Empirical Evaluations of Safety-Critical Embedded Systems

Embedded systems based on different types of hardware platforms are nowadays increasingly used in safety-critical applications. These different hardware platforms lead to fundamental differences in design, particularly regarding the corresponding software. In this work, potential influences of hardware platforms on safety properties were gathered and open issues were identified. The most relevant of these open issues were evaluated for popular embedded hardware platforms (microcontroller, CPLD/FPGA). In detail, the impacts of hardware platform selection on software diversity, encapsulation, reviewability, reusability and the development according to ISO26262 were chosen for investigation. Furthermore, the approach of software diversity was compared with a fault removal approach. The evaluation was realized in form of six experiments conducted for this work. During these evaluations, the following similarities and differences were observed for the considered hardware platforms. Despite the diversity between the hardware platforms, failures observed in the software versions, which were developed for these different platforms, contained high numbers of dependent (coincident) failures. Although failure dependency between two versions was reduced by the use of diverse hardware platforms, this effect was low. Most dependent failures were identified as implementation independent so that improvements of the software diversity by hardware diversity were limited. Thus, a comparison of software fault tolerance with a fault removal approach based on tests and reviews was conducted. As a result, different types of failures were mitigated by these alternative approaches. On the other hand, differences between microcontrollers and FPGAs were observed. First, certain advantages of FPGAs with respect to encapsulation and reuse of real-time functions could be demonstrated. Moreover, differences regarding the reviewability of software versions written for FPGAs and microcontrollers were observed. Finally, the development according to ISO26262 revealed only minor differences between the investigated hardware platforms but between the different safety concepts of device supervision and function supervision.