Search Results
Journal Article

Timing Analysis for Hypervisor-based I/O Virtualization in Safety-Related Automotive Systems

2017-03-28
2017-01-1621
The increasing complexity of the automotive functions required for improved driver assistance systems and automated driving calls for a change of common vehicle architectures. This includes new concepts for E/E architectures such as a domain-oriented vehicle network based on powerful Domain Control Units (DCUs). These highly integrated controllers consolidate several applications of different safety levels on the same ECU. Hence, the functions depend on a strictly separated and isolated implementation to guarantee correct behavior. Middleware layers that guarantee task isolation and Quality of Service (QoS) communication therefore have to provide several new features, depending on the domain the corresponding control unit is used for. In a first step we identify requirements for a middleware in automotive DCUs. Our goal is to reuse legacy AUTOSAR-based code in a multicore domain controller.
Technical Paper

Resource Management Processes for Future Vehicle Electronics

2016-04-05
2016-01-0039
New technologies such as multi-core and Ethernet provide vastly improved computing and communication capabilities. This sets the foundation for the implementation of new digital megatrends in almost all areas: driver assistance, vehicle dynamics, electrification, safety, connectivity, autonomous driving. The new challenge: we must share these computing and communication capacities among all vehicle functions and their software. For this step, we need good resource planning to minimize the probability of late resource bottlenecks (e.g. overload, lack of real-time capability, quality loss). In this article, we summarize the status quo in the field of resource management and provide an outlook on the challenges ahead.
Technical Paper

Virtual Multi-ECU High Fidelity Automotive System Simulation

2016-04-05
2016-01-0013
Automotive vehicles today consist of a very complex network of electronic control units (ECUs) connected with each other using different network implementations such as Controller Area Network (CAN), FlexRay, etc. There are several ECUs inside a vehicle targeting specific applications such as engine, transmission, body, steering, brakes, infotainment/navigation, etc., comprising on average more than 50 ECUs executing more than 50 million lines of software code. This is expected to increase exponentially in the next few years. Such a complex electric/electronic (E/E) architecture and software calls for a comprehensive, flexible and systematic development and validation environment, especially for system-level or vehicle-level development. To achieve this goal, we have built a virtual multi-ECU high-fidelity cyber-physical multi-rate cosimulation that closely resembles a realistic hardware-based automotive embedded system.
Technical Paper

On Timing Requirements and a Critical Gap between Function Development and ECU Integration

2015-04-14
2015-01-0180
With the increasing complexity of electronic vehicle systems, one particular “gap” between function development and ECU integration becomes more and more apparent and critical, although it is not new. The core of the problem is: as more functions are integrated and share the same E/E resources, they increasingly influence and disturb each other in terms of memory, peripherals, and also timing and performance. This has two consequences: the number of timing-related errors increases (because of the disturbance), and it becomes more difficult to find the root causes of timing errors (because of the mutual influences). This calls for more systematic methods to deal with timing requirements in general, and with their transformation from function timing requirements into software architecture timing requirements in particular.
Technical Paper

On Managing Performance and Timing in Early-Stage E/E Design - Reducing the Gap Between Requirements and Implementation

2013-04-08
2013-01-1223
For a long time, tools and methods for automotive E/E design were mostly the domain of academic research only. Recently, OEMs have started adopting selected contributions, because (very soon) it will become quite costly NOT to apply them. The first step is establishing centralized data storage for all design data. At present, selecting appropriate abstraction levels and design methods that are fed by and feed the data is the task at hand. In this paper, we summarize recent progress in this selection process with a focus on performance, which is a key aspect for architecture generation. Our contribution provides incremental progress from both ends of the mentioned gap (requirements vs. architecture vs. implementation) towards one another. The presentation is created around the IMES project [21] considering centralized data storage. However, the overall approach is based on established standards and common design patterns as much as possible.
Technical Paper

Software Architecture Methods and Mechanisms for Timing Error and Failure Detection According to ISO 26262: Deadline vs. Execution Time Monitoring

2013-04-08
2013-01-0174
More electronic vehicle functions lead to an exponentially growing degree of software integration in automotive ECUs. We are seeing an increasing number of ECUs with mixed-criticality software. ISO 26262 describes different safety requirements, including freedom from interference and absence of error propagation for the software. These requirements mandate particular attention for mixed-criticality ECUs. In this paper we investigate the ability to guarantee that these safety requirements will be fulfilled by using an established error detection mechanism (deadline monitoring) and a new one (execution time monitoring). We also show how these methods can be used to build up safe and efficient schedules for today's and future automotive embedded real-time systems with mixed-criticality software.
Journal Article

Schedule Design to Guarantee Freedom of Interference in Mixed Criticality Systems

2012-04-16
2012-01-0036
The integration of mixed-criticality software according to safety standards like ISO 26262 generates new, parasitic mutual effects within the involved software architectures. In this situation, established schedule design patterns like RMS fail to deliver both efficiency and safety, in particular freedom from interference. In today's practice of building a schedule, certain measures to fulfill these safety requirements can conflict with efficiency requirements. The target of this paper is to present a sound approach to solving such requirement conflicts and building schedules that are safe and also efficient. We present a general early-stage procedure to build safe, certifiable, and efficient schedules. The procedure is based on the established design patterns and adds guidelines on how to exploit additional options in both schedule design and software partitioning. This procedure was validated against typical real-world systems and one example is presented.
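The two abstracts above (deadline vs. execution-time monitoring, and why plain RMS does not give freedom from interference) are easiest to see on a concrete schedule. The following simulation is an added example written for this listing; it is not code from either paper, and the task set, tick granularity, and task names are constructed. A QM task ("lidar_preproc") is given a 1-tick budget but actually runs for 3 ticks; under RMS it has the highest priority, so its overrun is charged to the ASIL D "brake_ctrl" task. A deadline monitor only reports the victim, and only at the missed deadline; an execution-time monitor reports the culprit on the tick it exceeds its budget, and if it is also allowed to enforce the budget (terminate the job), the ASIL D task keeps its deadline.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    period: int   # release period in ticks; deadline = period (implicit deadline)
    budget: int   # execution-time budget allocated to the task (its WCET claim)
    actual: int   # constructed actual execution time of each job; may exceed budget
    asil: str     # criticality, for reporting only


@dataclass
class Job:
    task: Task
    deadline: int
    remaining: int
    consumed: int = 0
    done: bool = False
    killed: bool = False
    overrun_reported: bool = False


# Constructed mixed-criticality task set (assumption, not from the papers).
# Budget utilisation is 1/4 + 3/8 + 2/16 = 0.75, which RMS can schedule;
# the QM task's real demand (3/4) pushes the core over 100%.
TASKS = [
    Task("lidar_preproc", period=4, budget=1, actual=3, asil="QM"),
    Task("brake_ctrl", period=8, budget=3, actual=3, asil="ASIL D"),
    Task("diag_log", period=16, budget=2, actual=2, asil="QM"),
]


def simulate(tasks, horizon, enforce_budget):
    """Tick-level fixed-priority preemptive schedule with RMS priorities
    (shorter period = higher priority). Returns what each monitor reported."""
    prio = {t.name: i for i, t in enumerate(sorted(tasks, key=lambda t: t.period))}
    jobs = []
    deadline_misses = []   # (tick, task): deadline monitor, fires at the deadline
    budget_overruns = []   # (tick, task): execution-time monitor, fires on dispatch
    for tick in range(horizon):
        for task in tasks:                         # periodic releases
            if tick % task.period == 0:
                jobs.append(Job(task, tick + task.period, task.actual))
        for job in jobs:                           # deadline monitor
            # A job terminated by budget enforcement was already reported as
            # an overrun, so it is not counted as a deadline miss here.
            if job.deadline == tick and not job.done and not job.killed:
                deadline_misses.append((tick, job.task.name))
        while True:                                # dispatcher
            runnable = [j for j in jobs if not j.done and not j.killed]
            if not runnable:
                break
            job = min(runnable, key=lambda j: prio[j.task.name])
            if job.consumed >= job.task.budget:    # execution-time monitor
                if not job.overrun_reported:
                    job.overrun_reported = True
                    budget_overruns.append((tick, job.task.name))
                if enforce_budget:                 # contain the culprit, not the victim
                    job.killed = True
                    continue
            job.consumed += 1                      # run one tick
            job.remaining -= 1
            job.done = job.remaining == 0
            break
    return {"deadline_misses": deadline_misses, "budget_overruns": budget_overruns}


if __name__ == "__main__":
    for enforce in (False, True):
        print(f"enforce_budget={enforce}:", simulate(TASKS, 16, enforce))
```

Without enforcement the deadline monitor fires at tick 8 against brake_ctrl, seven ticks after lidar_preproc first exceeded its budget at tick 1, and it names the ASIL D task even though the fault is in the QM task. With enforcement the same execution-time monitor reports lidar_preproc every period and brake_ctrl never misses, which is what freedom from interference between criticality levels requires; the price is that the overrunning task is cut short, so the budget must be a real WCET figure, not a guess.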
Technical Paper

An Integrated Timing Analysis Methodology for Real-Time Systems

2011-04-12
2011-01-0444
Developers of safety-critical real-time systems have to ensure that their systems react within given time bounds. Ideally, the system is designed to provide sufficient computing power and network bandwidth, is cost efficient and provides the necessary safety level. To achieve this goal, three challenges have to be addressed. First, it must be possible to account for timing during early development stages in the architecture exploration phase. Second, during software development, timing behavior and the effects of software changes on timing must be observable. Third, there must be a technology for formally verifying the final timing behavior for industry-size applications. In this article we present a comprehensive methodology for dealing with timing which addresses all three issues based on state-of-the-art commercial tools.
Technical Paper

Using Timing Analysis for Evaluating Communication Behavior and Network Topologies in an Early Design Phase of Automotive Electric/Electronic Architectures

2009-04-20
2009-01-1379
The increasing functionality and complexity of future electric/electronic architectures requires efficient methods and tools to support design decisions, which are taken in early development phases [6]. For the past four years, a holistic approach to architecture development has been established at the Mercedes-Benz Cars R&D department. At its core is a seamless design flow, including the conception, the analysis and the documentation of electric/electronic architectures. One of the current challenges in the design of electric/electronic architectures concerns communication behavior and network topologies. The increasing data exchange between the ECUs places high demands on the networks. With the introduction of FlexRay [21] and Ethernet, the automotive network architecture becomes a lot more heterogeneous. Especially gateways must fulfill many new requirements to handle the strict periodic schedule of FlexRay and the partly event-triggered communication on CAN buses [23].
Technical Paper

Scheduling Analysis and Optimization for Safety-Critical Automotive Systems

2008-04-14
2008-01-0123
When designing safety-critical automotive systems, verification of timing and performance is key, especially the verification of hard deadlines and other critical timing constraints. Test- or simulation-based approaches suffer from corner-case coverage problems and are becoming less reliable as systems grow in size and complexity. Time-triggered mechanisms (e.g. OSEKtime and FlexRay) were proposed as a way out by providing better timing predictability. However, for reasons of cost, flexibility and reactivity, future cars will most likely contain a mix of event-triggered (ET) and time-triggered (TT) components that are combined synchronously and/or asynchronously, thereby further complicating timing. Scheduling analysis has recently matured to allow reliable timing verification and systematic optimization for ET, TT, and mixed systems.
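The "scheduling analysis" these abstracts refer to, for the event-triggered fixed-priority part of a system, is the worst-case response-time recurrence of Joseph and Pandya: R_i = C_i + B_i + sum over higher-priority tasks j of ceil(R_i / T_j) * C_j, iterated to a fixed point and compared against the deadline D_i. The block below is an added example written for this page, not the method or tooling of any of the papers listed; the task set is constructed. It also computes the Liu & Layland utilisation bound to show why the exact analysis is needed: the set has utilisation 0.9, above the bound for three tasks (about 0.78), so the bound cannot certify it, yet every task meets its deadline. The optional blocking term B_i is the standard way to account for a lower-priority task's non-preemptible section or an interrupt-masked region; time-triggered (FlexRay/OSEKtime) slots need a table-driven model and are not covered here.

```python
import math
from typing import NamedTuple


class Task(NamedTuple):
    name: str
    wcet: int      # C_i, worst-case execution time in ticks
    period: int    # T_i
    deadline: int  # D_i, assumed <= T_i


# Constructed task set (assumption, not from the papers). RMS priorities:
# shorter period = higher priority.
TASKS = [
    Task("wheel_speed", wcet=2, period=5, deadline=5),
    Task("abs_ctrl", wcet=3, period=10, deadline=10),
    Task("esp_monitor", wcet=4, period=20, deadline=20),
]


def utilization(tasks):
    return sum(t.wcet / t.period for t in tasks)


def ll_bound(n):
    """Liu & Layland RMS bound n*(2^(1/n)-1): sufficient, not necessary."""
    return n * (2 ** (1 / n) - 1)


def response_time(task, higher_priority, blocking=0, max_iter=10_000):
    """Worst-case response time by fixed-point iteration of
    R = C + B + sum_{j in hp} ceil(R / T_j) * C_j.
    Stops as soon as R exceeds the deadline, since the recurrence need not
    converge for an unschedulable task; the returned value is then > D."""
    r = task.wcet + blocking
    for _ in range(max_iter):
        interference = sum(math.ceil(r / hp.period) * hp.wcet for hp in higher_priority)
        r_next = task.wcet + blocking + interference
        if r_next == r or r_next > task.deadline:
            return r_next
        r = r_next
    raise RuntimeError("response-time recurrence did not converge")


def analyse(tasks, blocking=None):
    """Assign RMS priorities and run response-time analysis.
    Returns {task name: (worst-case response time, meets deadline)}."""
    blocking = blocking or {}
    ordered = sorted(tasks, key=lambda t: t.period)
    result = {}
    for i, task in enumerate(ordered):
        r = response_time(task, ordered[:i], blocking.get(task.name, 0))
        result[task.name] = (r, r <= task.deadline)
    return result


if __name__ == "__main__":
    n = len(TASKS)
    print(f"U = {utilization(TASKS):.2f}, LL bound for {n} tasks = {ll_bound(n):.3f}")
    for name, (r, ok) in analyse(TASKS).items():
        print(f"{name:12s} R = {r:2d}  {'ok' if ok else 'DEADLINE MISS'}")
```

For esp_monitor the iteration runs 4, 9, 11, 16, 18, 18 and stops at 18 <= 20. Raising its WCET to 7 drives the sequence past 20 (7, 14, 19, 21), which is exactly the corner case a simulation of a few hyperperiods can miss if the critical instant never occurs in the runs chosen. The analysis is only as good as the WCET and blocking figures fed to it, which is why the monitoring mechanisms in the earlier abstracts matter at run time even after a schedule has been verified offline.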