Ah, the dream of the self-driving car! Here we see a vintage 1957 H. Miller advertisement illustration of a family enjoying a ride in their autonomous auto. In response to customer demands for more and more applications, features and services, and to economic pressures, automakers are consolidating non-safety related and safety-related components on a single platform in their vehicles.
The avionics ARINC 653 and the automotive AUTOSAR OS are the two most broadly adopted industry standards for Real-Time Operating Systems (RTOS). They stem from domains with originally very different requirements: avionics engineers have to cope with strict regulations regarding functional safety, while automotive engineers generally care a lot about per-unit costs in mass production. However, recent trends in automotive, like steer-by-wire and ECU consolidation, are increasing the demand for functional safety measures in this domain as well.
The market opportunity for driver-assisted, driver-piloted, and fully driverless cars is projected to reach 42 billion by 2025. As a result, advanced "IMA-like" automotive solutions are being explored, focused on developing and maturing next-generation transformational IMA technologies. Five future IMA dual-use focus areas that have the potential to be transformational enablers for affordability, technology refresh, and new capabilities in both the automotive and avionics IMA markets are:
1.) heterogeneous multicore processing,
2.) scalable autonomy and data fusion software components,
3.) hypervisor-enabled mixed-criticality software infrastructure,
4.) unified QoS networking, and
5.) Model Based Design (MBD).
The recent exponential increase in the number and complexity of in-vehicle electronics has transformed the automobile. What was once primarily an assembly of mechanical components has become a system integrating mechanical and electronic components, with the electronic components representing both a substantial portion of the added value and a disproportionate share of the headaches. With a century of experience behind them, automakers have reduced the building of the mechanical part of the car to the constant improvement and refinement of details.
The in-vehicle electronics, that is, the head unit with its complex infotainment system and the dozens of Electronic Control Units (ECUs) are another matter, however. Not only are these systems evolving rapidly, but consumer demand for new applications and services is straining automakers’ ability to deliver.
Thus, automakers must continuously venture into uncharted territory as they seek to satisfy consumer demand while building better cars. Of course, car makers strive to provide all these new features without breaking the bank. Along with the availability of new generations of more powerful processors, this last requirement, minimizing the cost passed on to customers, is driving the consolidation of multiple in-vehicle systems onto one board. A design that eliminates one $50 module per vehicle translates into a substantial sum when multiplied by 5 million vehicles.
This consolidation creates its own problems, however. Not least of these is that many in-vehicle systems are safety-related, while others are consumer applications that are impractical to prove safe. All these disparate systems may need to run on the same CPU. To this we can add that with the advent of the connected car, any system in a vehicle will be potentially accessible from outside the vehicle; while this opens many new possibilities, such as M2M-enabled over-the-air (OTA) software and firmware updates, it also creates new security and safety vulnerabilities: a remotely reachable infotainment component now shares hardware with components whose failure can injure people.
Paradoxically, it is the very interconnections of today’s electronics systems that require us to ensure the isolation of their components. More powerful processors allow us to combine safety-related components with an in-vehicle infotainment system on the same board. Some of these components are in turn connected to the cloud, and even periodically subject to M2M-enabled updates. These advancements make today’s systems vulnerable to interference from within in the form of wayward processes, and from without, in the form of malicious attacks against inadequately protected software. Isolating safety-related components and ensuring detection and recovery are both more difficult and more critical than they ever were.
The problem, then, is how to design and validate a system that incorporates components such as a sophisticated 3D display running consumer-grade applications, which is unlikely to require safety certification, alongside components such as a blind spot detection module, whose dependability and freedom from undesired interference must be rigorously engineered and proven.
The automotive industry’s transition from an ownership model to a usage-based model—driven by the “sharing economy,” autonomous driving, and mobility-as-a-service platforms—is forcing the automotive manufacturing industry to make extensive changes in automobile architectures and the automotive business supply chain. Future automobiles will have electronics systems that closely resemble commercial aircraft systems, which optimize safety, security, reliability, and availability. These next-generation automotive systems will virtualize and centralize many electro-mechanical control systems that are currently distributed throughout today’s vehicles. In addition, these systems will be based on open standards that are derived from a wide range of transportation industry solutions.
These technology trends started over 30 years ago, when Boeing was designing the Boeing 777 wide-body aircraft. Reducing Size, Weight, and Power (SWaP) is a guiding principle in new aircraft designs: shrinking a component, lightening it, or cutting its power consumption are all essential design goals.
Prior to the Boeing 777, aircraft systems traditionally had a federated architecture, where every supplier provided its own electronics enclosure with unique power and connectivity requirements, and unique reliability and redundancy capabilities. All the disparate electronic subsystems were then interconnected into a "federated" environment on the aircraft. This earlier model is similar to the electronics architecture in automobiles today. Although federated avionics systems were easy to manufacture and service, outfitting an increasingly capable aircraft with ever more federated systems continued to increase SWaP requirements, reducing efficiency with every new capability. This architecture was tolerable in an era of very inexpensive fuel, but as fuel costs rose, it was clear that the approach needed to change.
Boeing contracted Honeywell to create a common avionics cabinet, the Aircraft Information Management Systems (AIMS), for the Boeing 777. This electronics cabinet hosted multiple functions on the 777 that typically had been federated systems, altering the architecture of the airborne electronics for the 777. Honeywell supplied most of the software in this common computing environment for the Boeing 777, and the resulting specification for this environment was the ARINC 653 time and space separation application executive (APEX). ARINC 653 is now the standard for this aircraft systems architecture, called Integrated Modular Avionics (IMA).
The next major commercial design innovation for Boeing was the Boeing 787 Dreamliner. The Boeing 787's Common Core System (CCS) was based on the ARINC 653 specification, which enabled a diverse ecosystem of hosted-function suppliers to deliver software that executed on this common virtualization platform. This new platform changed the business environment for Boeing suppliers, and a new role-based business standard, RTCA DO-297, emerged that defined business roles (IMA platform suppliers, IMA application suppliers, and IMA system integrators) as well as processes and workflow for those roles. This IMA role-based supplier business methodology evolved into the current global standard for the development of all large commercial aircraft today.
Over the last three decades, the aviation industry has developed multiple standards that have improved the technology used in modern airframes as well as the business efficiency of the supply chain. Use of standards will provide similar technological advancement and business efficiencies in the automotive industry as well.
Below are some example standards that have emerged in the aviation industry. Some of these aviation standards may directly apply or influence similar standards in the automotive industry.
The ARINC 653 technical standard and the DO-297 role-based business standard provide fundamental benefits and efficiencies for modern commercial aircraft:
The common compute environment creates a level playing field for the entire electronic systems supply chain, so competing suppliers bid on the same platform.
The SWaP footprint is dramatically reduced: Boeing stated that by using the IMA approach it was able to shave 2,000 pounds off the avionics suite.
The complexity of federated compute/function boxes distributed all over the aircraft is removed.
System availability and reliability increase due to the redundancy of the Boeing 787 CCS.
In addition, ARINC 653 time and space separation architectures enable applications with different levels of safety criticality to share the common compute platform, thereby optimizing the use of computer resources and allowing the Human–Machine Interface (HMI), flight controls, and aircraft systems to safely share the common compute resource.
Finally, ARINC 653 was designed for safety certification, which decreased aircraft programs’ certification risk. This technical and business foundation enabled the creation of a competitive aircraft supply chain, where most new capabilities and upgrades have multiple suppliers bidding on the new opportunities.
A time- and space-partitioning standard for automotive electronics that enables applications with different safety levels to share a common compute platform could pave the way toward easier development of automotive electronics systems, with reduced SWaP requirements to improve automobile fuel efficiencies. This partitioned architecture could also provide for greater safety and security attributes.
The U.S. military had a similar federated-systems problem, which slowed the evolution of capabilities and in turn denied military personnel the modern capabilities required to fight in sophisticated conflict scenarios. With this in mind, six years ago the U.S. Army, U.S. Navy, and U.S. Air Force, along with nearly all of the U.S. defense suppliers, created a managed consortium to develop a new technical and business standard called the Future Airborne Capability Environment (FACE™), managed by The Open Group®.
The FACE Consortium based its technology foundation on ARINC 653, but also extended its specification to include the POSIX® (UNIX) standard, so that many mission systems and other, typically non-safety-certified applications could also be included in this specification. The FACE technical standard uses a layered software architecture, where application, communications/transport, I/O, and platform-specific capabilities are layered on top of the operating system standard, enabling any FACE component at any layer to be easily assembled with a mix of other FACE components.
The FACE software layer architecture leverages both commercial and military standards, and the technical specification includes over 100 proven industry standards. These teams also created a common data model, flexible enough to include all modern military aircraft systems, and aligned this model with the Department of Defense (DoD) Unmanned Aircraft System (UAS) Control Segment (UCS) Architecture data model, which is now an SAE standard (SAE AS6518). This standardization has created a very powerful foundation for all future manned and unmanned aircraft for the U.S. military and coalition partners.
Finally, the FACE business team modeled the FACE business specification after RTCA DO-297, but expanded this with a Contract Guide and a FACE conformance certification process that can validate FACE components, which can be referenced in a FACE Web-based applications store. These FACE certification activities and Web stores are just now coming online.
Similar to the FACE initiative, an industry-wide consortium of automotive companies could be formed to drive the definition and adoption of a standard specification for a layered software architecture for consolidated automotive electronics on common, shared platforms. This specification could streamline the innovation, development, deployment, and maintenance of next-generation automotive electronics.
The complex graphics systems found in today's aircraft have standardized on the Khronos Group's OpenGL and OpenGL SC (Safety-Critical) specifications. This standardization has enabled the market to create safety-critical cockpit graphics, as well as a supply chain for OpenGL graphics drivers and tools that have full commercial off-the-shelf (COTS) RTCA DO-178C safety certification evidence for a variety of graphics devices. Companies such as ANSYS, CoreAVI, Ensco, and Presagis have sophisticated design tools, test tools, and simulation tools that provide a clear path to DO-178C and DO-254 safety certification with their COTS product lines.
Visualization of the state of a vehicle, along with its real-time IoT sensor environment, will let the driver or operator of a car deliver the most efficient, safe, and secure experience to future automotive users. Both aircraft and next-generation automotive dashboards already share common OpenGL design tools and safety-certified platform components.
Over the last decade, the automotive industry has built the Automotive Open System Architecture (AUTOSAR) set of standards that specifies basic software modules, application interfaces, and a common development methodology based on a standardized exchange format. The AUTOSAR layered software architecture is designed to enable electronic components from different suppliers to be used in multiple platforms (vehicles), enabling the move to all-electric cars and vehicles with higher software content that can be more easily upgraded over the service life of the vehicle. AUTOSAR aims to improve cost-efficiency without compromising quality or safety.
Even with AUTOSAR and other standards from SAE and other organizations, the overall technical and business model for the vast majority of today’s automobiles is still a federated environment in which suppliers define the requirements for their systems, and the Original Equipment Manufacturer (OEM) or systems integrator designs automobiles within these constraints. This technical and business architecture is the reason that many cars today have scores of processors distributed throughout the vehicle, increasing the complexity of wiring harnesses and other support systems.
This federated architecture was designed to optimize supplier integration; it was not designed to increase safety or meet stringent safety and security certification requirements, nor was it designed to directly reduce vehicle complexity or SWaP requirements. The automotive industry could well benefit from an expansion of the AUTOSAR standard to an ARINC 653–like specification for Integrated Modular Automobile Electronics (IMAE) that virtualizes many of the current federated systems. This specification could help reduce SWaP requirements, reduce development and testing costs, and improve the efficiencies of the industry’s supply chain. And like the partitioning in ARINC 653, this module separation holds the promise to create safer and more secure automotive platforms.
Although the technologies mentioned in this CRC Press News contain some of the world’s most valuable and competitive intellectual property, they are based on open standards—the ARINC, AUTOSAR, The Open Group, RTCA, and SAE standards mentioned in this CRC Press News are all readily available to any interested party. Some of these technologies may be open source, many are proprietary, but all of these products rely on the market surrounding an open standard. The use of open standards drives innovation and reduces business friction.
Aircraft cockpits are not the only consumers of aircraft flight data. Today's aircraft are complex IoT platforms that generate terabytes of data per aircraft per day, data used not only in the cockpit by pilots but also by airline supply chains to optimize performance, safety, and operations. Boeing 787s interconnect nearly every system in the airplane, from the engines to the flaps to the landing gear. The Pratt & Whitney Geared Turbofan jet engines have over 5,000 sensors that generate 10 GB/s per engine, yielding over 2 Tbps for a typical twin-engine commercial airliner such as the Airbus A320neo or Boeing 737 MAX. Pratt & Whitney estimates that with these systems generating data, their needs for data streaming will reach 12 PB each year. (By comparison, an instrumented Formula 1 car produces around 1.2 GB/s.)
Why this high level of IoT data capture? This real-time IoT intelligence can reveal trend and fault patterns on specific aircraft systems, classes of aircraft systems, or entire fleets of aircraft that can drive immediate actions for optimizing flight and ground operations, or queue up parts and Maintenance, Repair and Operations (MRO) teams to drive higher levels of aircraft availability. This increases aircraft efficiency and serviceability, reduces operational interruptions, and has the potential to reduce major performance and maintenance issues. Everyone wins:
airlines obtain greater operational performance with higher fuel efficiency,
aircraft systems manufacturers gain valuable insight for creating even more powerful, reliable, safe, and efficient systems for future insertion, and
passengers enjoy greater comfort, safety, and entertainment while aboard these modern aircraft.
The collection and integration of this IoT data is fully autonomous, driving higher IoT sampling rates for the entire industry. Analysis of this data is a service that is delivered as a scaled business model, from very low-cost to more comprehensive levels that drive fleet specific intelligence, optimization, and management.
The investment in technology for commercial aircraft is driven by four key drivers:
Safety: All commercial aircraft accidents have a global audience. Higher rates of safety directly influence higher rates of passenger airline traffic.
Efficiency: Minimizing operations expenses, with fuel being one of the highest expenses, defines profitability.
Multi-vendor supply chain: Aircraft manufacturers need a strong, consistent ecosystem of suppliers to keep technology innovation high to remain both competitive and efficient.
MRO and aircraft availability: Canceled flights due to equipment problems have a large financial impact. Planes are measured by flight time and percent utilization.
Future automobiles will need a similar set of IoT data and intelligence to survive the far higher demands of mobility-as-a-service. This will increase by a factor of ten for autonomous platforms, where IoT sensing will not only enable safer, faster, and more reliable travel, but also help protect against accidents and unexpected liabilities. In addition, this IoT intelligence will allow automotive fleets to enjoy airline-like MRO benefits such as improved fuel efficiency, and to enable an accurate predictive maintenance service environment.
How people use automobiles is changing at a rapid pace. Personal automobiles have defined affluence for over a century. Commercial vehicles have defined success in a wide range of businesses, from long haul to delivery services (such as DHL, FedEx, and UPS) to bus lines to taxis. But the rise of autonomous vehicles, along with new sharing economy businesses, is changing the character and responsibilities of autonomous ground and air vehicles. A large proportion of future vehicles will not be considered “personal” property. Many transportation systems will be autonomous and rented “for the moment” of usage, instead of by the day, week, or month of possession. The responsibility for safety and security will be transferred from the human driver to the vehicle manufacturer and the service operator; this will force automobile designers and manufacturers to build vehicles of the future with many of the strict safety and security design constraints that aircraft manufacturers have used for decades, allowing the future service operators to deploy these vehicles into new markets with confidence.
If we were living in the 1980s, this business transformation would be daunting and fraught with peril. But in today’s world, the requisite business and technology framework already exists, has been proven with an incrementally improving safety record, and is captured in a wide range of comprehensive open standards. These standards will underpin the convergence of manned and unmanned, airborne and ground systems vehicles over the next decade, and deliver new levels of safety, security, reliability, and serviceability for a new era of vehicles to serve the expanding uses of modern travel.
The automobile industry is moving in a direction that closely reflects the requirements of the commercial airline industry. Although improvements in vehicle quality, MRO, and fuel efficiency have had a relatively modest impact on automotive sales over the last 30 years, the impact of the sharing economy and 24/7 autonomous, commercial use of automobiles and transportation services will be far greater. As autonomous vehicles become prevalent, and as vehicles increasingly deliver mobility as a service, safety and security concerns will escalate in importance; percent utilization will also become a concern and a key factor in value and in related quality metrics and operating expenses. These increases in operational quality must be based on open standards and COTS tooling to maintain an escalating cadence of innovation and reliability. With shared personal mobility companies such as Uber, Lyft, and others, the architecture and design of cars will migrate in the direction of aircraft and airlines, with similar supply chain concerns and operations metrics.
Future electronics systems in automobiles will look a lot like the airborne electronics in commercial aircraft. The automotive platform changes are being driven by three significant trends:
Consumer value is derived from many cross-functional use cases, such as Advanced Driver Assist Systems (ADAS).
Vehicles are connecting with expanding Internet of Things (IoT) environments.
The automotive economy is advancing into a digitized, usage based model, with commercial enterprises such as Uber, Lyft, Carma, Didi Chuxing, Enterprise CarShare, Getaround, Maven, Turo, and Zipcar leading this global expansion.
This paradigm shift places a greater emphasis on safety, security, and reliability, and brings the automotive industry closer to the commercial aviation industry. This new automotive business model is based on the transportation of goods and passengers with vehicles that are primarily owned and operated by commercial companies rather than private individuals. Operating expense (OPEX) savings will motivate the entire industry to create new architectures that ensure safety, security, and platform consolidation efficiencies.
A microkernel OS may be able to provide a full and rich set of OS features to support consumer demands while at the same time ensuring that the system meets its safety requirements. Only a small, simple body of trusted code runs with system-level privileges in a microkernel: scheduling, address-space management, and inter-process communication, with a short and well-tested execution path. Device drivers, file systems, network stacks, and the infotainment applications themselves run as unprivileged processes in their own address spaces, so a fault or compromise in one of them is contained to that process and can be detected and restarted without touching the safety-related partitions. This small trusted computing base is what makes a microkernel a natural fit for safety-related systems, provided the partition configuration (the time budgets and memory regions granted to each partition) is itself verified with the same rigor as the kernel.
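To make the time and space partitioning described for ARINC 653 above, and the contained-fault argument in the microkernel paragraph, concrete, here is a toy partitioned kernel in C. It is an added illustration, not code from this article, from Honeywell, Boeing or any ARINC 653 or AUTOSAR implementation, and it does not use the ARINC 653 APEX API. Each partition is given a fixed CPU window inside a major frame and a fixed memory region; a partition that wants more CPU than its window is preempted, a partition that writes outside its region is stopped and restarted by a health monitor at the next frame, and in neither case does the behaving safety partition lose a millisecond of its budget. The partition names ("blind_spot", "infotainment", "buggy_app"), the budgets and the addresses are constructed for the demo.

```c
/* Toy ARINC 653-style partitioned kernel: fixed time windows inside a
 * major frame, a fixed memory region per partition, and a health-monitor
 * restart. Added illustration only: partition names, budgets and
 * addresses are hypothetical; this is not the ARINC 653 APEX API nor
 * any vendor's or OEM's code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_WORDS 64
#define ROGUE_VALUE 0xDEADBEEFu

typedef struct {
    const char *name;
    int window_ms;   /* CPU time guaranteed to this partition per major frame */
    int mem_base;    /* start of the partition's private memory region */
    int mem_len;
    int work_ms;     /* CPU time the partition's code tries to consume */
    int rogue_addr;  /* address it tries to write on its first tick; -1 = none */
    /* bookkeeping the kernel keeps per partition */
    int frames_run, ms_granted, preempted, faults, restarts;
    bool halted;
} partition;

static uint32_t memory[MEM_WORDS];

/* Space partitioning: every store is checked against the owner's region,
 * the way an MMU confines a partition to its own pages. */
static bool part_write(partition *p, int addr, uint32_t v) {
    if (addr < p->mem_base || addr >= p->mem_base + p->mem_len)
        return false;              /* out of region: memory violation */
    memory[addr] = v;
    return true;
}

/* Time partitioning: a partition executes only inside its own window. When
 * the window is spent it is preempted, however much work it has left, so an
 * overrunning infotainment partition cannot delay the next window. */
static void run_window(partition *p) {
    int used = 0;
    for (int t = 0; t < p->work_ms; t++) {
        if (used == p->window_ms) { p->preempted++; break; }
        used++;
        bool rogue = (t == 0 && p->rogue_addr >= 0);
        int addr = rogue ? p->rogue_addr : p->mem_base + (t % p->mem_len);
        if (!part_write(p, addr, rogue ? ROGUE_VALUE : (uint32_t)t)) {
            p->faults++;
            p->halted = true;      /* kernel stops the partition; its window is forfeited */
            break;
        }
    }
    p->frames_run++;
    p->ms_granted += used;
}

/* Health monitor: a partition halted by a violation is restarted at the
 * next major frame with its region wiped; no other partition is touched. */
static void health_monitor(partition *p) {
    if (!p->halted) return;
    memset(&memory[p->mem_base], 0, (size_t)p->mem_len * sizeof memory[0]);
    p->halted = false;
    p->restarts++;
}

static void run_major_frames(partition *parts, int n, int frames) {
    for (int f = 0; f < frames; f++)
        for (int i = 0; i < n; i++) {
            health_monitor(&parts[i]);
            run_window(&parts[i]);
        }
}

/* Constructed demo configuration: a safety partition that behaves, an
 * infotainment partition that wants far more CPU than its budget, and a
 * buggy partition that writes into the safety partition's region. */
partition parts[3] = {
    { "blind_spot",    5,  0, 16,  5, -1 },
    { "infotainment", 10, 16, 32, 50, -1 },
    { "buggy_app",     5, 48, 16,  5,  3 },  /* address 3 belongs to blind_spot */
};

uint32_t mem_read(int addr) { return memory[addr]; }

/* Runs the schedule and returns the number of major frames in which the
 * safety partition received its full budget. */
int run_demo(int frames) {
    run_major_frames(parts, 3, frames);
    return parts[0].ms_granted / parts[0].window_ms;
}

int main(void) {
    int full = run_demo(5);
    for (int i = 0; i < 3; i++)
        printf("%-13s frames=%d granted=%dms preempted=%d faults=%d restarts=%d\n",
               parts[i].name, parts[i].frames_run, parts[i].ms_granted,
               parts[i].preempted, parts[i].faults, parts[i].restarts);
    printf("blind_spot got its full budget in %d/5 frames; memory[3]=%u\n",
           full, (unsigned)mem_read(3));
    return 0;
}
```

Two things are worth noticing when running it. The infotainment partition is preempted in every frame yet the blind-spot partition's grant never drops, which is the time-partitioning guarantee; and the buggy partition's write to address 3 is rejected, so memory[3] still holds the value the safety partition stored there, which is the space-partitioning guarantee. The restart counter shows the other side of the coin: a partition in a crash loop is restarted every frame, burning only its own window, and a real health monitor would escalate after a few restarts rather than loop forever.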