In our previous blog, we introduced you to the 11 Safety highlights of Adaptive AUTOSAR. In this blog, let us discuss the first 5 highlights.
1. Safety considerations for high performance oriented hardware
While Classic AUTOSAR (CA) is targeted at microcontrollers that offer hard real-time performance, the Adaptive AUTOSAR Platform (AA) is targeted at complex SoCs with hardware accelerators (advanced graphics processing units, deep-learning accelerators, DSPs, multi-core CPUs, etc.) in order to achieve high performance. Obviously, this means that there is a lot of concurrent processing going on. To achieve deterministic execution for Safety functions, AA provides design guidelines for using parallel processing technologies.
An ASIL-compliant hypervisor must be used to partition and isolate the Safety-critical parts of the system from the non-Safety-related parts.
2. Support for Safe and Secure use of C++
While CA supports only the C language, AA supports C++, since it is the language of choice for the development of new algorithms and application software in high-performance, complex applications.
AUTOSAR specifies coding guidelines for the use of C++14 in safety- and security-related software.
Key highlights:
- It integrates other safety/security-related coding standards available for C++, such as the CERT C++ Coding Standard, the High Integrity C++ Coding Standard version 4.0 and the Google C++ Style Guide.
- It provides traceability to the ISO 26262 Part 6 (Software) methods on software architecture, coding and verification, and specifies which rules can be used to implement each method in Part 6.
- While it is unclear whether AUTOSAR will continue to update these safety guidelines for future C++ versions, MISRA announced the merging of the AUTOSAR coding guidelines into its own established best practice, to develop a single ‘go to’ language subset for safety-related C++ development that will support the latest C++20 version.
- It permits the use of dynamic memory allocation in Safety systems. However, AA recommends that this allocation be deterministic. Various deterministic memory allocator techniques are implemented and used in mass-production systems.
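To make the deterministic allocation point concrete, here is an added example (not AUTOSAR or MISRA code) of the simplest such technique: a fixed-block pool allocator whose allocate and release are constant-time free-list operations, with no fragmentation and no call into the general-purpose heap after startup. Exhaustion is reported as nullptr rather than hidden behind undefined behaviour. The class, the block sizes and the demo function are all assumptions constructed for this example.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <new>

// Fixed-block pool allocator (added example, not AUTOSAR code). All blocks have
// the same size, so allocate() and deallocate() are O(1) free-list operations
// with no fragmentation and no call into the general-purpose heap or OS.
template <std::size_t BlockSize, std::size_t BlockCount>
class FixedPool {
public:
    FixedPool() {
        // Thread every block onto the free list during construction (the
        // startup phase), so the run-time phase never touches the heap.
        for (std::size_t i = 0; i < BlockCount; ++i) {
            free_list_ = new (&storage_[i * BlockSize]) Block{free_list_};
        }
    }
    FixedPool(const FixedPool&) = delete;
    FixedPool& operator=(const FixedPool&) = delete;

    // Returns a block, or nullptr when the pool is exhausted: the bound is
    // reported to the caller instead of being hidden behind undefined behaviour.
    void* allocate() noexcept {
        if (free_list_ == nullptr) {
            return nullptr;
        }
        Block* b = free_list_;
        free_list_ = b->next;
        ++in_use_;
        return b;
    }

    // Returns a block to the free list. Pointers the pool does not own are
    // ignored rather than corrupting the list. (Double frees are not detected;
    // a production allocator would add a per-block state word for that.)
    void deallocate(void* p) noexcept {
        if (!owns(p)) {
            return;
        }
        free_list_ = new (p) Block{free_list_};
        --in_use_;
    }

    bool owns(const void* p) const noexcept {
        if (p == nullptr) return false;
        const auto addr = reinterpret_cast<std::uintptr_t>(p);
        const auto base = reinterpret_cast<std::uintptr_t>(storage_.data());
        return addr >= base && addr < base + storage_.size() &&
               (addr - base) % BlockSize == 0;
    }
    std::size_t in_use() const noexcept { return in_use_; }
    static constexpr std::size_t capacity() noexcept { return BlockCount; }

private:
    struct Block { Block* next; };
    static_assert(BlockSize >= sizeof(Block), "block must hold a free-list link");
    static_assert(BlockSize % alignof(std::max_align_t) == 0,
                  "block size must preserve alignment of every block");
    alignas(std::max_align_t) std::array<unsigned char, BlockSize * BlockCount> storage_{};
    Block* free_list_ = nullptr;
    std::size_t in_use_ = 0;
};

// Exercises the pool: BlockCount allocations succeed, the next one returns
// nullptr, a released block is handed out again (LIFO reuse), and a foreign
// pointer is ignored. Returns true when every one of those checks holds.
bool pool_behaves_deterministically() {
    FixedPool<64, 4> pool;
    void* blocks[4];
    for (void*& b : blocks) {
        b = pool.allocate();
        if (b == nullptr) return false;
    }
    if (pool.allocate() != nullptr) return false;   // exhausted, reported cleanly
    pool.deallocate(blocks[1]);
    if (pool.allocate() != blocks[1]) return false; // the freed block is reused
    int foreign = 0;
    pool.deallocate(&foreign);                      // not ours: ignored
    return pool.in_use() == 4;
}

int main() {
    std::cout << (pool_behaves_deterministically() ? "pool OK" : "pool FAILED") << '\n';
    return 0;
}
```

The point of the design is that every code path in allocate() and deallocate() executes a bounded number of instructions regardless of how long the system has been running, which is what makes its worst-case timing analysable for a Safety function.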
3. Safe Software configuration update
HAD (highly automated driving) use cases demand flexible over-the-air updates of software and related configurations. This requirement is of high safety and security importance: if an attacker hacks into the car through a software update and takes control of the brake or steering system, the result is a safety hazard. Hence, AA provides the “Update and Configuration Manager” (UCM) functional cluster. UCM is responsible for updating, installing, removing and keeping a record of the software on an Adaptive Platform, and must be implemented at the highest ASIL level of the system.
Key highlights:
- In case of a failed update (i.e., the newly installed software is unstable and the system crashes), UCM takes over and transitions the system to a safe operating mode.
- UCM verifies the correct installation/update of the newly installed software.
- Even in the case of a failed software update, UCM ensures that Safety features continue to work correctly.
- UCM verifies the correctness of configurations and rolls back to a known and consistent configuration if the verification fails.
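The verify-then-roll-back behaviour described in this list can be shown with a small update manager. The following is an added example written for this post, not the UCM implementation or its API: the package format, the FNV-1a digest standing in for a real signature check, the health-check callback and the scenario names are all constructed assumptions. It demonstrates the two verification points (integrity before activation, health after activation) and the return to the last consistent configuration when either fails.

```cpp
#include <cstdint>
#include <functional>
#include <string>
#include <utility>

// A software package as an update manager would receive it (constructed
// format for this example). Real packages carry a signature over the digest;
// a 32-bit FNV-1a digest stands in here so the example runs stand-alone.
struct Package {
    std::string name;
    std::string version;
    std::string payload;
    std::uint32_t expected_digest;
};

// FNV-1a: a simple, well-defined hash used here only as the integrity check.
std::uint32_t fnv1a(const std::string& data) {
    std::uint32_t h = 2166136261u;
    for (unsigned char c : data) {
        h ^= c;
        h *= 16777619u;
    }
    return h;
}

// The active software configuration the update manager keeps a record of.
struct SoftwareConfig {
    std::string name;
    std::string version;
    std::string payload;
};

enum class UpdateResult {
    Activated,              // verified, activated and healthy
    RejectedBadDigest,      // package failed integrity check; nothing was changed
    RolledBackHealthCheck   // activated but unhealthy; previous config restored
};

// Hypothetical UCM-like update manager: verify before activation, verify again
// after activation, and return to the last consistent configuration on failure.
class UpdateManager {
public:
    using HealthCheck = std::function<bool(const SoftwareConfig&)>;

    explicit UpdateManager(SoftwareConfig initial) : active_(std::move(initial)) {}

    UpdateResult apply(const Package& pkg, const HealthCheck& healthy) {
        // 1. Integrity check of the received package before anything is touched.
        if (fnv1a(pkg.payload) != pkg.expected_digest) {
            return UpdateResult::RejectedBadDigest;
        }
        // 2. Keep the previous configuration as the rollback point, then activate.
        SoftwareConfig previous = active_;
        active_ = SoftwareConfig{pkg.name, pkg.version, pkg.payload};
        // 3. Post-activation verification: if the new software misbehaves,
        //    restore the known-good configuration instead of staying degraded.
        if (!healthy(active_)) {
            active_ = std::move(previous);
            return UpdateResult::RolledBackHealthCheck;
        }
        return UpdateResult::Activated;
    }

    const SoftwareConfig& active() const { return active_; }

private:
    SoftwareConfig active_;
};

// Three constructed scenarios; each returns the outcome and the version that
// is active afterwards.
using Outcome = std::pair<UpdateResult, std::string>;

Outcome scenario_valid_update() {
    UpdateManager ucm(SoftwareConfig{"brake-ctrl", "1.0", "v1-code"});
    Package good{"brake-ctrl", "1.1", "v1.1-code", fnv1a("v1.1-code")};
    UpdateResult r = ucm.apply(good, [](const SoftwareConfig&) { return true; });
    return {r, ucm.active().version};   // Activated, "1.1"
}

Outcome scenario_tampered_package() {
    UpdateManager ucm(SoftwareConfig{"brake-ctrl", "1.0", "v1-code"});
    // Payload modified in transit; the digest no longer matches.
    Package tampered{"brake-ctrl", "1.1", "v1.1-code-MODIFIED", fnv1a("v1.1-code")};
    UpdateResult r = ucm.apply(tampered, [](const SoftwareConfig&) { return true; });
    return {r, ucm.active().version};   // RejectedBadDigest, "1.0"
}

Outcome scenario_unstable_update() {
    UpdateManager ucm(SoftwareConfig{"brake-ctrl", "1.0", "v1-code"});
    Package unstable{"brake-ctrl", "1.2", "v1.2-code", fnv1a("v1.2-code")};
    // The health check fails: the new build "crashes", so the manager rolls back.
    UpdateResult r = ucm.apply(unstable,
                               [](const SoftwareConfig& c) { return c.version != "1.2"; });
    return {r, ucm.active().version};   // RolledBackHealthCheck, "1.0"
}
```

In a real system the rollback point would be a persisted, separately verified image rather than an in-memory copy, and the integrity check would be a signature verified against keys held in the platform's secure key storage; the control flow, verify before and after activation and never leave the system on an unverified configuration, is the part this example illustrates.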
4. Safe Initialization and shutdown
For Applications that are dynamically upgraded, correct initialization as well as shutdown of the Applications becomes crucial in order to prevent failures or unintended behavior. Hence, AA defines services to ensure Safe initialization and Safe shutdown. The “Execution Management” (EM) functional cluster provides this service.
EM is responsible for platform initialization (including the underlying hardware) and startup / shutdown of Applications. It works with the Operating System to perform run-time scheduling of Applications.
Key highlights:
- EM is the first launched platform service.
- EM is responsible for the ordered startup and shutdown of the deployed Applications. It derives an ordering for startup/shutdown based on declared Application dependencies.
- EM is responsible for initialization / configuration of the OS to enable it to perform the necessary run-time scheduling.
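Deriving a startup order from declared Application dependencies is a topological sort, and shutdown is its reverse. The following is an added example, not Execution Management code or its manifest format: the dependency-map type, the Application names and both manifests are constructed assumptions. It uses Kahn's algorithm with an alphabetically ordered ready set so the derived order is reproducible, and it refuses (throws) when the declarations contain a cycle, since no valid order exists in that case.

```cpp
#include <algorithm>
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Declared Application dependencies (constructed for this example):
// app -> the Applications that must already be running before it starts.
using DependencyGraph = std::map<std::string, std::vector<std::string>>;

// Kahn's algorithm over the declared dependencies. Returns a startup order in
// which every Application follows all of its dependencies. Throws when the
// declarations contain a cycle: no valid order exists, and an execution
// manager must refuse rather than guess.
std::vector<std::string> startup_order(const DependencyGraph& deps) {
    std::map<std::string, int> unmet;                             // open dependencies per app
    std::map<std::string, std::vector<std::string>> dependents;   // dep -> apps waiting on it
    for (const auto& entry : deps) {
        unmet.emplace(entry.first, 0);
        for (const auto& dep : entry.second) {
            unmet.emplace(dep, 0);   // a dependency may not have its own entry
            ++unmet[entry.first];
            dependents[dep].push_back(entry.first);
        }
    }
    // std::set orders the ready apps alphabetically, so the derived order is
    // reproducible run to run instead of depending on insertion order.
    std::set<std::string> ready;
    for (const auto& u : unmet) {
        if (u.second == 0) ready.insert(u.first);
    }
    std::vector<std::string> order;
    while (!ready.empty()) {
        std::string app = *ready.begin();
        ready.erase(ready.begin());
        order.push_back(app);
        for (const auto& waiting : dependents[app]) {
            if (--unmet[waiting] == 0) ready.insert(waiting);
        }
    }
    if (order.size() != unmet.size()) {
        throw std::runtime_error("cyclic Application dependencies: no valid startup order");
    }
    return order;
}

// Shutdown is the exact reverse: an Application stops only after everything
// that depends on it has stopped.
std::vector<std::string> shutdown_order(const DependencyGraph& deps) {
    std::vector<std::string> order = startup_order(deps);
    std::reverse(order.begin(), order.end());
    return order;
}

// True when `before` appears earlier than `after` in `order`.
bool precedes(const std::vector<std::string>& order,
              const std::string& before, const std::string& after) {
    auto pos = [&order](const std::string& s) {
        return std::find(order.begin(), order.end(), s) - order.begin();
    };
    return pos(before) < pos(after);
}

bool has_cycle(const DependencyGraph& deps) {
    try {
        startup_order(deps);
        return false;
    } catch (const std::runtime_error&) {
        return true;
    }
}

// Constructed manifest for a small driving stack (names are illustrative).
DependencyGraph example_manifest() {
    return {
        {"sensor-driver", {}},
        {"logging", {}},
        {"diagnostics", {"logging"}},
        {"perception", {"sensor-driver", "logging"}},
        {"planning", {"perception"}},
        {"brake-ctrl", {"planning", "diagnostics"}},
    };
}

// Constructed manifest with a declaration error: a and b depend on each other.
DependencyGraph cyclic_manifest() {
    return {{"a", {"b"}}, {"b", {"a"}}};
}
```

For the example manifest the derived startup order is logging, diagnostics, sensor-driver, perception, planning, brake-ctrl, and shutdown runs that list backwards. Rejecting a cyclic manifest at integration time, rather than starting Applications in some arbitrary order, is the behaviour a Safety-relevant execution manager needs.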
5. Safety and Security Merger
AA specifies that the communication channels and communication partners within the vehicle network should not only be secure but also safe. State-of-the-art cybersecurity measures can be reused for Safety if they help to fulfill the Safety goals. For example, measures such as secure boot, secure key storage or authentication of communication partners can also be reused for safety.
The CRYPTO functional cluster must be developed in compliance with ISO 21434 (road vehicle cybersecurity) as well as ISO 26262, at the highest ASIL level of that system.