper presents an overview of the approaches that have been used to solve the ASIL allocation problem. The review first covers safety requirements and the related standards, then studies the resolution methods of the existing approaches. For each approach it gives a detailed explanation of the methodology used and discusses its strengths and weaknesses, including the main open challenges.

    Scalable allocation of safety integrity levels in automotive systems

    The allocation of safety integrity requirements is an important problem in modern safety engineering. It is necessary to find an allocation that meets system-level safety integrity targets and that is simultaneously cost-effective. As safety-critical systems grow in size and complexity, the problem becomes too difficult to be solved in the context of a manual process. Although this thesis addresses the generic problem of safety integrity requirements allocation, the automotive industry is taken as an application example. Recently, the problem has been partially addressed with the use of model-based safety analysis techniques and exact optimisation methods. However, allocation cost impacts are usually either not directly taken into account or only simple, linear cost models are considered; furthermore, given the combinatorial nature of the problem, applicability of the exact techniques to large problems is not a given. This thesis argues that it is possible to effectively and relatively efficiently solve the allocation problem using a mixture of model-based safety analysis and metaheuristic optimisation techniques. Since suitable model-based safety analysis techniques were already known at the start of this project (e.g. HiP-HOPS), the research focuses on the optimisation task. The thesis reviews the process of safety integrity requirements allocation and presents relevant related work. Then, the state of the art of metaheuristic optimisation is analysed and a series of techniques based on Genetic Algorithms, the Particle Swarm Optimiser and Tabu Search are developed. These techniques are applied to a set of problems based on complex engineering systems, considering the use of different cost functions. The most promising method is selected for investigation of performance improvements and usability enhancements. Overall, the results show the feasibility of the approach and suggest good scalability, whilst also pointing towards areas for improvement.
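The two abstracts above describe ASIL allocation as an optimisation problem but give no concrete formulation. The following added example (not code from either paper) makes the problem tangible with a small exact solver. The model is an assumption that follows the common HiP-HOPS-style formulation: ASILs are the integers QM=0 to D=4, every minimal cut set of a hazard must have an integrity sum of at least the hazard's ASIL, and each component's cost depends on the level it is developed to. The component names, hazards and cost table are constructed for illustration.

```python
# Added example: exact ASIL allocation over a small fault model. Not from either paper.
# Assumed model: integer ASILs, per-cut-set integrity sum >= hazard ASIL, level-dependent cost.

ASIL = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}
NAME = {v: k for k, v in ASIL.items()}

# Constructed, deliberately non-linear development cost per level (QM, A, B, C, D).
COST = [0, 10, 20, 40, 50]


def violates(alloc, cut_sets):
    """True if some cut set is fully assigned yet falls short of its hazard's ASIL.
    Assigning the remaining components cannot repair that, so the search may prune here."""
    for members, required in cut_sets:
        if all(c in alloc for c in members) and sum(alloc[c] for c in members) < required:
            return True
    return False


def allocate(components, cut_sets):
    """Exact branch-and-bound over all level assignments.
    Returns (total_cost, {component: level name}); raises if nothing is feasible."""
    order = list(components)
    best = {"cost": float("inf"), "alloc": None}

    def search(i, alloc, cost):
        if cost >= best["cost"] or violates(alloc, cut_sets):
            return
        if i == len(order):                 # all cut sets fully assigned and satisfied
            best["cost"], best["alloc"] = cost, dict(alloc)
            return
        for level in range(len(COST)):      # ascending, so cheap solutions are found first
            alloc[order[i]] = level
            search(i + 1, alloc, cost + COST[level])
        del alloc[order[i]]

    search(0, {}, 0)
    if best["alloc"] is None:
        raise ValueError("no feasible allocation")
    return best["cost"], {c: NAME[lvl] for c, lvl in best["alloc"].items()}


# Constructed brake-by-wire style fault model (hypothetical component names and hazards).
COMPONENTS = ["wheel_speed_sensor", "primary_brake_ecu", "backup_brake_ecu", "warning_lamp_driver"]
CUT_SETS = [
    (("wheel_speed_sensor",), ASIL["D"]),                    # single point of failure for loss of braking
    (("primary_brake_ecu", "backup_brake_ecu"), ASIL["D"]),  # redundant pair: both must fail
    (("primary_brake_ecu",), ASIL["B"]),                     # primary alone causes a lesser hazard
    (("warning_lamp_driver",), ASIL["A"]),                   # driver warning lost
]


def demo():
    return allocate(COMPONENTS, CUT_SETS)


if __name__ == "__main__":
    cost, alloc = demo()
    print(f"total cost {cost}: {alloc}")
```

For the redundant ECU pair the solver picks B for both, i.e. the B(D)+B(D) scheme of ISO 26262-9, because with this cost table it is cheaper than C(D)+A(D) or D(D)+QM(D). The integer-sum model reproduces those pairwise decomposition schemes, but it does not check the independence between decomposed elements that Part 9 also demands; that needs a separate dependent-failure analysis.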

    A Survey of Scheduling in Time-Sensitive Networking (TSN)

    Time-Sensitive Networking (TSN) is an enhancement of Ethernet which provides various mechanisms for real-time communication. Time-triggered (TT) traffic represents periodic data streams with strict real-time requirements. Amongst others, TSN supports scheduled transmission of TT streams, i.e., the transmission of their packets by edge nodes is coordinated in such a way that no or very little queuing delay occurs in intermediate nodes. TSN supports multiple priority queues per egress port. The Time-Aware Shaper (TAS) uses so-called gates to explicitly allow and block these queues for transmission on a short periodic timescale. The TAS is utilized to protect scheduled traffic from other traffic and so minimize its queuing delay. In this work, we consider scheduling in TSN, which comprises the computation of periodic transmission instants at edge nodes and the periodic opening and closing of queue gates. We first give a brief overview of TSN features and standards. We state the TSN scheduling problem and explain common extensions, which also include optimization problems. We review scheduling and optimization methods that have been used in this context. Then, the contribution of currently available research work is surveyed: we extract and compile optimization objectives, solved problem instances, and evaluation results; research domains are identified and specific contributions are analyzed. Finally, we discuss potential research directions and open problems. Comment: 34 pages, 19 figures, 9 tables, 110 references.

    Timing in Technical Safety Requirements for System Designs with Heterogeneous Criticality Requirements (original title: Timing in Technischen Sicherheitsanforderungen für Systementwürfe mit heterogenen Kritikalitätsanforderungen)

    Traditionally, timing requirements as (technical) safety requirements have been avoided through clever functional designs. New vehicle automation concepts and other applications, however, make this harder or even impossible and challenge design automation for cyber-physical systems to provide a solution. This thesis takes up this challenge by introducing cross-layer dependency analysis to relate timing dependencies in the bounded execution time (BET) model to the functional model of the artifact. In doing so, the analysis is able to reveal where timing dependencies may violate freedom-from-interference requirements on the functional layer and other intermediate model layers. For design automation this leaves the challenge of how such dependencies can be avoided, or at least bounded, so that the design is feasible. The results are synthesis strategies for implementation requirements and a system-level placement strategy for run-time measures that avoid the potentially catastrophic consequences of timing dependencies which are not eliminated from the design. Their applicability is shown in experiments and case studies. However, all the proposed run-time measures, as well as very strict implementation requirements, become ever more expensive in design effort for contemporary embedded systems because of the systems' complexity. Hence, the second part of this thesis reflects on the design aspect rather than the analysis aspect of embedded systems and proposes a timing-predictable design paradigm based on System-Level Logical Execution Time (SL-LET). With a timing-design model in SL-LET, the methods from the first part can be applied to improve the quality of a design: timing error handling can now be separated from the run-time methods and from the implementation requirements intended to guarantee them.
The thesis therefore introduces timing diversity as a timing-predictable execution scheme that handles timing errors without having to deal with them in the implemented application. An automotive 3D-perception case study demonstrates the applicability of timing diversity to ensure predictable end-to-end timing while masking certain types of timing errors.
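The abstract contrasts the bounded execution time (BET) view with a design paradigm built on Logical Execution Time (LET) but does not show what the difference looks like. The following added example (not code from the thesis) simulates one periodic task under both views using the classic LET semantics: a job's output becomes visible exactly at release plus the logical execution time, regardless of when it actually finished. Periods, execution times and job values are constructed; the hold-last-value masking shown at the end is one simple run-time measure assumed for illustration, not the thesis's own timing-diversity mechanism, and SL-LET's system-level details are not modelled.

```python
# Added example (not from the thesis): BET vs LET output timing for one periodic task.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class LetTask:
    period: int   # release period (abstract time units)
    let: int      # logical execution time: outputs become visible exactly at release + let


def bet_outputs(task: LetTask, exec_times: List[int]) -> List[int]:
    """BET view: a job's output is visible the moment it finishes, so consumers see the
    execution-time variation of every job as output jitter."""
    return [k * task.period + e for k, e in enumerate(exec_times)]


def let_outputs(task: LetTask, jobs: List[Tuple[int, object]]) -> List[Tuple[int, Optional[object]]]:
    """LET view: the k-th job's output is published at release_k + let whatever its real finish time.
    A job not finished by then is a timing error; its slot publishes None instead of a late value,
    so the error surfaces at a known instant instead of silently shifting downstream timing."""
    published = []
    for k, (exec_time, value) in enumerate(jobs):
        publish_at = k * task.period + task.let
        published.append((publish_at, value if exec_time <= task.let else None))
    return published


def output_jitter(times: List[int]) -> int:
    """Spread between the longest and shortest gap between consecutive outputs (0 = perfectly periodic)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return max(gaps) - min(gaps)


def hold_last_value(published):
    """Assumed masking measure for illustration: the consumer keeps the previous valid value across a
    timing error. Returns the masked stream and the indices where masking happened."""
    masked, hits, last = [], [], None
    for i, (t, v) in enumerate(published):
        if v is None:
            hits.append(i)
            v = last
        else:
            last = v
        masked.append((t, v))
    return masked, hits


TASK = LetTask(period=10, let=10)
EXEC_TIMES = [2, 7, 4, 9, 3]                   # constructed per-job execution times, all within the period
FAULTY_JOBS = [(2, "a"), (12, "b"), (4, "c")]  # constructed; the second job overruns its LET


def demo():
    bet = bet_outputs(TASK, EXEC_TIMES)
    let = let_outputs(TASK, [(e, f"v{k}") for k, e in enumerate(EXEC_TIMES)])
    masked, hits = hold_last_value(let_outputs(TASK, FAULTY_JOBS))
    return {
        "bet_jitter": output_jitter(bet),                 # varies with execution time
        "let_jitter": output_jitter([t for t, _ in let]),  # 0: outputs are strictly periodic
        "masked": masked,
        "masked_indices": hits,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the simulation makes is the one the abstract relies on: under LET the output instants depend only on the design model, so a timing error is a discrete, detectable event at a known instant, and whatever handles it (here, holding the last value) can live outside the application code.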

    SafeDM: a hardware diversity monitor for redundant execution on non-lockstepped cores

    Computing systems in the safety domain, such as those in avionics or space, require specific safety measures related to the criticality of the deployment. One problem these systems face is transient failures in hardware. A solution commonly used to tackle potential failures is to introduce redundancy, for example two cores that execute the same program at the same time. However, redundancy does not address all potential failures, such as Common Cause Failures (CCF), where a single fault affects both cores identically (e.g. a voltage droop). If both redundant cores have identical state when the fault occurs, there may be a CCF, since the fault can affect both cores in the same way. To avoid CCF it is critical to know that there is diversity in the execution across the redundant cores. In this paper we introduce SafeDM, a hardware Diversity Monitor that quantifies the diversity of each redundant processor to guarantee that CCF will not go unnoticed, without needing to deploy lockstepped cores. SafeDM computes data and instruction diversity separately, using different techniques appropriate for each case. We integrate SafeDM in a RISC-V FPGA space MPSoC from Cobham Gaisler, where SafeDM is proven effective with a large benchmark suite while incurring low area and power overheads. Overall, SafeDM is an effective hardware solution to quantify diversity in cores performing redundant execution. Funding: EU Horizon 2020 grant no. 871467 and Spanish MSI grant PID2019-107255GB-C21/AEI/10.13039/501100011033. Peer reviewed; postprint (author's final draft).
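The abstract states the principle behind SafeDM: a cycle in which both redundant cores hold identical instruction and data state is one where a common-cause fault can corrupt both identically and escape output comparison. The following added example (not SafeDM's design or code) is a software model of that principle only. It assumes a toy three-stage in-order pipeline whose per-cycle state is the opcodes and operand words in flight, compares two cores cycle by cycle, and reports instruction and data diversity separately. The real monitor works on hardware signatures and thresholds rather than full traces; the program, operands and start delay are constructed.

```python
# Added example (not SafeDM's code): software model of a diversity monitor for two redundant cores.
from collections import namedtuple

PIPE_DEPTH = 3  # assumed pipeline depth of the toy core model
CycleState = namedtuple("CycleState", "insns data")  # opcodes and operand words in flight this cycle


def pipeline_trace(program, operands, start_delay=0, depth=PIPE_DEPTH):
    """Per-cycle snapshot of a toy in-order pipeline: cycle t holds the last `depth` issued instructions
    and their operands. `start_delay` idle cycles model a staggered (non-lockstep) start."""
    ops = ["nop"] * (depth - 1) + list(program)
    vals = [0] * (depth - 1) + list(operands)
    idle = CycleState(("nop",) * depth, (0,) * depth)
    trace = [idle] * start_delay
    for t in range(len(program)):
        trace.append(CycleState(tuple(ops[t:t + depth]), tuple(vals[t:t + depth])))
    return trace


def diversity_report(trace_a, trace_b):
    """Compare the two cores cycle by cycle, separately for instruction and data state.
    A cycle where both match is one where a common-cause fault could hit both cores identically
    and stay invisible to output comparison; here any such cycle raises the exposure flag
    (a real monitor would apply a threshold)."""
    n = min(len(trace_a), len(trace_b))
    insn_same = {t for t in range(n) if trace_a[t].insns == trace_b[t].insns}
    data_same = {t for t in range(n) if trace_a[t].data == trace_b[t].data}
    undiverse = sorted(insn_same & data_same)
    return {
        "cycles": n,
        "insn_identical": len(insn_same),
        "data_identical": len(data_same),
        "undiverse_cycles": undiverse,
        "ccf_exposed": bool(undiverse),
    }


PROGRAM = ["add", "mul", "ld", "st", "add", "sub"]  # constructed instruction stream
OPERANDS = [5, 7, 1, 9, 3, 4]                        # constructed operand words, one per instruction
OPERANDS_B = [6, 8, 2, 10, 4, 5]                     # constructed: same program, different data


def demo():
    a = pipeline_trace(PROGRAM, OPERANDS)
    return {
        # lockstep: identical programs, identical data, identical timing -> no diversity at all
        "lockstep": diversity_report(a, pipeline_trace(PROGRAM, OPERANDS)),
        # same program and data, second core starts two cycles later -> pipeline contents never align
        "staggered": diversity_report(a, pipeline_trace(PROGRAM, OPERANDS, start_delay=2)),
        # same timing and program, different operands -> instruction state identical, data state diverse
        "data_only": diversity_report(a, pipeline_trace(PROGRAM, OPERANDS_B)),
    }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Reporting the two dimensions separately matters for the same reason the abstract gives for computing them separately: the data-only case shows a pair of cores that is fully identical in instruction state yet still protected, because no cycle is identical in both dimensions.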

    Real-Time Scheduling for Time-Sensitive Networking: A Systematic Review and Experimental Study

    Time-Sensitive Networking (TSN) has been recognized as one of the key enabling technologies for Industry 4.0 and has been deployed in many time- and mission-critical industrial applications, e.g., automotive and aerospace systems. Given the stringent real-time communication requirements raised by these applications, the Time-Aware Shaper (TAS) draws special attention among the many traffic shapers developed for TSN, due to its ability to achieve deterministic latency guarantees. Extensive efforts on the design of scheduling methods for TAS shapers have been reported in recent years to improve system schedulability, each with its own distinct focus and concerns. However, these scheduling methods have yet to be thoroughly evaluated, especially through experimental comparisons, to provide a systematic understanding of their performance under different evaluation metrics in various application scenarios. In this paper, we fill this gap by presenting a comprehensive experimental study of the existing TAS-based scheduling methods for TSN. We first categorize the system models employed in these works along with their formulated problems, and outline the fundamental considerations in the design of TAS-based scheduling methods. We then perform an extensive evaluation of 16 representative solutions and compare their performance under both synthetic scenarios and real-life industrial use cases. Through these experimental studies, we identify the limitations of individual scheduling methods and highlight several important findings. This work provides foundational knowledge for future studies of TSN real-time scheduling problems and serves as a performance benchmark for scheduling method development in TSN. Comment: 22 pages, ac
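The two TSN abstracts above (the scheduling survey and the experimental study) define the TAS scheduling problem as computing periodic transmission instants for TT streams together with the periodic opening and closing of queue gates, but neither shows an instance. The following added example (not code from either paper, and not one of the 16 evaluated methods) solves a deliberately small instance with a greedy first-fit heuristic and then derives the resulting gate control list for one egress port. Assumptions: a single hop on a 1 Gbit/s link, integer nanosecond timing, offsets searched at 1 µs granularity, and no preamble, inter-frame gap or guard band; the streams are constructed.

```python
# Added example (not from either paper): first-fit TT scheduling on one egress port and the
# gate control list it implies. Single hop, 1 Gbit/s, no guard bands (all assumptions).
from functools import reduce
from math import gcd

LINK_BPS = 1_000_000_000  # assumed 1 Gbit/s link: one bit occupies the wire for 1 ns
STEP_NS = 1_000           # assumed offset search granularity


def tx_time_ns(frame_bytes):
    """Wire time of one frame. Preamble, SFD and inter-frame gap are ignored (assumption)."""
    return frame_bytes * 8 * 1_000_000_000 // LINK_BPS


def hypercycle_ns(streams):
    """Least common multiple of all stream periods: the schedule repeats with this period."""
    return reduce(lambda a, b: a * b // gcd(a, b), (s["period_ns"] for s in streams))


def overlaps(a, b):
    return a[0] < b[1] and b[0] < a[1]


def schedule(streams):
    """Greedy first-fit: place streams shortest period first, trying offsets 0, STEP_NS, 2*STEP_NS, ...
    until every instance of the stream within the hypercycle is collision-free against frames already
    placed. Returns ({name: offset_ns}, sorted frame windows, hypercycle_ns)."""
    H = hypercycle_ns(streams)
    placed, offsets = [], {}
    for s in sorted(streams, key=lambda s: (s["period_ns"], s["name"])):
        tx = tx_time_ns(s["frame_bytes"])
        for off in range(0, s["period_ns"] - tx + 1, STEP_NS):
            windows = [(off + k * s["period_ns"], off + k * s["period_ns"] + tx)
                       for k in range(H // s["period_ns"])]
            if not any(overlaps(w, p) for w in windows for p in placed):
                offsets[s["name"]] = off
                placed.extend(windows)
                break
        else:
            raise ValueError(f"no collision-free offset for {s['name']}")
    return offsets, sorted(placed), H


def gate_control_list(windows, H):
    """Derive the TAS gate control list for the port: the TT gate is open (best-effort closed) exactly
    over the merged scheduled windows and best-effort is open elsewhere. Entries are
    (start_ns, duration_ns, gate) and tile the whole hypercycle."""
    merged = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    gcl, t = [], 0
    for start, end in merged:
        if start > t:
            gcl.append((t, start - t, "BE"))
        gcl.append((start, end - start, "TT"))
        t = end
    if t < H:
        gcl.append((t, H - t, "BE"))
    return gcl


# Constructed streams on one egress port (names, periods and sizes are made up for the example).
STREAMS = [
    {"name": "s1", "period_ns": 100_000, "frame_bytes": 1500},
    {"name": "s2", "period_ns": 50_000, "frame_bytes": 500},
    {"name": "s3", "period_ns": 100_000, "frame_bytes": 1500},
]


def demo():
    offsets, windows, H = schedule(STREAMS)
    return offsets, gate_control_list(windows, H), H


if __name__ == "__main__":
    offsets, gcl, H = demo()
    print("hypercycle", H, "offsets", offsets)
    for start, duration, gate in gcl:
        print(f"t={start:>6} ns  {gate} open for {duration} ns")
```

Two checks are worth keeping whenever a gate control list is generated: that no two scheduled windows overlap (the first-fit search guarantees this by construction) and that the entry durations sum exactly to the hypercycle, since a list that does not tile the cycle drifts against the transmission offsets and silently reintroduces the queuing delay the TAS is meant to remove.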

    Increased reliability on Intel GPUs via software diverse redundancy

    In the past decade, Artificial Intelligence has revolutionized various industries, including the automotive, avionics, and health sectors. The installation of Advanced Driver Assistance Systems (ADAS) is now a reality, with the goal of achieving fully self-driving cars (SDCs) in the near future. ADAS and Autonomous Driving (AD) systems require processing vast amounts of data at high frequency using complex algorithms (Deep Learning, DL) to meet tight time constraints (Real Time, RT). Traditional computing has become a bottleneck, with CPUs unable to handle the data efficiently. High-performance GPUs have partially fulfilled these timing constraints, leading to continuous innovation in device performance and efficiency. For example, NVIDIA introduced the Jetson AGX Xavier SoC in 2017, designed for machine learning applications in the automotive sector. However, AD and ADAS challenges also involve safety constraints, such as functional safety. Redundancy is necessary for identifying and correcting erroneous outcomes. To ensure high safety levels, diverse redundancy is used to avoid common cause faults (CCF). High-performance hardware for AD must be verified and validated (V&V) to ensure safety goals, but these processes can be costly. The automotive industry seeks to avoid non-recurring costs by using commercial off-the-shelf products (COTS). However, COTS devices have drawbacks, including limited redundancy and guarded implementation details. Researchers are developing software-only diverse redundancy solutions on top of COTS devices to overcome these limitations. Two main challenges are ensuring redundant computation for error detection and guaranteeing diverse redundancy to detect errors even when they affect all replicas. Current solutions are limited and mostly focused on NVIDIA GPUs. This thesis presents a software-only solution for diverse redundancy on Intel GPUs, providing strong diversity guarantees for the first time.
Built on OpenCL, a hardware-agnostic programming language, the technique relies on intrinsics, special functions optimized by the integrators. The intrinsics enable identifying hardware threads on the GPU and smart tailoring of workload geometry and allocation to specific computing elements. As a result, redundant threads use physically diverse execution units, meeting diverse redundancy requirements with affordable performance overheads. Several scenarios are developed to measure the impact of modifications to a standard OpenCL kernel execution: first, allocating only half of the available GPU resources; then, overriding the scheduler to use half of the resources; next, duplicating the work to mimic two kernel executions; and finally, executing both kernels in independent parts of the GPU.

    Functional-safety analysis of ASIL decomposition for redundant automotive systems
