Konstruktive Zuverlässigkeit: Eine Methodik für zuverlässige Systemsoftware auf unzuverlässiger Hardware

Shrinking transistor sizes and reduced supply voltages, in combination with enhance CPU frequencies, increase the susceptibility of recent processors against external interference, as for example cosmic radiation. These emerge in terms of transient hardware faults, which can temporarily influence the system behavior, without necessarily leading to permanent damage. While this topic is well known in the aerospace domain and generally tackled by costly hardware-based redundancy, the problem spreads to further safety-critical domains, as the automotive industry. Especially in this domain, an increased use of computer-aided applications, from driver assistance systems to autonomous driving, arises, which have to ensure functional safety also under the influence of transient hardware faults. Hardware-based redundancy is often no viable solution, due to unbearable limitations in terms of cost, weight and other resources. On the contrary, especially the automotive domain shows a trend towards the consolidation of different applications onto single control units. Thus, alternative solutions have to be found, to provide functional safety. Software-based measures are a cost-efficient solution to selectively harden applications. Existing solutions often focus solely on the application layer, disregarding the operating system which acts a reliable computing base also for overlaying dependability measures. This thesis describes the design concept of the dOSEK operating system, which aims to provide a reliable computing base even on unreliable hardware. dOSEK was developed from scratch with dependability as the first-class design goal. This dependability is based on two pillars: Strict fault avoidance and constructive integration of fault detection. Based on the inherent robustness of a static system design dOSEK is tailored to the dedicated needs of each specific application scenario. Vulnerable system state is reduced to a minimum. Further, different kinds of indirections, both regarding data flow as well as control flow, act as a major catalyst for silent data corruptions. An extensive static analysis of the entire system allows to determine the expected overall system behavior according to the OSEK specification. This knowledge about all possible system states and transitions leverages further tailoring of the system software up to an almost entire elimination of indirections. Any remaining, unavoidable vulnerable run-time state is then protected by a combination of tailored redundancy measures. Besides assertions on the expected system behavior based on the static system analysis, further fault detection and fault masking measures are applied selectively. Here, dOSEK’s prime directive is the fault containment within the kernel execution: Faults during the execution of the kernel may not silently propagate up to the application layer. Extensive emulation-based fault injections comparing against an industry-grade OSEK operating system and real-world radiation experiments show the effectiveness of the dOSEK design concept.