Introduction to

Automotive Software
Systems
2IN60: Real-time
Architectures
(for automotive systems)

Mike Holenderski, [email protected]

Why should I get up early in the morning to

follow this course?

More and more car functions are

being implemented in software
Developing software is
expensive

$$$
Mike Holenderski, [email protected]

Goals for this slide set

Describe different functional domains
in a car
Explain the problem of system
complexity
Describe how complexity is
addressed in automotive systems
Give examples of important
requirements for the realization of
car functions
Mike Holenderski, [email protected]

Outline
Functional domains
Network architecture of a car
Requirements for function
realizations

Mike Holenderski, [email protected]

Car functions

Mike Holenderski, [email protected]

Automotive functional domains

powertrain, e.g.
engine control, transmission and gear control;

chassis, e.g.
ABS (Antilock Braking System), ESP (Electronic Stability Program),
ASC (Automatic Stability Control), ACC (Adaptive Cruise Control);

body (comfort), e.g.

air conditioning and climate control, dash board, wipers, lights,
doors, seats, windows, mirrors, cruise control, park distance
control;

telematics/wireless, e.g.
multimedia, infotainment, GPS and in-vehicle navigation systems,
CD/DVD players, rear-seat entertainment;

passive safety (emerging), e.g.

rollover sensors, airbags, belt pretensioners.

Mike Holenderski, [email protected]

Automotive domains
Powertr
ain

Chassis

Body

Telemat Passiv
ics
e
safety

Program
size

2 MB

4.5 MB

2.5 MB

100 MB

1.5 MB

Number of
ECUs

3-6

6-10

14-30

4-12

11-12

Number of
messages

36

180

300

660

20

Bus
topology

Bus

Bus

Bus

Ring

star

Bandwidth

500 Kb/s

500 Kb/s

100
Kb/s

22 Mb/s

10
Mb/s

50 ms
2s

20 ms 0
5s

50 ms

Cycle time

10 ms
10 ms
Mike Holenderski, [email protected]
10 s
10 s 7

Engine control
Task of engine control:
calculate amount of fuel and
exact moment of injection

Dependencies:
pedal (driver)
load of the engine
temperature
etc.

Sensors and actuators:

position of crankshaft
valves

Crankshaft (red), pistons (grey) in their

cylinders (blue), and flywheel (black)

Relevance:
avoid mechanical damage
provide quality of control (e.g. fuel efficiency)
Mike Holenderski, [email protected]

Engine control
Real-time requirements for fuel injection:
Keep the fuel intake valve open for f(x) s at x rpm
Crankshaft position accuracy: 0.1 degree
At 100 rps 3s temporal accuracy

Challenges:
latency between sending close command to valve and the
actual time when the valve closes
Communication latency
Environmental conditions (e.g. temperature)

Approach:
compensate for latency:
sensor signal indicates when valve closes
latency is measured during every engine cycle
determine when close command must be sent
Mike Holenderski, [email protected]

Anti-lock Braking System

3. Wheel disc
brakes
squeezed

2. Pressure
passed to the
brake fluid

1. Brake
pedal
pushed
5. Controller
releases the
pressure on
the discs by
releasing
some brake
fluid in a
container

6. The fluid is
pumped back to
repeat the
pressure on the
discs

4. If the brake pedal is

pushed too hard, the
wheel will lock a
sensor detects this and
notifies the controller

Controller
7. Entire process is repeated about 15 times/sec
(by courtesy of Damir Isovic)
Mike Holenderski, [email protected]

10

Anti-lock Braking System

Electronic system:
Sensor: detects that the wheel will lock
Actuator: release and repeat the pressure on
the discs
Controller: requires an ECU

Distributed:
Controller, sensors, and actuators at
different locations
Requires wires or a network

Embedded and invisible to the driver

Mike Holenderski, [email protected]

11

Pre-crash system
Reduce severity of head-to-tail crash

Mike Holenderski, [email protected]

12

Pre-crash system
Collision avoidance zone

Stage 1 (~2.6s to impact):

Provide visual and audible collision warning

shine lights and sound

Stage 2 (~1.6s to impact):

Automatically initiate partial braking at 4m/s 2
Move the front passenger seat to safe position
Height, fore/aft adjustment, backrest angle
Inflate air-chambers inside seat for better support

If skidding: close front windows and sunroof

Stage 3 (~0.6s to impact):

Tighten the seatbelts (e.g. fire pyrotechnics or pulleys)
Prepare airbags
for deployment
Damage
mitigation zone
Mike Holenderski, [email protected]

13

Pre-crash system
Relies on several subsystems
Radar for detecting potential collision
Anti-lock Braking System to apply partial
braking
Traction Control to identify if skidding
Window Control System to close
windows

Mike Holenderski, [email protected]

14

Fighting complexity: modular

design
Complexity is due to the many dependencies
E.g. communication

Communication is expensive
Surface area, power consumption, latency, ability
to understand system behavior,

Modular design:
Divide an integrated system into independent
modules
Define interfaces between the modules
Keep the interfaces thin!

