Editor’s Note: This article first appeared in the Winter 2012 edition of Xilinx's quarterly Xcell Journal magazine, and is reproduced here with their kind permission (Click Here to see the magazine).
Automakers today are adding ever more advanced functions into the electronic control units (ECUs) distributed in their automobiles to improve the driving experience, enhance safety and, of course, outsell the competition. In such a landscape, the Automotive Open System Architecture (AUTOSAR) initiative and the international functional-safety standard ISO 26262 are fast forming the technical and architectural underpinnings of automotive ECU design.
As the density of automotive electronics increases to satisfy the growing functional demands of new vehicles, FPGA vendors are delivering bigger devices capable of integrating full applications, but that use less power and come in at more competitive prices than prior-generation devices. This trend points the way toward the further use of reconfigurable computing technology in the automobile industry.
We have devised a pioneering approach to designing an automotive ECU using a programmable FPGA device rather than an MCU-based platform as the foundation for an ECU that conforms to both the AUTOSAR and ISO 26262 standards. Our approach explores key features such as parallelism, customization, flexibility, redundancy and versatility of the reconfigurable hardware. After designing the concept, we hope to implement it in a prototype. For this purpose, the Xilinx Zynq-7000 Extensible Processing Platform—which combines a hard ARM dual-core Cortex-A9 MPCore processor and a 28-nanometer Xilinx 7 series programmable logic device equipped with dynamic partial-reconfiguration capability—is an excellent candidate. This FPGA platform meets the needed requirements and also features on-chip communication controllers commonly used in the vehicle networks, like CAN and Ethernet.
The computational power present in an automobile is nowadays distributed through ECUs interconnected via a communication network. Over the coming years, such computation power is expected to rise due to the emergence of novel applications for motor vehicles. These include safety and driver-assistance features, car-to-car communications, comfort and control functions, entertainment and the large spectrum of hybrid-electrical technologies. No wonder, then, that the electronic content of vehicles is expected to grow. Analysts predict that the market for semiconductors in automotive applications will increase at a compound annual growth rate (CAGR) of 8 percent in the next five years. One of the fastest-growing segments relates to microcontrollers (MCUs) and programmable logic devices such as field-programmable gate arrays (FPGAs).
While in-vehicle functions are increasing in number and sophistication, automotive manufacturers have seen the need to address the growing complexity of designing and managing these systems in an effective way. As a result, today both the AUTOSAR and ISO 26262 standards influence the way hardware and software systems are architected, designed and deployed in real automotive ECUs (see the "sidebar" at the end of this article).
Founded by automakers in 2003, AUTOSAR aims to define a standard system software architecture for ECUs distributed in the vehicle. The goals of ISO 26262, meanwhile, center on functional safety—essentially, the avoidance, or detection and handling, of faults in order to mitigate their effects and prevent the violation of any established system safety goal. Functional safety turns out to be one of the key issues in automobile development as new safety-critical functions arise, like driver assistance or dynamic control. The standard, which was ratified in 2011, supports the safe development of software and hardware.
The entire ECU design and development flow is thus governed by standards that demand systematic processes. Our work addresses the design of such a cost-effective embedded computing platform, with reconfigurable hardware technology enabling an optimized system architecture.
The AUTOSAR and ISO 26262 directives are mainly driven from a software development perspective and oriented toward computing platforms based on microcontroller units. However, the introduction of hardware/software co-design and reconfigurable computing techniques can bring some advantages in this arena. While standard MCUs are often the hardware platform of choice in automotive ECUs, the decreasing cost of new FPGAs, along with the fact that some of them harbor hard-core processors inside, makes these devices a solid solution for a massive deployment in this market. Moreover, the automotive trend of continually incorporating new embedded functionality points to a need for parallel computing architectures. That is particularly true in the infotainment sector today, where high-speed digital signal processing is opening doors to FPGA technology. Programmable logic suppliers like Xilinx and EDA tool vendors such as MathWorks show clear interest in this field.
