The document discusses the development of safety-compliant autonomous driving solutions using the Adaptive AUTOSAR standard, emphasizing its flexibility and portability for complex automotive applications. It highlights the importance of selecting a reliable operating system, such as VxWorks 7, to ensure functional safety according to ISO 26262 standards. The implementation includes various architectural components, real-time process management, and mixed-criticality capabilities to support both critical and non-critical applications.

1. © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Developing Safety Autonomous
Driving Solutions Based on the
Adaptive AUTOSAR Standard
Leo Hendrawan – Senior Member Technical Staff
Andrei Kholodnyi – Senior Architect
Wind River Systems

2. 2 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
AGENDA
 Introduction and Background
 Adaptive AUTOSAR
 Safety Compliant OS for Adaptive AUTOSAR
 Implementation of Adaptive AUTOSAR on VxWorks 7
 Conclusions & Demo
 Q&A

3. 3 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Introduction and Background
 Automotive Industry is facing three transformations:
• Electrification
• Advanced Communication/Networking
• Autonomous driving
 A Self driving car is estimated to generate more than 4 TB data per day

4. 4 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Introduction and Background
 Since 2003, AUTOSAR has been establised as automotive software
development standard.
 Classic AUTOSAR
• Suitable for deep embedded application
• Less versatile for managing complex application such as autonomous driving

5. 5 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Adaptive AUTOSAR
 Defined by AUTOSAR Consortium in 2017
 Designed for technologies with
• High end processors
• Ethernet communication
• Over-The-Air Update
 Offer high portability/flexibility with POSIX and C++ standards

6. 6 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Adaptive AUTOSAR Basic Architecture
 Adaptive Applications (AA)
• User application implementing
connected, autonomous driving
functionalities
• Implemented as single/multiple
processes separated with each
other and other applications
• May only use ARA
Communication Manager for
communication
AUTOSAR Runtime for Adaptive Applications (ARA)
Adaptive Platform Foundation
(Virtual) Machine / Hardware
Adaptive Platform Services
Software
Configuration
Management
Service
Security
Management
Service
Diagnostics
Service
Bootloader
Operating
System
API
Execution
Management
API
Persistency
API
Platform Health
Management
API
Logging and
Tracing
API
Other Functional
Clusters
API
Communication
Management
API
ApplicationApplicationApplication
Hardware
Acceleration
API
Other Adaptive
Platform
Services
Service
Non-platform
service
Service
Non-platform
service
Service

7. 7 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Adaptive AUTOSAR Basic Architecture
 AUTOSAR Runtime for
Adaptive Applications (ARA)
• Abstraction layer for underlying
OS and hardware
• Comparable to AUTOSAR RTE
(Run Time Environment) in the
classic AUTOSAR
• Provides standard C++
interfaces
• Consisting collection of
Functional Clusters
AUTOSAR Runtime for Adaptive Applications (ARA)
Adaptive Platform Foundation
(Virtual) Machine / Hardware
Adaptive Platform Services
Software
Configuration
Management
Service
Security
Management
Service
Diagnostics
Service
Bootloader
Operating
System
API
Execution
Management
API
Persistency
API
Platform Health
Management
API
Logging and
Tracing
API
Other Functional
Clusters
API
Communication
Management
API
ApplicationApplicationApplication
Hardware
Acceleration
API
Other Adaptive
Platform
Services
Service
Non-platform
service
Service
Non-platform
service
Service

8. 8 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Adaptive AUTOSAR Basic Architecture
 Adaptive Platform Foundation
and Adaptive Platform
Services
• Providing basic functionalities
and standard services
• From AA perspective,
indistinguishable due to
standard C++ interfaces
• Example clusters:
• Execution Management
• Communication Management
• Diagnostics
• .......
AUTOSAR Runtime for Adaptive Applications (ARA)
Adaptive Platform Foundation
(Virtual) Machine / Hardware
Adaptive Platform Services
Software
Configuration
Management
Service
Security
Management
Service
Diagnostics
Service
Bootloader
Operating
System
API
Execution
Management
API
Persistency
API
Platform Health
Management
API
Logging and
Tracing
API
Other Functional
Clusters
API
Communication
Management
API
ApplicationApplicationApplication
Hardware
Acceleration
API
Other Adaptive
Platform
Services
Service
Non-platform
service
Service
Non-platform
service
Service

