A Distributed Safety Mechanism using Middleware and Hypervisors for Autonomous Vehicles

Tjerk Bijlsma (1), Andrii Buriachevskyi (2,a), Alessandro Frigerio (3,f), Yuting Fu (2,b), Kees Goossens (3,g), Ali Osman Örs (4), Pieter J. van der Perk (2,c), Andrei Terechko (2,d) and Bart Vermeulen (2,e)

(1) Embedded Systems Innovations, TNO, Eindhoven, the Netherlands
tjerk.bijlsma@tno.nl
(2) CTO, NXP Semiconductors, Eindhoven, the Netherlands
(a) andrii.buriachevskyi@nxp.com
(b) yuting.fu_1@nxp.com
(c) peter.vanderperk@nxp.com
(d) andrei.terechko@nxp.com
(e) bart.vermeulen@nxp.com
(3) Electrical Engineering, Eindhoven University of Technology, Eindhoven, the Netherlands
(f) a.frigerio@tue.nl
(g) k.g.w.goossens@tue.nl
(4) BL AMP, NXP Semiconductors, Ottawa, Canada
ali.ors@nxp.com

ABSTRACT

Autonomous vehicles use cyber-physical systems to provide comfort and safety to passengers. The design of safety mechanisms for such systems is hindered by the growing quantity and complexity of the SoCs (System-on-a-Chip) and software stacks required for autonomous operation. Our study tackles two challenges: (1) fault handling in an autonomous driving system distributed across multiple processing cores and SoCs, and (2) isolation of multiple software modules consolidated in one SoC. To address the first challenge, we extend the state-of-the-art E-Gas layered monitoring concept. Like E-Gas, our safety mechanism has function, controller and vehicle layers. We propose to distribute these safety layers over processors with different ASILs (Automotive Safety Integrity Level). In addition, we implement self-test, fault injection and challenge-response protocols to detect faults at runtime in the safety mechanism itself. To facilitate distributed operation, our mechanism is built on top of the DDS (Data Distribution Service) software middleware for safety-critical embedded applications, as well as DDS-XRCE (eXtremely Resource Constrained Environment) for the resource-constrained processor cores of the highest ASIL. To address the second challenge, our safety mechanism employs hardware-assisted hypervisors to isolate software modules and to implement fail-silent behavior of faulty software stacks. We validate our safety mechanism on the NXP BlueBox hardware platform using the LG SVL simulator, the Baidu Apollo software framework for autonomous driving, and the Xen hypervisor. Our fault injection experiments demonstrate that the distributed safety mechanism successfully detects faults in an autonomous system and safely stops the vehicle when necessary.

Keywords: Autonomous Vehicle, Automated Driving, Safety, Middleware Software, Hypervisor, Fault Injection, E-Gas, DDS, DDS XRCE, Xen
