Mitigating Timing Error Propagation in Mixed-Criticality Automotive Systems

For mixed-criticality automotive systems, the functional safety standard ISO 26262 stipulates freedom from interference, i.e., Errors should not propagate from low to high criticality tasks. To prevent the propagation of timing errors, the automotive software standard AUTOSAR provides monitor-based timing protection, which detects and confines task timing errors. As current monitors are unaware of a criticality concept, the effective protection of a critical task requires to monitor all tasks that constitute a potential source of propagating errors, thereby causing overhead for worst-case execution time analysis, configuration and monitoring. Differing from the indirect protection of critical tasks facilitated by existing mechanisms, we propose a novel monitoring scheme that directly protects critical tasks from interference, by providing them with execution time guarantees. Overall, our approach provides efficient low-overhead interference protection, while also adding transient timing error ride-through capabilities.