Design Article
Safer vehicles through aircraft technology
Matthias Gerlach and Stefaan Sonck Thiebaut, OpenSynergy
7/27/2012 7:52 AM EDT
Assumed system design

The left-hand side of the illustration shows the typical system design when COQOS is used. The general approach is to integrate different functions over a µOS – with a separation microkernel as its core – which ensures safe separation between the different functions.
This is the same approach as for IMA-based systems; a system architecture overview compatible with IMA is depicted on the right-hand side of the illustration.
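As an added illustration (constructed here, not code from the article or from COQOS), the following C model contrasts the static time-partitioned schedule a separation kernel enforces with an unpartitioned shared schedule when one partition overruns its budget; partition names, windows and demands are assumed values.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model, not COQOS or ARINC 653 code: a fixed major frame is
 * split into one static time window per partition, and a partition is
 * preempted at its window boundary however much work it still has. */
#define FRAME_MS 40u

typedef struct {
    const char *name;
    uint32_t window_ms;   /* slice guaranteed by the static schedule */
    uint32_t demand_ms;   /* CPU time the partition tries to use per frame */
    uint32_t granted_ms;  /* CPU time actually received */
} partition_t;

static uint32_t min_u32(uint32_t a, uint32_t b) { return a < b ? a : b; }

/* Time-partitioned frame: each partition gets exactly min(demand, window). */
static void run_partitioned_frame(partition_t *p, int n) {
    for (int i = 0; i < n; i++)
        p[i].granted_ms += min_u32(p[i].demand_ms, p[i].window_ms);
}

/* Unpartitioned frame: tasks run in array (priority) order until the frame
 * is used up, so a runaway task simply takes whatever is left. */
static void run_shared_frame(partition_t *p, int n) {
    uint32_t left = FRAME_MS;
    for (int i = 0; i < n; i++) {
        uint32_t used = min_u32(p[i].demand_ms, left);
        p[i].granted_ms += used;
        left -= used;
    }
}

/* CPU time the brake-control partition receives in one frame when the
 * infotainment partition overruns its 20 ms budget (constructed numbers). */
uint32_t brake_time_ms(bool partitioned) {
    partition_t parts[] = {
        { "infotainment",  20, 60, 0 },  /* wants 60 ms of a 40 ms frame */
        { "brake-control", 10, 10, 0 },
        { "body-control",  10,  5, 0 },
    };
    if (partitioned) run_partitioned_frame(parts, 3);
    else             run_shared_frame(parts, 3);
    return parts[1].granted_ms;
}
```

With the static schedule the brake-control partition still receives its full 10 ms; in the shared schedule the overrunning partition consumes the whole frame and brake-control gets nothing.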
About the authors:
Matthias Gerlach, DEng
Matthias Gerlach, DEng, is a software engineer at OpenSynergy and the head of the VirtuOS project. Before joining OpenSynergy he worked on a number of projects focusing on security from attacks in vehicle-to-vehicle communication. He also wrote his doctoral dissertation at the Technical University of Berlin on this topic. As part of this work he was also involved in the standardization of ITS in the context of ETSI and car-2-car communication consortium.
Stefaan Sonck Thiebaut, DEng, is the general manager of OpenSynergy, where he is responsible for overall product development and the technical direction of the company. As one of the co-founders of OpenSynergy, he received his doctorate degree from Stanford University in the USA, and has over 20 years of experience in software development.
This article was published in the magazine "Elektronik automotive", March 2012.
Courtesy of EETimes Europe
Luis Sanchez
7/28/2012 11:26 PM EDT
Much of the technology that first starts in defense then goes to consumer or automotive applications. That's interesting about virtual operating systems within a single processor. I see that's a way to reduce the hardware usage. I think this perhaps would be an adequate way of taking advantage of multi-core technology. One core per OS?
agk
7/29/2012 6:47 AM EDT
Microkernels give us better stability and security. Now is the time to start research to use them in automobile applications because a lot of electronic monitoring and control is being introduced in cars, especially in hybrid vehicles.
Idris13
8/3/2012 12:42 PM EDT
Hi Kumar,
I am your old student (Sona ECE 2006 passout). How are you? Can you give me your email ID please?
hm
7/29/2012 3:11 PM EDT
An RTOS with a micro or nano kernel and a safety standard equivalent to DO-178B is essential for critical auto software. A redundant processor for critical processing may be an added feature.
Eric Verhulst_Altreonic
8/2/2012 2:32 PM EDT
Why is this called safer?
First of all, it greatly increases the complexity (and hence the risks), as the underlying partitioning hypervisor has to timeslice through the different applications. Change one application and one has to re-examine all. Not to forget that the chip has to run a lot faster than before.
Secondly, multicore promises a lot, like a higher density of CPUs at a lower cost, but memory accesses become more stochastic, not to speak of the common mode failure. Of course ASIL level D in automotive is still not fault tolerant (vs. DAL-A in avionics), so maybe this sector cares less?
JP_Oudet
8/2/2012 5:28 PM EDT
The whole idea is to NOT re-certify everything when an application (in this system called a partition) is changed. The middleware is certified independently from the partitions, and each partition is certified independently from the others. The idea is to permit several levels of safety on the same platform, thus reducing cost (and complexity) for the part not requiring a high level of reliability. So, the over-design may be reduced.
Also, AUTOSAR has increased the complexity (and resources) needed from the platform. But it provided far greater advantages in flexibility, cost reduction, fault isolation, separation of concerns...
Multicore, multiprocessors and SoCs are extremely complex and will be more and more unmanageable. But the desired functionality is also increasing. It still requires something to provide designers with high-performance resources, quality assurance but also ease of use. Hypervisors are only a step in this direction. Not final, not perfect, but still useful and far more important than the added resource consumption.
And some hypervisors are still relatively simple. I suggest you look at ARINC 653 in avionics (the APEX part) or OKL4 for small devices. ARINC 653-based systems have been certified under DO-178 at level A. Some have been certified EAL 7.
And, finally, yes, the processors are often limited by the memory. But this is a limitation the designers have to live with. Anyway, most of the highest performance applications do not require a very high level of safety. For the highest performance applications with a high level of safety requirement, the CPU-to-memory problem is not the most challenging (or first) problem. The data integrity in the complex multicore CPU architecture (CPU to cache, cache coherency...) will first have to be looked at for security and safety. This is not trivial at all.
In avionics, the multicore problems and the GPU integration are not solved yet. Only workarounds have been used... with success.
Eric Verhulst_Altreonic
8/8/2012 10:15 AM EDT
Aircraft don't use multicores for the Level A parts. They are even afraid to use an RTOS for the very critical parts (which I think is a mistake).
The difference is very simple: about 100000 people die in cars each year (even Europe has 35000). Only 500 die in an airplane worldwide.
ASIL level D (the highest for automotive) is the second highest level (SIL3) as defined in IEC 61508. They dropped SIL4 when defining ISO 26262. ASIL D is more or less a supervised fault detection (OK, you could call it SIL 3.5). If a failure is detected, it moves the system to a so-called fail-safe state (like limiting the engine to 1000 rpm). How safe is that at high speed on the highway?
Granted, multicore is used for the lower levels (e.g. anything that is not really safety critical). And that's why the title is misleading. If the automotive industry applied the same process and rigor as avionics, then I would agree. But technology itself is not making cars safer. The main reason for using multicores is not safety, it's cost reduction. Of course, when you do this, partitioning is a must-have. But this is not aircraft specific. It is a standard safety-supporting technique. Add then the complexity and the common mode failure risk, and how much is safety really improved vs. using dedicated processors?
I_B_GREEN
10/3/2012 7:21 PM EDT
How about those electronic throttle controls?
Should this be mandated at the sub-assembly level?