Changes in software development by vehicle computers
Autonomous driving, networking and electrification are increasing the complexity of software-controlled functions. Conventional E / E architectures reach their limits here. Centralized approaches with microprocessor-based vehicle computers enable the merging of previously distributed domains.
Camera systems and other sensors are designed to monitor the vehicle surroundings seamlessly while driving. Driver assistance systems take over vehicle control from time to time. Car buyers can subsequently customize and upgrade their vehicles with apps - at the latest in such scenarios, today's E / E architectures reach their limits . The increasingly complex, increasingly cross-domain functions are difficult to implement if many dozen decentralized, highly specialized ECUs are involved, each with specific embedded software.
In addition, processing the rapidly increasing data volumes requires more computing power and broadband data transmission on board; and in the future there will also be an outsourcing of computationally intensive processes to the cloud. In addition, the networking of modern vehicles in the Internet of Things (IoT) poses new security requirements. And last but not least, the changing user behavior of the smartphone generation requires practical, secure solutions for (over-the-air) software updates.
To meet all of these requirements, the automotive industry relies on two central approaches: Vehicle computers based on microprocessors (µP) bring more computing power on board and allow the on-board network to be centralized, which also simplifies domain mergers (Figure 1). In line with this, the AUTOSAR Adaptive standard creates a set of rules for these new, networked architectures. Both will change the automotive software development fundamentally.
Figure 1. The E / E architectures in the vehicle will change rapidly to meet the new megatrends. Vehicle computers (VC) are of central importance.
Centralization with vehicle computers
Unlike conventional ECUs based on microcontrollers (µC), microprocessors, system-on-a-chip hardware architectures with multiple cores in the central processing unit and co-processors work in vehicle computers (VC). By using hardware from the IT world, VCs create a basis for executing complex computing processes on board. At the same time, they can be partitioned into encapsulated virtual machines using a hypervisor. In conjunction with the appropriate basic software, this encapsulation guarantees comprehensive freedom from interference, i.e. the software parts do not influence each other during their term. Each virtual machine can thus take over the function of a virtual control device with its own software. This makes it possible to operate software from different providers with different automotive safety integrity levels (ASIL) on the same VC software.
Comprehensive Posix operating systems such as Blackberry QNX or Linux are used for the efficient integration and smooth interaction of the software. And because the new, centralized computing units access external storage, file systems and possibly cloud services in the future, data traffic runs over broadband automotive Ethernet buses.
Such a centralized structure creates the prerequisite for overcoming the historically grown but now disruptive separation of the domains . For example, for automated driving, functions of the power train and chassis, including brakes and steering, can be merged in software packages on VCs and executed there as software-based controllers. Such a centralized decision level in the vehicle E / E architecture reduces complexity, increases flexibility - and provides the necessary basis to bring together huge amounts of data from the radar, video or lidar environment sensors in the future, to compare them and to make decisions in the sense of maximum functionality To make security plausible.
However, there will be no complete changeover to the central computer for the time being. At least temporarily, parallel structures with classic ECUs must remain on board. Because although VC generally calculate faster than ECUs, only the µC-based control units with software based on the AUTOSAR Classic standard are real-time capable in the strict sense: They execute control algorithms in clearly determined cycles, which makes them indispensable for particularly safety-relevant functions. As usual, they communicate via CAN, LIN or FlexRay buses. Hybrid on-board networks are therefore required.
Overview in hybrid electrical systems ...
The coexistence of the different hardware and communication paths in the hybrid electrical systems needs to be coordinated - and safeguarded in terms of functional safety and complete security. Developers have to keep an eye on a wide range of requirements: Many areas of the industry are converting from the established V-Model to agile software development for improved development dynamics in the software area. Advanced software must therefore be rolled out quickly and safely onto vehicles in the field. Over-the-air updates (OTA) and stationary upgrades are the means of choice and at the same time pave the way for new data services and app stores in which non-industry players can also offer their software. If this is installed on the encapsulated virtual machines with the said freedom from interference, then it can be developed, tested, verified and validated in virtualized environments.
