Professional Articles

However, there is still a big step to complete autonomy, which requires not only appropriate systems in the individual car, but also an intelligent infrastructure and standardized vehicle-to-vehicle communication (V2V). In addition, legal issues need to be clarified, such as responsibility in the event of accidents, and other major topics are data protection and safety.

The autonomous vehicle communicates intensively and produces a large amount of personal data. This is not just about motion profiles - there are already interior cameras that detect when the driver is getting tired based on facial expressions. Some manufacturers are testing sensor arrays that are designed to diagnose reduced blood sugar levels and the like based on the reactions of the driver or even passengers. This data needs to be protected, as does private data from the comfort of home.

Cybersecurity, on the other hand, is primarily about protecting critical systems from unauthorized access and, above all, from manipulation. This requirement becomes all the more important the more safety-critical and non-critical applications are operated within the vehicle and are logically or physically connected to one another. Many entertainment systems, for example, are based on the comparatively insecure Android operating system. Should an attacker gain access to such systems, it is annoying but not dangerous - but if he can access safety-critical systems via this gateway, the situation immediately changes dramatically. It is therefore essential to strictly separate such applications with different criticality levels.

Figure 1: Advanced Driver Assistance System (ADAS)

Manufacturers strive for Consolidation and Standardization

However, this runs diametrically counter to another important ambition of the manufacturers. They want to dramatically reduce the current sprawl in automotive electronics and introduce platforms and communication channels for the various electronic components that are as uniform as possible. In doing so, they are pursuing the goal of saving hardware and also development costs, because each platform requires different tools and expertise. They are also interested in being able to use electronic components across models, comparable with the platform strategies for mechanical components that have been popular since around the beginning of the millennium.

Today's automobiles have up to 100 different processors for a wide variety of functions and up to seven buses for communication between them and the sensors or actuators. The software environment is correspondingly complex - 100 million lines of code are not uncommon in passenger cars. Consolidation onto a few hardware platforms and Ethernet as a uniform communication channel therefore offers considerable savings potential. However, this consolidation must ensure that individual applications, especially the safety-critical ones, are strictly separated from all others, even if they run on the same hardware.

PikeOS for the secure Separation of Applications

SYSGO's PikeOS provides developers with an environment that ensures such separation and has already proven itself in the aircraft industry with its at least equally high safety requirements. PikeOS represents a modular software architecture that integrates multiple embedded applications on a single hardware platform. PikeOS provides both a full real-time operating system (Hard RTOS) and a virtualization and partitioning system to support the special requirements of automotive applications. The basis of the PikeOS platform is a small, certifiable microkernel that provides a virtualization infrastructure. This makes it possible to place various applications and resources in secure, individual partitions. 

Since automotive applications range from non-critical infotainment systems to highly critical in-car control functions, PikeOS accordingly offers a wide range of guest operating systems, so-called "guest OS": from POSIX® to Linux and Android to AUTOSAR or COVESA. Thanks to the strict separation of the individual partitions from each other, applications of different criticality levels and with different security levels can run in a mixed environment on a single standard hardware platform. Thanks to the integrated time partitioning, it does not matter whether the applications are real-time or not.

Figure 2: Diverse applications on a hardware platform and a deterministic communication channel enable a simple but secure system design

Hypervisor and RTOS

PikeOS is based on a microkernel with the performance of a traditional real-time operating system. The hypervisor provides partitions that can host different applications - from a simple but highly critical control task to a full-fledged operating system like Linux or Android. As a result, secure and non-secure applications can coexist on the same platform. Complex systems that in the past required multiple devices can thus be consolidated on a single piece of hardware. This reduces weight, power consumption, and cabling requirements, and shrinks the bill of materials. The PikeOS hypervisor runs on x86 as well as ARM, PowerPC, SPARC V8 / LEON or MIPS and can easily be adapted to other CPU architectures.

Very interesting is the use of hypervisors like PikeOS on multi-core CPUs. On the one hand, multiple cores by design support the separation of applications, and on the other hand, they also offer the performance that is needed for this. However, the certification of multicore systems is very complex, and many certified systems actually use only one core. However, if different functions are bundled into a single piece of software running under a real-time operating system on only one CPU core, interference between the functions can very easily occur - strict separation is not guaranteed. For example, the effect of one application on the runtime behaviour of another application can lead to security problems, such as exceeding deadlines in real-time applications. Similarly, timing effects due to the sharing of system resources, such as caches and memory buses, can lead to hidden channels of information that violate application confidentiality requirements.

Safety and Certification

The PikeOS hypervisor itself is certified to the highest industry standards, making it a suitable foundation for critical systems in which both functional safety and IT security must be guaranteed. The protection mechanisms are essentially based on two principles: strict separation of applications through time and resource partitioning, and control of communication channels. The individual applications within the overall system can have different criticality levels.

Due to these protection mechanisms of PikeOS, certification according to industry-specific safety and security standards can be performed separately for each application - an essential feature to keep costs under control. In addition, PikeOS was the first platform to also achieve SIL 4 certification in multi-core environments.

Figure 3: Based on the PikeOS microkernel, various operating systems and applications can run with strict separation

ISO 26262 and SEooC (Safety Elements out of Context) Concept

ISO 26262 is an international standard that defines the safety life cycle of electrical, electronic and software-based components in passenger cars. Based on IEC 61508, ISO 26262 reduces the risk of hazardous operating situations occurring and defines safety measures that reduce the risk of failure.

To meet the requirements of ISO 26262, PikeOS is optionally offered with an Automotive Certification Kit, which incorporates SYSGO's long-standing and extensive certification expertise. The certification kit includes an ISO 26262 Part 6 compliant PikeOS hypervisor as well as comprehensive documentation support for development and testing. Furthermore, additional security information can be provided to achieve ISO 26262 compliant systems. Important components of these certification kits are a safety manual with guidelines for the use of PikeOS in safety-critical designs of systems, as well as a case study with characteristic functional safety requirements according to the respective required Automotive Safety Integrity Levels (ASIL).

More information at www.sysgo.com/pikeos