Skip to content

Commit 401123b

Browse files
Merge pull request #2171 from madeline-underwood/auto_safety
Auto safety_JA to review
2 parents 7090268 + bf39a13 commit 401123b

File tree

10 files changed

+289
-231
lines changed

10 files changed

+289
-231
lines changed

content/learning-paths/automotive/openadkit2_safetyisolation/1_functional_safety.md

Lines changed: 0 additions & 134 deletions
This file was deleted.
Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
---
2+
title: Why functional safety matters in software systems
3+
weight: 2
4+
5+
### FIXED, DO NOT MODIFY
6+
layout: learningpathall
7+
---
8+
9+
## What functional safety means for developers
10+
11+
Functional safety helps systems detect faults and respond in ways that keep people and equipment safe. It ensures that even when errors occur, the system transitions into a known, safe state to prevent harm.
12+
13+
This concept is foundational in domains like automotive, autonomous driving, medical devices, industrial control, robotics, and aerospace. In these systems, failures can have severe real-world consequences.
14+
15+
In software development, functional safety focuses on minimizing risks through careful design, rigorous testing, and thorough validation. The goal is to make sure that critical systems behave predictably, reliably, and verifiably, even under fault conditions.
16+
17+
To design for functional safety, developers must consider:
18+
19+
- Error detection mechanisms
20+
- Exception handling strategies
21+
- Redundant system design
22+
- Development processes that align with safety standards
23+
24+
25+
In the following sections, you'll learn how to apply these principles throughout the software lifecycle, from early risk assessment and architectural design to runtime isolation and ISO 26262 compliance.
Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
---
2+
title: Understand functional safety risks
3+
weight: 3
4+
5+
### FIXED, DO NOT MODIFY
6+
layout: learningpathall
7+
---
8+
9+
## Manage risk with functional safety principles
10+
11+
At its core, functional safety is about managing risk and reducing the impact of system failures.
12+
13+
In autonomous vehicles, for example, functional safety ensures that if sensors produce unreliable or conflicting input, the vehicle can fall back to a known-safe state and maintain control.
14+
15+
The three core objectives of functional safety are:
16+
17+
- **Prevention** reduces the likelihood of errors through rigorous software development processes and testing. For example, electric vehicles monitor battery temperature to prevent overheating.
18+
- **Detection** quickly identifies errors using built-in diagnostic mechanisms, such as self-test routines.
19+
- **Mitigation** controls the impact of failures to ensure the system stays safe, even when something goes wrong.
20+
21+
In practice, these principles might be implemented through:
22+
23+
- Redundant sensor fusion code paths
24+
- Timeout mechanisms for control loops
25+
- Watchdog timers that reset components on fault detection
26+
- Safe-state logic embedded in actuator control routines
27+
28+
Together, prevention, detection, and mitigation form the foundation for building safer, more reliable software systems.
29+
30+
In the next step, you’ll explore how functional safety principles are formalized through safety standards like ISO 26262 and applied to real-world systems.
31+
32+
33+
34+
35+
36+
37+
38+
39+
Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
---
2+
title: Apply ISO 26262 and ASIL levels
3+
weight: 4
4+
5+
### FIXED, DO NOT MODIFY
6+
layout: learningpathall
7+
---
8+
## What ISO 26262 and ASIL levels mean for developers
9+
10+
ISO 26262 is a functional safety standard for automotive electronics and software systems. It defines a structured safety lifecycle aligned with the V-model, spanning everything from initial requirements to final validation and maintenance.
11+
12+
The V-model is a development framework where each design phase is paired with a corresponding test phase. This structure makes it easier to trace safety requirements from early specifications through to system verification.
13+
14+
## Key concepts in ISO 26262
15+
16+
- **Automotive Safety Integrity Level (ASIL)** ranks the safety criticality of components on a scale from A (lowest) to D (highest). For example, ASIL A might apply to a dashboard indicator failure, while ASIL D applies to a brake system malfunction.
17+
18+
- **Hazard Analysis and Risk Assessment (HARA)** identifies potential hazards and evaluates their risks to define the required safety goals and ASIL levels.
19+
20+
- **Safety mechanisms** include techniques such as real-time fault detection, redundancy, and fallback modes like fail-safe and fail-operational behavior.
21+
22+
{{% notice Note %}}In practice, many OEMs default to ASIL D for systems with any potential for passenger harm, even if the statistical likelihood of failure is low.{{% /notice %}}
23+
24+
## Apply ISO 26262 to real-world systems
25+
26+
ISO 26262 applies to many safety-critical vehicle systems:
27+
28+
- **Autonomous driving systems** must respond safely to sensor errors (such as LiDAR, radar, or camera faults). Functional safety ensures the vehicle can enter a safe state and avoid unsafe decisions.
29+
30+
- **Powertrain control** systems monitor throttle and braking inputs. Safety mechanisms such as redundancy, plausibility checks, and overrides prevent unintended acceleration or loss of braking function.
31+
32+
- **Battery management systems (BMS)** protect electric vehicle batteries from overheating, overcharging, or deep discharge. Built-in safety functions monitor temperature, balance voltage, and isolate faulty circuits to prevent thermal runaway.
33+
34+
