Next-generation vehicle central computing units aggregate and integrate multiple domains and functions, currently handled by large numbers of domain-specific, individual ECUs distributed throughout the vehicle. These high-performance vehicle central computers will be connected to the remaining embedded control units as well as the sensors and actuators via zone modules.
Modern E/E centralized architectures help to enhance overall quality, cost, performance, and security. Importantly for EVs in particular, aggregation also helps to reduce wiring weight and system complexity, as well as saving precious battery energy – all of which contribute to increased driving range. As a result, the number of computing units in a vehicle should drop from 70 or 100 today down to 20 or 30 ECUs, depending on the model and market positioning, while managing more advanced functions.
Change is coming to vehicle E/E infrastructures as more advanced features are introduced. The new requirements in the areas of electrification, personalization, connectivity, automated driving and assistance result in a growing range of functions to be performed through software. Next generation E/E centralized architectures enable vehicles to become software-defined.
Toward heterogeneous multicore/manycore
Today, vehicles with L2+ autonomous functions already have up to 100 million lines of code, more than any other vehicle on land, on water or in the air. And L5 cars are expected to embed up to 500 million lines of code!
To process this amount of software efficiently, the central computing ECUs are moving toward heterogeneous multicore (2-8 cores) and even manycore (>= 8 cores) processing hardware to keep pace with performance demands. Single-core processors can only be used for the smaller satellites (sensors and actuators) in future E/E architectures.
At the same time, new and significant safety and security challenges are coming, and OEMs must create differentiated product ranges cost-effectively and achieve acceptable time-to-market for new applications, features and models. Therefore, hardware and software scalability become essential.
In the process of aggregation, as many existing software applications as possible must be reused and integrated into larger systems with mixed criticality on the same hardware. Complete applications with their software frameworks and drivers are even being reused. Non-safety-relevant Linux or Android applications (e.g., user interface, data processing, etc.) are to be used together with safety-critical functions (e.g. AD/ADAS, etc.) that must be certified and prove safe real-time behavior.
Finally, security must be carefully considered when bringing all these software functions together. Some of the software modules are only allowed to exchange information via a secure channel in order to prevent attackers from stealing important data or influencing the system. One important aspect and challenge is the enforcement of security policies, to ensure that applications themselves are running unmodified, are only doing what they should be authorized to do, and that only applications that were approved in the first place can even start.
If there are performance losses on the communication level, the system reacts too slowly, which can only be compensated by more expensive and energy-intensive hardware. Ideally, all functions work and communicate with each other at high speed.
Such a system has a large parallel component. Amdahl's law shows how strongly this parallelism influences overall system performance: reducing the parallel fraction, even slightly, can lead to a drastic loss of performance.
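Amdahl's law worked through as an added illustration (not part of the original article): with a parallel fraction p of the workload and N cores, the ideal speedup over one core is S(N) = 1 / ((1 - p) + p/N). The values p = 0.95 and p = 0.90 are constructed for the illustration and are not figures from the article.

```latex
S(N) = \frac{1}{(1 - p) + \dfrac{p}{N}}

\begin{aligned}
p = 0.95,\; N = 8:  \quad S &= \frac{1}{0.05 + 0.95/8}   = \frac{1}{0.16875}  \approx 5.93 \\
p = 0.90,\; N = 8:  \quad S &= \frac{1}{0.10 + 0.90/8}   = \frac{1}{0.2125}   \approx 4.71 \\
p = 0.95,\; N = 16: \quad S &= \frac{1}{0.05 + 0.95/16}  = \frac{1}{0.109375} \approx 9.14 \\
p = 0.90,\; N = 16: \quad S &= \frac{1}{0.10 + 0.90/16}  = \frac{1}{0.15625}  = 6.40 \\[4pt]
\text{loss at } N = 8:  \quad 1 - \frac{4.71}{5.93} &\approx 21\% \\
\text{loss at } N = 16: \quad 1 - \frac{6.40}{9.14} &\approx 30\% \\[4pt]
\lim_{N \to \infty} S(N) = \frac{1}{1 - p}: \quad p = 0.95 &\Rightarrow 20, \qquad p = 0.90 \Rightarrow 10
\end{aligned}
```

Lowering the parallel fraction by five percentage points costs about a fifth of the throughput on 8 cores and almost a third on 16, and the gap widens with every core added, which is why an OS that serializes cores (for example through a shared kernel lock) erodes exactly the resource that manycore hardware is bought for.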
The Multikernel RTOS Solution
The software platform is a critical element in solving these diverse challenges to the overall vehicle E/E architecture. This is particularly true of the operating system architecture, which ties together all of the computing elements that are themselves changing drastically.
Scalability is imperative and software based on a service-oriented architecture (SOA) is the proven approach. A multikernel, or distributed microkernel, OS technology is well-suited to managing emerging multicore and manycore hardware architectures while at the same time supporting SOA with a high-speed, deterministic inter-kernel message passing technology.
A multikernel RTOS is inherently suited to servicing the large numbers of interlinked cores and processes, hence meeting the new needs of modern automotive E/E architectures. eSOL has developed such a multikernel RTOS, dubbed eMCOS®, to provide the required performance and scalability as vehicle architectures continue to become more advanced.
In addition to providing the scalability to handle either small or large sets of functions, this distributed microkernel OS also helps deliver fast and deterministic response for real-time control applications in domains such as powertrain. The OS can scale in multiple ways, applications can be connected between the microkernels, and users are able to customize the adaptation layer to suit their intended purpose.
A distributed microkernel OS is unlike a typical microkernel OS. The cross-core deadlocks that occur with a conventional single-microkernel RTOS are avoided here because each core runs its own independent microkernel. All the distributed microkernels together form the entire multikernel. With no need for cross-core kernel locks to prevent performance-sapping concurrent accesses, this architecture ensures parallelism is preserved.
Also, in eMCOS, a patented layered scheduling mechanism allows software to be simply assigned to either hard real-time or soft real-time functions. The latter can be moved to other cores depending on the workload of each core, maximizing overall performance while ensuring functional safety. Thus, the scheduler enables hard real-time determinism while permitting high-throughput computing combined with load balancing.
Type 1.5 real-time POSIX hypervisor
eMCOS Hypervisor®, as an extension of eMCOS POSIX, goes to the next level and allows an entire Linux or other OS to run as a guest environment. This "type 1.5" real-time hypervisor is directly connected to the underlying eMCOS POSIX RTOS. This allows developers to control in a fine-grained manner how they want to reuse or extend open-source software: in a deprivileged guest environment, directly on the real-time POSIX environment, or both.
eMCOS Hypervisor enables both an RTOS and a general-purpose OS to run concurrently on a single hardware platform, with full time and space isolation inside a mixed-criticality system. It also supports the open-standard virtio interface for sharing physical or virtual resources, which among other things allows Linux application code to be reused.
Cybersecurity in embedded systems is always about analyzing the attack surface and isolating the weakest link. While this weakest link is often open-source software, the most critical security issues commonly revolve around device drivers, which are either part of the attack surface itself or part of what an attacker is looking to exploit. Therefore, on eMCOS POSIX it is advisable to run drivers in the context of user applications, which can themselves be sufficiently isolated; this brings general isolation capabilities to the entire platform, following the microkernel model.
This course of action allows open-source, commercial and project-specific software and drivers to cooperate in a well-organized, efficient manner while maintaining an acceptable level of security. Performance remains high, since eMCOS uses a multikernel approach for ideal parallelism and Freedom From Interference (FFI).
Furthermore, eMCOS POSIX and eMCOS Hypervisor have the necessary frameworks in place and rely on proven cryptographic and authentication approaches to verify applications at the application level and to perform the initial authorization and corruption detection.
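The policy enforcement described above (only approved applications may start, they must be unmodified, and they may only do what they were authorized to do, with drivers confined as ordinary user-space tasks) is shown here as an added example in C. It is not eSOL or eMCOS code and does not use any eMCOS API; the capability names, application names and image contents are constructed for the example, and the FNV-1a digest is a placeholder for the signed cryptographic digest a real launcher would verify.

```c
/* Added example, not eSOL/eMCOS code: launch-time integrity check plus
 * run-time capability check of the kind the text describes.
 * All names (CAP_*, app names, image contents) are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capabilities an application may hold; every IPC endpoint or device access
 * requires the matching bit. Names are invented for this example. */
enum cap {
    CAP_EP_POWERTRAIN = 1u << 0,   /* may send to the powertrain service */
    CAP_EP_INFOTAIN   = 1u << 1,   /* may send to the infotainment service */
    CAP_DEV_CAN0      = 1u << 2,   /* may access the CAN0 controller */
};

struct app_manifest {
    const char *name;
    uint64_t    approved_digest;   /* digest of the approved image */
    uint32_t    caps;              /* least-privilege capability set */
};

struct running_app {
    const char *name;
    uint32_t    caps;              /* granted at launch, never widened later */
};

/* FNV-1a 64-bit. NOT a cryptographic hash: it stands in for a signed SHA-256
 * digest so that the example runs without a crypto library. */
static uint64_t fnv1a64(const uint8_t *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Constructed stand-ins for application binaries. */
static const uint8_t IMG_CAN_DRIVER[] = "can-driver-v1";
static const uint8_t IMG_HMI[]        = "hmi-bridge-v3";

#define MAX_APPS 4
static struct app_manifest manifests[MAX_APPS];
static size_t n_manifests;

/* Record an approved image. In a real system this table would be loaded from
 * a signed manifest verified at boot; here it is built from the images above. */
static bool approve_image(const char *name, const uint8_t *img, size_t len, uint32_t caps)
{
    if (n_manifests >= MAX_APPS)
        return false;
    manifests[n_manifests++] = (struct app_manifest){ name, fnv1a64(img, len), caps };
    return true;
}

/* Reset and populate the approved-application table (constructed policy):
 * the CAN driver is a user-space task that gets only its device and the
 * powertrain endpoint; the HMI bridge gets only the infotainment endpoint. */
bool setup_policy(void)
{
    n_manifests = 0;
    return approve_image("can_driver", IMG_CAN_DRIVER, sizeof IMG_CAN_DRIVER - 1,
                         CAP_DEV_CAN0 | CAP_EP_POWERTRAIN)
        && approve_image("hmi", IMG_HMI, sizeof IMG_HMI - 1, CAP_EP_INFOTAIN);
}

static const struct app_manifest *find_manifest(const char *name)
{
    for (size_t i = 0; i < n_manifests; i++)
        if (strcmp(manifests[i].name, name) == 0)
            return &manifests[i];
    return NULL;
}

/* Launch-time enforcement: only approved, unmodified images may start, and a
 * started app receives exactly the capabilities listed in its manifest. */
bool launch_app(const char *name, const uint8_t *img, size_t len, struct running_app *out)
{
    const struct app_manifest *m = find_manifest(name);
    if (m == NULL)
        return false;                                  /* never approved */
    if (fnv1a64(img, len) != m->approved_digest)
        return false;                                  /* image was modified */
    out->name = m->name;
    out->caps = m->caps;
    return true;
}

/* Run-time enforcement, applied on every IPC send or device access. */
bool authorize(const struct running_app *app, uint32_t required)
{
    return (app->caps & required) == required;
}

int main(void)
{
    struct running_app drv;
    setup_policy();
    if (!launch_app("can_driver", IMG_CAN_DRIVER, sizeof IMG_CAN_DRIVER - 1, &drv))
        return 1;
    /* A compromised driver can still use its own device, but a send to the
     * infotainment endpoint is refused by policy, not by luck. */
    printf("CAN access: %s\n", authorize(&drv, CAP_DEV_CAN0) ? "allowed" : "denied");
    printf("infotainment send: %s\n", authorize(&drv, CAP_EP_INFOTAIN) ? "allowed" : "denied");
    return 0;
}
```

The two checks are deliberately separate: the digest comparison answers "is this the image we approved?" once, at launch, while the capability mask answers "may this task do this?" on every request, so that a driver that is later exploited still cannot reach endpoints outside its manifest. Swapping the placeholder digest for a signed SHA-256 (or any digest the platform's authentication framework verifies) changes nothing else in the flow.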
Now, there is always a balance between the effort needed to reach an acceptable level of security, an acceptable level of Functional Safety (FuSa), acceptable performance, and acceptable development time. eSOL's experts can assist customers in weighing all these aspects and help them focus on the differentiating aspects of their products.
Modern Vehicle E/E Use Case Example
The eMCOS software platform offers two different profiles for the new automotive E/E architectures. The choice between the two eMCOS profiles (POSIX and POSIX-Hypervisor) allows Linux or Android software as well as ROS 2 middleware assets to be reused and to work in parallel on the same heterogeneous multicore hardware platform.