Technical Paper

Towards Establishing Continuous-X Pipeline Using Modular Software-in-the-Loop Test Environments

2021-09-22
2021-26-0412
Software-in-the-Loop (SiL) test environments are the ideal virtual platforms for enabling continuous development, integration, testing, delivery and deployment, commonly referred to as Continuous-X (CX), of the complex functionalities in the current automotive industry. This trend is driven in particular by several factors, such as the industry-wide standardization of model exchange formats, interfaces and architecture definitions. The approach of frontloading software testing with SiL test environments is widely advocated and already adopted by various automotive OEMs, and the demand for applicable methods is therefore increasing. However, the prevalent use of a monolithic architecture for the interaction of the various elements in the SiL environment, without regard to the separation between functional and non-functional test scope, reduces usability and thus significantly limits the cost-saving potential of CX with SiL.
Technical Paper

Analyze This! Sound Static Analysis for Integration Verification of Large-Scale Automotive Software

2019-04-02
2019-01-1246
Safety-critical embedded software has to satisfy stringent quality requirements. One such requirement, imposed by all contemporary safety standards, is that no critical run-time errors occur. Run-time errors can be caused by undefined or unspecified behavior of the programming language; examples are buffer overflows or data races. They may cause erroneous or erratic behavior, induce system failures, and constitute security vulnerabilities. A sound static analyzer reports all such defects in the code, or proves their absence. Sound static program analysis is a verification technique recommended by ISO/FDIS 26262 for software unit verification and for the verification of software integration. In this article we propose an analysis methodology that has been implemented with the static analyzer Astrée. It supports quick turn-around times and gives highly precise whole-program results.
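The abstract names buffer overflows as a typical run-time error that a sound analyzer must either report or prove absent. The following C example, added here and not taken from the paper, shows the kind of defect at issue: a table lookup indexed by an untrusted value from the vehicle bus, once without a range check (undefined behavior the analyzer cannot prove safe) and once with one (every access provably in bounds). The table contents, the gear-from-CAN scenario and the function names are constructed for illustration; nothing here is Astrée's own output or API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a per-gear torque limit table, indexed by a gear
 * number that arrives in a CAN frame sent by another ECU. */
#define GEAR_COUNT 6u
static const uint16_t torque_limit_nm[GEAR_COUNT] = { 120u, 180u, 220u, 250u, 260u, 270u };

/* BEFORE: the bus value is used as an index without a range check. Any value
 * >= GEAR_COUNT reads past the array, which is undefined behaviour in C. A
 * sound analyzer has to report this access because it cannot prove the index
 * is in range for every possible frame content. */
uint16_t torque_limit_unchecked(uint8_t gear_from_bus)
{
    return torque_limit_nm[gear_from_bus];
}

/* AFTER: explicit range check with a safe default. Every path now accesses the
 * array only with an index < GEAR_COUNT, so the analyzer can prove the absence
 * of the out-of-bounds access instead of reporting it. */
bool torque_limit_checked(uint8_t gear_from_bus, uint16_t *limit_nm)
{
    if (gear_from_bus >= GEAR_COUNT) {
        *limit_nm = 0u;      /* degrade safely: no torque permitted */
        return false;        /* caller can raise a diagnostic event */
    }
    *limit_nm = torque_limit_nm[gear_from_bus];
    return true;
}

int main(void)
{
    /* Constructed frame contents: one valid gear and one corrupted value. */
    const uint8_t frames[] = { 2u, 0xFFu };
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) {
        uint16_t limit;
        bool ok = torque_limit_checked(frames[i], &limit);
        printf("gear=%u valid=%d limit=%u Nm\n", frames[i], ok, limit);
    }
    return 0;
}
```

The unchecked variant is kept only to show what the analyzer flags; it is never called with an out-of-range value here, because doing so would be the very undefined behavior the abstract warns about.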
Journal Article

Timing Analysis for Hypervisor-based I/O Virtualization in Safety-Related Automotive Systems

2017-03-28
2017-01-1621
The increasing complexity of automotive functions required for improved driving assistance systems and automated driving calls for a change of common vehicle architectures. This includes new concepts for E/E architectures such as a domain-oriented vehicle network based on powerful Domain Control Units (DCUs). These highly integrated controllers consolidate several applications at different safety levels on the same ECU. Hence, the functions depend on a strictly separated and isolated implementation to guarantee correct behavior. Middleware layers that guarantee task isolation and Quality of Service (QoS) communication therefore have to provide several new features, depending on the domain in which the corresponding control unit is used. In a first step we identify requirements for a middleware in automotive DCUs. Our goal is to reuse legacy AUTOSAR-based code in a multicore domain controller.
Technical Paper

FMI for Physics-Based Models on AUTOSAR Platforms

2017-01-10
2017-26-0358
As automobiles become increasingly smarter, the need to understand, within the automotive software, the physical behavior of its parts is growing as well. The laws of physics governing such behavior are mostly formulated as differential equations, which today are usually created or obtained from various modeling tools. For solving them, the tools offer several solvers to satisfy the requirements of different problems, for example simple and fast explicit low-order solvers for non-stiff problems and more complex implicit solvers for stiff problems. Though the modeling and code generation features available in such tools are desirable for embedded automotive software, they cannot be used directly due to special restrictions with respect to hard real-time constraints. One such restriction is the organization of automotive software in components complying with the AUTOSAR standard, which is not widely supported by the modeling tools.
Journal Article

Side View Assist - The World’s First Rider Assistance System for Two-Wheelers

2016-11-08
2016-32-0052
The Side View Assist is the world's first rider assistance system for two-wheelers. It is a blind spot warning system which uses four ultrasonic sensors to monitor the surroundings of the rider. Whenever there is a vehicle (i.e. a car, truck, or another motorbike) in the rider's blind spot, the technology warns the rider with an optical signal close to the mirror. This allows the rider to avoid a collision when changing lanes. In the current vehicle application, Side View Assist is active at speeds ranging from 25 to 80 kilometers per hour and supports riders whenever the difference in relative speed to other road users is small. The system helps to improve safety especially in cities, where heavy traffic makes it necessary to change lanes more often. Such systems were originally developed for cars, and different system solutions for cars have been in series production for several years. The challenge was to adapt these systems so they would work for two-wheelers as well.
Technical Paper

Flex Fuel Software Maintainability Improvement: A Case Study

2016-10-25
2016-36-0214
Many software functions currently available in engine control units have been developed over several years (decades in some cases) and reengineered or adapted due to new requirements, which may add unnecessary complication to their inherent complexity. This paper deals with the study and implementation of a software reengineering strategy for the embedded domain, which is being transferred from the research department to product development, here applied to improve the maintainability of flex fuel functions. The strategy uses the SCODE "Essential Analysis", an approach for the embedded system domain. The method makes it possible to reduce the system complexity to the unavoidable inherent problem complexity, by decomposing the system into smaller sub-problems based on its essential physics. A case study was carried out to redesign a fuel adaptation function. The analysis was performed with the support of a tool which covers all the phases of the method.
Technical Paper

Resource Management Processes for Future Vehicle Electronics

2016-04-05
2016-01-0039
New technologies such as multi-core and Ethernet provide vastly improved computing and communication capabilities. This sets the foundation for the implementation of new digital megatrends in almost all areas: driver assistance, vehicle dynamics, electrification, safety, connectivity, autonomous driving. The new challenge: we must share these computing and communication capacities among all vehicle functions and their software. For this step, we need good resource planning to minimize the probability of late resource bottlenecks (e.g. overload, lack of real-time capability, quality loss). In this article, we summarize the status quo in the field of resource management and provide an outlook on the challenges ahead.
Technical Paper

Virtual Multi-ECU High Fidelity Automotive System Simulation

2016-04-05
2016-01-0013
Automotive vehicles today consist of a very complex network of electronic control units (ECUs) connected with each other using different network implementations such as Controller Area Network (CAN), FlexRay, etc. There are several ECUs inside a vehicle targeting specific applications such as engine, transmission, body, steering, brakes, infotainment/navigation, etc., comprising on average more than 50 ECUs executing more than 50 million lines of software code. This is expected to increase exponentially in the next few years. Such a complex electric/electronic (E/E) architecture and software calls for a comprehensive, flexible and systematic development and validation environment, especially for system-level or vehicle-level development. To achieve this goal, we have built a virtual multi-ECU high-fidelity cyber-physical multi-rate co-simulation that closely resembles a realistic hardware-based automotive embedded system.
Technical Paper

On Timing Requirements and a Critical Gap between Function Development and ECU Integration

2015-04-14
2015-01-0180
With the increasing complexity of electronic vehicle systems, one particular "gap" between function development and ECU integration becomes more and more apparent and critical, albeit not new. The core of the problem is: as more functions are integrated and share the same E/E resources, they increasingly influence and disturb each other in terms of memory, peripherals, and also timing and performance. This has two consequences: the number of timing-related errors increases (because of the disturbance), and it becomes more difficult to find the root causes of timing errors (because of the mutual influences). This calls for more systematic methods to deal with timing requirements in general, and with their transformation from function timing requirements to software architecture timing requirements in particular.
Technical Paper

Desktop Simulation and Calibration of Diesel Engine ECU Software using Software-in-the-Loop Methodology

2014-04-01
2014-01-0189
Current exhaust gas emission regulations can only be well adhered to through optimal interplay of combustion engine and exhaust gas after-treatment systems. Combining a modern diesel engine with several exhaust gas after-treatment components (DPF, catalytic converters) leads to extremely complex drive systems, with very complex and technically demanding control systems. Current engine ECUs (Electronic Control Unit) have hundreds of functions with thousands of parameters that can be adapted to keep the exhaust gas emissions within the given limits. Each of these functions has to be calibrated and tested in accordance with the rest of the ECU software. To date this task has been performed mostly on engine test benches or in Hardware-in-the-Loop (HiL) setups. In this paper, a Software-in-the-Loop (SiL) approach, consisting of an engine model and an exhaust gas treatment (EGT) model, coupled with software from a real diesel engine ECU, will be described in detail.
Technical Paper

Software Architecture Methods and Mechanisms for Timing Error and Failure Detection According to ISO 26262: Deadline vs. Execution Time Monitoring

2013-04-08
2013-01-0174
More electronic vehicle functions lead to an exponentially growing degree of software integration in automotive ECUs. We are seeing an increasing number of ECUs with mixed-criticality software. ISO 26262 describes different safety requirements, including freedom from interference and absence of error propagation for the software. These requirements mandate particular attention for mixed-criticality ECUs. In this paper we investigate the ability to guarantee that these safety requirements will be fulfilled by using established (deadline monitoring) and new error detection mechanisms (execution time monitoring). We also show how these methods can be used to build up safe and efficient schedules for today's and future automotive embedded real-time systems with mixed-criticality software.
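To make the difference between the two mechanisms concrete, here is a small simulation in C, added for this listing and not code from the paper. It models a single core with rate-monotonic priorities, where a QM task with the shorter period (and therefore the higher priority) runs ahead of an ASIL task, and the QM job misbehaves by needing four times its execution-time budget. Deadline monitoring notices the QM task is late only when its deadline expires, and cannot stop the interference, so the ASIL task misses its deadline too; execution-time monitoring attributes the overrun to the QM task at the moment its budget is exceeded, in time to terminate the job and let the ASIL task finish. The task names, periods, budgets, 1 ms accounting tick and the "terminate the offending job" reaction are all constructed assumptions; the paper's own schedules and mechanisms are not reproduced here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { MON_OK = 0, MON_DEADLINE_MISS, MON_BUDGET_OVERRUN } mon_event_t;

typedef struct {
    const char *name;
    uint32_t deadline_us;   /* absolute deadline of the current job */
    uint32_t budget_us;     /* execution-time budget, e.g. from WCET analysis */
    uint32_t consumed_us;   /* CPU time charged to the current job so far */
    bool     done;          /* job completed */
} task_t;

/* Deadline monitoring: evaluated when a deadline expires (timer) or a job
 * completes. It reports that *this* task was late, after the fact, and says
 * nothing about which task consumed the time. */
static mon_event_t deadline_monitor(const task_t *t, uint32_t now_us)
{
    return (!t->done && now_us >= t->deadline_us) ? MON_DEADLINE_MISS : MON_OK;
}

/* Execution-time monitoring: the OS charges each CPU slice to the task that
 * ran it and compares the total against that task's own budget at every
 * preemption or completion. The overrun is attributed to the culprit and
 * detected as soon as it happens, while other tasks can still be protected. */
static mon_event_t runtime_monitor(const task_t *t)
{
    return (t->consumed_us > t->budget_us) ? MON_BUDGET_OVERRUN : MON_OK;
}

typedef struct {
    mon_event_t first_event;     /* first error reported by any monitor */
    const char *first_culprit;   /* task the error was attributed to */
    uint32_t    first_time_us;   /* time of that report */
    bool        asil_missed;     /* did the safety task miss its deadline? */
} sim_result_t;

static void record(sim_result_t *r, mon_event_t ev, const char *task, uint32_t t_us)
{
    if (r->first_event == MON_OK) {
        r->first_event = ev; r->first_culprit = task; r->first_time_us = t_us;
    }
}

#define TICK_US 1000u   /* constructed: OS accounting granularity */

/* Constructed scenario: QM task (period/deadline 4 ms, budget 2 ms) has the
 * higher rate-monotonic priority; ASIL task (deadline 10 ms, budget 3 ms)
 * runs only when the QM task does not. The QM job actually needs 8 ms. */
static sim_result_t simulate(bool with_runtime_monitor)
{
    task_t qm   = { "qm_task",   4000u,  2000u, 0u, false };
    task_t asil = { "asil_task", 10000u, 3000u, 0u, false };
    const uint32_t qm_actual_us = 8000u;
    sim_result_t r = { MON_OK, "", 0u, false };
    bool qm_terminated = false;

    for (uint32_t now = 0u; now < asil.deadline_us; now += TICK_US) {
        task_t *run;
        if (!qm.done && !qm_terminated) run = &qm;      /* highest priority ready */
        else if (!asil.done)            run = &asil;
        else                            break;

        const uint32_t next = now + TICK_US;
        run->consumed_us += TICK_US;                    /* OS accounts CPU time */
        if (run == &qm   && qm.consumed_us   >= qm_actual_us)   qm.done   = true;
        if (run == &asil && asil.consumed_us >= asil.budget_us) asil.done = true;

        if (with_runtime_monitor && runtime_monitor(run) == MON_BUDGET_OVERRUN) {
            record(&r, MON_BUDGET_OVERRUN, run->name, next);
            if (run == &qm) qm_terminated = true;       /* reaction: abort QM job */
        }
        if (!qm_terminated && deadline_monitor(&qm, next) == MON_DEADLINE_MISS)
            record(&r, MON_DEADLINE_MISS, qm.name, next);
        if (deadline_monitor(&asil, next) == MON_DEADLINE_MISS)
            record(&r, MON_DEADLINE_MISS, asil.name, next);
    }
    r.asil_missed = !asil.done;
    return r;
}

int main(void)
{
    const char *names[] = { "OK", "DEADLINE_MISS", "BUDGET_OVERRUN" };
    for (int mode = 0; mode < 2; mode++) {
        sim_result_t r = simulate(mode == 1);
        printf("%-38s first event %s on %s at %u us; asil_task %s its deadline\n",
               mode ? "deadline + execution-time monitoring:" : "deadline monitoring only:",
               names[r.first_event], r.first_culprit, r.first_time_us,
               r.asil_missed ? "missed" : "met");
    }
    return 0;
}
```

With deadline monitoring alone the first report is a deadline miss on qm_task at 4 ms, by which time nothing can prevent asil_task from also missing at 10 ms. With execution-time monitoring added, qm_task is flagged at 3 ms, the job is terminated, and asil_task completes at 6 ms; the overrun is both detected earlier and attributed to the task that caused it, which is what freedom from interference in a mixed-criticality schedule requires.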
Journal Article

Schedule Design to Guarantee Freedom of Interference in Mixed Criticality Systems

2012-04-16
2012-01-0036
The integration of mixed-criticality software according to safety standards like ISO 26262 generates new, parasitic mutual effects within the involved software architectures. In this situation, established schedule design patterns like RMS fail to deliver both efficiency and safety, in particular freedom from interference. In today's practice of building a schedule, certain measures to fulfill these safety requirements can conflict with efficiency requirements. The target of this paper is to present a sound approach to solving such requirement conflicts and building schedules that are safe and also efficient. We present a general early-stage procedure to build safe, certifiable, and efficient schedules. The procedure is based on the established design patterns and adds guidelines on how to exploit additional options in both schedule design and software partitioning. This procedure was validated against typical real-world systems, and one example is presented.
Technical Paper

AUTOSAR Gets on the Road - More and More

2012-04-16
2012-01-0014
AUTOSAR (AUTomotive Open System ARchitecture) is a worldwide standard for automotive basic software in line with an architecture that eases the exchange and transfer of application software components between platforms or companies. AUTOSAR provides the standardized architecture together with the specifications of the basic software, along with the methodology for developing embedded control units for automotive applications. AUTOSAR has matured over the last several years through intensive development, implementation and maintenance. Two main releases (R3.2 and R4.0) represent its current degree of maturity. AUTOSAR is driven by so-called core partners: leading car manufacturers (BMW, Daimler, Ford, GM, PSA, Toyota, Volkswagen) together with the tier 1 suppliers Continental and Bosch. AUTOSAR in total has more than 150 companies (OEMs, Tier X suppliers, SW and tool suppliers, and silicon suppliers) as members from all over the world.
Technical Paper

An Integrated Timing Analysis Methodology for Real-Time Systems

2011-04-12
2011-01-0444
Developers of safety-critical real-time systems have to ensure that their systems react within given time bounds. Ideally, the system is designed to provide sufficient computing power and network bandwidth, is cost efficient and provides the necessary safety level. To achieve this goal, three challenges have to be addressed. First, it must be possible to account for timing during early development stages in the architecture exploration phase. Second, during software development, timing behavior and the effects of software changes on timing must be observable. Third, there must be a technology for formally verifying the final timing behavior for industry-size applications. In this article we present a comprehensive methodology for dealing with timing which addresses all three issues based on state-of-the-art commercial tools.
Technical Paper

Domain Control Units - the Solution for Future E/E Architectures?

2010-04-12
2010-01-0686
In order to master the increasing complexity of electrical/electronic (E/E) systems in vehicles, E/E architecture design has become an established discipline. The task of the E/E architecture design is to come up with solutions to challenging and often contradictory requirements such as reduced cost and increased flexibility / scalability. One way to optimize the E/E architecture in terms of cost (electronics & wiring harness) is to integrate functions. This can be done by either combining functions from multiple ECUs into a single ECU or by introducing Domain Control Units. Domain Control Units provide the main software functionality for a vehicle domain, while relegating the basic functions of actuator control to connected intelligent actuators. Depending on the different market segments (low price, volume and premium) and the different vehicle domains, the actual usage of Domain Control Units can be quite different and sometimes questionable.
Technical Paper

Scheduling Analysis and Optimization for Safety-Critical Automotive Systems

2008-04-14
2008-01-0123
When designing safety-critical automotive systems, verification of timing and performance is key, especially the verification of hard deadlines and other critical timing constraints. Test- or simulation-based approaches suffer from corner-case coverage problems and are becoming less reliable as systems grow in size and complexity. Time-triggered mechanisms (e.g. OSEKtime and FlexRay) were proposed as a way out by providing better timing prediction. However, for reasons of cost, flexibility and reactivity, future cars will most likely contain a mix of event-triggered (ET) and time-triggered (TT) components that are combined synchronously and/or asynchronously, thereby further complicating timing. Scheduling analysis has recently matured to allow reliable timing verification and systematic optimization for ET, TT, and mixed systems.
Technical Paper

Simulation Tool Chain for the Estimation of EMC Characteristics of ECU Modules

2007-04-16
2007-01-1591
Electromagnetic Compatibility (EMC) requirements and the effort to fulfill them are increasing steadily in automotive applications. This paper demonstrates the usage of virtual prototyping to efficiently investigate the EMC behavior of a gasoline direct injection system. While the system worked functionally as designed, tests indicated that current and especially future client-specific EMC limits could not be met. The goal of this investigation was to identify and eliminate the cause of EMC emissions using a virtual software prototype including the controller ASIC, boost converter, pi filter, injection valves and wire harness. Applying virtual prototyping techniques it was possible to capture the motor control system in a simulation model which reproduced EMC measurements in the frequency ranges of interest.
Technical Paper

AutoMoDe - Notations, Methods, and Tools for Model-Based Development of Automotive Software

2005-04-11
2005-01-1281
This paper describes the first results from the AutoMoDe project (Automotive Model-based Development), where an integrated methodology for model-based development of automotive control software is being developed. The results presented include a number of problem-oriented graphical notations, based on a formally defined operational model, which are associated with system views for various degrees of abstraction. It is shown how the approach can be used for partitioning comprehensive system designs for subsequent implementation-related tasks. Recent experiences from a case study of an engine management system, specific issues related to reengineering, and the current status of CASE-tool support are also presented.
Technical Paper

Safety Support by an Automotive Middleware

2005-04-11
2005-01-1530
The amount of software integrated into today's vehicles grows exponentially and tends to be a patchwork of non-interrelated applications. However, the interrelationship becomes more and more intensive as applications start to cooperate and therefore communicate with each other. By introducing a cross-domain middleware concept we want applications to experience a high level of integration and to enable the outsourcing of features that applications have in common.
Technical Paper

A Backbone in Automotive Software Development Based on XML and ASAM/MSR

2004-03-08
2004-01-0295
The development of future automotive electronic systems requires new concepts in the software architecture, development methodology and information exchange. At Bosch an XML and MSR based technology is applied to achieve a consistent information handling throughout the entire software development process. This approach enables the tool independent exchange of information and documentation between the involved development partners. This paper presents the software architecture, the specification of software components in XML, the process steps, an example and an exchange scenario with an external development partner.