SAFERTOS for Automotive
WITTENSTEIN high integrity systems (WHIS) has long recognised that there is an increasing need for safe, secure, embedded solutions that provide responsive, feature-rich functionality within a networked environment. In response, we have created a complete RTOS package for the Automotive sector:
- SAFERTOS – pre-certified to ISO 26262 ASIL D; a high-performance, small-footprint RTOS
- SAFECheckpoints – fulfils the ISO 26262 requirement for ASIL C and D software designs to have a runtime monitor
- OSEK OS Adaptation Layer – creating a ‘drop-in’ OSEK OS RTOS package ideal for Automotive designs
This package is modular, meaning you can select just SAFERTOS, SAFERTOS with either SAFECheckpoints or the OSEK OS adaptation layer, or all three, knowing that each component is made to the highest quality. A SAFERTOS for Automotive App Note is available here.
SAFERTOS Pre-Certified to ISO 26262 ASIL D by TÜV SÜD
SAFERTOS is pre-certified to ISO 26262 ASIL D by TÜV SÜD.
The ISO 26262 standard is an adaptation of the Functional Safety standard IEC 61508 for Automotive Electric/Electronic Systems. ISO 26262 defines functional safety for automotive equipment applicable throughout the lifecycle of all automotive electronic and electrical safety-related systems.
ASIL D is the highest possible safety rating under this standard, and is achieved by performing a risk analysis of a potential hazard that examines the severity, exposure and controllability of the vehicle operating scenario. As the final application where SAFERTOS will be used is not known, SAFERTOS has been certified as a “Safety Element out of Context” (SEooC). When designing SAFERTOS, our engineers have made assumptions about the safety goals and ASIL level required. These safety goals are described within the SAFERTOS Safety Manual along with the installation and integration instructions. Developers using SAFERTOS need to confirm that the safety goals defined by SAFERTOS meet the requirements of their projects.
SAFERTOS supports certification to ISO 26262 ASIL D for use within automotive safety products.
OSEK OS Adaptation Layer (Optional)
OSEK is an open standard, published by a consortium founded by the automobile industry. OSEK was designed to provide a standard software architecture for the various Electronic Control Units (ECUs) in a vehicle.
SAFERTOS can be supplied with an optional OSEK OS adaptation layer, supporting OSEK OS Conformance Classes BCC1, BCC2, ECC1 and ECC2. This allows SAFERTOS to be used as a drop-in component within OSEK OS compliant systems, which are frequently used within automotive systems.
SAFECheckpoints Runtime Verification Monitoring (Optional)
There is an expectation within ISO 26262 that runtime verification monitors will be used to detect, indicate and handle systematic faults within software rated ASIL C and D.
SAFERTOS includes a range of built-in error checking routines. Additionally, there is the optional SAFECheckpoints module which provides SAFERTOS with a sophisticated Task Monitoring capability, ensuring the scheduling of Tasks is occurring as intended. The Checkpoints mechanism allows the user to specify timing tolerances for critical sections of code; this can be used to ensure that:
- Periodic tasks run within tolerances.
- Sections of processing within tasks complete on time.
- Interrupt event to handler task processing completes within allowable tolerances.
- Complex functionality involving multiple tasks completes within allowable tolerances.
- Individual checkpoints can specify their own callback function, or the system error hook can be activated.
- Single-shot and periodic checkpoints can be created.
- Periodic checkpoints can operate in fixed or relative timing modes.
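The following is an added illustration of the periodic-checkpoint idea described above; it is not the SAFECheckpoints API or WHIS code, and every name in it is hypothetical. It shows the difference between fixed and relative timing modes: a task whose period slips by one tick each cycle is eventually reported in fixed mode (the schedule is anchored), but never in relative mode (each interval is measured from the previous hit).

```c
#include <stdint.h>
#include <stddef.h>

/* Illustrative periodic checkpoint monitor; not the SAFECheckpoints API. */
typedef enum { CP_OK, CP_EARLY, CP_LATE } cp_result_t;
typedef enum { CP_MODE_FIXED, CP_MODE_RELATIVE } cp_mode_t;
typedef struct {
    uint32_t period;        /* expected interval between hits, in ticks */
    uint32_t tolerance;     /* allowed deviation either side of the due tick */
    cp_mode_t mode;         /* FIXED: anchored to the schedule; RELATIVE: re-anchored on each hit */
    uint32_t next_expected; /* tick at which the next hit is due */
    uint32_t misses;        /* hits that fell outside the tolerance window */
    void (*on_error)(cp_result_t); /* per-checkpoint callback, or NULL for the system hook */
} checkpoint_t;
int g_error_hook_calls = 0; /* stands in for the system error hook */
static void system_error_hook(cp_result_t r) { (void)r; g_error_hook_calls++; }
void cp_init(checkpoint_t *cp, uint32_t first_due, uint32_t period,
             uint32_t tolerance, cp_mode_t mode, void (*on_error)(cp_result_t))
{
    cp->period = period; cp->tolerance = tolerance; cp->mode = mode;
    cp->next_expected = first_due; cp->misses = 0; cp->on_error = on_error;
}

/* Called by the monitored task each time it reaches the checkpoint. */
cp_result_t cp_hit(checkpoint_t *cp, uint32_t now)
{
    cp_result_t r = CP_OK;
    if (now + cp->tolerance < cp->next_expected)      r = CP_EARLY;
    else if (now > cp->next_expected + cp->tolerance) r = CP_LATE;
    if (r != CP_OK) {
        cp->misses++;
        (cp->on_error ? cp->on_error : system_error_hook)(r);
    }
    /* Fixed mode keeps the original schedule, so slow drift is eventually
       reported; relative mode measures each interval from the previous hit. */
    cp->next_expected = (cp->mode == CP_MODE_FIXED) ? cp->next_expected + cp->period
                                                    : now + cp->period;
    return r;
}

/* Constructed arrival times: a period-10 task that slips one tick per cycle. */
int cp_drift_demo(cp_mode_t mode)
{
    static const uint32_t hits[] = { 10, 21, 32, 43, 54 };
    checkpoint_t cp;
    cp_init(&cp, 10, 10, 2, mode, NULL);
    for (size_t i = 0; i < sizeof hits / sizeof hits[0]; i++) cp_hit(&cp, hits[i]);
    return (int)cp.misses; /* fixed mode: 2, relative mode: 0 */
}
```

Relative mode is the right choice when the interval between consecutive hits is what matters; fixed mode is the one that catches cumulative drift against a deadline.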
SAFERTOS supports all the common architectures used within automotive devices. We have worked closely with Texas Instruments to create a highly optimised port of SAFERTOS for the Hercules safety controller family, with Infineon for the AURIX TriCore, and with many other semiconductor companies.
Safety & Performance
SAFERTOS provides high performance without compromising safety. SAFERTOS is a highly deterministic microkernel with a minimum ROM footprint in the region of 10 KB. SAFERTOS contains no dead or unused code and is statically defined at compile time.
It uses deterministic, pre-emptive, priority-based Task scheduling to ensure the primary safety goal: that the highest priority Task able to execute is the Task currently running. SAFERTOS delivers intrinsic safety checking of key data variables by using inverted mirrored data and enhanced parameter checking.
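As an added illustration of the inverted mirrored data technique mentioned above (not SAFERTOS's own implementation, and with hypothetical names), each protected variable is stored alongside its bitwise complement, and a read is only accepted if the two copies still agree. This catches any fault that changes the two copies differently, such as a stray write or a single bit flip; a fault that alters both copies identically would not be seen.

```c
#include <stdint.h>
#include <stdbool.h>

/* Illustrative mirrored-variable scheme; not SAFERTOS's own implementation. */
typedef struct {
    uint32_t value;
    uint32_t mirror;   /* always held as the bitwise complement of value */
} mirrored_u32_t;

void mirrored_set(mirrored_u32_t *m, uint32_t v) { m->value = v; m->mirror = ~v; }

/* Returns false (and leaves *out untouched) if the two copies no longer agree,
   which indicates the variable was corrupted between write and read. */
bool mirrored_get(const mirrored_u32_t *m, uint32_t *out)
{
    if ((m->value ^ m->mirror) != 0xFFFFFFFFu) return false; /* hand to the error hook */
    *out = m->value;
    return true;
}

/* Constructed scenario: a single-bit upset in a stored task priority. */
bool mirrored_detects_bitflip(void)
{
    mirrored_u32_t prio;
    uint32_t v;
    mirrored_set(&prio, 3);
    prio.value ^= (1u << 4);   /* simulate memory corruption of one copy */
    return !mirrored_get(&prio, &v);
}
```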
SAFERTOS contains features that assist designers of safety critical systems. For example, the Task Isolation and Separation feature of SAFERTOS enables developers to co-locate safety critical code with non-safety critical code. This feature uses the processor's Memory Management Unit (MMU) or the Memory Protection Unit (MPU), configuring the permitted memory areas for each new Task, on each context switch. Used effectively this can greatly reduce the amount of safety critical code required within an automotive device.
With an imperceptible boot time, SAFERTOS is an ideal choice in systems that need to protect users and equipment from hazards quickly after a power-on or brown-out event.
Security in Your Automotive Application
Whilst security has always been important, it has become even more of a priority over the last few years. We take cyber security very seriously, and can provide a variety of solutions.
One cyber security risk factor to consider is the length of the supply chain. The more companies you have in your software supply chain, the greater the risk. SAFERTOS is developed completely in-house here at WHIS, with every line of code accounted for and verified, providing a very strong justification for using SAFERTOS within security applications.
For additional security, we offer SAFECRC Checker, a safety component from WHIS that can be used in conjunction with SAFERTOS. SAFECRC Checker guards against corruption and malicious attack by confirming the correctness of your program memory. More about SAFECRC Checker here.
Automotive Design Assurance Pack
SAFERTOS is supplied as source code and accompanied by a Design Assurance Pack (DAP). The DAP contains all the design and verification artefacts required to support ISO 26262 ASIL D certification. SAFERTOS is delivered tailored to your specific processor/compiler combination, removing the need for retesting on the target hardware, and creating a smooth path to re-certifying SAFERTOS within an application. The DAP ensures:
- No retesting on target hardware is required
- Easy installation and integration into your development environment
- Reduced development costs and improved time to market
- Smooth path to certifying SAFERTOS within an application
Support and Services
For every RTOS purchased, we supply 12 months free Support and Maintenance. For any question you want answered, any support or guidance that you need during design decisions, we are right there ready to help you. Our engineers enjoy sharing their engineering experiences, and take great pride in providing a responsive, friendly and helpful service. To see more about the support offered, including technical help and updates, view our support page.
One of the advantages of a Support and Maintenance contract is the re-validation of SAFERTOS. Once per year, on request, WHIS will re-validate SAFERTOS for a newer version of the compiler, meaning you always have access to the latest tools.
Exceptional High Quality
WHIS uses a high integrity lifecycle to develop, maintain and support SAFERTOS and its Design Assurance Packs that’s supported by a deeply institutionalised Quality Management System (QMS). Work started on the QMS in 1999, when WHIS was developing flight control systems. Over the subsequent years WHIS has developed its QMS to encompass the range of applications and standards it supports today, as demand for its products and services has broadened and deepened.
Lloyds Register LRQA UK independently certifies the WHIS QMS to ISO 9001, with the applicable scope:
Beyond SAFERTOS for Automotive
- SAFERTOS CORE: for automotive devices that only need to consider safety and don’t require full certification.
- Safety Components: bring greater robustness to safety critical automotive designs. WHIS Safety components are available with a Design Assurance Pack supporting certification to automotive standards.
- Board Support Packages and Drivers: delivered either as commercial grade components, or with a Design Assurance Pack supporting submissions and certifications.
- Training: maximise the use of your RTOS and increase development proficiency by attending one of our comprehensive training courses.
- Peer review services: sometimes just a few hours of consultancy to review a preliminary automotive design, and check that the proposed design approach is correct, can deliver significant benefits to the outcome of a project.
- Consultancy services: designed to support our automotive customers, allowing us to share our knowledge and experience of automotive device development to help optimise the final design, improve the design processes and smooth the route to certification.