norxs Technology LLC | Safety Engineering, Built from the Ground Up.
A production-grade C++ reference implementation of a Safety-Oriented Architecture (SOA) Gateway running on the NXP S32G SoC. It acts as the secure middleware bridge between high-performance AI perception domains (e.g., NVIDIA Orin) and an ASIL-D Cortex-M7 Safety Supervisor, enforcing functional safety, cybersecurity, and communication quality requirements from a single coherent codebase.
This is the software we build for our clients — shown here as a reference.
┌─────────────────────────────────────────────────────┐
│ AI Domain (e.g., NVIDIA Orin) │
│ ADAS Perception · Planning · ROS2/DDS │
└────────────────────────┬────────────────────────────┘
│ Automotive Ethernet (1000BASE-T1)
│ SOME/IP over UDP | DDS over RTPS
▼
┌─────────────────────────────────────────────────────┐
│ NXP S32G SoC — Cortex-A53 Cluster (QNX 8.0) │
│ │
│ ┌───────────────┐ ┌───────────────────────┐ │
│ │NetworkAdapter │────▶│ RateLimiter │ │
│ │(SOME/IP·DDS) │ │ (Token Bucket, │ │
│ └───────────────┘ │ 20 burst, 5tok/ms) │ │
│ └──────────┬────────────┘ │
│ ┌───────────────┐ │ │
│ │ HseAdapter │ ┌──────────▼────────────┐ │
│ │ (AES-CMAC, │────▶│IamSecurityController │ │
│ │ X.509,TRNG) │ │(RBAC, UN R155 audit) │ │
│ └───────────────┘ └──────────┬────────────┘ │
│ │ authorised │
│ ┌───────────────┐ ┌──────────▼────────────┐ │
│ │DdsQosEnforcer │ │ SoaServiceManager │ │
│ │(Reliability, │────▶│ (SD lifecycle, │ │
│ │ Deadline, │ │ SPSC Pub/Sub, │ │
│ │ History) │ │ lock-free dispatch) │ │
│ └───────────────┘ └──────────┬────────────┘ │
│ │ SoaEvent │
│ ┌───────────────┐ ┌──────────▼────────────┐ │
│ │DeadSubscriber │ │ SafetyArbitrator │ │
│ │Monitor │ │ (ASIL-D state mach., │ │
│ │(heartbeat TTL,│ │ degradation matrix, │ │
│ │ 2000ms evict) │ │ 50ms ISO 26262) │ │
│ └───────────────┘ └──────────┬────────────┘ │
│ │ SafeStateCmd │
│ ┌──────────▼────────────┐ │
│ │ IpcBridge │ │
│ │ (SPSC ring, E2E P5, │ │
│ │ seq_cst barriers) │ │
│ └──────────┬────────────┘ │
└────────────────────────────────────┼────────────────┘
│
Shared SRAM ──────────┘ (Cache-Inhibited, MPU-protected)
IpcRingBuffer: 32 slots × 148 bytes
E2E Profile 5: CRC-16/ARC + Sequence Counter
│
┌────────────────────────────────────▼────────────────┐
│ NXP S32G SoC — Cortex-M7 Cluster (AUTOSAR R25-11) │
│ ASIL-D Safety Supervisor │
│ WdgM · ComM · Dem · FiM │
└─────────────────────────────────────────────────────┘
| Module | File(s) | Purpose | Standard |
|---|---|---|---|
| SoaServiceManager | SoaServiceManager.hpp/cpp |
SOME/IP SD lifecycle, lock-free SPSC Pub/Sub event dispatch | AUTOSAR AP SOME/IP |
| NetworkAdapter | NetworkAdapter.hpp |
Pure abstract interface for SOME/IP & DDS protocol adapters | SOME/IP TR |
| IamSecurityController | IamSecurityController.hpp/cpp |
RBAC firewall, wildcard policy, UN R155 audit log (128 entries) | UN R155 §7.3.2 |
| IpcBridge | IpcBridge.hpp/cpp |
Cross-core SPSC ring (32 slots), AUTOSAR E2E Profile 5 CRC-16/ARC + seq counter | AUTOSAR SWS_E2ELibrary §7.6 |
| HseAdapter | HseAdapter.hpp/cpp |
NXP S32G HSE MU driver: AES-128-CMAC, X.509 cert verify, TRNG | NXP HSE FW Ref §4.2 |
| RateLimiter | RateLimiter.hpp/cpp |
Token Bucket per-source anti-DDoS, lock-free CAS, fail-secure table-full | UN R155 §7.3.3 |
| DdsQosPolicy | DdsQosPolicy.hpp/cpp |
DDS QoS profiles: Reliability, Deadline, Latency Budget, History | OMG DDS 1.4 |
| DeadSubscriberMonitor | DeadSubscriberMonitor.hpp/cpp |
Heartbeat TTL 2000ms, ScanAndEvict(), on-death callback |
AUTOSAR AP |
