© Siemens AG 2014. All rights reserved
TUM, Jan 2014
RACE
Dr. Ludger Fiege, Siemens AG
ECAR
Seite 1 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Three independent development
paths leading to the Smart eCar
Smart eCar
autonomous driving
© Photo: Nissan
New ergonomic concepts
through mechatronic integr.
ADAS horizontally
integrated with strategy
level
ADAS* vertically
integrated
Function development
Zero Accidents with
intervening decision
E-Motor
Brake
Damping
Steering
Electro mechanical integration
*Advanced Driver Assistant Systems
RACE platform development
Robust and reliable Automotive Computing Environment
for future eCars
Seite 3 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Agenda
■ Motivation
■ RACE setup
■ System Overview
■ RACE Runtime Environment
Seite 4 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Project RACE Robust and reliant Automotive Computing Environment for future eCars
■ Funded by BMWi
■ Project time: January 2012 – December 2014
http://www.projekt-race.de
■ Project based on study „Mehr Software (im) Wagen“
http://www.fortiss.org/ikt2030
gefördert durch:
Seite 5 Jan 2014 projekt-race.de L. Fiege, Siemens AG
To discover the full potential of electric vehicles
a new E/E architecture is mandatory
Symbolic pictures
Energy
Mgmt. Sys.
Transmission
ABS
Acc.
Pedal
Brake
Pedal
ImmobilizerImmobilizer
Radio
Combi
HVACHVAC
ESPESP Suspension
Steering
Wheel
Power
SteeringSuspension
Steering
Wheel
Power
Steering
WU WU
WU WU
Brake
WU WU
WU WU
Brake
DisplayDisplay
Access Doors/RoofAccess Doors/Roof
Hybrid
Controller
DC / DC
Hybrid
Controller
DC / DC
Tire guardTire guard
ACCACC
Lane KeepingLane Keeping
AutoParkAutoPark
NavigationNavigation
MP3 / Phone
iPad
MP3 / Phone
iPad
Passive safety
Get rid of position oriented partitioning
Well defined information flow
Hierarchical decision making
Information Presentation
(ergonomy)
Information Presentation
(ergonomy)
Lane Detection
sensor
Distance
sensorUS sensors
E-horizon
data base
Situation Recognition
(sensor fusion)
Lane Detection
sensor
Distance
sensorUS sensors
E-horizon
data base
Situation Recognition
(sensor fusion)
Strategy Generation
Pedal
Pedal
Steering
Wheel
Driver´s Decisions
Pedal
Pedal
Steering
Wheel
Driver´s Decisions
Cinematic Execution Level
BMS with cells
DC / DC
AC / DC Inverter
with E-Motor
(1-,2- or 4-times)
Brake
Actuator
Power Steering
Actuator
Suspension
Actuator
Gear Box
Smart actuators
Smart sensors
Less controller
Likely less copper
Less different connector
Seite 6 Jan 2014 projekt-race.de L. Fiege, Siemens AG
RACE Platform Idea
Main Project objectives:
• Aim 1: Reduction of complexity of ICT-Architecture by
homogeneous and open basis platform
• Aim 2: Support if new complex functional vehicle features
• Aim 3: Plug & Play capability of ICT-Architecture
• Aim 4: Ability to certify the ICT-Architecture
• Aim 5: Show an migration path to the new architecture
Main Principles: • Centralized ICT-Architecture
• Central-Platform-Computer, mixed critical features
• Data-centric approach: All data about Sensors and
Actuators is accessible everywhere
• Communication
• Switched Ethernet
• Publish/Subscribe communication pattern
• Fail-Operational vehicle features
HM
I
Seite 7 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Agenda
■ Motivation
■ RACE setup
■ System Overview
■ RACE Runtime Environment
■ Safety Aspects
■ Outlook
Seite 8 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Ethernet-based redundant communication
as data backbone
En
terta
inm
en
t
Gateway
Sensor /
Actuator
connector
Sensor /
Actuator
connector
Sensor /
Actuator
connector
Electric
braking
Electric
steering
Energy
source
Drivetrain
Sensor /
Actuator
connector
Vehicle
Control
Computer 2
Vehicle
Control
Computer 1
Seite 9 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Realization of the Multipath Network
Parallel redundant bus:
Shared medium on each bus