Aiming to bring all the advantages of reconfigurable hardware to automotive applications, we describe the potential of this technology through a use case focused on one of the most important ECUs found in the automobile computing network concerning deployment of end-user functions: a body controller module. This ECU, also called a body domain controller, is responsible for synthesizing and controlling the main electronic body functions found in the vehicle, such as the windshield wiper/washer, lighting, window lift, engine start/stop, exterior mirrors and central locking. Our goal was to design an AUTOSAR-compliant ECU system equipped with safety-critical functions on an FPGA platform.
The standardization of the ECU system architecture that AUTOSAR promotes is unavoidable if automakers are to manage the increasing functional complexity of vehicles in a cost-efficient way. It enables the high-level integration of functions distributed in ECUs and the reuse of software components. The main goal of AUTOSAR is to define a uniform ECU architecture that decouples the hardware from the software. In this way, AUTOSAR boosts the reuse of software by defining interfaces that are hardware independent. In other words, a software component written in accordance with the AUTOSAR standard should work on any vendor’s microcontroller, provided it has been properly integrated into an AUTOSAR-compliant runtime environment.
This feature delivers increased flexibility to the automaker. Car manufacturers can exchange equivalent versions of the same software module developed by different suppliers throughout their vehicle platforms in a transparent way, thanks to inherent plug-and-play characteristics, and without causing side effects in the behavior of the rest of the functions within the vehicle. In the end, hardware and software are highly independent of each other. This decoupling occurs by means of abstracted layers interconnected through standard software APIs. Figure 1 shows the functional-layers breakdown that AUTOSAR defines.
Figure 1. The AUTOSAR layer-based model,
from MCU to application layer
At the bottom, in black, is the hardware or physical layer, consisting of the MCU itself—that is, the CPU and some standard peripherals attached to it. Above the microcontroller, the basic software (BSW) is decomposed in three layers: microcontroller abstraction layer (MCAL) in pink, ECU abstraction layer (ECUAL) and complex drivers in green, and services layer (SRV) in purple. These three layers are organized, in turn, into several columns or stacks (memory, communication, input/output and so on).
Close to the hardware components is the microcontroller abstraction layer. As its name suggests, this layer abstracts the MCU. The goal is to have a hardware-independent API that handles the hardware peripherals present in the microcontroller. Next up, the ECU abstraction layer abstracts the other smart devices placed in the ECU board, typically in contact with the MCU (for example, system voltage regulator, smart switching controllers, configurable communication transceivers and the like). Next, the third layer is the services layer. This layer is almost hardware independent and its role is to handle the different types of background services needed. Examples are network services, NVRAM handling or management of the system watchdog. With these three layers, AUTOSAR defines a set of basic software functions that sustain, under a specific hardware platform, all the functionality conceived from higher levels of abstraction to the automotive ECU.
The fourth layer, the runtime environment (RTE), provides communication services to the application software. It is composed of a set of signals (sender/receiver ports) and services (client/server ports) accessible from both the upper layer of the BSW and the application layer (APP). The RTE abstracts the application from the basic software and it clearly delimits the line of the software-stacked architecture that separates the generic and exchangeable software code (APP) from the particular and hardware-dependent code (BSW). In other words, the RTE makes it possible to isolate the software application from the hardware platform; therefore, all software modules running above the RTE are platform-independent.
Above the RTE, the software architecture style changes from layered to component-based through the application layer. The functionality is mainly encapsulated in software components (SWCs). Hence, standardization of the interfaces for AUTOSAR software components is a central element to support scalability and transferability of functions across ECUs of different vehicle platforms. The standard clearly specifies the APIs and the features of these modules, except for the complex drivers. The SWCs communicate with other modules (inter- or intra-ECU) only via the runtime environment.
As ECUs continue to integrate ever more functionality, FPGA devices can be a sensible alternative to single- or multicore MCUs. This overview of the different AUTOSAR layers may hint at the benefits that designers can extract from this architecture when deploying it in programmable logic. Let’s take a closer look at how our design could potentially implement a solution based on custom static hardware (flash- or SRAM-based FPGA technology), and then extend this approach to a runtime reconfigurable hardware implementation (SRAM-based partially reconfigurable FPGA).ECU design on FPGA-based static hardware
The AUTOSAR architecture fits well in an embedded system composed of a CPU, memory and programmable logic. The ECU platform requires one CPU or host processor to manage the application and process the different functions distributed in software components through the APP layer. At the same time, the MCU layer and part of the basic software layer can be synthesized in hardware in the programmable logic fabric. Hence, in addition to implementing standard peripherals attached to the CPU, other custom peripherals and coprocessors can coexist in hardware and be totally or partially managed in software.
