Siemens Ebook Automotive Changes v5

D I G I TA L E B O O K
A N E E WO R L D R E S O U R C E
The changing automotive

industry landscape
This eBook describes the challenges that go into the WHAT‘S INSIDE
development of electrical and electronic (E/E)
architectures of today’s highly connected consumer 02 The changing automotive landscape
and off-road vehicles and how to simplify the design 09 Facing significant network architecture and
process. To support the next generation of automotive design challenges
products, manufacturers need modern solutions Deploying safe and secure automotive-grade
19
involving advanced electrical, network and software embedded software with V&V
engineering to help keep up with the complexity and
and more >>
shortening product development timelines.
SPONSORED BY
The changing automotive
industry landscape
Collaborating across functional domains shorter timelines for product development. Topology
with an increase of E/E architecture, Otherwise, they run the risk of falling behind in Modern vehicles are rarely developed from a
networks and software the push for advanced and attractive vehicles. clean sheet. Even new market entrants that lack
legacy architectures to re-use, often purchase
As the automotive industry evolves, the
electronic control units (ECUs) for less strategic
pressure to develop more advanced E/E Assisting engineers with interdependent locations in the architecture. Most programs will
architectures for today’s sophisticated, highly requirements and technologies carry forward at least some of the elements or
connected, on and off-road vehicles is growing.
Growing E/E content philosophy of earlier architectures (figure 1).
Connected vehicle features are seeing increased
A key challenge in modern automotive The move from architectures with a central
adoption in all categories and segments, while
gateway toward those with functional domains
powerful smart features are becoming available architectural design is the decomposition of E/E
connected by a backbone network to a world of
through the integration of underlying requirements from a high-level multi-domain
centralized compute with zonal outstations,
functions. These advanced capabilities rely on vehicle model. Multi-domain modelling at the top
comes in stages. The topology often comes with
electrical wiring and electronic components to level will cover mechanical, E/E, software, thermal
a baseline set of assumptions, which leaves
function, driving an increase in the number and and other domains that make up the final vehicle.
engineers to manage the optimization details
sophistication of these components. At the Engineers can extract E/E aspects from this model (figure 2). Examples could include:
same time, automotive network design and to drive the construction of an E/E architecture
software development is becoming more and further processes downstream. Multi-bus gateway Functional domain Zonal architecture with
challenging. Network designers and software Throughout this process, the various architecture controller architecture centralized compute
engineers must synthesize dozens of new engineers concerned with definition,

considerations to support the next generation
design and delivery of modern E/E
of automotive products, including vehicle
architectures must balance many
electrification, electronic complexity,
interdependent requirements.
government regulations, new business models
and automated driving. These requirements include:
Furthermore, cost and time pressures on • Topology
Functional domain
automotive original equipment manufacturers Gateway controller
(OEMs) and systems integrators are • Functional safety (FuSa) ECU

Centralized generic
compute LIN CAN FD
CAN Automotive ethernet/HDBase T
Sensor/actuator MOST A 2B
unrelenting. In fact, the pressure on OEMs and • Cyber security
Zonal controller
LVDS Automotive SerDes/GMSL
integrators to have the right products at the

