Design patterns for highly integrated ECUs with multiple ASIL levels

Today, automakers have to keep introducing innovative new functions. At the same time, to save cost, weight and energy, the number of controllers in the vehicle must not grow too much. The result is a large number of highly integrated, multi-function controllers built on AUTOSAR. Designing an efficient, reliable, highly integrated multi-function controller requires an optimized architecture concept that covers the functional, software and controller architecture. The system architect has to choose the right concept for the design and, where necessary, optimize and revise the system architecture, as early as possible in the development process.

The distinctive feature of the controller design presented in this article is that applications of different criticality levels run on a single controller. This is especially relevant for chassis controllers, which implement safety-related functions at many different ASIL levels. Figure 1 shows the integration of software with different safety requirements. Such a mixed-criticality system must meet two basic timing requirements:

● Under all circumstances there must be enough computing capacity to run the functions: the CPU must not be overloaded, and every function must meet its own timing requirements.

● The execution of safety-related functions must not be interfered with by functions of a lower ASIL level.


Conflicting priority assignment methods

Scheduling priority is an important factor in software integration. Established priority assignment concepts include Rate Monotonic Scheduling (RMS) and Criticality Aware Priority Assignment (CAPA). RMS assigns priority by period: the shorter the period, the higher the priority. CAPA assigns priority by safety level: the higher the ASIL, the higher the priority. Neither method on its own gives a satisfactory schedule. With RMS priorities all tasks can meet their deadlines, but freedom from interference cannot be guaranteed, because a low-ASIL task with a short period is placed above a high-ASIL task with a longer period. With CAPA priorities, low-ASIL tasks cannot affect high-ASIL tasks, but CPU utilization is low and a large share of the processing resource is wasted.

The AUTOSAR timing protection mechanism enlarges the design space

Timing protection is a system service of the AUTOSAR OS that monitors the execution time of one or more tasks on the running controller. If the actual execution time of a task exceeds its configured maximum execution time, the OS detects the error and handles it accordingly. Although this does not eliminate criticality inversion entirely, the likelihood of it causing a problem is effectively controlled. Timing protection allows the system to meet the relevant safety requirements of ISO 26262, in particular freedom from error propagation. In general, the timing protection mechanism has to be designed according to the highest ASIL level among the integrated applications. To configure timing protection correctly, especially the maximum execution time budgets, the worst case of the task schedule has to be analysed and predicted (worst-case response time and worst-case execution time, WCRT and WCET). As shown in Figure 2, combining timing protection with period transformation (dividing a long-period task into several sub-tasks with short execution times that together still complete within the original task period) meets all safety and real-time requirements under both design concepts: no low-ASIL task interferes with a high-ASIL task, and every task completes within its period.
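The execution-time monitoring described above, as an added simulation that is not code from the article, Audi, Symtavision or the AUTOSAR OS: a constructed two-task set in which a QM task holds RMS priority above an ASIL D task (a criticality inversion) and overruns its configured budget. Task names, periods, budgets and the 1 ms tick are assumed values.

```python
# Constructed two-task set: the QM task has RMS priority (shorter period) above the ASIL D task,
# i.e. a criticality inversion. Its execution-time budget is 2 ms, but a faulty build runs 4 ms.
TASKS = [
    dict(name="body_qm", period=5, prio=2, asil="QM", budget=2, actual=4),
    dict(name="brake_d", period=10, prio=1, asil="D", budget=4, actual=4),
]

def simulate(tasks, horizon, timing_protection):
    """Fixed-priority preemptive schedule in 1 ms ticks; deadline == period.
    With timing_protection a job that has consumed its whole budget and still needs CPU time is
    terminated and the event recorded (execution-time monitoring as in the AUTOSAR OS).
    Returns (deadline_misses, budget_violations), each a list of (task name, release time)."""
    jobs, misses, violations = [], [], []
    for t in range(horizon):
        for task in tasks:                       # periodic releases
            if t % task["period"] == 0:
                jobs.append(dict(task=task, release=t, remaining=task["actual"], consumed=0))
        for job in list(jobs):                   # a job still pending at its deadline has missed it
            if t >= job["release"] + job["task"]["period"]:
                misses.append((job["task"]["name"], job["release"]))
                jobs.remove(job)
        if not jobs:
            continue                             # idle tick
        job = max(jobs, key=lambda j: j["task"]["prio"])
        job["remaining"] -= 1
        job["consumed"] += 1
        if timing_protection and job["consumed"] >= job["task"]["budget"] and job["remaining"] > 0:
            violations.append((job["task"]["name"], job["release"]))
            jobs.remove(job)                     # the OS protection hook would terminate the task here
        elif job["remaining"] == 0:
            jobs.remove(job)
    return misses, violations

if __name__ == "__main__":
    print("without timing protection:", simulate(TASKS, 20, False))
    print("with timing protection:   ", simulate(TASKS, 20, True))
```

Without protection the overrunning QM task starves the ASIL D task, which misses its first deadline; with protection every QM job is cut off at its budget and the ASIL D task completes within its period.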


Application of the new design pattern

We integrated the design concepts described above into the actual design flow, shown in Figure 3. First, an initial set of scheduling parameters is derived with the RMS method. Next, the schedule is checked for criticality inversions. As described above, if timing protection is used in the software architecture, the inversions can be kept under control. If timing protection is not used, the CAPA method must be applied to prioritize the software with safety requirements. A final safety check then confirms that the priority assignment and the timing protection configuration contain no errors. The next step is to check whether all schedulable entities meet their timing requirements. If they do, the parameters of the timing protection mechanism can be fixed. If they do not, corrective measures must be taken, for example adjusting the software architecture by period transformation. In addition, to optimize the software architecture and the schedule as early as possible in the design process, the execution times of tasks and runnables are needed alongside the usual configuration data such as task name, period and ASIL.
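The design flow above, together with the RMS/CAPA comparison and period transformation from the earlier sections, as an added analysis script that is not part of the article: it assigns RMS and CAPA priorities to a constructed task set, runs response-time analysis (WCRT) to check deadlines, lists criticality inversions, and applies period transformation so that RMS priorities no longer place a QM task above an ASIL D task. Task names and values are assumed, and splitting a task into equal slices is one possible way to carry out the transformation.

```python
from math import ceil

# Constructed task set (ms): (name, period == deadline, WCET, ASIL rank with QM=0 ... D=4)
TASKS = [
    ("body_qm", 5, 1, 0),    # QM comfort function with the shortest period
    ("steer_d", 10, 2, 4),   # ASIL D
    ("brake_d", 20, 8, 4),   # ASIL D with the longest period
]

def rms_priorities(tasks):
    """RMS: shorter period first (ties broken by higher ASIL). Index 0 is the highest priority."""
    return sorted(tasks, key=lambda t: (t[1], -t[3]))

def capa_priorities(tasks):
    """CAPA: higher ASIL first (ties broken by shorter period)."""
    return sorted(tasks, key=lambda t: (-t[3], t[1]))

def wcrt(order):
    """Response-time analysis for fixed-priority preemptive scheduling:
    R_i = C_i + sum over higher-priority j of ceil(R_i / T_j) * C_j, iterated to a fixed point.
    Returns {name: WCRT}; None means the task cannot complete within its period."""
    result = {}
    for i, (name, period, wcet, _) in enumerate(order):
        r = wcet
        while True:
            nxt = wcet + sum(ceil(r / p) * c for _, p, c, _ in order[:i])
            if nxt > period:          # deadline miss, stop iterating
                result[name] = None
                break
            if nxt == r:              # fixed point reached
                result[name] = r
                break
            r = nxt
    return result

def criticality_inversions(order):
    """(low-ASIL task, high-ASIL task) pairs where the low-ASIL task has the higher priority."""
    return [(lo[0], hi[0]) for i, lo in enumerate(order)
            for hi in order[i + 1:] if lo[3] < hi[3]]

def period_transform(tasks):
    """Split each task into k equal slices so that no lower-ASIL task has a shorter period;
    with RMS this removes the inversion without changing the task's utilization."""
    out = []
    for name, period, wcet, asil in tasks:
        shorter = [p for _, p, _, a in tasks if a < asil and p < period]
        k = ceil(period / min(shorter)) if shorter else 1
        out.append((name, period // k, wcet / k, asil))   # slice period and slice WCET
    return out
```

On this task set RMS meets every deadline but puts the QM task above both ASIL D tasks, CAPA removes the inversions but makes the QM task miss its 5 ms deadline, and RMS after period transformation does both: no inversions and all responses within their periods.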


Conclusion

Audi and Symtavision applied the design pattern described above in a joint project, and the resulting architecture variants were confirmed in the practical application of highly integrated controllers. This demonstrates the value of the design pattern. In summary, timing and safety are two important perspectives that have to be considered early in system architecture design.

Source: "Design patterns for highly integrated ECUs with various ASIL levels", ATZ elektronik magazine.
