Originally posted by coder
It has 4 levels from A to D, with A being the weakest one, used for items such as external lighting, where the risk in case of failure is relatively limited, while D is the strongest one, used for stuff like ABS brakes and ECU, where a failure is very likely to result in injuries or even death; think ECU randomly accelerating with full power during a turn, or ABS completely preventing you from braking while doing an emergency brake (on the dry).
Most automotive electronics falls somewhere in the middle at ASIL B or C.
The first hurdle to clear for ASIL (at least for the highest levels) is that the certification does not only cover the item in itself, but also the whole development process. This requires formally documenting how and why requirements are formulated, how the development process is carried out in order to fulfil those requirements, and so on.
All of this is very, very, very far from how the Linux kernel in particular, and most general purpose software in general, is developed, so a full certification of the entire kernel "as is" is basically unthinkable.
The second problem is that for the higher levels of ASIL (namely C and D) extensive failure analysis is required, to identify all the possible failure modes, how these could affect the safety of the entire vehicle, and what mitigations are put in place so that such a failure does not lead to catastrophic consequences. Doing such a detailed analysis on a project with the scale of the entire kernel (with upwards of 20 million lines of code) is basically unthinkable.
The final issue (and probably the biggest) is that all these analyses and documentation requirements do not apply to the kernel itself (or rather to any single component) but to the complete product being developed (the entire ECU, for example, and not the processor running the firmware alone). They thus need to be tailored to each specific case, and cannot just be done once.
Now, all of this work is only valid for a single point in time (a specific kernel release, for example); a significant chunk of the process must be re-done for all subsequent releases, as it must be shown that the changes do not interact negatively with the rest of the design.
Now, the Linux kernel could at some point meet all requirements for use in an ASIL certified product at the lower levels (A or B), but I don't believe there is any incentive in adopting it in products with higher ratings, as it will be much, much cheaper, safer and faster to develop something from scratch that just includes the necessary stuff, minimizing the potential failure points.