The term ‘embedded system’ designates a combination of a processor and the software executed on it, integrated within a technical application context. In this connection, the processor undertakes, for example, monitoring functions, open-loop control functions or closed-loop control functions. In many cases the processor is also responsible for signal conditioning or data preparation. Modern embedded systems may also comprise several processors.
As an example of embedded systems, electronic control units (ECUs) may be mentioned. Electronic control units are electronic modules which are used in the automotive field, but also in machines and installations for control purposes, as well as for further tasks.
In motor vehicles, electronic control units are used, for example, in connection with electronic engine management. Electronic control units also come into operation for purposes such as the evaluation of signals of speed sensors, tank-level sensors or oil-pressure sensors and the corresponding drive of display instruments. In addition, electronic control units are integrated for use in automatic system interventions, for instance for the purpose of steering assistance (electronic power steering, EPS) or in connection with a driving-stability system (electronic stability program, ESP). With a view to reciprocal exchange of information, electronic control units may have been networked to one another via a system bus (e.g. in accordance with the CAN, LIN, MOST or FlexRay standard).
With the advent of electronic components into automotive engineering, the number of electronic control units integrated within a vehicle has increased greatly in recent years. Accordingly, the effort for the networking of the electronic control units has also risen. There have been similar developments also in mechanical engineering and plant engineering. For this reason it has been contemplated to pack various applications within a single electronic control unit. In this way, not only is it possible to reduce the number of built-in electronic control units, but the networking effort and the costs can also be lowered. On the other hand, new safety problems arise.
For instance, it has been recognised that problems may occur when different applications integrated within a single electronic control unit are accessing the same memory area. For example, the access of a tachometer application to a stored wheel-speed value might conflict with the access of an ESP application to this value, and this conflict might then result in a situation that is critical in terms of safety. For this reason, various memory-protection concepts for electronic control units having several applications have been proposed.
One memory-protection concept can be implemented via the software of an operating system of the electronic control unit. For this purpose the electronic control unit frequently includes a separate hardware component in the form of a memory-protection unit (MPU) or a memory-management unit (MMU). The memory-protection unit may, for example, have been integrated within a processor of the electronic control unit, or may alternatively constitute a component that is separate from the processor.
Memory protection ordinarily serves for the realisation of rights of access to memory areas, and thereby enables the distinct separation of application processes from one another and from the operating system (over and above that, support for virtual addresses is often also possible). In particular, memory protection can selectively block individual memory areas, also called partitions, against write operations (including destructive reads).
In electronic control units on which several applications are running, the write-protection functionality is employed in targeted manner for the purpose of prohibiting applications of lower priority from manipulating memory areas that are also being accessed by applications of higher priority (and, where appropriate, conversely). For the prioritising of applications, recourse may be had to IEC Standard 61508 and also to ISO Standard 26262, derived therefrom. In IEC Standard 61508, for example, four safety-requirement levels or safety integrity levels (SIL) have been defined, namely SIL1 to SIL4. Each level is a measure of the necessary or attained risk-reducing effectiveness of a (safety-critical) function realised by means of a given application.
In a priority-based memory-protection implementation the physical memory of an electronic control unit may be subdivided into various partitions, with a certain safety integrity level being allocated to each partition. Memory accesses of electronic-control-unit applications can then be controlled in such a manner that in a first step the safety integrity level assigned to the accessing application is determined. The memory access (in any case, as far as write operations are concerned) is then restricted to the partition with the ascertained safety integrity level.
In connection with the implementation of a priority-based memory-protection concept a separate partition for applications to which no safety integrity level has been allocated can generally be provided. Furthermore, a jointly utilised memory (shared memory) can be used for the communication between applications of different safety integrity levels amongst themselves.
In order to facilitate the communication of electronic-control-unit applications amongst themselves and also the exchange of applications on different electronic control units, the AUTOSAR development partnership was brought into being. The AUTOSAR project is a continuation of the work of the OSEK standardisation committee.
A significant aspect of the AUTOSAR specification is the logical splitting of the software into electronic-control-unit-specific system software and electronic-control-unit-independent application software. A virtual function bus (VFB) connects all the intercommunicating software applications (software components, SWC), also across different electronic control units. The centrepiece of the AUTOSAR architecture is its run-time environment (RTE). This run-time environment is a communications layer based on the VFB, and uses ports for sender/receiver-oriented communication between various applications and between an application and the operating system (and remaining system software) of the electronic control unit.
FIG. 1 shows schematically the memory partitioning and memory-based communication for an electronic control unit in connection with the implementation of a priority-based memory-protection concept in the AUTOSAR environment. In the exemplary case the memory has been split up into three partitions, namely two ‘non-privileged’ partitions 10, 20 and one ‘privileged’ partition 30.
The two partitions 10, 20 each include the software code of an application SWC1 and SWC2, respectively, in which connection differing safety integrity levels have been allocated to the two applications SWC1, SWC2 (or to the two partitions 10, 20). Furthermore, each of the two partitions 10, 20 includes an area of private data 40, 50 assigned to the respective application SWC1, SWC2, and also the software code of a run-time environment 60, 70 assigned to the respective application. Read operations and write operations with respect to the areas of private data 40, 50 are undertaken in a non-privileged mode (also called user mode) of a processor on which the software code of the applications SWC1, SWC2 is running. On the processor, which is not represented in FIG. 1, the software code of the run-time environments 60, 70 and of the operating system is also executed.
The third partition 30 includes a shared memory 80 for communication between the two applications SWC1, SWC2. The shared memory 80 takes the form of a buffer or queue. Read operations and write operations with respect to the shared memory 80 are possible only in a privileged mode of the processor.
For the purpose of communication between the two applications SWC1, SWC2 via the shared memory 80, a system call of the respective run-time environment 60, 70 via a programming interface (application programming interface, API) to the operating system which is not represented in FIG. 1 is required. The operating system is, inter alia, responsible for configuring a memory-protection unit of the processor dynamically in accordance with the system call.
If, as illustrated in FIG. 1, application SWC1, for example, wishes to write data from the area of private data 40 into the shared memory 80, in a first step a write request to the run-time environment 60 is made. The run-time environment 60 thereupon makes a system call to the operating system. The operating system writes, in the privileged mode, the data from the area of private data 40 into the memory 80. From there, the data can then be read out by application SWC2.
If, in a next step, application SWC2 wishes to read the data written by application SWC1, for example into the area of private data 50, once more in a first step a read request from application SWC2 to the assigned run-time environment 70 is required. The run-time environment 70 then makes a system call to the operating system. The operating system thereupon checks whether data are present in the memory 80. It then reads out the data—if present—in the privileged mode and delivers them back, in order that they can be written to the area of private data 50. In case no data were to be present in the memory 80, an error message (as a rule, with an error code) is returned.
The communication, sketched in FIG. 1, taking place within an electronic control unit between the applications SWC1, SWC2 on the basis of the shared memory 80 is unsatisfactory from various viewpoints. On the one hand, system calls to the operating system and the associated copying of data or configuring of the memory-protection unit are computationally intensive from the perspective of the processor. On the other hand, for the run-time environments 60, 70 additional wrapper functions are ordinarily required which increase the flash-memory requirement.
Brief Outline
Accordingly, a technique for configuring an electronic control unit having intercommunicating applications is to be specified that avoids one or more of the disadvantages described above.
According to a first aspect, a method for configuring an electronic control unit for intercommunicating applications is made available, wherein a memory assigned to the electronic control unit has been split up or is split up into partitions, and wherein at least one application with a first safety integrity level has been assigned to a first partition, and at least one application with a second safety integrity level, different from the first safety integrity level, or with no safety integrity level, has been assigned to a second partition. The method comprises the steps of analysing a communications behaviour of the applications assigned to the differing partitions amongst themselves, in order to identify a data-writing application and at least one application reading the written data, said applications not being located in the same partition, and of configuring a shared memory area in the partition of the writing application, and of generating a communications data structure for a communication between the data-writing application and the data-reading application, the communications data structure being provided for at least partial arrangement in the shared memory area.
The method according to the first aspect may come into operation, for example, when a writing application is confronted with one or more reading applications. This corresponds generally to a communications ratio of 1:n (n = 1, 2, ...) between writing and reading applications.
At least the two steps of analysing and of configuring may be carried out offline, that is to say, before the run-time of the applications. For example, these steps may be undertaken in connection with the creating of a configuration file to be loaded into the electronic control unit. Moreover, a memory-protection unit of the electronic control unit can (e.g. during the run-time) be configured in such a manner that the reading application during its run-time is given only read access, but not write access, to the communications data structure. In this connection, a write access, for example, to the partition of the writing application (in which the shared memory area with the communications data structure is situated) can be prevented.
According to one implementation, the shared memory area has been configured as a buffer memory. Additionally or as an alternative, the communications data structure may have been designed as a queue for communication between the two applications. Generally, a first part of the communications data structure can be configured in the shared memory area in the partition of the writing application, and a second part of the communications data structure can be configured in another memory area outside the partition of the writing application. This other memory area may be formed in the partition of the reading application.
The first part of the communications data structure may be configured for storing at least the written data. The second part of the communications data structure may, on the other hand, have been configured for storing at least one read pointer.
According to one version, two or more of the applications reading the written data have been provided. In this case, for each reading application a separate communications data structure, for example configured as a queue, can be provided. The two or more applications reading the written data may have been assigned to differing partitions (and hence also to differing safety integrity levels).
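As an added illustration of the first aspect (this is example code, not the patent's own implementation), the queue below keeps its first part, the data slots and a write index, in the shared memory area of the writer's partition, while each reader keeps only its read pointer in its own partition; the reader thus needs read access to the writer's partition and nothing more, so no system call or copy by the operating system is required. The slot count, the message size, the overwrite policy for a lagging reader and the application names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOTS 8           /* assumed: a power of two so the index can wrap */
#define SLOT_BYTES 16     /* assumed fixed message size */

typedef struct {          /* first part: placed in the writer's partition */
    volatile uint32_t write_idx;          /* count of messages ever written */
    uint8_t slot[SLOTS][SLOT_BYTES];
} writer_queue_t;

typedef struct {          /* second part: placed in the reader's partition */
    const writer_queue_t *q;              /* read-only view of the first part */
    uint32_t read_idx;                    /* next message this reader wants */
} reader_cursor_t;

/* Writer side: the only code that ever writes to the writer_queue_t. */
bool queue_write(writer_queue_t *q, const void *msg, size_t len)
{
    if (len > SLOT_BYTES) return false;
    uint32_t idx = q->write_idx;
    memset(q->slot[idx % SLOTS], 0, SLOT_BYTES);
    memcpy(q->slot[idx % SLOTS], msg, len);
    q->write_idx = idx + 1;   /* publish; a real target needs a memory barrier here */
    return true;
}

/* Reader side: reads q through a const pointer and writes only its own cursor.
 * Returns false when no unread data are present (the case in which the FIG. 1
 * scheme would return an error code from the operating system). */
bool queue_read(reader_cursor_t *c, void *out, size_t len)
{
    uint32_t w = c->q->write_idx;
    if (c->read_idx == w) return false;
    if (w - c->read_idx > SLOTS)          /* reader lagged: oldest slots overwritten */
        c->read_idx = w - SLOTS;
    memcpy(out, c->q->slot[c->read_idx % SLOTS], len < SLOT_BYTES ? len : SLOT_BYTES);
    c->read_idx++;
    return true;
}

/* Constructed scenario: SWC1 writes ten messages; SWC2 reads after each write,
 * SWC3 reads only at the end and therefore misses the two oldest messages. */
typedef struct { int got_swc2, got_swc3; uint8_t first_swc3; } demo_result_t;

static writer_queue_t swc1_out;               /* would live in SWC1's partition */

demo_result_t demo_one_writer_two_readers(void)
{
    memset(&swc1_out, 0, sizeof swc1_out);
    reader_cursor_t swc2 = { &swc1_out, 0 };  /* would live in SWC2's partition */
    reader_cursor_t swc3 = { &swc1_out, 0 };  /* would live in SWC3's partition */
    demo_result_t r = { 0, 0, 0 };
    uint8_t buf[SLOT_BYTES];
    for (uint8_t i = 0; i < 10; i++) {
        queue_write(&swc1_out, &i, sizeof i);
        if (queue_read(&swc2, buf, sizeof buf)) r.got_swc2++;
    }
    bool first = true;
    while (queue_read(&swc3, buf, sizeof buf)) {
        if (first) { r.first_swc3 = buf[0]; first = false; }
        r.got_swc3++;
    }
    return r;
}
```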
According to a second aspect, a method for configuring an electronic control unit for intercommunicating applications is specified, wherein a memory assigned to the electronic control unit has been split up or is split up into partitions, and wherein at least one application with a first safety integrity level has been assigned to a first partition, at least one application with a second safety integrity level, different from the first safety integrity level, has been assigned to a second partition, and at least one application with a third safety integrity level, different from the first and second safety integrity levels, or with no safety integrity level, has been assigned to a third partition. The method comprises the steps of analysing a communications behaviour of the applications assigned to the differing partitions amongst themselves, in order to identify at least two data-writing applications and an application reading the written data, said applications not all being located in the same partition, and of configuring a shared memory area in the memory outside the first, second and third partitions, and also of generating a communications data structure for a communication between the data-writing applications and the data-reading application, the communications data structure being provided for at least partial arrangement in the shared memory area.
The method according to the second aspect may come into operation, for example, when several writing applications are confronted with one reading application. This corresponds generally to a communications ratio of n:1 (n = 2, 3, ...) between writing and reading applications.
As already described above in connection with the first method aspect, at least the analysing and the configuring can be carried out offline. A memory-protection unit of the electronic control unit can (e.g. during the run-time) be configured in such a manner that the writing applications during their run-time are given write access, and the reading application during its run-time is given only read access, but not write access, to the communications data structure.
In the case of the second method aspect, the shared memory area can be established in a fourth partition.
The shared memory area may, according to each of the two method aspects, be an area of private data. The communications data structure may, for example, be a buffer memory (e.g. a ring buffer) and/or a queue. In the course of generating the communications data structure, a size and/or an address of the data structure can be defined.
Within the framework of the methods presented here, a run-time environment can be generated (e.g. in the form of source code or object code). The run-time environment may serve to decouple a function call of an application from an access to the communications data structure. In other words, the run-time environment can act as an interface between one of the applications and the communications data structure that has been assigned to the application.
Both method aspects may furthermore include the step of receiving information relating to the assignment between partitions and applications, and also relating to the communications behaviour of the applications. The step of analysing the communication paths may in this case be undertaken on the basis of the received information. The information may, for example, be received in the form of a file or as user input.
The configuring of the shared memory area and the generating of the communications data structure can generally be undertaken in connection with the creating of compilable configuration data (e.g. in the form of source code). The configuration data may have been split up in partition-specific manner (that is to say, for example, they may contain several files or data sets which have each been allocated to a certain partition).
Besides the configuration data, application data can also be compiled that contain the applications (e.g. in the form of source code). The application data may contain calls to the data to be read and written. Like the configuration data, the application data may also have been split up in partition-specific manner.
The compiled configuration data can be linked with the compiled application data (e.g. in the form of object code). The linking may be carried out on the basis of information that specifies which application data are to be mapped onto which partitions.
The configuration data alone or the linked data can be loaded (e.g. as a configuration file) into the electronic control unit. Subsequent to this, the electronic control unit has been configured for the communication of the applications amongst themselves.
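The offline analysing and configuring steps described above, applied to a constructed assignment table (example code added here, not the patent's own tooling): a reader fed by writers from two or more other partitions is treated as an n:1 case (second aspect) and receives a shared area outside all application partitions, while every other cross-partition writer receives a shared area inside its own partition (first aspect); the result is the memory-protection right of each application to each area. The partition numbers, application names, the EXTRA_PARTITION id and the access codes are assumptions of this example.

```c
#include <stdbool.h>

enum { MAX_APPS = 8, MAX_AREAS = 8, EXTRA_PARTITION = 99 };   /* assumed ids */
enum { ACC_NONE = 0, ACC_RO = 1, ACC_RW = 2 };                 /* assumed codes */

typedef struct { const char *name; int partition; int sil; } app_t;  /* sil 0: none */
typedef struct { int writer, reader; } edge_t;                       /* app indices */
typedef struct {
    int partition;                  /* partition in which the shared area is configured */
    unsigned char access[MAX_APPS]; /* memory-protection right of each app to this area */
} area_t;

/* Number of distinct partitions, other than the reader's own, that write to reader r. */
static int foreign_writer_partitions(const app_t *a, const edge_t *e, int ne, int r)
{
    int seen[MAX_APPS] = { 0 }, n = 0;   /* seen[k]: writer k's partition already counted */
    for (int i = 0; i < ne; i++) {
        if (e[i].reader != r || a[e[i].writer].partition == a[r].partition) continue;
        bool dup = false;
        for (int k = 0; k < MAX_APPS; k++)
            if (seen[k] && a[k].partition == a[e[i].writer].partition) dup = true;
        if (!dup) { seen[e[i].writer] = 1; n++; }
    }
    return n;
}

/* Analysing + configuring: returns the number of shared areas written to out. */
int plan_layout(const app_t *a, int na, const edge_t *e, int ne, area_t *out)
{
    int n = 0;
    /* n:1 readers first: one area outside every application partition */
    for (int r = 0; r < na; r++) {
        if (foreign_writer_partitions(a, e, ne, r) < 2) continue;
        area_t ar = { EXTRA_PARTITION, { 0 } };
        for (int i = 0; i < ne; i++)
            if (e[i].reader == r) ar.access[e[i].writer] = ACC_RW;
        ar.access[r] = ACC_RO;        /* the reader is never granted write access */
        out[n++] = ar;
    }
    /* remaining cross-partition writers: area inside the writer's own partition */
    for (int w = 0; w < na; w++) {
        area_t ar = { a[w].partition, { 0 } };
        bool used = false;
        for (int i = 0; i < ne; i++) {
            int r = e[i].reader;
            if (e[i].writer != w || a[r].partition == a[w].partition) continue;
            if (foreign_writer_partitions(a, e, ne, r) >= 2) continue; /* n:1, done above */
            ar.access[r] = ACC_RO; used = true;
        }
        if (used) { ar.access[w] = ACC_RW; out[n++] = ar; }
    }
    return n;
}

/* Constructed table: SWC1 (SIL3) in partition 10, SWC2 (SIL1) in 20, SWC3 and
 * SWC4 (no SIL) in 30. SWC3 is fed by SWC1 and SWC2, i.e. an n:1 relation. */
static const app_t apps[] = { {"SWC1",10,3}, {"SWC2",20,1}, {"SWC3",30,0}, {"SWC4",30,0} };
static const edge_t edges[] = { {0,1}, {0,3}, {1,2}, {0,2} };
area_t areas[MAX_AREAS];

int demo_plan(void)
{
    return plan_layout(apps, 4, edges, 4, areas);
}
```

Running demo_plan() yields two areas: one outside all partitions for SWC3 with SWC1 and SWC2 as writers, and one in partition 10 that SWC2 and SWC4 may only read.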
The applications can generally communicate with one another in accordance with a predetermined specification. This communication may, for example, be undertaken on the basis of the AUTOSAR specification.
Furthermore, a computer-program product with program-code means is made available for implementing the method aspects presented here when the computer-program product is executed on one or more processors. The computer-program product may have been stored on a storage medium (for example, a flash memory). The storage medium may be part of an electronic control unit.
Likewise specified is an electronic control unit configured in accordance with the method presented here. The electronic control unit can be configured, for example, by loading the aforementioned linked data into the electronic control unit.
According to a further aspect, an apparatus for configuring an electronic control unit for intercommunicating applications is made available, wherein a memory assigned to the electronic control unit has been split up or is split up into partitions, and wherein at least one application with a first safety integrity level has been assigned to a first partition, and at least one application with a second safety integrity level, different from the first safety integrity level, or with no safety integrity level, has been assigned to a second partition. The apparatus includes an analysis device which has been designed for analysing a communications behaviour of the applications assigned to the differing partitions amongst themselves, in order to identify a data-writing application and at least one application reading the written data, said applications not being located in the same partition. The apparatus further includes a configuration device which has been set up for configuring a shared memory area in the partition of the writing application and for generating a communications data structure for a communication between the data-writing application and the data-reading application, the communications data structure having been provided for at least partial arrangement in the shared memory area.
Furthermore, an apparatus is made available for configuring an electronic control unit for intercommunicating applications, wherein a memory assigned to the electronic control unit has been split up or is split up into partitions, and wherein at least one application with a first safety integrity level has been assigned to a first partition, at least one application with a second safety integrity level, different from the first safety integrity level, has been assigned to a second partition, and at least one application with a third safety integrity level, different from the first and second safety integrity levels, or with no safety integrity level, has been assigned to a third partition. The apparatus includes an analysis apparatus which has been set up for analysing a communications behaviour of the applications assigned to the differing partitions amongst themselves, in order to identify at least two data-writing applications and an application reading the written data, said applications not all being located in the same partition. The apparatus further includes a configuration device which has been set up for configuring a shared memory area in the memory outside the first, second and third partitions and for generating a communications data structure for a communication between the data-writing applications and the data-reading application, the communications data structure having been provided for at least partial arrangement in the shared memory area.
Further made available is an electronic control unit having intercommunicating applications. The electronic control unit includes a memory which has been split up into partitions, wherein at least one application with a first safety integrity level has been assigned to a first partition, and at least one application with a second safety integrity level, different from the first safety integrity level, or with no safety integrity level, has been assigned to a second partition, wherein a data-writing application and at least one application reading the written data have been stored in the memory, said applications not being located in the same partition, and wherein the memory includes a shared memory area in the partition of the writing application and a communications data structure for a communication between the data-writing application and the data-reading application, the communications data structure having been arranged at least partially in the shared memory area. The electronic control unit further includes a memory-protection device which has been configured in such a manner that the reading application during its run-time has only read access, but not write access, to the communications data structure.
According to another aspect, a further electronic control unit having intercommunicating applications is specified. The electronic control unit includes a memory which has been split up into partitions, wherein at least one application with a first safety integrity level has been assigned to a first partition, at least one application with a second safety integrity level, different from the first safety integrity level, has been assigned to a second partition, and at least one application with a third safety integrity level, different from the first and second safety integrity levels, or with no safety integrity level, has been assigned to a third partition, wherein at least two data-writing applications and an application reading the written data have been stored in the memory, said applications not all being located in the same partition, and wherein the memory includes a shared memory area outside the first, second and third partitions and a communications data structure for a communication between the data-writing applications and the data-reading application, the communications data structure having been arranged at least partially in the shared memory area. The electronic control unit further includes a memory-protection unit which has been configured in such a manner that the writing applications during their run-time have write access, and the reading application during its run-time has only read access, but not write access, to the communications data structure.
The memory-protection unit of the respective electronic control unit can be configured appropriately when the operating system switches from one processing thread to another thread.
The electronic control unit may generally have been networked with other electronic control units via a system bus. The electronic control unit may furthermore generally have been designed for evaluating a sensor signal. Accordingly, the electronic control unit may include at least one input for a sensor signal to be processed.
The electronic control unit proposed here in each instance may be an electronic control unit of a motor vehicle.