Date posted: 07-Jan-2017 | Category: Software | Uploaded by: alexander-much
Evolving Needs for Software Systems - Demonstrated
Rudolf Grave, Alexander Much | 2016-07-06
CC SSE Much, Grave | 2016-07-06 | VDA Automotive SYS 2016 | Public | © Elektrobit Automotive GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Agenda
• 14:00 – 14:05: Introduction
• 14:00 – 14:20: A quick rush through AUTOSAR
• 14:20 – 15:40: Architectures for safety
• 15:40 – 15:50: Coffee break
• 15:50 – 16:20: Secure automotive ethernet communication
• 16:20 – 17:00: Demonstrator: dynamic reconfiguration with classic AUTOSAR
• Open end: Q&A
The hosts
Alexander Much: joined EB in 2003; Head of Software Systems Engineering; SPICE assessor, safety assessor; "Future stuff"
Rudolf Grave: joined EB in 2005; Senior Expert ECU Architecture; auditor; "Getting things done"
A quick rush through AUTOSAR
Architecture - Basic AUTOSAR Approach
[Figure: layered architecture across several ECUs. Software components SW-C A, SW-C B, SW-C C and SW-C D sit on the RTE; each ECU (ECU I, ECU II, ..., ECU m) has its own RTE and Basic Software (BSW) on top of its microcontroller (uC)]
Architecture - Layered Architecture
[Figure: AUTOSAR layered architecture, top to bottom: Application Layer; Runtime Environment (RTE); Services (System Services, Memory Services, Communication Services); ECU Abstraction (Onboard Device Abstraction, Memory Hardware Abstraction, Communication Hardware Abstraction, I/O Hardware Abstraction), with Complex Device Drivers alongside; Microcontroller Abstraction (Microcontroller Drivers, Memory Drivers, Communication Drivers, I/O Drivers); Hardware]
Architecture - Microcontroller Abstraction Layer (MCAL)
Task:
‒ Make higher software layers independent of µC
Properties:
‒ Implementation: µC dependent
‒ Upper Interface: Standardized and µC independent
The Microcontroller Abstraction Layer is the lowest software layer of the Basic Software. It contains internal drivers, which are software modules with direct access to the µC internal peripherals and memory mapped µC external devices.
[Figure: AUTOSAR layered architecture with the Microcontroller Abstraction Layer highlighted]
Architecture - ECU Abstraction Layer
Task:
‒ Make higher software layers independent of ECU hardware layout, e.g. bus types, memory devices
Properties:
‒ Implementation: μC independent, ECU hardware dependent
‒ Upper Interface: μC and ECU hardware independent, dependent on signal type
The ECU Abstraction Layer interfaces the drivers of the Microcontroller Abstraction Layer. It also contains drivers for external devices. It offers an API for access to peripherals and devices regardless of their location (μC internal/external) and their connection to the μC (port pins, type of interface).
[Figure: AUTOSAR layered architecture with the ECU Abstraction Layer highlighted]
Architecture - Complex Device Driver
Task:
‒ Fulfill the special functional and timing requirements for handling complex sensors and actuators
Properties:
‒ Implementation: Highly μC, ECU and application dependent
‒ Upper Interface: Specified and implemented according to AUTOSAR (AUTOSAR interface)
A Complex Device Driver implements complex sensor evaluation and actuator control with direct access to the μC using specific interrupts and/or complex μC peripherals (like PCP, TPU), e.g.
‒ Injection control
‒ Electric valve control
‒ Incremental position detection
[Figure: AUTOSAR layered architecture with the Complex Device Drivers highlighted]
Architecture - IO Hardware Abstraction
I/O Hardware Abstraction
• Project specific
‒ AUTOSAR provides high level requirements and guidelines
• Signal based interface
‒ Digital IO
‒ Analogue IO
‒ PWM
• Encapsulates
‒ Mapping signal to pin
‒ Filtering and de-bouncing
‒ Failure monitoring (short circuit to ground/power, open load, …) and reporting
‒ Compensation of static influences
‒ Conversion to physical units
‒ Handling of SPI driven devices
[Figure: AUTOSAR layered architecture with the I/O Hardware Abstraction highlighted]
Architecture - Service Layer
Task:
‒ Provide basic services for application and basic software modules.
Properties:
‒ Implementation: Partly μC, ECU hardware and application specific
‒ Upper Interface: μC and ECU hardware independent
The Service Layer is the highest layer of the Basic Software, which also applies to its relevance for the application software: while access to I/O signals is covered by the ECU Abstraction Layer, the Service Layer offers:
‒ Operating system functionality
‒ Vehicle network communication / management
‒ Memory services (NVRAM management)
‒ Diagnostic services (UDS, OBD)
‒ Mode management
[Figure: AUTOSAR layered architecture with the Service Layer highlighted]
Architecture - Runtime Environment (RTE)
Task:
‒ Make AUTOSAR Software Components independent from the mapping to a specific ECU
Properties:
‒ Implementation: ECU and application specific (generated individually for each ECU)
‒ Upper Interface: Completely ECU independent
The RTE is a layer providing communication services to the application software (AUTOSAR Software Components and/or AUTOSAR Sensor/Actuator components). Above the RTE the software architecture style changes from “layered” to “component style”. The AUTOSAR Software Components communicate with other components (inter and/or intra ECU) and/or services via the RTE.
[Figure: AUTOSAR layered architecture with the Runtime Environment (RTE) highlighted]
Architecture - Application Layer
Task:
‒ Implement applications (runnables) that are executed by the RTE
Properties:
‒ Applications completely ECU independent.
‒ Sensor/Actuator SW-Cs are dependent on the specifics of a sensor or actuator.
The Application Layer is a layer providing application software (AUTOSAR Software Components and/or AUTOSAR Sensor/Actuator components). Above the RTE the software architecture style changes from “layered” to “component style”. The AUTOSAR Software Components communicate with other components (inter and/or intra ECU) and/or services via the RTE.
[Figure: AUTOSAR layered architecture with the Application Layer highlighted]
EB tresos AutoCore Solutions
EB tresos AutoCore Safety Solutions up to ASIL D
[Figure: EB tresos AutoCore module overview. Safety elements: Safety OS, Safety RTE (Rte, RteAs), Safety E2E Protection, Safety TimE Protection, Safety ACG. Basic Software: Os; Com Services (Com, PduR, IPduM, LDCOM); IP (SoAd, TcpIp, EthIf, UdpNm, EthSm), DoIP; CAN (CanIf, CanTp, CanNm, CanSm, CanAs); LIN (LinIf, LinTp, LinNm, LinSm); FlexRay (FrIf, FrTp, FrNm, FrSm, FrAs); Memory (NvM, MemIf, Fee, Ea, Crc, MemAs); Mode Mgmt. (ComM, EcuM, BswM); Nm; XCP; Diagnostic (Dem, Dcm, FiM); Dbg; STBM, Time Sync (FlexRay), Time Sync (Ethernet); IoHwAbs; Crypto (CSM, CRY, CAL, Cpl); Libs; CDD; Base (Det, EcuC, Make, MemMap, Platform, PbcfgM), Configurators (HidWiz, SvcAs), Workflows; MCAL drivers (Mcu, Port, Dio, Adc, Pwm, Icu, Gpt, Spi, Wdg, Eep, Fls, FlsTst, RamTst, Can, Lin, Eth, Fr, CanTrcv, LinTrcv, EthTrcv, FrTrcv, SD). Application: project-specific Application SWCs, EB SWCs, OEM SWCs. Legend: EB, 3rd Party, OEM, EB / 3rd Party]
Architectures for Safety
Example: electric seat positioning
[Figure: seat with the four movement directions up, down, front and back]
Example: electric seat positioning
[Figure: seat ECU with its signals: inputs Switch_back, Switch_back_red, Switch_front, Switch_front_red, endP_back, endP_front, SeatPos and motor_current; output motor_out; external watchdog Wdg_Ext]
Exercise - Introduction
The software system shall:
• Read two redundant Adc signals
• Perform some calculation
‒ Requires data from non-volatile memory
• Send a result via the CAN bus
Exercise – Constraints
Software constraints:
• ECU shall use AUTOSAR architecture and modules
• Software elements with different safety levels need to be integrated
• CAN stack is implemented according to QM
• ADC and SPI are implemented according to QM
• ADC and ADCext measure the same signal (redundancy)
Organizational constraints:
• Microcontroller might change in future
• Filter and signal preparation for calculation might change
Exercise - Part 0
Define the data path between the Adc signal measurement and the Calculation software element:
• Define additional software units if required
• Define interfaces between software modules
Draw elements and interfaces directly in the diagram
Basic Safety Mechanisms
From DO-178C, section 2.4 “Architectural Considerations”. Basic building blocks (DO-178C): there are basically three safety mechanisms on an architectural level (see 2.4):
1. Partitioning
2. Safety monitoring
3. Multiple-version dissimilar software
Monitoring as well as dissimilar software require partitioning!
Partitioning
DO-178C, 2.4.1, Partitioning:
a. A partitioned software component should not be allowed to contaminate another partitioned software component’s code, input/output (I/O), or data storage areas.
b. A partitioned software component should be allowed to consume shared processor resources only during its scheduled period of execution.
c. Failures of the hardware unique to a partitioned software component should not cause adverse effects on other partitioned software components.
d. Any software providing partitioning should have the same or higher software level as the highest level assigned to any of the partitioned software components.
e. Any hardware providing partitioning should be assessed by the system safety assessment process to ensure that it does not adversely affect safety.
Safety Monitoring
Safety monitoring is a means of protecting against specific failure conditions by directly monitoring a function for failures. Monitors can be implemented in hardware, software or in a combination of both.
Through the use of monitoring techniques, the software level of the monitored software may be assigned a software level associated with the loss of its related function.
a. Software level: Safety monitoring software is assigned the software level associated with the most severe failure condition for the monitored function.
b. System fault coverage: Assessment of the system fault coverage of a monitor ensures that the monitor’s design and implementation are such that the faults which it is intended to detect will be detected under all necessary conditions.
c. Independence of function and monitor: The monitor and protective mechanism are not rendered inoperative by the same failure that causes the failure condition.
Safety Monitoring
1. A priori, the ASIL requirement is on the function itself.
2. Adding the monitor: the ASIL requirement moves to the safety monitor (high diagnostic coverage).
3. Usually the monitor will simply shut down the function. Additional safety goal: no new hazards by losing the function. Possible new safety requirement.
Precondition: independence between safety monitor and function is required, in space as well as in time.
[Figure: Function and Safety Monitor, annotated ASIL-x, ASIL-x and ASIL-y (loss of function)]
Multi-Version Dissimilar Software
• Often also referred to as multi-version software, multi-version independent software, dissimilar software, N-version programming or software diversity.
• Dissimilar software is sometimes written such that different parts of the hardware are used, e.g. fixed-point arithmetic vs. floating point.
Issues:
• The degree of dissimilarity and hence the degree of protection is usually not measurable. See the paper by Leveson and Knight about the experiment with N-version software.
• Dissimilar versions of the software are derived from the same specifications and there may be other common parts in the development process.
Relation of HW/SW Measures
[Figure: relation of hardware and software safety measures; © Freescale Inc.; C. Temple, HW/SW Codesign in the Light of Functional Safety, Praxisworkshop “Funktionale Sicherheit in der Fahrzeugelektronik”, February 2013]
Pattern: closed loop
• Data validation: HW check, plausibility check, “smoothing”, etc.
• Data integrity: redundant storage or a checksum
• Dotted lines: measuring the output; still an open-loop system
• Dotted lines: measuring the final result; a closed-loop system
• Open-loop example: measuring current for movement of valves in a chemical plant, but failing to notice that the valve itself is “blocked”.
[Figure: Actuation (Function) Level: Input Sensors → Input Processing → Data Validation → Data Processing (Transformations) → Output Processing → Actuators; Actuator Sensors feed Actuation Monitoring]
Reference Software Architecture
ASIL-C: independent memory
ASIL-D: independent memory, independent CPU
[Figure: L1 Base: Software Function, Actuator Activation, Safe State; L2 Functional Diagnosis and L2 Signal Diagnosis (Plausibility Check); L3 System Diagnosis, synchronized with the levels below]
From a normal software architecture to a high integrity system.
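The function/monitor split described on the Safety Monitoring slides, with the L2 plausibility check and the closed-loop actuation monitoring from the pattern above, applied to the electric-seat example. This is an added illustration written for this page, not code from the EB slides or from EB tresos; the signal names follow the seat ECU diagram, while the reading of the _red signals as redundant switch channels, the current threshold, the debounce limits and the choice of "motor off" as the safe state are assumptions.

```c
/* Added example (not from the EB slides): function/monitor pair for the
 * electric-seat ECU.  The L1 function computes the motor command from the
 * primary switches; an independent L2 safety monitor plausibility-checks the
 * redundant switch channels (Switch_*_red, assumed redundant) and the actuator
 * feedback (motor_current) and, on a latched fault, forces the safe state.
 * "Safe state = motor off" and all thresholds are assumptions for this demo. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One sample of the ECU inputs, named after the slide's signals (constructed). */
typedef struct {
    bool switch_back, switch_back_red;    /* redundant "move back" switches  */
    bool switch_front, switch_front_red;  /* redundant "move front" switches */
    bool endp_back, endp_front;           /* mechanical end positions        */
    int16_t motor_current_mA;             /* measured motor current          */
} SeatInputs;

typedef enum { MOTOR_OFF = 0, MOTOR_FRONT = 1, MOTOR_BACK = -1 } MotorCmd;

/* L1 function (QM-style logic): trusts the primary switch channel only. */
MotorCmd seat_function(const SeatInputs *in)
{
    if (in->switch_back && !in->endp_back)   return MOTOR_BACK;
    if (in->switch_front && !in->endp_front) return MOTOR_FRONT;
    return MOTOR_OFF;
}

/* L2 monitor state: its own variables, not shared with the function. */
typedef struct {
    uint8_t mismatch_cycles;  /* consecutive cycles the redundant channels disagree */
    uint8_t feedback_cycles;  /* consecutive cycles current contradicts the command */
    bool latched_fault;       /* once set, only a reset clears it (assumption)      */
} MonitorState;

#define MISMATCH_LIMIT 3     /* debounce for switch disagreement (assumed)       */
#define FEEDBACK_LIMIT 5     /* tolerance for motor spin-up / run-down (assumed) */
#define CURRENT_ON_mA  200   /* above this the motor counts as moving (assumed)  */

/* Returns the command the monitor allows onto motor_out for this cycle. */
MotorCmd seat_monitor(MonitorState *st, const SeatInputs *in, MotorCmd requested)
{
    /* Plausibility check: both redundant channels must report the same state. */
    bool redundant_ok = (in->switch_back  == in->switch_back_red) &&
                        (in->switch_front == in->switch_front_red);
    st->mismatch_cycles = redundant_ok ? 0 : (uint8_t)(st->mismatch_cycles + 1);

    /* Actuation monitoring (closed loop): a command must produce current and
     * "off" must not; a motor running while commanded off is out of control. */
    bool moving      = in->motor_current_mA >= CURRENT_ON_mA;
    bool feedback_ok = ((requested != MOTOR_OFF) == moving);
    st->feedback_cycles = feedback_ok ? 0 : (uint8_t)(st->feedback_cycles + 1);

    if (st->mismatch_cycles >= MISMATCH_LIMIT || st->feedback_cycles >= FEEDBACK_LIMIT)
        st->latched_fault = true;

    return st->latched_fault ? MOTOR_OFF : requested;
}

/* A latched fault also drives an independent shutdown path (e.g. the external
 * watchdog Wdg_Ext in the slide): MOTOR_OFF alone cannot stop a motor that is
 * already running uncommanded. */
bool seat_shutdown_requested(const MonitorState *st) { return st->latched_fault; }

/* Constructed input vector: same state every cycle, front switches released. */
SeatInputs seat_sample(bool back, bool back_red, int16_t current_mA)
{
    SeatInputs in = {0};
    in.switch_back = back;
    in.switch_back_red = back_red;
    in.motor_current_mA = current_mA;
    return in;
}

/* Runs n cycles of function + monitor and returns the last allowed command. */
MotorCmd seat_run_cycles(MonitorState *st, SeatInputs in, int n)
{
    MotorCmd out = MOTOR_OFF;
    for (int i = 0; i < n; i++)
        out = seat_monitor(st, &in, seat_function(&in));
    return out;
}

int main(void)
{
    MonitorState normal = {0}, mismatch = {0}, stuck = {0};
    MotorCmd cmd;
    /* consistent request, motor draws current: movement stays allowed */
    cmd = seat_run_cycles(&normal, seat_sample(true, true, 500), 10);
    printf("normal:   cmd=%d fault=%d\n", cmd, normal.latched_fault);
    /* redundant channels disagree for 3 cycles: fault latched, motor off */
    cmd = seat_run_cycles(&mismatch, seat_sample(true, false, 500), 3);
    printf("mismatch: cmd=%d fault=%d\n", cmd, mismatch.latched_fault);
    /* nothing requested but current flows: actuator not under control */
    cmd = seat_run_cycles(&stuck, seat_sample(false, false, 500), 5);
    printf("stuck:    cmd=%d fault=%d shutdown=%d\n", cmd, stuck.latched_fault,
           seat_shutdown_requested(&stuck));
    return 0;
}
```

The monitor reads only the raw inputs and keeps its own state, which is the independence in space the slide asks for; independence in time (the monitor in its own partition or task) is outside what one C file can show. The latched fault is also exposed through seat_shutdown_requested() because returning MOTOR_OFF cannot stop a motor that is already running uncommanded, which is why the reference architecture keeps a separate shutdown path at L3.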
Conclusion & Mapping to E-GAS
[Figure: Actuation (Function) Level (L1): Input Sensors → Input Processing → Data Validation → Data Processing (Transformations) → Output Processing → Actuators, with Actuator Sensors. Monitoring Level (L2): Monitor Input Processing, Monitor, Integrity Test, Memory. Control Level (L3): Sequence Control, Watchdog Time Base, Shutdown Signal]
Evolving Needs for Software Systems - Demonstrated
Brainstorming: Failure Modes in Time
What can go wrong?
31
Failure Modes & Detection Mechanisms
32
Failure Mode              | Alive Supervision | Logical Supervision | Deadline Supervision | Checkpoint type and location
Sequence Violation        |                   | x                   |                      | Logical
Stuck Error               | x                 |                     |                      | Alive, at the end
Exit Violation            |                   | x                   |                      | Logical, at the end
Entry Violation           |                   | x                   |                      | Logical, at the start
Sequence Restart          |                   | x                   |                      | Logical
Commission Error          |                   | x                   |                      | Logical
Omission Error            | x                 |                     |                      | Alive
Timing Violation          |                   |                     | x                    | Deadline, between constraints
Occurrence Violation      | x                 |                     |                      | Alive
Synchronization Violation |                   | x                   |                      | Logical, for each component
Alive Supervision
33
• Periodic Supervised Entities have constraints on the number of times they are executed within a given timespan.
• Watchdog Manager checks periodically if the Checkpoints of a Supervised Entity have been reached within the given limits (lower/upper delta).
ControlFlow Monitoring / Logical Monitoring
34
• Detects a divergence from the valid program sequence.
• Control flow errors are caused by serious faults, very often in hardware. Hence control flow monitoring is a very effective tool in the argument for diagnostic coverage, e.g. in an FMEDA.
Deadline Monitoring
35
• Verifies the timing of the occurrences of check points.
• This mechanism is dedicated to SEs that have individual constraints on the timing between two checkpoints.
• Deadline monitoring is a classical technique for diverse implementations.
• Caution: deadline monitoring usually requires a very controlled schedule between such checkpoints. E.g. the unexpected execution of an interrupt is detected as a deadline violation of a completely different SE.
(Ideal) Scheduling of WdgM
36
(Diagram: priority levels, highest first)
• Wdg: cyclic, HW/Gpt counter, high frequency, uninterruptible, interrupts everything else
• WdgM: cyclic, maybe HW/Gpt counter, medium/high frequency, not interrupted by SEs, interrupts everything else
• Safe state management: frequency depends on the needs, likely to be supervised by WdgM at least by alive monitoring
• Safety interrupts: frequency depends on the needs, likely to be supervised by WdgM at least by alive monitoring
• Safety functions: frequency depends on the needs, likely to be supervised by WdgM at least by alive monitoring; this is where the functionality is provided
• Everything else: if there is time, do the actual functionality/calculations; most tasks are interruptible, unlikely to be monitored, unless on a "critical path"
Example scheduling
37
(Diagram: example schedule with axes time and priority; activities grouped as Functionality, L2 Monitoring and System Diagnosis)
• ISR_Wdg
• ISR Input
• Time monitoring (L3)
• CPU monitoring (L3)
• Output validation (L2)
• Data processing validation (L2)
• Input data validation (L2)
• Input processing (L1)
• Data processing (L1)
• Output processing (L1)
• Non-safety functions, preemptable
Exercise – Part 1
• Timing constraints when the system is properly running in "normal" mode:
‒ The functions Signal preparation, Calculate and Output SHALL be triggered every 10 ms
‒ The functions Signal preparation, Calculate and Output SHALL have a fixed order, in order to avoid working on outdated data
‒ The elapsed time between the start of Read and the finish of Calculate SHALL not exceed 3 ms
‒ ADC values are continuously updated every 10 ms
• Task:
Add checkpoints and properties (Alive, ControlFlow, Deadline)
38
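As an added example (not code from the slides and not an AUTOSAR WdgM implementation), the following C program applies the three supervision kinds from the preceding slides to this exercise: alive supervision on the number of executions per 10 ms cycle, logical supervision on the fixed order Read, Signal preparation, Calculate, Output, and deadline supervision on the 3 ms budget from the start of Read to the end of Calculate. The checkpoint names, the placement of the checkpoints, the timestamps and the alive tolerance are assumptions made for the illustration.

```c
/* Added example (not AUTOSAR code): a minimal checkpoint supervisor that
 * applies the three WdgM supervision kinds to the exercise above. Names,
 * timestamps and tolerances are assumptions made for this illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Checkpoints of the supervised entity (assumed placement). */
enum { CP_READ_START, CP_SIGNAL_PREP, CP_CALC_DONE, CP_OUTPUT, CP_COUNT };

/* Result bits returned by sv_main_function(). */
enum { FAIL_ALIVE = 1u, FAIL_LOGICAL = 2u, FAIL_DEADLINE = 4u };

#define DEADLINE_US 3000u  /* start of Read -> end of Calculate must not exceed 3 ms */
#define ALIVE_MIN      1u  /* expected CP_OUTPUT hits per 10 ms supervision cycle */
#define ALIVE_MAX      1u

/* Logical supervision graph: fixed order Read -> Signal prep -> Calculate -> Output. */
static const bool allowed[CP_COUNT][CP_COUNT] = {
    [CP_READ_START][CP_SIGNAL_PREP] = true,
    [CP_SIGNAL_PREP][CP_CALC_DONE]  = true,
    [CP_CALC_DONE][CP_OUTPUT]       = true,
    [CP_OUTPUT][CP_READ_START]      = true,   /* the next cycle may start */
};

typedef struct {
    int      last_cp;        /* last checkpoint reached, -1 before the first */
    uint32_t read_start_us;  /* timestamp of CP_READ_START (deadline start) */
    uint32_t alive_count;    /* CP_OUTPUT hits in the current supervision cycle */
    unsigned fails;          /* accumulated FAIL_* bits */
} Supervisor;

void sv_init(Supervisor *s) {
    s->last_cp = -1; s->read_start_us = 0; s->alive_count = 0; s->fails = 0;
}

/* Called by the supervised entity at each checkpoint. */
void sv_checkpoint(Supervisor *s, int cp, uint32_t now_us) {
    /* Logical supervision: entry violation or illegal transition. */
    if (s->last_cp < 0 ? cp != CP_READ_START : !allowed[s->last_cp][cp])
        s->fails |= FAIL_LOGICAL;
    s->last_cp = cp;
    /* Deadline supervision between the two constrained checkpoints. */
    if (cp == CP_READ_START) s->read_start_us = now_us;
    if (cp == CP_CALC_DONE && now_us - s->read_start_us > DEADLINE_US)
        s->fails |= FAIL_DEADLINE;
    /* Alive supervision counts the checkpoint that closes one execution. */
    if (cp == CP_OUTPUT) s->alive_count++;
}

/* Called once per 10 ms by the watchdog task; returns the failure bits. */
unsigned sv_main_function(Supervisor *s) {
    if (s->alive_count < ALIVE_MIN || s->alive_count > ALIVE_MAX)
        s->fails |= FAIL_ALIVE;
    s->alive_count = 0;
    return s->fails;
}

/* Constructed scenarios; timestamps are microseconds within one 10 ms cycle. */
unsigned scenario_nominal(void) {
    Supervisor s; sv_init(&s);
    sv_checkpoint(&s, CP_READ_START, 0);
    sv_checkpoint(&s, CP_SIGNAL_PREP, 500);
    sv_checkpoint(&s, CP_CALC_DONE, 2500);
    sv_checkpoint(&s, CP_OUTPUT, 3000);
    return sv_main_function(&s);               /* 0 */
}
unsigned scenario_wrong_order(void) {          /* Calculate before Signal preparation */
    Supervisor s; sv_init(&s);
    sv_checkpoint(&s, CP_READ_START, 0);
    sv_checkpoint(&s, CP_CALC_DONE, 500);
    sv_checkpoint(&s, CP_SIGNAL_PREP, 1000);
    sv_checkpoint(&s, CP_OUTPUT, 1500);
    return sv_main_function(&s);               /* FAIL_LOGICAL */
}
unsigned scenario_deadline_missed(void) {      /* Calculate finishes after 3 ms */
    Supervisor s; sv_init(&s);
    sv_checkpoint(&s, CP_READ_START, 0);
    sv_checkpoint(&s, CP_SIGNAL_PREP, 500);
    sv_checkpoint(&s, CP_CALC_DONE, 3500);
    sv_checkpoint(&s, CP_OUTPUT, 4000);
    return sv_main_function(&s);               /* FAIL_DEADLINE */
}
unsigned scenario_stuck(void) {                /* entity hangs after Read */
    Supervisor s; sv_init(&s);
    sv_checkpoint(&s, CP_READ_START, 0);
    return sv_main_function(&s);               /* FAIL_ALIVE */
}

int main(void) {
    printf("nominal=%u wrong_order=%u deadline=%u stuck=%u\n",
           scenario_nominal(), scenario_wrong_order(),
           scenario_deadline_missed(), scenario_stuck());
    return 0;
}
```

The stuck scenario shows why the alive checkpoint sits at the end of the sequence: an entity that hangs after Read never reaches it, so the omission is caught by the counter even though no illegal transition was seen. Failure bits are sticky on purpose; in a real WdgM they feed the global supervision status and the safe state management rather than being cleared per cycle.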
39
Secure Automotive Ethernet Communication
Motivation
Advanced driver assistance systems (ADAS) are evolving towards autonomous driving
• From alert & assist, e.g. lane departure warning, lane keeping assist
• … to features taking more control, e.g. highway chauffeur, valet parking
Automotive Ethernet is a key enabler for autonomous driving. Secure Ethernet Communication is required to ensure:
Availability
• Sensor data is available on time to create an environment model of the vehicle
• Actuator commands are sent correctly to control the vehicle
Integrity
• Sensor and actuator data are sent by authorized parties only, to avoid manipulation
• Sensor and actuator data are not altered, removed or delayed, to avoid manipulation
Confidentiality
• Sensor and actuator data are not monitored by unauthorized 3rd parties, to protect the driver's privacy
Dependability & Security
(Diagram: attribute sets)
Dependability: Availability, Reliability, Integrity, Safety, Maintainability
Dependability & Security: Availability, Reliability, Integrity, Safety, Maintainability, Confidentiality
Avizienis, Laprie, Randell, Landwehr: Basic Concepts and Taxonomy of Dependable and Secure Computing, IEEE, 2004
• Safety: Protection against non-malicious faults, e.g. EMV (electromagnetic compatibility)
• Security: Protection against malicious faults, e.g. intended attacks
Security protects Safety
There is no safety without security
Secure communication
Protection against the effects of malicious faults on the communication link
• New threats can emerge during system operation
• Threats are attacks (malicious, human made, external)
• Goal: Protect assets (property, environment and human life)
• Types of attack:
‒ injection of malicious control commands
‒ prevention of correct system function (insertion, deletion, manipulation, replay and delay of messages)
• Points of attack:
‒ additional nodes (e.g. via OBD connector or wireless access)
‒ corrupted and misused existing nodes (e.g. root access to infotainment system via cellular network)
‒ nodes replaced by manipulated ones
Solution: Multi-Level Security Architecture
Enhanced connectivity and the dynamics of the security threats demand that several security barriers be established, so that bypassing one security mechanism does not lead to full exposure.
Goal: protect against attacks violating availability, integrity and confidentiality.
Approach: establish security mechanisms on four levels:
Level 1: restrict access to the network
Level 2: secure onboard communication
Level 3: apply data usage policies
Level 4: detect anomalies and defend
Multi-Level Security Architecture
46
Level 1: Restrict access to the network
Level 2: Secure onboard communication
Level 3: Apply data usage policies
Level 4: Detect anomalies and defend
Various access points to the network
47
Internet connection
Bluetooth connection
Wireless key
Tire pressure monitor
Remote start
Remote HVAC
WiFi Hotspot
Car2Infrastructure
Car2Car
eCall
Level 1: Restrict access to the network (I)
• Limit the number of ECUs with off-board connections (WLAN, Bluetooth, cellular, wireless key, DAB, OBD plug, PLC), e.g. via
‒ a central network access point with a stateful firewall
‒ diagnostic communication from the external tester to ECUs via the central gateway (communication between tester and central gateway via TLS)
Level 1: Restrict access to the network (II)
• Divide the network into security zones, e.g. external, "demilitarized", internal, and restrict traffic between zones: physical split or separation via VLANs
• Not only external-internal, but also internal-internal, e.g. infotainment to powertrain
VLAN tagging to separate external from internal
• All frames from the external tester are tagged with an orange VLAN tag at the switch located at the gateway
• Thus only nodes assigned to the orange VLAN can receive frames from the external tester
• Frames to be sent to the external tester are sent via the orange VLAN; the switch at the gateway removes the orange VLAN tag before forwarding the frame to the tester
VLAN tagging to separate internal networks
• ECUs from infotainment (blue VLAN), chassis (green VLAN) and powertrain (yellow VLAN) can be separated, i.e. they will only see frames from their assigned VLANs
• Traffic between VLANs requires a switch or gateway
(Diagram: tester attached to the gateway switch)
Level 1: Restrict access to the network (III)
• static Ethernet switch forwarding tables OR MAC learning only during a learning mode (e.g. end-of-line)
• static ARP tables at nodes OR Address Resolution Protocol only during a learning mode (e.g. end-of-line)
• device authentication/authorization
• deactivation of unused (non-authorized) ports
Source: AUTOSAR 4.2 EthSwt SWS
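The following C model, added here as an example and not taken from the slides or from the AUTOSAR EthSwt module, puts the Level 1 (II) and (III) measures together in one small switch: untagged frames from the tester port get the external VLAN at ingress, each port forwards only within its VLAN membership, source addresses are learned only while a learning mode (e.g. end-of-line) is active and the forwarding table is static afterwards, unknown destinations are dropped once the table is frozen, and an unused port is deactivated. The topology, port numbers, VLAN names and MAC addresses are constructed for the illustration.

```c
/* Added example (not slide or AUTOSAR code): an automotive Ethernet switch
 * model enforcing VLAN separation, learning-mode-only MAC learning and
 * deactivated unused ports. All addresses and the topology are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORTS   5
#define FDB_MAX 16

/* VLANs as single bits so that membership is a mask test. */
enum { VL_EXT = 1u, VL_INFO = 2u, VL_CHASSIS = 4u, VL_PT = 8u };

typedef struct { bool enabled; uint8_t pvid; uint8_t members; bool untag_egress; } Port;
typedef struct { uint8_t mac[6]; int port; } FdbEntry;
typedef struct { Port port[PORTS]; FdbEntry fdb[FDB_MAX]; int fdb_n; bool learning; } Switch;
typedef struct { uint8_t dst[6]; uint8_t src[6]; uint8_t vlan; /* 0 = untagged */ } Frame;

int fdb_lookup(const Switch *sw, const uint8_t mac[6]) {
    for (int i = 0; i < sw->fdb_n; i++)
        if (memcmp(sw->fdb[i].mac, mac, 6) == 0) return i;
    return -1;
}

/* Source addresses are learned only while learning mode is active. */
static void fdb_learn(Switch *sw, const uint8_t mac[6], int port) {
    if (!sw->learning || sw->fdb_n >= FDB_MAX || fdb_lookup(sw, mac) >= 0) return;
    memcpy(sw->fdb[sw->fdb_n].mac, mac, 6);
    sw->fdb[sw->fdb_n++].port = port;
}

static bool can_egress(const Switch *sw, int p, int in_port, uint8_t vlan) {
    return p != in_port && sw->port[p].enabled && (sw->port[p].members & vlan);
}

/* Returns the bitmask of egress ports; 0 means the frame is dropped. */
unsigned sw_forward(Switch *sw, int in_port, const Frame *f) {
    const Port *in = &sw->port[in_port];
    if (!in->enabled) return 0;                        /* unused port deactivated */
    uint8_t vlan = f->vlan ? f->vlan : in->pvid;        /* untagged frames get the port VLAN */
    if (!(in->members & vlan)) return 0;                /* tag not allowed on this port */
    fdb_learn(sw, f->src, in_port);
    int e = fdb_lookup(sw, f->dst);
    if (e >= 0)
        return can_egress(sw, sw->fdb[e].port, in_port, vlan) ? 1u << sw->fdb[e].port : 0;
    if (!sw->learning) return 0;                        /* static table: unknown destination dropped */
    unsigned mask = 0;                                  /* learning mode: flood inside the VLAN only */
    for (int p = 0; p < PORTS; p++)
        if (can_egress(sw, p, in_port, vlan)) mask |= 1u << p;
    return mask;
}

/* Constructed topology: port 0 tester, 1 gateway ECU, 2 infotainment, 3 powertrain, 4 unused. */
static const uint8_t MAC_TESTER[6] = {2,0,0,0,0,1}, MAC_GW[6] = {2,0,0,0,0,2},
                     MAC_INFO[6]   = {2,0,0,0,0,3}, MAC_PT[6] = {2,0,0,0,0,4},
                     MAC_ROGUE[6]  = {2,0,0,0,0,9};   /* a node added after end-of-line */

Switch sample_switch(void) {
    Switch sw = { .learning = true };
    sw.port[0] = (Port){ true, VL_EXT,  VL_EXT, true };   /* orange tag stripped towards the tester */
    sw.port[1] = (Port){ true, VL_INFO, VL_EXT | VL_INFO | VL_CHASSIS | VL_PT, false };
    sw.port[2] = (Port){ true, VL_INFO, VL_INFO, false };
    sw.port[3] = (Port){ true, VL_PT,   VL_PT, false };
    sw.port[4] = (Port){ false, 0, 0, false };
    const uint8_t *macs[] = { MAC_TESTER, MAC_GW, MAC_INFO, MAC_PT };
    for (int p = 0; p < 4; p++) fdb_learn(&sw, macs[p], p);  /* end-of-line learning phase */
    sw.learning = false;                                     /* table frozen for operation */
    return sw;
}

static Frame frame(const uint8_t dst[6], const uint8_t src[6]) {
    Frame f; memcpy(f.dst, dst, 6); memcpy(f.src, src, 6); f.vlan = 0; return f;
}

unsigned scenario_tester_to_gateway(void) {          /* 2: gateway is in the external VLAN */
    Switch sw = sample_switch(); Frame f = frame(MAC_GW, MAC_TESTER);
    return sw_forward(&sw, 0, &f);
}
unsigned scenario_tester_to_powertrain(void) {       /* 0: powertrain is not in the external VLAN */
    Switch sw = sample_switch(); Frame f = frame(MAC_PT, MAC_TESTER);
    return sw_forward(&sw, 0, &f);
}
unsigned scenario_infotainment_to_powertrain(void) { /* 0: blue and yellow only meet at the gateway */
    Switch sw = sample_switch(); Frame f = frame(MAC_PT, MAC_INFO);
    return sw_forward(&sw, 2, &f);
}
bool scenario_rogue_not_learned(void) {              /* new source after end-of-line is not learned */
    Switch sw = sample_switch(); Frame f = frame(MAC_GW, MAC_ROGUE);
    sw_forward(&sw, 2, &f);
    return sw.fdb_n == 4 && fdb_lookup(&sw, MAC_ROGUE) < 0;
}
unsigned scenario_unused_port(void) {                /* 0: port deactivated */
    Switch sw = sample_switch(); Frame f = frame(MAC_GW, MAC_ROGUE);
    return sw_forward(&sw, 4, &f);
}

int main(void) {
    printf("tester->gw %u, tester->pt %u, info->pt %u, rogue learned %d, unused %u\n",
           scenario_tester_to_gateway(), scenario_tester_to_powertrain(),
           scenario_infotainment_to_powertrain(), !scenario_rogue_not_learned(),
           scenario_unused_port());
    return 0;
}
```

Note what the frozen table does and does not give: a rogue node on an active infotainment port can still reach destinations that are already in the table, it just cannot make the switch learn its own address or reach other VLANs. That is why the slide lists device authentication/authorization alongside static tables, and why such a frame is a useful input for the Level 4 anomaly detection discussed later.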
Level 2: Secure onboard communication (I)
Data integrity, authentication, encryption
• Authentication and integrity of critical frames
• Symmetric key because of calculation effort (and required bandwidth)
• Encryption for exchange of session keys
• Choice of protection layer and protocol:
(Diagram: two nodes connected through a switch, each with Application, Com SW and Com HW layers, and the protection options placed on them)
• Application: application specific (proprietary)
• Com SW: AUTOSAR SecOC, TLS, IPsec
• Com HW: MACsec (hop-by-hop via the switch)
Level 2: Secure onboard communication (II)
Data integrity, authentication, encryption - Protocols
Protocol | Standard | Type/Layer | Authent. | Encryption | Comment
MACsec | IEEE 802.1AE | Hop-by-hop, Data-Link | X | X | Requires crypto/keys at each network node
IPsec AH (Authentication Header) | IETF RFC 4302 | End-to-End, IP | X | - |
IPsec ESP (Encapsulating Security Payload) | IETF RFC 4303 | End-to-End, IP | X | X |
TLS 1.2 (Transport Layer Security) | IETF RFC 5246 | End-to-End, TCP | X | X | Does not work with UDP
SecOC | AUTOSAR | End-to-End, PDUs | X | - | Supports MAC truncation (works also with CAN / FlexRay)
Level 2: Secure onboard communication (III)
Data integrity, authentication using AUTOSAR SecOC
• Authentication and integrity of critical frames based on a Message Authentication Code (MAC, i.e. usage of a symmetric key) and a freshness value (counter or timestamp)
• Symmetric key because of calculation effort (and required bandwidth)
• Sender generates the MAC based on DataId, data, freshness value and secret key. MAC and freshness value are transmitted together with the PDU data.
• Receiver verifies the MAC based on the received data and freshness value as well as the locally stored secret key and DataId
• CNT/MAC truncation can be used if the message length is very limited.
Source: AUTOSAR 4.2 SecOC SWS
(Diagram: sender and receiver each hold the DataId and the shared secret key)
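As an added example (not code from the slides and not the AUTOSAR SecOC module itself), the C program below implements the framing just described: the authenticator is computed over DataId, data and the full freshness value, only the low byte of the freshness counter and a 24-bit truncation of the MAC travel on the wire, and the receiver reconstructs the full counter from its last accepted value, checks an acceptance window, verifies the MAC in constant time and only then advances the counter. The keyed hash is a placeholder standing in for a real MAC such as AES-CMAC (it is not cryptographically secure); the field widths, window, key, DataId and payload are constructed assumptions.

```c
/* Added example (not AUTOSAR SecOC code): SecOC-style authenticated PDU
 * framing. The keyed hash is a PLACEHOLDER for illustration only, not a
 * cryptographic MAC; a real SecOC uses e.g. AES-CMAC through the CSM.
 * Field widths, window, key, DataId and payload are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_DATA         64
#define FV_TX_BYTES       1   /* truncated freshness value on the wire (low byte) */
#define MAC_TX_BYTES      3   /* truncated MAC on the wire (24 bit) */
#define FRESHNESS_WINDOW 16u  /* max. counter jump accepted (lost PDUs); must be < 256 */
#define TRAILER (FV_TX_BYTES + MAC_TX_BYTES)

/* Placeholder keyed hash: FNV-1a over key and message plus a finalizer. */
static uint64_t placeholder_mac(const uint8_t key[16], const uint8_t *msg, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < 16; i++)  { h ^= key[i]; h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < len; i++) { h ^= msg[i]; h *= 0x100000001b3ULL; }
    h ^= h >> 29; h *= 0xbf58476d1ce4e5b9ULL; h ^= h >> 32;
    return h;
}

/* Authenticator input = DataId (2 bytes BE) || data || full freshness (4 bytes BE). */
static size_t auth_input(uint8_t *out, uint16_t data_id, const uint8_t *data, size_t len, uint32_t fv) {
    out[0] = (uint8_t)(data_id >> 8); out[1] = (uint8_t)data_id;
    memcpy(out + 2, data, len);
    for (int i = 0; i < 4; i++) out[2 + len + i] = (uint8_t)(fv >> (24 - 8 * i));
    return 2 + len + 4;
}

/* Sender: returns the secured PDU length, 0 on error; increments the tx counter. */
size_t secoc_build(const uint8_t key[16], uint16_t data_id, const uint8_t *data, size_t len,
                   uint32_t *tx_counter, uint8_t *out, size_t cap) {
    if (len > MAX_DATA || cap < len + TRAILER) return 0;
    uint32_t fv = ++(*tx_counter);
    uint8_t in[2 + MAX_DATA + 4];
    uint64_t mac = placeholder_mac(key, in, auth_input(in, data_id, data, len, fv));
    memcpy(out, data, len);
    out[len] = (uint8_t)fv;                                          /* truncated freshness */
    for (int i = 0; i < MAC_TX_BYTES; i++) out[len + 1 + i] = (uint8_t)(mac >> (8 * i));
    return len + TRAILER;
}

/* Receiver: rebuilds the full freshness value from the transmitted low byte and
 * the last accepted counter, checks the window, then the truncated MAC. */
bool secoc_verify(const uint8_t key[16], uint16_t data_id, const uint8_t *pdu, size_t pdu_len,
                  uint32_t *last_accepted, uint8_t *data_out, size_t *data_len) {
    if (pdu_len < TRAILER || pdu_len - TRAILER > MAX_DATA) return false;
    size_t len = pdu_len - TRAILER;
    uint32_t fv = (*last_accepted & ~0xFFu) | pdu[len];
    if (fv <= *last_accepted) fv += 0x100u;                          /* low byte wrapped around */
    if (fv - *last_accepted > FRESHNESS_WINDOW) return false;        /* replay or too many lost */
    uint8_t in[2 + MAX_DATA + 4];
    uint64_t mac = placeholder_mac(key, in, auth_input(in, data_id, pdu, len, fv));
    uint8_t diff = 0;                                                /* constant-time compare */
    for (int i = 0; i < MAC_TX_BYTES; i++) diff |= pdu[len + 1 + i] ^ (uint8_t)(mac >> (8 * i));
    if (diff) return false;
    *last_accepted = fv;                                             /* advance only after MAC check */
    memcpy(data_out, pdu, len); *data_len = len;
    return true;
}

/* Constructed scenarios (key, DataId and payload are sample values). */
static const uint8_t KEY[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
static const uint8_t PAYLOAD[8] = "speed=42";
#define DATA_ID 0x0123u

bool demo_roundtrip(void) {
    uint32_t tx = 0, rx = 0; uint8_t pdu[MAX_DATA + TRAILER], out[MAX_DATA]; size_t n, olen;
    n = secoc_build(KEY, DATA_ID, PAYLOAD, 8, &tx, pdu, sizeof pdu);
    return n == 8 + TRAILER && secoc_verify(KEY, DATA_ID, pdu, n, &rx, out, &olen)
           && olen == 8 && memcmp(out, PAYLOAD, 8) == 0 && rx == 1;
}
bool demo_replay_rejected(void) {                 /* same PDU delivered twice */
    uint32_t tx = 0, rx = 0; uint8_t pdu[MAX_DATA + TRAILER], out[MAX_DATA]; size_t n, olen;
    n = secoc_build(KEY, DATA_ID, PAYLOAD, 8, &tx, pdu, sizeof pdu);
    bool first = secoc_verify(KEY, DATA_ID, pdu, n, &rx, out, &olen);
    return first && !secoc_verify(KEY, DATA_ID, pdu, n, &rx, out, &olen);
}
bool demo_tamper_rejected(void) {                 /* one payload bit flipped in transit */
    uint32_t tx = 0, rx = 0; uint8_t pdu[MAX_DATA + TRAILER], out[MAX_DATA]; size_t n, olen;
    n = secoc_build(KEY, DATA_ID, PAYLOAD, 8, &tx, pdu, sizeof pdu);
    pdu[6] ^= 0x01;
    return !secoc_verify(KEY, DATA_ID, pdu, n, &rx, out, &olen);
}
bool demo_wrong_dataid_rejected(void) {           /* PDU re-labelled as a different signal */
    uint32_t tx = 0, rx = 0; uint8_t pdu[MAX_DATA + TRAILER], out[MAX_DATA]; size_t n, olen;
    n = secoc_build(KEY, DATA_ID, PAYLOAD, 8, &tx, pdu, sizeof pdu);
    return !secoc_verify(KEY, DATA_ID + 1, pdu, n, &rx, out, &olen);
}
```

Two details matter for the truncation the slide mentions: the acceptance window has to be smaller than the range of the transmitted counter bits, otherwise the receiver cannot tell a wrapped counter from a replay, and the counter must only be advanced after the MAC has verified, otherwise an attacker could push the receiver's counter forward with unauthenticated bytes and desynchronize it from the legitimate sender.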
Level 2: Secure onboard communication (V)
Design principle for Key Management (Generation, Distribution and Storage)
• Service Backend (off-board) >> KeyMaster (on-board):
‒ Communication between SB and KM is encrypted using asymmetric cryptography
‒ SB configures and triggers key exchange at KM
• KeyMaster >> ECUs:
‒ Communication between KM and ECUs is encrypted using symmetric cryptography
‒ KM generates communication group session keys (TEK) if triggered, e.g. by the SB, a timeout or a diagnostic request
‒ KM assigns TEKs to ECUs by using the related Key Encryption Key (KEK) of the ECU
‒ ECU securely stores the keys in its HSM
(Diagram: SB (Internet) -> KM -> ECU; the off-board link uses asymmetric/symmetric cryptography, the on-board link symmetric cryptography)
Based on: The EVITA Project
SB … Service Backend Server, KM … Key Master
Level 3: Apply data usage policies
Define data usage policies to limit the exposure
• Use service-specific know-how to implement policies in the application
‒ Control data: accept control commands only in specific application states, define priorities of requesters
‒ Sensor data: validate the contents of data (context, history, …)
Examples
• allow diagnostic messages only in a specific vehicle state, e.g. speed is less than 5 mph or driver's door open
• allow massive steering/braking/acceleration changes only in certain vehicle states (e.g. crash indication, driver request in 'sport' mode, …)
• use more than one sensor (instance) to determine if the vehicle is not moving
Challenges
• Highly application dependent
• Side effects must be considered
Level 4: Detect anomalies at the network and defend
• Anomalies: deviations from the specified communication matrices, e.g. a cyclic message is received more often than defined, very high network load, 1:n message received with different source addresses, …
• Detection: via a central device or at the receiver, e.g. plausibility check based on diverse input data or data sequence, failed integrity checks
• Defend: report (e.g. DTC, involvement of the driver, …) and start mitigation
‒ mask (e.g. block messages from the infotainment ECU, block messages from a "babbling idiot" by enforcing bandwidth limitation at switches) or
‒ reconfigure (e.g. deactivation of critical functions, initiate hand-over in case of autonomous driving, request change of session key, …)
(Diagram: Stream1 and Stream2 from ECUs through a switch, with bandwidth figures 20 / 40 / 20 20)
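The C program below is an added example, not code from the slides: a Level 4 monitor of the kind a central switch or a receiving ECU could run, checking each received frame against a communication matrix. It flags the three anomalies named above (a cyclic message received more often than defined, a 1:n message with an unexpected source address, excessive load in a time window) plus unknown message IDs, and maps each finding to the mask/report reaction. The matrix, the thresholds and the frame log are constructed sample data, and the tolerance of half the configured period is an assumption.

```c
/* Added example (not slide code): a Level 4 anomaly monitor checking received
 * frames against a communication matrix. Matrix, thresholds and log are
 * constructed sample data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t t_us; uint8_t src; uint16_t msg_id; uint16_t len; } Frame;
typedef struct { uint16_t msg_id; uint8_t src; uint32_t period_us; } MatrixEntry;

enum { AN_TOO_FREQUENT = 1u, AN_WRONG_SOURCE = 2u, AN_UNKNOWN_ID = 4u, AN_LOAD = 8u };

/* Communication matrix: who may send which message, and how often (constructed). */
static const MatrixEntry MATRIX[] = {
    { 0x100, 1, 10000 },   /* vehicle speed, every 10 ms from ECU 1 */
    { 0x200, 2, 20000 },   /* steering angle, every 20 ms from ECU 2 */
    { 0x400, 4,     0 },   /* event message, not cyclic, from ECU 4 */
};
#define MATRIX_N (sizeof MATRIX / sizeof MATRIX[0])
#define LOAD_WINDOW_US   10000u
#define LOAD_LIMIT_BYTES   300u   /* per window, constructed threshold */

typedef struct {
    uint32_t last_us[MATRIX_N]; bool seen[MATRIX_N];
    uint32_t win_start_us, win_bytes;
} Monitor;

static int matrix_index(uint16_t id) {
    for (size_t i = 0; i < MATRIX_N; i++) if (MATRIX[i].msg_id == id) return (int)i;
    return -1;
}

/* Classify one frame; returns the AN_* bits (0 = nominal). */
unsigned monitor_frame(Monitor *m, const Frame *f) {
    unsigned an = 0;
    /* Load is physical: every frame counts, accepted or not. */
    if (f->t_us - m->win_start_us >= LOAD_WINDOW_US) { m->win_start_us = f->t_us; m->win_bytes = 0; }
    m->win_bytes += f->len;
    if (m->win_bytes > LOAD_LIMIT_BYTES) an |= AN_LOAD;

    int i = matrix_index(f->msg_id);
    if (i < 0) return an | AN_UNKNOWN_ID;
    if (f->src != MATRIX[i].src) return an | AN_WRONG_SOURCE;
    /* Cyclic message received more often than defined (tolerance: half the period). */
    if (MATRIX[i].period_us && m->seen[i] && f->t_us - m->last_us[i] < MATRIX[i].period_us / 2)
        return an | AN_TOO_FREQUENT;
    /* Only accepted frames move the timing baseline, so an injected burst cannot shift it. */
    m->last_us[i] = f->t_us; m->seen[i] = true;
    return an;
}

/* Defend: the reaction a switch or ECU would trigger for the finding. */
const char *action_for(unsigned an) {
    if (an & (AN_WRONG_SOURCE | AN_UNKNOWN_ID)) return "mask: block source at switch, report DTC";
    if (an & AN_TOO_FREQUENT) return "mask: rate-limit message ID, report DTC";
    if (an & AN_LOAD) return "enforce bandwidth limit at switch port";
    return "none";
}

/* Runs a whole log; fills per_frame[] and returns the number of anomalous frames. */
size_t analyze_log(const Frame *log, size_t n, unsigned *per_frame) {
    Monitor m = {0}; size_t count = 0;
    for (size_t i = 0; i < n; i++) { per_frame[i] = monitor_frame(&m, &log[i]); if (per_frame[i]) count++; }
    return count;
}

/* Constructed frame log (time in us, source ECU, message ID, length in bytes). */
const Frame SAMPLE_LOG[] = {
    {     0, 1, 0x100, 64 }, { 10000, 1, 0x100, 64 },
    { 12000, 1, 0x100, 64 },   /* 2 ms after the last one: too frequent */
    { 20000, 2, 0x200, 128 }, { 20500, 1, 0x100, 64 },
    { 30000, 9, 0x300, 64 },   /* unknown message ID */
    { 40000, 3, 0x200, 128 },  /* 0x200 from ECU 3: unexpected source */
    { 40200, 2, 0x200, 128 },
    { 50000, 4, 0x400, 100 }, { 50100, 4, 0x400, 100 }, { 50200, 4, 0x400, 100 },
    { 50300, 4, 0x400, 100 }, { 50400, 4, 0x400, 100 },   /* babbling idiot: load */
};
#define SAMPLE_LOG_N (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

size_t sample_anomaly_count(void) {
    unsigned an[SAMPLE_LOG_N]; return analyze_log(SAMPLE_LOG, SAMPLE_LOG_N, an);
}
unsigned sample_flags(size_t i) {
    unsigned an[SAMPLE_LOG_N]; analyze_log(SAMPLE_LOG, SAMPLE_LOG_N, an); return an[i];
}

int main(void) {
    for (size_t i = 0; i < SAMPLE_LOG_N; i++) {
        unsigned an = sample_flags(i);
        if (an) printf("t=%6u id=0x%03x src=%u flags=%u -> %s\n", (unsigned)SAMPLE_LOG[i].t_us,
                       SAMPLE_LOG[i].msg_id, SAMPLE_LOG[i].src, an, action_for(an));
    }
    printf("%u anomalous frames\n", (unsigned)sample_anomaly_count());
    return 0;
}
```

On the sample log the monitor reports five anomalous frames: the injected 0x100 at 12 ms, the unknown ID at 30 ms, the spoofed 0x200 at 40 ms and the last two frames of the burst once the 10 ms window exceeds its byte budget. Rejected frames deliberately do not update the per-message timing baseline; if they did, a burst of injected frames would make the genuine periodic message look "too frequent" and the mitigation would hit the wrong sender.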
Summary: Protection by the security levels
Levels protecting against attacks violating the availability, integrity and confidentiality:
Level | Availability | Integrity | Confidentiality
Level 1: restrict access to the network | Yes | Yes | Yes
Level 2: secure onboard communication | No (DoS attacks) | Yes | Yes
Level 3: apply data usage policies | No (DoS attacks) | Yes | No (eavesdropping)
Level 4: detect anomalies and defend | Yes | (Yes) | No (eavesdropping)
Multi-level security architecture with AUTOSAR
(Diagram: AUTOSAR stack with Level 1 to Level 4 mapped onto it; crypto services via the interface layer Csm and the implementation layer Cry, backed by a Hardware Security Module (CryHsm); SecMon for security monitoring)
Summary
• Autonomous driving requires secure communication to protect against malicious attacks
• Multi-level security architecture
‒ ensures availability, integrity and confidentiality
• Security mechanisms
‒ Use experience from IT industry
‒ Adaptations for automotive necessary and implemented
‒ First steps of standardization for security in automotive achieved, more needed.
• Solutions are available, use them to secure Ethernet for autonomous driving.
Demonstrator: Semi-dynamic reconfiguration based on classic AUTOSAR
Future architecture of a car infrastructure
• Split ECUs into a low-performance IO controller and a high-performance controller
• Establish a service oriented architecture (SOA)
• Performance Controller
‒ High computation power
‒ Widespread, POSIX-like Operating System (e.g. Linux), Adaptive AUTOSAR
• IO Controller
‒ Provide Sensor and Actuator Services
‒ Deeply embedded, real-time Operating System (e.g. Classic AUTOSAR)
[Figure: vehicle network with a gateway, a cloud connection, performance controllers (PF) and IO controllers attached to them]
Requirements for a future car infrastructure

High Level Requirements | Technical Concepts | Technologies
High computing power | High Performance Controllers and GPUs | Autosar Adaptive Platform; Hypervisor
High data rates | Ethernet (1 GigE, 10 GigE); Dependable Communication | Fault-tolerant Communication; QoS and Timesync; Safe & Secure Communication
High availability, fail-operational systems | Redundancy Concept; Service oriented architecture; Software System Engineering | 2oo3, 1oo2D, …; (Semi-) dynamic reconfiguration
Car-2-X communication, update over the air | Reliable Security mechanisms, concepts and infrastructure | Secure Onboard Communication & Key management; Crypto Algorithms, Security HW; Secure Separation
From Fail safe to Fail operational
Safe State means:
• Continue driving until driver is in the loop
‒ approx. 7-15s for conditional autonomous driving
‒ Several minutes for high and full autonomous driving
• Perform an autonomous "safe-stop" (stand-still at a non-hazardous place)
‒ Main issue is to get the driver attention focused on the situation
‒ Several minutes, depending on the situation
[Figure: automation levels from driver only, assisted, partial, conditional, high to full automation, spanning the range from fail safe to fail operational]
Example: 1oo2D System
[Figure: 1oo2D system with two channels; each channel has its own input, logic, diagnostics and an enable-output gate, and both share the input data and the output data]
• High diagnostic coverage needed to detect failures in one channel
• If a component fails in one of the two channels the system does not shut down
• The system continues to operate with one channel
Common sense: it's not best policy to operate a highly safety-critical system on a single channel, but it's sufficient for a certain period of time, the so-called hand-over time to the car driver
or…
Outlook: Reconfiguration for rebuilding 1oo2D
[Figure: state sequence after an error occurred]
• 1 channel
‒ Still operational
‒ Handover to driver
‒ Failure recovery
‒ Internal recovery
• 1oo2D* (reached in < 10 s)
‒ Rebuilding 2-channel system
‒ Disabling of comfort functions
1oo2D – Normal operation
[Figure: 1oo2D system in normal operation: two channels each running Func1 with diagnostics, connected over fault tolerant Ethernet to sensors/actuators and to further nodes hosting Func2 to Func6; functions are marked critical, non-critical or disabled]
1oo2D – 1 channel
[Figure: the same system after one channel of the 1oo2D system has failed; only the remaining channel runs Func1 with diagnostics, the other nodes keep Func2 to Func6 over fault tolerant Ethernet]
1oo2D* – 2 channel
[Figure: the rebuilt two-channel system 1oo2D*: a second instance of Func1 with diagnostics runs on another node reached over fault tolerant Ethernet, with functions marked critical, non-critical or disabled]
Req. 1: Reconfiguration in classic AUTOSAR systems
• Application information based on AUTOSAR xml description available
• Runtime environment (RTE) supporting starting and stopping of software components
• Threads can be started/stopped via Safety OS partitions
• FailOpManager
‒ Monitoring of own health status
‒ Monitoring of foreign health status
‒ Triggering of reconfiguration
Req. 2: Sensor/Actuators are redundant or accessible via network
Redundant Sensor/Actuators
• Duplication and higher costs
• Only limited reconfiguration over the vehicle lifetime due to hardwired sensors
Sensor/Actuators are accessible via network
• Service oriented communication (SOME/IP and Service Discovery)
• Multi-cast fault-tolerant Ethernet
Start point
[Figure: Node 1 and Node 2 connected via Ethernet; each node runs an Rte on top of the AUTOSAR BSW with ComStack and OS; the application Appl. 1 has a redundant copy Appl. 1 (red.), alongside Appl. 2]
• Application contains a realistic number of SW-Cs and interfaces for a driver assistance ECU
• Number of SW-Cs and interfaces are taken from a real ECU
Requirements
Requirement:
• Detection of failing nodes (scalable algorithm)
• Reconfiguration mechanism based on AUTOSAR
• State transfer from Node 1 to Node 2
• Reconfiguration time (< 500 ms)
• Small increase of CPU load and memory consumption
"Let's look at the details"
Health monitoring & Service State Agreement
Introduction
• Definition of a group membership protocol (GMP)
‒ "A set of processors has a common view of the state (crashed, restarting, running) of each processor at any time"
• Selection of a suitable protocol (research in existing academic work)
• Tailoring (downsizing) of the selected protocol
• Service state agreement (based on GMP)
‒ "A set of processors has an agreed state (active, stand-by) of each service provided by each node"
‒ Static agreement (rules based on current GMP states)
Group membership protocol
"A Low-Cost Processor Group Membership Protocol for a Hard Real-Time Distributed System" by Clegg and Marzullo
‒ low overhead
‒ small failure detection latency
‒ small message complexity
• Features:
‒ Assumes n (an arbitrary number of) processors participating in the GMP
‒ connected by $C_{max}$ network channels with broadcast functionality
‒ Detects network channel/interface errors and supports heartbeat forwarding (up to $C_{max} - 1$ channel/interface errors)
‒ States: Restarting, Running, Crashed
[Figure: processors $P_1 \dots P_n$ connected by channels $C_1 \dots C_{max}$; timeline of heartbeats spaced by $\delta$, with clock skew $\varepsilon$]
Notation:
‒ $P_1 \dots P_n$: processors
‒ $C_1 \dots C_{max}$: communication channels
‒ $\delta$: maximum broadcast period (heartbeat containing Id and timestamp $T_{tx}$)
‒ $\varepsilon$: maximum clock skew
‒ $\Delta_{send}$: maximum transmission delay
‒ $\Delta_{fwd}$: channel forward decision constant
‒ $\Delta_{sf} = \max(\Delta_{send}, \Delta_{fwd})$
Failure detection latency: $\Delta_{lat} = \Delta_{send} + \Delta_{sf} + 2\delta + \varepsilon$
Membership end (mse): $T_{mse} = T_{tx} + \Delta_{lat}$
Service state agreement
• Processor (P) = Electronic Control Unit (ECU)
• Redundant service A’’ and A’ deployed on processors (P1(A’), P2(A’’))
• States of P1 available in P1 and P2:
‒ Restarting, Running, Crashed
• Static service state agreement:
‒ P1: A’ initially deactivated (cold-stand-by)
• gmp state P1 -> Restarting: -
• gmp state P1 -> Running: activate A’ (active)
• gmp state P1 -> Crashed: deactivate A’ (P1 crashed)
‒ P2: A’’ initially deactivated (cold-stand-by)
• gmp state P1 -> Restarting: -
• gmp state P1 -> Running: -
• gmp state P1 -> Crashed: activate A’’
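The membership-end computation of the GMP slide and the static agreement rules above, as an added C example (not code from the slides or from Elektrobit). The timing values, the millisecond units and the 1 ms simulation tick are constructed; treating the first received heartbeat as the Restarting to Running transition is a simplification of the Clegg and Marzullo protocol.

```c
#include <stdbool.h>
#include <stdint.h>
/* GMP timing parameters from the slide, here in milliseconds (constructed units). */
typedef struct {
    uint32_t delta;   /* delta: maximum heartbeat broadcast period   */
    uint32_t eps;     /* epsilon: maximum clock skew                  */
    uint32_t d_send;  /* Delta_send: maximum transmission delay       */
    uint32_t d_fwd;   /* Delta_fwd: channel forward decision constant */
} gmp_params_t;

typedef enum { GMP_RESTARTING, GMP_RUNNING, GMP_CRASHED } gmp_state_t;
typedef enum { SVC_COLD_STANDBY, SVC_ACTIVE } svc_state_t;

/* Local view of one remote processor: its GMP state and membership end T_mse. */
typedef struct {
    gmp_state_t state;
    uint32_t    t_mse;
} member_t;

/* Delta_sf = max(Delta_send, Delta_fwd) */
static uint32_t gmp_delta_sf(const gmp_params_t *p)
{
    return p->d_send > p->d_fwd ? p->d_send : p->d_fwd;
}

/* Failure detection latency: Delta_lat = Delta_send + Delta_sf + 2*delta + epsilon */
uint32_t gmp_delta_lat(const gmp_params_t *p)
{
    return p->d_send + gmp_delta_sf(p) + 2u * p->delta + p->eps;
}

/* Heartbeat with send timestamp t_tx received: membership lasts until T_mse = T_tx + Delta_lat.
 * Simplification (assumption): the first heartbeat moves a Restarting peer to Running. */
void gmp_on_heartbeat(member_t *m, const gmp_params_t *p, uint32_t t_tx)
{
    m->t_mse = t_tx + gmp_delta_lat(p);
    if (m->state == GMP_RESTARTING) m->state = GMP_RUNNING;
}

/* Periodic check: once local time passes T_mse without a newer heartbeat, the peer is Crashed. */
void gmp_tick(member_t *m, uint32_t now)
{
    if (m->state == GMP_RUNNING && now > m->t_mse) m->state = GMP_CRASHED;
}

/* Static service state agreement rules from the slide, keyed on GMP[P1].
 * A "-" on the slide (no action) keeps the current service state. */
svc_state_t ssa_primary_a1(svc_state_t cur, gmp_state_t gmp_p1)   /* A' on P1  */
{
    if (gmp_p1 == GMP_RUNNING) return SVC_ACTIVE;
    if (gmp_p1 == GMP_CRASHED) return SVC_COLD_STANDBY;
    return cur;
}
svc_state_t ssa_backup_a2(svc_state_t cur, gmp_state_t gmp_p1)    /* A'' on P2 */
{
    return gmp_p1 == GMP_CRASHED ? SVC_ACTIVE : cur;
}

/* Constructed scenario on P2: P1 sends n_hb heartbeats at T_tx = k*delta, each arriving after
 * exactly Delta_send, then falls silent. Returns the time P2 activates A'' (0 if never). */
uint32_t simulate_p2(const gmp_params_t *p, uint32_t n_hb, uint32_t horizon, svc_state_t *a2)
{
    member_t p1 = { GMP_RESTARTING, 0u };
    *a2 = SVC_COLD_STANDBY;
    for (uint32_t now = 0u; now <= horizon; now++) {
        if (now >= p->d_send && (now - p->d_send) % p->delta == 0u &&
            (now - p->d_send) / p->delta < n_hb)
            gmp_on_heartbeat(&p1, p, now - p->d_send);
        gmp_tick(&p1, now);
        *a2 = ssa_backup_a2(*a2, p1.state);
        if (*a2 == SVC_ACTIVE) return now;
    }
    return 0u;
}
```

With delta = 10, epsilon = 1, Delta_send = 2 and Delta_fwd = 3 the latency bound is 26 ms; after the fifth heartbeat (T_tx = 40) the membership ends at T_mse = 66 and P2 activates A'' at t = 67.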
Putting it all together
[Figure: timeline with heartbeats (HB) from P1 to P2 at most $\delta$ apart. GMP[P1] on P1 and on P2 passes through Restarting, Running, Crashed. SSA A' on P1: Cold-Stand-By, then Active ("activate A'") once P1 is Running, ending when P1 crashes. SSA A'' on P2: Cold-Stand-By while P1 is Running, Active ("activate A''") once GMP[P1] on P2 is Crashed. Annotated intervals: $\Delta_{send}$ for a heartbeat's transmission; $T'_{rx}$ marks the reception of the last heartbeat and $T'_{mse}$ the resulting membership end, $\delta + \Delta_{send} + \mu$ later.]
Legend:
‒ GMP … Group Membership Protocol
‒ SSA … Service State Agreement Logic
‒ HB … Heartbeat message
‒ P1 … Processor (ECU) 1, containing primary SWC
‒ P2 … Processor (ECU) 2, containing backup SWC
‒ A' … primary SWC state
‒ A'' … backup SWC state
Semi-dynamic reconfiguration
Start/Stop on runnable level – Pros/Cons
‒ Usage of existing Autosar mechanisms (ModeSwitch and ModeEnabling/Disabling dependencies)
‒ Fast start/stop possible
‒ Central SW-C required as mode manager
‒ Distribution only possible on clustered software function
• Connected RTE Ports required
• Evaluation of execution path/data dependency required
‒ Modification / extension of application necessary
• configuration overhead for ModeSwitch-Ports
‒ Safety requirements will be assigned to this RTE mode management feature
‒ Additional effort to disable OS elements and ISR (load reduction)
Os application/partition level - Overview
• An Autosar Os-Application is a composition of Os elements
• Os-Application realizes a partition
• Partition is a logical composition
• Each partition has its own RTE (VFB)
• Inter-partition communication is handled by OS (IOC) or RTE (SMC)
[Figure: memory layout of OS App1 (data; Task1 data and stack; Task2 data and stack) and OS App2 (data; Task3 data and stack; ISR1 data and stack) beside the OS kernel stack; App1 and App2 each have their own Rte]
Start/Stop on Partition level – Pros/Cons
‒ Partitions can be started/stopped individually
‒ Cold standby can be realized
‒ Standard ASR mechanism
• Additionally used to realize memory protection in some OS implementations
‒ ISR and other OS elements are part of this concept
‒ Mechanism on a higher abstraction level compared to runnable approach – but on a logical functional level (remember SW-C to partition mapping)
‒ Starting and Stopping is divided into separate Rte & Os_Application APIs
• Small overhead at startup for setup
‒ Probably slower compared with mode management approach
• Partition A needs to be stopped and Partition B needs to be started
Results
Software components and partitions
[Figure: Node 1 and Node 2 connected via Ethernet; each node runs an Rte on top of the AUTOSAR BSW with ComStack and OS plus the two added components GSM and ReConfM; Node 1 runs App1, Node 2 runs App1 (standby) and App2]
• Two small software components are added
• Configurable as plugin
• Configuration is generated
• Partitioning added on Node 2 (dotted lines): Infrastructure, Normal Application, Cold standby
Benchmark - Reconfiguration Time
Failure detection depends on a configurable parameter in the GSM.
• Node 2:
‒ ReConfRemoteHeartBeatRxTimeout = 10 times the GSM cycle time (10 ms) ≈ 100 ms (depending on start-point)
‒ At least one heartbeat needs to be received within ReConfRemoteHeartBeatRxTimeout
• Node 1:
‒ ReConfHeartBeatTxPeriod = 1 time per GSM cycle time (10 ms)

Time measured | Time
Last received heartbeat from Node 1, in Node 2 | -11.7 ms
Failure | 0
Node 2 detects fail-silent of Node 1 | 98.24 ms
Detection till cold standby application is executed | 0.08 ms
Overall time | 110.02 ms
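The cycle-based timeout of the benchmark, as an added C sketch (not the GSM code of the demonstrator): the receiving side of a GSM main function counts cycles without a heartbeat and times out after ReConfRemoteHeartBeatRxTimeout cycles, and a constructed phase offset between the two nodes' GSM tasks shows why the detection time is "depending on start-point". Cycle time and timeout are the values from the slide; the phase model is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>

#define GSM_CYCLE_MS                 10u  /* GSM cycle time (slide)          */
#define RECONF_REMOTE_HB_RX_TIMEOUT  10u  /* timeout in GSM cycles (slide)   */

typedef struct {
    uint32_t cycles_without_hb;  /* GSM cycles since a heartbeat was last seen */
    bool     remote_failed;      /* fail-silent of the remote node detected    */
} gsm_rx_t;

/* Receiver side of the GSM main function, called once per GSM cycle on Node 2.
 * hb_seen: at least one heartbeat from Node 1 arrived since the previous call. */
void gsm_rx_main(gsm_rx_t *s, bool hb_seen)
{
    if (hb_seen) {
        s->cycles_without_hb = 0u;
        return;
    }
    if (++s->cycles_without_hb >= RECONF_REMOTE_HB_RX_TIMEOUT) s->remote_failed = true;
}

/* Constructed phase model: Node 1's last heartbeat is at t = 0 and Node 2's GSM task
 * runs at t = phase_ms + k * GSM_CYCLE_MS. Returns the Node 2 time at which the
 * fail-silent is detected, i.e. the detection latency measured from the last heartbeat. */
uint32_t detect_latency_ms(uint32_t phase_ms)
{
    gsm_rx_t s = { 0u, false };
    uint32_t t = phase_ms % GSM_CYCLE_MS;  /* first GSM run after the last heartbeat */
    gsm_rx_main(&s, true);                 /* that run still sees the heartbeat      */
    while (!s.remote_failed) {
        t += GSM_CYCLE_MS;
        gsm_rx_main(&s, false);
    }
    return t;
}
```

The latency measured from the last heartbeat lies between 100 ms and 100 ms plus one GSM cycle, depending on the phase; the table's 110.02 ms overall time falls in that range.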
Thank you
Contact us!
automotive.elektrobit.com
rudolf.grave@[email protected]