MENU

Safer vehicles through aircraft technology

Safer vehicles through aircraft technology

Technology News |
By eeNews Europe



The large number of electronic control devices found in vehicles already has a significant impact on the total weight of cars, and thus on their fuel consumption. Electronic hardware also adds considerable cost, so that using even more hardware in vehicles would therefore be irresponsible, both ecologically and economically. Carmakers and automotive suppliers have only one option: to integrate several functions onto one control device. The safest and most efficient solution is the combination of microkernel and virtualization technology.

In this technology, a microkernel forms the basis of the software architecture, providing the basic functions to allow the integration of additional operating systems. It generates different logical software partitions on the processor. Operating systems with very different requirements can be integrated onto each of these partitions, because the partitions run independently of one another. Even if the software in one partition crashes, the entire system continues to run unhindered. This type of system design prevents the operating systems from influencing one another, and thus simultaneously enhances protection from malicious attacks.

Virtualization technology means that the operating systems installed in the partitions no longer use the physical hardware; they use "virtual" hardware instead. This allows even highly complex operating systems to run in a partition.

Partitioning already in use in aircraft

Partitioning through the use of microkernels has already been in use in aircraft technology for over ten years. This technology is used as part of integrated modular avionics (IMA) architecture (illustration 1). Several years ago engineers were able to reduce the number of control devices required in aircraft even as the number of software systems needed continued to rise. Airbus, for example, uses the microkernel PikeOS from SYSGO AG for its long-haul Airbus A350 aircraft, as well as for its military cargo plane Airbus A400M. PikeOS is certified in accordance with the DO-178B safety standard.

The fact that microkernel technology reached maturity long ago in avionics gives rise to the question as to why this secure technology is not already firmly established in the automotive industry. The most likely answer is that interest in microkernel solutions has grown only recently because the large number of electronic control devices is only now becoming a challenge in cars, unlike in airplanes. In addition, new technologies must also now meet the safety requirements for software in cars, as well as formal standards like ISO 26262.

OpenSynergy started pursuing this idea of using microkernel technology to integrate software into cars in 2007, and has turned it into a marketable product. To do that, the company integrated the microkernel PikeOS into COQOS, its standards-based software platform (illustration 2). Thanks to this microkernel, COQOS offers independent partitions on which software systems with different timing requirements and safety levels can run without interfering with one another. That means that Linux-based infotainment software can run on one partition while automotive systems run on another. COQOS also features an AUTOSAR interface for the integration of automotive software, so that AUTOSAR-compatible programs can be integrated easily [2].

The microkernel in COQOS is certified in accordance with the DO-178B safety standard. But as it is uncommon to apply avionics components to automotive electronics, the extent to which avionics software meets the requirements of automotive standards had never been examined. This question is especially important because the ISO 26262 has been published.

 

Research project VirtuOS

From this context emerged VirtuOS, a research project in Berlin. In this project, the Technical University of Berlin, the Fraunhofer Institute FIRST, and OpenSynergy found that avionics safety standards (e.g. DO-178B) are fundamentally comparable to the safety standards for the development of automotive software (e.g. ISO 26262). This comparability is what allows avionics software to be applied, and provides assurance that a certified avionics component can be used in the automotive industry. The final report of the project will be published in April 2012. Its key message:

The DO-178B standard for the certification of software systems in aircraft describes the targets for processes, results, and interaction with the certification authority necessary to develop flawless software for use in aircraft. The ISO 26262 norm also details standards for developing safety-critical systems for vehicles to ensure functional safety.

Both DO-178B and ISO 26262 assume that functional safety can be ensured by taking appropriate error prevention steps. As a first step, similarities and differences can be examined in the following areas:

  • Processes and lifecycles: What is the projected lifecycle, and what processes will be accomplished during this lifecycle? What requirements must these processes meet?
  • Work results: As part of these processes, work results, i.e. documents and the final software product, are generated. In general, these form the basis for confirmation measures and product release in accordance with the standards. To what extent are the work results contents required the same or similar?
  • Confirmation measures in ISO 26262: Who conducts the confirmation measures, and to what extent does the standard require autonomy of the inspecting authority? What types of confirmation measures are designated?

The results of the comparison lead to the conclusion that the development processes for aircraft technology and the automotive industry are fundamentally identical.

Avionics provides benefits for automotive software

Despite a few differences, for example that ISO 26262 demands measures for field operation, and that there are no certification authorities for ISO 26262, it is still possible to represent the assumed software lifecycle and most of the work results so that previous certification in accordance with avionics standards is beneficial for automotive software development in accordance with ISO 26262.

So there is no fundamental obstacle to the comparability of safety standards. On the contrary: studies conducted in the context of VirtuOS show that nearly all artifacts from DO-178B can be re-used for development in accordance with ISO 26262.

Establishing the comparability of safety standards opens the door for components from one of the industries to be used in the other. The findings from this research project show that two worlds that seemed so far apart can actually converge. The VirtuOS research restults can thus lead to greater synergy between the aviation and automotive industries.

One example of that is COQOS, the standards-based software platform already mentioned. With it, OpenSynergy has made the microkernel technology used in avionics available for use in the automotive industry.

OpenSynergy’s approach of integrating a microkernel from aircraft technology into an automotive software platform is completely new. COQOS is thus both an example and a trailblazer for the transfer of avionics components into software systems for cars. This re-usability saves carmakers considerable development costs, improves functional safety, and makes safe vehicle technology available at a reasonable price.

The left part of image 3 shows the typical system design that can be generated by using COQOS. It shows clearly that several very different functions can be integrated through one µOS. The µOS is based on a microkernel. That insures the safe separation of the various functions.

The right side of the image shows that the architectures for IMA-based systems are based on the same principle.  

Assumed System Design

The illustration shows the typical system design when COQOS is used on the left-hand side. The general approach is to integrate different functions over a µOS – with a separation microkernel as its core – which ensures safe separation between the different functions.

This is the same approach as for IMA based systems; a system architecture overview compatible with IMA is depicted in the right-hand side of the illustration.

Literature and links

[1] Lötzke, M.: Experiences from Recent Avionics Projects. Talk given at the first symposium of the VirtuOS project partners on 15 June 2011. Berlin.

[2] www.autosar.org

[3] Gerlach, M.; Weißleder, S.; Hilbrich, R.: Can Cars Fly: From Avionics to Automotive: comparability of domain-specific standards. Embedded World 2011.

About the authors

Matthias Gerlach, DEng

Matthias Gerlach, DEng, is a software engineer at OpenSynergy and the head of the VirtuOS project. Before joining OpenSynergy he worked on a number of projects focusing on security from attacks in vehicle-to-vehicle communication. He also wrote his doctoral dissertation at the Technical University of Berlin on this topic. As part of this work he was also involved in the standardization of ITS in the context of ETSI and car-2-car communication consortium.

Stefaan Sonck Thiebaut, DEng

Stefaan Sonck Thiebaut, DEng, is the general manager of OpenSynergy, where he is responsible for overall product development and the technical direction of the company. As one of the co-founders of OpenSynergy, he received his doctorate degree from Stanford University in the USA, and has over 20 years of experience in software development.

 

This article has been published in the magazine "Elektronik automotive”, March 2012

If you enjoyed this article, you will like the following ones: don't miss them by subscribing to :    eeNews on Google News

Share:

Linked Articles
10s