A Case Study in Obtaining Freedom from Interference in a Mixed-ASIL Architecture

2023 Annual Reliability and Maintainability Symposium (RAMS)(2023)

Abstract
In this paper we describe our experience in identifying and developing safety mechanisms to improve spatial isolation within the AUTOSAR Operating System (OS) in order to allow the use of cores with mixed integrity levels. We show that simple write operations on shared OS data structures, performed by the OS instance running on a low ASIL core (e.g., an ASIL A core), can affect the behavior of code running on higher ASIL cores and may lead to AUTOSAR OS malfunctions. In particular, we focus on cross-core AUTOSAR API calls, by which a core executes an AUTOSAR API on some other core, such as activating a task or retrieving the status of a task running on another core.

We first show that the use of well-known redundancy mechanisms increases the detectability of such cascading failures. Then, we reformatted some internal data structures of our AUTOSAR OS implementation in order to reduce the opportunities for a low ASIL core to interfere with higher ASIL cores. In particular, we analyzed the entire OS source code in order to reduce the size and number of data structures that do not need to be shared among cores. Next, we propose and implement a delegation mechanism borrowed from the networking domain, the Remote Procedure Call (RPC). With this mechanism, when a cross-core API is invoked by a low ASIL core, all operations on the data structures are performed by the higher ASIL core, so that spatial isolation among cores is guaranteed.

Finally, we evaluated the impact of the redundancy and RPC mechanisms on OS performance when low ASIL cores are used on a TriCore architecture. Using the redundancy mechanisms after the data structure reformat increases the overhead of executing a single AUTOSAR OS API function (e.g., ActivateTask). In contrast, we show that the RPC mechanism introduces an acceptable overhead for the high ASIL cores when cross-core AUTOSAR OS APIs are used.

Hence, the overhead introduced by the proposed mechanisms can be acceptable, since it allows the computational power to be increased by using mixed ASIL cores without cascading failures from the safety point of view.
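The two mechanisms the abstract sketches, redundancy on shared OS data and RPC delegation of cross-core calls, as an added illustrative model in C (not the paper's AUTOSAR OS code): task control blocks carry an inverted shadow of their state, a request queue is the only structure a low-ASIL core writes, and the owning high-ASIL core validates and executes each ActivateTask request itself. All type and function names here are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define NUM_TASKS 4
#define QUEUE_LEN 8
enum { SUSPENDED = 0, READY = 1 };
/* Task control block owned by the high-ASIL core (constructed layout). The
 * inverted shadow of the state field is the redundancy mechanism: a single-field
 * write from another core leaves the pair inconsistent and therefore detectable. */
typedef struct { uint32_t state; uint32_t state_inv; uint32_t activations; } Tcb;
typedef struct { uint32_t caller_core; uint32_t task_id; } RpcRequest;

static Tcb tcbs[NUM_TASKS];
static RpcRequest rpc_queue[QUEUE_LEN]; /* the only structure the low-ASIL core writes */
static unsigned rpc_head, rpc_tail;
static void tcb_set_state(Tcb *t, uint32_t s) { t->state = s; t->state_inv = ~s; }
int task_is_consistent(uint32_t id) { return tcbs[id].state == ~tcbs[id].state_inv; }
uint32_t task_state(uint32_t id) { return tcbs[id].state; }
uint32_t task_activations(uint32_t id) { return tcbs[id].activations; }
void os_init(void) {
    memset(tcbs, 0, sizeof tcbs);
    for (uint32_t i = 0; i < NUM_TASKS; i++) tcb_set_state(&tcbs[i], SUSPENDED);
    rpc_head = rpc_tail = 0;
}
/* Without delegation: a low-ASIL core writes the shared TCB directly, modelled
 * here as a partial write that the redundancy check catches afterwards. */
void direct_cross_core_write(uint32_t task_id, uint32_t new_state) { tcbs[task_id].state = new_state; }

/* With delegation (RPC): the low-ASIL core only posts a request. 0 on success, -1 if full. */
int rpc_request_activate(uint32_t caller_core, uint32_t task_id) {
    unsigned next = (rpc_tail + 1) % QUEUE_LEN;
    if (next == rpc_head) return -1;
    rpc_queue[rpc_tail] = (RpcRequest){ caller_core, task_id };
    rpc_tail = next;
    return 0;
}
/* Run on the high-ASIL core: validate each request, then perform ActivateTask
 * on its own data structures. Returns the number of rejected requests. */
int rpc_service(void) {
    int rejected = 0;
    while (rpc_head != rpc_tail) {
        RpcRequest r = rpc_queue[rpc_head];
        rpc_head = (rpc_head + 1) % QUEUE_LEN;
        if (r.task_id >= NUM_TASKS || !task_is_consistent(r.task_id)) { rejected++; continue; }
        tcb_set_state(&tcbs[r.task_id], READY);
        tcbs[r.task_id].activations++;
    }
    return rejected;
}
```

A request that names an out-of-range task, or a task whose control block already fails the redundancy check, is dropped by the owning core instead of corrupting its scheduling state.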
Keywords
Functional Safety, AUTOSAR, Performance Evaluation, ISO 26262