Dedicated coprocessors or core processors are suitable from the point of view of functional safety too, since they can implement functionality with inherent freedom of interference in hardware, bringing a high level of flexibility—and even redundancy when required—to the system design. Also, the intermediate RTE layer can be synthesized in RAM blocks distributed along the FPGA or in flip-flops embedded in the logic cells of the device, as well as external memory. Moreover, it’s easy to design the RTE signal interfaces to allow both read and write operations (via single-port memories) or to restrict the architecture to either read or write transactions only (by means of single dual-port memories with two independent read and write ports) as a protective measure against interference, like the counterpart sender and receiver software ports that AUTOSAR defines.
Figure 2 shows the proposed porting of the MCU-based AUTOSAR ECU architecture into an Extensible Processing Platform (EPP) or FPGA device, keeping a clear system partitioning in layers. Below the RTE layer are the operating system (OS), memory stack, communication stack, I/O stack and so on. Above it are the software components, which implement the applications and communicate with the RTE through AUTOSAR interfaces.
Figure 2. Porting of the AUTOSAR ECU
architecture to an FPGA platform
Due to the inherent complexity of the AUTOSAR architecture, its deployment demands powerful embedded computing platforms. Today, the typical ECU implementation is based on a 32-bit single-core processor on an MCU platform. However, more and more, a single core is not going to be enough to deliver all the computational power demanded. Yet the use of multicore CPUs can degrade performance if they share the program/data memory through a multiprocessor bus with arbitration mechanisms, often necessitating a highly complex solution.
Instead, we propose a new alternative based on programmable logic and composed of only one single-core processor playing the role of host CPU but surrounded by more-intelligent peripherals, coprocessors or even slave processors. All these computing units can be instantiated in the FPGA fabric as new soft-core processors, such as the Xilinx PicoBlaze and MicroBlaze, which run their own code from dedicated RAM blocks of the FPGA (separate soft-core processors with dedicated program memories), or as made-to-measure hardware accelerators. In both cases, the topology is one host CPU with smart peripherals that offload some of the CPU’s tasks, reducing the complexity of the system. Thus, the host CPU manages the whole APP layer in software while the custom peripherals take charge of the BSW layer and run independently of each other, in parallel and autonomously. Moreover, it’s a good idea to design these peripherals to make the software execution of the host CPU more linear—that is, without creating excessive interrupts coming from the peripherals to request the CPU’s attention via interrupt service routines. Figure 3 shows the block diagram of the system and its component breakdown into functional units synthesized in one FPGA device.
Figure 3. Block diagram of an automotive
ECU deployed in an FPGA
This approach can attain system performance comparable to that of a multiprocessor platform but with the level of simplicity (regarding software development and maintenance) of a single-core processor. This trade-off is possible by using dedicated hardware to build more powerful and autonomous custom coprocessors that work in parallel with the host processor.
Conceptually, to simplify the idea, it is possible to split the architecture of these systems into two main layers—the high layer and the low layer—separated by the RTE interface. The high layer corresponds to the application layer of AUTOSAR, composed of software components that manage the end-user functions in the vehicle. The low layer comprises the hardware and the basic software up to the RTE link. The application layer can represent, in relative figures, around 90 percent of the high-level functionality within the vehicle, and all this source code—above the RTE—is reusable.
At the same time, the low layer comprises all those features that grant flexibility and versatility to the high layer. That is, the low layer performs the customization of all that reusable functionality in a particular hardware platform. As such, the high layer is essentially a set of software functions that implement the control of some vehicle loads, sensors and actuators by means of algorithms implemented in finite state machines (FSMs). These algorithms are executed cyclically by a CPU and scheduled in software tasks that the OS controls.
