An Experimental Evaluation of Control Flow Checking for Automotive Embedded Applications Compliant With ISO 26262

Bibliographic Details
Main Authors: Mohammadreza Amel Solouki, Jacopo Sini, Massimo Violante
Format: Article
Language: English
Published: IEEE 2023-01-01
Series: IEEE Access
Subjects: Automotive applications; fault detection; fault tolerance; software reliability
Online Access: https://ieeexplore.ieee.org/document/10132473/
collection DOAJ
description Random hardware failures (RHFs) may result in data corruption and Control Flow Errors (CFEs). Hardening strategies are employed to mitigate RHFs in embedded systems, either by adding specialized hardware or by using Software-Implemented Hardware Fault Tolerance (SIHFT) methods. Numerous SIHFT methods have been presented over the years to improve the reliability of embedded systems. However, evaluating these methods is challenging in terms of the overhead they introduce in code size and, particularly important for real-time applications, in execution time. Most of them are implemented in the literature using low-level languages such as Assembly. Unfortunately, writing Assembly code is not the preferred development flow for embedded systems applications, since functional safety standards require adopting high-level programming languages such as C. Nowadays there is still a non-negligible portion of code written in Assembly language, into which the compiler can automatically insert the SIHFT methods, but this is limited to some highly optimized routines or device drivers. It is possible to compile the application code and then harden the obtained assembly code, but this introduces a greater overhead than protecting a single statement in the high-level programming language before compiling. Hence, the approach we present in this paper is to apply SIHFT methods against CFEs, known in the literature as Control Flow Checking (CFC), to application code written in the C language, before the application code is compiled. To illustrate the proposal, two established software-based control flow error detection techniques implemented in the C programming language were compared, also considering the effects of the optimizations introduced by the compiler. Most SIHFT methods target only soft errors, such as single-event upsets, which typically appear as bit flips.
As a result, the diagnostic figures provided in the literature are insufficient to characterize the techniques effectively. To address this gap, in this paper we consider a scenario from the automotive industry in which the primary concern is permanent random hardware faults, particularly stuck-at faults. Moreover, we propose a classification compliant with ISO 26262 to benefit developers in the automotive market, where software-only strategies may be used to balance cost and safety requirements.
first_indexed 2024-03-13T07:45:21Z
id doaj.art-e7a49026df9d4faf875a8ed79d7fc437
institution Directory Open Access Journal
issn 2169-3536
last_indexed 2024-03-13T07:45:21Z
doi 10.1109/ACCESS.2023.3279731
volume 11
pages 51185-51198
ieee_document_number 10132473
author_orcid Mohammadreza Amel Solouki, https://orcid.org/0000-0002-3430-9706
author_orcid Jacopo Sini, https://orcid.org/0000-0002-2163-9925
author_orcid Massimo Violante, https://orcid.org/0000-0002-5821-3418
affiliation Department of Control and Computer Engineering, Politecnico di Torino, Turin, Italy (all three authors)
record_timestamp 2023-06-02T23:00:13Z
keywords Automotive applications; fault detection; fault tolerance; software reliability
title An Experimental Evaluation of Control Flow Checking for Automotive Embedded Applications Compliant With ISO 26262
topic Automotive applications
fault detection
fault tolerance
software reliability