The document discusses the role of virtualization in automotive embedded systems, highlighting its potential to manage complexity and improve efficiency. It outlines use cases for virtualization technologies, including enhancing safety-critical systems and optimizing resource allocation. However, it also addresses the limitations of virtualization, particularly concerning real-time performance and technical challenges associated with embedded systems.

1. Virtualization in Automotive
Embedded Systems :
an Outlook
Nicolas Navet, RTaW
Bertrand Delord, PSA Peugeot Citroën
Markus Baumeister, Freescale
Talk at RTS Embedded Systems 2010
Paris, 31/03/2010

2. Outline
1. Automotive E/E Systems: mastering complexity
2. Ecosystems of virtualization technologies
3. Automotive use-cases of virtualization
4. Limits of virtualization
© 2010 RTaW / PSA / Freescale - 2

3. Mastering complexity of
automotive Electrical and
Electronics (E/E) Systems
© 2010 RTaW / PSA / Freescale - 3

4. Electronics is the driving
force of innovation
– 90% of new functions use software
– Electronics: 40% of total costs
– Huge complexity: 80 ECUs,
2500 signals, 6 networks,
multi-layered run-time environment
(AUTOSAR), multi-source software,
multi-core CPUs, etc
Strong costs, safety, reliability, time‐to‐market,
reusability, legal constraints !
© 2010 RTaW / PSA / Freescale - 4

5. Proliferation of ECUs
raises problems!
50
Number of ECUs (CAN/MOST/LIN)
45
40
35
30
25
20
15 Mercedes-Benz
BMW
10
Audi
5 VW
0
1986 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008
Year Graphics on this page from [3]
Lexus LS430 has more than 100 ECUs [9]
© 2010 RTaW / PSA / Freescale - 5

6. The case of a “generalist”
car manufacturer - PSA
45
40
35
30 CAN LAS
info-div
LIN
25
CAN CAR
CAN CONF
20 CAN I/S
15
10
5
0
X4-2000 X4-2003 D2 2004 D2 TG D25 X3 X6-2005 X7-2007 W2
PF3
The number of ECUs has more than doubled in 10 years
© 2010 RTaW / PSA / Freescale - 6

7. Possible upcoming architectures
in two car generations
Fewer ECUs but more powerful
– Multi-core μ-controller
– Multi-source software
– Autosar OS strong protection mechanisms
– Virtualization ?
– ISO2626-2 dependability standard
Backbone :
– CAN 500Kbit/s with offsets
– FlexRay™ : 10 Mbit/s
– Ethernet ?
How centralized is unsure
because of carry‐over ..
FlexRay™ as backbone at BWM in a few years [8]
© 2010 RTaW / PSA / Freescale - 7

8. Ecosystem of virtualization
technologies
© 2010 RTaW / PSA / Freescale - 8

9. Virtualization basics
Executing software on virtual machines
decoupled from the real HW
– Virtual Machine: software that executes software like a physical machine
– (System) VM contains an OS
– HW resources can be shared between VMs : role of hypervisor
Strong isolation
between VMs : security
and fault‐confinement are
the primary motivations
Picture from [2]
© 2010 RTaW / PSA / Freescale - 9

10. Classification of virtualization schemes [3]
Virtualization
Emulation Native
Hypoth. Real Full Para-
Machine Machine Virtua. virtua.
eg. JVM eg. Bochs eg. Z/VM eg. Xen, Sysgo,
Wind River
© 2010 RTaW / PSA / Freescale - 10

11. Use-cases of virtualization
© 2010 RTaW / PSA / Freescale - 11

12. Heterogeneous operating system
environments (1/2)
Re-use of a complete legacy ECU : eg. parking
assistance
Legacy
Benefits
– Time-to-market,
applications
–
–
Cost reduction
Validation done
Legacy OS
– Way to deal with +
discontinued hardware
Comm. stack
Hypervisor
hardware
© 2010 RTaW / PSA / Freescale - 12

13. Heterogeneous operating system
environments (2/2)
Using the best execution platform : eg. Body gateway with
both an Autosar and an infotainment VM (eg., linux, android)
Benefits
– Performances
– Availability of manpower / applications
– Time-to-market
– Security despite open systems
– Segregation in “vehicle domains” VMM
– Etc
Picture from [2]
The most obvious and likely use‐case in a first step
© 2010 RTaW / PSA / Freescale - 13