The low layer is also responsible for implementing the drivers of all the standard peripherals attached to the CPU—for example, A/D converter, PWM controller, timer or memory controller—to make the abstraction of the high layer feasible. This low layer involves the management of events that need to be served in real time. In this regard, programmable logic can bring some added value. The idea is to reach a host CPU able to process the application as a simple sequence of software functions not influenced by external events typically derived from hardware, but reading or writing RTE signals periodically to evolve the FSMs accordingly. The low layer would hide these hardware events and manage them, preprocessing them and updating certain signals in the RTE or performing certain actions in real time as a result, following its specific tasks scheduling.
Attaching custom hardware controllers to the system CPU minimizes the need for shared resources, if such controllers can work in an autonomous way. From an OS point of view, this helps to reduce the system complexity (avoiding arbitration, latencies, retry mechanisms and the like).
Another advantage is that dedicated hardware can more simply implement certain functionality that is typically performed in software through multithreading, since concurrency is a feature more inherent to hardware than to software. Furthermore, the flexible hardware can be used to reduce execution time by hardwiring computationally intensive parts of the algorithm by means of parallel and pipelined hardware implementations instead of sequential software approaches on Von Neumann machines.
You can reduce the software complexity of an automotive ECU by granting a major level of intelligence to the peripherals and hardware coprocessors synthesized in the MCU and BSW layers, freeing up CPU time.
In parallel with the growing complexity of the ECU platforms, the number of I/O lines the system demands is also increasing. In this regard, an FPGA brings a clear advantage over a microcontroller since it typically offers far more user pins. This point is often relevant in MCU-based ECUs, because they need to extend the MCU inputs and outputs with external chips that perform the parallel-serial data conversion, like digital shift registers or analog multiplexers. An FPGA lets you skip all these satellite components, reducing thus the bill of materials as well as the PCB dimensions of the electronic board.
State-of-the-art FPGA devices already incorporate analog-to-digital converters. This feature is interesting in automotive design since many ECUs make use of analog signals (for example, battery voltage) to implement part of the needed functionality. The presence of ADCs in programmable logic devices opens new application fields for FPGAs.
Like MCUs, FPGAs offer remote update capability. However, it is important to note that in this case, the bitstream downloaded into the FPGA relates not only to software code but also to hardware circuitry. This means that, once the product is in production, it is still possible to change the hardware design by means of system updates or upgrades. The automotive industry appreciates such flexibility, since it also enables bug fixes (in this case, both hardware and software) after the product launch.
In any ECU that embeds a function qualified as safety-relevant under ISO 26262, the hardware and software involved in this implementation must fulfill a certain level of protection depending on how it is categorized. From the software point of view, it is necessary to demonstrate freedom from interference—that is, the non-safety-relevant code running in an ECU must not corrupt the operation of any code inside the same ECU classified as safety-relevant. This isolation is necessary to guarantee correct execution of safety-related and non-safety-related functions running side-by-side on the same processor. Often, it’s easier to manage these measures more flexibly in programmable logic than in MCUs.
Regarding memory protection strategies oriented to functional safety, it is necessary to guarantee write access to certain safety-related signals only from authorized safety software components. In the context of MCU devices, memory partitioning provides a fault-containment technique to separate software applications from each other to avoid any data corruption among them. Programmable logic will likely make it possible to implement a more efficient self-protection mechanism. It is possible to manage the RTE buffer related to safety signals through dedicated single dual-port memories so that the data is written from the write port and read from the read port. In this way, it is possible to implement dedicated hardware controllers that put different restrictions on writing or reading those signals from the software side. The same approach can be implemented with registers.
The possibility of introducing custom hardware solutions in the ECU system is a big advantage of the FPGA approach, especially for safety-related features. In this case, with regard to I/O pins and GPIO controllers, the pinout involved in safety functions can be grouped in made-to-measure I/O ports that are accessed exclusively by safety components inside the ECU, separated from the remaining pins of the device. This is a good way to decouple the safety-critical pins from the non-safety-critical pins of the system, ensuring freedom from interference by design. Any access to non-safety pins cannot corrupt the status of the safety pins, which are managed by safety-relevant code only. This idea is depicted in Figure 4.