• Power modes Figure 1. An illustration of the main types of E/E architectural
right time has only increased. These companies philosophies. Multi-bus gateway architectures are giving way to
need modern solutions to keep up with the • Processor, network and gateway loadings domain controller architectures and, eventually, zonal architec-tures
combined pressures of vehicle complexity and with centralized computing
• Component and software re-use
2 SPONSORED BY
The changing automotive industry landscape CO N T I N U E D
• Moving an ECU secondary network Functional Safety FuSa can be achieved in several ways. For
connection between domain-focused FuSa requirements create multiple instance, functions in modern vehicles are
networks and a private link between a sub- considerations during E/E architecture usually enabled by various components from
set of ECUs definition. Specific considerations will vary by multiple domains. Some of these must be
function, but most of the industry has adopted allocated to hardware or software platforms
• Upgrading an ECU to support a higher
the International Organization for that are developed to a specific level of integrity
baud rate network on one or more
Standardization (ISO) 26262 as the standard for to ensure the safety of the function. Another
connections
FuSa (figure 3). ISO 26262 has two overarching method is to add redundant parts to the
• Moving to a new domain to support functional categories. Quality management system. Instead of trying to enhance one sensor
advanced or additional functions (QM) functions do not need to consider FuSa system to support an ASIL D function, it is
requirements and only need to be developed to easier to use two sensors of a lower integrity
normal quality standards. Other functions are level since they can still support an ASIL D
assigned an automotive safety integrity level function (figure 4). However, two sensors may
(ASIL), from A to D. ASIL functions are those
that have some potential to undermine the Figure 4: The
combination of two
ASIL B(D) sensors
Figure 2: Topology
can support ASIL D
optimization may
functions.
include moving
networks connec-
tions, upgrading only allow for fail-safe functionality, which only
E/E Architecture topology decisions ECUs and more. requires that the system remains safe in the
event of a failure.
The transition from a central gateway to a Figure 3: Example
functional domain-oriented architecture is architecture that To achieve the next level of FuSa, called fail-
incorporates ECU operational and which requires systems to
typically easy at a topology and connectivity constraints when
level. Most ECUs are still connected to a remain functional despite a failure, a third
allocating functions.
Domain controller architecture sensor, two higher-integrity sensors, another
functional sub-network in either scenario.
However, to receive the benefits of a domain- redundant system or model-based calculation
Sensor/Actuator
oriented architecture, functions need to be that fuses data from other sources may be
ECU necessary. An additional FuSa consideration
hosted in the domain controllers. This reduces
the need to constantly add more processing may be a redundant power supply for critical
Functional Domain Controller
resources to most of the ECUs. Additional components. Dual batteries, dual power circuits
Optional fitment and independent fusing all need to be
benefits are received when this enables
consolidation of ECUs. Rather than adding more considered.
FuSa capable
ECUs, domain controllers are usually an For higher levels of integrity, technological
upgrade or new generation of one of the higher redundancy becomes more important. This
power ECUs in each domain. The result is fewer FuSa of a vehicle in the event of an unmitigated
entails the use of multiple technological
individual ECUs are needed over time with such failure. ASIL A is the most minor level and ASIL
approaches to achieve the same function. A
consolidation. D is the most significant.
3 SPONSORED BY
prominent example is the array of sensor types In a common use case, data gathered from
used to enable ADAS and self-driving features sensors with redundancy, either from a duplicate
in modern vehicles. Most use a combination of or backup sensor, can be processed on an ECU of
radar, camera, LIDAR, sonar and other sensor a lower integrity level than needed by the whole
types, with multiple versions and devices of system if the redundant sensor and data
each type installed on the vehicle (figure 5). processing are separated. The system can
Each of these sensor types has different achieve its required safety integrity through the
strengths and weaknesses, such as range, combination of sub-systems and elements which
may not all individually delivery the full system
goals.
The result is the architect can allocate input,
processing, decision and action functions to
appropriate ECUs based on their attributes and
redundancies in the system. These FuSa
CYBERSECURITY
requirements constrain the architect’s options
for functional allocation. Yet, there are further
considerations. Want to learn more about multi-layered
Long-range radar Design tools need to include attributes for every approaches to connected vehicle security
LIDAR function, signal, ECU and all other element and how to protect vehicle entry points as
Camera types, with extensible properties to support well as in-vehicle networks? This white
Short-/medium-range radar
architectural studies. The properties list can be paper covers several security strategies
Ultrasound
expanded per the needs of the OEM and used for
including embedded firewalls,
Figure 5: Overlaying redundant sensors enables ADAS trade studies using instant metrics and rules to
and self-driving systems to achieve higher levels of ensure designs meet the defined goals and authentication, secure communications,
functional safety integrity. encryption and digital certificates.
standards.
Cyber security White Paper: Modern automotive
weather tolerance, object detection and more. FuSa and cyber security share some surface cybersecurity through secure
The complete system can build up a dependable similarities: both concern the correct
and accurate understanding of its surroundings communication, strong authentication
functionality of vehicle systems. But while FuSa
by fusing data from each sensor type. and flexible firewall
is mostly concerned with the reliability of
From these considerations, some rules and systems and the consequences of failures, cyber
guidelines for E/E architects can be derived that security must account for malicious attacks CLICK HERE TO VIEW
cover both the development of the base against vehicle systems. As a result, cyber THE WHITE PAPER
architecture and the allocation of functions to security has distinct requirements aimed at
that architecture (including how functions are defending against such attacks.
partitioned). One guideline could be to Modern vehicles have multiple potential
decompose FuSa requirements where possible. vulnerabilities, known as attack surfaces.
4 SPONSORED BY
Table 1: A summary of typical basic power modes. Table 2: An expanded summary typical for vehicles with electrified powertrains.1
Integrated Wi-Fi, cellular, Bluetooth®, on-board differentiate the types of signals and their demanding of processing resources, so
diagnostics (OBD), universal serial bus (USB) physical manifestations, are vitally useful hardware-based security measures are gaining
and other connection points all provide throughout the concept stages to verify popularity. Data classified as cyber security
potential routes to the vehicle communication designs. related can also be designed with specific
systems. Even network bus circuits have been protections to add extra layers to the cyber
Cyber security is achieved with a layered
accessed as entry points, usually for theft security system.
approach. Some mechanisms are repeated at
purposes. These attack surfaces can be
key points in the architecture and different Like FuSa, software tools that use attributes and
considered in architecting of the anti-theft
mixtures of mechanisms are applied at each properties enable designs to include security
systems. Some systems can be made physically
level in the system. The placement of functions and requirements. Design rule checks
inaccessible to malfeasants, while others may
firewalls, or connections of interfaces on ECUs (DRC) enable engineers to check the design
use extra software authentication checks to
that feature firewalls, need to be considered against defined rules and diagram styling
prevent unauthorized access. However, it is
with respect to the various entry routes that enables easy visual understanding and auditing
strongly desirable to have both. The choices
an attack can use to gain access to the of those details.
made on cyber security and anti-theft systems
vehicle. ECUs hosting specific functions may
cascade requirements out to the 3D electrical Power modes
also be required to contain integrated
system design via the logical systems Modern road vehicles often have multiple power
hardware security modules (HSM). It is
containing security functions. modes, some visible to the user, others relatively
possible to emulate an HSM in software by
hidden. These reflect the functions active in the
Design solutions that can link the 3D and careful selection of the integrated circuit (IC)
vehicle and govern what is powered and/or
electrical worlds with rich data and can at the heart of the ECU. This emulation is very
1. Table 2 shows a simple example. In practice, there is more to resolve, such as:
•S
oftware updates that require selective update of target networks and ECUs.
•S
oftware updates of charging ECUs require interlock and handover logic.
•*
Regional differences in the nature of interactions between charging and powertrain activation.
•*
*Some regions require blocking of powertrain activation while on charge. Others call for charging to be suspended in the event of powertrain activation.
Also, further refinement is needed for inductive charging where no disconnect is needed.
5 SPONSORED BY
awake. A vehicle with a traditional key will In modern vehicles, functions need to be partial awake mode. When the vehicle is
usually have four positions on the ignition hosted on ECUs that are powered up when the powered off or asleep, waking a domain or
switch, translating to four to six power modes, function is needed. As a result, the functions network at a time will be enough to perform the
from off, locked, to cranking (table 1). hosted on an ECU can influence when the ECU update. In other cases, such as vehicles that are
needs to be powered. This second point is not plugged in to charge, downloading the
Many OEMs use terms such as KL15 (also known
increasingly important: if a function is needed software in the background when the vehicle has
as Contact 15) and KL30 associated with tables 1
during charging of an electric vehicle, the ECU signal is a more cautious approach. At the start
and 2, at the right and below. Derived from the
that hosts the charging-related function will or end of a drive-cycle, the vehicle can request
German Institute for Standardization (DIN)
need to remain reliable over a life up to 10 user permission to perform the update. The
72552, some OEMs use many more power
times longer than an ECU only used when the architect needs to consider these low-power
modes while others have their own specific
vehicle is in motion. mode states and which module will host
terminology. Some use several state tables that
downloaded updates prior to deployment.
merge. For example, a basic power mode with a This extends further when service and
second state machine to handle the activation diagnostic functions are considered, such as Processor, network and gateway loads
and deactivation of the powertrain. This software updates to the vehicle. Software over Another important architectural consideration is
arrangement is increasingly likely in an electric the air (SOTA) updates will be increasingly the relative loadings on each ECU processor,
vehicle, as the above basic table does not include common, rather than the service center update network or network branch and the gateways
electric powertrain-specific power modes, such that has become practically universal in recent between networks. As functions are allocated to
as a charging mode. years. Over the air updates require another specific ECUs, their associated signals will place
additional load on the networks connected to the
ECU. If direct connections do not exist between
the signals’ respective sources and destinations,
then a gateway is needed to make the
connection. Each new gateway increases the
gateway load and the frequency signals must be
sent to deliver a given timing. Further, in a
functionally oriented domain architecture, it is
likely that the routing of status and mode
information signals may need to travel across the
network back-bone, potentially resulting in two
gateways. Cross-linking between networks is
increasingly undesirable as it makes functions
critical to cyber-security much harder to defend
as more routes around the architecture become
available for malicious actors to traverse.
Consequently, the E/E architect benefits from an
understanding of each of the functions planned
for the architecture when optimizing the
networks and domains that each ECU is
connected to.
Table 3: Examples of typical ECU processing types per functional domain.
6 SPONSORED BY
As mentioned earlier, a design tool that enables injection on direct injection petrol and
trade studies of multiple allocations and can diesel engines, to the control of active
predict the consequences of each allocation can suspension components, anti-roll (anti-
save substantial time and support the delivery sway) bars, dampers and more.
of correct architectures the first time. When
Typical body functions, such as lowering
considering functional allocations to ECUs, it is
a window, can respond in milliseconds
important to consider the specific type of
and provide a satisfactory user
processing in each ECU. The main processing
experience (UX). However, certain
ECUs in each domain have differing
functions can introduce an ASIL and
characteristics (table 3).
hard real-time requirement to these
When functions are added to an architecture body functions. For example, an anti-
during an update, they need to be split and trap function on an automatic window
assigned appropriately to ECUs suitable for close feature, uses a closed-loop control
running each type of function. with sensor feedback to stop and
reverse the motion of the automatic Figure 6.
Image processing has very different needs for
window in the event of a detected
decision making and control outputs. Image
blockage, such as an arm or finger. With the
and radar processing are soft real-time
anti-trap function, the feature operation of the other inputs or outputs. Conversely, carry-over
processes, where the series of images are
windows is considered to include safety related and purchased ECUs bring in constraints that
processed into objects, cars, cyclists, road signs,
functions. Therefore, consideration must be define how parts of the architecture can work.
road markings, etc. Trajectories will also be
given to the appropriate hosting of the
processed where relevant. Soft real-time ECUs normally have a fixed count of I/O once in
automatic or one-touch window feature in
processes have a deadline by which time the production. In development, they are
parts of the architecture with sufficient
data must be processed to enable accurate constrained by the selected silicon, available
integrity and timing capability. In general, body
control decisions. The actual processing time space on the PCB and by the desired
functions are highly distributed, using sensors
has variation, thus high-power compute results connectors. During development there may
and actuators placed around the cabin to build
in a more consistent delivery. Control and also be scope to convert certain pins from
up sophisticated comfort and convenience
output decisions, on the other hand, are often inputs to outputs, analog to digital or to data
features (figure 6).
hard real-time processes, requiring much less buses. Opportunities for these conversions
processing power. Input/output (I/O) connectivity – ECU/sensor/ must be frozen at some stage. After this,
actuator connections can only be made to the I/O the
Hard real-time processes are extremely time-
New custom ECUs are sometimes, cost ECU already has. It is often possible to process a
sensitive and must be executed in a small-time
permitting, able to be specified exactly as sensor value in the ECU the sensor is connected
window in a regular processing period. This
needed. More commonly, new ECUs are derived to and monitor for hardware faults and other
kind of process may be scheduled at a high
from a platform design, limiting the capabilities errors. The decision function(s) utilizing the
frequency, but could also be triggered by an
of the ECU and both the type and total number sensor data may be elsewhere on the vehicle
engine crank angle, motor rotor position, etc.
of connections to the vehicle networks and due to other requirements.
Examples range from the control of fuel
7 SPONSORED BY
Re-use Conclusion
It is not practical to develop every vehicle from
The challenges facing OEMs developing E/E
a clean sheet. Re-usability of vehicle features,
systems are numerous, varied and only
functions and systems, which was once
increasing in complexity. These challenges
desirable, is now essential. E/E architecture
are particularly acute at the stage where E/E
optimization and effective systems design are
architectures are being defined and
critical to maximizing re-usability, reducing the
evaluated. There are many considerations
number of vehicle variants and improving
that E/E system architects must include
companies’ ability to deliver the right vehicle
when developing, updating and optimizing
on time.
vehicle architectures. These can typically be
When a new or updated vehicle line is being characterized as attributes or properties of
developed, there are typically constraints the function, ECU, signal, port and so on.
established around the re-use of vehicle Therefore, it becomes necessary to use
content. Some of these constraints are firm,
while others need to be evaluated in
advanced tools such as Capital™ Systems
Architect to plan and check the architecture
AUTOSAR
consideration of the relative costs associated. against a set of rules and guidelines defined
Traditionally, ECUs sourced from tier 1 suppliers by the engineers. Capital is part of the
Why is AUTOSAR the leading solution for
have limited scope to add functions unless the Xcelerator portfolio, the comprehensive and
supplier is contracted to develop such integrated portfolio of software and services automotive software platforms? How can
functions. OEMs are taking more responsibility from Siemens Digital Industries Software. development teams benefit from a
in developing some ECUs, software models and Furthermore, with extensible rules, it is comprehensive AUTOSAR solution? Watch
sometimes full software. Today, this can even desirable to automate assignments and this webinar to find out, and also be
extend to the hardware for strategic modules allocations, according to the rules defined.
introduced to an overview of the features
and, in selected cases, as far as designing the Insight metrics enable trade-studies
and characteristics of VSTAR support
silicon. between topological changes, functional
allocations, signal assignments and more, including functional safety, cybersecurity,
When the architect considers where functions
supporting early optimizations of the E/E and advanced E/E architectures.
can be allocated, the type of ECU, installed
architecture before detailed design work
software and its source are a consideration. It is Webinar: Evolution of AUTOSAR
begins. Taking advantage of innovative tools
also important to consider if there are plans for in automotive
enables engineers to verify architectural
the ECU to have upgrades or enhancements
decisions early. This is increasingly critical as
over its lifetime, to hardware and/or software
automotive competition becomes more CLICK HERE TO VIEW
functions. Ideally, these considerations are
intense and E/E architectures become more THE WEBINAR
accounted for when the OEM is deciding which
important in delivering products that
ECUs are strategically important. This will help
delight consumers.
provide the scope for functional allocations
over the life of the ECU and architecture.
8 SPONSORED BY
Facing significant network
architecture and design challenges
Technological context that reside near the sensors and actuators, OEM. It is worth noting that the speed of this
while others aim to keep them in simple transition is variable across organizations,
The E/E architectures used in the automotive regions and vehicle market sectors. Well-funded
gateways. Furthermore, moving away from
industry today are highly complex, with many OEMs known for selling premium passenger
functional domains cascades high integrity
vehicle features delivered by functionality cars are usually seen as the first movers, but
requirements into more ECUs across the
distributed across multiple discrete ECUs. there are also regional variations and new
architecture.
Commonly, the ECUs, sensors and actuators are entrants that do not conform to the traditional
not all directly connected and much of the data The forces driving OEMs towards centralized or timelines of automotive companies and some
communication takes place across networks, zonal architectures are broader than only advanced vehicles in more specialist market
with gateways over several networks. Modern reducing the ECU count in vehicles. These segments.
E/E architectures have become more formally architectures can streamline the functionality
organized around functional domains, scalability, with processing and memory Usually, these design challenges can be
increasingly with domain computers or headroom only needing to be provisioned in considered by the network designer in relative
controllers acting as a centralized compute and the central compute unit. Centralized or zonal independence. But, each design decision has an
absorbing much of the higher-level functions architectures can also help reduce harness mass impact on the full system. This impact should
for that domain. and lower bill-of-material (BoM) costs to the be considered at the time of design, allowing
The next trend is the increasing use of service-