These systems require dedicated hardware and software architectures that enforce functional safety guarantees. One common solution is the *safety island*, which is an isolated compute domain used to run safety-critical control logic independently from the main system.
35+
36+
37+
38+
39+
Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,51 @@
1+
---
2+
title: Implement safety-critical isolation using safety island architecture
3+
weight: 5
4+
5+
### FIXED, DO NOT MODIFY
6+
layout: learningpathall
7+
---
8+
## How safety islands support functional safety
9+
10+
In automotive systems, a non-safety ECU (Electronic Control Unit) typically runs non-critical tasks such as infotainment or navigation. A safety island, by contrast, is dedicated to executing safety-critical control logic (for example, braking and steering) with strong isolation, redundancy, and determinism.
11+
12+
The table below compares the characteristics of an ECU and a safety island in terms of their role in supporting functional safety.
13+
14+
| Feature | ECU | Safety island |
15+
|------------------------|----------------------------|--------------------------------------|
16+
| Purpose | Comfort/non-safety logic | Safety-critical decision making |
17+
| OS/runtime | Linux, Android | RTOS, hypervisor, or bare-metal |
18+
| Isolation | Soft partitioning | Hardware-enforced isolation |
19+
| Functional safety requirement | None to moderate | ISO 26262 ASIL-B to ASIL-D compliant |
20+
| Fault handling | Best-effort recovery | Deterministic safe-state response |
21+
22+
This comparison shows why safety-critical software depends on dedicated hardware domains to meet functional safety goals.
23+
24+
If the main processor fails or becomes inoperable, a safety island can take over critical safety functions such as deceleration, stopping, and fault handling to prevent catastrophic system failures.
25+
26+
{{% notice Tip %}}
27+
Safety islands are often implemented as lockstep cores or separate MCUs that run on real-time operating systems (RTOS), offering guaranteed performance under fault conditions.
28+
{{% /notice %}}
29+
30+
## Key capabilities of a safety island
31+
- **System health monitoring** continuously monitors the operational status of the main processor (for example, the ADAS control unit) and detects potential errors or anomalies
32+
- **Fault detection and isolation** independently detects failures and initiates emergency handling for overheating, execution faults, or unresponsiveness
33+
- **Essential safety functions conitnue to operate**, even if the main system crashes. A safety island can execute fallback operations, such as:
34+
- Autonomous Vehicles → safe stopping (fail-safe mode)
35+
- Industrial Equipment → emergency power cutoff or speed reduction
36+
37+
## Why a safety island matters for functional safety
38+
39+
A safety island provides a dedicated environment for executing critical safety functions. Its key characteristics include:
40+
41+
- **Acting as an independent redundant safety layer**
42+
- Operates safety logic independently of the main processor
43+
44+
- **Supporting the ASIL-D safety level**
45+
- Enables the system to meet the highest ISO 26262 requirements for critical operations
46+
47+
- **Providing independent fault detection and recovery mechanisms:**
48+
- *Fail-safe*: activating a minimal-risk mode, such as limiting vehicle speed or switching to manual control
49+
- *Fail-operational*: allowing high-integrity systems, such as those in aerospace or autonomous driving, to continue functioning under fault conditions
50+
51+
Safety islands play a key role in enabling ISO 26262 compliance by isolating safety-critical logic from general-purpose processing. They're a proven solution for improving system determinism, fault tolerance, and fallback behavior.
Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
---
2+
title: Functional safety for automotive software development
3+
weight: 6
4+
5+
### FIXED, DO NOT MODIFY
6+
layout: learningpathall
7+
---
8+
9+
## The software development lifecycle
10+
11+
Functional safety affects both hardware and software development, particularly in areas such as requirement changes, version control, and test validation. For example, in ASIL-D level applications, every code change must go through a full impact analysis and regression testing to ensure it doesn't introduce new risks.
12+
13+
## Software development practices for functional safety
14+
15+
These practices ensure that software meets industry standards and can withstand system-level failures:
16+
- **Defining requirements clearly**
17+
- Specifying safety-critical requirements and conduct formal risk assessments.
18+
19+
- **Following safety-oriented programming standards**
20+
- Using MISRA C or CERT C/C++ and static analysis tools to detect unsafe behavior.
21+
22+
- **Implementing fault-handling mechanisms**
23+
- Using redundancy, health monitoring, and fail-safe logic to manage faults gracefully.
24+
25+
- **Testing and verifying rigorously**
26+
- Using Hardware-in-the-Loop (HIL) testing to validate behavior under realistic conditions.
27+
28+
- **Tracking changes with version control and audits**
29+
- Using tools like Git, JIRA, or Polarion to manage revisions and maintain traceability for audits.
30+
31+
- **Building an ASIL-partitioned development environment and adopting SOAFEE technologies** to help improve software maintainability and ensure consistent compliance with functional safety standards.
32+
33+
{{% notice Note %}}
34+
This Learning Path builds on [Deploy Open AD Kit containerized autonomous driving simulation on Arm Neoverse](/learning-paths/automotive/openadkit1_container/). It introduces functional safety practices from the earliest stages of software development.
35+
{{% /notice %}}

0 commit comments

Comments
 (0)