| SafetyArbitrator | SafetyArbitrator.hpp/cpp |
ASIL-D degradation matrix (8 states), 50ms transition deadline, physical envelope ROM invariants, E-stop latch | ISO 26262 Part 3/4/6 |
| Fault Condition | Safe State | Speed Cap | Transition |
|---|---|---|---|
| All nominal | kFullOperation |
130 kph | — |
| LiDAR failed | kRadarCameraFallback |
100 kph | ≤ 50 ms |
| Radar failed | kLidarCameraFallback |
100 kph | ≤ 50 ms |
| Camera failed | kLidarRadarFallback |
30 kph | ≤ 50 ms |
| GNSS failed | kDeadReckoningMode |
30 kph | ≤ 50 ms |
| IMU failed | kReducedDynamics |
30 kph | ≤ 50 ms |
| LiDAR + Radar | kMinimalRiskCondition |
20 kph → pull over 10s | ≤ 50 ms |
| ASIL-D / E2E violation | kEmergencyStop ⚠ |
0 kph (latch) | Immediate |
IpcBridge:memset+ dualseq_cstfence beforemagicwrite = cache coherency guaranteeIpcRingBuffer*injected via linker-script address; A53 holds write-only access to IPC SRAM- Zero
std::mutexon any data path; all cross-thread state viastd::atomic<T>
SafetyArbitrator: 8-level degradation matrix, 50ms bounded transition, ISO 26262 §7.4.2 audit trailE2eProfile5Header: CRC-16/ARC (256-entryconstexprtable) + sequence counter [0..255]- Physical invariants (
kMaxSteeringAngleDeg,kMaxFrictionCoeff, etc.) in.rodata
IamSecurityController: principal × service × method RBAC, default-deny, 128-entry audit logHseAdapter: AES-128-CMAC SecOC, RSA/ECDSA X.509 chain, TRNG — all via NXP HSE MURateLimiter: Token Bucket, lock-free CAS, fail-secure on table exhaustion (32 sources max)
SoaServiceManager: SD offer/stop withDown→Available→Stopping→Downstate machine- Zero-copy pipeline: stack-allocated
SoaEvent → IpcSlot, no heap on hot path DdsQosEnforcer: per-topic Reliability, Deadline, LatencyBudget, History enforcementDeadSubscriberMonitor: heartbeat TTL 2000ms,ScanAndEvict(), on-death callback
| Check | Result |
|---|---|
try/catch/throw |
0 (all production files) |
std::mutex |
0 |
new / malloc |
0 |
std::vector / std::map |
0 |
| Doxygen headers | 17 / 17 files |
| Include guards | 9 / 9 headers |
static_assert on IPC structs |
6 assertions |
| Unit test cases | 118 / 118 passed (GoogleTest, MC/DC) |
| Line / function / branch coverage (host) | 80.0 % / 86.7 % / 70.8 % (gcovr) |
| cppcheck (warning · performance · portability) | 0 findings |
GCC -Wall -Wextra -Wpedantic -Wshadow -Wconversion |
0 warnings |
| Operation | Measured | Budget |
|---|---|---|
IpcBridge::Send() full path with E2E |
< 15 μs | < 50 μs |
IamSecurityController::Authorise() (64 policies) |
< 2 μs | < 10 μs |
SafetyArbitrator::Arbitrate() (8 domains) |
< 800 μs | < 2 ms |
SafetyArbitrator::ExecuteTransition() |
< 5 ms | < 50 ms (ISO 26262) |
RateLimiter::Admit() CAS fast path |
< 200 ns | < 1 μs |
| E2E CRC-16/ARC (148 bytes) | < 3 μs | < 10 μs |
- CMake ≥ 3.16
- GCC ≥ 11 or Clang ≥ 14 (host build)
- QNX SDP 8.0 (target build, see
cmake/Toolchain-QNX.cmake) - GoogleTest (for tests)
- lcov + genhtml (for coverage reports)
- cppcheck (for static analysis)
mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Release
make -j$(nproc)cmake .. -DBUILD_TESTS=ON -DCMAKE_BUILD_TYPE=Debug
make -j$(nproc)
./soa_gateway_tests --gtest_output=xml:test_core.xml
./safety_arbitrator_tests --gtest_output=xml:test_arbitrator.xmlcmake .. -DBUILD_TESTS=ON -DENABLE_COVERAGE=ON
make -j$(nproc)
./soa_gateway_tests && ./safety_arbitrator_tests
make coverage
# Open: build/coverage_html/index.htmlmake analyze
# Report: build/cppcheck_report.xml (zero errors required)source /path/to/qnx800/qnxsdp-env.sh
cmake .. \
-DCMAKE_TOOLCHAIN_FILE=cmake/Toolchain-QNX.cmake \