Two physically independent busses
- High cabling effort
- „Slightly of specification“ failures possible
Switched Ethernet alternative 1:
redundant star architecture (AFDX)
- High cabling effort
+ Physically independent disjoint paths
Switched Ethernet alternative 2:
ring topology (industry automation)
+ Disjoint paths
+ Low cabling effort
- Physical independence of paths is lost additional effort
Seite 10 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Ringtopologie
Vorteile:
■ unabhängige Pfade
(Ringrichtungen links und rechts)
■ keine gemeinsamen Geräte
■ unabhängige Punkt zu Punkt
Verbindungen (Switched Ethernet)
■ Trennung auf logischer Ebene
■ Mixed Criticality möglich
■ vermeidet doppelte Verkabelung
■ ermöglicht Vermaschung
Nachteile
■ Ringschluss
■ Energieversorgung muss explizit
berücksichtigt werden
■ „Babbling Idiot“ Szenario komplizierter
■ Exotische Ethernetvariante
■ Jeweils ein kurzer und ein langer Weg
A
B
Seite 11 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Fail-tolerant architecture: N-Duplex
core idea:
– pair of compute nodes monitor each other
– sensors and actuators don‘t need system know-how
& are independent of scalability of platform core
N-Duplex Platform:
– duplex unit
guarantee integrity
– duo duplex
fail-operational availability
– N-duplex
scalability w.r.t. availability, mission time, performance
Sender
Compute node
CPU
lane a
CPU
lane b
voting voting
Eth-Sw Eth-Sw
Receiver
Compute node
lane b voting voting
CPU
lane a
CPU
lane b
Eth-Sw Eth-Sw
Compute node:
CPU, RAM plus communication-HW
Seite 12 Jan 2014 projekt-race.de L. Fiege, Siemens AG
DCC 2
lane b voting voting
CPU
lane a
CPU
lane b
Consistent Communication in the Platform
coding a / coding b
cwd/acwd direction
DCC 1
CPU
lane a
CPU
lane b
Ethernet
Switch
DCC 3
lane b voting voting
CPU
lane a
CPU
lane b
monitoring monitoring
…
Sn
ap
sho
t!
Ethernet
Switch
Ethernet
Switch
Seite 13 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Agenda
■ Motivation
■ RACE setup
■ System Overview
■ RACE Runtime Environment
■ Safety Aspects
■ Outlook
Seite 14 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Basic information flow
Data capture
Data
Fusion Arbitration
Function
Output
Function Function
Function
processing
Sensor raw data Vehicle Data Model Actuator Data
Analyze Act Perceive Analyze Act
de
taili
ng
Imp
lem
enta
tion
co
nce
pt
Seite 16 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Simplex application development
CPU
lane a
CPU
lane b
Eth-Sw Eth-Sw
App App
applications
• developed for single channel deployment
• without dealing with redundancy
OS / MW function
• compare IO
• detect failures,
• identify fault containment region unanimously
in distributed system
platform failures
• detected (masked) in platform
• offers “correct” RTE
duplex control computer
Seite 17 Jan 2014 projekt-race.de L. Fiege, Siemens AG
RTE: Data flow
physical sensing. +
processing Actuator control App
DCC Sensor Actuator
RACE Ethernet
Signal
data flow
RTE
data flow
IO
Management
Data
Monitoring
Fusion
IO
Management
Data
Demux
Arbitrierung
IO
Management IO
Management
Data
Monitoring
Seite 18 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Data-oriented communication
physical sensing. +
processing Actuator control App
DCC Sensor Actuator
RACE Ethernet
IO
Management
Data
Monitoring
Fusion
IO
Management
Data
Demux
Arbitrierung
IO
Management
Data
Monitoring DB Testserver
Security
Check / Audit
Signal
data flow
RTE
data flow
Seite 19 Jan 2014 projekt-race.de L. Fiege, Siemens AG
cyclic execution
10ms cyclic read / write
10ms cyclic execution
local control loop local control loop
long-running, event-triggered
not considered here
Seite 20 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Partitioning in RACE
Hardware
PikeOS (Separation Kernel)
RTE
Adaptor RTE
Adaptor
RTE
Adaptor
RTE DB
Applications … Applications
I/O Mgmt.
