20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Page 1: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Evolving Needs for Software Systems - Demonstrated

Rudolf Grave, Alexander Much, 2016-07-06

CC SSE Much, Grave | 2016-07-06 | VDA Automotive SYS 2016 | Public | © Elektrobit Automotive GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Page 2

Evolving Needs for Software Systems - Demonstrated

Agenda

• 14:00 – 14:05: Introduction
• 14:00 – 14:20: A quick rush through AUTOSAR
• 14:20 – 15:40: Architectures for safety
• 15:40 – 15:50: Coffee break
• 15:50 – 16:20: Secure automotive ethernet communication
• 16:20 – 17:00: Demonstrator: dynamic reconfiguration with classic AUTOSAR
• Open end: Q&A

Page 3

Evolving Needs for Software Systems - Demonstrated

The hosts

Alexander Much
• Joined EB in 2003
• Head of Software Systems Engineering
• SPICE assessor, safety assessor
• "Future stuff"

Rudolf Grave
• Joined EB in 2005
• Senior Expert ECU Architecture
• Auditor
• "Getting things done"

Page 4

A quick rush through AUTOSAR

Page 5

Architecture - Basic AUTOSAR Approach

[Figure: layered architecture. Software components SW-C A, SW-C B, SW-C C and SW-C D sit on top of an RTE; below the RTE each of ECU I, ECU II ... ECU m has its own BSW running on its µC.]

Page 6

Architecture - Layered Architecture

[Figure: AUTOSAR layered architecture, top to bottom: Application Layer; Runtime Environment (RTE); System Services, Memory Services, Communication Services; Onboard Device Abstraction, Memory Hardware Abstraction, Communication Hardware Abstraction, I/O Hardware Abstraction; Microcontroller Drivers, Memory Drivers, Communication Drivers, I/O Drivers; Complex Device Drivers spanning from the RTE down to the hardware. The same figure is repeated on pages 7 to 13 with the layer under discussion highlighted.]

Page 7

Architecture - Microcontroller Abstraction Layer (MCAL)

Task:
‒ Make higher software layers independent of µC

Properties:
‒ Implementation: µC dependent
‒ Upper Interface: Standardized and µC independent

The Microcontroller Abstraction Layer is the lowest software layer of the Basic Software. It contains internal drivers, which are software modules with direct access to the µC internal peripherals and memory mapped µC external devices.

[Figure: layered architecture diagram with the Microcontroller Abstraction Layer highlighted.]

Page 8

Architecture - ECU Abstraction Layer

Task:
‒ Make higher software layers independent of ECU hardware layout, e.g. bus types, memory devices

Properties:
‒ Implementation: µC independent, ECU hardware dependent
‒ Upper Interface: µC and ECU hardware independent, dependent on signal type

The ECU Abstraction Layer interfaces the drivers of the Microcontroller Abstraction Layer. It also contains drivers for external devices. It offers an API for access to peripherals and devices regardless of their location (µC internal/external) and their connection to the µC (port pins, type of interface).

[Figure: layered architecture diagram with the ECU Abstraction Layer highlighted.]

Page 9

Architecture - Complex Device Driver

Task:
‒ Fulfill the special functional and timing requirements for handling complex sensors and actuators

Properties:
‒ Implementation: Highly µC, ECU and application dependent
‒ Upper Interface: Specified and implemented according to AUTOSAR (AUTOSAR interface)

A Complex Device Driver implements complex sensor evaluation and actuator control with direct access to the µC using specific interrupts and/or complex µC peripherals (like PCP, TPU), e.g.
- Injection control
- Electric valve control
- Incremental position detection

[Figure: layered architecture diagram with the Complex Driver highlighted.]

Page 10

Architecture - IO Hardware Abstraction

I/O Hardware Abstraction

• Project specific
‒ AUTOSAR provides high level requirements and guidelines

• Signal based interface
‒ Digital IO
‒ Analogue IO
‒ PWM

• Encapsulates
‒ Mapping signal to pin
‒ Filtering and de-bouncing
‒ Failure monitoring (SC to ground/power, open load, … ) and reporting
‒ Compensation of static influences
‒ Conversion to physical units
‒ Handling of SPI driven devices

[Figure: layered architecture diagram with the I/O Hardware Abstraction highlighted.]

Page 11

Architecture - Service Layer

Task:
‒ Provide basic services for application and basic software modules.

Properties:
‒ Implementation: Partly µC, ECU hardware and application specific
‒ Upper Interface: µC and ECU hardware independent

The Services Layer is the highest layer of the Basic Software, which also reflects its relevance for the application software: while access to I/O signals is covered by the ECU Abstraction Layer, the Services Layer offers:
- Operating system functionality
- Vehicle network communication / management
- Memory services (NVRAM management)
- Diagnostic Services (UDS, OBD)
- Mode management

[Figure: layered architecture diagram with the Services Layer highlighted.]

Page 12

Architecture - Runtime Environment (RTE)

Task:
‒ Make AUTOSAR Software Components independent from the mapping to a specific ECU

Properties:
‒ Implementation: ECU and application specific (generated individually for each ECU)
‒ Upper Interface: Completely ECU independent

The RTE is a layer providing communication services to the application software (AUTOSAR Software Components and/or AUTOSAR Sensor/Actuator components). Above the RTE the software architecture style changes from "layered" to "component style". The AUTOSAR Software Components communicate with other components (inter and/or intra ECU) and/or services via the RTE.

[Figure: layered architecture diagram with the Runtime Environment (RTE) highlighted.]

Page 13

Architecture - Application Layer

Task:
‒ Implement applications (runnables) that are executed by the RTE

Properties:
‒ Applications completely ECU independent.
‒ Sensor/Actuator SW-Cs are dependent on the specifics of a sensor or actuator.

The Application Layer is a layer providing application software (AUTOSAR Software Components and/or AUTOSAR Sensor/Actuator components).

Above the RTE the software architecture style changes from "layered" to "component style". The AUTOSAR Software Components communicate with other components (inter and/or intra ECU) and/or services via the RTE.

[Figure: layered architecture diagram with the Application Layer highlighted.]

Page 14

EB tresos AutoCore Solutions

EB tresos AutoCore Safety Solutions up to ASIL D

[Figure: module map of the EB tresos AutoCore stack. Application: project-specific Application SWCs, EB SWCs, OEM SWCs. Safety RTE (Rte, RteAs) and Safety OS (Os). Basic Software: Com Services (Com, PduR, IPduM, LDCOM); IP (SoAd, TcpIp, EthIf, UdpNm, EthSm, DoIP); CAN (CanIf, CanTp, CanNm, CanSm, CanAs); LIN (LinIf, LinTp, LinNm, LinSm); FlexRay (FrIf, FrTp, FrNm, FrSm, FrAs); Memory (NvM, MemIf, Fee, Ea, Crc, MemAs); Mode Mgmt. (ComM, EcuM, BswM); Nm; XCP; Diagnostic (Dem, Dcm, FiM); Crypto (CSM, CRY, CAL, Cpl); Libs; Safety E2E Protection; Safety TimE Protection; Dbg; STBM; Time Sync (FlexRay); Time Sync (Ethernet); IoHwAbs; CDD; Base (Det, EcuC, Make, MemMap, Platform, PbcfgM; Configurators: HidWiz, SvcAs; Workflows). MCAL: Fr*, FrTrcv*, Can, CanTrcv*, Eth*, EthTrcv*, Lin, LinTrcv, Eep, Fls, FlsTst, RamTst*, Wdg, Adc, Mcu, Port, Dio, Icu, Gpt, Pwm, Spi, SD. Legend: Safety, ACG, 3rd Party, OEM, ACM; * = EB / 3rd Party.]

Page 15

Architectures for Safety

Page 16

Evolving Needs for Software Systems - Demonstrated

Example: electric seat positioning

[Figure: car seat with its movement directions: up, down, front, back.]

Page 17

Evolving Needs for Software Systems - Demonstrated

Example: electric seat positioning

[Figure: the seat positioning ECU with its signals: endP_back, endP_front, SeatPos, motor_current, motor_out, Switch_back, Switch_back_red, Switch_front, Switch_front_red, Wdg_Ext.]

Page 18

Evolving Needs for Software Systems - Demonstrated

Exercise - Introduction

The software system shall:

• Read two redundant Adc signals
• Perform some calculation
‒ Requires data from non-volatile memory
• Send a result via the CAN bus

Page 19

Evolving Needs for Software Systems - Demonstrated

Exercise – Constraints

Software constraints:

• ECU shall use AUTOSAR architecture and modules
• Software elements with different safety levels need to be integrated
• CAN stack is implemented according to QM
• ADC and SPI are implemented according to QM
• ADC and ADCext measure the same signal (redundancy)

Organizational constraints:

• Microcontroller might change in future
• Filter and signal preparation for calculation might change

Page 20

Evolving Needs for Software Systems - Demonstrated

Exercise - Part 0

Define data path between Adc signal measurement and Calculation software element

• Define additional software units if required
• Define interfaces between software modules

Draw elements and interfaces directly in the diagram
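One possible answer to Part 0, as an added example that is not part of the slides or of any EB or AUTOSAR code: a validation unit placed between the two QM ADC drivers (on-chip Adc, ADCext read via SPI) and the ASIL calculation element, so the calculation never consumes a raw QM reading. It does the range check for short to ground/supply, the redundancy comparison and the de-bouncing that the I/O Hardware Abstraction slide lists; the limits, type names and the debounce count are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed example for the Part 0 exercise (not EB or AUTOSAR code):
 * a validation unit between the two QM ADC drivers (on-chip Adc, ADCext
 * read via SPI) and the ASIL calculation element. Only a qualified
 * signal leaves this unit, so the calculation never consumes raw QM data.
 * All limits are example values chosen for this illustration. */

#define ADC_RAW_MIN    0x0010   /* below: short to ground or open load     */
#define ADC_RAW_MAX    0x0FF0   /* above: short to supply                  */
#define ADC_TOLERANCE  0x0040   /* max accepted difference of the channels */
#define DEBOUNCE_LIMIT 3        /* consecutive bad samples before a fault  */

typedef enum {
    SIG_NOT_READY = 0,     /* no qualified value yet                         */
    SIG_VALID,             /* both channels in range and agree               */
    SIG_HELD,              /* glitch suspected, last good value held         */
    SIG_INVALID_RANGE,     /* debounced: a channel outside electrical limits */
    SIG_INVALID_MISMATCH   /* debounced: channels disagree beyond tolerance  */
} SigStatus;

typedef struct {
    uint16_t  value;       /* last qualified value                     */
    SigStatus status;
    uint8_t   faultCount;  /* consecutive failed samples (de-bouncing) */
} QualifiedSignal;

void Sig_Init(QualifiedSignal *s)
{
    s->value = 0;
    s->status = SIG_NOT_READY;
    s->faultCount = 0;
}

static bool Sig_InRange(uint16_t raw)
{
    return raw >= ADC_RAW_MIN && raw <= ADC_RAW_MAX;
}

/* Called once per cycle with the raw readings of both channels.
 * Returns the status after this sample. */
SigStatus Sig_Validate(QualifiedSignal *s, uint16_t adcInt, uint16_t adcExt)
{
    SigStatus sample;

    if (!Sig_InRange(adcInt) || !Sig_InRange(adcExt)) {
        sample = SIG_INVALID_RANGE;
    } else if (abs((int)adcInt - (int)adcExt) > ADC_TOLERANCE) {
        sample = SIG_INVALID_MISMATCH;
    } else {
        sample = SIG_VALID;
    }

    if (sample == SIG_VALID) {
        s->faultCount = 0;
        /* channels agree: hand on the mean of both readings */
        s->value = (uint16_t)(((unsigned)adcInt + adcExt) / 2u);
        s->status = SIG_VALID;
    } else {
        if (s->faultCount < DEBOUNCE_LIMIT) {
            s->faultCount++;
        }
        if (s->faultCount >= DEBOUNCE_LIMIT) {
            s->status = sample;          /* fault confirmed: report it          */
        } else if (s->status == SIG_VALID || s->status == SIG_HELD) {
            s->status = SIG_HELD;        /* single glitch: keep last good value */
        }                                /* otherwise: still SIG_NOT_READY      */
    }
    return s->status;
}

/* The calculation element only proceeds on a usable signal. */
bool Sig_Usable(const QualifiedSignal *s)
{
    return s->status == SIG_VALID || s->status == SIG_HELD;
}
```

Because the validation unit is the only consumer of the two QM drivers, it is the element that carries the ASIL of the calculation, and a later change of microcontroller or filter only touches the drivers and this unit.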

Page 21

Evolving Needs for Software Systems - Demonstrated

Basic Safety Mechanisms

From DO-178C, section 2.4 "Architectural Considerations":

Basic building blocks (DO-178C). There are basically three safety mechanisms on an architectural level (see 2.4):

1. Partitioning
2. Safety monitoring
3. Multiple-version dissimilar software

Monitoring as well as dissimilar software requires partitioning!

Page 22

Evolving Needs for Software Systems - Demonstrated

Partitioning

DO-178C, 2.4.1, Partitioning:

a. A partitioned software component should not be allowed to contaminate another partitioned software component's code, input/output (I/O), or data storage areas.

b. A partitioned software component should be allowed to consume shared processor resources only during its scheduled period of execution.

c. Failures of the hardware unique to a partitioned software component should not cause adverse effects on other partitioned software components.

d. Any software providing partitioning should have the same or higher software level as the highest level assigned to any of the partitioned software components.

e. Any hardware providing partitioning should be assessed by the system safety assessment process to ensure that it does not adversely affect safety.

Page 23

Evolving Needs for Software Systems - Demonstrated

Safety Monitoring

Safety monitoring is a means of protecting against specific failure conditions by directly monitoring a function for failures. Monitors can be implemented in hardware, software or in a combination of both.

Through the use of monitoring techniques, the software level of the monitored software may be assigned a software level associated with the loss of its related function.

a. Software level: Safety monitoring software is assigned the software level associated with the most severe failure condition for the monitored function.

b. System fault coverage: Assessment of the system fault coverage of a monitor ensures that the monitor's design and implementation are such that the faults which it is intended to detect will be detected under all necessary conditions.

c. Independency of function and monitor: The monitor and protective mechanism are not rendered inoperative by the same failure that causes the failure condition.

Page 24

Evolving Needs for Software Systems - Demonstrated

Safety Monitoring

1. A priori, the ASIL requirement is on the function itself.

2. Adding the monitor: the ASIL requirement moves to the safety monitor (high diagnostic coverage).

3. Usually the monitor will simply shut down the function. Additional safety goal: no new hazards by losing the function. Possible new safety requirement.

Precondition: independence between safety monitor and function is required, in space as well as in time.

[Figure: a Function block and a Safety Monitor block, both labelled ASIL-x; the loss-of-function path is labelled ASIL-y (loss of function).]

Page 25

Evolving Needs for Software Systems - Demonstrated

Multi-Version Dissimilar Software

• Often also referred to as multi-version software, multi-version independent software, dissimilar software, N-version programming or software diversity.

• Dissimilar software is sometimes written such that different parts of the hardware are used, e.g. fixed-point arithmetic vs. floating point.

Issues:

• The degree of dissimilarity and hence the degree of protection is usually not measurable. See the paper by Leveson / Knight on the experiment with N-version software.

• Dissimilar versions of the software are derived from the same specifications and there may be other common parts in the development process.

Page 26

EB tresos AutoCore Solutions

EB tresos AutoCore Safety Solutions up to ASIL D

[Figure: the same EB tresos AutoCore module map as shown on page 14.]

Page 27

Evolving Needs for Software Systems - Demonstrated

Relation of HW/SW Measures

[Figure: relation of hardware and software safety measures, taken from the presentation cited below.]

© Freescale Inc.; C. Temple, HW/SW Codesign in the Light of Functional Safety, Praxisworkshop "Funktionale Sicherheit in der Fahrzeugelektronik", February 2013.

Page 28: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Pattern: closed loop

• Data validation: HW check, plausibility check, “smoothing”, etc.

• Data integrity: redundant storage or a checksum

• Dotted lines: measuring the output; still an open-loop system

• Dotted lines: measuring the final result; a closed-loop system

• Open-loop example: measuring current for movement of valves in a chemical plant, but failing to notice that the valve itself is “blocked”.

Diagram blocks at the Actuation (Function) Level: Input Sensors, Input Processing, Data Validation, Data Processing (Transformations), Output Processing, Actuators, Actuator Sensors, Actuation Monitoring.

Page 29: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Reference Software Architecture

ASIL-C: independent memory

ASIL-D: independent memory, independent CPU

Diagram labels: L1 Base (Software Function, Actuator Activation); L2 Functional Diagnosis, L2 Signal Diagnosis (Plausibility Check); L3 System Diagnosis; Synchronized; Safe State.

From a normal software architecture to a high integrity system.

Page 30: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Conclusion & Mapping to E-GAS

Diagram levels: Actuation (Function) Level (L1), Monitoring Level (L2), Control Level (L3).

L1 blocks: Input Sensors, Input Processing, Data Processing (Transformations), Output Processing, Actuators, Actuator Sensors.

L2/L3 blocks (as labelled on the slide): Data Validation, Integrity Test, Monitor, Memory, Monitor Input Processing, Sequence Control, Watchdog, Time Base, Shutdown Signal.

Page 31: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Brainstorming: Failure Modes in Time

What can go wrong?

Page 32: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Failure Modes & Detection Mechanisms

Failure Mode               Alive  Logical  Deadline  Checkpoint type and location
Sequence Violation                x                  Logical
Stuck Error                x                         Alive at the end
Exit Violation                    x                  Logical, at the end
Entry Violation                   x                  Logical, at the start
Sequence Restart                  x                  Logical
Commission Error                  x                  Logical
Omission Error             x                         Alive
Timing Violation                           x         Deadline, between constraints
Occurrence Violation       x                         Alive
Synchronization Violation         x                  Logical, for each component

(The Alive, Logical and Deadline columns mark the supervision type that detects the failure mode.)

Page 33: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Alive Supervision

• Periodic Supervised Entities have constraints on the number of times they are executed within a given timespan.

• Watchdog Manager checks periodically if the Checkpoints of a Supervised Entity have been reached within the given limits (lower/upper delta).

Page 34: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Control Flow Monitoring / Logical Monitoring

• Detects a divergence from the valid program sequence:

• Control flow errors are caused by serious faults, very often in hardware. Hence control flow monitoring is a very effective tool in the argument for diagnostic coverage, e.g. in an FMEDA.

Page 35: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Deadline Monitoring

• Verifies the timing of the occurrences of check points.

• This mechanism is dedicated to SEs that have individual constraints on the timing between two checkpoints.

• Deadline monitoring is a classical technique for diverse implementations.

• Caution: deadline monitoring usually requires a very controlled schedule between such checkpoints. E.g. the unexpected execution of an interrupt is detected as a deadline violation of a completely different SE.

Page 36: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

(Ideal) Scheduling of WdgM

Priority axis, highest first (labels in the order shown on the slide):

Wdg: cyclic, HW/Gpt counter, high frequency, uninterruptible, interrupts everything else

WdgM: cyclic, maybe HW/Gpt counter, medium/high frequency, not interrupted by SEs, interrupts everything else

Safe state management: frequency depends on the needs, likely to be supervised by WdgM at least by alive monitoring

Safety interrupts: frequency depends on the needs, likely to be supervised by WdgM at least by alive monitoring

Safety functions: frequency depends on the needs, likely to be supervised by WdgM at least by alive monitoring; this is where the functionality is provided

Everything else: if there is time, do the actual functionality/calculations; most tasks are interruptible, unlikely to be monitored, unless on a “critical path”

Page 37: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Example scheduling

Diagram: priority over time; legend: Functionality, L2 Monitoring, System Diagnosis. Labels as listed on the slide: ISR_Wdg, ISR Input, Time monitoring (L3), CPU monitoring (L3), Output validation (L2), Data processing validation (L2), Input data validation (L2), Input processing (L1), Data processing (L1), Output processing (L1), Non-safety functions (preemptable).

Page 38: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Exercise – Part 1

• Timing constraints when the system is properly running in “normal” mode:

‒ The functions Signal preparation, Calculate and Output SHALL be triggered every 10ms

‒ The functions Signal preparation, Calculate and Output SHALL run in a fixed order, to avoid working on outdated data.

‒ The elapsed time between start of Read and finish of Calculate SHALL not exceed 3ms

‒ ADC values are continuously updated every 10 ms

• Task:

Add checkpoints and properties (Alive, ControlFlow, Deadline)

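The three supervision mechanisms of the preceding slides (alive, logical/control flow, deadline) applied to this exercise, as an added example that is not part of the slides or of any AUTOSAR WdgM implementation. It models the Watchdog Manager bookkeeping in Python rather than the configured C module; the supervised entity name ControlLoop, the checkpoint names READ_START, SIGPREP_DONE, CALC_DONE and OUTPUT_DONE, and the four traces are constructed for the example.

```python
# Added example (not from the slides): WdgM-style alive, logical and deadline supervision
# for the exercise. Entity, checkpoint names and traces are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class LogicalSupervision:          # allowed checkpoint graph (control flow)
    initial: str
    final: Set[str]
    transitions: Dict[str, Set[str]]

@dataclass
class AliveSupervision:            # indications of one checkpoint per reference cycle
    checkpoint: str
    reference_cycle_ms: float
    min_indications: int
    max_indications: int

@dataclass
class DeadlineSupervision:         # allowed time between a start and a stop checkpoint
    start: str
    stop: str
    min_ms: float
    max_ms: float

@dataclass
class WatchdogManager:
    se: str
    logical: LogicalSupervision
    alive: AliveSupervision
    deadline: DeadlineSupervision
    failures: List[Tuple[str, float, str]] = field(default_factory=list)
    _last_cp: Optional[str] = None             # None: outside a sequence
    _deadline_start: Optional[float] = None
    _alive_counts: Dict[int, int] = field(default_factory=dict)

    def checkpoint_reached(self, t: float, se: str, cp: str) -> None:
        """Called by the supervised entity at each checkpoint (cf. WdgM_CheckpointReached)."""
        if se != self.se:
            return                              # checkpoint of another SE
        self._check_logical(t, cp)
        self._check_deadline(t, cp)
        if cp == self.alive.checkpoint:
            cycle_no = int(t // self.alive.reference_cycle_ms)
            self._alive_counts[cycle_no] = self._alive_counts.get(cycle_no, 0) + 1

    def _check_logical(self, t: float, cp: str) -> None:
        if self._last_cp is None:
            if cp != self.logical.initial:      # entry violation
                self.failures.append(("entry", t, f"{cp} before {self.logical.initial}"))
        elif cp not in self.logical.transitions.get(self._last_cp, set()):
            self.failures.append(("sequence", t, f"{self._last_cp} -> {cp} not allowed"))
        self._last_cp = None if cp in self.logical.final else cp

    def _check_deadline(self, t: float, cp: str) -> None:
        if cp == self.deadline.start:
            self._deadline_start = t
        elif cp == self.deadline.stop and self._deadline_start is not None:
            elapsed = t - self._deadline_start
            if not self.deadline.min_ms <= elapsed <= self.deadline.max_ms:
                self.failures.append(("deadline", t, f"{elapsed:.1f} ms to {cp}"))
            self._deadline_start = None

    def main_function(self, duration_ms: float) -> str:
        """Cyclic evaluation: alive counts per reference cycle, then the global status."""
        for c in range(int(duration_ms // self.alive.reference_cycle_ms)):
            n = self._alive_counts.get(c, 0)
            if not self.alive.min_indications <= n <= self.alive.max_indications:
                self.failures.append(("alive", c * self.alive.reference_cycle_ms, f"{n} indications in cycle {c}"))
        return "OK" if not self.failures else "EXPIRED"

def exercise_wdgm() -> WatchdogManager:
    """Checkpoints and properties answering the exercise (constructed names)."""
    return WatchdogManager(
        se="ControlLoop",
        logical=LogicalSupervision(initial="READ_START", final={"OUTPUT_DONE"},
                                   transitions={"READ_START": {"SIGPREP_DONE"},
                                                "SIGPREP_DONE": {"CALC_DONE"},
                                                "CALC_DONE": {"OUTPUT_DONE"}}),
        alive=AliveSupervision("OUTPUT_DONE", reference_cycle_ms=10.0, min_indications=1, max_indications=1),
        deadline=DeadlineSupervision("READ_START", "CALC_DONE", min_ms=0.0, max_ms=3.0))

def evaluate(trace: List[Tuple[float, str, str]], duration_ms: float = 30.0) -> Tuple[str, List[str]]:
    """Feed a (time, entity, checkpoint) trace to a fresh WdgM; return status and failure kinds."""
    wdgm = exercise_wdgm()
    for t, se, cp in sorted(trace):
        wdgm.checkpoint_reached(t, se, cp)
    return wdgm.main_function(duration_ms), sorted({k for k, _, _ in wdgm.failures})

def cycle(t0, order=("READ_START", "SIGPREP_DONE", "CALC_DONE", "OUTPUT_DONE"), calc_at=2.0):
    """One 10 ms period of the constructed trace, starting at t0 (ms)."""
    return [(t0 + dt, "ControlLoop", cp) for dt, cp in zip((0.0, 0.5, calc_at, calc_at + 0.5), order)]

# Constructed traces of 30 ms (three reference cycles)
GOOD = cycle(0.0) + cycle(10.0) + cycle(20.0)
SEQUENCE_ERROR = cycle(0.0) + cycle(10.0, order=("READ_START", "CALC_DONE", "SIGPREP_DONE", "OUTPUT_DONE")) + cycle(20.0)
DEADLINE_ERROR = cycle(0.0) + cycle(10.0, calc_at=4.0) + cycle(20.0)   # Calculate ends 4 ms after Read
OMISSION = cycle(0.0) + cycle(20.0)                                    # nothing at all in cycle 1
```

Running `evaluate` on the four traces gives "OK" for GOOD and "EXPIRED" with the kinds sequence, deadline and alive for the other three, which is the mapping of the failure-mode table: a swapped checkpoint order is caught by logical supervision, the 4 ms Calculate by deadline supervision, and a cycle without any checkpoint by alive supervision (omission), while a checkpoint outside a sequence shows up as an entry violation.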

Page 39: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"


Page 40: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Secure Automotive Ethernet Communication

Page 41: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Motivation

Advanced driver assistance systems (ADAS) are evolving towards autonomous driving

• From alert & assist … e.g. lane departure warning, lane keeping assist

• … to features taking more control, e.g. highway chauffeur, valet parking

Automotive Ethernet is a key enabler for autonomous driving. Secure Ethernet Communication is required to ensure:

Availability

• Sensor data is available on time to create an environment model of the vehicle

• Actuator commands are sent correctly to control the vehicle

Integrity

• Sensor and actuator data are sent by authorized parties only to avoid manipulation

• Sensor and actuator data is not altered, removed or delayed to avoid manipulation

Confidentiality

• Sensor and actuator data are not monitored by unauthorized 3rd parties to protect driver’s privacy

Page 42: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Dependability & Security

Dependability: Availability, Reliability, Integrity, Safety, Maintainability

Dependability & Security: Availability, Reliability, Integrity, Safety, Maintainability, Confidentiality

Avizienis, Laprie, Randell, Landwehr: Basic Concepts and Taxonomy of Dependable and Secure Computing, IEEE, 2004

Page 43: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

• Safety: Protection against non-malicious faults, e.g. EMV (electromagnetic compatibility)

• Security: Protection against malicious faults, e.g. intended attacks

Security protects Safety

There is no safety without security

Page 44: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Secure communication

Protection against effects of malicious faults on the communication link

• New threats can emerge during system operation

• Threats are attacks (malicious, human made, external)

• Goal: Protect assets (property, environment and human life)

• Types of Attack:

‒ injection of malicious control commands

‒ prevention of correct system function (insertion, deletion, manipulation, replay and delay of messages)

• Points of Attack:

‒ additional nodes (e.g. via OBD connector or wireless access)

‒ corrupted and misused existing nodes (e.g. root access to infotainment system via cellular network)

‒ nodes replaced by manipulated ones

Page 45: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Solution: Multi-Level Security Architecture

Enhanced connectivity and the dynamics of security threats demand several security barriers, so that bypassing one security mechanism does not lead to full exposure.

Goal: protect against attacks violating availability, integrity and confidentiality.

Approach: establish security mechanisms on four levels:

Level 1: restrict access to the network

Level 2: secure onboard communication

Level 3: apply data usage policies

Level 4: detect anomalies and defend

Page 46: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Multi-Level Security Architecture

Level 1: Restrict access to the network

Level 2: Secure onboard communication

Level 3: Apply data usage policies

Level 4: Detect anomalies and defend


Page 47: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Various access points to the network

Internet connection

Bluetooth connection

Wireless key

Tire pressure monitor

Remote start

Remote HVAC

WiFi Hotspot

Car2Infrastructure

Car2Car

eCall


Page 48: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Level 1: Restrict access to the network (I)

• Limit the number of ECUs with off-board connections (WLAN, Bluetooth, cellular, wireless key, DAB, OBD plug, PLC), e.g. via

‒ central network access point with stateful firewall

‒ diagnostic communication from external tester to ECUs via central gateway (communication between tester and central gateway via TLS)

Page 49: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Level 1: Restrict access to the network (II)

• Divide the network into security zones, e.g. external, “demilitarized”, internal, and restrict traffic between zones: physical split or separation via VLANs

• Not only external-internal, but also internal-internal, e.g. infotainment to powertrain

VLAN tagging to separate external from internal

• All frames from the external tester are tagged with an orange VLAN tag at the switch located at the GW

• Thus only nodes assigned to the orange VLAN can receive frames from the external tester

• Frames to be sent to the external tester are sent via the orange VLAN; the switch at the gateway removes the orange VLAN tag before forwarding them to the tester

VLAN tagging to separate internal networks

• ECUs from infotainment (blue VLAN), chassis (green VLAN) and powertrain (yellow VLAN) can be separated, i.e. will only see frames from the assigned VLANs

• Traffic between VLANs requires a switch or gateway

(Diagram label: Tester)

Page 50: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Level 1: Restrict access to the network (III)

• static Ethernet switch forwarding tables OR MAC learning only during learning mode (e.g. end-of-line)

• static ARP tables at nodes OR Address Resolution Protocol only during learning mode (e.g. end-of-line)

• device authentication/authorization

• deactivation of unused (non-authorized) ports

Source: AUTOSAR 4.2 EthSwt SWS
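The VLAN separation of the previous slide and the static forwarding table of this one, combined in a small switch model. This is an added example, not part of the slides or of any AUTOSAR EthSwt implementation: port names, VLAN ids, MAC addresses and the end-of-line learning phase are constructed for the example, and the model keeps only the behaviour needed to show the three checks (VLAN membership, locked source-address table, deactivated port).

```python
# Added example (not from the slides or from any AUTOSAR EthSwt implementation): a VLAN-aware
# switch model whose forwarding table is learnt only in a learning phase and static afterwards.
# Port names, VLAN ids and MAC addresses are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ORANGE, BLUE, GREEN, YELLOW = 10, 20, 30, 40     # tester, infotainment, chassis, powertrain VLANs

@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int]        # None: untagged on the wire
    payload: str

@dataclass
class Port:
    pvid: int                  # VLAN given to untagged ingress frames
    members: Set[int]          # VLANs the port may carry
    tagged: bool               # False: tag is removed on egress (access port)
    enabled: bool = True

@dataclass
class Switch:
    ports: Dict[str, Port]
    learning: bool = True      # learning mode, e.g. at end-of-line
    fdb: Dict[Tuple[int, str], str] = field(default_factory=dict)   # (vlan, mac) -> port
    drops: List[str] = field(default_factory=list)

    def lock(self) -> None:
        """Leave learning mode; from now on the forwarding table is static."""
        self.learning = False

    def receive(self, in_port: str, frame: Frame) -> List[Tuple[str, Frame]]:
        """Process one ingress frame; return (egress port, frame as sent) pairs."""
        port = self.ports[in_port]
        if not port.enabled:
            self.drops.append(f"{in_port}: port disabled")
            return []
        vlan = port.pvid if frame.vlan is None else frame.vlan
        if vlan not in port.members:
            self.drops.append(f"{in_port}: VLAN {vlan} not allowed on this port")
            return []
        if self.learning:
            self.fdb[(vlan, frame.src)] = in_port
        elif self.fdb.get((vlan, frame.src)) != in_port:   # unknown or moved source address
            self.drops.append(f"{in_port}: source {frame.src} not in static table for VLAN {vlan}")
            return []
        out = self.fdb.get((vlan, frame.dst))
        if out is not None:
            targets = [out]
        elif self.learning:        # unknown destination: flood within the VLAN while learning
            targets = [p for p, c in self.ports.items() if p != in_port and vlan in c.members and c.enabled]
        else:                      # static table: unknown destinations are dropped
            self.drops.append(f"{in_port}: unknown destination {frame.dst} in VLAN {vlan}")
            return []
        return [(p, Frame(frame.src, frame.dst, vlan if self.ports[p].tagged else None, frame.payload))
                for p in targets if vlan in self.ports[p].members]

MAC = {"tester": "02:00:00:00:00:01", "diag_gw": "02:00:00:00:00:02", "ivi": "02:00:00:00:00:03",
       "chassis": "02:00:00:00:00:04", "powertrain": "02:00:00:00:00:05"}   # constructed addresses

def build_gateway_switch() -> Switch:
    return Switch(ports={
        "tester":     Port(pvid=ORANGE, members={ORANGE}, tagged=False),   # external tester (access port)
        "diag_gw":    Port(pvid=ORANGE, members={ORANGE}, tagged=True),    # diagnostic gateway (trunk)
        "ivi":        Port(pvid=BLUE,   members={BLUE},   tagged=False),
        "chassis":    Port(pvid=GREEN,  members={GREEN},  tagged=False),
        "powertrain": Port(pvid=YELLOW, members={YELLOW}, tagged=False),
        "spare":      Port(pvid=YELLOW, members=set(),    tagged=False, enabled=False)})

def end_of_line_learning(sw: Switch) -> None:
    """Constructed learning phase: each legitimate node talks once, then the table is locked."""
    for name, mac in MAC.items():
        sw.receive(name, Frame(mac, "ff:ff:ff:ff:ff:ff", None, "announce"))
    sw.lock()

def run_scenarios() -> Tuple[Dict[str, list], List[str]]:
    sw = build_gateway_switch()
    end_of_line_learning(sw)
    r: Dict[str, list] = {}
    # tester -> diagnostic gateway: untagged on ingress, carried with the orange tag on the trunk
    r["tester_to_gw"] = [(p, f.vlan) for p, f in sw.receive("tester", Frame(MAC["tester"], MAC["diag_gw"], None, "UDS req"))]
    # reply: the switch removes the orange tag before the frame reaches the tester
    r["gw_to_tester"] = [(p, f.vlan) for p, f in sw.receive("diag_gw", Frame(MAC["diag_gw"], MAC["tester"], ORANGE, "UDS resp"))]
    # tester -> powertrain: the powertrain ECU is only known in the yellow VLAN, nothing is forwarded
    r["tester_to_powertrain"] = sw.receive("tester", Frame(MAC["tester"], MAC["powertrain"], None, "x"))
    # infotainment -> powertrain: internal-internal separation works the same way
    r["ivi_to_powertrain"] = sw.receive("ivi", Frame(MAC["ivi"], MAC["powertrain"], None, "x"))
    # a device that was not present at end of line, and a frame on a deactivated port
    r["new_device"] = sw.receive("ivi", Frame("02:00:00:00:00:99", MAC["ivi"], None, "x"))
    r["disabled_port"] = sw.receive("spare", Frame("02:00:00:00:00:98", MAC["ivi"], None, "x"))
    return r, sw.drops
```

The drop log is the part a defender cares about: with the table locked, a source address that was not seen at end of line, a destination that is unknown in the ingress VLAN, and any frame on a deactivated port are all rejected with a reason that can be reported, which is the detection hook for Level 4.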


Page 51: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Multi-Level Security Architecture

Level 1: Restrict access to the network

Level 2: Secure onboard communication

Level 3: Apply data usage policies

Level 4: Detect anomalies and defend


Page 52: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

CC SSE Much, Grave | 2016-07-06 | VDA Automotive SYS 2016 | Public | © Elektrobit Automotive GmbH 2016.All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Level 2: Secure onboard communication (I)

Data integrity, authentication, encryption

• Authentication and integrity of critical frames

• Symmetric key because of calculation effort (and required bandwidth)

• Encryption for exchange of session keys

• Choice of protection layer and protocol:

Diagram: two nodes, each with Application, Com SW and Com HW layers, connected through a Switch; protocol labels: Application specific (proprietary), ASR SecOC, TLS, IPsec, MACsec (shown on both sides of the switch).

Page 53: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Level 2: Secure onboard communication (II)

Data integrity, authentication, encryption - Protocols

Protocol                                    Standard        Type/Layer             Authent.  Encryption  Comment
MACsec                                      IEEE 802.1AE    Hop-by-hop, Data-Link  X         X           Requires crypto/keys at each network node
IPsec AH (Authentication Header)            IETF RFC 4302   End-to-End, IP         X         -
IPsec ESP (Encapsulating Security Payload)  IETF RFC 4303   End-to-End, IP         X         X
TLS 1.2 (Transport Layer Security)          IETF RFC 5246   End-to-End, TCP        X         X           Does not work with UDP
SecOC                                       AUTOSAR         End-to-End, PDUs       X         -           Supports MAC truncation (works also with CAN / FlexRay)

Page 54: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Level 2: Secure onboard communication (III)

Data integrity, authentication using AUTOSAR SecOC

• Authentication and integrity of critical frames based on Message Authentication Code (MAC, i.e. usage of symmetric key) and freshness value (counter or timestamp)

• Symmetric key because of calculation effort (and required bandwidth)

• Sender generates the MAC based on DataId, data, freshness value and secret key. MAC and freshness value are transmitted together with the PDU data.

• Receiver verifies the MAC based on the received data and freshness value as well as the locally stored secret key and DataId.

• CNT/MAC truncation can be used if the message length is very limited.

Source: AUTOSAR 4.2 SecOC SWS
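The sender and receiver side of the SecOC pattern described above, as an added example that is not part of the slides or of the AUTOSAR SecOC module. It keeps the SWS structure (MAC over DataId, data and the complete freshness value; truncated freshness value and MAC on the wire; the receiver reconstructing the full freshness value before verifying) but uses HMAC-SHA256 as a stand-in for the CMAC normally configured, and the key, DataId, truncation lengths and payloads are constructed for the example.

```python
# Added example (not from the slides or the AUTOSAR SecOC module): MAC over DataId | data |
# freshness value, truncated freshness value and MAC on the wire, receiver-side freshness
# reconstruction. HMAC-SHA256 stands in for CMAC; key, DataId and payloads are constructed.
import hashlib
import hmac
import struct
from typing import Optional, Tuple

DATA_ID = 0x0123                      # 16-bit identifier of the secured PDU (constructed)
FV_TX_BITS = 8                        # low bits of the 32-bit freshness counter sent on the wire
MAC_TX_BYTES = 3                      # truncated MAC length on the wire
TRAILER = FV_TX_BITS // 8 + MAC_TX_BYTES
KEY = b"constructed demo key, 32 bytes!!"   # shared symmetric key (constructed)

def authenticator(key: bytes, data_id: int, data: bytes, freshness: int) -> bytes:
    """MAC over DataId | secured PDU data | complete freshness value."""
    msg = struct.pack(">H", data_id) + data + struct.pack(">I", freshness)
    return hmac.new(key, msg, hashlib.sha256).digest()

class SecOcSender:
    def __init__(self, key: bytes) -> None:
        self.key, self.fv = key, 0            # counter-based freshness value

    def secure(self, data: bytes) -> bytes:
        """Secured PDU = data | truncated freshness value | truncated MAC."""
        self.fv = (self.fv + 1) & 0xFFFFFFFF
        mac = authenticator(self.key, DATA_ID, data, self.fv)
        return data + bytes([self.fv & ((1 << FV_TX_BITS) - 1)]) + mac[:MAC_TX_BYTES]

class SecOcReceiver:
    def __init__(self, key: bytes) -> None:
        self.key, self.last_fv = key, 0       # last accepted (complete) freshness value

    def verify(self, pdu: bytes) -> Tuple[bool, Optional[bytes], str]:
        if len(pdu) < TRAILER:
            return False, None, "PDU too short"
        data, fv_low, mac_rx = pdu[:-TRAILER], pdu[-TRAILER], pdu[-MAC_TX_BYTES:]
        # Reconstruct the complete counter: the receiver's high bits plus the received low bits.
        # A value not greater than the last accepted one means the low bits wrapped (or the
        # PDU is a replay, in which case the MAC check below fails).
        candidate = (self.last_fv & ~((1 << FV_TX_BITS) - 1)) | fv_low
        if candidate <= self.last_fv:
            candidate += 1 << FV_TX_BITS
        expected = authenticator(self.key, DATA_ID, data, candidate)[:MAC_TX_BYTES]
        if not hmac.compare_digest(expected, mac_rx):
            return False, None, "MAC verification failed"
        self.last_fv = candidate                # freshness only advances on success
        return True, data, "ok"

def demo() -> dict:
    """Constructed exchange: a normal PDU, its replay, a tampered PDU, and a PDU after a lost one."""
    tx, rx = SecOcSender(KEY), SecOcReceiver(KEY)
    results = {}
    pdu = tx.secure(b"\x10\x20\x30")
    results["fresh"] = rx.verify(pdu)[2]
    results["replay"] = rx.verify(pdu)[2]                      # same PDU delivered again
    pdu2 = tx.secure(b"\x11\x22\x33")
    results["tampered"] = rx.verify(bytes([pdu2[0] ^ 0x01]) + pdu2[1:])[2]
    results["after_tamper"] = rx.verify(pdu2)[2]               # the genuine PDU is still accepted
    tx.secure(b"lost on the bus")                               # never reaches the receiver
    results["after_loss"] = rx.verify(tx.secure(b"\x44"))[2]   # a counter gap is tolerated
    return results
```

Two design points are worth noting: the receiver updates its freshness value only after a successful MAC check, so a rejected PDU cannot move the window, and the truncated 8-bit freshness value only tolerates fewer than 256 consecutive lost PDUs before the reconstruction falls behind, which is the trade-off the slide refers to with CNT truncation.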


Page 55: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Level 2: Secure onboard communication (V)

Design principle for Key Management (Generation, Distribution and Storage)

• Service Backend (off-board) >> KeyMaster (on-board):

‒ Communication between SB and KM is encrypted using asymmetric cryptography

‒ SB configures and triggers key exchange at KM

• KeyMaster >> ECUs:

‒ Communication between KM and ECUs is encrypted using symmetric cryptography

‒ KM generates communication group session keys (TEK) if triggered, e.g. by the SB, a timeout or a diagnostic request

‒ KM assigns TEKs to ECUs by using the related Key Encryption Key (KEK) of the ECU

‒ ECU securely stores the keys in its HSM

Diagram: SB, via the Internet, to KM (off-board link: asymmetric/symmetric); KM to ECU (on-board link: symmetric).

Based on: The EVITA Project

SB … Service Backend Server, KM … Key Master

Page 56: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Multi-Level Security Architecture

Level 1: Restrict access to the network

Level 2: Secure onboard communication

Level 3: Apply data usage policies

Level 4: Detect anomalies and defend

Page 57: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Level 3: Apply data usage policies

Define data usage policies to limit the exposure

• Use service-specific know-how to implement policies in the application

‒ Control data: accept control commands only in specific application states, define priorities of requesters

‒ Sensor data: validate the contents of data (context, history, …)

Examples

• allow diagnostic messages only in a specific vehicle state, e.g. speed is less than 5 mph or driver's door open

• allow massive steering/braking/acceleration changes only in certain vehicle states (e.g. crash indication, driver request in ‘sport’ mode, …)

• use more than one sensor (instance) to determine whether the vehicle is not moving

Challenges

• Highly application dependent

• Side effects must be considered
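As an added example (not from the slides or any EB product), a small Python policy layer that encodes the rules above: diagnostics only below 5 mph or with the driver's door open, standstill confirmed by more than one speed sensor instance, massive steering changes only on crash indication or in 'sport' mode, and requester priorities for arbitration. The requester ids, the priority table, the 30° "massive change" threshold and the sensor instance names are assumptions.

```python
"""Data usage policy (Level 3) for incoming control and diagnostic requests.

Added example, not from the original slides. The requester names, the
priority table, the 'massive steering' threshold and the sensor instance
names are assumptions; the 5 mph / door-open rule is the one on the slide.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, List, Optional


class RequestKind(Enum):
    DIAGNOSTIC = auto()
    STEERING_CHANGE = auto()


@dataclass
class VehicleState:
    speed_mph: Dict[str, float]  # one reading per sensor instance (assumed names)
    driver_door_open: bool
    crash_indicated: bool
    drive_mode: str              # e.g. "comfort" or "sport"


@dataclass
class Request:
    kind: RequestKind
    requester: str          # assumed requester ids: "adas", "tester", "infotainment"
    magnitude: float = 0.0  # requested steering change in degrees (assumed unit)


# Assumed priorities of requesters; a higher value wins a conflict.
REQUESTER_PRIORITY = {"adas": 3, "tester": 2, "infotainment": 1}
MASSIVE_STEERING_DEG = 30.0  # assumed threshold for a "massive" change
STANDSTILL_MPH = 5.0         # from the slide: speed less than 5 mph


def vehicle_standstill(state: VehicleState, min_sources: int = 2) -> bool:
    """Slide rule: use more than one sensor instance to decide that the
    vehicle is not moving. A single low reading is not trusted."""
    below = [v for v in state.speed_mph.values() if v < STANDSTILL_MPH]
    return len(below) >= min_sources


def evaluate(req: Request, state: VehicleState) -> Optional[str]:
    """Apply the data usage policy. Returns None when the request is
    accepted, otherwise the reason it is rejected."""
    if req.requester not in REQUESTER_PRIORITY:
        return "rejected: unknown requester"
    if req.kind is RequestKind.DIAGNOSTIC:
        # Slide: diagnostics only at < 5 mph or with the driver's door open.
        if vehicle_standstill(state) or state.driver_door_open:
            return None
        return "rejected: diagnostics while vehicle is moving"
    if req.kind is RequestKind.STEERING_CHANGE:
        if abs(req.magnitude) < MASSIVE_STEERING_DEG:
            return None
        # Slide: massive changes only on crash indication or on a driver
        # request in 'sport' mode.
        if state.crash_indicated or state.drive_mode == "sport":
            return None
        return "rejected: massive steering change in current vehicle state"
    return "rejected: unsupported request kind"


def arbitrate(requests: List[Request], state: VehicleState) -> Optional[Request]:
    """Among the requests the policy accepts, pick the one from the
    highest-priority requester (slide: define priorities of requesters)."""
    accepted = [r for r in requests if evaluate(r, state) is None]
    if not accepted:
        return None
    return max(accepted, key=lambda r: REQUESTER_PRIORITY[r.requester])
```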

Page 58: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Multi-Level Security Architecture

Level 1: Restrict access to the network

Level 2: Secure onboard communication

Level 3: Apply data usage policies

Level 4: Detect anomalies and defend

Page 59: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Level 4: Detect anomalies at the network and defend

• Anomalies: deviations from the specified communication matrices, e.g. a cyclic message is received more often than defined, very high network load, a 1:n message received with different source addresses, …

• Detection: via a central device or at the receiver, e.g. plausibility check based on diverse input data or data sequence, failed integrity checks

• Defend: report (e.g. DTC, involvement of driver, …) and start mitigation

‒ mask (e.g. block messages from infotainment ECU, block messages from a “babbling idiot” by enforcing bandwidth limitation at switches) or

‒ reconfigure (e.g. deactivation of critical functions, initiate hand-over in case of autonomous driving, request change of session key, …)

[Figure: bandwidth limitation at the switch: Switch → ECU carrying Stream1 and Stream2, with bandwidth figures 20 / 40 / 20 20]
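As an added example (not part of the slides or any EB product), the receiver-side or central detection described above in Python: frames are checked against a constructed communication matrix for unknown ids, unexpected source addresses on a 1:n message, cyclic messages arriving more often than defined, oversized frames and excessive load in a sliding window (the “babbling idiot” that a switch would then rate-limit). All message ids, addresses and thresholds are constructed.

```python
"""Level 4 anomaly detection against a communication matrix.

Added example, not from the original slides. The communication matrix, the
frame records and all thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class MatrixEntry:
    period_ms: Optional[float]  # None for event-triggered messages
    sources: FrozenSet[str]     # source addresses allowed to send this id
    max_len: int                # maximum payload length in bytes


@dataclass(frozen=True)
class Frame:
    t_ms: float  # receive time
    msg_id: int
    src: str
    length: int


# Constructed communication matrix: what the network is specified to carry.
COMM_MATRIX: Dict[int, MatrixEntry] = {
    0x100: MatrixEntry(10.0, frozenset({"ECU_A"}), 8),   # 10 ms cyclic
    0x200: MatrixEntry(100.0, frozenset({"ECU_B"}), 8),  # 100 ms cyclic
    0x300: MatrixEntry(None, frozenset({"ECU_C"}), 64),  # event-triggered
}


class MatrixMonitor:
    """Checks received frames against the matrix; usable in a central
    device (e.g. a switch) or in the receiving ECU itself."""

    def __init__(self, matrix: Dict[int, MatrixEntry], period_tolerance: float = 0.5,
                 load_window_ms: float = 100.0, load_limit_bytes: int = 1500) -> None:
        self.matrix = matrix
        self.tolerance = period_tolerance   # a cyclic frame may be this fraction early
        self.window_ms = load_window_ms
        self.load_limit = load_limit_bytes  # assumed byte budget per window
        self.last_rx: Dict[int, float] = {}
        self.window: List[Frame] = []

    def check(self, frame: Frame) -> List[str]:
        alerts: List[str] = []
        entry = self.matrix.get(frame.msg_id)
        if entry is None:
            alerts.append(f"UNKNOWN_ID t={frame.t_ms:.1f} id=0x{frame.msg_id:X}")
        else:
            # A 1:n message must always come from its configured sender.
            if frame.src not in entry.sources:
                alerts.append(f"BAD_SOURCE t={frame.t_ms:.1f} id=0x{frame.msg_id:X} src={frame.src}")
            if frame.length > entry.max_len:
                alerts.append(f"OVERSIZED t={frame.t_ms:.1f} id=0x{frame.msg_id:X} len={frame.length}")
            if entry.period_ms is not None:
                last = self.last_rx.get(frame.msg_id)
                min_gap = entry.period_ms * (1.0 - self.tolerance)
                if last is not None and frame.t_ms - last < min_gap:
                    alerts.append(f"CYCLE t={frame.t_ms:.1f} id=0x{frame.msg_id:X} gap={frame.t_ms - last:.1f}ms")
                self.last_rx[frame.msg_id] = frame.t_ms
        # Network load over a sliding window, counting every frame seen.
        self.window.append(frame)
        self.window = [f for f in self.window if frame.t_ms - f.t_ms <= self.window_ms]
        load = sum(f.length for f in self.window)
        if load > self.load_limit:
            alerts.append(f"LOAD t={frame.t_ms:.1f} bytes={load}")
        return alerts


def scan(frames: List[Frame], matrix: Dict[int, MatrixEntry] = COMM_MATRIX) -> List[str]:
    """Run the monitor over a capture in time order and collect all alerts."""
    monitor = MatrixMonitor(matrix)
    alerts: List[str] = []
    for frame in sorted(frames, key=lambda f: f.t_ms):
        alerts.extend(monitor.check(frame))
    return alerts


def count_by_kind(alerts: List[str]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in alerts:
        kind = a.split()[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed capture: regular traffic plus one of each anomaly and a burst.
SAMPLE_FRAMES: List[Frame] = [
    Frame(0.0, 0x100, "ECU_A", 8), Frame(0.0, 0x200, "ECU_B", 8),
    Frame(10.0, 0x100, "ECU_A", 8), Frame(20.0, 0x100, "ECU_A", 8),
    Frame(22.0, 0x100, "ECU_A", 8),    # 2 ms after the previous one: too early
    Frame(30.0, 0x100, "ECU_A", 8),
    Frame(40.0, 0x150, "ECU_A", 8),    # id not in the matrix
    Frame(50.0, 0x300, "ECU_C", 64),
    Frame(51.0, 0x300, "ECU_C", 100),  # longer than specified
    Frame(100.0, 0x200, "ECU_X", 8),   # 1:n message from a different source
] + [Frame(110.0 + i, 0x300, "ECU_C", 64) for i in range(25)]  # babbling idiot
```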

Page 60: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Summary: Protection by the security levels

Levels protecting against attacks violating availability, integrity and confidentiality:

Level                                    | Availability     | Integrity | Confidentiality
Level 1: restrict access to the network  | Yes              | Yes       | Yes
Level 2: secure onboard communication    | No (DoS attacks) | Yes       | Yes
Level 3: apply data usage policies       | No (DoS attacks) | Yes       | No (eavesdropping)
Level 4: detect anomalies and defend     | Yes              | (Yes)     | No (eavesdropping)

Page 61: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Multi-level security architecture with AUTOSAR

[Figure: AUTOSAR security stack: Hardware Security Module; implementation layer Cry (CryHsm); interface layer Csm; SecMon; mapped to Level 1, Level 2, Level 3 and Level 4]

Page 62: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Summary

• Autonomous driving requires secure communication to protect against malicious attacks

• Multi-level security architecture

‒ ensures availability, integrity and confidentiality

• Security mechanisms

‒ Use experience from IT industry

‒ Adaptations for automotive necessary and implemented

‒ First steps of standardization for security in automotive achieved, more needed.

• Solutions are available, use them to secure Ethernet for autonomous driving.

Page 63: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Demonstrator: Semi-dynamic reconfiguration based on Classic AUTOSAR

Page 64: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Future architecture of a car infrastructure

• Split ECUs into low-performance IO controllers and high-performance controllers

• Establish a service-oriented architecture (SOA)

• Performance Controller

‒ High computation power

‒ Widespread, POSIX-like operating system (e.g. Linux), Adaptive AUTOSAR

• IO Controller

‒ Provides sensor and actuator services

‒ Deeply embedded, real-time operating system (e.g. Classic AUTOSAR)

Semi-dynamic reconfiguration based on Classic AUTOSAR

[Figure: Cloud – Gateway – performance controllers (PF), each with several IO controllers (IO)]

Page 65: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Requirements for a future car infrastructure

High Level Requirements                     | Technical Concepts                                                             | Technologies
High computing power                        | High Performance Controllers and GPUs                                          | Autosar Adaptive Platform; Hypervisor
High data rates                             | Ethernet (1 GigE, 10 GigE); Dependable Communication                           | Fault-tolerant Communication; QoS and Timesync; Safe & Secure Communication
High availability, fail-operational systems | Redundancy Concept; Service oriented architecture; Software System Engineering | 2oo3, 1oo2D, …; (Semi-) dynamic reconfiguration
Car-2-X communication, update over the air  | Reliable Security mechanisms, concepts and infrastructure                      | Secure Onboard Communication & Key management; Crypto Algorithms, Security HW; Secure Separation

Page 66: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

From Fail safe to Fail operational

Safe State means:

• Continue driving until driver is in the loop

‒ approx. 7-15s for conditional autonomous driving

‒ Several minutes for high and full autonomous driving

• Perform an autonomous “safe-stop” (stand-still at a non-hazardous place)

‒ Main issue is to get the driver's attention focused on the situation

‒ Several minutes, depending on the situation

[Figure: automation levels Driver only, Assisted, Partial autom., Conditional autom., High autom., Full autom.; transition from Fail safe to Fail operational]

Page 67: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Example: 1oo2D System

[Figure: 1oo2D system: two channels, each Input → Logic → Output with Diagnostics driving “Enable Output”; common Input Data and Output Data]

• High diagnostic coverage needed to detect failures in one channel

• If a component fails in one of the two channels, the system does not shut down

• The system continues to operate with one channel

Common sense: it's not best policy to operate a highly safety-critical system on a single channel – but it's sufficient for a certain period of time, the so-called hand-over time to the car driver

or…

Page 68: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Outlook: Reconfiguration for rebuilding 1oo2D

1 channel

• Still operational

• Handover to driver

• Failure recovery

• Internal recovery

1oo2D*

• Rebuilding 2-channel system

• Disabling of comfort functions

[Figure: timeline from “error occurred” through the 1-channel state to the rebuilt 1oo2D* system, annotated “< 10s”]

Page 69: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

1oo2D - Normal operation

[Figure: 1oo2D system in normal operation: two nodes connected by fault tolerant Ethernet to Sensors/Actuators; functions Func1 to Func6 with Diagnostics, marked critical, non-critical or disabled]

Page 70: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

1oo2D – 1 channel

[Figure: 1oo2D system running on 1 channel: two nodes connected by fault tolerant Ethernet to Sensors/Actuators; functions Func1 to Func6 with Diagnostics, marked critical, non-critical or disabled]

Page 71: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

1oo2D* – 2 channel

[Figure: rebuilt 1oo2D* system with 2 channels: two nodes connected by fault tolerant Ethernet to Sensors/Actuators; functions Func1 to Func6 with Diagnostics, marked critical, non-critical or disabled]

Page 72: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Req. 1: Reconfiguration in classic AUTOSAR systems

• Application information available from the AUTOSAR XML description

• Runtime environment (RTE) supporting starting and stopping of software components

• Threads can be started/stopped via Safety OS partitions

• FailOpManager

‒ Monitoring of own health status

‒ Monitoring of foreign health status

‒ Triggering of reconfiguration

Page 73: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Req. 2: Sensor/Actuators are redundant or accessible via network

Redundant sensors/actuators

• Duplication and higher costs

• Only limited reconfiguration over the vehicle lifetime due to hardwired sensors

Sensors/actuators accessible via network

• Service-oriented communication (SOME/IP and Service Discovery)

• Multicast fault-tolerant Ethernet

Page 74: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Semi-dynamic reconfiguration based on Classic AUTOSAR

Page 75: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Start point

[Figure: Node 1 (Rte, Appl. 1, ASR BSW, ComStack, OS) and Node 2 (Rte, Appl. 1 (red.), Appl. 2, ASR BSW, ComStack, OS) connected via Ethernet]

• Application contains a realistic number of SW-Cs and interfaces for a driver assistance ECU

• Number of SW-Cs and interfaces are taken from a real ECU

Page 76: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Requirements

• Detection of failing nodes (scalable algorithm)

• Reconfiguration mechanism based on AUTOSAR

• State transfer from Node 1 to Node 2

• Reconfiguration time (< 500 ms)

• Small increase of CPU load and memory consumption

“Let's look at the details”

Page 77: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Health monitoring & Service State Agreement

Page 78: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Introduction

• Definition of a group membership protocol (GMP): “A set of processors has a common view of the state (crashed, restarting, running) of each processor at any time”

• Selection of a suitable protocol (research in existing academic work)

• Tailoring (downsizing) of the selected protocol

• Service state agreement (based on GMP): “A set of processors has an agreed state (active, stand-by) of each service provided by each node”

‒ static agreement (rules based on current GMP states)

Page 79: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Group membership protocol

• Basis: “A Low-Cost Processor Group Membership Protocol for a Hard Real-Time Distributed System” by Clegg and Marzullo

‒ low overhead

‒ small failure detection latency

‒ small message complexity

• Features:

‒ Assumes n (an arbitrary number of) processors participating in the GMP

‒ connected by C_max network channels with broadcast functionality

‒ Detects network channel/interface errors and supports heartbeat forwarding (up to (C_max – 1) channel/interface errors)

‒ States: Restarting, Running, Crashed

[Figure: processors P1, P2, …, Pn on channels C_1 … C_max; heartbeats every δ, clock skew ε]

P1 … Pn: processors
C_1 … C_max: communication channels
δ: maximum broadcast period (heartbeat containing Id and timestamp T_tx)
ε: maximum clock skew
Δ_send: maximum transmission delay
Δ_fwd: channel forward decision constant
$\Delta_{sf} = \max(\Delta_{send}, \Delta_{fwd})$

Failure detection latency: $\Delta_{lat} = \Delta_{send} + \Delta_{sf} + 2\delta + \varepsilon$

Membership end (mse): $T_{mse} = T_{tx} + \Delta_{lat}$

Page 80: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Service state agreement

• Processor (P) = Electronic Control Unit (ECU)

• Redundant service A’’ and A’ deployed on processors (P1(A’), P2(A’’))

• States of P1 available in P1 and P2:

‒ Restarting, Running, Crashed

• Static service state agreement:

‒ P1: A’ initially deactivated (cold-stand-by)

• gmp state P1 -> Restarting: -

• gmp state P1 -> Running: activate A’ (active)

• gmp state P1 -> Crashed: deactivate A’ (P1 crashed)

‒ P2: A’’ initially deactivated (cold-stand-by)

• gmp state P1 -> Restarting: -

• gmp state P1 -> Running: -

• gmp state P1 -> Crashed: activate A’’
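As an added example serving both the group membership slide and the service state agreement above (not the demonstrator's own code), a Python model of one node's membership view using the slide's formulas Δlat = Δsend + Δsf + 2δ + ε and Tmse = Ttx + Δlat, plus the static agreement rules for A' on P1 and A'' on P2. The timing values, the heartbeat log and the Crashed -> Restarting step on a returning heartbeat are assumptions.

```python
"""Heartbeat-based group membership (GMP) and static service state agreement.
Added example, not the slides' or the demonstrator's code. Formulas and the
A'/A'' rules are from the slides; timings, the heartbeat log and the
Crashed -> Restarting step on a returning heartbeat are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class ProcState(Enum):
    RESTARTING = "Restarting"
    RUNNING = "Running"
    CRASHED = "Crashed"


class ServiceState(Enum):
    COLD_STANDBY = "cold-stand-by"
    ACTIVE = "active"


@dataclass(frozen=True)
class GmpTiming:
    delta: float    # δ: maximum heartbeat broadcast period
    epsilon: float  # ε: maximum clock skew
    d_send: float   # Δsend: maximum transmission delay
    d_fwd: float    # Δfwd: channel forward decision constant

    @property
    def d_sf(self) -> float:
        return max(self.d_send, self.d_fwd)

    @property
    def d_lat(self) -> float:
        return self.d_send + self.d_sf + 2 * self.delta + self.epsilon  # Δlat

    def membership_end(self, t_tx: float) -> float:
        return t_tx + self.d_lat  # Tmse = Ttx + Δlat


@dataclass(frozen=True)
class Heartbeat:
    sender: str
    t_tx: float  # sender timestamp carried in the heartbeat


class GroupMembership:
    """One node's view of the state of every processor in the group."""

    def __init__(self, timing: GmpTiming, members: List[str]) -> None:
        self.timing = timing
        self.state: Dict[str, ProcState] = {m: ProcState.RESTARTING for m in members}
        self.t_mse: Dict[str, Optional[float]] = {m: None for m in members}

    def on_heartbeat(self, hb: Heartbeat, now: float) -> None:
        # Reject unknown senders and timestamps further ahead than the clock skew.
        if hb.sender not in self.state or hb.t_tx > now + self.timing.epsilon:
            return
        end = self.timing.membership_end(hb.t_tx)
        prev = self.t_mse[hb.sender]
        self.t_mse[hb.sender] = end if prev is None else max(prev, end)
        if self.state[hb.sender] is ProcState.CRASHED:
            self.state[hb.sender] = ProcState.RESTARTING  # assumption: rejoin step
        else:
            self.state[hb.sender] = ProcState.RUNNING

    def tick(self, now: float) -> List[str]:
        """Expire memberships; return processors that just became Crashed."""
        crashed = []
        for m, end in self.t_mse.items():
            if end is not None and now > end and self.state[m] is not ProcState.CRASHED:
                self.state[m] = ProcState.CRASHED
                crashed.append(m)
        return crashed


def agreed_state(node: str, gmp_p1: ProcState) -> ServiceState:
    """Static agreement from the slide: A' on P1 is active while P1 is Running,
    A'' on P2 becomes active once P1 is Crashed; otherwise cold stand-by."""
    if node == "P1":
        return ServiceState.ACTIVE if gmp_p1 is ProcState.RUNNING else ServiceState.COLD_STANDBY
    if node == "P2":
        return ServiceState.ACTIVE if gmp_p1 is ProcState.CRASHED else ServiceState.COLD_STANDBY
    raise ValueError(f"unknown node {node}")


def run_scenario() -> Dict[str, float]:
    """P1 heartbeats every δ and falls silent after Ttx = 30; P2 tracks P1."""
    timing = GmpTiming(delta=10.0, epsilon=1.0, d_send=2.0, d_fwd=2.0)
    # Constructed log: (arrival time at P2, heartbeat) for Ttx = 0, 10, 20, 30
    arrivals = [(t + timing.d_send, Heartbeat("P1", t)) for t in (0.0, 10.0, 20.0, 30.0)]
    p2 = GroupMembership(timing, ["P1", "P2"])
    result = {"d_lat": timing.d_lat, "t_mse_last": timing.membership_end(30.0),
              "crash_detected_at": -1.0, "a2_activated_at": -1.0}
    for step in range(0, 81):  # 1 ms ticks on P2
        now = float(step)
        for t_rx, hb in arrivals:
            if t_rx == now:
                p2.on_heartbeat(hb, now)
        if "P1" in p2.tick(now) and result["crash_detected_at"] < 0:
            result["crash_detected_at"] = now
        if (agreed_state("P2", p2.state["P1"]) is ServiceState.ACTIVE
                and result["a2_activated_at"] < 0):
            result["a2_activated_at"] = now
    return result
```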

Page 81: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Putting it all together

[Figure: timeline t for P1 and P2: GMP[P1] on each node passes Restarting → Running → Crashed; SSA of A' on P1: Cold-Stand-By → Active → (P1 crashed); SSA of A'' on P2: Cold-Stand-By → Active. Heartbeats (HB) are sent at most max δ apart; annotations δ + Δ_send + μ, T'_rx, T'_mse, Δ_send, “activate A'”, “activate A''”]

GMP … Group Membership Protocol
SSA … Service State Agreement Logic
HB … Heartbeat message
P1 … Processor (ECU) 1, containing primary SWC
P2 … Processor (ECU) 2, containing backup SWC
A' … primary SWC state
A'' … backup SWC state

Page 82: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Semi-dynamic reconfiguration

Page 83: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Start/Stop on runnable level – Pros/Cons

‒ Usage of existing Autosar mechanisms (ModeSwitch and ModeEnabling/Disabling dependencies)

‒ Fast start/stop possible

‒ Central SW-C required as mode manager

‒ Distribution only possible on clustered software function

• Connected RTE Ports required

• Evaluation of execution path/data dependency required

‒ Modification / extension of application necessary

• configuration overhead for ModeSwitch-Ports

‒ Safety requirements will be assigned on this RTE mode management feature

‒ Additional effort to disable OS elements and ISR (load reduction)

Page 84: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Os application/partition level - Overview

• An AUTOSAR Os-Application is a composition of Os elements

• An Os-Application realizes a partition

• A partition is a logical composition

• Each partition has its own RTE (VFB)

• Inter-partition communication is handled by the OS (IOC) or the RTE (SMC)

[Figure: memory layout: OS App1 with its Data, Task1 (Data, Stack) and Task2 (Data, Stack); OS App2 with its Data, Task3 (Data, Stack) and ISR1 (Data, Stack); OS Kernel Stack; App1 and App2 each with their own Rte]

Page 85: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Start/Stop on partition level – Pros/Cons

‒ Partitions can be started/stopped individually

‒ Cold standby can be realized

‒ Standard ASR mechanism

• Additionally used to realize memory protection in some OS implementations

‒ ISR and other OS elements are part of this concept

‒ Mechanism on a higher abstraction level compared to runnable approach – but on a logical functional level (remember SW-C to partition mapping)

‒ Starting and Stopping is divided into separate Rte & Os_Application APIs

• Small overhead at startup for setup

‒ Probably slower compared with mode management approach

• Partition A needs to be stopped and Partition B needs to be started

Page 86: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Results

Page 87: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Software components and partitions

[Figure: Node 1 (Rte, App1, GSM, ReConfM, ASR BSW, ComStack, OS) and Node 2 (Rte, App1 (standby), App2, GSM, ReConfM, ASR BSW, ComStack, OS) connected via Ethernet]

• Two small software components are added

• Configurable as plugin

• Configuration is generated

• Partitioning added on Node 2 (dotted lines): Infrastructure, Normal Application, Cold standby

Page 88: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Page 89: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Benchmark - Reconfiguration Time

Failure detection depends on configurable parameters in the GSM.

• Node 2:

‒ ReConfRemoteHeartBeatRxTimeout = 10 × GSM cycle time (10 ms) ≈ 100 ms (depending on start point)

‒ At least one heartbeat needs to be received within ReConfRemoteHeartBeatRxTimeout

• Node 1:

‒ ReConfHeartBeatTxPeriod = 1 per GSM cycle time (10 ms)

Time measured                                       | Time
Last received heartbeat from Node 1, in Node 2      | -11.7 ms
Failure                                             | 0
Node 2 detects fail-silent of Node 1                | 98.24 ms
Detection till cold standby application is executed | 0.08 ms
Overall time                                        | 110.02 ms

Page 90: 20160706 Automotive SYS: "Evolving Needs for Software Systems - Demonstrated"

Thank you

Contact us!

automotive.elektrobit.com
rudolf.grave@[email protected]
