ASIL-Decomposition Based Routing and Scheduling in Safety-Critical Time-Sensitive Networking

Due to their real-time constraints and high predictability requirements, safety-critical automotive applications are often implemented using time-triggered communication scheduling, which is supported in the Time-Sensitive Networking (TSN) standards. Applications and network communications are assigned Automotive Safety Integrity Levels (ASILs) based on the ISO 26262 standard for functional safety in automotive systems. ISO 26262 outlines, for each ASIL, requirements on the coverage of random hardware errors and systematic errors. Prior research has addressed routing and scheduling for time-triggered messages in TSN in the context of random hardware errors and the optimization of reliability metrics. However, no work to date has considered the functional safety aspects of addressing systematic errors. Specific to systematic errors, the ISO 26262 standard defines ASIL decomposition as a vehicle to decompose functions into independent components, each with a lower safety requirement than that of the original function. Since the cost of a component increases with its ASIL, decomposition can lower the total cost while still meeting the original safety requirements. In this paper, we propose an ASIL-decomposition-based technique to introduce redundant communication with lower-ASIL components in Ethernet systems with TSN-based time-triggered communication. The ASIL-aware routing and scheduling of messages are determined such that all safety requirements and end-to-end deadlines are satisfied and, at the same time, the total cost of the employed switches is minimized. Extensive experiments have been conducted to evaluate the efficiency of the proposed framework.
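The cost argument in the abstract can be made concrete with a small worked example. The following Python snippet is added here as an illustration and is not the paper's own algorithm or code: it enumerates the ISO 26262 decomposition pairs for a requirement (ASIL D may become C+A, B+B or D+QM, since the numeric levels QM=0..D=4 are additive under decomposition), then, on a constructed six-node topology, compares a single route whose switches all carry the full ASIL against two switch-disjoint redundant routes at the decomposed ASILs. The switch cost table, the topology, and the use of a hop-count bound as a stand-in for the end-to-end deadline are all assumptions made for the example.

```python
from itertools import product

# ISO 26262 ASIL ordering as numeric levels; decomposition is additive on these values.
ASIL = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}
NAME = {v: k for k, v in ASIL.items()}

# Assumed cost of a switch qualified at a given ASIL (constructed figures; cost rises with ASIL).
SWITCH_COST = {0: 1, 1: 2, 2: 4, 3: 7, 4: 11}

# Constructed topology: two end stations (src, dst) and four switches (s1..s4).
ADJ = {
    "src": ["s1", "s2"],
    "s1": ["src", "s3", "s4"],
    "s2": ["src", "s4"],
    "s3": ["s1", "dst"],
    "s4": ["s1", "s2", "dst"],
    "dst": ["s3", "s4"],
}


def decompositions(level):
    """Unordered ISO 26262 decompositions of `level` into two independent requirements.

    For ASIL D (4) this yields B+B, C+A and D+QM.
    """
    return [(a, level - a) for a in range((level + 1) // 2, level + 1)]


def simple_paths(adj, src, dst, path=None):
    """Depth-first enumeration of loop-free paths from src to dst."""
    path = [src] if path is None else path
    if src == dst:
        yield list(path)
        return
    for nxt in adj[src]:
        if nxt not in path:
            path.append(nxt)
            yield from simple_paths(adj, nxt, dst, path)
            path.pop()


def routing_cost(assignments):
    """Total switch cost for a set of (path, level) routes.

    Each switch must be qualified at the highest ASIL of any route through it,
    so it pays the cost of that level once.
    """
    level_of = {}
    for path, level in assignments:
        for sw in path[1:-1]:  # interior nodes are switches; end stations carry no cost
            level_of[sw] = max(level_of.get(sw, 0), level)
    return sum(SWITCH_COST[lvl] for lvl in level_of.values())


def plan(adj, src, dst, level, max_hops):
    """Cheapest routing that meets ASIL `level` within `max_hops` per route.

    Compares one non-decomposed route against every pair of switch-disjoint
    routes assigned a valid decomposition of `level`.
    """
    # Hop bound as an assumed proxy for the end-to-end deadline.
    paths = [p for p in simple_paths(adj, src, dst) if len(p) - 1 <= max_hops]
    best = None
    # Option 1: no decomposition, a single route at the full ASIL.
    for p in paths:
        cand = {"levels": (NAME[level],), "paths": (p,), "cost": routing_cost([(p, level)])}
        if best is None or cand["cost"] < best["cost"]:
            best = cand
    if best is None:
        return None
    # Option 2: two independent (switch-disjoint) redundant routes at decomposed ASILs.
    for a, b in decompositions(level):
        for p, q in product(paths, repeat=2):
            if set(p[1:-1]) & set(q[1:-1]):
                continue  # a shared switch would violate independence
            cand = {"levels": (NAME[a], NAME[b]), "paths": (p, q),
                    "cost": routing_cost([(p, a), (q, b)])}
            if cand["cost"] < best["cost"]:
                best = cand
    return best


if __name__ == "__main__":
    single = routing_cost([(["src", "s1", "s3", "dst"], ASIL["D"])])
    best = plan(ADJ, "src", "dst", ASIL["D"], max_hops=3)
    print("single ASIL D route cost:", single)
    print("best plan:", best)
```

On this topology the single ASIL D route needs two ASIL D switches (cost 22), whereas a B+B decomposition over the two disjoint routes uses four ASIL B switches (cost 16); C+A (18) and D+QM (24) are also valid but dearer, so the planner returns B+B. The five-hop route through s2, s4, s1 and s3 is discarded by the hop bound before pairing, which is where the deadline constraint of the abstract enters this toy model.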