E2E Protection - What Delays Your Time-Out Could Miss

E2E ISO 26262 "end-to-end protection"
E2E protection, or end-to-end protection, is a vital aspect of ensuring the safety of vehicles on the road. It is a process of ensuring that safety-critical systems and components are designed, developed, and tested to meet the required safety standards and regulations. In the automotive industry, E2E protection can be seen as an Automotive Safety Integrity Level (ASIL) decomposition for both hardware and software, addressing both random and systematic faults. This is different from the ISO 26262 ASIL decomposition, which addresses only systematic faults.
It’s also pertinent to note that E2E protection allows the QM medium to not meet ASIL requirements for hardware random faults, whereas ISO 26262 ASIL decomposition does not have this flexibility. This means that E2E protection can provide a more cost-effective approach to ensuring the safety of vehicles on the road, as it allows manufacturers to use less expensive components without compromising safety.

Benefits of E2E Protection

One of the key benefits of E2E protection is that the Quality Managed (QM) medium does not need to meet ASIL requirements for hardware random faults. This means that any random fault would be captured by the E2E mechanism, assuming the appropriate mechanisms are used (such as the correct profile as per AUTOSAR). However, the risk of systematic faults remains and must be addressed.

Risks of Systematic Faults

Systematic faults are faults that occur due to a specific cause; they can happen repeatedly, unlike random faults. One of the key risks of systematic faults is undetected cumulative delays. A delay that is gradually added, for example, due to a growing buffer over time, would violate the safety throughput requirement. The time-out between two messages would always be within range. If each message arrives later and later by a constant time, there would be no way to know that the data is, for example, 200 ms old and increasing. This can lead to a dangerous situation in which the vehicle’s safety systems are not able to respond in time.

Mitigating Risks of Systematic Faults

To mitigate the risk of systematic faults, time sync is often used to compare throughput time and ensure it is within range. With network stacks and switches handling traffic on a FIFO (first in, first out) basis, this can mitigate the risk. However, a residual risk, which is systematic, could be that the software handling the safety data uses a separate buffer from that used for time sync. In this case, time sync would indicate the delay is okay but data would still be delayed. Moreover, if priority-based traffic is dynamic and suddenly causes safety traffic to be queued with cumulative delays, this can lead to a dangerous situation.
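The cumulative-delay scenario above (data that is 200 ms old while every inter-message gap is fine) and the time-sync mitigation can be checked in a short simulation. This is an added example, not code from the article or from AUTOSAR: it constructs a message stream whose delay grows by a constant amount per message and runs both a time-out check (receiver clock only) and an age check (sender timestamp plus a synchronised clock) over it. The cycle time, time-out and maximum data age are assumed values.

```python
from dataclasses import dataclass

# Assumed parameters (not from the article): 10 ms send cycle, 30 ms receive
# time-out, 50 ms maximum allowed data age (the safety throughput requirement).
CYCLE_MS = 10.0
TIMEOUT_MS = 30.0
MAX_AGE_MS = 50.0

@dataclass(frozen=True)
class Message:
    counter: int        # E2E alive counter, sender side
    sent_ms: float      # sender timestamp from the synchronised clock
    received_ms: float  # receiver clock when the message left the input buffer

def generate_messages(n: int, drift_per_msg_ms: float, base_delay_ms: float = 2.0):
    """Constructed traffic: message k is sent at k*CYCLE_MS and is delivered
    base_delay + k*drift later, modelling a FIFO buffer that grows over time."""
    return [Message(k, k * CYCLE_MS, k * CYCLE_MS + base_delay_ms + k * drift_per_msg_ms)
            for k in range(n)]

def timeout_check(msgs):
    """Counters of messages whose gap to the previous reception exceeds TIMEOUT_MS.
    Uses only the receiver's clock, like a plain E2E time-out, so a constant
    drift per message is invisible to it."""
    return [cur.counter for prev, cur in zip(msgs, msgs[1:])
            if cur.received_ms - prev.received_ms > TIMEOUT_MS]

def age_check(msgs):
    """Counters of messages whose end-to-end age exceeds MAX_AGE_MS.
    Needs time sync and a sender timestamp carried with the protected data;
    a timestamp taken from a separate, un-delayed path would hide the delay."""
    return [m.counter for m in msgs if m.received_ms - m.sent_ms > MAX_AGE_MS]

def first_stale(msgs):
    """Counter of the first message the age check rejects, or None."""
    stale = age_check(msgs)
    return stale[0] if stale else None

def data_age_ms(msg):
    return msg.received_ms - msg.sent_ms

if __name__ == "__main__":
    stream = generate_messages(200, drift_per_msg_ms=1.0)
    print("time-out violations:", timeout_check(stream))      # none: gap is 11 ms
    print("first stale counter:", first_stale(stream))
    print("age of last message:", data_age_ms(stream[-1]), "ms")
```

A one-off stall of a single message is the opposite case: the time-out catches it while the age check may not, which is why the two checks are complementary rather than interchangeable.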

Secondly, changes in the hardware or software of the Quality Managed (QM) medium can affect the performance of the E2E safety mechanism, potentially causing it to fail. A complete assessment of the E2E safety mechanism is necessary to guarantee that it continues to function appropriately and provide the intended level of protection. This assessment may include evaluating the system’s ability to detect and respond to various types of faults, as well as ensuring compatibility with any updated hardware or software of the QM medium.
A safety-aware QM requirement to mitigate this may satisfy the residual risk allowance in most systems. However, if a message passes through third-party networks, the assumption behind that residual risk may no longer hold. This highlights the importance of testing and validating the safety-critical systems and components under real-world conditions, including different driving scenarios and environmental factors, to ensure that the vehicles are safe to operate in various situations.

Implementing Solutions

To address these risks, several solutions can be implemented including:
  1. ASIL Decomposition: ASIL decomposition can be used to ensure that QM(x) is used, where x is the ASIL being decomposed, for a safety-bag approach. A similar notation can be used for QM hardware and software on which safety depends.
  2. Failure Analysis: Failure analysis to ensure freedom from interference (FFI) can be done to identify which E2E protection is needed and additional QM requirements.
  3. Testing: Testing with fault injection and worst-case scenarios of the E2E mechanism can be done to ensure the safety of the system.
  4. Complete Re-Testing: Any change in QM hardware or software would require complete re-testing as defined in the previous point.

E2E Protection With Experts

E2E protection is an important aspect of ensuring the safety of vehicles on the road. It addresses both random and systematic faults, and it is important to understand the risks associated with systematic faults, such as undetected cumulative delays. By implementing solutions such as ASIL decomposition, failure analysis, testing with fault injection, and re-testing with any changes in QM hardware or software, car manufacturers can ensure the safety of their vehicles on the road. Contact a DConsulted representative today to learn how.