Figure 4. Hardware/software co-design of a safety shell
architecture isolates the safety-relevant ports from
non-safety ports to guarantee there will be no interference.
Furthermore, it’s also possible to tailor the size of each GPIO port to the needs of the application or the software component that handles it, skipping the step of converting a GPIO port into a physical resource that different applications share, as happens with MCU ports. In this way, in an FPGA each application managed by a different SWC (for example, window lift, wiper, exterior mirror, etc.) can have its specific port mapped in specific registers within the system memory map. In MCU platforms this is often not possible, since the ports have a fixed size (typically 8, 16 or 32 bits wide) and are addressed in a word-wise mode, not bit-wise. Therefore, this control register becomes a shared resource that several SWCs access along the program execution.
We can extend the same strategy used for the GPIO controller to other standard peripherals. In this manner, the function partitioning and isolation that AUTOSAR promotes at the high layer with SWCs can extend also to resources of lower layers by means of programmable hardware. Such a technique is impossible with frozen hardware solutions based on standard MCU devices.
The same decoupling strategy we described for MCU standard peripherals can be applied to all the channels or data paths of a safety function. This feature is particularly interesting as a way of implementing highly categorized safety goals—organized by ASIL level in ISO 26262 (see sidebar)—decomposing them in redundant partitions of a lower ASIL level so that each of these parts, performed in duplicate, is then implemented according to its new level. This safety strategy based on redundancy is another argument for choosing programmable logic, which makes it possible to instantiate several identical and independent processing engines multiple times in the same device. Moreover, the fulfillment of a certain ASIL level is always clearer and easier to prove with architectural approaches (hardware) than by abstract software, especially features like freedom from interference, where design failures like a stack overflow or an incorrect handling of a data pointer in C programming language could introduce unexpected safety integrity problems to the system.
Another design advantage derived from the flexibility of programmable logic and applicable to functional safety is the possibility of implementing triple-modular redundancy (TMR) strategies. This is a commonly known method for single-event upset (SEU) mitigation in aerospace applications. Such a mitigation scheme has three identical logic circuits that perform the same task in parallel, with the corresponding outputs compared through a majority-voter circuit. Hardware offers a very efficient way to implement this strategy.
Also, in a market where cost and power consumption are huge concerns, some programmable logic devices, such as the Xilinx Zynq-7000 EPP, support several features to lower the overall system power consumption—some of them inherited from MCU devices. Features like the processing system power-on-only mode, sleep mode and peripheral independent clock domains can significantly reduce dynamic power consumption of the device during idle periods.
Certain programmable logic devices come with a hard-core processor placed in the fabric, enabling designers to initially develop the whole system functionality in software, as they typically would do for an MCU-based platform, and then progressively add more hardware in the design, porting certain parts to programmable logic resources. This methodology enables the designer to build different versions of a solution and realize the advantages of synthesizing some functions in custom hardware with respect to a purely software-based approach.ECU design on runtime reconfigurable hardware
After exploring the advantages of implementing ECUs in static hardware and software via programmable logic, let’s turn to designs that use SRAM-based FPGAs equipped with runtime partial-reconfiguration capability. PR technology offers additional benefits for automotive designers.
One big advantage is the fact that the system startup time can be reduced if the FPGA contains some PR regions that do not need to be configured at startup—for instance, when the ECU wakes up or at power-up. FPGAs that do not support active partial reconfiguration need to configure all the FPGA resources at power-up; runtime reconfigurable FPGAs, however, can be partially reconfigured by downloading a partial bitstream.
The large capacity of today’s state-of-the-art FPGA devices results in considerable configuration time overhead to download the full bitstream at power-up. Runtime partial-reconfiguration technology can dramatically reduce this configuration latency. In that case, it is possible to configure only a minimalist subsystem at power-up (that is, the bootloader and the portion of the system application immediately required) and keep the rest of the system idle until it is necessary to initialize it. Splitting this startup activity into two phases speeds up the initialization process in case the system needs a fast response at power-up or upon waking. For this purpose, the system architecture is decomposed into a static region and one or more partially reconfigurable regions (PRRs). The static region encompasses the system responsible for carrying out the startup process, typically the host CPU, along with the reconfiguration engine and a data link to the bitstream repository. The other regions are described by specific partial bitstreams that can be downloaded later, when the application needs them.
