Adaptive AUTOSAR - The New AUTOSAR Architecture

Adaptive AUTOSAR – The new AUTOSAR
Architecture
Stuart Mitchell, ETAS Ltd

Public | ETAS-ERS | 2019-09-15
© ETAS GmbH 2018. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Adaptive AUTOSAR – The new AUTOSAR Architecture
What is Adaptive AUTOSAR and why is it necessary?
1990
•Growth of infotainment
•SW widely used for
engine & chassis control
1970
•Mechanical
•EE for engine control
2000
•Many SW functions
•In vehicle networks
predominate
Now
•90% innovation in
vehicle development
•EE accounts for 40%
vehicle development
costs
•50-75% development
costs of an ECU are
SW
Ever increasing amount of
distributed, networked
functionality in software…
Classic AUTOSAR is a response
to that increase in complexity
Classic Platform

o AUTOSAR Classic Platform has reflected and
supported the growth in automotive SW
o Hard Real-time, High Safety, Limited resource ECUs
o The demands on automotive SW are driven by
ever more functionality…
o Connectivity
o Autonomy
o Shared ownership
o Electrification
o Accelerated demand reflects in the demands
on development and the requirements of
the platform
Challenges for Automotive Software
electrified
automated
connected

The Future ECU Landscape
electrified
automated
connected
Complexity concentration: “Cross
domain ECUs” / “Cross domain
Computation”
Domain specific “Domain ECUs” /
“Domain Computer”
(Cross) Domain Centralized
E/E Architecture
• Address complexity of increasing
cross domain and centralized
vehicle functions`
Domain independent
“Vehicle Computer”
VISION: Increasing
number of vehicle
functions in the cloud
Domain
Centralization
Modular
Integration
Function specific ECU
Functional integration
Distributed E/E
Architecture
• Mostly encapsulated
E/E architecture structure
increasing No of SW
Domain
Fusion
Vehicle
Computer
Vehicle Cloud
Computing
Optional ECU, e.g. Central Gateway
Sensors/Actuators
Domain specific zone (ECU)
Performance ECUs, e.g. Domain/Central/Vehicle State of the art Automotive ECU (function specific)
Domain independent zone ECUs, e.g. Door ECU
Vehicle Centralized E/E Architecture
• Domain independent vehicle centralized
approach with central vehicle computation
nodes, neural networks, etc. (zones)
• Logical centralization and physical
distribution
2019-2023TODAYVISION

o The Adaptive AUTOSAR Platform
(AP) is designed to bridge the gap
between the Classic Platform (CP)
and Infotainment
o Key Adaptive AUTOSAR Characteristics
o Support standard Automotive Services
o Diagnostics, Network Mgmt, …
o A Dynamic OS
o Constrained by “Planned Dynamics”
o Strong application isolation
o Soft real-time (ms jitter)
o High resource availability (i.e. micro-
processor)
o ASIL-B safety requirements
Classic and Adaptive AUTOSAR
Infotainment
Platform supporting
„Planned dynamics“
Real-time (µs)
Safety (ASIL-D)
Low resource
Fixed SW
Non real-time (s)
QM
High resource
SW load on demand
Soft real-time (ms)
Safety (ASIL-B)
High resource
Planned Dynamics
AUTOSAR Runtime for Adaptive Applications (ARA)
(Virtual) Machine / Container / Hardware
ara::exec
Execution Mgnt.
ara::com
Communication Mgnt.
ara::rest
RESTful
ara::per
Persistency
SOME/IP
ara::crypto
Cryptography
ara::phm
Platform Health Mgnt.
ara::time
Time Synchronization
ara::log
Logging & Tracing
ara::state service
State
Management
ara::diag service
Diagnostics
User Applications
Adaptive Application Adaptive Application Adaptive Application
ASW::XYZ
Non-PF Service
ASW::ABC
Non-PF Service
IPC
(local)
DDS
ara::s2s service
Signal to Service Mapping
ara::nm service
Network
Management
ara::ucm service
Update and Configuration Management
POSIX PSE51 / C++ STL
Operating System
ara::core
Core Types
ara::iam
Identity Access Mgnt.
Adaptive Application
Classic Platform Adaptive Platform

AUTOSAR Enables Flexible, Secure Software
o Change in SW design
o Incremental SW updates
o Scalable, parallel, high performance
applications
o Dynamic connectivity for adaptability and
reduced coupling
o Change in SW development; architecture,
method, …
o Centralized decision making architecture
o Vehicle computation
o Design for security and safety
o Application isolation
o Virtualization for cross-domain integration
GatewayClassic
Platform
Adaptive
Platform
Centralized Vehicle
Computing
Cross-domain
Integration
Function per ECU