Multi-bus gateway Functional domain Zonal architecture with
oriented architectures (SOA), enabled by
architecture controller architecture centralized compute
Ethernet networking. This enables principals
from the information technology (IT) domain to
be re-used in automotive applications. The
main evolution with such an architecture is the
move from thinking about discrete signals to
services, which often provide multiple related
signals. Functions now provide and subscribe to
services according to their functional needs.
Moving towards an SOA is happening in parallel
with changes to the physical architecture.
Computing power is increasingly centralized, Functional domain
Figure 7. Centralized versus zonal architectures.
with domain ECUs being re-organized into a Gateway controller
Centralized generic
zonal layout. Some OEMs and integrators opt ECU
compute LIN CAN FD
CAN Automotive ethernet/HDBase T
for high computing power in the zonal ECUs Sensor/actuator
Zonal controller MOST A 2B
LVDS Automotive SerDes/GMSL
9 SPONSORED BY
Facing significant network architecture
and design challenges CONTINUED
system testing later in the process to confirm Besides the media functions that may be hosted With the cluster example, it is common for
correct behavior rather than uncover issues that in the infotainment portion of this system, displayed data coming from a specific control
require design iterations. there are many other pieces of critical ECU or sensor to potentially need some
information to convey to the driver, ranging smoothing or processing in the cluster.
The instrument cluster, central display(s) and
from vehicle speed and faults, through to Meanwhile, data from a domain controller or
heads-up display (HUD) are increasingly part of
driving modes, ice warnings, navigation mode function, such as a chassis mode for off-
one integrated system, an extension of the
directions, estimated range, etc. Some OEMs road or sport driving, may need to be more
driver information and infotainment systems.
refer to the cluster as a combination meter, as it heavily processed to resolve a status or adjust
However, there is often more information in the
reflects the history of bringing together what the context or highlighting of information to be
instrument cluster with FuSa considerations.
was once multiple instrumentation gauges, ready for presentation.
Therefore, several partitions are still required
warning lights and trip computer elements into
on the compute platforms that host these
one system. Modern domain consolidation is in
functions. These partitions may be separate Network load, gateway load
line with these historical examples, which
processors or separate cores. These systems
illustrates the pattern of functional growth In the days of controller area network (CAN) to
may have discrete LEDs, switches and other
after each consolidation. Every time functions CAN gateways, the network designer had a
peripherals connected to fully meet their
are consolidated, new functions are added in choice between gatewaying whole frames of
requirements. However, traditional automotive
new components or ECUs - from trip signals or each signal individually, re-packed
vehicle control switchgear is often connected to
computers, clocks, temperature gauges to ice into a new frame. This provided a simple trade-
a body controller or gateway.
warnings.
Gateway Gateway Figure 9. An example subset of signal flows.
Figure 8. An example
subset of ECUs in a
vehicle architecture.
Central Central
Propulsion Chassis Cluster Propulsion Chassis Cluster
display display
Rear seat Rear seat