Bootloader PSP
PSSW CAN Ethernet File I/O …
Partition Services
(Muxa,
Montitoring, …)
Error handling
separate applications from each other and RTE
Seite 21 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Time Partitioning
using PikeOS scheduling (ARINC 653 + priority based)
RTE
Adaptor RTE
Adaptor
RTE
Adaptor
RTE DB
… A5
I/O Mgmt.
RTE Scheduler
PAF
Local Scheduler
A1 A3
A2
Time Partition1 TP N TP2 TP4 TP3 TP3
best effort background tasks
long running background tasks are always active
high priority fault handling tasks
Seite 22 Jan 2014 projekt-race.de L. Fiege, Siemens AG
inter partition communication (RTE – App)
RTE
Adaptor
RTE
DB
Anwendungen
I/O Mgmt.
Partition Services
(Muxa,
Montitoring, …)
Error handlng
shared mem
separated shared mem segment for each partition facilitates:
access control, auditability
Seite 23 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Agenda
■ Motivation
■ RACE setup
■ System Overview
■ RACE Runtime Environment
■ Safety Aspects
■ Outlook
Seite 24 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Application of the ISO within RACE
hazard & risk (H&R) assessment
ASIL ≥ A
Acc. To TÜV SGS -
documents
measures to avoid systematic faults measures to manage systematic and
probabilitsic faults
safety-management and supporting
processes
technical measures
(functionality, system, subsystem, hw,
sw)
no
yes
development acc.
to standard-
process
Severity
Probability
additional risk-reduction measures have to be applied
Seite 25 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Application of the ISO within RACE
hazard & risk (H&R) assessment
ASIL ≥ A
Acc. To TÜV SGS -
documents
measures to avoid systematic faults measures to manage systematic and
probabilistic faults
safety-management and supporting
processes
technical measures
(functionality, system, subsystem, hw,
sw)
n
o
ye
s
development acc.
to standard-
process
Severity
Probability
additional risk-reduction measures have to be applied Adressed in RACE
Seite 26 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Failure ooC Scenario E C S ASIL Safe state Fault-tolerance
time (loss / invalid)
Uncontrolled
command-output
(incl. no output)
Highway E4 C3 S3 D None 50ms / 10ms
Secondary
road
D None 50ms / 10ms
Country
road
D None 50ms / 10ms
Assumed requirements
on central platform:
Req.: Execute any driver
assistance functionality up
to automated driving
Example
Relation to SEooC (ISO 26262-10, Figure 17)
Assumed requirements
Assumptions on design external
to SEooC
SEooC requirements
SEooC design
New ICT as safety-element out of context (SEooC)
RunTime Environment to manage
execution of vehicle functions
Central Platform Computer
communication network
Seite 27 Jan 2014 projekt-race.de L. Fiege, Siemens AG
Agenda
■ Motivation
■ RACE setup
■ System Overview
■ RACE Runtime Environment
■ Safety Aspects
■ Outlook
Seite 28 Jan 2014 projekt-race.de L. Fiege, Siemens AG
The vision of the future ICT system platform
The future ICT system platform facilitates fully automated driving and dynamic
extensibility in field.
The concept is based on an enlarged modularisation *) concept that leads to less end-
to-end interface complexity.
AutoSAR
Generic safety
up to
fail-operational
Plug & Play + +
= future ICT system platform
RACE project
Vehicle
Control-
computers +
*) to further reduce the dependancy from automotive functions to HW, topology, communication links but
also to SW-functionality ensuring non-functional qualities.
Seite 29 Jan 2014 projekt-race.de L. Fiege, Siemens AG
the road ahead
not mentioned, but part of the project
■ network protocols and Ethernet AVB Gen2 prototype
■ ECU board design and low-level drivers
■ test framework
■ automotive functions …
R&D topics not addressed currently
■ sensor fusion (how to boil data down)
■ scale IO and processing bandwith
■ car2X
■ BYOD
■ …
Join and make it happen!