FO-EXP: Safety Overview

This article describes the use of AUTOSAR AP for functional safety, including its intended use in scenarios such as automated driving and gateways, with the top-level features listed as [SUC_01] to [SUC_06]. It discusses the common hardware and software faults from the system description and the corresponding safety measures, such as redundant execution, hardware lockstep and error detection. It also carries out a hazard analysis and derives safety requirements, such as correct execution, configuration and information exchange, and fault detection and recovery mechanisms.

1 Introduction to Functional Safety

Functional safety was considered from the very beginning of AUTOSAR AP development, because it affects the software architecture of the system. AP supports the development of safe systems by providing safety methods and safety mechanisms. AUTOSAR AP is designed and implemented as a SEooC (Safety Element out of Context) to achieve functional safety; that is, it is developed on the basis of assumptions rather than of a specific item. This article explains some key points of AUTOSAR AP functional safety and how its functional safety mechanisms and measures are used.

2 Assumed Use and Goals of AUTOSAR AP

2.1 Assumed use cases

  • Automated driving: driver assistance and fully automated driving, including domain controllers and the sensor controllers they use
  • Gateways
  • Body domain controllers
  • Infotainment systems, etc.

2.2 Design goals

  1. Provide an abstraction layer for software developers, such as ARA (the AUTOSAR Runtime for Adaptive Applications), so that AP applications can be ported easily between different ECUs
  2. Make software development and deployment more flexible
  3. Isolate executing applications from one another, so that applications of different ASIL levels do not interfere with each other

2.3 Top-level features or use cases

[SUC_01] Provide flexible execution time and resources for multiple, mixed criticality applications.

[SUC_02] Provide dynamically configurable, updateable and upgradable runtime for multiple, mixed criticality applications.

[SUC_03] Provide information exchange between multiple, mixed criticality applications.

[SUC_04] Provide information exchange between mixed criticality application and other external components such as sensors, actors or ECUs inside the vehicle.

[SUC_05] Provide information exchange between mixed criticality application and other external components outside the vehicle.

[SUC_06] Maintain correct configuration and monitor correct operation during the driving cycle.

3 System Description

Requirements that AP, as an application-independent module, must satisfy: the AUTOSAR specifications and the requirements of the OEM or of other suppliers.

3.1 Assumed system content

  • Vehicle: the design of the vehicle system
  • ECU: PMIC, watchdog, input/output channels, etc.
  • Microcontroller content
  • Hardware accelerators
  • Software content
    • Dynamic memory allocation

3.2 Common software and hardware faults

This section collects and describes typical hardware and software faults that may directly affect AP, together with the related safety measures.

Hardware faults include transient, intermittent and permanent faults.

The following is a list of typical measures that can be taken to detect or avoid the hardware faults above:

  • Cyclic Configuration Test
  • Cyclic Hardware Part Test (using known test vectors)
  • Shutdown Path Test ("Can the safe state be reached?")
  • Memory Walk-Through Tests (e.g. test for writeability)
  • Clock Monitoring, Power Monitoring, Timing Monitoring (timing predictions may be very inaccurate in high-performance microprocessors due to the inherent complexity of such systems)
  • Plausibility Checks (but only applicable if checks are significantly easier to calculate than the functions to be monitored)
  • External Watchdog
  • End-to-End Protection
  • Hardware Lockstep CPU Cores (although this may not always be present in high-performance microprocessors)
  • ECC Memory (Error detection for data and address links)
  • Redundant Execution (2oo2, 2oo2D, 2oo3)
  • Proper Hardware Design (the choices in high-performance microprocessors may be very limited due to the complexity of hardware architecture and may result in common cause failures)
  • Proper Communication Bus
  • Proper Shielding
  • Proper Electromagnetic Compatibility (EMC)

Measures to detect or avoid software faults include:

  • Redundant Execution (2oo2, 2oo2D, 2oo3)
  • Program Flow Control ("Does the software pass by known points in the right order?")
  • Checksums
  • Arbitration
  • Collision Detection
  • Signatures
  • Software Lockstep
  • Parallel Execution
  • Safety Checker
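Two of the software measures listed above, Program Flow Control and 2oo3 Redundant Execution, as an added C++ example. This is not code from the AUTOSAR document or from the platform; the checkpoint names, the ProgramFlowMonitor class and the Vote2oo3 helper are constructed for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Checkpoints one application cycle must pass, in this order (constructed sample).
enum class Checkpoint : std::uint8_t { ReadInputs = 1, Compute = 2, WriteOutputs = 3 };
// Program Flow Control: does the software pass the known points in the right order?
class ProgramFlowMonitor {
public:
    explicit ProgramFlowMonitor(std::vector<Checkpoint> expected)
        : expected_(std::move(expected)) {}
    // Report reaching a checkpoint; false means a skipped, repeated or
    // out-of-order checkpoint was detected (a control-flow fault).
    bool Reached(Checkpoint cp) {
        if (failed_ || next_ >= expected_.size() || expected_[next_] != cp) {
            failed_ = true;
            return false;
        }
        ++next_;
        return true;
    }
    // Checked at the end of a cycle, e.g. before servicing the watchdog:
    // true only if every expected checkpoint was passed exactly once, in order.
    bool CycleComplete() const { return !failed_ && next_ == expected_.size(); }
    void NewCycle() { next_ = 0; failed_ = false; }
private:
    std::vector<Checkpoint> expected_;
    std::size_t next_ = 0;
    bool failed_ = false;
};

struct VoteResult {
    bool valid;           // false: no majority, the safe state must be entered
    std::int32_t value;   // voted output when valid
    int faulty_channel;   // index of the outvoted channel, -1 if all agree
};

// Redundant Execution, 2oo3: three independently computed results are compared;
// a single deviating channel is masked and reported, while two or more
// disagreeing channels leave no trusted majority.
VoteResult Vote2oo3(const std::array<std::int32_t, 3>& ch) {
    if (ch[0] == ch[1] && ch[1] == ch[2]) return {true, ch[0], -1};
    if (ch[0] == ch[1]) return {true, ch[0], 2};
    if (ch[0] == ch[2]) return {true, ch[0], 1};
    if (ch[1] == ch[2]) return {true, ch[1], 0};
    return {false, 0, -1};
}
```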

3.3 AUTOSAR AP architecture overview

The main functions are:

  • Safe startup
  • Execution of applications
  • Scheduling of applications
  • Application state management
  • Runtime monitoring: bus load, execution time, memory consumption, etc.
  • Access to application data
  • Persistent data storage
  • Configuration of ECU and application data
  • Upgrade of deployed applications
  • Deployment of new applications
  • System monitoring
  • Sending and receiving messages over the vehicle network

Architecture of the AUTOSAR platform:

  • AUTOSAR AP Foundation (base libraries)
  • AUTOSAR AP Services
  • User applications

4 Hazard Analysis

The most common safety-related failures are:

  • Hardware faults in CPUs, RAM, flash, MCU buses or peripherals
  • Systematic or safety-related faults in software
  • Electromagnetic interference on communication lines
  • Hardware faults in communication hardware units
  • Software faults in communication drivers that lead to crashes, lost frames, delays, out-of-order delivery, duplicates, etc.
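The communication-driver failures just listed (lost, delayed, out-of-order and duplicated frames) together with bus corruption are what the End-to-End Protection and Checksums measures of section 3.2 are meant to expose at the receiver. The following added C++ example is not code from the document or from the AUTOSAR E2E library: it uses a constructed frame layout with an alive counter and a CRC-8 (polynomial 0x1D, init 0xFF), chosen for illustration rather than one of the AUTOSAR E2E profiles, and a constructed tolerance of two consecutive lost frames.

```cpp
#include <cstdint>
#include <utility>
#include <vector>

// Constructed frame layout for one protected message: alive counter, payload, CRC.
struct Frame { std::uint8_t counter; std::vector<std::uint8_t> payload; std::uint8_t crc; };
// CRC-8, polynomial 0x1D, init 0xFF, computed over counter and payload
// (constructed choice, not one of the AUTOSAR E2E profiles).
std::uint8_t Crc8(std::uint8_t counter, const std::vector<std::uint8_t>& payload) {
    std::uint8_t crc = 0xFF;
    auto feed = [&crc](std::uint8_t b) {
        crc ^= b;
        for (int i = 0; i < 8; ++i)
            crc = static_cast<std::uint8_t>((crc & 0x80) ? (crc << 1) ^ 0x1D : crc << 1);
    };
    feed(counter);
    for (std::uint8_t b : payload) feed(b);
    return crc;
}
// Sender side: attach the alive counter and the CRC to the payload.
Frame Protect(std::uint8_t counter, std::vector<std::uint8_t> payload) {
    Frame f{counter, std::move(payload), 0};
    f.crc = Crc8(f.counter, f.payload);
    return f;
}

enum class E2EStatus { Ok, Corrupted, Repeated, Lost, WrongSequence };
// Receiver side: the CRC exposes corrupted data, the alive counter exposes
// repeated, lost and out-of-order frames; the application then decides whether
// the signal may still be used or the safe state must be entered.
class E2EChecker {
public:
    E2EStatus Check(const Frame& f) {
        if (Crc8(f.counter, f.payload) != f.crc) return E2EStatus::Corrupted;
        if (!have_last_) { have_last_ = true; last_ = f.counter; return E2EStatus::Ok; }
        const std::uint8_t delta = static_cast<std::uint8_t>(f.counter - last_);  // mod 256
        E2EStatus s = E2EStatus::Ok;
        if (delta == 0) s = E2EStatus::Repeated;                               // same frame again
        else if (delta > 1 && delta <= kMaxLost + 1) s = E2EStatus::Lost;      // small gap
        else if (delta > kMaxLost + 1) s = E2EStatus::WrongSequence;           // big gap or backwards
        if (s != E2EStatus::Repeated) last_ = f.counter;  // corrupted frames never get here
        return s;
    }
private:
    static constexpr std::uint8_t kMaxLost = 2;  // tolerated consecutive losses (constructed)
    bool have_last_ = false;
    std::uint8_t last_ = 0;
};
```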

Classifying the above:

  • Memory
  • Timing
  • Execution
  • Information exchange
  • Authentication of applications or services
  • Permission management

Top-level failures:

[TLF_01] Unintended, untimely and/or incorrect execution of applications

[TLF_02] Unintended, untimely and/or incorrect configuration, update and upgrade of applications

[TLF_03] Unintended, untimely and/or incorrect exchange of information between applications

[TLF_04] Unintended, untimely and/or incorrect exchange of information between applications and external components inside the vehicle

[TLF_05] Unintended, untimely and/or incorrect exchange of information between applications and external components outside the vehicle

[TLF_06] Corruption of configuration

5 Safety Requirements

[RS_SAF_00001] Safe Execution:AUTOSAR shall provide supporting mechanisms to monitor the control flow and manage the execution order of multiple applications with mixed safety criticality.

[RS_SAF_00002] Safe Configuration:AUTOSAR shall provide mechanisms to support correct configuration during the entire driving cycle of the vehicle.

[RS_SAF_00003] Safe Update or Safe Upgrade: AUTOSAR shall provide mechanisms to support correct update and upgrade of multiple platform and non-platform applications with mixed criticality.

[RS_SAF_00004] Safe Exchange of Information: AUTOSAR shall provide mechanisms to support safe exchange (transmission and reception) of information between safety critical applications.

[RS_SAF_00005] Detection of Data Corruption: AUTOSAR shall provide mechanisms to detect faults and failures while processing data, communicating with other systems or system elements.

[RS_SAF_00006] Safe Storage: AUTOSAR shall provide mechanisms to support safe storage for applications.

[RS_SAF_00007] Recovery upon failure: AUTOSAR shall Monitor, detect and provide means to react on detectable failures.

6 Functional Safety Concept

  • Ensure correct computation, execution and execution order of multiple applications with mixed criticality
  • AUTOSAR shall ensure correct configuration during the entire life cycle of the platform
  • AUTOSAR shall ensure correct update and upgrade of multiple platform and non-platform applications with mixed criticality
  • AUTOSAR shall ensure correct exchange (transmission and reception) of information
  • AUTOSAR shall detect faults and failures while processing data, communicating with other systems or system elements
  • AUTOSAR shall provide mechanisms to support safe storage for applications
  • AUTOSAR shall Monitor, detect and provide means to react on detectable failures