Tackling mixed-criticality for automotive

Claudio Scordino & Enkhtuvshin Janchivnyambuu

The rising number of ECUs in a car (already in the order of one hundred in luxury vehicles), together with the recent availability of powerful and inexpensive multi-core SoCs, has triggered the interest of automotive OEMs in centralizing computing resources. The number of processing units in embedded chips is expected to keep growing, as is the number of functionalities requiring computation in modern autonomous vehicles. The automotive market has therefore identified a business opportunity: reducing recurrent costs by consolidating different functionalities onto the same ECU. The AMPERE project has now achieved another milestone in addressing this challenge.

The ERIKA RTOS has been successfully ported to the PikeOS hypervisor. This is a further step towards integrating embedded systems in a cost-saving and functionally safe manner, and it serves a clear interest of the automotive industry: executing non-critical tasks (e.g. infotainment, navigation, logging, human-machine interfaces) alongside safety-critical tasks (e.g. engine or brake control) on the same hardware. The platform must also be capable of executing the HPC workloads required by forthcoming assisted and autonomous driving functionalities.

In such a multi-domain (in particular, mixed-criticality) environment, safety requirements impose that a less critical domain must be prevented from accessing the memory and devices of, or otherwise interfering with, more critical domains: this is multi-domain isolation. It is usually obtained by leveraging the virtualization support of modern CPUs, using a hypervisor to partition and isolate the hardware resources. This, in turn, has reignited the interest of the industry in hypervisor technologies which, originally conceived for running multiple OS instances on the same server, are now becoming a key technology for building multi-domain infrastructures in safety-relevant markets.

Thanks to the collaboration between two key partners, SYSGO and Evidence, the AMPERE project represents an excellent ground for investigating these multi-domain software architectures on novel multi-core platforms. In particular, SYSGO and Evidence have collaborated on porting Evidence's ERIKA Enterprise RTOS [1] on top of SYSGO's PikeOS hypervisor [2]. PikeOS is a modular and highly flexible kernel-based hypervisor certified in several application domains. ERIKA Enterprise, in turn, is an RTOS designed for the automotive domain, compliant with the AUTOSAR Classic specifications [3], and it has recently obtained the highest level of safety qualification (ISO 26262 ASIL D).

As shown in the following figure, the envisioned software architecture consists of a general-purpose OS (Linux) and a safety-critical RTOS (ERIKA Enterprise) concurrently executing on top of the PikeOS hypervisor on a Xilinx ZCU102 embedded platform [4]. The real-time performance of the Linux OS will be improved by applying the PREEMPT_RT patch set [5] and by improvements to the SCHED_DEADLINE CPU scheduler [6]. Communication between the two domains will be based on the ROS 2 framework, with the micro-ROS project [7] providing the ROS 2 client library on the RTOS side. Since this channel crosses the isolation boundary, it is the one path through which the non-critical domain can reach the critical one: the RTOS side should validate every incoming message as untrusted input, and the hypervisor should grant that channel only the communication objects it actually needs.
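As an added example, not code from the AMPERE project or from the paper cited as [6], the following C program shows what a SCHED_DEADLINE reservation for a Linux real-time thread looks like: the (runtime, deadline, period) triple, the admission constraint runtime <= deadline <= period that the kernel enforces, and the raw sched_setattr syscall (glibc has no wrapper). The struct layout follows the sched_setattr(2) manual page; the 2 ms / 10 ms budget is a constructed value, and the call needs CAP_SYS_NICE (or root) to succeed.

```c
/* Added example: creating a SCHED_DEADLINE reservation for a Linux
 * real-time thread. Illustrative code, not from the AMPERE project.
 * Assumptions: Linux >= 3.14 with the sched_setattr syscall; the
 * reservation values in main() are made up for the demonstration. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef SCHED_DEADLINE
#define SCHED_DEADLINE 6            /* value from <linux/sched.h> */
#endif

/* Layout documented in sched_setattr(2); glibc offers no wrapper, so the
 * struct is declared here instead of coming from a library header. */
struct dl_attr {
    uint32_t size;
    uint32_t sched_policy;
    uint64_t sched_flags;
    int32_t  sched_nice;
    uint32_t sched_priority;
    uint64_t sched_runtime;   /* CPU budget granted per period (ns) */
    uint64_t sched_deadline;  /* relative deadline (ns) */
    uint64_t sched_period;    /* activation period (ns) */
};

/* Fill a SCHED_DEADLINE attribute. The kernel admission test requires
 * runtime <= deadline <= period; reject anything else up front so a bad
 * configuration fails here rather than inside the syscall. */
int dl_attr_init(struct dl_attr *a, uint64_t runtime_ns,
                 uint64_t deadline_ns, uint64_t period_ns)
{
    if (runtime_ns == 0 || runtime_ns > deadline_ns || deadline_ns > period_ns)
        return -EINVAL;
    memset(a, 0, sizeof(*a));
    a->size = sizeof(*a);
    a->sched_policy = SCHED_DEADLINE;
    a->sched_runtime = runtime_ns;
    a->sched_deadline = deadline_ns;
    a->sched_period = period_ns;
    return 0;
}

/* CPU bandwidth the reservation claims, in parts per million, so that a
 * set of reservations can be summed before they are handed to the kernel. */
uint64_t dl_attr_bandwidth_ppm(const struct dl_attr *a)
{
    return a->sched_runtime * 1000000ULL / a->sched_period;
}

/* Apply the reservation to the calling thread. Returns 0 or -errno.
 * Typical failures: -EPERM (needs CAP_SYS_NICE), -EBUSY (admission
 * control: total deadline bandwidth would exceed the allowed share),
 * -EINVAL (bad parameters). */
int dl_attr_apply(const struct dl_attr *a)
{
#if defined(__linux__) && defined(SYS_sched_setattr)
    if (syscall(SYS_sched_setattr, 0, a, 0) != 0)
        return -errno;
    return 0;
#else
    (void)a;
    return -ENOSYS;
#endif
}

int main(void)
{
    struct dl_attr a;
    /* Constructed values: 2 ms of CPU every 10 ms, deadline equal to period. */
    if (dl_attr_init(&a, 2000000, 10000000, 10000000) != 0)
        return 1;
    printf("requesting %llu ppm of one CPU\n",
           (unsigned long long)dl_attr_bandwidth_ppm(&a));
    int rc = dl_attr_apply(&a);
    if (rc != 0)
        printf("sched_setattr failed: %s\n", strerror(-rc));
    else
        puts("running under SCHED_DEADLINE");
    return 0;
}
```

The point of the reservation model for a mixed-criticality Linux guest is that a thread's CPU share is admitted and enforced by the kernel: a SCHED_DEADLINE task that overruns its budget is throttled until its next period instead of starving the other real-time work on that core.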

[Figure: Multi-domain software architecture]

Although the typical configuration of a hypervisor guarantees isolation by partitioning the most sensitive resources (e.g. CPU cores and SDRAM regions), some hardware resources are inherently shared between different cores and hence between different domains. A typical example is a significant portion of the memory hierarchy (e.g. the last-level cache, the memory bus, the DRAM controller). A non-critical domain that thrashes the shared cache or saturates the bus can slow down a more critical domain without ever accessing its memory: this is temporal interference, which spatial partitioning alone does not prevent. The AMPERE project will therefore investigate modern techniques for ensuring freedom from interference on shared hardware resources, a key aspect when designing a multi-domain system on multi-core hardware.
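As an added example (not code from the AMPERE project, PikeOS or ERIKA), the following C program shows the arithmetic behind page coloring, one established technique for partitioning a shared, physically indexed last-level cache between hypervisor domains. The geometry is an assumption: a 1 MiB, 16-way L2 with 64-byte lines (the Cortex-A53 cluster of the ZCU102 is taken as the reference) and 4 KiB translation granules; the guest-physical window and the color split between the RTOS and Linux domains are constructed.

```c
/* Added example: page coloring as one way to partition a shared,
 * physically indexed last-level cache between hypervisor domains.
 * Illustrative code, not from the AMPERE project, PikeOS or ERIKA.
 * Assumed geometry: 1 MiB, 16-way L2, 64-byte lines, 4 KiB pages.
 * Address ranges and the color split in main() are made up. */
#include <stdint.h>
#include <stdio.h>

struct cache_geom {
    uint64_t size_bytes;   /* total capacity */
    unsigned ways;         /* associativity */
    unsigned line_bytes;   /* line size */
    unsigned page_bytes;   /* translation granule used by the hypervisor */
};

/* Number of sets: capacity / (ways * line size). */
static uint64_t num_sets(const struct cache_geom *g)
{
    return g->size_bytes / ((uint64_t)g->ways * g->line_bytes);
}

/* Set selected by a physical address: line index modulo the set count.
 * For the assumed geometry that is address bits [15:6]. */
uint64_t llc_set_index(const struct cache_geom *g, uint64_t paddr)
{
    return (paddr / g->line_bytes) % num_sets(g);
}

/* A "color" is the part of the set index that lies above the page offset,
 * i.e. the part the hypervisor controls when it chooses which physical
 * frame backs a guest page. Number of colors = size of one way / page size
 * (64 KiB / 4 KiB = 16 here). If one way fits inside a page there is a
 * single color and coloring gives no partitioning at all. */
unsigned llc_num_colors(const struct cache_geom *g)
{
    uint64_t bytes_per_way = g->size_bytes / g->ways;
    return bytes_per_way > g->page_bytes
               ? (unsigned)(bytes_per_way / g->page_bytes) : 1;
}

unsigned page_color(const struct cache_geom *g, uint64_t paddr)
{
    return (unsigned)((paddr / g->page_bytes) % llc_num_colors(g));
}

/* Two domains cannot evict each other's lines iff their color sets are
 * disjoint (and every frame given to a domain has one of its colors). */
int color_masks_disjoint(uint32_t mask_a, uint32_t mask_b)
{
    return (mask_a & mask_b) == 0;
}

/* First frame at or after `start` (and below `end`) whose color is in
 * `mask`, so a domain's memory can be built from its own colors only.
 * Returns 0 when no such frame exists in the range. */
uint64_t next_frame_with_color(const struct cache_geom *g, uint64_t start,
                               uint64_t end, uint32_t mask)
{
    for (uint64_t p = start; p < end; p += g->page_bytes)
        if (mask & (1u << page_color(g, p)))
            return p;
    return 0;
}

int main(void)
{
    const struct cache_geom a53 = { 1u << 20, 16, 64, 4096 };
    /* Constructed split: colors 0-3 to the safety-critical RTOS domain,
     * colors 4-15 to the Linux domain. */
    const uint32_t rtos_mask  = 0x000Fu;
    const uint32_t linux_mask = 0xFFF0u;

    printf("%u colors over %llu sets, masks disjoint: %d\n",
           llc_num_colors(&a53), (unsigned long long)num_sets(&a53),
           color_masks_disjoint(rtos_mask, linux_mask));

    /* Walk a made-up 64 KiB guest-physical window (one full way) and show
     * which domain each frame may be handed to. */
    for (uint64_t p = 0x40000000; p < 0x40010000; p += a53.page_bytes)
        printf("frame 0x%llx -> color %2u -> %s\n", (unsigned long long)p,
               page_color(&a53, p),
               (rtos_mask & (1u << page_color(&a53, p))) ? "RTOS" : "Linux");
    return 0;
}
```

Two caveats a practitioner should keep in mind. Coloring only works when the hypervisor maps guest memory at a granule smaller than one cache way: with 2 MiB block mappings every color bit falls inside the page offset and the partition collapses to a single color. And it addresses only the cache; contention on the memory bus and DRAM controller needs a separate mechanism, such as per-core memory-bandwidth regulation.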



[1] Evidence Srl, ERIKA Enterprise, https://www.erika-enterprise.com/   

[2] SYSGO, PikeOS, https://www.sysgo.com/pikeos

[3] AUTOSAR Classic Platform, https://www.autosar.org/standards/classic-platform/

[4] Xilinx Zynq UltraScale+ MPSoC ZCU102, https://www.xilinx.com/products/boards-and-kits/ek-u1-zcu102-g.html

[5] The Linux Foundation, Real-Time Linux project, https://wiki.linuxfoundation.org/realtime/

[6] A. Stevanato, T. Cucinotta, L. Abeni, D. B. de Oliveira. "An Evaluation of Adaptive Partitioning of Real-Time Workloads on Linux," (to appear) in Proceedings of the 24th IEEE International Symposium on Real-Time Distributed Computing (IEEE ISORC 2021), June 1-3, 2021, Daegu, South Korea. http://retis.sssup.it/~tommaso/papers/isorc21.php

[7] Micro-ROS, https://micro.ros.org/