1 Introduction to Functional Safety
Functional safety was considered from the very start of AUTOSAR AP development, because it affects the software architecture of the system. The AP supports the development of safety-related systems by providing safety methods and safety mechanisms. AUTOSAR AP is designed and implemented as a SEooC (Safety Element out of Context); that is, it is developed not on the basis of a specific item but on the basis of assumptions. This article explains some key points of AUTOSAR AP functional safety and how its functional safety mechanisms and measures are meant to be used.
2 Assumed Use and Goals of AUTOSAR AP
2.1 Assumed use cases
- Automated driving: driver assistance and fully automated driving, including domain controllers and the sensor controllers they use
- Gateways
- Body domain controllers
- Infotainment systems, etc.
2.2 Design goals
- Provide software developers with an abstraction layer, such as ARA, so that AP applications can be ported easily between different ECUs
- Make software development and deployment more flexible
- Isolate executing applications from one another, so that applications of different ASIL levels do not interfere with each other
2.3 Top-level features or use cases
[SUC_01] Provide flexible execution time and resources for multiple, mixed criticality applications.
[SUC_02] Provide dynamically configurable, updateable and upgradable runtime for multiple, mixed criticality applications.
[SUC_03] Provide information exchange between multiple, mixed criticality applications.
[SUC_04] Provide information exchange between mixed criticality application and other external components such as sensors, actors or ECUs inside the vehicle.
[SUC_05] Provide information exchange between mixed criticality application and other external components outside the vehicle.
[SUC_06] Maintain correct configuration and monitor correct operation during the driving cycle
3 System Description
As an application-independent module, the AP has to satisfy the following requirements: the AUTOSAR specifications and the requirements of other OEMs or suppliers.
3.1 Assumed system content
- Vehicle: design of the vehicle system
- ECU: PMIC, watchdog, input/output channels, etc.
- Microcontroller content
- Hardware accelerators
- Software content
- Dynamic memory allocation
3.2 Common software and hardware faults
This section collects and describes typical hardware and software faults that may directly affect the AP, together with the related safety measures.
Hardware faults include transient, intermittent and permanent faults.
The following is a list of typical measures that can be taken to detect or avoid the hardware faults above:
- Cyclic Configuration Test
- Cyclic Hardware Part Test (using known test vectors)
- Shutdown Path Test ("Can the safe state be reached?")
- Memory Walk-Through Tests (e.g. test for writeability)
- Clock Monitoring, Power Monitoring, Timing Monitoring (timing predictions may be very inaccurate in high-performance microprocessors due to the inherent complexity of such systems)
- Plausibility Checks (but only applicable if checks are significantly easier to calculate than the functions to be monitored)
- External Watchdog
- End-to-End Protection
- Hardware Lockstep CPU Cores (although this may not always be present in high-performance microprocessors)
- ECC Memory (Error detection for data and address links)
- Redundant Execution (2oo2, 2oo2D, 2oo3)
- Proper Hardware Design (the choices in high-performance microprocessors may be very limited due to the complexity of hardware architecture and may result in common cause failures)
- Proper Communication Bus
- Proper Shielding
- Proper Electromagnetic Compatibility (EMC)
Measures to detect or avoid software faults are:
- Redundant Execution (2oo2, 2oo2D, 2oo3)
- Program Flow Control ("Does the software pass-by known points in the right order?")
- Checksums
- Arbitration
- Collision Detection
- Signatures
- Software Lockstep
- Parallel Execution
- Safety Checker
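The list above names checksums, signatures and sequence supervision as software measures, and the hardware list names End-to-End Protection; the following C++ sketch is an added example of how those pieces combine into an end-to-end protection layer for data exchanged between two applications. It is not AUTOSAR code and not one of the standardised AUTOSAR E2E profiles: the frame layout (a 1-byte alive counter, a 1-byte CRC-8 with the SAE J1850 polynomial, and a data ID that is never transmitted but mixed into the CRC), the counter range 0..14 and the tolerated counter gap of 2 are assumptions chosen for clarity.

```cpp
// Added illustration (not AUTOSAR code) of an E2E-style protection wrapper.
// Assumed frame layout: [alive counter][crc][payload...]; the data ID is
// implicit on both sides and covered by the CRC, so a frame that carries a
// different ID (masquerading) fails the check like a corrupted one.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

enum class E2EStatus { Initial, Ok, OkSomeLost, Repeated, WrongSequence, WrongCrc };

// CRC-8, polynomial 0x1D (SAE J1850), start value 0xFF, final XOR 0xFF, bitwise.
uint8_t crc8(const std::vector<uint8_t>& bytes) {
    uint8_t crc = 0xFF;
    for (uint8_t b : bytes) {
        crc ^= b;
        for (int i = 0; i < 8; ++i)
            crc = (crc & 0x80) ? static_cast<uint8_t>((crc << 1) ^ 0x1D)
                               : static_cast<uint8_t>(crc << 1);
    }
    return static_cast<uint8_t>(crc ^ 0xFF);
}

// CRC over [data ID][counter][payload]; the CRC byte itself (index 1) is skipped.
uint8_t frameCrc(uint8_t dataId, const std::vector<uint8_t>& frame) {
    std::vector<uint8_t> covered;
    covered.push_back(dataId);
    covered.push_back(frame[0]);                                    // alive counter
    covered.insert(covered.end(), frame.begin() + 2, frame.end());  // payload
    return crc8(covered);
}

class E2EProtector {  // sender side
public:
    explicit E2EProtector(uint8_t dataId) : dataId_(dataId) {}
    std::vector<uint8_t> protect(const std::vector<uint8_t>& payload) {
        std::vector<uint8_t> frame{counter_, 0};
        frame.insert(frame.end(), payload.begin(), payload.end());
        frame[1] = frameCrc(dataId_, frame);
        counter_ = static_cast<uint8_t>((counter_ + 1) % 15);  // assumed 4-bit counter 0..14
        return frame;
    }
private:
    uint8_t dataId_;
    uint8_t counter_ = 0;
};

class E2EChecker {  // receiver side
public:
    E2EChecker(uint8_t dataId, uint8_t maxDeltaCounter = 2)
        : dataId_(dataId), maxDelta_(maxDeltaCounter) {}
    E2EStatus check(const std::vector<uint8_t>& frame) {
        if (frame.size() < 2 || frameCrc(dataId_, frame) != frame[1])
            return E2EStatus::WrongCrc;  // bit corruption or wrong data ID
        uint8_t counter = frame[0];
        if (!initialised_) { initialised_ = true; last_ = counter; return E2EStatus::Initial; }
        uint8_t delta = static_cast<uint8_t>((counter + 15 - last_) % 15);
        last_ = counter;  // resynchronise on every CRC-valid frame
        if (delta == 0) return E2EStatus::Repeated;        // duplicated or stuck sender
        if (delta == 1) return E2EStatus::Ok;
        if (delta <= maxDelta_) return E2EStatus::OkSomeLost;  // tolerated loss
        return E2EStatus::WrongSequence;  // too many lost, or a stale/replayed frame
    }
private:
    uint8_t dataId_, maxDelta_, last_ = 0;
    bool initialised_ = false;
};

int main() {
    E2EProtector tx(0x42);
    E2EChecker rx(0x42);
    std::vector<uint8_t> good = tx.protect({1, 2, 3});  // constructed sample payload
    std::vector<uint8_t> bad = good;
    bad[2] ^= 0x01;  // flip one payload bit
    std::cout << "intact frame status: " << static_cast<int>(rx.check(good)) << '\n';
    std::cout << "corrupted frame status: " << static_cast<int>(rx.check(bad)) << '\n';
    return 0;
}
```

The checker reports a counter gap of up to two lost frames as tolerable and anything larger, including a replayed old frame, as a sequence failure; what the receiving application does with each status (use the data, hold the last good value, enter the safe state) is a system-level decision outside this sketch.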
3.3 Overview of the AUTOSAR AP architecture
The main functions are:
- Safe start-up
- Execution of applications
- Scheduling of applications
- Application state management
- Runtime monitoring: bus load, execution time, memory consumption, etc.
- Access to application data
- Storage of persistent data
- ECU and application data configuration
- Upgrade of deployed applications
- Deployment of new applications
- System monitoring
- Sending and receiving messages over the vehicle network
Architecture of the AUTOSAR Platform:
- AUTOSAR AP Foundation
- AUTOSAR AP Services
- User applications
4 Hazard Analysis
The most common safety-related failures are:
- Hardware faults in CPUs, RAM, Flash, or the MCU's buses or peripherals
- Systematic or safety-related faults in software
- Electromagnetic interference on communication lines
- Hardware faults in communication hardware units
- Software faults in communication drivers that lead to crashes, frame loss, delay, reordering, duplication, etc.
These are categorised as follows:
- Memory
- Timing
- Execution
- Information exchange
- Authentication of applications or services
- Rights management
High-level failures:
[TLF_01] Unintended, untimely and/or incorrect execution of applications
[TLF_02] Unintended, untimely and/or incorrect configuration, update and upgrade of applications
[TLF_03] Unintended, untimely and/or incorrect exchange of information between applications
[TLF_04] Unintended, untimely and/or incorrect exchange of information between applications and external components inside the vehicle
[TLF_05] Unintended, untimely and/or incorrect exchange of information between applications and external components outside the vehicle
[TLF_06] Corruption of configuration
5 Safety Requirements
[RS_SAF_00001] Safe Execution: AUTOSAR shall provide supporting mechanisms to monitor the control flow and manage the execution order of multiple applications with mixed safety criticality.
[RS_SAF_00002] Safe Configuration: AUTOSAR shall provide mechanisms to support correct configuration during the entire driving cycle of the vehicle.
[RS_SAF_00003] Safe Update or Safe Upgrade: AUTOSAR shall provide mechanisms to support correct update and upgrade of multiple platform and non-platform applications with mixed criticality.
[RS_SAF_00004] Safe Exchange of Information: AUTOSAR shall provide mechanisms to support safe exchange (transmission and reception) of information between safety critical applications.
[RS_SAF_00005] Detection of Data Corruption: AUTOSAR shall provide mechanisms to detect faults and failures while processing data, communicating with other systems or system elements.
[RS_SAF_00006] Safe Storage: AUTOSAR shall provide mechanisms to support safe storage for applications.
[RS_SAF_00007] Recovery upon failure: AUTOSAR shall monitor, detect and provide means to react on detectable failures.
6 Functional Safety Concept
- Ensure correct computation, execution and execution order of multiple applications with mixed criticality
- AUTOSAR shall ensure correct configuration during the entire life cycle of the platform
- AUTOSAR shall ensure correct update and upgrade of multiple platform and non-platform applications with mixed criticality
- AUTOSAR shall ensure correct exchange (transmission and reception) of information
- AUTOSAR shall detect faults and failures while processing data, communicating with other systems or system elements
- AUTOSAR shall provide mechanisms to support safe storage for applications
- AUTOSAR shall monitor, detect and provide means to react on detectable failures
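Both [RS_SAF_00001] in section 5 and the first bullet of this section ask for control-flow monitoring and supervision of the execution order of applications, and the software-measure list in section 3.2 calls the same idea Program Flow Control ("does the software pass by known points in the right order?"). The C++ below is an added example of such a supervisor, written for this page and not taken from AUTOSAR or its Platform Health Management: the supervised application reports numbered checkpoints, and the monitor checks that each transition is on an allowed list and that the cycle from the start checkpoint to the end checkpoint completes within a deadline. Checkpoint numbers, the microsecond clock and the latched-until-reset failure behaviour are assumptions.

```cpp
// Added illustration (not AUTOSAR code) of logical program-flow supervision
// combined with a per-cycle deadline check.
#include <cstdint>
#include <iostream>
#include <set>
#include <utility>

enum class SupervisionStatus { Ok, WrongOrder, DeadlineMissed, Incomplete };

class FlowMonitor {
public:
    // start/end: checkpoint IDs that open and close one supervised cycle;
    // deadlineUs: maximum allowed time from start to end (assumed unit: microseconds).
    FlowMonitor(int start, int end, uint32_t deadlineUs)
        : start_(start), end_(end), deadlineUs_(deadlineUs) {}

    // Declare an allowed checkpoint transition (the expected flow graph).
    void allowTransition(int from, int to) { allowed_.insert({from, to}); }

    // Called by the supervised application each time it reaches a checkpoint.
    // A failure is latched: every later report returns it until reset() is called.
    SupervisionStatus report(int cp, uint32_t nowUs) {
        if (status_ != SupervisionStatus::Ok) return status_;
        if (!active_) {
            if (cp != start_) return fail(SupervisionStatus::WrongOrder);  // flow began mid-way
            active_ = true;
            last_ = cp;
            cycleStartUs_ = nowUs;
            return SupervisionStatus::Ok;
        }
        if (cp == start_) return fail(SupervisionStatus::Incomplete);     // previous cycle never ended
        if (!allowed_.count({last_, cp})) return fail(SupervisionStatus::WrongOrder);
        if (nowUs - cycleStartUs_ > deadlineUs_) return fail(SupervisionStatus::DeadlineMissed);
        last_ = cp;
        if (cp == end_) active_ = false;  // cycle completed in order and in time
        return SupervisionStatus::Ok;
    }

    SupervisionStatus status() const { return status_; }
    void reset() { status_ = SupervisionStatus::Ok; active_ = false; }

private:
    SupervisionStatus fail(SupervisionStatus s) { status_ = s; active_ = false; return s; }

    int start_, end_;
    uint32_t deadlineUs_;
    std::set<std::pair<int, int>> allowed_;
    SupervisionStatus status_ = SupervisionStatus::Ok;
    bool active_ = false;
    int last_ = 0;
    uint32_t cycleStartUs_ = 0;
};

int main() {
    // Constructed example: a 4-checkpoint cycle read -> compute -> check -> write
    // with a 1 ms budget; the application then skips the "check" checkpoint.
    FlowMonitor m(1, 4, 1000);
    m.allowTransition(1, 2);
    m.allowTransition(2, 3);
    m.allowTransition(3, 4);
    m.report(1, 0);
    m.report(2, 100);
    SupervisionStatus s = m.report(4, 200);  // checkpoint 3 skipped
    std::cout << "status after skipped checkpoint: " << static_cast<int>(s) << '\n';
    return 0;
}
```

Because a failure is latched, the component that reacts (for example by moving the application or the machine to its safe state) cannot miss it even if the faulty application keeps reporting plausible checkpoints afterwards; clearing it is an explicit, separate decision.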