SAFERTOS for Automotive
The complexity of embedded software within automotive applications has increased exponentially in the past few years. More than ever there is a need for safe, secure embedded solutions that can provide responsive, feature-rich functionality within a networked environment.
Pre-Certified to ISO 26262 ASIL D by TÜV SÜD.
SAFERTOS is available pre-certified to ISO 26262 ASIL D by TÜV SÜD.
The standard ISO 26262 is an adaptation of the Functional Safety standard IEC 61508 for Automotive Electric/Electronic Systems. ISO 26262 defines functional safety for automotive equipment applicable throughout the lifecycle of all automotive electronic and electrical safety-related systems.
ASIL D is the highest possible safety rating of this standard, and is established by performing a risk analysis of a potential hazard by looking at the severity, exposure and controllability of the vehicle operating scenario. As the final application where SAFERTOS is used is not known, SAFERTOS has been certified as a “Safety Element out of Context” (SEooC). When designing SAFERTOS, the developers have made assumptions about the required safety goals and ASIL level required. These safety goals are described within the SAFERTOS Safety Manual along with the installation and integration instructions. Developers using SAFERTOS need to confirm that the safety goals defined by SAFERTOS meet the requirements of their projects.
SAFERTOS supports certification to ISO 26262 ASIL D for use within automotive safety products, but SAFERTOS is not OSEK compliant and therefore may not be suitable for some European automotive applications.
SAFERTOS supports all the common architectures used within automotive devices. We have worked closely with Texas Instruments to create a highly optimized port of SAFERTOS for the Hercules safety controller family, with Infineon for the AURIX TriCore, and with many other semiconductor companies.
Safety & Performance
SAFERTOS provides high performance without compromising safety. SAFERTOS is a highly deterministic microkernel with a minimum ROM footprint in the region of 10 KB. SAFERTOS contains no dead or unused code and is statically defined at compile time.
It uses deterministic, pre-emptive, priority-based task scheduling to ensure the primary safety goal: that the highest priority task able to execute is the task currently running. SAFERTOS contains intrinsic safety checking of key data variables by using inverted mirrored data, and enhanced parameter checking.
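The inverted-mirror check just mentioned, as an added C example written for this page (it is not SAFERTOS source code, and the `safe_u32_t` type and function names are assumed): the variable is stored beside its bitwise complement and every read first confirms the pair still agree.

```c
#include <stdbool.h>
#include <stdint.h>

/* A key variable stored with its bitwise complement (inverted mirror).
 * Hypothetical type for illustration; not the SAFERTOS data layout. */
typedef struct {
    uint32_t value;
    uint32_t mirror;   /* always ~value while the pair is intact */
} safe_u32_t;

void safe_u32_set(safe_u32_t *s, uint32_t v)
{
    s->value  = v;
    s->mirror = ~v;
}

/* True when the two copies still agree. Because the mirror is inverted, a
 * region wiped to all-zeros or all-ones is detected, which a plain duplicate
 * would miss (0 == 0). A corruption that flips the same bit in both words
 * is not detectable by this check alone. */
bool safe_u32_check(const safe_u32_t *s)
{
    return s->value == ~s->mirror;
}

/* Read only after verifying integrity; a false return must be treated as a
 * fault by the caller (for example routed to the system error hook). */
bool safe_u32_get(const safe_u32_t *s, uint32_t *out)
{
    if (!safe_u32_check(s)) {
        return false;
    }
    *out = s->value;
    return true;
}

/* Constructed fault injection for the demonstration: flip one bit of the
 * primary copy, as a single-event upset in RAM would. */
void inject_bit_flip(safe_u32_t *s, unsigned bit)
{
    s->value ^= (1u << bit);
}
```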
SAFERTOS contains features that assist designers of safety critical systems. For example, the Task Isolation and Separation feature of SAFERTOS enables developers to co-locate safety critical code with non-safety critical code. This feature uses the processor's Memory Management Unit (MMU) or Memory Protection Unit (MPU), configuring the permitted memory areas for each new task on each context switch. Used effectively, this can greatly reduce the amount of safety critical code required within an automotive device.
With an imperceptible boot time, SAFERTOS is an ideal choice in systems that need to protect users and equipment from hazards quickly after a power-on or brown-out event.
Security in Your Automotive Application
Security, always important, has become even more of a priority over the last few years. We take security very seriously, and can provide a variety of solutions. To speak to an engineer about SAFERTOS and Security, contact us.
One cyber security risk factor to consider is the length of the supply chain. The more companies you have in your software supply chain, the greater the risk. SAFERTOS is developed completely in-house here at WHIS, with every line of software accounted for and verified, providing a very strong justification for using SAFERTOS within security applications.
For additional security, we offer CRC Checker, a safety component from WHIS that can be used in conjunction with SAFERTOS. CRC Checker guards against corruption and malicious attack by confirming the correctness of your program memory. More about CRC Checker here.
Design Assurance Pack
SAFERTOS is supplied as source code and accompanied by a Design Assurance Pack (DAP). The DAP contains all the design and verification artifacts required to support ISO 26262 ASIL D certification. SAFERTOS is delivered for a specific processor/compiler combination, removing the need for retesting on the target hardware, and creating a smooth path to re-certifying SAFERTOS within an application. The DAP ensures:
- No retesting on target hardware is required
- Easy installation and integration into your development environment
- Reduced development costs and improved time to market
- Smooth path to certifying SAFERTOS within an application
Runtime Verification Monitoring (Optional)
There is an expectation within ISO 26262 that runtime verification monitors will be used to detect, indicate and handle systematic faults within software rated ASIL C and D.
SAFERTOS includes a range of intrinsic error checking routines. Additionally, there is the optional Checkpoints Safety Component module, which provides SAFERTOS with a sophisticated task monitoring capability, ensuring that tasks are being scheduled as intended. The Checkpoint mechanism allows the user to specify timing tolerances for critical sections of code; this can be used to ensure that:
- Periodic tasks run within tolerances.
- Sections of processing within tasks complete on time.
- Interrupt event to handler task processing completes within allowable tolerances.
- Complex functionality involving multiple tasks completes within allowable tolerances.
- Individual checkpoints can specify their own callback function, or the system error hook can be activated.
- Single shot and periodic checkpoints can be created.
- Periodic checkpoints can operate in fixed or relative timing modes.
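An added example, written for this page rather than taken from SAFERTOS, of how such a checkpoint monitor can enforce single-shot, fixed-period and relative-period timing windows in C; the `checkpoint_t` type, tick counter and function names are assumptions, not the SAFERTOS Checkpoints API.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical checkpoint monitor written for this example; it is not the
 * SAFERTOS Checkpoints API. Ticks are a free-running 32-bit counter. */
typedef enum { CP_SINGLE_SHOT, CP_PERIODIC_FIXED, CP_PERIODIC_RELATIVE } cp_mode_t;
typedef struct {
    cp_mode_t mode;
    uint32_t period;     /* ticks between expected hits (periodic modes) */
    uint32_t tolerance;  /* permitted +/- deviation from the expected tick */
    uint32_t expected;   /* tick at which the next hit is expected */
    bool armed;
    void (*on_fault)(int32_t deviation);  /* per-checkpoint callback, or 0 */
} checkpoint_t;
void cp_init(checkpoint_t *cp, cp_mode_t mode, uint32_t first_expected,
             uint32_t period, uint32_t tolerance, void (*on_fault)(int32_t))
{
    cp->mode = mode; cp->period = period; cp->tolerance = tolerance;
    cp->expected = first_expected; cp->armed = true; cp->on_fault = on_fault;
}
/* Fixed mode keeps the grid anchored at the first expected tick, so drift
 * accumulates and is reported; relative mode re-anchors on the actual hit. */
static void cp_rearm(checkpoint_t *cp, uint32_t now)
{
    if (cp->mode == CP_SINGLE_SHOT)         cp->armed = false;
    else if (cp->mode == CP_PERIODIC_FIXED) cp->expected += cp->period;
    else                                    cp->expected = now + cp->period;
}

/* Called by the monitored code when it reaches the checkpoint; returns true
 * when the hit fell inside the tolerance window. */
bool cp_hit(checkpoint_t *cp, uint32_t now)
{
    if (!cp->armed) return false;                 /* unexpected hit */
    int32_t dev = (int32_t)(now - cp->expected);  /* wrap-safe difference */
    bool ok = dev >= -(int32_t)cp->tolerance && dev <= (int32_t)cp->tolerance;
    if (!ok && cp->on_fault) cp->on_fault(dev);
    cp_rearm(cp, now);
    return ok;
}

/* Called from a periodic monitor task: reports a checkpoint whose window has
 * closed without a hit (e.g. a stalled task), then re-arms it. */
bool cp_poll(checkpoint_t *cp, uint32_t now)
{
    int32_t late = (int32_t)(now - cp->expected);
    if (!cp->armed || late <= (int32_t)cp->tolerance) return true;
    if (cp->on_fault) cp->on_fault(late);
    cp_rearm(cp, now);
    return false;
}
```

With the same hit times, a fixed-mode checkpoint reports a task that drifts one tick per period once the accumulated drift exceeds the tolerance, while a relative-mode checkpoint only sees the unchanged interval between hits.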
Support and Services
For every RTOS purchased, we supply 12 months free Support and Maintenance. For any question you want answered, any support or guidance that you need during design decisions, we are right there ready to help you. Our engineers enjoy sharing their engineering experiences, and take great pride in providing a responsive, friendly and helpful service. To see more about the support offered, including technical help and updates, view our support page.
One of the advantages of a Support and Maintenance contract is the re-validation of SAFERTOS. Once per year, upon request, WHIS will re-validate SAFERTOS for a newer version of the compiler, meaning you always have access to the latest tools.
Exceptional High Quality
WHIS uses a high integrity lifecycle to develop, maintain and support SAFERTOS and its Design Assurance Packs, supported by a deeply institutionalised Quality Management System (QMS). Work started on the QMS in 1999, when WHIS was developing flight control systems. Over the subsequent years WHIS has developed its QMS to encompass the range of applications and standards it supports today, as demand for its services and products from its customers has broadened and deepened.
Lloyds Register LRQA UK independently certifies the WHIS QMS to ISO 9001 for the applicable scope.
Beyond SAFERTOS for Automotive
- SAFERTOS CORE: for automotive devices that only need to consider safety and don’t require full certification.
- Safety Components: bring greater robustness to safety critical automotive designs. WHIS Safety components are available with a Design Assurance Pack supporting certification to automotive standards.
- Networking and Data Storage solutions: available tightly integrated with SAFERTOS using the Task Separation and Isolation functionality.
- Board Support Packages and Drivers: delivered either as commercial grade components, or with a Design Assurance Pack supporting submissions and certifications.
- Training: maximise the use of your RTOS and middleware components, and increase development proficiency by attending one of our comprehensive training courses.
- Peer review services: sometimes just a few hours of consultancy to review a preliminary automotive design, and to check that the proposed design approach is correct, can deliver significant benefits to the outcome of a project.
- Consultancy services: designed to support our automotive customers, allowing us to share our knowledge and experience of automotive device development to help optimise the final design, improve the design processes and smooth the route to certification.