Advantages
Separation of concerns
Flexibility
Maintainability
Security

Mike Holenderski, [email protected]

15

Outline
Functional domains
Network architecture of a car
Requirements for function
realizations

Mike Holenderski, [email protected]

16

Modeling software systems

When investigating the root causes for
traffic jams in a city, it is infeasible to
consider the interactions between molecules
comprising the car or the drivers brain.
A model is an abstraction of the key
elements which are relevant for achieving a
given goal
Example: traffic in a city can be modeled by
means of a queue network representing the
streets, and Markov chains describing the arrival
of cars
Mike Holenderski, [email protected]

17

System architecture
A system is a set of interacting
components forming an integrated
whole
Architecture is a description of
the individual components and their
interactions
Collection of models describing the
system from different views

Mike Holenderski, [email protected]

18

4+1 Architectural View Model *

Describes the architecture of
software-intensive systems
Logical view: functionality that the
system provides to end-users
Development view: implementation
from programmers perspective
Process view: runtime behavior
(tasks and how they communicate)
Physical view: mapping of the
software onto physical layer
Scenarios: illustrates the
architecture description based on
several use cases

Mike Holenderski, [email protected]

19

Network architecture of a car

Electronic Control Unit (ECU)
CAN Diagnose

Sensors and actuators

Microcontroller
Software

Sensor-CAN

AFS-CAN

CAN
Kombi

Gateway

Bus
Connects individual ECUs

CAN Infotainment

CAN Antrieb

Interconnect between buses

Mike Holenderski, [email protected]

20

LIN

LIN

CAN Komfort
LIN

CAN Komfort

Electronic Control Unit (ECU)

Controls one or more car functions
Types of electronic control units
Airbag (ACU), Engine (ECU), Transmission
(TCU),

70 100 ECUs inside a car (nearly as

many as inside Airbus A380)
Microprocessor-based

Mike Holenderski, [email protected]

21

An ECU and its interfaces

Power
Debug port

CAN port

Mike Holenderski, [email protected]

FlexRay port
22

Digital and Analog

I/O ports

Example ECU (Freescale board EVB9512XF)

Power
CAN controller
CAN port

FlexRay port

Reset button

Digital and
Analog
I/O ports

Debug port

Microcontroller
(CPU + memory)
LEDs

Mike Holenderski, [email protected]

23

Bus
Connects individual ECUs
Examples: CAN, FlexRay, I2C, IEEE
802.11p
Diagnose

Gateway

K-CAN
System

MOST

Mike Holenderski, [email protected]

K-CAN
Periphery

24

SI-BUS
(Byteflight)

PT-CAN

Outline
Functional domains
Network architecture of a car
Requirements for function
realizations

Mike Holenderski, [email protected]

25

Requirements for function realizations

Also referred to as non-functional requirements or
extra-functional requirements
Timeliness/Predictability
Hard timing requirements: functional
Firm/soft timing requirements: non-functional (can be traded for
others, e.g. a bit later but much cheaper to realize)

Dependability
Maintainability: ability for software to undergo
modifications and repairs
Scalability: ability to scale a metric with changing
architecture
Example: maintainability will decrease when increasing number of
ECUs in a car

Security
Mike Holenderski, [email protected]

26

Timeliness requirements

Mike Holenderski, [email protected]

27

Timeliness requirements
Example: inflation of an air bag
real-time fast
real time: fulfill specific timing
requirements

time
event

response
best-case
deadline

Mike Holenderski, [email protected]

worst-case
deadline
29

Timeliness requirements
Example: Software controlling the
deployment of airbags has 15 to 40
milliseconds to determine which and in
what order to activate
Specification:
Lower and upper bounds on the response
time

Metrics:
Worst-case response time
Tardiness
Mike Holenderski, [email protected]

30

Dependability requirements
Specification in 3 dimensions:
Availability: readiness for correct service
Metric: probability of the system being ready to use
Mean Time To Failure (MTTF), Mean Time To Repair (MTTR)
Availability: MTTF/(MTTF+MTTR)

Reliability: continuity of correct service

Metric: expected time until not being available

Safety: absence of catastrophic consequences

on the user and the environment
Metric: catastrophic states are not reachable

Mike Holenderski, [email protected]

31

Dependability requirements
In 2005, Toyota recalled 160 000
Prius hybrids, because of software
causing car to stall and shutdown.
Fix required 90 min per car = 240 000
man hours

In 2008, VW recalled 6500 cars,

because of software causing
unexpected increase in RPM when
air-conditioning is turned on.
Mike Holenderski, [email protected]

32

Safety requirements
The controlled system must remain
safe
hazardous states unreachable (e.g.,
extremely high temperatures)
even in erroneous conditions, safety
must be maintained (no error exit)

Certification: approval by
independent agency

Mike Holenderski, [email protected]

33

Security requirements
Security: when the system is open to
external observation and control
(e.g., via Internet)
confidentiality, integrity and nonrepudiation
validation of privileges (authentication,
authorization)
secure protocols to make intrusion
impossible

Mike Holenderski, [email protected]

34

References
Recommended reading:
[Burns] Ch. 1.1-1.3, 2.1-2.2, 2.10

Optional reading:
N. Navet, F. Simonot-Lion, Automotive Embedded
Systems Handbook, CRC Press, 2009
G. Leen, D. Hefferenan, Expanding automotive
electronics systems, Computer, 35(1), 2002
U. Keskin, In-Vehicle Communication Networks: A
Literature Survey, TU/e CS-Report 09-10, 2009
P. Kruchten, Architectural BlueprintsThe 4+1
View Model of Software Architecture, Software 12
(6), 1995
Mike Holenderski, [email protected]

35