Public | ETAS-ERS | 24/10/2019
Identified
Risk or
Threat
Product
Measures
Process
Measures
Design Methods
Analysis Techniques
Testing
Techniques
Safety Case
Version
Control
Configuration
Management
Software
Architecture
Defensive
Programming
Protection
Mechanisms
Systematic
Redundancy
Self-tests
Diagnostics
Plausibility Checks
Random
Classic and Adaptive AUTOSAR Support for Functional Safety
Eliminate
• Try to make the system intrinsically safe
• Substitute, simplify, decouple…
Reduce
• Reduce the probability that things go wrong
• Monitoring, Partitioning, Redundancy, Recovery
Control
• Control by minimizing duration, exposure or both
• Safe states, limp home
Limit
• Attempt to minimize the damage
• Crumple zone, airbag, seat-belt pre-tension
Process Measures eliminate
risks
• Strong architecture focus
• Well-defined API
• Exchange formats
• Design / review
Product Measures – Reduce
and Control risks
• Application integrity
• Partitioning
• Time and Space Protection
Management
• Communication integrity
ProcessProduct

￮ Classic and Adaptive have very
different architectures
￮ …but both support functional safety in
similar ways
￮ Modular application SW provide
separation of safety levels
￮ SW Components
￮ Service Orientated Applications
￮ Common properties
￮ Support the partitioning of application design into components
￮ Limits scope for propagation of faults
￮ Highly Cohesive – Application components are designed to reusable, individually testable, etc.
￮ Loose coupling – limit dependencies between components to promote reusability
AUTOSAR Architecture for Functional Safety – Product Measures
Classic and Adaptive

AUTOSAR Methodology for Functional Safety – Process Measures
Requirements
Requirement
Specification
Acceptance
System / Design
Specification
Software Specification
System Testing
Delivery
Software
Implementation
Unit Test
Software Integration
Integration Testing
System
Extract
Contract
phase
SWC
Develop
ECU/Machine
Integration
Vehicle
Integration
Exchange
formats
Supporting Processes Management Processes Business Processes

Product
Measures
￮ Product measures tackle Systematic
(or Systemic) and Random risks
￮ Reduce incidence of Systematic risks
￮ AUTOSAR Architecture prevents fault modes; e.g.
through encapsulation
￮ Programming mechanisms eliminate
whole classes of errors; invalid APIs don’t exist
￮ Control the impact, propagation
or incidence of Random risks
￮ Hardware / Application Integrity
￮ Time and Space Protection (“freedom of interference ”)
￮ SW Partitioning
￮ Communication Integrity
Software
Architecture
Defensive
Programming
Protection
Mechanisms
Systematic
Redundancy
Self-tests
Diagnostics
Plausibility Checks
Random

Wireless
Comm HW
Abstraction
I/O
Hardware
Abstraction
Classic AUTOSAR Product measures
￮ MCAL Test; Core, RAM, Flash
￮ Watchdog Stack (PHM)
￮ SW Partitioning
￮ Component Architecture
￮ ECU Partitions
￮ Time and Space Protection
￮ Memory Protection
￮ Execution Budgets
￮ Data Integrity
￮ End-to-end (E2E) protection
Complex
Drivers
Microcontroller
Application Layer
Runtime Environment
Microcontr
oller
Drivers
Memory
Drivers
I/O DriversWireless
Communicati
on Drivers
Crypto
Drivers
Communicati
on Drivers
Memory
Hardware
Abstraction
Onboard
Device
Abstraction
Communicati
on Hardware
Abstraction
Crypto
Hardware
Abstraction
Memory
Services
System Services Off-board
Communicati
on Services
Crypto
Services
Comm
Services
Microcontroller Abstraction Layer
ECU Abstraction Layer
Services Layer
OperatingSystem
CANdriver
PduR
Com
CanIf …
…driverE2E
Transformer
Crypto
driver
CryptoIfCSM
Coretest
RAMTest
FlashTest
Watchdog
driver
WdgIf
Watchdog
Manager
FIM
DEM
DET
Classic

Adaptive AUTOSAR Product measures
￮ Platform Health
Management (PHM)
￮ SW Partitioning
￮ Service-Oriented Architecture
￮ Strongly isolated applications
￮ Safety and Security
￮ Memory and Execution Budgets
￮ Identity and Access Mgmt
￮ Data Integrity
￮ End-to-end (E2E) protection
Adaptive
AUTOSAR Runtime for Adaptive Applications (ARA)
(Virtual) Machine / Container / Hardware
ara::exec
Execution Mgnt.
ara::com
Communication Mgnt.
ara::rest
RESTful
ara::per
Persistency
SOME/IP
ara::crypto
Cryptography
ara::phm
Platform Health Mgnt.
ara::time
Time Synchronization
ara::log
Logging & Tracing
ara::state service
State
Management
ara::diag service
Diagnostics
User Applications
Adaptive
Application
Adaptive
Application
Adaptive
Application
ASW::XYZ
Non-PF Service
ASW::ABC
Non-PF Service
IPC
(local)
DDS
ara::ucm service
Update and
Configuration
Management
POSIX PSE51 / C++ STL
Operating System
ara::core
Core Types
ara::iam
Identity Access Mgnt.
Adaptive
Application
ara::nm service
Network
Management
ara::s2s service
Signal-2-Service

