Talk

Safety Critical System Design on ARM Cortex-M

Watch Now

43:35

EOC 2024

Login to Watch

Suraj Joseph

Suraj Joseph has over 15 years of experience in developing embedded systems for consumer electronics, self-driving vehicles, and military robotics applications. He is currently a technical lead on the embedded firmware team at Aurora Innovation, where the team is busy building autonomous vehicle technology for self-driving trucks and robo-taxi applications. Suraj enjoys being on the bleeding edge of technology and discovering legacy embedded protocols from the past in equal measure. He would love to share some of his hard-learned lessons in the industry, as well as learn from everyone attending the EOC.

View full profile

Topics Covered

High Reliability Software RTOS Architecture Software Design

Talk

Safety Critical System Design on ARM Cortex-M

Suraj Joseph

43:35 EOC 2024

Suraj Joseph

43:35

Learn how to build resilient, safety-critical embedded systems, and discuss practical techniques to implement:

Freedom from Interference (FFI) in mixed criticality systems
Program Flow Monitoring
Memory Partitioning and Task Isolation
Fault Management
Security

The talk will be structured as a case study of an automotive ECU used on a modern self-driving vehicle, utilizing FreeRTOS and an ARM Cortex CPU.

1 / 4

Please log in or create an account to test your knowledge and see the answers.

Why does Suraj recommend using the Cortex-M MPU and running tasks unprivileged when building safety partitions?

A To boost overall CPU performance by allowing the MPU to run code faster than normal memory accesses.

B To enforce spatial isolation so tasks cannot access each other's memory or protected peripherals, and to detect stack overflows via memory faults.

C To replace the RTOS scheduler so tasks are switched using MPU region changes instead of context switches.

D To provide secure key storage for cryptographic operations instead of using an HSM or TPM.

E To allow tasks to dynamically change memory permissions at runtime for flexible sharing.

In a mixed-criticality system, what is the most important requirement to achieve Freedom From Interference (FFI) according to the talk?

A Ensure all software runs at the same ASIL level so no isolation is required.

B Guarantee lower-integrity components cannot negatively impact higher-integrity components by enforcing temporal, spatial, and communication isolation.

C Rely solely on frequent manual code reviews to prevent interference between components.

D Place all critical and non-critical tasks on separate threads but allow them to share memory for efficiency.

E Use only faster microcontrollers so timing interference never occurs.

What problem does the "gatekeeper task" pattern solve, and how does it accomplish that?

A It speeds up CAN bus throughput by allowing multiple tasks direct concurrent access to the CAN driver for better latency.

B It avoids having to validate a third-party driver by moving the driver into the safety partition so safety code can call it directly.

C It decouples an unvalidated or non-safety CAN driver from the safety partition by routing all CAN interactions through a controlled gatekeeper task and validating messages end-to-end.

D It eliminates the need for IPC frameworks by allowing tasks to communicate directly via shared global variables guarded by the gatekeeper.

E It provides triple-redundant voting on CAN messages by running three separate CAN drivers in parallel inside the safety partition.

What is the primary purpose of program-flow monitoring with checkpoints and a program-flow graph as described in the talk?

A To replace unit and integration testing by proving the code will never have bugs at runtime.

B To detect unexpected control-flow or timing deviations (e.g., wrong transitions or timing violations) such as those caused by bit-flips or logic errors.

C To provide automatic code optimization hints so the compiler can rearrange task code for performance.

D To detect hardware ECC memory errors exclusively, so software checks are unnecessary.

E To guarantee deterministic execution time for all tasks regardless of system load by statically enforcing execution order.

Formatting help

italics	surround text with asterisks
bold	surround text with two asterisks
hyperlink	[hyperlink](https://example.com) or just a bare URL
inline code	surround text with single `backticks`
code block (multi-line)	wrap on its own lines with three backticks: ``` your code here ```
~~strikethrough~~	surround text with ~~two tilde characters~~
quote	prefix with >

Upvotes Newest Oldest

DJC

Score: 0 | 2 years ago | no reply

Great talk!

SimonSmith

Score: 0 | 2 years ago | 1 reply

Great talk and Q&A! It ties in with Elicia’s well on hard fault handlers. There was a detailed talk on MPUs in a previous EOC by Jean Labrosse. I worked on an aerospace project once to DO178C Level A where they used qualified code generators from a model for the application (manual code for lower layers), which helped with the safety case.

SurajSpeaker

Score: 1 | 2 years ago | no reply

Thanks for the recommendations! A qualified code generator can definitely be a viable strategy, and help ensure program correctness.

Partners & Sponsors

STMicroelectronics

Memfault

NXP

Micro Digital, Inc.

MySQL

Become a Sponsor