Automated Driving Systems—comprised of advanced driver assistance systems and autonomous vehicle functions—require the highest levels of safety and security in a vehicle. Many of today’s self-driving pilot programs run on consumer-grade platforms without the safety and security required for high-volume production. Using its decades of experience making life-critical avionics systems safe and secure, Green Hills Software is helping automotive companies achieve the safety and security necessary for production-level ADAS and automated driving systems.
The challenge for Automated Driving Systems
The promise of saved lives and autonomous convenience is creating a revolution for systems responsible for driving automation. Automated Driving systems, if fully realized, will save hundreds of thousands of lives, save billions in wasted costs and create billions in new business opportunities.
To realize the promise, today’s ADAS systems must be greatly expanded in terms of complexity, intelligence, safety and security.
The industrialization of producing Level 1-3 systems follows traditional industry processes but these processes are not sufficient for Level 4 and 5 systems. New paradigms are required for the transportation industry to graduate today’s pilots and test vehicles into high-volume vehicles with safety-certified systems.
Full self-driving with no limitations
True self-driving, but under limited circumstances, e.g. geo-fenced.
Traffic jam chauffeur
Similar to Level 2, but human has more time to take over.
Control of both steering & speed/brakes under limited circumstances.
Requires driver monitoring - human must be ready to take over.
Either steering or speed/brake, but not both.
Requires driver monitoring - human must be ready to take over.
Standard features today: anti-lock brakes, AEB, cruise control.
New safety and security paradigms to be defined
Conventional ADAS safety and security
The SAE Levels of Driving Automation and associated trends. The industrialization of Level 1-3 systems follows traditional industry safety and security certification processes that are not sufficient for Level 4 and 5 systems.
A safety foundation
The Green Hills Platform for Safe and Secure Automated Driving Systems enables OEMs and their suppliers to achieve their business and technology goals in designing and manufacturing Levels 1 - 5 systems, with a focus on:
- Innovative Development Platforms
Achieving software safety for Automated Driving Systems requires the separation, isolation, containment and control of individual software elements. For decades, Green Hills has been the recognized leader in providing a complete portfolio of certified products and services to manufacturers of life-critical machines, such as aircraft avionics, industrial machinery and medical devices. Today, INTEGRITY powers safety-critical vehicle ECUs in hundreds of millions of vehicles.
INTEGRITY RTOS—The Platform is built on the INTEGRITY real-time operating system (RTOS) technology, certified at the world's highest safety and security levels. It provides proven reliability and separation with unmatched Common Criteria EAL 6+ security credentials and ISO 26262 ASIL D safety certification. INTEGRITY provides guaranteed allocation of system CPU and memory resources, even when faced with malicious or unintended events. Even AUTOSAR applications can be run in their own partitions, giving system designers more flexibility to build scalable systems. For more information about the INTEGRITY RTOS see here.
INTEGRITY Multivisor secure virtualization and separation technology allows ISO 26262-certified applications to concurrently run alongside general-purpose applications or guest operating systems (Linux, Android, others) with freedom from interference and with guaranteed access to system resources. Successfully deployed in millions of critical embedded systems since 2003, it’s a system virtualization service of INTEGRITY and therefore inherits the safety and security features of INTEGRITY’s architecture including:
- Native execution performance
- Shared peripherals
- Multicore control
Safety-Certified Software Development Tools include MULTI IDE, Optimizing C/C++ compilers and C/C++ run-time libraries that are qualified for developing ISO26262 ASIL D applications. In addition, the MISRA C Adherence Checker, DoubleCheck Static Analysis Tool and other integrated tools help developers produce production-quality code that executes at maximum speed with the smallest code size.
Advanced Safety Services for safety board support packages (BSPs) and middleware are available from safety experts at Green Hills.
Safety paradigms for Level 4 and Level 5 systems
New Level 4 and 5 systems use artificial intelligence (AI) based on neural networks to perceive a vehicle’s environment. This AI capability brings tremendous capabilities but comes with a serious disadvantage: Because neural networks calculate solutions as a “black box”, they are impossible to test or validate using traditional (ISO26262, ASPICE) methods that assume a programmatic algorithm.
A solution to this dilemma is a dual-channel approach where the INTEGRITY RTOS runs an ASIL D plausibility analysis function in parallel with the AI black box inference engine. In case of disagreement between the two channels, a decision function, again running on INTEGRITY, makes the final decision.
Mass production of a single security vulnerability can mean catastrophic results in millions of vehicles that share the same automated driving ECU.
