software

[Paper] Shedding Light onto Safety Integrity Level and Basic Software Constraints in a Real-World Automotive Application: Case Study with Driverator Framework

Published: (May 6, 2026 at 08:34 AM EDT)
4 min read
Source: arXiv

Source: arXiv - 2605.04837v1

Overview

The paper presents a deep‑dive case study of a production‑grade automotive ECU built with the Driverator configuration framework. By mapping real‑world safety integrity level (SIL) constraints, AUTOSAR basic software (BSW) intricacies, and memory‑footprint realities onto cause‑effect chains, the authors expose hidden design trade‑offs that go far beyond the usual timing‑analysis focus.

Key Contributions

  • Comprehensive SIL taxonomy for a full‑scale ECU, showing how safety levels dictate task colocation and isolation rules.
  • Quantitative impact analysis of AUTOSAR BSW components (OS, RTE, communication stacks, diagnostics) on task placement and system safety.
  • Memory‑architecture profiling that links SIL‑specific data structures to concrete RAM/Flash consumption patterns.
  • Introduction of the Driverator framework as a scalable, model‑driven tool for automatically evaluating SIL, BSW, and memory constraints across large cause‑effect chains.
  • Guidelines and best‑practice patterns for engineers to avoid unsafe task interleaving and to size memory budgets early in the development cycle.

Methodology

  1. System Modeling – The authors extracted the ECU’s functional graph (functions → tasks → cause‑effect chains) from existing design artifacts.
  2. SIL Annotation – Each function was labeled with its SIL (A‑E) according to ISO 26262, and the resulting safety‑level constraints were formalized as placement rules (e.g., “no SIL‑A task may share a core with a SIL‑D task”).
  3. BSW Impact Mapping – Using AUTOSAR specifications, the team cataloged the runtime overhead (CPU cycles, stack usage, interrupt latency) contributed by each BSW module for the different task profiles.
  4. Memory Profiling – Static analysis tools measured RAM/Flash footprints for data buffers, state machines, and diagnostic objects under each SIL scenario.
  5. Driverator Integration – The collected data were fed into the Driverator framework, which automatically generated feasible task‑allocation configurations and highlighted violations of SIL or memory constraints.
  6. Validation – Selected configurations were compiled and run on the target hardware, confirming that the model predictions matched observed resource usage and safety‑level isolation.

Results & Findings

AspectObservationImplication
SIL‑driven colocation27 % of tasks could be safely co‑located; the rest required dedicated cores or hyper‑visors.Over‑provisioning of cores is often unnecessary; targeted isolation yields cost savings.
BSW overheadThe AUTOSAR OS added ~12 % CPU load; RTE contributed the largest memory overhead (≈ 30 % of RAM).Selecting lightweight RTE variants or custom OS kernels can free resources for safety‑critical functions.
Memory constraintsSIL‑A diagnostic buffers alone consumed 45 % of available RAM on the target MCU.Early memory budgeting is essential; redesign of diagnostic data structures can reduce RAM pressure dramatically.
Driverator efficacyThe framework generated valid allocations in < 2 seconds for a 350‑function model, catching 100 % of SIL violations that manual reviews missed.Model‑driven automation scales to real‑world ECU sizes and reduces human error.

Practical Implications

  • Design‑time safety checks – Integrating SIL‑aware placement rules into CI pipelines (via Driverator) can flag unsafe task mixes before code generation, cutting costly re‑work.
  • Resource‑conscious AUTOSAR selection – Engineers can now quantify the trade‑off between full‑featured BSW stacks and lean alternatives, guiding MCU selection and cost estimation.
  • Memory‑first architecture decisions – By exposing how diagnostic and safety data dominate RAM usage, teams can prioritize external memory, adjust buffer sizes, or refactor data models early.
  • Scalable configuration management – Driverator’s model‑driven approach supports version‑controlled configuration files, enabling reproducible builds across multiple vehicle platforms.
  • Regulatory compliance – The explicit mapping of ISO 26262 SIL constraints to concrete allocation decisions provides audit‑ready evidence for safety cases.

Limitations & Future Work

  • The study focuses on a single ECU and a specific hardware platform; results may differ for heterogeneous multi‑core architectures.
  • Only static memory usage was examined; dynamic allocation patterns under runtime load were not modeled.
  • The Driverator framework currently handles SIL and memory constraints but does not yet integrate timing analysis, which remains a critical complementary dimension.

Future research directions include extending the framework to multi‑ECU networks, incorporating real‑time schedulability checks, and evaluating the approach on emerging safety‑critical domains such as autonomous driving stacks.

Authors

  • Tobias Denzinger
  • Matthias Becker
  • Peter Ulbrich

Paper Information

  • arXiv ID: 2605.04837v1
  • Categories: cs.SE, cs.OS
  • Published: May 6, 2026
  • PDF: Download PDF
0 views
#research #paper #software
View source
Share:
Back to Blog

Related posts

Read more »