
Design Article

Safer vehicles through aircraft technology

Matthias Gerlach and Stefaan Sonck Thiebaut, OpenSynergy

7/27/2012 7:52 AM EDT

The growing number of electronic control devices in vehicles calls for a short-term solution that allows several functions to be integrated onto one chip. Avionics provides one model: in that field, the technology of partitioning has already been in use for ten years [1]. A microkernel, acting as the basic operating system, generates partitions in which other operating systems can run. Software company OpenSynergy has made this technology part of its standard software platform, and prepared it for adoption by the car industry.

This article addresses this transfer, in particular with regard to maintaining the safety standards that apply to the development of automotive software.

The large number of electronic control devices found in vehicles already has a significant impact on the total weight of cars, and thus on their fuel consumption. Electronic hardware also adds considerable cost, so using even more hardware in vehicles would be irresponsible, both ecologically and economically. Carmakers and automotive suppliers have only one option: to integrate several functions onto one control device. The safest and most efficient solution is the combination of microkernel and virtualization technology.

In this technology, a microkernel forms the basis of the software architecture, providing the basic functions that allow additional operating systems to be integrated. It generates separate logical software partitions on the processor. Operating systems with very different requirements can be integrated into these partitions, because the partitions run independently of one another. Even if the software in one partition crashes, the rest of the system continues to run unhindered. This type of system design prevents the operating systems from influencing one another, and thus also enhances protection from malicious attacks.

Virtualization technology means that the operating systems installed in the partitions no longer use the physical hardware; they use "virtual" hardware instead. This allows even highly complex operating systems to run in a partition.
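The two properties the paragraphs above credit to partitioning, that each partition gets its own fixed share of processor time and that a crash in one partition cannot touch the others, can be modelled in a few dozen lines. The following is an added, constructed illustration for this article; it is not OpenSynergy, COQOS or PikeOS code, and the partition names, budgets, memory windows and workloads are all made up for the example. A static cyclic schedule gives every partition a fixed budget of ticks per major frame; every memory write goes through a window check standing in for the hypervisor-managed MMU; a partition that steps outside its window is marked FAULTED and loses its slot, while the others keep running with their memory untouched.

```python
"""Toy model of a time- and space-partitioned (microkernel/hypervisor style) system.

Constructed illustration for this article; not OpenSynergy, COQOS or PikeOS code.
Partition names, budgets, memory windows and workloads are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class MemoryFault(Exception):
    """Raised when a partition touches memory outside its window (simulated MMU trap)."""


@dataclass
class Partition:
    name: str
    budget: int            # ticks reserved per major frame (fixed at integration time)
    demand: int            # ticks of work the partition's job needs per frame
    base: int              # start of the partition's private memory window
    size: int
    step: Callable[["Partition", int, int], None]   # step(part, frame, tick): one tick of work
    state: str = "RUNNING"
    ticks_used: int = 0
    frames_completed: int = 0
    deadline_misses: int = 0
    phys: Dict[int, int] = field(default_factory=dict)   # shared physical memory, set by the scheduler

    def write(self, addr: int, value: int) -> None:
        """Only path to memory: enforces the window like a hypervisor-managed MMU."""
        if not (self.base <= addr < self.base + self.size):
            raise MemoryFault(f"{self.name} wrote outside its window: 0x{addr:x}")
        self.phys[addr] = value


class PartitionScheduler:
    """Cyclic schedule: every major frame visits each partition once, in a fixed order."""

    def __init__(self, partitions: List[Partition]):
        self.partitions = partitions
        self.phys: Dict[int, int] = {}          # one physical memory shared by all partitions
        for p in partitions:
            p.phys = self.phys
        self.frame = 0
        self.log: List[str] = []

    def run_frame(self) -> None:
        self.frame += 1
        for p in self.partitions:
            if p.state == "FAULTED":
                continue            # its slot stays reserved; nobody inherits the time
            used = 0
            try:
                while used < p.demand and used < p.budget:
                    p.step(p, self.frame, used)
                    used += 1
            except Exception as exc:  # any crash inside the partition is contained here
                p.state = "FAULTED"
                self.log.append(f"frame {self.frame}: {p.name} FAULTED at tick {used}: {exc}")
            p.ticks_used += used
            if p.state == "FAULTED":
                continue
            if p.demand > p.budget:
                p.deadline_misses += 1   # preempted at its budget; the job did not finish
            else:
                p.frames_completed += 1

    def run(self, frames: int) -> Dict[str, dict]:
        for _ in range(frames):
            self.run_frame()
        return {p.name: {"state": p.state, "ticks": p.ticks_used,
                         "completed": p.frames_completed,
                         "misses": p.deadline_misses} for p in self.partitions}


# --- constructed workloads (assumptions, not real automotive software) ---------
def brake_monitor(p, frame, tick):
    p.write(p.base, frame)          # records the last frame it ran; stays inside its window

def infotainment(p, frame, tick):
    p.write(p.base + tick, frame)   # fills its own window, one cell per tick

def rogue(p, frame, tick):
    # From frame 2 on, a bug makes it write into the brake partition's window.
    target = p.base + tick if frame < 2 else 0x000
    p.write(target, 0xFF)

def greedy(p, frame, tick):
    p.write(p.base, tick)           # well-formed writes, but demands more ticks than its budget


def build_system() -> PartitionScheduler:
    return PartitionScheduler([
        Partition("brake",  budget=1, demand=1, base=0x000, size=0x100, step=brake_monitor),
        Partition("infot",  budget=3, demand=2, base=0x100, size=0x100, step=infotainment),
        Partition("rogue",  budget=2, demand=2, base=0x200, size=0x100, step=rogue),
        Partition("greedy", budget=2, demand=5, base=0x300, size=0x100, step=greedy),
    ])


if __name__ == "__main__":
    sched = build_system()
    summary = sched.run(4)
    for line in sched.log:
        print(line)
    for name, stats in summary.items():
        print(name, stats)
```

Running four frames shows the points the article makes: the rogue partition is stopped at its first out-of-window write and the brake partition's memory still holds its own last value; the greedy partition is preempted every frame and records a deadline miss, but never eats into anyone else's slot. It also shows the cost a commenter below raises: the schedule is static, so changing one partition's demand means revisiting the whole frame.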

Partitioning already in use in aircraft
Partitioning through the use of microkernels has already been in use in aircraft technology for over ten years. This technology is used as part of integrated modular avionics (IMA) architecture (illustration 1). Several years ago engineers were able to reduce the number of control devices required in aircraft even as the number of software systems needed continued to rise. Airbus, for example, uses the microkernel PikeOS from SYSGO AG for its long-haul Airbus A350 aircraft, as well as for its military cargo plane Airbus A400M. PikeOS is certified in accordance with the DO-178B safety standard.

The fact that microkernel technology reached maturity long ago in avionics raises the question of why this secure technology is not already firmly established in the automotive industry. The most likely answer is that interest in microkernel solutions has grown only recently, because the large number of electronic control devices is only now becoming a challenge in cars, unlike in airplanes. In addition, new technologies must now also meet the safety requirements for software in cars, as well as formal standards like ISO 26262.

OpenSynergy started pursuing this idea of using microkernel technology to integrate software into cars in 2007, and has turned it into a marketable product. To do that, the company integrated the microkernel PikeOS into COQOS, its standards-based software platform (illustration 2). Thanks to this microkernel, COQOS offers independent partitions on which software systems with different timing requirements and safety levels can run without interfering with one another. That means that Linux-based infotainment software can run on one partition while automotive systems run on another. COQOS also features an AUTOSAR interface for the integration of automotive software, so that AUTOSAR-compatible programs can be integrated easily [2].

The microkernel in COQOS is certified in accordance with the DO-178B safety standard. But as it is uncommon to apply avionics components to automotive electronics, the extent to which avionics software meets the requirements of automotive standards had never been examined. This question is especially important now that ISO 26262 has been published.


Luis Sanchez

7/28/2012 11:26 PM EDT

Much of the technology that first starts in defense then goes to consumer or automotive applications. That's interesting about virtual operating systems within a single processor. I see that's a way to reduce the hardware usage. I think this perhaps would be an adequate way of taking advantage of multi-core technology. One core per OS?


agk

7/29/2012 6:47 AM EDT

Microkernels give us better stability and security. Now is the time to start research into using them in automobile applications, because a lot of electronic monitoring and control is being introduced in cars, especially in hybrid vehicles.


Idris13

8/3/2012 12:42 PM EDT

Hi Kumar,
I am your old student (Sona ECE 2006 pass-out). How are you? Can you give me your email ID please?


hm

7/29/2012 3:11 PM EDT

An RTOS with a micro or nano kernel and a safety standard equivalent to DO-178B is essential for critical auto software. A redundant processor for critical processing may be an added feature.


Eric Verhulst_Altreonic

8/2/2012 2:32 PM EDT

Why is this called safer?
First of all, it greatly increases the complexity (and hence the risks), as the underlying partitioning hypervisor has to time-slice through the different applications. Change one application and one has to re-examine all of them. Not to forget that the chip has to run a lot faster than before.
Secondly, multicore promises a lot, like a higher density of CPUs at a lower cost, but memory accesses become more stochastic, not to speak of the common-mode failure. Of course, ASIL level D in automotive is still not fault tolerant (vs. DAL-A in avionics), so maybe this sector cares less?


JP_Oudet

8/2/2012 5:28 PM EDT

The whole idea is to NOT re-certify everything when an application (in this system called a partition) is changed. The middleware is certified independently from the partitions, and each partition is certified independently from the others. The idea is to permit several levels of safety on the same platform, thus reducing cost (and complexity) for the parts not requiring a high level of reliability. So, the over-design may be reduced.
Also, AUTOSAR has increased the complexity (and resources) needed from the platform. But it provided far greater advantages in flexibility, cost reduction, fault isolation, separation of concerns...
Multicore, multiprocessors and SoCs are extremely complex and will be more and more unmanageable. But the desired functionality is also increasing. It still requires something to provide designers with high-performance resources and quality assurance, but also ease of use. Hypervisors are only a step in this direction. Not final, not perfect, but still useful and far more important than the added resource consumption.
And some hypervisors are still relatively simple. I suggest you look at ARINC 653 in avionics (the APEX part) or OKL4 for small devices. ARINC 653-based systems have been certified under DO-178 at level A. Some have been certified EAL 7.
And, finally, yes, the processors are often limited by the memory. But this is a limitation the designers have to live with. Anyway, most of the highest-performance applications do not require a very high level of safety. For the highest-performance applications with a high level of safety requirement, the CPU-to-memory problem is not the most challenging (or first) problem. The data integrity in the complex multicore CPU architecture (CPU to cache, cache coherency...) will first have to be examined for security and safety. This is not trivial at all.
In avionics, the multicore problems and GPU integration are not solved yet. Only workarounds have been used... with success.


Eric Verhulst_Altreonic

8/8/2012 10:15 AM EDT

Aircraft don't use multicores for the Level A parts. They are even afraid to use an RTOS for the very critical parts (which I think is a mistake).
The difference is very simple: about 100,000 people die in cars each year (even Europe has 35,000). Only 500 die in airplanes worldwide.
ASIL level D (the highest for automotive) is the second-highest level (SIL3) as defined in IEC 61508. They dropped SIL4 when defining ISO 26262. ASIL D is more or less a supervised fault detection (OK, you could call it SIL 3.5). If a failure is detected, it moves the system to a so-called fail-safe state (like limiting the engine to 1000 rpm). How safe is that at high speed on the highway?
Granted, multicore is used for the lower levels (e.g. anything that is not really safety critical). And that's why the title is misleading. If the automotive industry applied the same process and rigor as avionics, then I would agree. But technology itself is not making cars safer. The main reason for using multicores is not safety, it's cost reduction. Of course, when you do this, partitioning is a must-have. But this is not aircraft specific. It is a standard safety-supporting technique. Add then the complexity and the common-mode failure risk, and how much is safety really improved vs. using dedicated processors?


I_B_GREEN

10/3/2012 7:21 PM EDT

How about those electronic throttle controls?
Should this be mandated at the sub-assembly level?