Also, if PRR regions are disabled, then it is possible to reduce the power consumption of the device proportionally to the portion of area that is not in use. Power-saving modes are especially relevant in automotive battery-powered ECUs. For this reason, automotive MCUs make use of low-power modes to keep the ECU power consumption to a minimum when the vehicle is inactive (that is, in sleep mode). Analogously, the use of blank bitstreams to disable portions of the FPGA when not required reduces logic activity and consequently, dynamic power consumption.
Automotive designers can also use a technique inherited from aerospace applications in systems based on runtime reconfigurable logic. Configuration scrubbing can recover the system from failures on SRAM resources originated by SEU or electromagnetic interference. Periodically reconfiguring the hardware peripherals guarantees that the system is self-repaired in case of a malfunction. Moreover, the maximum time of the malfunction is restricted to the scrubbing period. This idea is commonly applied also in software as a protection measure against interference, for example, periodic reconfiguration of MCU peripherals.
Another promising feature derived from the flexibility of runtime partial-reconfiguration technology is fault recovery by means of function relocation in case of permanent or nonrepairing circuit failures placed in one specific 2D position of the FPGA resources, affecting for instance one specific logic cell or RAM block. Once a hardware or software fault has been identified, it is possible to automatically relocate the required functionality to another part of the programmable logic device inside the same ECU, or even relocate it to another ECU at runtime. Although conceptually feasible, this feature is not totally supported by automatic tools today.
The most powerful characteristic of runtime reconfigurable computing technology applicable in the automotive sector is, beyond doubt, the time-multiplexing of functionality on shared hardware resources on the fly. Time-sharing of functional applications processed in the same computing resources inside an ECU if both applications are mutually exclusive (for example, deployment of a lane-departure warning while a vehicle is running straight ahead and switching to a rear-camera view or park-assistance application when it’s backing up) is an idea that could help to reduce the cost and complexity of such embedded systems, as well as freeing space and reducing weight in the vehicle.
This idea applies as well to the self-adaptivity of specific algorithms in changing environmental or external conditions. For example, a given engine control algorithm can self-adapt, via partial reconfiguration, certain hardware blocks to perform optimally in any operating conditions of temperature or battery voltage. The same concept applies to communications systems, for instance designing a cryptographic controller able to specialize at runtime its security level in function of certain parameters. Another example would be making an ECC encoder/decoder IP that detects and corrects data transmission errors in noisy communication channels and is able to dynamically adapt its hardware architecture depending on the signal-to-noise ratio sensed.
Figure 5 shows an example of an ECU system deployed in a Xilinx Virtex®-4 FPGA composed of one static region and one PR region. The static region integrates a soft-core MicroBlaze processor and an ICAP-based reconfiguration controller, while the PRR plays the role of a shared resource to swap different functional tasks or applications in and out at different times.
Figure 5. Spatial and temporal partitioning of the automotive
ECU application in a runtime reconfigurable FPGA
composed of one PR region and one static region
Finally, bringing the previous concept to its extreme, it is possible to envision a universal automotive ECU platform that can be configured in the manufacturing line and customized for a specific ECU functionality inside the vehicle. This idea, technically feasible through reconfigurable hardware, would simplify the logistics in manufacturing plants and keep inventory to a minimum. That’s because the module assembled in the production line should be, from the hardware point of view, the same for all the vehicles, all within a single platform design or product architecture (based on flexible hardware). Only the downloadable bitstream would make the ECU functional differentiation.Highly-integrated ECUs
Around 90 percent of innovation in the automotive sector is nowadays driven by electronics, and there is no end in sight. The car of the future will be based on very advanced software and hardware technologies enabling new features like autonomous driving, vehicle-to-vehicle communication, entertainment and improved safety. However, controlling the cost of automotive embedded systems is extremely important for automobile suppliers competing in a very high-volume industry. As a result, current trends are oriented toward reducing the number of ECUs present in the vehicle in exchange for delivering major functionality per unit. This is a goal that demands more-powerful computing platforms.