Nevertheless, it is essential to secure any software updates by authenticating the provider and using cryptographic means. In any case, vehicle-to-x communication and networking create connections from the vehicle to the outside world, which inevitably entail increased risks. Prevention against cyberattacks and unauthorized access to on-board networks is essential. The ETAS subsidiary Escrypt offers various automotive solutions for this.
So that all these requirements do not lead to unmanageable complexity, new solutions and new methodological approaches are required. Bosch and ETAS recognized this need at an early stage and are already providing solutions with which the transition period up to the introduction of the AUTOSAR Adaptive standard can be used productively.
... is a question of the right tools
The core of the solution is the basic software framework RTA-VRTE. The abbreviation stands for Realtime Application (RTA) - Vehicle Runtime Environment (VRTE). It is a multi-layer platform on which different AUTOSAR adaptive-compliant software functions can be set up. It specifically supports the parallel structures with decentralized ECUs and central VCs. In addition, the pre-configured partitioning via hypervisor enables immediate entry into the highly virtualized development methodology of the future. In the RTA-VRTE, the virtual machines take on the function of virtual ECUs that developers can simulate on conventional desktop PCs. They are networked via Ethernet and can therefore also communicate with each other.
Addressing challenges in the Early Access Program
The ETAS RTA-VRTE is embedded in an early access program (Fig. 2). Users can now start prototyping, penetrate the hybrid wiring system architectures and integrate, test and debug software. It is also possible (yet) to integrate non-AUTOSAR adaptive software solutions, such as firewalls or gateway management solutions, which are essential for the fully secure operation of the hybrid, increasingly networked electrical systems.
Figure 2. Software components of the ETAS RTA-VRTE software framework.
Ultimately, the user receives a complete virtual box image of the vehicle computer with an AUTOSAR adaptive architecture made up of five levels (Figure 3). To implement this efficiently, the software development kit contains configuration tools for the integration of a Posix-compliant operating system. Your subsystems run on the VMs like on your own computer. The interaction is controlled on a different layer. A communication middleware ensures that problems with a software function do not have any unwanted effects on ASIL-relevant functions.
For functions with high ASIL relevance, microcontrollers will remain the means of choice in the future due to their advantages with strict real-time requirements and when monitoring communication processes. Together, Bosch, ETAS and their subsidiary Escrypt offer a complete package that guarantees seamless monitoring of the CAN buses using suitable intrusion detection systems (IDS) as well as high-performance Ethernet firewalls and hardware security modules (HSM).
Figure 3. The five layers of the platform software framework RTA-VRTE contain all mechanisms to safely and flexibly set up functions.
Outlook: Restrained complexity
The new architectures with vehicle computers are the key to functionally secure cross-domain functions. At the same time, they pave the way for a completely new, virtualized development process in which different software suppliers develop software completely independently of one another and can integrate them securely on virtual machines of the vehicle computers. Despite the high degree of heterogeneity, high security standards can be guaranteed. On the one hand, because the partitioning via hypervisor in conjunction with a sophisticated middleware firmly anchors Freedom from Interference - which also ensures that unauthorized access affects the respective partition as a maximum, but never the entire vehicle electrical system.
This new development world provides software developers with leverage tools. In the future, the need for specific embedded software for ECUs, which previously had to be developed for each vehicle generation, will shift towards the far less specific software for vehicle computers. The ETAS RTA-VRTE's Early Acess Program enables companies to familiarize themselves with the new E / E architectures and the associated changes in automotive software development.
 Andreas Lock, Detlef Zerfowski: "Functional Architecture and E / E-Architecture - A Challenge for the Automotive Industry", conference proceedings 19th International Stuttgart Symposium Automotive and Engine Technology 19th-20th March 2019, (editor: M. Bargend, H.-C. Reuss, A. Wagner, J. Wiedemann), pages 909-920, publisher Springer Vieweg.
 Detlef Zerfowski: "Verticalization versus horizontalization? The (r) evolution of automotive software is advancing. ”Conference proceedings Embedded Software Engineering Kongress 2018, Sindelfingen, 3.-7. December 2018, pages 452-460.