Door Inverter Dampers Door Inverter Dampers
display display
Example signals
Motor power
Seat DCDC Anti-roll Amplifier Seat DCDC Anti-roll Amplifier
Battery charge
Chassis mode
Battery Air springs Battery Air springs
10 SPONSORED BY
off between more processing at the gateway or time triggered networks with a schedule.
less-efficient use of network bandwidth. That Although, FlexRay’s dynamic segments give
compromise is still made today — AUTOSAR some flexibility for event-driven data and
provided protocol data units (PDUs) as a design variations in payload size. CAN uses an
element to support gatewaying between arbitration mechanism based on the frame ID.
different network technologies. This This means that in most designed networks
streamlines the gatewaying of PDUs, while there are frame ID ranges reserved for different
preserving the option of reading out individual types of payloads. This includes both functional
signals and repacking them in a new PDU. and network management needed to run most
networks and occasional data such as service
This basic compromise is much more and diagnostics. Higher priority is often
complicated in detail. The designer may need to
consider how the gateway will trigger sending
assigned to data that would affect vehicle
functions with variable jitter.
AUTOSAR AND
the gatewayed data it is forwarding, which
influences the overall latency across the The use of a model-based design tool permits a HYPERVISOR
system. In practice, this is often constrained by left-shift of network validation by
re-using existing ECUs or frame and PDU understanding the behavior of the network and
designs that support an integration with a the consequences of design decisions in worst
Download this paper to understand an
supplier across multiple vehicle programs. case scenarios. Capital Networks software has
efficient way to reduce the cost of adding a
inbuilt models allowing the worst-case
However, some OEMs prefer using an existing consequences of design decisions to be dedicated micro-controller to each
library of pre-designed network messages with predicted, confirming the validity of the design. platform. This paper describes types of
pre-defined frame packing to support ECU re- Rules for frame IDs, consistency of frame hypervisor available and their
use without changes. The use of a standardized packing and the correct configuration of characteristics, as well as a practical
protocol, such as the Society of Automotive gateways can all be checked and confirmed to
Engineers (SAE) J1939 for heavy-duty and off- example involving AUTOSAR. Learn how a
be correct-by-design. Further generative
highway vehicles, provides the ability to hypervisor can be used as a reliable
automation accelerates laborious task
connect vehicles and equipment of different completion, saving time and reducing manual solution for consolidating both
brands together reliably. Both approaches errors. infotainment and AUTOSAR applications on
reduce the scope for optimization by the the same ECU!
designer, but do not reduce the need to
consider the performance and behavior of the Ethernet and switches White Paper: Using Hypervisor for IVI
design. There is an increasing need to consider more and AUTOSAR Consolidation on an ECU
Networks designers follow design defined by network technologies across the architecture.
the respective OEM that consider many Ethernet first appeared in the infotainment
system or diagnostics over intellectual property CLICK HERE TO VIEW
technical details of the system. For example,
the prioritization or scheduling of each network (IP) (DoIP) systems. Now, it is frequently THE WHITE PAPER
technology must be considered. The Local expanding across domains, forming a backbone
Interconnect Network (LIN) and FlexRay are between the functional domain controllers. At
11 SPONSORED BY
Table 4. A quick reference guide to common automotive network technologies.
Network Max baud Max frame AUTOSAR Priority/

