Going back for a moment to the ISO 26262 requirements: while ASIL D is the highest safety level defined by ISO 26262, not every component or subsystem in the car, or even every partition within a single component or SoC, must meet this level. ISO 26262 introduces the concept of ASIL decomposition via software partitioning. For example, an ASIL C subsystem can be composed of an ASIL B partition and an ASIL A partition, as long as the partitioning (freedom from interference between the partitions) can be adequately verified and the overall safety function of the subsystem can be validated and verified to ASIL C. Thus, a high-assurance partitioning operating system or hypervisor (itself certified to ASIL D) can reduce overall system cost by lowering the ASIL requirements of the constituent components and permitting the (careful) use of complex software packages that are impractical to assure at higher levels.
2. Zero Trust
One of the most dominant threads of 2014, and continuing now in 2015, is the connected car and the inherent security risks of bringing wireless communications (especially WANs) into the car. Ideally, safety-critical subsystems in the car are physically isolated (air-gapped) from the multimedia or telematics subsystems that take advantage of such connectivity. System designers, however, are increasingly replacing the air gap with a logical gap, enforcing subsystem isolation with software firewalls. Unfortunately, as researchers have demonstrated, once the wires are joined, vulnerabilities in individual subsystems can be exploited to jump the logical gap between safety-critical and non-safety-critical systems. While it may seem like a simple problem to solve (keep the air gap!), in practice numerous demands force these connections. For example, size, weight, and cost pressures promote a reduction in wiring and hardware components. This consolidation