One approach shared by many industry players is to create highly integrated ECUs as domain controllers—that is, several core processors or microcontrollers in the same board sharing bus connections and other resources aimed at reducing system complexity from the whole-vehicle perspective. This trend permits us to think about the possible use of reconfigurable hardware in the design of ECUs as a valid means of increasing computation parallelism and reducing PCB complexity while reaching a balanced solution in terms of performance/cost.
The approach presented in our work, although it is only an early concept, lays the groundwork for merging both AUTOSAR and ISO 26262 with runtime reconfigurable hardware to perform hardware/software co-design for a full automotive embedded ECU system. In fact, although today AUTOSAR does not cover reconfigurable hardware, we think this possibility cannot be discarded in the future. Runtime reconfigurable SRAM-based FPGAs are already in use in aerospace applications despite their more difficult environmental conditions concerning susceptibility to SEU, and the automotive field has a history of adopting trends first seen in the aerospace field. Also, there exist already in the market some qualified design methodologies and tools aimed at enabling the implementation of FPGA-based safety-related systems, as well as the existence of one standard, already in place in the industry for some time and involving also FPGA devices, that regulates the design of components and systems in the avionic sector, such as the DO-254.Paradigm change driven by co-design
Therefore, this work spreads a computing paradigm change in the automotive field based on the replacement of a software-only solution by another alternative—one driven by hardware/software co-design and reconfigurable computing techniques in specific ECU scenarios where a purely software-based approach founded in Von Neumann MCUs is not feasible due to reasons of performance, complexity and safety. The continuous drop in the price of programmable logic technology—together with the incessant rise in performance such automotive electronic control units demand—should make this change viable in the not-too-distant future.
TWO CRUCIAL STANDARDS
The automotive industry is already designing electronics with two crucial standards in mind: AUTOSAR, for handling embedded-system complexity by means of appropriate software and hardware architectures, and the upcoming ISO 26262, which governs functional safety. Relevant technical concerns adopted from ISO 26262 and released in AUTOSAR include the detection and handling of safety issues like hardware faults at runtime; abnormal timing and the broken logical order of execution of applications; and data corruption, among others.Inside AUTOSAR
In recent years, electronic components have displaced mechanical and hydraulic systems within vehicles. The incursions continue, as designers begin to implement additional control, monitoring and diagnostic functions in software. In fact, electronics technology makes it possible to deliver new functions whose development would be costly or not feasible if using only mechanical and hydraulic solutions. These parts must meet stringent safety requirements to avoid faulty states and failures.
While software-related product failures have so far been relatively rare, continued growth in the use of software as part of manufactured products increases the system complexity and, together with shorter product development cycles, leads in the end to product failures. The automotive industry has attacked this problem by forming coalitions and enacting standards to ensure the application and creation of safe and reliable software.
The Motor Industry Software Reliability Association (MISRA), for example, is a consortium of vehicle manufacturers such as Ford and Jaguar Land Rover, component suppliers and engineering consultancies. By defining a series of software programming rules, MISRA seeks to promote best practices in developing safety-related electronic systems in road vehicles and other embedded systems.
The Automotive Open System Architecture, or AUTOSAR, is a partnership of automotive manufacturers, suppliers and other companies from the electronics, semiconductor and software industries working together to develop a de facto open industry standard for automotive electrical/electronic (E/E) architectures, targeting several major issues. These include managing the growing complexity of automotive E/E systems associated with the continuous increase of functionality; improving flexibility for product modification, upgrade and update; improving scalability of solutions within and across product lines; improving the quality and reliability of E/E systems; and enabling the detection of errors in early design phases.
This initiative faces the challenge of having to integrate a growing amount of software and electronic technologies across a vast ecosystem of suppliers. By simplifying the exchange and update options for software and hardware, the AUTOSAR approach forms the basis for reliably controlling the rising complexity of the E/E systems in motor vehicles, as well as improving cost-efficiency without compromising quality.
