Hello everybody, I'm Nico Paper from Bosch Engineering, and I'm here today because I have the vision that we can bring Linux into core automotive hardware and software, and I don't like to leave the field to closed-source, microkernel-based operating systems from professional vendors. I think there's a chance to bring Linux into core systems, and one major point to come into core systems is the automotive functional safety topic, which is where we need to move into.

So who am I? I'm from Bosch Engineering, working on automotive systems for 15 years now, developing braking systems, steering systems and powertrain applications, and today I'm working on connectivity solutions for core systems. So I think I have a pretty good overview of our business, and I'd like to share some of my knowledge with you.

So first of all: who of you has already had contact with automotive systems engineering? Okay. And who of you did ever work on a Linux system in an automotive core system, like a braking system? Nobody. And that's the way it is, and that's what we are talking about.

So this is my agenda for my talk. I'd like to emphasise why I think automotive software is special. I will give you a really, really, really short overview of what automotive safety means, and then I'd like to introduce an example to make it easier to understand. Then I will show you how we think a functional safety level could maybe be implemented on a traffic light. I will show you some of the open topics that are not solved from my point of view, and I will come to my conclusion.

Why is automotive software special? At the last ELC in Berlin there was the panel discussion, and the question was raised: is automotive software special? Sometimes you hear the opinion:
No, it isn't. And I think it is special, because we have special requirements for our systems. To understand the automotive industry you need to know that this is a really closed-source-based business. No one likes to get looked into his source code; if you have your own proprietary software, normally our business is not willing to share that. And on the other hand we see that license obligations are for many of our customers a very heavy burden, just doing so. Okay, so the topic of the license obligations is often really a problem, where our customers forbid in their specifications that we use open source licenses, for example GPLv3. I learned at this conference that there are companies who think that is not a burden, but in many, many projects we see that it is a blocking point.

Then, what we also hear at this conference, is the lifetime. Normally an automotive system needs to be powered for 15 years, and you all know: for a 15-year lifecycle for a product there's no solution available on the table now. I think we are making a clear push towards it, but it's an open question. And our industry is very, very, very cost-sensitive, and we need to have a high scalability. You know, if you have a bug in a car software and you get a recall for, for example, a VW Golf, it's really a heavy burden for a company to pay what needs to be paid. To tackle that we are a very, very strongly process-oriented business, and it's our fundamental approach to cover everything with development processes. And last but not least there's the functional safety topic.
We have the ISO 26262, which is in our opinion a legislative point of view: so if there is an accident, for example caused by a failure in the software, then if you come to the legislation, if you come to the judge, you will be asked: are you developing your systems according to the ISO 26262? And if you don't, then you have a problem. So that is the specialty of automotive software, and that is why we need to track things a little bit differently than other companies or other industries.

So when we talk about functional safety, what we do is we need to avoid hazards, and we need to avoid the hazards that are above the tolerable risk. So when we talk about functional safety in the automotive context, there are three main factors which influence the probability of a hazard: it's the extent of the damage, the severity; we are looking at the probability of the situation and the occurring risk; and our controllability of the system when a failure occurs. To give you an example: if you have a car and your car is rear-wheel driven and you have a standstill on the rear axle, then the car is much heavier to control than if you have a front-driven car where your back axle is blocked. So that means that depending on the controllability you also get a risk increase, and if you come above the line of the tolerable risk, the ISO 26262 introduced four safety integrity levels, A to D, and normally the entry point for a system to come to safety is an ASIL B. So if we'd like to get a Linux system on an automotive core system, then often we are talking about an ASIL B. When the norm was introduced, reaching ASIL D was really, really critically discussed, and the common mind in the industry was: oh, to reach ASIL D is quite difficult, probably impossible. But today we have ASIL D applications in the field, for example dual clutch transmissions, rear-axle driven, and we are able to handle that. But the first step is to try with baby steps, reaching ASIL B, and then we will see what's necessary to reach further steps.

So let me now come to an example, to get it a little more practical from the discussion point of view. I'd like to give you an example about our activities in the V2X area and why Linux is playing an important role in it. So what's V2X? When we're talking about V2X, then we talk about the communication between cars, commonly known as car-to-X, and about the communication of the cars with the infrastructure. V2X is a clear enabler for autonomous driving and advanced driver assistance systems, because many of the functions we are not able to implement if you're not able to have a direct communication link between the participants of the system. What's happening in the US right now is that the government is really pushing into a V2X legislation. We think the standard will be released soon; it may take some additional time because of the different standards that arise, and I think also the government in the US is now waiting a little bit to see which standard will be the one to settle on. To power V2X communication we normally have communication stacks. There are a handful of software companies who already provide professional stack support, and all those stacks which we know are POSIX-based implementations, so there is a high probability that we use a Linux system to run those stacks on. And a specialty, if you look at V2X and its handshake with autonomous driving, is that we get really complex systems that need to be handled, and we need a lot of calculating power in the car and in the infrastructure to handle these systems. All that is in my opinion a clear sign for bringing Linux into core automotive systems. And if we talk about V2X and autonomous driving, then we are talking about functional-safety-critical systems. So let's come from the general V2X to an example of how V2X could work.
You may think of a junction where we have this traffic light, and you probably know the function of the adaptive cruise control, where your car accelerates and decelerates depending on the car that is driving in front of you. So what would happen if we begin to let the car talk to the traffic light directly? Then you could easily implement functions like decelerating your car at a red traffic light, so your car is automatically decelerating and automatically accelerating in case the traffic light has switched to green again. So that is a simple function. Another function, which is very handy, is a green wave system. So your car is driving towards a traffic light at 50 kilometres an hour; the traffic light is red; you know the traffic light will switch to green in three seconds, and your car decelerates gently, not to a full standstill but to a lower velocity. The traffic light switches to green and your car goes over the traffic junction in a smooth way. That will save time, and it will save the environment, because we don't need the full stops.

If we take a look at such a system we see the following. On the left-hand side we see the system level, where the car and the traffic light are communicating with each other, and on the other hand we take a look into the traffic light control system. That could be easily done on a modern microcontroller like an i.MX7, and it is quite easy to power a Linux on it. So what we have is: we have a power stage with which we control the lights, and we have something like a V2X interface, where we calculate the data stream for the communication and put it through the modem to the air. But if we begin to power such a system with a Linux, then we come to the obstacles that are typical for our industry. First of all: okay, are we willing to use open source, whereas we'd otherwise use closed source in this case? That could be a management decision, and I think that is not the biggest obstacle. The second point is the real-time behavior.
So today, if you think of a traffic light, it needs to be able to give its data in a time frame of about 500 milliseconds. That is because normally humans have a reaction time of one second. So to operate a traffic light with a deterministic behavior of 500 milliseconds is feasible; that's easy with today's hardware, it's easy to do it with Linux, it's no problem. But now the traffic light is directly talking to a car, and this car's main function, the autonomous driving function or the other functions, is normally calculated on a 10 millisecond base. So now we need a deterministic behavior of the system which lies in this 10 millisecond base. Sure, we will handle that with the increased possibilities and the increased power of the hardware, and I think also we will get that with the real-time behavior of Linux, but today it's an obstacle too.

So then it's the question: are we able to operate this traffic light really with a Linux system? What do you think? So let's take a look at whether we are able to do that, whether we are able to operate this system with an embedded Linux. From a software implementation point of view it's easy, it's simple, we may do that. But we need to tackle the ASIL functionality, and we target an automotive safety integrity level of B, and I'd like to show you now how such a view could look. So you see again: we are talking about this traffic light that is talking to a car directly for deceleration and acceleration according to the traffic light color, and we operate it on a Linux-based system. So when we try to get an ASIL B, first of all, normally our industry tries to get it via process, and there will be in future also safety-certified Linux systems available, but that is some time away; we will need some time to reach that. So how could we implement such a system now, today? For that:
It is important that we introduce a system functionality view, a system engineering view, to the system, to abstract the operating system and the operating system capabilities from the system behavior. What we need to do with our system is that we need to reduce the hazards or risks, by reducing the probability that these risks occur, and if a failure occurs on the system, which may happen, then we need to be able to go to a safe state, to hinder that any other problems occur. And that is on the traffic light quite a needed thing: a traffic light that is not working needs a yellow blinking light, and that information needs also to be available on the air. For that we need state-of-the-art safety measures on functional levels to safely operate this vehicle and the traffic light.

But how could we come to a functional view of the system, in a way that we are able to handle that? Because system requirements may be very, very numerous. So from our point of view, and you might agree to that, we can build a system out of three building blocks: it's the data and the system control, it's the data flow, and it's the data processing. And we think if we are able to achieve a safety integrity for each of these building blocks, then we are able to handle the complete system in a safe way. I will now go into some details of how such a thing could look.

If we take a look at the data flow, so the V2X data exchange between the traffic light and the car: if we'd like to have a safe data exchange we need to ensure that the data is valid for the traffic light. Yeah, so it's quite easy to understand. How could we ensure this safety target? We can do it by, for example, implementing checksums, CRCs or HMAC kind of stuff. So everyone does that; that's not rocket science. So if you take a look at our embedded system, how would that look? You see we have our traffic light that is powered via the relay. We introduce a first level of software.
We call it level one, and in this functional level we calculate the traffic light phases and the timing. To ensure that our counterpart is receiving valid data, we pack for example a CRC onto the data flow and then hand it from the functional component to the V2X interface. Then the V2X interface is able to recalculate the CRC; it sees it's valid, and then it puts it to the air. And on the other hand, in the car, you may also recalculate the CRC, and then you're sure that your data is valid. So that is the easy way; that is the first kind of safety integrity measure, which is quite easy to implement.

Now let's take a look at the data processing. For example, if we'd like to put the data of the status of the traffic light on the radio, we need to ensure that there are no calculation-based errors present in our system. You all know that bit errors are possible, there are rounding errors possible, and there are also overflow errors possible. If we do perfect testing we may reduce stuff like that to nearly zero, but there is a risk, and we'd like to reduce this risk. What can we do for that? One could try to implement functionality in a redundant way, for example by calculating in software in a second way, where you for example use other data structures or data types. How could that look in our embedded system? So we see again: we have the level one, where we calculate the traffic light phase and the timing, and now we introduce a new level, a level two, and in this level two we do, for example, a redundant calculation. To stay with the example from before: you remember we calculated a CRC to ensure that the data integrity is given. So what one could do, for example, is: in the level one area you calculate your CRC by, for example, the shifting algorithm, and in the level two you calculate your CRC, for example, in a table-based way.
So on a data table basis. Then, if you see that both calculations are the same, your calculation is ensured, and then you have monitored your second level; you're sure that you have no bit errors or rounding errors in your software, and you may ensure the functionality.

Now let's take a look at the data system control. So what we do is we operate the traffic light and the color state, and we need to ensure that this state control is working correctly. How do we do that in embedded software? Normally, if you have to control a state, you use a state machine. So every one of you is doing that, and it's easy to implement. But how do we monitor a state machine? That's quite easy, because what you can do is you may calculate the forbidden states of your state machine, and if your system enters a forbidden state you are also able to detect that and then to counteract. So again we are taking a look at our system, which is quite well known at this point. We have our traffic light phase monitoring or control, and in this traffic light phase control we implemented a system state, so we know all the transitions that are allowed: from green to yellow to red and again to green. And now it's quite easy to monitor this system. So we take again a look into our level two software, which is here indicated by this green box. What we now do is we monitor the system for the forbidden states; for example, if the traffic light has a status which is green and red at the same time, we know that this state is forbidden, and then we are able to shut down the system to our safe state again. So that was all the easy stuff.
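The level-one/level-two redundant CRC calculation (shifting algorithm versus table lookup) and the forbidden-state monitoring of the traffic light state machine, as an added C example that is not code from the talk or from Bosch; the CRC-8 polynomial, the lamp bitmask encoding, the phase message layout and the function names are assumptions made for this example:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
/* Constructed CRC-8 parameters (polynomial 0x07, init 0x00, no reflection;
   the check value for "123456789" is 0xF4). The talk names no polynomial. */
#define CRC8_POLY 0x07u

/* Level 1: bit-serial ("shifting") CRC-8. */
uint8_t crc8_shift(const uint8_t *data, size_t len) {
    uint8_t crc = 0x00;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80u) ? (uint8_t)((crc << 1) ^ CRC8_POLY) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* Level 2: table-driven CRC-8, a second code path over the same data.
   The table is built once here; a real ECU would store it as a constant. */
static uint8_t crc8_table[256];
static bool crc8_table_ready = false;

static void crc8_build_table(void) {
    for (unsigned v = 0; v < 256; v++) {
        uint8_t c = (uint8_t)v;
        for (int b = 0; b < 8; b++)
            c = (c & 0x80u) ? (uint8_t)((c << 1) ^ CRC8_POLY) : (uint8_t)(c << 1);
        crc8_table[v] = c;
    }
    crc8_table_ready = true;
}

uint8_t crc8_table_calc(const uint8_t *data, size_t len) {
    if (!crc8_table_ready) crc8_build_table();
    uint8_t crc = 0x00;
    for (size_t i = 0; i < len; i++) crc = crc8_table[crc ^ data[i]];
    return crc;
}
/* Lamp bitmask and phase message: constructed encoding for this example. */
enum { LAMP_RED = 1u, LAMP_YELLOW = 2u, LAMP_GREEN = 4u };
typedef struct { uint8_t lamps; uint16_t remaining_ms; } phase_msg_t;
typedef enum { SYS_OK = 0, SYS_SAFE_STATE = 1 } sys_result_t;
static void phase_serialize(const phase_msg_t *msg, uint8_t out[3]) {
    out[0] = msg->lamps;
    out[1] = (uint8_t)(msg->remaining_ms >> 8);
    out[2] = (uint8_t)(msg->remaining_ms & 0xFFu);
}

/* Level 1 attaches the CRC before the data is handed to the V2X interface. */
uint8_t level1_crc(const phase_msg_t *msg) {
    uint8_t raw[3];
    phase_serialize(msg, raw);
    return crc8_shift(raw, sizeof raw);
}

/* Forbidden-state list: only one lit lamp is a legal phase; green+red,
   all lamps off and similar combinations are rejected. */
bool lamps_allowed(uint8_t lamps) {
    return lamps == LAMP_RED || lamps == LAMP_YELLOW || lamps == LAMP_GREEN;
}

/* Legal transitions of the phase state machine: green->yellow->red->green
   or staying in the current phase; anything else (e.g. green->red) is flagged. */
bool transition_allowed(uint8_t from, uint8_t to) {
    return from == to ||
           (from == LAMP_GREEN  && to == LAMP_YELLOW) ||
           (from == LAMP_YELLOW && to == LAMP_RED)    ||
           (from == LAMP_RED    && to == LAMP_GREEN);
}

/* Level 2 monitor: recompute the CRC via the table code path, compare with level 1,
   and check the commanded state; any mismatch forces the safe state (yellow). */
sys_result_t level2_validate(const phase_msg_t *msg, uint8_t l1_crc,
                             uint8_t prev_lamps, uint8_t *out_lamps) {
    uint8_t raw[3];
    phase_serialize(msg, raw);
    bool ok = crc8_table_calc(raw, sizeof raw) == l1_crc &&
              lamps_allowed(msg->lamps) &&
              transition_allowed(prev_lamps, msg->lamps);
    *out_lamps = ok ? msg->lamps : LAMP_YELLOW;
    return ok ? SYS_OK : SYS_SAFE_STATE;
}
```

In a real installation the safe state drives the blinking yellow lamp and the same "not working" information is put on the air, as the talk describes.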
So everyone knows how to implement a CRC, everyone knows how to implement a state machine and how to monitor it. But now we have the problem that we also need to control the system control and the real-time integrity of the system. So what we need to ensure is that the real traffic light status and the status on the air are the same status, and this adds another topic, where we need to ensure that the real-time behavior is running correctly. This is the point where we at the moment are going in the direction that we do not do it in a Linux system by itself, because we think that we are a little bit apart from this real-time deterministic behavior. So what we introduce is a second entity that ensures that the real-time behavior and the complete system behavior is working correctly, and we implement it in a way we call deadline monitoring. How does this look? So first of all, normally we implement it on a second microcontroller; that is state of the technology in our business. So you take something like an i.MX7, and in addition you may put any other safety-relevant controller next to it; from a cost point of view it's possible. This second entity, the microcontroller, is powered by a typical real-time operating system with real-time scheduling; you know, you have a deterministic behavior of 10 milliseconds, so you're sure that the real-time behavior of this entity is working fine. But you do not overcrowd this controller with functions; you just put monitoring functions on it. So first of all we take a look at the real-time behavior: the microcontroller takes a look at the real-time behavior, it measures it against its expectations, and again, if we see via the deadline monitoring that the system, the main processor, is not working in the time scale we are expecting, then again:
We are able to disengage the calculation and to put the system into a safe state. The other thing which we need to ensure is: do we really operate the correct traffic light color? So did everything go correctly, for example with the power stage, with the relay? For that we introduce what you see below, in this line below: also a hardware feedback from the traffic light, so that at any time of the system we know that the state of the traffic light is as we expected. So if we want a red traffic light and we want to put this data on the radio, we know by measuring the feedback from the traffic light: yes, we are in a red state, and yes, our system is working correctly.

So what you have seen here in the three steps is what we call a three-layered monitoring system, and that is the state of the art of monitoring for a lot of core automotive systems. For example, an engine control software is powered by such a three-level system; an ESP system is operated in this way. In the abstract way, this is how that works: you have your data input and you have your first level of implementation, and this first level of implementation is just the functional view of your system, and you get your data output, which then needs to be verified. You verify it in two steps. The first step is the second layer, where we do a functional monitoring, for example the redundant calculation, the CRC calculation and stuff like that, and this layer two then adds its value to the safe data output, so we have validated data. If the level two detects, okay, something went wrong,
we bring the system to the safe state. And the third layer is the system feedback and the deadline monitoring. We do that normally in our industry by feeding back sensor data, or for example by ensuring this real-time behavior does work. This is really proven in use for many, many topics, and in our opinion, applying such a system on a Linux system on a pure functional view will allow us to cover out the Linux process area from defining the system. But, and that's the but: you really need to understand your complete system. If in your system engineering something went wrong, and that may happen because we are mankind, we are making wrong decisions, then you will probably have a problem later on. That leads me to the open points we need to tackle to really get an ASIL B working in a car.

So first of all: if someone of you attended Mr. Bulwahn's talk yesterday, from BMW, he described the certification of complex systems in the SIL2 Linux project. So what I pointed out: if we are not able to tackle everything in the system engineering area, it would be a good idea to have a certified safe Linux operating system to reduce the residual risk, also in case of problems. The other thing, which I did not point out, is that we have a complex loop system. So imagine the case: your car is running towards the traffic light, the traffic light provides its data correctly, but the car is not behaving in the correct way. That could be, for example: the traffic light expects the car to decelerate, but the car does not decelerate; it keeps the complete speed, it doesn't slow down. For that we need also a feedback loop from the car to the traffic light, where then the traffic light is able to react. And that leads me to the last thing: in future transportation and future traffic it will be very, very important to define overall system states for complex systems. So to stay with the example of the car that is not decelerating at the red traffic light: in the case a traffic light detects such a wrong behavior, there could be a solution to put every traffic light in the junction to red, so the car that is not decelerating could run over the junction with a lower risk of colliding with other cars. So there are open questions: certification of Linux, the feedback loops and the complex system states will be big obstacles we need to handle in the coming years. But I think those are problems we may solve, and it's not a blocking point anymore.

So let's come to the conclusion of my talk. I pointed out that embedded Linux is making a clear push also to core automotive systems. There are challenges; we know them: there are license obligations, there's real-time behavior, and there's also the ASIL conformity. But I am sure we are able to tackle that by introducing a functional view and getting a little bit away from the process orientation our business normally does. Linux isn't the blocking point anymore. It's an additional point, but it's not the blocking point anymore. And I think a three-layered monitoring concept may be attached to any system; it may be an automotive system or any other system at all. These three-layered monitoring concepts are proven in use; there are many examples available of how to implement this. It's a good abstraction of how a monitoring system works, so that you may train your engineers how to do a three-layered monitoring approach, and then you are able to handle a system view of safe behavior. And last but not least, there are challenges.
So our industry is normally not known for upstreaming software into open source projects. We are not able to, for example, push Linux into real-time behavior by just working alone, and in my opinion what needs to happen is: our industry needs to open up to the community. We do that by, for example, supporting a project like the OSADL project or AGL, and we need to learn how to contribute software to the open source community. And I think we need your help, because there are many, many obstacles we need to solve, and we are not able to solve them on our own. So that's it. If you have any questions about this talk you may contact me. I'd like to thank my two co-authors, Jan Christian Arnold and Hans-Leo Ross, who gave me great help in preparing this presentation. And I think we have time for two or three questions here in the audience, or afterwards if you like. Thank you very much.

[inaudible audience question]

Yeah, sure. So the question was: what about the security of the system? To have a communication between a car and the traffic light is a possible way to attack the system, and to do it in a correct way, for example using an HMAC, is an open point. So that was the question. Yes. So what I did here is just a safety view of it; it's not a security point of view. In my industry sometimes you hear the theme that safety and security are the same, and no, they influence each other, but they are not the same. And really you need to have a good system on the security side for that, and you need to do that, but it's a side activity and it's another complexity.

[inaudible audience question]

Okay. The question was: if you have a functional safety system and your Linux is not working in a correct way, then you may not ensure the complete integrity, correct? So the key for that is the third entity; you will remember the microcontroller. So we heavily depend on this microcontroller, that is the referee for the complete system.
So it really needs to monitor and observe the Linux system, and if this is working in a wrong way, then you're out. So on a calculation base that helps you, not on calculation-based errors, but I'm quite confident that in a system like Linux, and how we use it, this is working on a calculation base as an operating system in the correct way. Yeah, yeah, that's it. So the Linux part in this point of view is QA, and the monitoring and the second microcontroller is then an ASIL system, and that is what for example was the point of yesterday: so the SIL2 Linux, that is where you try to bring also a validation to the Linux system, so that you may also handle it as an ASIL software, or in this case a SIL software.

So, any other questions? One last one.

[inaudible audience question]

Okay, so the question was: what about hypervisors? Is a hypervisor a possibility to get rid of the microcontroller, correct? So what we do in the vehicle computing campus at Bosch is that we are really working with hypervisors, where we use different operating systems on one device. But our industry is an industry which is not taking big risks. So even if you take a look at today's systems we develop, like the vehicle computer we develop at Bosch, we always have a microcontroller on it where you put the real-time data. For example, if you'd like to do real-time communication via, for example, the CAN bus or FlexRay, then probably you need also such a device to handle this communication. So I think in the near future we will not miss out the microcontroller, but probably five years or six years or ten years ahead we will see something like that. Okay, then thank you for your questions. If there are any more, just feel free to come over, and have a nice rest of the day. Bye.