Creating Embedded Platforms for Integrated Infotainment
Today’s vehicle data-sharing needs demand innovative thinking.
Integrated cockpits are becoming more important to the next generation of car buyers, who expect information to be shared freely between the different systems inside the vehicle and brought to the driver's attention when necessary. In some cases the traditionally separate instrument cluster and infotainment screens are already being combined into one large display. In other cases, involving multiple display screens, there is already a need to share information generated by multiple sources within the vehicle, such as navigation images, camera data, audio feeds, and ADAS sensors. These data-sharing requirements have driven new thinking and design approaches for the embedded software platforms employed, and new approaches to testing and safety approval. This article looks at some of the techniques and trends being adopted.
The continuous improvement in digital display technology, with higher-resolution screens available at lower cost, means they are becoming viable for mass-market applications. The current generation of instrument clusters is so-called “hybrid,” combining mechanical dials with small built-in digital panels. As they become financially viable alternatives, fully digital panels are gradually replacing the hybrid clusters. The fully digital panel offers several advantages over its mechanical predecessor, including dynamic reconfiguration to support different driving modes or information preferences, and plenty of future scope for vehicle personalization. Software updates over the life of the vehicle mean that the display application can be upgraded to offer new features and functionality, potentially opening additional revenue streams for vehicle manufacturers. A typical architecture stack for a digital cluster is shown in Figure 1.
Single Display Data Consolidation
A large screen display, such as the example shown in Figure 1, can be visually attractive but presents big challenges for the embedded software designer. As the screen resolution increases, a more powerful Graphics Processing Unit (GPU) is required to keep the screen refresh flicker-free, together with optimized driver software. A rate of 60 frames per second (FPS) is generally regarded as the minimum for comfortable, artifact-free viewing. Displaying a wide selection of complex graphical objects or video feeds from different sources is also a challenge: how to arrange the information on a single display while keeping safety-critical content partitioned from so-called “normal-world” data. With an ever-increasing emphasis on safety, touch-screen based systems become less attractive when there is a large amount of visual data to communicate to the driver. Controlling the vehicle's systems via steering-wheel buttons, gestures, and voice commands is preferred, as these reduce driver distraction.
Organizing the complete application stack, with hardware, board support packages, operating systems, and human machine interface (HMI) applications, typically involves contributions from different technology providers. Mentor has collaborated with HMI provider Socionext and its CGI Studio software development platform to create safety-certified consolidated information displays. Socionext has an ISO 26262 certifiable functional safety module called Candera Safety. This module can be used to display safety-critical content according to Automotive Safety Integrity Level (ASIL) A or B; it has been developed specifically for ISO 26262 compliance and provides safe second-path rendering. All included components are developed following this functional safety standard, and Candera allows rendering of safety-critical graphical content onto a visualization layer dedicated to functional safety. The display architecture is such that the safety-critical application executes within a Virtual Address Space (VAS) dedicated to ISO 26262 ASIL B rendering.
When it comes to the embedded architecture, the safety-critical elements in any design need to operate on isolated, safety-certified operating systems, with clear separation from “normal world” functions that could otherwise compromise them through interference (in ISO 26262 terms, the partitioning must provide freedom from interference). Vehicle manufacturers will typically request “safety artifacts” to be supplied by embedded software providers, along with the software deliverables. These artifacts include proof of testing, exhaustive documentation of all modes of operation, including failure modes, and traceability back to the software requirements. The higher the safety rating (ASIL), the more rigorous the validation and certification process, and the higher the resulting cost of the embedded software components.
To meet the most stringent ASIL D safety requirements, a fault-tolerant design with built-in software and hardware redundancy is needed. At the system level, this can mean duplicate connection paths for signals, duplicate hardware, and fail-safe modes of operation. At the embedded software level, the safety architecture will involve separated operating systems, process-monitoring watchdogs, and alerting mechanisms that are triggered whenever an anomaly or failure is detected.
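The process-monitoring watchdog mentioned above is easiest to see in code. The following is an added example, not code from the article or from Mentor: a windowed heartbeat monitor of the kind a small supervisor in the safety domain could run over tasks in other domains. A task that beats too late, too early (a runaway loop), with a broken sequence number, or not at all latches the monitor into a fail-safe state. The task names, periods, fault policy and millisecond tick are illustrative assumptions.

```c
/* Added example, not code from the article or from Mentor: a windowed
 * heartbeat monitor of the kind a small safety-domain supervisor could run
 * over tasks in other domains. Task names, periods and fault policy are
 * illustrative assumptions. Time is a caller-supplied millisecond tick. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_TASKS 4

typedef enum { TASK_OK = 0, TASK_LATE, TASK_EARLY, TASK_STUCK, TASK_BAD_SEQ, TASK_BAD_ID } task_fault_t;

typedef struct {
    const char  *name;
    uint32_t     min_period_ms;  /* a beat sooner than this means a runaway loop */
    uint32_t     max_period_ms;  /* a beat later than this is a missed deadline */
    uint32_t     last_beat_ms;
    uint32_t     last_seq;
    bool         seen;
    task_fault_t fault;          /* latched until a supervised reset */
} task_mon_t;

typedef struct {
    task_mon_t tasks[MAX_TASKS];
    int        n;
    uint32_t   start_ms;
    bool       fail_safe;        /* latched: any fault degrades the display */
} monitor_t;

static void monitor_init(monitor_t *m, uint32_t now_ms) {
    m->n = 0;
    m->start_ms = now_ms;
    m->fail_safe = false;
}

static int monitor_add_task(monitor_t *m, const char *name, uint32_t min_ms, uint32_t max_ms) {
    if (m->n >= MAX_TASKS || min_ms > max_ms) return -1;
    task_mon_t *t = &m->tasks[m->n];
    t->name = name; t->min_period_ms = min_ms; t->max_period_ms = max_ms;
    t->last_beat_ms = m->start_ms; t->last_seq = 0; t->seen = false; t->fault = TASK_OK;
    return m->n++;
}

/* Every fault, whichever task raised it, latches the whole monitor into fail-safe. */
static void monitor_raise(monitor_t *m, task_mon_t *t, task_fault_t f) {
    t->fault = f;
    m->fail_safe = true;
    fprintf(stderr, "watchdog: task %s fault %d, entering fail-safe\n", t->name, (int)f);
}

/* Called by the monitored task (or a proxy) each cycle with a running sequence number. */
static task_fault_t monitor_heartbeat(monitor_t *m, int id, uint32_t now_ms, uint32_t seq) {
    if (id < 0 || id >= m->n) return TASK_BAD_ID;
    task_mon_t *t = &m->tasks[id];
    if (t->fault != TASK_OK) return t->fault;            /* already latched */
    uint32_t delta = now_ms - t->last_beat_ms;           /* unsigned wrap is intended */
    if (t->seen && seq != t->last_seq + 1) { monitor_raise(m, t, TASK_BAD_SEQ); return t->fault; }
    if (t->seen && delta < t->min_period_ms) { monitor_raise(m, t, TASK_EARLY); return t->fault; }
    if (delta > t->max_period_ms)            { monitor_raise(m, t, TASK_LATE);  return t->fault; }
    t->last_beat_ms = now_ms; t->last_seq = seq; t->seen = true;
    return TASK_OK;
}

/* Called periodically by the supervisor; catches tasks that stopped beating altogether. */
static int monitor_tick(monitor_t *m, uint32_t now_ms) {
    int faults = 0;
    for (int i = 0; i < m->n; i++) {
        task_mon_t *t = &m->tasks[i];
        if (t->fault == TASK_OK && now_ms - t->last_beat_ms > t->max_period_ms)
            monitor_raise(m, t, TASK_STUCK);
        if (t->fault != TASK_OK) faults++;
    }
    return faults;
}

static bool monitor_in_fail_safe(const monitor_t *m) { return m->fail_safe; }

/* Constructed scenario: a renderer that suddenly beats too fast and a gateway that stalls. */
static int demo_scenario(void) {
    monitor_t m;
    monitor_init(&m, 0);
    int render  = monitor_add_task(&m, "cluster_render", 10, 50);
    int gateway = monitor_add_task(&m, "can_gateway",     5, 20);
    monitor_heartbeat(&m, render, 16, 1);
    monitor_heartbeat(&m, gateway, 10, 1);
    monitor_heartbeat(&m, render, 33, 2);
    monitor_heartbeat(&m, gateway, 30, 2);
    monitor_tick(&m, 35);                     /* nominal so far: no faults */
    monitor_heartbeat(&m, render, 36, 3);     /* 3 ms after the last beat: runaway */
    return monitor_tick(&m, 60);              /* gateway silent since 30 ms: stuck */
}

int main(void) {
    printf("latched faults: %d\n", demo_scenario());
    return 0;
}
```

The lower bound matters as much as the upper one: a task spinning in a tight loop still "beats", so a plain timeout watchdog would never notice it. In a real partitioned system the monitor itself sits in the safety domain and the heartbeat crosses the partition boundary, so the sequence number is what protects against a stale or replayed beat from the other side.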
Consolidated ECUs’ Impact on Vehicle Architecture
A modern luxury car is likely to contain between 60 and 100 Electronic Control Units (ECUs) and a variety of operating systems ranging from simple schedulers to Real-Time Operating Systems (RTOS), to complex multifunction Linux-based operating-systems or similar embedded platforms supporting communication gateways, domain controllers, infotainment, and driver information systems.
The trend to consolidate functions is well underway in the automotive industry, and combining functions reduces wire-harness weight and connection complexity. It may be possible to eliminate some ECU hardware, saving overall cost and component count.
Software application complexity brings a challenge for testing and certification: the more lines of code to test, the higher the risk of missing a use case or exposing unexpected behavior. Applying decomposition to embedded software allows safety-critical components to run in isolation on stand-alone, safety-certified operating systems, while more complex “normal world” components run on a full-featured operating system such as Linux, which can host rich graphics support and complex applications.
Safety certification of an operating system means demonstrating, with evidence, that its response to every class of input, including faults, is known and verified. For high-end operating systems such as Linux, the number of possible states and responses becomes very large, and meeting exacting test and certification standards is time-consuming and costly. By reducing the size and scope of an operating system, the safety-certification process becomes more manageable, and mixed-domain architectures allow small-footprint, safety-certifiable operating systems to operate alongside more complex domains based on Linux or other multifunctional operating systems.
Applications such as instrument cluster displays need to integrate with vehicle communication systems, passing data via CAN, CAN-FD, FlexRay, and Ethernet communication networks. Including an AUTOSAR software communications stack running as a separate, secure domain allows vehicle performance information to be collected and passed into the Instrument Cluster.
Having different embedded domains using secure communications channels provides a scalable mixed-safety platform that can meet the high-performance rich graphics expectations of consumers, as well as the safety-critical requirements of the automotive industry.
Techniques for Information Sharing
Several mechanisms exist for sharing information either between separate physical ECUs or within a single ECU hosting multiple applications converging onto a single display. High-bandwidth bus architectures in the next generation of vehicle designs allow video and other large-size graphical data objects to be quickly moved between nodes on the vehicle bus.
These mechanisms include shared memory accessible from both applications, an inter-process communication (IPC) mechanism, or a messaging protocol such as Data Distribution Service (DDS) or Remote Processor Messaging (RPMsg). A shared-memory approach offers the highest throughput and is often favored for graphics-based applications, with one caveat: a shared region is a deliberate opening in the isolation boundary, so the safety-critical consumer must treat every field written by the normal-world producer as untrusted input, checking bounds, sequence, and integrity before acting on it.
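The shared-memory path deserves a worked example, because it is the one mechanism where the normal-world side writes directly into memory the safety side reads. The following is an added example, not code from the article, from Mentor or from Socionext: a single-producer, single-consumer frame ring over a shared region in which the consumer (the safety-critical domain) snapshots each descriptor, copies the payload out, and only then validates magic, bounds, CRC and sequence number on its private copies. The layout, sizes, magic value and the constructed tampering scenarios are all assumptions made for the example.

```c
/* Added example, not code from the article or from Mentor: a single-producer,
 * single-consumer frame ring over a shared-memory region. The consumer (the
 * safety-critical domain) treats every field the producer (normal-world
 * domain) wrote as untrusted. Layout, sizes and the magic value are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdatomic.h>
#include <string.h>
#include <stdio.h>

#define RING_SLOTS   4u
#define SLOT_BYTES   1024u                    /* fixed payload arena per slot */
#define DATA_BYTES   (RING_SLOTS * SLOT_BYTES)
#define FRAME_MAGIC  0x31464D52u              /* assumed tag */

typedef struct {
    uint32_t magic, seq, offset, length, crc; /* all producer-written, all untrusted */
} frame_desc_t;

typedef struct {
    volatile uint32_t head;                   /* producer-owned */
    volatile uint32_t tail;                   /* consumer-owned */
    frame_desc_t slots[RING_SLOTS];
    uint8_t data[DATA_BYTES];
} shm_ring_t;                                 /* stands in for a mapped shared region */

typedef enum { FRAME_OK = 0, FRAME_EMPTY, FRAME_BAD_MAGIC, FRAME_BAD_BOUNDS,
               FRAME_BAD_CRC, FRAME_BAD_SEQ } frame_status_t;

typedef struct { uint32_t expect_seq; uint32_t len; uint8_t buf[SLOT_BYTES]; } consumer_t;

/* CRC-32 (IEEE 802.3, reflected, poly 0xEDB88320), bitwise to stay dependency-free. */
static uint32_t crc32_ieee(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Normal-world side: copy payload, publish descriptor, then advance head. */
static bool producer_push(shm_ring_t *r, const uint8_t *payload, uint32_t len, uint32_t seq) {
    uint32_t head = r->head;
    if (head - r->tail >= RING_SLOTS || len > SLOT_BYTES) return false;
    uint32_t slot = head % RING_SLOTS, off = slot * SLOT_BYTES;
    memcpy(&r->data[off], payload, len);
    frame_desc_t d = { FRAME_MAGIC, seq, off, len, crc32_ieee(payload, len) };
    r->slots[slot] = d;
    atomic_thread_fence(memory_order_release);   /* data + descriptor before head */
    r->head = head + 1;
    return true;
}

/* Safety side: snapshot the descriptor, copy the payload out, then validate the
 * private copies. Checking the shared copy and reading it again would be a TOCTOU. */
static frame_status_t consumer_pop(shm_ring_t *r, consumer_t *c) {
    uint32_t tail = r->tail;
    if (r->head == tail) return FRAME_EMPTY;
    atomic_thread_fence(memory_order_acquire);
    frame_desc_t d = r->slots[tail % RING_SLOTS];
    frame_status_t st = FRAME_OK;
    if (d.magic != FRAME_MAGIC)
        st = FRAME_BAD_MAGIC;
    else if (d.length > SLOT_BYTES || d.offset > DATA_BYTES || d.length > DATA_BYTES - d.offset)
        st = FRAME_BAD_BOUNDS;                    /* order of checks avoids the underflow */
    else {
        memcpy(c->buf, &r->data[d.offset], d.length);
        if (crc32_ieee(c->buf, d.length) != d.crc) st = FRAME_BAD_CRC;
        else if (d.seq != c->expect_seq)           st = FRAME_BAD_SEQ;  /* replay or drop */
    }
    r->tail = tail + 1;                           /* consume even bad slots: no wedging */
    c->len = (st == FRAME_OK) ? d.length : 0;
    if (st == FRAME_OK) c->expect_seq = d.seq + 1;
    return st;
}

/* Constructed scenario. tamper: 0 none, 1 bogus length, 2 payload bit flip, 3 replayed seq. */
static frame_status_t scenario(int tamper) {
    static shm_ring_t ring;
    memset(&ring, 0, sizeof ring);
    consumer_t cons = { .expect_seq = 1, .len = 0 };
    uint8_t frame[64];
    for (unsigned i = 0; i < sizeof frame; i++) frame[i] = (uint8_t)i;
    producer_push(&ring, frame, sizeof frame, 1);
    producer_push(&ring, frame, sizeof frame, tamper == 3 ? 1u : 2u);
    if (tamper == 1) ring.slots[1].length = 0xFFFFFFF0u;
    if (tamper == 2) ring.data[ring.slots[1].offset + 5] ^= 0x80;
    frame_status_t first = consumer_pop(&ring, &cons);
    return first != FRAME_OK ? first : consumer_pop(&ring, &cons);
}

int main(void) {
    for (int t = 0; t < 4; t++) printf("tamper %d -> status %d\n", t, (int)scenario(t));
    return 0;
}
```

Two design points carry over to a real hypervisor or multicore deployment. First, the consumer always advances `tail`, even over a rejected slot, so a misbehaving producer cannot wedge the ring and starve the cluster of later, valid frames; the rejection should feed the watchdog or alerting path rather than block rendering. Second, a CRC detects corruption and accidental misuse but not a deliberately forged frame; if the producer domain is considered hostile rather than merely unsafe, the check must be a keyed MAC, or the data must arrive over a channel the hypervisor itself authenticates.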
Eye-catching, complex displays in vehicles are becoming a differentiating selling point for manufacturers, and new techniques are needed to combine 2D/3D graphics with safety-critical information. Applying new thinking to embedded software frameworks allows safety-critical and “normal world” applications to co-exist, meeting the needs of both suppliers and vehicle buyers. Mixed-criticality embedded architectures with capable HMI solutions have become very popular with automotive designers, and are scalable to meet the needs of next-generation, increasingly autonomous vehicles.
Andrew Patterson is Business Development Director for Mentor Graphics’ embedded software division, specializing in automotive solutions (Mentor Automotive). Prior to Mentor, he spent over 25 years in the Design Automation market and IT/Engineering markets, working in the areas of vehicle networks, simulation model development, and embedded software build and test. Recently he has been focused on automotive connectivity challenges involving ADAS, Infotainment, AUTOSAR, and the use of complex SoCs in Linux-based in-vehicle solutions. Patterson holds a master’s degree in Engineering and Electrical Sciences from Cambridge University, UK.