For automated systems controlling life-critical vehicles, there is no safety without security. For Auomated Driving Systems, security threats can attack from the outside through wireless connections, or from within, from poorly designed hardware and software.
The ramifications of poor security are acute and dramatic for Level 4 and 5 autonomous and connected systems. Because millions of cars can use the identical autonomous driving ECU, a single vulnerability in that ECU could be instantly “turned on” across millions of cars by a single malicious command, cloaked in a benign looking over-the-air update that delivers a poisoned payload or simply a command that exploits a pre-existing flaw in the ECU. Public demonstrations of automotive security vulnerabilities are well known in the industry.
The Green Hills Platform provides products, technologies and services that address external and internal security threats. It provides end-to-end protection across all product lifecycle phases of an Automated Driving system, spanning system design, software development, device manufacturing, supply chain management, over-the-air updates, ECU authentication and secure program execution.
- Security through EAL 6+ certified separation of critical software functions and guest operating systems with the INTEGRITY RTOS and INTEGRITY Multivisor secure virtualization
- Embedded Cryptographic Toolkit is FIPS 140-2 Compliant Suite B and allows engineers to secure the ECU
- Secure boot, including trust anchor provisioning and software signing
- Secure data-at-rest with encrypted key storage, integrated and optimized for the processor
- The Device Lifecycle Management System (DLM) is a cloud-based credential management tool for manufacturers of Automated Driving ECUs. DLM allows them to securely generate, distribute and track keys and secure credentials through their supply chain
- OTA service securely manages connected devices anywhere in the world
- Connect worldwide over all mobile networks
- Standards-based Open Mobile Alliance Device Management (OMA-DM 2.0), including the latest Software Component Management Object (SCOMO)
- Web-based command center with automated REST interface
- DLM OTA agent includes FIPS-140 Level 2 embedded algorithms
- Security Design and Vulnerability Assessments and other consulting services
Innovative development platforms
As Automated Driving Systems become more sophisticated, developing and integrating hardware and software for safety-certified systems faces unprecedented challenges. Key factors driving these new challenges include pre-silicon software development, uncertain AI safety, open-source software, hardware verification, and integrated system validation.
The Platform for Safe and Secure Automated Driving Systems offers the following innovative development environments:
- Pre-silicon verification and prototyping platforms
- Automotive simulator, model-based application programming and processor-in-the-loop testing
- BlueBox Autonomous Driving Processor Platform
Cadence co-verification and prototyping
Green Hills products integrated with the Cadence Verification Suite enables concurrent hardware/software development and testing before first silicon is available. This allows projects to “shift left” their timeline for integrating SoCs with automated driving applications and underlying drivers, middleware and operating systems.
Developing and testing production-grade automated driving applications on a continuum of pre-silicon verification and prototyping platforms saves time and money while improving software and silicon quality.
The core engines of the suite include:
- Formal Verification—JasperGold Formal Verification Platform apps that address specific design and verification of RTL
- Virtual System Platform—Functional model for first software development before RTL or FPGAs
- Emulation—Palladium Enterprise Emulation Platform that runs RTL code on custom ASICs
- FPGA Prototyping—Protium FPGA-Based Prototyping Platform that runs RTL code on FPGAs
Platform for Safe Autonomous Driving
The focus of the autonomous driving ecosystem has shifted from performance at any cost to safety for mass production roll out. To that end, NXP and Green Hills have created the BlueBox Platform for Safe Autonomous Driving. It combines safety and performance on a trusted development and reference processor platform suited to the rigors of autonomous vehicle industrialization.
The BlueBox Platform for Safe Autonomous Driving combines safety and performance on a trusted development and reference platform suited to the rigors of autonomous vehicle industrialization
- The INTEGRITY architicture is certified for ISO 26262 ASIL D
- BlueBox compute and vision acceleration at ASIL B; subsystems and dedicated interfaces are ASIL D
- Green Hills MULTI and C/C++ compilers are qualified for ASIL D software development
- Safety-critical applications, such as fusion and planning, are run and protected by INTEGRITY RTOS
- Motion planning by embotech generates the best path from tens of thousands of candidate paths per second
- Statistics and networking apps run on Linux which is safely and securely virtualized by INTEGRITY Multivisor; when Linux crashes and restarts, critical autonomous tasks run unaffected
Autonomous vehicle processor-in-the-loop platform
Developed by ANSYS and Green Hills Software, the platform is a virtual world driving simulator and model-based software development environment to rapidly prototype and run ASIL-D applications on automotive-grade processors:
The Autonomous Vehicle Processor in Loop Platform, developed by ANSYS and Green Hills Software, is a virtual world driving simulator and model-based software development environment to rapidly prototype and run ASIL-D applications on automotive-grade processors.