this point, Ethernet design, including switch Segregation Topology
rate payload support timing
configuration, may expand from a topic specific Physical
LIN 20 kbps 8 Bytes Y Schedule Linear
to the network traffic of a single domain to network
include more general vehicle data (for example, CAN 1 Mbps 8 Bytes Y Priority
Physical
Linear/Star
network
data passing between traditional networks and
Physical
Ethernet, benefitting from full system CAN-FD 8 Mbps 64 Bytes Y Priority
network
Linear/Star
considerations). In Physical
CAN-XL 10 Mbps 2048 Bytes Priority Linear/Star
development network
Initially, using Ethernet adds another set of
Physical Linear/Star/
network behaviors to consider and a more FlexRay 10 Mbps 254 Bytes Y Schedule
network Hybrid
complex set of standards and protocols. Physical
MOST25 25 Mbps 64 Bytes N Schedule Ring
However, these are more scalable than network
specialized automotive networks, with the 10Base-T1S 10 Mbps 1500 kB Y AVB/TSN VLAN Linear
same communication software used regardless 100Base-T1 100 Mbps 1500 kB Y AVB/TSN VLAN
Switched
flexible
of Ethernet physical layer type. This makes
Switched
updates easier over time. As Ethernet networks 1000Base-T1 1 Gbps 1500 kB Y AVB/TSN VLAN
flexible
can interoperate at multiple baud rates, it can
be used across a large section of the vehicle, Table 5. Audio Visual Bridging (AVB) was originally Table 6. Time Sensitive Networking (TSN) was developed from
reducing the technological complexity. Media created for audio/visual media streams. AVB as an expansion to include necessary elements to support
high integrity use cases of automotive.
Oriented Systems Transport (MOST) is already
AVB IEEE standard
fading from use and was never incorporated IEEE
Time Sync gPTP 802.1AS-2011
into AUTOSAR. FlexRay and high-baud-rate CAN TSN
Stream standard(s)
have an ever-reducing set of use-cases for Reservation reservation 802.1Qat Redundant Time
which they are the ideal solution. Only time will protocol gPTP 802.1AS-2020
Sync
show if 10Base-T1S or CAN-XL can fully take Credit based
Quality of service 802.1Qav Stream reservation
over for networks where a 10 megabits per shaper Reservation 802.1Qcc
enhancement
second (Mbps) network is utilized. Transport protocol AVTP 1722
Path control and
Transport protocol RTP over AVB 1733 Reservation 802.1Qca
Ethernet networks introduce additional reservation
configuration options for the network designer. Quality of service Time aware shaper 802.1Qbv
Protocols, methods and elements of different of bandwidth utilization) and even disabled. A 802.3br and
Quality of service Frame preemption
levels can be used to ensure that priority data, specific VLAN may be used to implement 802.1Qbu
signals and services are available in a timely software updates, which allows regulation of Cyclic queue
Quality of service 802.1Qch
manner while allowing multiple types of data the bandwidth utilized for specific functions, forwarding
on the same physical network. depending on the vehicle status or mode. Asynchronous
Quality of service 802.1Qcr
shaping
Meanwhile, virtual local area networks (VLANs) Audio visual bridging (AVB) was initially created
Frame replication
are used to segregate different types of data to add specific shaping or prioritization of audio Redundancy 802.1CB
and elimination
and enable these data types to be prioritized, and visual data flows on Ethernet networks.
Transport
limited (in terms This ensured that audio and visual data could AVTP 1722-2016
protocol
12 SPONSORED BY
be sent across the network without distortions Figure 11. Apparently similar data
due to variable data rates. AVB was adopted by Gateway may come from different sources.
early automotive Ethernet users, usually in
conjunction with scalable service-oriented
middleware over IP (SOME/IP) and service
discovery (SD), as a method to enable SOA
communication. Time sensitive networking Central
Propulsion Chassis Cluster
(TSN) is a development of AVB specifically for display
functions and use-cases that have high integrity
requirements, such as automotive. TSN extends
some of the elements of AVB, while also adding
others that were not available before. Rear seat
Door Inverter Dampers
display
AUTOSAR has directly included or supported the
above technologies and standards as needed. Example signals
This has avoided the need to reinvent Motor power
Seat DCDC Anti-roll Amplifier
technology that was originally developed for Battery charge
specific purposes. Standards and functionality
needed by both classic and adaptive versions of
AUTOSAR are standardized in the Foundation Battery Air springs
standard, enabling compatibility and
consistency.
change quickly and can likely be updated once problems and mismatches across the full
per second, potentially with some damping. An architecture. Capital Networks facilitates the
Classic platform Adaptive platform energy usage reading, such as a power gauge, consistent design of data signals, and
instantaneous fuel consumption or similar implementation of protocols across full
graphic will need more frequent updates. These architectures, considering vehicle variants,
Foundation elements of similar data will come from options, and the different technologies used.
different ECUs — one from a battery Sophisticated design tools can model full E/E
Figure 10. The Foundation standard of AUTOSAR
management ECU or fuel tank sender and the architecture behavior, including timing,
provides functionality needed in both the Classic and
Adaptive platform versions. other from an inverter or powertrain control bandwidth utilization and other performance
ECU. Although, these are sometimes measures. These models can also consider the
consolidated. characteristics of each technology, and the
In the instrument cluster example, any
prioritizations and allocations made for the
information displayed to the driver must be Network design tools are vital to enabling the
data types in use. Configuration of VLANs, the
current (an adequate maximum age from the correct implementation of these protocols and
assignment of the relevant subset of ECUs to
original measurement or calculation), to standards, both traditional automotive
each, the audio visual bridging (AVB)/time
represent the actual state of the vehicle. networks such as CAN, and those utilized in the
sensitive networking (TSN) priorities and more
Examples include a fuel gauge or battery state automotive industry like Ethernet. Model-based
can all be managed centrally in the system design,
of charge reading or trip computer functions. design tools support consistent
ensuring consistent and correct implementations.
The charge or fuel level reading should not implementations, predicting configuration
13 SPONSORED BY
Functional Safety: A networks perspective Data that carries a potential safety consequence systems design phase and structures these
if incorrect or missing primarily receives end-to- groups in the network design, or re-includes
Network designers have been designing with
end (E2E) protection. A group of signals are the groups in the case of carry-over from
FuSa in mind for many years now and in most
packaged in a common message or PDU and existing projects. Documentation
cases the mechanisms used are well understood.
treated as a single entity in terms of the demonstrating that the design fulfills
The larger data elements and objects used with
network bus, gateways and COM stacks. These requirements, rules and standards in place
higher levels of driver assistance and automation
grouped signals have a cyclic redundancy check supports auditing of the application of E2E
have added updated mechanisms or schemas in
(CRC) calculated for them, some form of protections. These mechanisms are set by the
recent AUTOSAR releases.
counter (alive, frame or other depending on the sender and used by the receiver to confirm
The conventional approach with networks is to scheme chosen) and a data ID. Although, other that the data is fresh, valid, and from the
treat them as quality measures (QM), as a methods can be used to overcheck the identity correct sender. However, the integrated
mechanism, which is defined in ISO 26262. of the group. These protection methods are protections are only designed to defend
Where required elements are added to the identified as schemas by AUTOSAR, which has against errors and faults and not targeted
design to validate the data is being received included common mechanisms used to provide malicious actions. Thus, the system design
regularly and accurately. Increasing system the protections, including the CRC calculations. must be robust enough to cope with correct
integrity requirements now demand redundant This allows OEMs and systems integrators to data occasionally being rejected or invalid
routings for some data, but this is often a shape their own design rules according to the data being accepted, both infrequently and
system-level design consideration and will only risks identified in their system design usually as single occurrences. With over
be encountered by the network designer as methodology. thousands of hours of usage of millions of
additional design rules. For instance, a design vehicles, these infrequent events will occur
The network designer groups signals based on
rule may prevent the routing signals A1 and A2 sporadically.
the functional requirements identified in the
on the same networks from sender to receiver.
FUNCTIONAL SAFETY
Automotive megatrends of electrification, connectivity, and automation
have intensified the necessity for functional safety. Consumer
expectations for end-user vehicle functionality have also increased
demands on CPU performance. Watch this webinar for practical design
examples, including a system-level framework for partitioned
communication introduced into the AUTOSAR ECU systems.
Webinar: Architecting vehicles for functional safety compliance
CLICK HERE TO VIEW THE WEBINAR
14 SPONSORED BY
For E2E protection to be meaningful, the As with general network design, OEMs have
sending and receiving ECU need to be designed design rules and standards instructing the
with appropriate FuSa considerations. network design engineers which protections to
Protecting a signal which may have been sent use in which system design scenarios. Capital
incorrectly due to software of inappropriate Networks includes editors that assist with the
integrity renders the protection meaningless set up these safety mechanisms. The design
and a waste of bandwidth. Further, the frame model enables consistency checks to guide the
headers of most network types contain some designer toward problems and makes sure the
protections that will cause the data in the networks are correct-by-design and consistently
frame to be rejected if a basic fault is detected. described in the software configuration outputs
Although, these usually are not considered to for each ECU.
be robust enough for application level data
checks, and are only suitable for bus level MCU SHORTAGE
errors. Cyber security
The information presented to the driver is of There are similarities in the approaches taken
mixed criticality. Some elements are safety Multiple factors collided to create a global
with FuSa and cyber security — the base
related or legislated, requiring continuous technology is built upon and in terms of network microcontroller shortage that forced
availability with sufficient accuracy. Other design, signal protection elements are added. developers to redesign ECUs using
elements of information are presented for the However, due to the need to mitigate malicious alternative Microcontrollers (MCUs) and
comfort or convenience of the driver. The attacks, the mechanisms added need to be more find alternative solutions for designing and
simultaneous need to present both safety- sophisticated. These mechanisms may not
testing their software. This white paper
related and non-safety-related information always meet the needs of the FuSa on their own
introduces requirements not just into the aims to share ways to arrive more easily
and OEMs must consider the risk when selecting
processing and presenting of such data, but the mitigations to be used across a system or and effectively at software that is less
also the networks design. Sometimes this platform for potential threats and/or faults. ISO/ dependent on specific hard-to-get MCU
includes redundant information sources. SAE 21434 is used to set out best practice hardware. Discover how to reduce the
However, more commonly, the requirements principals and process when designing vehicle impact of the global microcontroller
call for E2E signal protection, or even both. systems in consideration of cyber security.
shortage on your ECU software
Examples may include airbag warnings — if the
To satisfy FuSa, received data is checked to be development.
cluster or warning lamp system misses the data
consistent and correct with what was sent, with
from the airbag controller, it will put the White Paper: Microcontroller Shortage
a limited check that the signal group is correct.
warning lamp on assuming there to be a fault.
Cyber security includes additional checks to
In contrast, some of the data in a trip computer
authenticate the data is from the correct sender CLICK HERE TO VIEW
function is for convenience only and can safely
and sometimes (depending on the systems
not be shown when not available. Likewise, THE WHITE PAPER
design) includes encryption of the data itself.
other than damaging the impression of vehicle
Although, use of all mechanisms on the same
quality, occasionally erroneous values may be
data is infrequent.
accepted by design.
15 SPONSORED BY
Introducing new challenges for the network four or eight bits, while cyber security counters cyber security protections manifest as built-up
designer, modern vehicle systems can exchange can be extended to 16, 32 or more bits to layers of defense across the platform, its cloud
data such as phone numbers, addresses, mitigate a replay attack. It is common to use connections and more. Special care must be
payment details and more. These types of data multiple protections, as per FuSa, to mitigate taken to make sure all appropriate layers are in
are, or contain, personally identifiable different risks. Redundant copies or paths for place for systems determined to be at risk.
information (PII). This data needs to be the data can help, however, determining which
If we consider the cluster example, functions
encrypted both during transmission and in data to trust when a conflict occurs is an
that relay phone or navigation information onto
storage. Therefore, encryption keys are also important design consideration.
the driver display might contain PII. This data
needed to write and read the data.
These protections and others have a bigger should typically be encrypted so that it is not
Meanwhile, data used to determine control impact to both the network designer and the readable from a data log without the correct
decisions with safety relevance needs to be architect than FuSa protections. With cyber key. This data, however, usually does not
trustworthy. In some cases, the overall system security, data sizes tend to be much larger, warrant protection from corruption so that
design may contain sufficient redundancy in consuming more bandwidth. The larger frame duplicate information is displayed to the driver.
the sourcing or sensing of this data that full sizes of higher baud rate networks such as The encryption of data containing PII may be
protection is not needed on every element and Ethernet, FlexRay, CAN flexible data-rate (FD), more important in markets with privacy
a fusion algorithm may be used to resolve or CAN extra load (XL) can support the greater legislations, such as Europe’s GDPR protections,
conflicts. It is also possible that this part of the demands of cyber security, as opposed to but it is a good practice overall.
system design is constrained by the sourced traditional CAN or LIN networks. An additional
As described previously, the consequences of
system components and network technology firewall before a CAN or LIN network, with
this are additional design rules and standards
available (bandwidth, maximum PDU size, etc). health monitoring of the sub-systems from the
that must be followed by the network designer.
Eliminating or reducing these constraints is a secure ECU, can provide additional protection
Capital Networks models the full vehicle E/E
primary driver to higher baud rate networks to vulnerable parts of the system.
architecture and can perform consistency
with larger payloads per frame.
VLANs can be used to segregate traffic types on checks across the full system to make sure the
The control data coming from the decision Ethernet and IP networks, allowing bandwidth design is consistent and the cyber security
algorithm, which may be instructions on utilization limits to be set. This can help prevent protections are complete, enabling correct-by-
control inputs for steering, acceleration, denial-of-service-type attacks from affecting design outputs.
braking and more, has a direct impact on multiple systems and enables certain traffic
vehicle behavior. The system design must types to be turned off in various modes of
Power modes
assure that this data is correct and operation. For example, software updates can
authenticating control data at the target motor be prevented while the vehicle is in motion. Traditionally, vehicle networks have been
or actuator is highly desirable. Possible Additionally, firewalls are increasingly deployed designed to remain awake to ensure
authentication mechanisms include a hashed at entry points to the vehicle, such as the functionality is available when needed. Under
(#) version of the signal group that enables the telematics and between the entry points and this approach, special attention is paid to
receiver to perform an additional keyed check ECUs hosting higher risk functions. designing robust shutdown procedures that
of the data. Control data may also include some occur when the vehicle is in an appropriate
A further consideration is that FuSa can usually
indicator for time, or a step counter. Counters state. This method sustains safety-related
be considered in relative isolation. In contrast,
used in automotive networks for FuSa are often functions and backup functionality (for
16 SPONSORED BY
Figure 12. During some modes, such as vehicle charging, only a