-DCMAKE_BUILD_TYPE=Release
make -j$(nproc)cmake .. \
-DCMAKE_TOOLCHAIN_FILE=cmake/Toolchain-S32G-M7.cmake \
-DGCC_ARM_PATH=/path/to/arm-gnu-toolchain-13 \
-DCMAKE_BUILD_TYPE=Release
make -j$(nproc)soa_gateway/
├── include/ Production header files
│ ├── SoaServiceManager.hpp Core: SD lifecycle, SPSC dispatch
│ ├── NetworkAdapter.hpp Abstract: SOME/IP & DDS interface
│ ├── IamSecurityController.hpp Security: RBAC + audit log
│ ├── IpcBridge.hpp IPC: shared SRAM + E2E Profile 5
│ ├── HseAdapter.hpp Security: NXP HSE MU driver
│ ├── RateLimiter.hpp Security: Token Bucket anti-DDoS
│ ├── DdsQosPolicy.hpp Middleware: DDS QoS enforcement
│ ├── DeadSubscriberMonitor.hpp Middleware: heartbeat TTL
│ └── SafetyArbitrator.hpp Safety: ASIL-D state machine
├── src/ Production source files (8 modules)
├── tests/
│ ├── test_soa_gateway.cpp Core module tests (64 cases)
│ └── test_safety_arbitrator.cpp ASIL-D MC/DC tests (54 cases)
├── cmake/
│ ├── Toolchain-QNX.cmake QNX SDP 8.0 cross-compilation
│ └── Toolchain-S32G-M7.cmake ARM bare-metal (Cortex-M7)
├── docs/
│ ├── architecture.md Full architecture deep dive
│ ├── verification-report.md Test · coverage · static-analysis evidence
│ └── compliance/
│ ├── openchain-iso5230.md OpenChain ISO/IEC 5230 mapping
│ ├── openchain-iso18974.md OpenChain ISO/IEC 18974 mapping
│ └── nist-csf.md NIST CSF 2.0 mapping
├── sbom/
│ └── norxs-soa-gateway.spdx.json SPDX 2.3 SBOM (per-file SHA-1)
├── .github/
│ ├── workflows/ci.yml Build · Test · Analyze · Compliance · Supply-Chain CI
│ ├── ISSUE_TEMPLATE/ Bug report template
│ └── PULL_REQUEST_TEMPLATE.md
├── CMakeLists.txt
├── LICENSE norxs Reference Implementation License v1.0
├── NOTICE.md Third-party attributions (ISO 5230)
├── SECURITY.md Vulnerability disclosure policy (ISO 18974)
├── CHANGELOG.md Full version history
├── CONTRIBUTING.md Coding standards & contribution guide
└── README.md This file
- Architecture Deep Dive — System context, data flow, concurrency model, E2E protocol, memory layout, performance figures, standards traceability
- Verification Report — Executed test results (118/118), coverage, static analysis, compliance scan evidence
- CHANGELOG — Complete version history
- CONTRIBUTING — Coding standards, AUTOSAR compliance checklist, PR process
- LICENSE — norxs Reference Implementation License v1.0
| Program | Artifact |
|---|---|
| OpenChain ISO/IEC 5230:2020 (OSS license compliance) | docs/compliance/openchain-iso5230.md · NOTICE.md · SPDX SBOM |
| OpenChain ISO/IEC 18974:2023 (security assurance) | docs/compliance/openchain-iso18974.md · SECURITY.md |
| NIST CSF 2.0 | docs/compliance/nist-csf.md |
- SBOM: SPDX 2.3, per-file SHA-1, regenerated each release; CI fails on SBOM ↔ source drift.
- Vulnerability disclosure: private reporting via
contact@norxs.com([SECURITY]) or GitHub Private Vulnerability Reporting — seeSECURITY.mdfor CVD timelines. - Zero third-party runtime dependencies in the production library.
This reference implementation is published under the norxs Reference Implementation License v1.0. Commercial use requires a separate license agreement.
norxs Technology LLC offers:
- Full production source rights for ASIL-D deployment
- ISO 26262 safety evidence package (FMEA, FTA, DFA)
- UN R155 / ISO 21434 cybersecurity artifact package
- ASPICE process documentation
- Long-term engineering support and maintenance
Contact: https://norxs.com
All symbols reside in norxs::soa.
ISO 26262 · ISO/SAE 21434 · UN R155 · UN R156 · ASPICE · AUTOSAR C++14 · POSIX
(c) 2026 norxs Technology LLC. All rights reserved.