With automotive innovations ushering in a new era of software-defined vehicles and bringing rapidly evolving features like ADAS and autonomous driving, the stakes are too high for anything less than impeccable safety. By opting for an operating system that has safety and security features built-in, along with pre-certifications to relevant industry standards, automotive OEMs can benefit from better time to market, while instilling confidence in the safety of their vehicles, enhancing their brand reputation, and ultimately, prioritizing the well-being of their customers.
A real-time operating system (RTOS) pre-certified to both ISO 26262 Automotive Safety Integrity Level (ASIL) D and IEC 61508 Safety Integrity Level (SIL) 3 offers the highest level of safety assurance that automotive software is normally certified to (ASIL D is the top ASIL; IEC 61508 also defines SIL 4, which is rarely targeted outside sectors such as rail and nuclear). Achieving ASIL D and SIL 3 certification involves rigorous testing and validation processes that demonstrate the software meets these stringent standards, giving the system a higher tolerance to faults and failures.
Here's why choosing a proven and pre-certified real-time operating system, built with safety and security in mind, is the only responsible path forward:
Real-Time Reliability: Real-time capabilities in an operating system are crucial for safety-critical automotive systems, as they ensure that tasks are executed within strict timing constraints. In automotive applications, timely and deterministic responses are essential for functions such as collision avoidance, autonomous driving, and vehicle control systems. Real-time operating systems are specifically designed to handle these time-sensitive tasks, providing predictable performance and reliable operation.
Unwavering Certainty - ISO 26262 ASIL D Certification: Don't gamble with passenger and driver safety. A pre-certified ASIL D RTOS can save time and effort in the certification process because, as the developer, you supply the RTOS vendor's certification artifacts as part of the application's safety case instead of qualifying the OS yourself. The pre-certification is valid only when the OS is used within the assumptions of use stated in its safety manual, so those assumptions need to be checked against your design early. This builds the highest level of safety into the core of your system from the very beginning. Anything less than this level of certification can put lives at risk: latent errors in a non-certified RTOS could lead to system malfunctions that jeopardize vehicle control.
Risk Reduction: Certification to IEC 61508 SIL 3 means the functional safety standard has been met for electronic systems requiring a high level of reliability and risk reduction. SIL 3 corresponds to a risk reduction factor of 1,000 to 10,000 for a low-demand safety function, that is, the function may fail dangerously on demand no more than once in 1,000 demands. This level is appropriate for safety-critical automotive systems where a hazardous event must be made very unlikely.
Beyond Features - Building a Safety Net: Developing safety-critical systems is a complex journey. Partnering with an RTOS provider with a proven track record in the automotive industry provides ongoing support and expertise. They become your safety net, guiding you through intricate requirements, helping you develop an organizational safety culture, and ensuring a smooth path from design to production and beyond.
Architecture is Key for Both Safety and Real-Time Performance
When it comes to critical automotive systems that demand unfaltering reliability, like lane assist or airbag deployment, hard real-time performance is needed to meet strict deadlines. Failure to complete a task within that task’s designated timeframe can have serious consequences. An RTOS based on a microkernel architecture is built for reliability and real-time requirements and can meet the need for precise timing and low latency.
Although monolithic OS architectures are widespread, they provide little or no isolation between kernel components such as device drivers, file systems and network stacks: all of them run in the same privileged address space, so a fault in one can corrupt or crash the whole kernel, and a misbehaving driver can hold the processor and prevent high-priority functions from getting timely access to it. When device or process failure isn't an option, this makes the development and safety argument impossibly complex.
A deterministic microkernel OS allows different functions to each run in separate and isolated memory-protected spaces and allows high-priority functions to get the memory and processor access they need to deliver on time, every time.
No Safety Without Security
There can be no safety without security. As the amount of software in automotive systems grows, so does its attack surface, making vehicles more vulnerable to a cyber-attack. Each poorly constructed line of code represents a potential vulnerability that can be exploited.
The operating system vendor should understand the importance of building in security from the start and provide layered security options to help you build a solution that delivers both performance and security.
Here are just some of the ways a commercial RTOS based on a secure microkernel architecture serves the needs of safety-critical automotive systems:
Isolation: Segregates software components, preventing a failure in one part of the system from affecting others. This is vital to contain potential hazards.
Security Updates: Regular updates and patches are crucial to stay ahead of emerging threats. A secure OS must provide mechanisms for timely updates.
Authentication and Authorization: Secure access controls are essential to ensure that only authorized entities can interact with the vehicle's systems. Unauthorized access can lead to catastrophic consequences.
Monitoring and Anomaly Detection: Continuous monitoring allows for the early detection of unusual behavior, which can signal a potential security breach. Rapid response mechanisms must be in place.
ASIL sets the bar for functional safety in automotive systems (cybersecurity is addressed by separate standards), but the two depend on each other: a secure OS provides the foundation that keeps safety measures from being bypassed or corrupted. It ensures that software-defined vehicles are not only technologically advanced but also safe and reliable in the face of evolving threats.
"BlackBerry QNX is a true partner and has provided us with the foundation we need to produce the safe and secure vehicles of tomorrow"
Mark Mohr, Volvo Group (from the announcement "Volvo Group selects BlackBerry QNX for its Dynamic Software Platform")
Using the Right Level of ISO 26262 ASIL-Certified Software
Your choice of operating system can have a major impact on your ability to safety-certify a critical automotive system. The safety certification process is considerably more complex, expensive, and time-consuming with an open-source OS, or with any operating system that has not already been certified to the industry's highest safety level, than with a pre-certified commercial OS.
The Automotive Safety Integrity Level is the risk classification scheme defined by ISO 26262, the functional safety standard for road vehicles. ASIL levels, ranging from A (lowest risk) to D (highest risk), with QM (quality management) below ASIL A for hazards that need no dedicated safety measures, play a pivotal role in managing safety within automotive systems and their software components. ASIL levels are not just labels; they are risk classifications derived from the severity, exposure and controllability of each potential hazard in a vehicle's electronic systems. Let's explore their significance, with commonly cited examples (the actual ASIL of any function is set by its own hazard analysis):
ASIL A (Lowest Risk): At this level, components pose minimal safety risks. Failures are unlikely to cause significant harm. Examples include non-critical interior lighting systems.
ASIL B: This level signifies a higher risk than ASIL A. Components at this level have safety requirements to address moderately hazardous situations, such as power windows and door locks.
ASIL C: ASIL C involves significant risks where failures could lead to severe or life-threatening situations. Systems such as adaptive cruise control are often cited in this category.
ASIL D (Highest Risk): ASIL D is the most stringent level, applying to components where a malfunction could result in catastrophic consequences, including ABS, ESC, and airbag deployment.
The Safety Gap Between ASIL B and ASIL C/D
ASIL levels serve to direct the development of safe and secure software, and the importance of a secure OS cannot be overstated in this context.
Each ASIL level corresponds to specific safety requirements and objectives, reflecting the level of risk associated with a component or system. As ASIL levels escalate from A to D, so do the demands on safety measures, and with them the need for security controls that keep those measures from being defeated.
ASIL A and B: At the lower ASIL levels (A and B), components are associated with lower safety risks. However, even here, a secure OS is essential to ensure that failures or vulnerabilities in the software do not compromise vehicle safety. It forms the foundation for reliable software execution.
ASIL C and D: As we ascend the ASIL scale to C and D, the stakes are much higher. Failure of critical systems at these levels could lead to severe or life-threatening situations. Here, a secure OS is not an option but a necessity. It must provide robust isolation, authentication, and protection against potential vulnerabilities.
ASIL in Practice
ASIL levels guide the development process and influence several key aspects:
Determining ASIL: During system design, engineers assess risks associated with components, considering factors like the likelihood and severity of failure, to determine the appropriate ASIL level.
Safety Requirements: Each ASIL level comes with specific safety requirements, addressing fault tolerance, reliability, and diagnostic coverage. Developers must meet these to achieve ASIL compliance.
Testing and Validation: ASIL levels drive rigorous testing, particularly for critical systems. This includes simulation, testing, and analysis to verify software performance under various conditions.
Safety Case Documentation: ASIL mandates the creation of a safety case – a comprehensive document outlining safety goals and evidence demonstrating goal achievement. This is vital for certification and regulatory compliance.
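The "Determining ASIL" step above is a fixed classification: ISO 26262-3 combines a hazard's Severity (S1 to S3), Exposure (E1 to E4) and Controllability (C1 to C3) into QM or ASIL A to D, and an item's safety goal takes the highest ASIL of the hazards it covers. The following is an added example written for this page, not code from QNX or from ISO 26262; the table values follow ISO 26262-3 Table 4, and the hazard list at the bottom is constructed for illustration.

```python
"""ASIL determination from S/E/C per ISO 26262-3 (added example)."""
from dataclasses import dataclass

# ISO 26262-3 Table 4: ASIL_TABLE[S][E] gives (C1, C2, C3).
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"),
        3: ("QM", "QM", "A"),  4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"),
        3: ("QM", "A", "B"),   4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"),  2: ("QM", "A", "B"),
        3: ("A", "B", "C"),    4: ("B", "C", "D")},
}

# Ordering used when comparing ASILs (QM is below ASIL A).
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Return 'QM' or 'A'..'D' for one hazardous event.

    S0, E0 and C0 (no injuries / incredible exposure / controllable in
    general) are valid classifications in the standard and always yield QM,
    so they are accepted here; anything else outside the table is an error.
    """
    if severity == 0 or exposure == 0 or controllability == 0:
        return "QM"
    if severity not in (1, 2, 3) or controllability not in (1, 2, 3):
        raise ValueError("severity and controllability must be 0..3")
    if exposure not in (1, 2, 3, 4):
        raise ValueError("exposure must be 0..4")
    return ASIL_TABLE[severity][exposure][controllability - 1]


@dataclass(frozen=True)
class Hazard:
    description: str
    severity: int
    exposure: int
    controllability: int

    @property
    def asil(self) -> str:
        return determine_asil(self.severity, self.exposure, self.controllability)


def item_asil(hazards) -> str:
    """The ASIL an item (and hence its OS) must meet is the highest ASIL
    among the hazards its safety goals cover."""
    return max((h.asil for h in hazards), key=ASIL_RANK.__getitem__, default="QM")


# Constructed hazards for a hypothetical braking ECU (illustrative ratings only).
BRAKE_ECU_HAZARDS = [
    Hazard("Unintended full braking at highway speed", 3, 4, 3),   # D
    Hazard("Loss of ABS modulation on wet road", 3, 3, 2),          # B
    Hazard("Brake-pad wear warning not shown", 1, 4, 1),            # QM
]

if __name__ == "__main__":
    for h in BRAKE_ECU_HAZARDS:
        print(f"S{h.severity} E{h.exposure} C{h.controllability} -> {h.asil}: {h.description}")
    print("Item ASIL:", item_asil(BRAKE_ECU_HAZARDS))
```

Note that the table has a simple structure: with S, E and C counted from 1, the ASIL is determined by S + E + C, with sums up to 6 giving QM and 7, 8, 9, 10 giving A, B, C, D; the explicit table is kept because it is what reviewers will check against.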
The Importance of IEC 61508 Certification for Automotive Risk Reduction
Certification to IEC 61508 SIL 3 (Safety Integrity Level 3) is significant for risk reduction in automotive systems, although IEC 61508 is the generic standard for electrical/electronic/programmable electronic safety-related systems and is applied in many sectors, including industrial automation and process control. For automotive-specific applications, ISO 26262 (Road vehicles - Functional safety) is the standard usually referenced; it was derived from IEC 61508 and adapted to road vehicles, so the two share the same underlying safety principles.
The application of SIL 3 or equivalent standards in automotive safety systems ensures that there is a systematic approach to handling safety risks, enhancing the reliability and overall safety of modern vehicles.
Understanding SIL Levels
IEC 61508 defines SIL levels from 1 to 4, where SIL 4 has the highest level of safety integrity and SIL 1 the lowest. Each level corresponds to a range of target failure measures. For a safety function operating in low-demand mode, the SIL is expressed as the risk reduction factor the function must provide (the inverse of its average probability of dangerous failure on demand):
SIL 1: Risk reduction factor of 10 to 100.
SIL 2: Risk reduction factor of 100 to 1,000.
SIL 3: Risk reduction factor of 1,000 to 10,000.
SIL 4: Risk reduction factor of 10,000 to 100,000.
SIL 3 in Automotive Systems
For automotive systems, achieving IEC 61508 SIL 3 means that the system must function correctly with a high degree of reliability, even in the presence of faults. Automotive safety functions such as braking and steering operate in high-demand or continuous mode, where SIL 3 requires a probability of dangerous failure per hour between 10^-8 and 10^-7 (that is, between 0.000001% and 0.00001% per hour). Here's how it specifically impacts automotive systems:
1. Reduced Probability of Failures: SIL 3 certification requires rigorous testing and validation to ensure that the system is capable of handling identified risks with a high degree of reliability. This includes the ability to continue performing safely, or to transition to a fail-safe state, in the event of specific failures.
2. Systematic and Random Hardware Failures: Measures must be in place to handle both systematic failures (due to errors in design, specification, operating procedures, etc.) and random hardware failures.
3. Functional Safety Management: SIL 3 compliance also requires comprehensive functional safety management throughout the lifecycle of the automotive system. This includes design, development, production, operation, maintenance, and decommissioning.
4. Redundancy and Fail-Safes: Often, systems designed to meet SIL 3 standards incorporate redundancy and other fail-safe mechanisms to ensure that safety functions can still be performed in the event of a failure.
5. Software Quality Assurance: The software within these systems must meet stringent development and assurance criteria to avoid systematic errors.
6. Impact on Automotive Safety: By achieving SIL 3, an automotive system is verified to significantly minimize the risk of failures that could lead to severe injuries or fatalities. This is particularly critical in safety-related automotive systems such as steering, braking, and ADAS.
Providing the Certified Foundation for Safe Vehicles
Safety is in the QNX® DNA. The QNX® OS for Safety and QNX® Hypervisor for Safety are part of the QNX family of proven foundational software that is trusted in the world's most critical systems, including 235 million vehicles on the road today. The QNX OS for Safety has a microkernel architecture that helps ensure safety-critical services keep running regardless of what else happens in the system. Choosing BlackBerry QNX® pre-certified software gives certification efforts a jump-start and helps significantly reduce the time spent documenting or qualifying uncertified software components. The QNX OS for Safety and QNX Hypervisor for Safety are certified to ISO 26262 ASIL D, the automotive industry's highest specified level of safety, and to IEC 61508 SIL 3. This bar is met by few software vendors.
Choose BlackBerry QNX for safety-critical applications and experience the peace of mind that comes with superior safety certification levels.
“We chose BlackBerry QNX due to the company’s history in safety-certified embedded software, combined with its cybersecurity expertise…Using a single OS and hypervisor for high-performance systems in the truck has huge economical and technical benefits to our operations and allows us to bring customer value to market quicker and more efficiently.”
Mikael Adelsberg, Senior Vice President of Connected, Autonomous and Embedded Systems, Scania