14. Virtualization for
security-critical sub-systems
Benefits:
– Critical code can run on bare hardware
– Sufficiently small for formal methods
– “Brick-wall” partitioning for open systems (OTA update)
Critical
code
Hypervisor
hardware
© 2010 RTaW / PSA / Freescale - 14

15. Virtualization for
safety-critical sub-systems
Short term benefits:
– Memory, CPU, IO protection mechanisms
– Redundant execution with diversity reduces common faults,
possible to go one step farther with OS and com. stack diversity
– Monitoring / watchdog on the same multi-core chip
(ideally with some HW diversity at the core level)
Medium term goal:
– Virtual lockstep execution without dedicated HW
Not the same scope of protection as Autosar OS
Autosar OS : OS application, OS task, ISR
Virtualization : VM (usually with an OS)
© 2010 RTaW / PSA / Freescale - 15

16. AUTOSAR OS protection mechanism -
a recap (see [7])
Issues : resource confiscation (CPU, memory,
drivers), non authorized access / calls, fault-
propagation
5 types of mechanisms
Memory protection
Temporal protection
As of Autosar R4, there
are multi‐core
OS service protection
extensions enabling CPU
HW resource protection
core partitioning
trusted / non-trusted code
4 scalability classes
© 2010 RTaW / PSA / Freescale - 16

17. Limits of virtualization
© 2010 RTaW / PSA / Freescale - 17

18. Real-time performances
Virtualization implies a
hierarchical two-level scheduling
that is inherently less predictable
and more complex to handle
Picture from [2]
Actually, three‐level scheduling since runnables
are scheduled within OS tasks!
Static core allocation (to VMs) is probably the way to go ..
© 2010 RTaW / PSA / Freescale - 18

19. Technical issues
Memory:
VMM footprint: < 64KB
Possibly several OSs !
CPU:
Limited hardware support in embedded CPU [6]
Preemption, L2 cache flush, locked cache
Resource sharing is tricky: ISR, IOs, com. controllers
Real-time performances (eg. LIN)
peripheral virtualization is complex (eg. CAN)
VMM must be kept small to be secure (more than guest
OSs) and ideally bug free … otherwise responsibility
sharing is impossible
© 2010 RTaW / PSA / Freescale - 19

20. Conclusion
Virtualization is a mature technology, industrial
risk is limited
Automotive can benefit from both aerospace /
military and consumer electronic experiences:
Products, certification, deployment tools, etc
The overlap between virtualization and Autosar
OS seems small
There are meaningful use-cases but real-time
behavior of the virtualized systems should be
(formally) verified.
© 2010 RTaW / PSA / Freescale - 20

21. References
© 2010 RTaW / PSA / Freescale - 21

22. References
[1] N. Navet, F. Simonot-Lion, editors, The Automotive Embedded Systems
Handbook, Industrial Information Technology series, CRC Press / Taylor
and Francis, ISBN 978-0849380266, December 2008.
[2] R. Kaiser, D. Zöbel, Quantitative Analysis and Systematic Parametrization
of a Two-Level Real-Time Scheduler, paper and slides at IEEE ETFA’2009.
[3] T. Nolte, Hierarchical Scheduling of Complex Embedded Real-Time
Systems, slides presented at the Summer School on Real-Time Systems
(ETR’09), Paris, 2009.
[4] G. Heiser, The role of virtualization in embedded systems, Proceedings of
the 1st workshop on Isolation and integration in embedded systems,
2008.
[5] D. Baldin, T. Kerstan, Proteus, a Hybrid Virtualization Platform for
Embedded Systems, IFIP Advances in Information and Communication
Technology, 978-3-642-04283-6, 2009.
[6] F. Behmann, Virtualization for embedded Power Architecture CPUs,
Electronic Products, September 2009.
[7] N. Navet, A. Monot, B. Bavoux, F. Simonot-Lion, Multi-source and
multicore automotive ECUs - OS protection mechanisms and scheduling,
to appear in IEEE ISIE, 2010.
[8] A. Schedl, Goals and Architecture of FlexRay at BMW, slides presented at
the Vector FlexRay Symposium, March 2007.
[9] R. Schreffler, Japanese OEMs, Suppliers, Strive to Curb ECU Proliferation,
Wardsauto.com, March 6, 2006.
© 2010 RTaW / PSA / Freescale - 22

23. Questions / feedback ?
Please get in touch at :
nicolas.navet@realtimeatwork.com
bertrand.delord@mpsa.com
B17517@freescale.com
© 2010 RTaW / PSA / Freescale - 23