example, enabling parking brakes or maintaining Gateway sub-set of the full display information is needed and available.
limited powertrain operation in the event of a
faulted network). However, for maximum energy
efficiency, it is desirable to shut down what is
not currently needed and what will not be
needed on shorter notice than the wake time of
the components that are asleep or powered Central
Propulsion Chassis Cluster
down. display
Partial networks allow some networks to be shut

down when not needed. Pretended networking
is also used occasionally, where some ECUs go
Rear seat
into a low power mode, but continue to be Door Inverter Dampers
display
active on the networks. Power modes can get
more complicated. It is very important that Example signals
needed signals and data can be generated by Motor power
awake ECUs, using awake sensors and sent over Seat DCDC Anti-roll Amplifier
Battery charge
networks that are awake. Therefore, power
modes can quickly constrain the routing of
signals.
Battery Air springs
Returning to the cluster example, the user has an
expectation that certain data is visible in given
vehicle modes, such as charging a battery Complexity measured differently for different vehicle types.
electric vehicle. This data might be offered for For instance, a vehicle speed algorithm will
Finally, complexity must be considered at a full
the convenience of the driver, but could also consider different wheel slip behavior on two and
system level as it is impacted by everything we
have legal or safety considerations, such as the four-wheel-drive vehicles. The mechanisms
have discussed. Complexity means options and
current charging status, vehicle odometer or covered for FuSa and cyber security also need to
variants. Most vehicle programs share a
parking brake status. If this data is not calculated consider the relevant vehicle variations.
common underlying E/E architecture across a
or stored in the cluster, it needs to be available
range of vehicles of different sizes and body Capital Networks allows full consideration of
to be displayed. While this would have been
types, for different markets and more. A two- vehicle and ECU variants, using consistency checks
considered in the E/E architecture definition, it
door vehicle may use fewer door modules than to ensure correct-by-design implementations.
still creates network routing and signal packing
a four-door car and a low-specification car will Implementation files, AUTOSAR configurations or
requirements for the network designer.
likely use fewer ECUs overall than a high others, can be shared with software teams and
Capital Networks includes editors that assist and specification car that is driven by features suppliers appropriate to the ECU versions and
automate setup of these power saving modes, included in the vehicle. All of this is to be variants needed. Also, with the increasing size of
with model-based consistency checks that considered in the design. Some signals must be network architectures and data, generative design
enable correct-by-design setup of mechanisms, available on all variations, while others may will accelerate the completion of laborious tasks,
which can be very complicated to implement. change source due to being calculated or saving time and effort and reducing manual errors.
17 SPONSORED BY
Generative By following a model-based approach in a

common environment for system and software
Each of the day-to-day challenges and
engineers, this process can be significantly
decisions that occur during the network
improved. There are several key tasks embedded
design phase of E/E systems development
software engineers must accomplish:
can have widespread, cross-domain effects
that are difficult to predict or even fully • Create clear requirements and functional
understand. Connecting the many definitions to improve downstream software
disciplines enables designers to understand quality
the downstream impacts of their decisions
• Develop accurate, verified software
during development and is critical to
architectures
accelerating the vehicle development
process. • Design, simulate, implement and verify
Networks design considers and implements

