
Functional Safety E

知识进行曲, 2023-05-08, published in Shanghai

Virtualization Technology and the Use of Virtual CPUs in the ISO 26262 Context:

The E-Gas Case Study

新知达人, Functional Safety E-Gas Standard Analysis: The E-Gas Case Study...

Preface

Hmm... when E-Gas is mentioned, do you think of the picture above? Back then it really shocked the automotive world, but that is not the E-Gas we are talking about today...

Here is the document in question:

Standardized E-GAS Monitoring Concept for Gasoline and Diesel Engine Control Units


Recently a friend who works in this area asked me to compile some E-Gas material, so, as you wish, here are a few related articles and resources for everyone to study and refer to...

Also, if you follow this public account and need other material, or would like me to write about something you want to learn about, remember to message me privately or leave a comment on the account; generally I can meet most requests, ha...

Hmm... although I try to meet everyone's requests, I am not omnipotent; I believe in the power of the crowd, and behind me there are countless readers supporting me, haha... that is you...

Enough small talk, here is the main text...

Abstract

A new development environment is needed that minimizes conflicts between control systems, maintains independence between systems while they execute, and makes quality easy to assure. The environment must give the software layout enough flexibility to accommodate software changes during development and the parallel development of multiple derivative systems. We developed a virtualization technology (virtual CPUs) that can execute system control on a single CPU without conflicts between systems.


Introduction


Figure 1 illustrates the change from stand-alone vehicle systems for engine control, brake control, climate control and so on to integrated vehicle control systems in which several control systems cooperate to perform complex functions. The trend towards coordinated control with infrastructure outside the vehicle is also becoming more pronounced. A conventional vehicle electronic system consists of several separately installed ECUs that each perform independent control. However, to realize the complex, multi-functional types of control that modern vehicles require, these ECUs are being connected to an in-vehicle network (Fig. 2).


As the number of connected ECUs increases, a hierarchical structure that divides these ECUs into several domains is likely to emerge. In the 1970s, an engine control ECU program was about 4,000 lines of code long. Because of the recent explosive growth in electronic control, rooted in the growing demand to protect the environment by reducing emissions and fuel consumption and to improve vehicle safety with systems such as airbags and seat belts, a luxury vehicle may contain more than 80 ECUs, and these ECUs are far larger and more complex than before. Excluding the navigation system ECU, the total amount of program (software) code now exceeds 7 million lines. Fig. 3 shows the trend in ECUs installed in luxury vehicles since 1995.


Virtualization Technology

We believe that a virtualization technology (virtual CPUs) that lets a single CPU execute system control without conflicts between systems will satisfy the needs described above, so we introduce the virtual CPU architecture we developed.

Executing Multiple Real-Time Control Tasks with a Hardware Scheduler

We developed multi-threading technology that can execute multiple threads. It allows each thread, or software execution unit, to have its own general-purpose registers, system control registers and other state required for execution. Execution can be switched between threads on every clock cycle. Thread switching is handled automatically by a hardware scheduler, which ensures that each thread is allocated the CPU time the user assigned to it in advance. This saves the CPU time that time-management and program-switching functions previously required. Because of this,

Configuring a Single CPU as Multiple Virtual CPUs

We developed hardware (see Fig. 5) that extends address space management and interrupt handling so that a single CPU can be configured as multiple CPUs. Memory resources such as an application's code area and data area can be fully separated by the address translation function, preventing logical addresses and memory resources from overlapping between virtual CPUs. In addition, interrupt priorities can be managed independently for each virtual CPU. Because one or more threads can be assigned to each virtual CPU, a simple OS such as a real-time OS can be given one thread per virtual CPU, while a large multi-threaded OS can be given several threads per virtual CPU.
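The per-virtual-CPU address translation just described, modelled in C as an added illustration (not code from the original paper or its hardware): each VCPU owns a table of logical-to-physical regions, an access outside its own regions faults instead of reaching other memory, and a configuration check verifies that two VCPUs' physical regions never overlap. The structure names, region table layout and sample addresses are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical region table: one entry maps a logical range of a VCPU
 * onto a physical range. Layout and names are assumptions for this demo. */
#define MAX_REGIONS 4

typedef struct {
    uint32_t log_base;   /* start of the region in the VCPU's logical space */
    uint32_t phys_base;  /* physical memory that backs the region */
    uint32_t len;        /* region length in bytes */
} region_t;

typedef struct {
    int      vcpu_id;
    size_t   nregions;
    region_t regions[MAX_REGIONS];
} vcpu_map_t;

/* Translate a logical address for one VCPU. Returns false (a "fault") when
 * the address is not covered by any region the VCPU owns, so a runaway VM
 * cannot reach memory outside its own regions. */
bool vcpu_translate(const vcpu_map_t *m, uint32_t laddr, uint32_t *paddr)
{
    for (size_t i = 0; i < m->nregions; i++) {
        const region_t *r = &m->regions[i];
        if (laddr >= r->log_base && laddr - r->log_base < r->len) {
            *paddr = r->phys_base + (laddr - r->log_base);
            return true;
        }
    }
    return false;
}

static bool regions_overlap(const region_t *a, const region_t *b)
{
    return a->phys_base < b->phys_base + b->len &&
           b->phys_base < a->phys_base + a->len;
}

/* Configuration check: the physical regions of two different VCPUs must be
 * disjoint, otherwise one VM could corrupt the other through its own mapping.
 * Returns true when the two maps share no physical memory. */
bool vcpu_maps_disjoint(const vcpu_map_t *a, const vcpu_map_t *b)
{
    for (size_t i = 0; i < a->nregions; i++)
        for (size_t j = 0; j < b->nregions; j++)
            if (regions_overlap(&a->regions[i], &b->regions[j]))
                return false;
    return true;
}
```

Running `vcpu_maps_disjoint` over every pair of VCPU maps at configuration time is the check a reviewer would want before trusting the "no overlap" property the paragraph relies on.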


Bus System That Reduces Inter-Thread Interference

An important feature supporting the virtualization technology is a bus system that reduces interference between threads.


Independent Control Systems That Can Be Executed Together

By combining the above three technologies, a single CPU can be used as multiple CPUs, and by operating different OSs on each virtual CPU, independent control systems can be executed together. This new technology can also solve: issues with changes and reverification of control systems required when multiple control systems are split up/integrated or when a large scale control system is developed; problems with time management of granularity before and after integration; and software overhead problems related to time management. Because of this, multiple control systems can be split up or integrated at the optimal cost. Also, the virtual multi-core structure allows different numbers of virtual CPUs and different levels of frequency performance to be combined, so ECUs can be designed based on the actual location and mounting area.

Hypervisor for Virtual CPUs

As mentioned earlier, through the use of virtual CPU technology (made up of multi-threading technology, a hardware scheduler, address management functions, etc.) we have been able to decide on the number and performance of virtual machines (VMs) with a high degree of freedom, while maintaining independence between VMs. However, we believed that the management of the control system in each VM, such as managing the start/stop sequence, monitoring each VM, and running failsafe processes based on this, should be allocated by the OS operating on the virtual CPU.


Hypervisor for VCPU: Structure and Functional Specifications

Schematics of a conventional hypervisor that runs on a single CPU and the hypervisor for VCPU, which runs on virtual CPUs, are shown below. To add a monitoring function that ensures normal operation, it is also possible for Hypervisor for VCPU to have a double structure with a Supervision Hypervisor in addition to the main unit. (See Fig. 8-3.)


Robust Implementation Design Example: Communication between VMs

As mentioned above, a characteristic of the hypervisor for VCPU is that it incorporates a robust implementation design that is unaffected by user software going into a runaway mode; such an occurrence would not affect the software of other VMs either. We achieved this by using the privilege modes that have been built into embedded microcomputers in recent years. Fig. 9 shows the allocation of privilege modes for the hypervisor for VCPU and for user software. Basically, user software has low privilege and the hypervisor for VCPU has high privilege. However, as shown in Fig. 10, using the high privilege requires the prescribed transition procedure, and this results in higher processing loads. For this reason, the part of the hypervisor for VCPU that is unaffected by abnormal operation of the user's OS was designed to run with the supervisor privilege in order to reduce processing loads.

USING VIRTUALIZATION TECHNOLOGY IN THE CONTEXT OF ISO26262: THE E-Gas CASE STUDY

When virtual CPUs are used, multiple controls can be run together without interfering with one another. One possible application is to integrate multiple functions and implement them in a scalable system on a 1-chip virtual CPU. When integrating functions in this way, it is desirable to minimize the effect that adding, inserting and removing functions has on the other functions. For this reason, it is believed that using a virtual CPU, in which a VM is allocated to each function so that these VMs operate independently, will be effective.

Outline of E-Gas Monitoring Concept

The E-Gas Monitoring Concept describes the monitoring structure that ensures safety in automotive engine control. The concept consists of three levels (L1, L2 and L3), as shown in Fig. 13. Each level is outlined below.

The “Hypervisor Checker” Task

In principle, in virtualization-based E-Gas architectures there is a risk of common-cause failures or single-point failures causing a simultaneous failure of the hypervisor and of L1, L2 and L3. This risk is higher for cases like case 2) and case 4), in which all the safety mechanisms are implemented in software.

Results of the Analysis

The safety analysis was performed according to the method described in ISO/IS 26262-10 Annex A, using basic data such as microcontroller area, gate count and operating profile, and estimating the coverage provided by L1/L2 and by the L3 tests.

Conclusion

There is a growing demand for functional analysis and integration of automotive electronic systems. To meet this demand, we developed a virtualization technology using virtual CPUs that can run multiple system controls without mutual interference on a single MCU containing one or more CPUs.