￮ Watchdog Manager (Classic) or Platform Health
Management (Adaptive) both supervise execution
￮ Alive-ness
￮ Deadline
￮ Logical flow
￮ Response to a detected failure depends on Platform…
￮ Classic  on exception can trigger an ECU reset
￮ Adaptive  enter safe state, reset process, …
￮ This approach has limitations!
￮ Not good for detecting systematic programming errors
 Using more SW to detect problems in the “simple” SW
that we can’t get right…
￮ But nonetheless it’s an important tool for functional safety
Classic/Adaptive AUTOSAR Application Integrity Monitoring
SWC
PHM/
WdgM
Reset (ECU)
on Exception
Clock
Alive?

Hardware and Application Integrity Monitoring
Failure
Alive
Supervision
Deadline
Supervision
Logical
Supervision
WdgM / PHM
Configuration
Unexpected
Program Flow
Defined checkpoint
sequence not reached
Deadlock /
Livelock
Checkpoint at application
start or end missed
Arrival rate
(too early, too late)
Checkpoint at start
reported at wrong time
Response time
Defined interval between
checkpoint pairs outside
expected value

￮ AUTOSAR Adaptive is designed to be
flexible and secure
￮ Identity and Access Management (IAM)
￮ Authentication of installed application
(“is it allowed to run?” )
￮ Integrity validation before execution
(“has it been tampered with? ”)
￮ IAM integrates with platform
￮ Access control for API
(“is this application allowed to call API?” )
￮ Update control for application updates
￮ Execution control
(“is it OK to run application? ”)
Data Integrity – Adaptive

ECU
Partition A
Partition B
Software Partitioning
Partition B
Task B3
Task B1
Task B2
RAM
Partition A
Task A1
RAM
Task A2
￮ Application SW regions to be
protected from interference are
partitioned
￮ Time
￮ Space
￮ Safety
￮ Partitions enable control of
memory access
￮ Application data/code
￮ OS Data
￮ Peripherals
￮ Basis of Resource Management
￮ ET & memory budgets

SW Partitioning on Classic AUTOSAR
o Classic AUTOSAR calls its memory partitions
“OS-Applications”
o Collection of OS objects
Untrusted
OsApplication
Task/ISR
Stack
Data
Code
Data
Task/ISR
Stack
Data
RTA-OS
Stack
Data
Write
Write
Peripherals
Assigned
Unassigned
Write
Any
OsApplication
Code
Data
Task/ISR
Stack
Data
Execute
Read
Untrusted: Limited rights
Trusted: Unlimited rights
Mandatory Restriction
Optional Restriction
Write
Classic

How AUTOSAR is Changing Automotive
o Classic and Adaptive AUTOSAR enable the abstraction
and encapsulation of change
o Change is inevitable… so encapsulate it to limit coupling
o AUTOSAR promotes encapsulation and reuse idioms
o Strong application isolation
o Scalable SW architectures…
o Adaptive AUTOSAR enables SW to adapt rather than be
adapted
o Continue to look to non-automotive for inspiration
o Be open to old “new” ideas; many of the problems
have occurred in other industries before!
o As well as exploiting new ideas
Abstract
Complexity
Encapsulate
Change
Centralize
decisions
Decouple
services
Virtualization
for isolation
“The purpose of abstraction is
not to be vague, but to create a
new semantic level in which
one can be absolutely precise.”
- Edsger Dijkstra, 1972

Summary
o The Adaptive Platform builds on Classic’s solid foundation
o Dynamic Machines  Incremental SW change, Platform updates
o Dynamic Applications  Scalable , Parallel, Deterministic
o Dynamic Communication  Run-time communication partnerships
o The Adaptive Platform is ready …
o … to support the rapid change required for CASE.
o The Adaptive Platform promotes and enables change
o Design for change  Uncertainty is certain, plan for it…
o Encapsulate  Parallelism, Errors, Trust, Change
o Adapt  Self calibrating, self correcting, self learning applications
o Safety  Layers, “Swiss cheese” model

Thank you
Dr. Stuart Mitchell
stuart.mitchell@etas.com
www.etas.com
ETAS Ltd
Bacchus House
Link Business Park
Osbaldwick Link Rd
York, YO10 3JB
United Kingdom
Telephone
+44 1904 562586

Adaptive AUTOSAR - The New AUTOSAR Architecture

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Adaptive AUTOSAR - The New AUTOSAR Architecture

Similaire à Adaptive AUTOSAR - The New AUTOSAR Architecture (20)

Plus de AdaCore

Plus de AdaCore (20)

Dernier

Dernier (20)

Adaptive AUTOSAR - The New AUTOSAR Architecture