software components AUTOSAR and
• Develop embedded software for automotive
many elements vital to both assuring
correct vehicle functionality and protecting ECUs that satisfy functional safety and Siemens
the entire system from incorrect sub- cybersecurity requirements
system behavior. It is important to select a
• Integrate AUTOSAR basic and application
solution that consistently and correctly AUTOSAR is the go-to standard to enable
software
generates the configurations and the digital thread for development of
documentation used in the development • Configure AUTOSAR embedded software and automotive embedded software and a
and validation of each ECU making up the enable ECU flashing
key technology enabler for generative
full system. Capital Networks has been • Simulate and verify embedded software software development. Read this blog
developed to address the specific needs of implementations
the design of vehicle networks. Bringing post by Henrik Olsen is Product Line
together learnings from its predecessors, Capital‘s new embedded software development director for the Embedded Software
which were used by multiple OEMs across tools can help customers establish high quality solutions in the Integrated Electrical
the world, and the AUTOSAR flow and software and adherence to the industry Systems segment in Siemens Digital
framework, which also includes many years standards of safety and security. This is done by
Industries Software, to find out more
of industry learning, to offer the most using a software architecture-driven flow,
integrating network design into the development about Siemen’s Premium Partner status
robust networks design solution.
process and accelerating AUTOSAR-based virtual with AUTOSAR.
verification and deployment of software on an
The criticality of embedded software ECU. This virtual verification approach has great
CLICK HERE TO VIEW
development potential to positively impact the quality and
speed of embedded software development and THE BLOG POST
Effectively designing, testing and deploying
is the subject of the next section.
on-board software is a key priority for
automotive companies across the world.
18 SPONSORED BY
Deploying safe and secure automotive-
grade embedded software with V&V
Workflow and verification Figure 13. The generative MDD/
XIL workflow produces correct
Development methodologies and verification systems using automation.
and validation (V&V) tools have advanced over
the past few decades. Today, the Model Driven
Development (MDD) methodology and X-in-
the-loop (XIL) verification are well-established
as an effective means to develop safe and
secure vehicle E/E subsystems. In the MDD
systems engineering process, or generative
workflow (figure 13), a model of the ECU is
tested against a model of the vehicle system’s
communication networks, sensors, actuators
and plant environment that surround the ECU:
the model-in-the-loop (MIL) level of
abstraction. Once the model is validated, C/C++
code is auto-generated from it and retested: the
software-in-the-loop (SIL) level of abstraction.
Eventually, the generated code is integrated
into ECU hardware and platform software
(firmware) and retested: the hardware-in-the- of the ECU hardware model can scale whereas the
loop (HIL) level of abstraction. HIL-level testing platform and application software remain the actual
can also be performed utilizing models of the code that deploys in the final vehicle (similar to HIL).
ECU hardware: the so-called virtual hardware- This facilitates testing final production software on a
in-the-loop (vHIL) level of abstraction. platform that is optimal for the verification intent. With
advanced MDD tools, integration can also be generative
The different abstraction levels of XIL
in the workflow.
configurations found across the MDD/XIL
workflow are summarized in (figure 14). The
range of accuracy (or fidelity) of the various XIL
Test benches and test automation
configurations can be quite wide. The vHIL
configuration that leverages virtual ECU There are two major elements in the MDD/XIL testing
simulation technology covers the broadest architecture: the test bench and the test automation Figure 14. Test automation software sequences the SUT and
range. In the vHIL configuration, the accuracy software that executes test cases (figure 15 next page). accesses data within it using interfaces exposed by test benches.
19 SPONSORED BY
grade embedded software with V&V CO N T I N U E D
Test bench
Testing an XIL system begins at the test bench. vendors. For automotive E/E subsystems, the primary data and accesses of
The test bench is an abstraction that provides interest include:
the ability to execute a system under test (SUT) • Signals and parameters in embedded software and simulation models
and access the data in it. The SUT includes
ECUs, networks, mechatronic hardware and • Data from the diagnostic functionalities of ECUs
other simulated parts of the system. Each type • Measurable variables and calibration data in automotive software
of data or access requires a different interface
and the information is configured and managed • Data controlling fault and error-injection in the SUT
by different specialized tools from different • Signals encoded into messages communicated over an automotive network
Figure 15. An
overview of XIL
test bench
configurations.
20 SPONSORED BY
Figure 16.
Shift-left test
Test automation software A larger business issue is the and verification
problems not found early in a using a digital
To support the testing sequence or test case, twin to find
project when they are less
test automation software utilizes the interfaces problems
expensive to fix. Even worse, earlier.
exposed by the test bench to access the data
issues uncovered in the field
and exercise the system’s functionality. The test
can be disastrous to the
cases must have enough coverage to V&V all
business.
aspects of the system that are applicable at
each phase of the MDD/XIL workflow.
Factors that affect
test re-use
Testing challenges
The main factors that
The idea of using computers to automatically
contribute to the lack of test
transform modeled functions into production
re-use include:
quality embedded C/C++ code was once
considered impractical, yet is now well- • Levels of abstraction of
established as the most effective way to the data and signals in the
develop software. However, because of several test benches
factors such as the tiered ecosystem where
• Modeling and
several teams in different companies
programming languages example, a signal might be encoded as a double
collaborate over large process gaps, the sheer
complexities involved in developing modern E/E • Sequencing and control over the various precision software variable at the MIL level, yet it
systems and the slower pace of standardization specialized tools ultimately will be realized in a CAN network message
relative to the pace of new methodology at the HIL level or as a calibrated 32-bit integer at the
• Means to stimulate and trace the SUT SIL level. How does a test case consistently access
adoption, there are large disconnects between
V&V at the model level and V&V at the • Lack of standardization data that changes in its data structure during a
implementation level. project without any modifications?
If these factors are not addressed adequately,
It is clear this lack of test re-use is a significant equipment and tool dependent tests are
issue. A huge business ramification is a reduced developed multiple times, often by different Different languages
amount of V&V coverage if every test case is people with varying skill sets.
not converted or adapted to each level of In the systems engineering process, different
abstraction. This causes issues in both languages are used. A modeling language such as
directions: production code is not exercised Different levels of data abstraction Simulink, Simcenter™ Amesim™ software, the UML,
against all important functional scenarios that or Modelica might be used at the MIL level whereas a
A major challenge is when signals are programming language like C/C++ is typically used at
are validated at the model level and an represented, encoded and interfaced at
overreliance on expensive HIL equipment that the HIL level. How does a test case read and write
different levels of abstraction as the system is values in a SUT consistently during development as
is not always available to every software re-integrated moving from MIL, SIL to HIL. For
engineer. the languages change?
21 SPONSORED BY
Different tools and simulators • Generate test artifacts automatically Issues with direct-coupled test
using MDD model transformations architecture
Many different tools and simulators are needed
to validate a modern ECU. Simcenter Amesim The business problems related to a lack of If the test automation software is directly
might be used in a MIL level testbench to standardization are: coupled to the test bench using a rigid
describe a plant model and Capital VSTAR interface, whether it is standard or not, test re-
• No ability to efficiently exchange test
Virtualizer could be used at the vHIL level. use is not possible across the MDD/XIL
cases and test benches between OEMs
Automated driving tests require environment workflow.
and suppliers
scenario tools like Simcenter Prescan™
Another drawback of direct-coupled test
software. Starting up an HIL rig is very different • Increased training costs because know-
architectures is that the verification apparatus
from launching a virtual ECU. These are just a how cannot be easily transferred
does not readily support a heterogeneous
few examples. How does a test case know how
• Prohibitive costs to switch between configuration where MIL-level test benches can
to configure, initialize and control the various
testing technologies and products be mixed with HIL and/or vHIL level test
tools used as a project progresses?
benches. These heterogeneous configurations
• Verification engineers cannot combine
are needed to efficiently test multi-ECU
the best test automation software with
systems, which are typically required to validate
Different means to simulate and trace the best test bench products
modern E/E systems for ADAS, ADS and AV.
Each tool has a different way to extract signals
and parameters, obtain data from diagnostic
Figure 17. Several
functionalities, measure variables and access
factors contribute to
calibration data, provide a means to control the challenges within
fault and error-injection and parse and extract the MDD/XIL workflow.
signals packed in automotive network
messages. How does a test case consistently
stimulate and trace data as test benches
change?
Lack of standards
Without standardization, test case re-use is
simply unattainable because there is no
standard way to:
• Communicate between test cases and test
benches
• Describe, configure and initialize test
benches
• Map and access data in test benches
22 SPONSORED BY
MIL level workflow with direct- XIL level workflow with direct-coupling Standards that support test re-use
coupling
By examining the rest of the MDD/XIL workflow Open standards such as the Association for
The MIL level workflow that uses direct- with direct-coupled test benches and test Standardization of Automation and Measuring
coupling starts with the development of automation software, the problems expand Systems (ASAM) XIL and functional mockup
test cases that are rigidly connected to the significantly due to many different languages, interface have emerged to support testing artifact
first MIL level test bench. Everything levels of data abstraction and the number of re-use and provide a common test automation
appears good enough. However, when you different specialized tools that must be architecture that promotes interoperability
consider that different representations of controlled (figure 16). It is most certain that between testing tools from different vendors.
the system are possible at the MIL level, none of the downstream test benches will
These standards are very effective at reducing
you quickly discover rigid interfaces do not expose interfaces that are compatible with the
development and training costs. The standards are
support test re-use because the interfaces original MIL level test benches.
more effective when combined with an MDD/XIL
do not match. For example, if an MIL level
In a direct-coupled test architecture, test workflow methodology that automatically
system #1 is modeled using language #L1,
development must be performed multiple produces testing artifacts as normal by-products
data type #D1 and tool #T1, its test bench
times, most likely by different groups. This of systems integration efforts using institutional
interface #I1 will not match the interface
means function development is more isolated rules and model transformations.
#I2 for a MIL-level system #2 that uses
from ECU integration.
language #L2, data type #D2 and tool #T2.
Figure 18.
Interfaces across
the XIL-levels do
not match when
data, languages,
or tools change.
23 SPONSORED BY
When used in the MDD/XIL generative workflow • Collection of time-aligned trace data and a to control simulation tools and access simulation
as tool profiles, architecture standards such as specification of its data format models executing in them. ASAM XIL-MA is
AUTOSAR can further maximize effectiveness extracted from ASAM XIL and abstracts test
• Ability to inject faults and errors into the
and quality. Several professional-grade automation tools from test benches for this
SUT
AUTOSAR runtime software and associated purpose.
development tool solutions exist from different • Support for test event and triggering
vendors.
AUTOSAR
Functional mockup interface (FMI)
The AUTOSAR partnership is an alliance of OEM
ASAM XIL
FMI is an open tool independent standard that manufacturers, tier 1 automotive suppliers,
ASAM XIL is an API standard for the is broadly supported by many tool vendors to semiconductor manufacturers, software and tool
communication between test automation tools support model exchange and co-simulation of suppliers. Considering the different automotive
and test benches. The standard started in 2009, dynamic models using a combination of XML E/E architectures in current and future markets,
as an effort to standardize HIL and has files and compiled C-code. The XML and C-code the partnership establishes a defacto open
advanced to cover other test bench is bundled in a functional mockup unit (FMU). industry standard for an automotive software
configurations used in the MDD/XIL workflow. These FMUs are used during V&V to represent architecture.
XIL indicates the standard can be used for all in- the sensor, actuator and plant environment
A contribution of AUTOSAR that facilitates test
the-loop systems. The most recent release is surrounding a distributed E/E subsystem. FMI
re-use is the ability to describe architectures and
ASAM XIL version 2.1.0. has been driven by a European Union (EU)
their configurations in automotive E/E systems to
Information Technology for European
A beneficial contribution of ASAM XIL in terms provide the required formal model
Advancement (ITEA)2-funded project, called
of business value is the ability to develop tests transformation targets in the MDD/XIL
MODELISAR.
early in the development process when issues generative workflow.
are least expensive to rectify. Other ASAM XIL
values include:
ASAM XIL-MA
A better test architecture
• Support for test case re-use by decoupling
The FMI initiative cooperated with the ASAM
test automation software from test To combat the inherent testing challenges
XIL initiative in the MODELISAR project. This
hardware described here, a test architecture centered on
cooperation helped standardize the way
standards and augmented with automated
• Interoperability between different vendors simulations are setup and executed to
model transformation in an MDD/XIL generative
of test automation software and test accomplish the coupling of simulation tools
workflow is key.
benches with testing tools across the MDD/XIL workflow.
The results were embodied in an internally Mapping and configuration framework ASAM XIL
• Significant reduction of testing efforts
named result called FMI for applications. ASAM is architected into two major parts (figure 17):
• Longer term protection of testing and MODELISAR decided to join this part of
1. A test bench for the simulation models, ECU
investments their activities to develop a single standard,
data (for example, parameters, variables and
resulting in ASAM XIL-MA. The major goal of
• Common way to setup and initialize a test diagnostics), electrical error simulation and the
ASAM XIL-MA is to allow test automation tools
bench automotive networks.
24 SPONSORED BY
2. A mapping and configuration framework that • Model access concrete identifiers, physical units to physical
supports the mapping of units, data types or units and data types to data types. By providing
• Diagnostics
variable identifiers, triggering, actions, a new mapping for each different test bench,
measurement, logging and other management • Electric error simulation the test case remains unchanged and can be re-
facilities and services related to communication used directly across engineering phases.
• Automotive networks
to the test bench such as initialization, ordering
The test bench ports are only supported in
and sequencing. The most challenging task of decoupling test
ASAM XIL 2.0 for compatibility with ASAM HIL
automation software from test benches is
The test bench part of the architecture provides and to provide functionality that is currently not
facilitated by the ASAM XIL mapping
standardized interfaces to the different types of provided by the framework layer. The major
framework. It allows data in a test bench to
tools with specific test bench ports. These ports change in this area of ASAM XIL 2.0 is to
differ in value and type during the overall MDD/
offer standardized access to ECUs, including introduce port independence to test cases by
XIL workflow. The framework isolates the
interfaces for: using an object-oriented access to variables on
differences to different mappings of values
the test bench and an abstraction of ports in
• Calibration between the test cases and the test benches.
the framework layer. Based on these variable
Examples include abstract identifiers to
• Measurement objects, the framework also provides objects for
port-independent signal recording, signal
generation, event watching and triggering.
ASAM XIL thus effectively provides an adaption
layer between the test cases and the different
XIL test bench configurations in the MDD/XIL
workflow. This allows the verification engineer
to test any MIL, SIL, vHIL, or HIL test bench
configuration using the same test case by
inserting its corresponding mapping and
configuration counterpart between the test
case and the test bench (figure 20, next page).
Generative MDD/XIL workflow

