Robustness of automotive embedded systems

The new modular, multi-layered organization of automotive software particularly favours the use and interoperability of Off-The-Shelf components. However, the integration of software components is error-prone if their coordination is not rigorously controlled. The risk of failure is further increased by the possibility of multiplexing software components with heterogeneous levels of criticality. Most dependability mechanisms today address errors locally within each component or report them to further diagnosis services. Instead, we consider a global wrapping-based approach to deal with multilevel properties that are checked on the complete multilayered system at runtime.

To address this problem, we introduce a framework for designing robust software, from analysis to implementation issues, and we have produced a proof of concept of the methodology on simple case studies.

Our approach follows the steps given below:

1)  Analysis of the target system and its provided services;

2)  Selection of the faults that are considered at various levels of abstraction;

3)  Definition of the dependability properties that must be verified on-line;

4)  Definition of the error detection and recovery mechanisms;

5)  Definition and implementation of the corresponding observation and control mechanisms;

6)  Implementation of the fault tolerance mechanisms based on software sensors and actuators;

7)  Evaluation by fault injection of the coverage of such fault tolerance mechanisms.
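As an added illustration of steps 3 to 7 (not code from the project or the authors), the following C sketch wraps a hypothetical COTS component with an external defence component: the wrapper observes the component's output (software sensor), checks a range and rate-of-change property on-line, substitutes the last validated value on violation (software actuator), and a small fault-injection harness measures the wrapper's detection coverage. All names, limits and fault magnitudes are constructed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Fault-injection hook of the evaluation harness (step 7): an offset added
 * to the component's output; 0 means no fault is injected. */
static int g_injected_offset = 0;

/* Hypothetical COTS component: maps a torque request in percent to an
 * actuator command in [0,1000]. The defence software sees only its I/O. */
static int cots_torque_map(int request_pct) {
    return request_pct * 10 + g_injected_offset;
}

#define CMD_MAX  1000   /* constructed range limit */
#define MAX_STEP 100    /* constructed max change per cycle */
static int  g_last_good_cmd = 0;
static bool g_have_last     = false;

/* Dependability property verified on-line (step 3): range and rate-of-change. */
static bool property_holds(int cmd) {
    if (cmd < 0 || cmd > CMD_MAX) return false;
    if (g_have_last && abs(cmd - g_last_good_cmd) > MAX_STEP) return false;
    return true;
}

typedef enum { DEF_OK = 0, DEF_RECOVERED = 1 } def_status_t;

/* Defence wrapper (steps 4-6): observe the output, and on violation recover
 * by forwarding the last validated command instead of the faulty one. */
def_status_t defence_wrapper(int request_pct, int *cmd_out) {
    int cmd = cots_torque_map(request_pct);        /* observation point */
    if (!property_holds(cmd)) {
        *cmd_out = g_last_good_cmd;                 /* control point */
        return DEF_RECOVERED;
    }
    g_last_good_cmd = cmd; g_have_last = true;
    *cmd_out = cmd;
    return DEF_OK;
}

/* Coverage evaluation (step 7): inject three fault magnitudes in turn at a
 * steady request and return the percentage the wrapper detected. */
int evaluate_coverage(int injections) {
    static const int offsets[3] = { 5000, 200, 5 };  /* constructed faults */
    int detected = 0, cmd;
    g_have_last = false;
    defence_wrapper(50, &cmd);                       /* warm-up, cmd = 500 */
    for (int i = 0; i < injections; i++) {
        g_injected_offset = offsets[i % 3];
        if (defence_wrapper(50, &cmd) == DEF_RECOVERED) detected++;
        g_injected_offset = 0;
    }
    return injections ? (100 * detected) / injections : 0;
}
```

The small +5 offset stays inside both the range and the step limit, so the harness reports 66 % coverage rather than 100 %, which is exactly the kind of gap step 7 is meant to expose.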

Error detection and error recovery mechanisms must be carefully selected in automotive embedded applications, mainly because of limited resources and for economic reasons. However, major safety concerns brought by new customer services (i.e. chassis control) motivate the automotive industry to search for new means of improving robustness in operation. The challenge is to study a "low-cost", portable and flexible dependability solution. The guiding principle is to rigorously control what information is essential to obtain and when, and what instrumentation is necessary and when, in order to perform fault tolerance.

According to these principles, we developed application-dependent instances of a defence software, as an external customizable component, based on the observation and control mechanisms provided by current standards in the automotive industry. The platform used for the experiments is AUTOSAR compliant.

The defence software is responsible for detecting and recovering from integration faults, but also from residual software faults in COTS components and in the COTS tools extensively used to generate large parts of these systems. The development process of the defence software is consistent with the ISO 26262 development process.

This work was performed with Renault, and further experiments are currently being investigated with Valeo in the ANR-funded SCARLET project.