- ANSYS SCADE Suite model-based application development generates ISO 26262 ASIL D code and enables rapid testing of path planning algorithms
- Green Hills MULTI IDE is the ASIL D-certified C/C++ development environment
- Green Hills ASIL D-certified INTEGRITY RTOS runs autonomous applications on automotive-grade SoCs
- ANSYS virtual world driving simulator incorporates dozens of inputs from:
- Camera and Lidar sensors
- Traffic and environment
- Feedback from code executing on automotive-grade SoC
- ANSYS SCADE Display generates OpenGL graphics for instrument cluster
Robot Operating System (ROS)
The Green Hills Platform for Automated Driving provides ROS developers an efficient and clear path to transition ROS objects to embedded processors, rapidly reducing the time needed to deploy safety-certified production-grade software.
- ROS objects run as native tasks on the safety-certified INTEGRITY RTOS, taking advantage of its freedom from interference and guaranteed resource allocation features
- Improved visibility through a single, unified MULTI debugging session that can debug all ROS components in an autonomous system:
- ROS components on workstation and on target hardware
- Linux kernel and applications environments on workstation and on target hardware
- RTOS tasks and drivers
- The MULTI IDE and C/C++ toolchain are qualified for ISO 26262 ASIL D and IEC 61508 SIL 4, with certified run-time libraries
- INTEGRITY Multivisor virtualization gives developers the option of running unmodified ROS applications in a virtualized Linux environment. From there, they can either be ported to the safety-certified INTEGRITY RTOS or simply deployed as non-critical components
- The ROS solution is independent of processor and ROS framework vendor
Shown here is the ROS-based architecture for:
a) pilot programs and PoCs
b) migration to production and
c) purpose-built for production.
Scalable family of real-time operating systems
- Safe — The safety certified INTEGRITY RTOS technology is certified to the highest safety levels for ISO 26262 (ASIL D) and IEC 61508 (SIL 4).
- Secure — INTEGRITY RTOS technology is certified to the highest security level ever achieved for any software product—Common Criteria SKPP, EAL6+ High Robustness
- Flexible — INTEGRITY Multivisor securely and safely runs guest operating systems alongside critical applications
- Deeply embedded —µ-velOSity microkernel offers a tiny footprint and simple programming model for microcontroller architectures.
- Open — Automotive application programming interfaces to OSEK, AUTOSAR and POSIX
- Automotive connectivity including CAN, Ethernet AVB, MOST, Wireless, USB, Bluetooth, and IPv4/v6 TCP/IP stack
- Graphics and UI Kits for 2D, 3D, OpenGL, Qt Commercial, HTML5
- Internet offerings including web servers, HTML5, email and HTTP clients
- File systems featuring partitioning, journaling, flash storage and more
- Embedded firewall
- Secure OTA
Software development tools
- The Green Hills toolchain is qualified to the highest functional safety levels, including ISO 26262 (ASIL D).
- Green Hills Optimizing Compilers for C, C++, and Embedded C++ generate the fastest and smallest production-quality code on all automotive processor architectures.
- MULTI IDE includes multicore debugger, profiler, simulator, MISRA C/C++ Adherence Checker, run-time error checking, project builder, editor and much more.
- TimeMachine Suite runs and steps back in time to find even the most difficult bugs in minutes.
- MISRA C Adherence Checker builds in code quality at the time of compilation.
- Integration with ANSYS SCADE, Cadence Virtual Simulation Platform and MathWorks' Embedded Coder and Simulink for model-based code development, simulation and PIL testing.
Hardware development tools
- Embedded Cryptographic Toolkit provides FIPS 140-2 compliant services for securing embedded devices through secure boot, secure data storage, secure networks (SSL, TSL, IPSec, SSH) and digitally signed secure OTA firmware updates
- Device Lifecycle Management (DLM) products and services that enable embedded product manufacturers to monetize, manage and protect hardware and software intellectual property.
Green Hills has teamed with best-in-class technology providers to integrate their complementary products with the Green Hills Platform for Safe and Secure Automated Driving Systems, including:
For a complete list of ecosystem partners for Green Hills Platforms for Automotive click here.