Combining ASAM XIL, FMI and AUTOSAR
provide all the formal ingredients required for
automated model transformation to create a
generative MDD/XIL workflow. With the
addition of a set of institutional rules, it is
possible for automated tooling to take test case
descriptions, function models, environment
Figure 19. ASAM XIL provides a flexible standard test architecture.
25 SPONSORED BY
Figure 20. Test cases are reusable across MDD/XIL configurations using ASAM XIL Figure 21. The MDD/XIL MIL-level workflow using
mapping and configuration layers to adapt test bench interfaces. ASAM and FMI standards is straight-forward.
models and architecture models that are The test bench, map and configurations for the • Test cases are re-used across the entire MDD/XIL
produced during normal system design efforts, environment model are re-used directly from work-flow, preserving testing investments
and generate the test benches, mappings and the MIL level test bench. FMI co-simulation is
• Increased V&V coverage increases safety,
configurations required for automated V&V used to connect and execute the environment
enhances security and finds problems before
regression testing. model and ECU simulation (for the case of
they are deployed into the field
vHIL).
The workflow starts at the MIL level of
• An automated and generative MDD/XIL workflow
abstraction and generates test artifacts (figure
increases quality by using model transformations
19). It is important to note that all the models
Results and conclusion that are correct-by-design and it reduces
conform to some formal domain-specific meta-
development, which shortens time-to-market
model, and the map and configuration The test cases developed during design can be
descriptions correspond to the function and re-used through to production ECU testing and • OEMs and suppliers can efficiently exchange test
environment model test benches for MIL level ultimately for automated regression V&V of cases and test benches, which saves cost and
testing. future software updates deployed into the field time
(figure 23).
After the function model is validated at the MIL • Decreased training costs because standards-
level, it is used as input for automatic There are several valuable business benefits this based know-how is more easily transferred
integration in an AUTOSAR-based platform testing architecture and generative MDD/XIL
• Verification engineers can combine the best test
using another set of rules (figure 21). Note that workflow affords:
automation software with the best test bench
all models conform to some formal meta-
• Problems are found earlier in car projects products because of standard interoperability –
model. The additional map and configuration
when they are least expensive to fix and switching between testing solutions is much
descriptions correspond to the ECU test bench.
less expensive
26 SPONSORED BY
Figure 22. The MDD/

XIL workflow reuses
tests across XIL-
Figure 23. A MDD/XIL
levels using formal
workflow that uses a
standards.
standard test architecture
supports test case reuse.
• Tests can include multiple levels of non-RT systems). Because of the inherent need Going forward
abstraction in a heterogeneous for network protocols in such a configuration,
The complexity of all E/E architecture domains
configuration – this is useful when ACOSAR could potentially fill the gap of the
will continue to increase in the future.
validating the distributed multi-core, multi- missing network protocol specifications within
Automotive manufacturers must deliver and
ECU E/E systems found in modern ADAS, FMI. It is considered that ACOSAR will provide a
integrate numerous components that make up
ADS and AV vehicle systems so-called FMI for RT co-simulation.
highly complex, connected vehicle features to
• Multiple, cross-discipline interface System structure and parameterization keep up with today’s demands. The increasing
requirements are satisfied with System structure and parameterization (SSP) is number and sophistication of these
standardized access: calibration, a developing standard that should be usable in components calls for advanced electrical,
measurement, diagnostics, networking, all stages of the MDD/XIL workflow. The network and software engineering solutions to
tracing, stimulus and fault-injection standard’s effort is coordinated with the FMI help keep up with the complexity and
and ASAM standards. The goal of SSP is to shortening product development timelines.
provide a standardized format to represent a Today, innovative electrical systems
Future work connected set of components. engineering solutions can help automakers by
automating development processes, while
ACOSAR These components for example, can be FMI-
frontloading capabilities will help companies
The main goal of ACOSAR is to develop a non- based simulation models and ASAM testing
accelerate vehicle development, spur
proprietary real-time (RT) co-simulation artifacts. This would provide for a more
innovation and lower development costs.
interface. ACOSAR is an ongoing project. Real- complete automation and a standard way to
time testing, in particular mixing actual and describe and parameterize test configurations if
virtual testing components together, is an the MDD/XIL workflow utilizes SSP as a standard
important use case (co-simulation of RT and description format.
27 SPONSORED BY
Siemens Digital Industries Software is driving transformation to enable a digital enterprise
where engineering, manufacturing and electronics design meet tomorrow. The Xcelerator™
portfolio, the comprehensive and integrated portfolio of software and services from Siemens
Digital Industries Software, helps companies of all sizes create and leverage a comprehensive
digital twin that provides organizations with new insights, opportunities and levels of
automation to drive innovation. For more information on Siemens Digital Industries Software
products and services, visit siemens.com/software or follow us on LinkedIn, Twitter, Facebook
and Instagram. Siemens Digital Industries Software – Where today meets tomorrow.
STAY CONNECTED
CLICK HERE TO VISIT OUR WEBSITE

Siemens Ebook Automotive Changes v5

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Siemens Ebook Automotive Changes v5

Uploaded by

Copyright:

Available Formats

D I G I TA L E B O O K

The changing automotive

engineers must synthesize dozens of new engineers concerned with definition,

(OEMs) and systems integrators are • Functional safety (FuSa) ECU

integrators to have the right products at the

The next trend is the increasing use of service-

Gateway Gateway Figure 9. An example subset of signal flows.

Rear seat Rear seat

Battery Air springs Battery Air springs

Table 4. A quick reference guide to common automotive network technologies.

Network Max baud Max frame AUTOSAR Priority/

CLICK HERE TO VIEW THE WEBINAR

Figure 12. During some modes, such as vehicle charging, only a

Partial networks allow some networks to be shut

Generative By following a model-based approach in a

Networks design considers and implements

Generative MDD/XIL workflow

Figure 19. ASAM XIL provides a flexible standard test architecture.

Figure 22. The MDD/

products and services, visit siemens.com/software or follow us on LinkedIn, Twitter, Facebook

You might also like