The AUTOSAR initiative, founded in 2003, is a natural evolution of the older OSEK/VDX consortium—born one decade before and spearheaded by some German and French automakers—but now with more ambitious goals and extended to most of the automotive OEMs all over the world.
The core partners of AUTOSAR are the BMW Group, Bosch, Continental, Daimler, Ford, General Motors, PSA Peugeot Citroën, Toyota and the Volkswagen Group. In addition to these companies, more than 160 other members play an important role in the success of the partnership. Thus, under the slogan “cooperate on standards, compete on implementation,” automotive manufacturers and suppliers work together to define an open and standardized system architecture aimed at being a breakthrough in automotive E/E design (www.autosar.org
Similarly, the IEC 61508 is a general standard of the International Electrotechnical Commission governing the functional safety of electrical, electronic and programmable electronic systems and components, accepted worldwide and in use since 2004, based on the various fields of application of safety-related systems.
Among other standards tailored for this purpose is one specifically aimed at functional safety in the automotive arena: the International Organization for Standardization’s ISO 26262. Still under development but expected to be in place in 2012, this new standard is designed to support and facilitate all the development activities of safe products in the automotive industry. It encompasses safety activities during the concept phase, product development, production and operation.
In fact, functional safety—understood as the absence of unacceptable risk due to hazards caused by malfunctions in E/E systems—has become a key requirement in automotive design. This recently published standard is aligned to automotive-industry use cases and the definitions of acceptable risks, with the aim of preventing catastrophic failures. In this context, the term “risk” is defined as the combination of the probability of harm or damage occurring and its severity. During the engineering development phase, the standard requires that all potential hazards and risks be assessed in advance and that developers take suitable measures to minimize them. ISO 26262 includes guidance to avoid these risks by providing appropriate requirements and processes.
Following this approach, in a vehicle there are functions catalogued as safety relevant and non-safety relevant. Safety-relevant functions are all those in which a malfunction could put the driver at risk. For those functions that are considered safety relevant, the standard defines several possible levels of risk. That is, some functions are more critical than others from the point of view of ensuring a specific safety goal.
The standard defines a series of automotive-safety integrity levels (ASILs) based on the severity of possible accidents, the probability of exposure to certain driving situations and risk reduction due to external measures. It identifies four levels, from ASIL D through C, B and A, with D representing the most stringent and A the least stringent level. Each ASIL lists requirements or recommendations that carmakers and suppliers must satisfy to reduce an “intolerable risk” to a tolerable residual risk.
One example: If the steering column gets locked while the car is moving, the driver could have an accident, since he or she would not be able to turn the wheel. To reduce this risk to a tolerable level, the implementation of the steering-column control function should follow certain safety design criteria, according to the ISO 26262 standard and the ASIL level given to such a safety goal.
Depending on the level for each safety goal, both hardware and software developers have to consider specific safety measures in the implementation of those functions involved. In the case of an ASIL at the high (D or C) level, a common design method is to decompose safety requirements into redundant safety requirements to allow ASIL tailoring at a potentially lower ASIL level implemented by sufficiently independent elements. That is, the original safety requirements are redundantly implemented by different processors (typically MCUs), deploying redundant channels to minimize the probability of a catastrophic failure.
In the end, manufacturers and suppliers need to prove to the accreditation authorities that their E/E systems will deliver the required functionality safely and reliably according to the industry-specific regulations (www.iso.org/iso
).About the authors
Francisco Fons and Mariano Fons are both PhD Candidates at the University or Rovira i Virgili, Tarragona, Spain. You may remember the Fons brothers from a previous article on biometrics (Click Here
to see that article).
Francisco may be contacted at firstname.lastname@example.org
Mariano may be contacted at email@example.com
If you found this article to be of interest, visit Programmable Logic Designline
where you will find the latest and greatest design, technology, product, and news articles with regard to programmable logic devices of every flavor and size (FPGAs, CPLDs, CSSPs, PSoCs...).
Also, you can obtain a highlights update delivered directly to your inbox by signing up for my weekly newsletter – just Click Here
to request this newsletter using the Manage Newsletters tab (if you aren't already a member you'll be asked to register, but it's free and painless so don't let that stop you [grin]).