9. 9 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Developing Adaptive AUTOSAR Applications
ADAR
code
generator
ARXML C++ interfaces
ARTOP
Apps

10. 10 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Safety Compliant OS for Adaptive AUTOSAR
 Adaptive AUTOSAR is highly portable
 Yet it is important to select the underlying platform and operating system
to ensure funcitonal safety capabilities
 Internal safety standard for automotive industry: ISO 26262
• Based on the general IEC 61508 safety standard
• Defines the Automotive Safety Integrity Level ranging from level A (lowest) to
level D (highest)

11. 11 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Safety Compliant OS for Adaptive AUTOSAR
 Refer to already established safety-related concept from other industries
 Several feature of VxWorks 7 RTOS for implementing safety critical
functions:
• Real Time Process with Time and Space Partition Scheduling
• Resource Area Control
• Support of Certified Hardware Platform and Software Tools

12. 12 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Real Time Process (RTP) with Timer and Space Partition
Scheduling
 Pre-emptive scheduling is critical for functional safety applications
 Additional components:
• Time partition: guarantee RTP to have CPU access at specified time windows
• Core/CPU affinity policies: avoid core transfer during task execution to ensure
predictability
RTP1 + RTP2 + kernel RTP3 RTP1 + RTP4 + kernel (or RTP2)
RTP1-t1 RTP1-t3
RTP1-t2 RTP1-t2
RTP2-t1
kernel-t1
CPU0
CPU1
CPU2
RTP2-t2CPU3 kernel-t2
RTP3-t1
idle
idle
idle
RTP1-t3 RTP4-t1
RTP1-t2 RTP1-t2kernel-t1
RTP4-t2
kernel-t2
RTP2-t1

13. 13 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Resource Access Control
 Malfunctioning task can put whole system to unsafe state
 Operating system shall manage control of all resource available (shared
memories, message queues, semaphores, etc.)
 VxWorks 7 Safety Profile implements hard-coded data structures defining
access control to each resources which need to be protected

14. 14 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Support of Certified Hardware Platform and Software Tools
 Safety compliant hardware is needed for implementing safety compliant
application
 Usage of software tools and development standards helps improving
confidence in developing safety relevant application
• VxWorks uses DIAB compiler which is developed by using Automotive SPICE

15. 15 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Implementation of Adaptive AUTOSAR on VxWorks 7
 High portability due to POSIX and C++ standards
 Straightforward porting to VxWorks 7
• Running helloAdaptiveWorld basic ara::com example
ara::comm
testService
ara::comm
helloAdaptiveWorld
ara::comm
testClient

16. 16 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Mixed-criticality Implementation with Hypervisor
 Separating critical and non-critical application
ARA
Critical App 1 Critical App 2
VxWorks 7 RTOS
ARA
App 1
Linux OS
Type 1 Hypervisor
Hardware with Multi-core CPU
App 2 App 3

17. 17 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Conclusions
 Adaptive AUTOSAR offers possibilty to develop complex automotive
applications (autonomous driving).
 Important to consider proven safety-compliant solution for underlying
layers (operating system).
 Safety OS running AUTOSAR stack allows to build flexible mixed-critical
automotive solutions

18. 18 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
Demo
ARA::COM
(VSOMEIP)
VxWorks
Gazebo Simulator
ActuatorSensor
Gazebo/ARA::COM
Bridge
Sensor
Application
libGazebo
Process
Application
Actuator
Application
Linux
ARA::COM
(VSOMEIP)

19. 19 © 2018 WIND RIVER. ALL RIGHTS RESERVED.
™