

## 1. Challenges in the design of today's E/E architectures at BMW





# 1 Cultural shift from function/signal-oriented sub-architectures & solutions to a unified and <u>trusted</u> vehicle-wide layered Service-Oriented Architecture





#### Consequence #1: two key benefits

Clear separation of concerns through layered SOA



Well defined responsibilities between infrastructure providers and consumers



See "Service-oriented architectures as a mindset: Shaping the next EE architecture in a digital age" by Julian BROY (BMW Group) @ Automotive Networks (Hanser, 11/2019) for an in-depth discussion on SOA benefits, implementation & standardization issues.





## Consequence #2: More system knowledge must be encoded in the system itself, such as

Bounded latencies / deadlines

Bandwidth requirements and degradation options

Vehicle-wide runtime configuration (modes, start-up, shut-down), safety-required redundancy, authentication & authorization

Need for **self-aware automotive cyber-physical systems** "able, based on the understanding of their state and environment, to make self-explanatory decisions autonomously at runtime – despite limited resources, complex unforeseeable environmental dynamics, high expectations on their reliability, and substantial levels of risk associated with malfunctioning."

See "Self-aware Cyber-Physical Systems" by K. Bellman et al, ACM TECS, 2020/06.





Consequence #3 : Dynamic re-allocatability of resources means "general purpose" and "highly integrated" hardware that can serve multiple roles, possibly as a software-defined, virtualized infrastructure

Highway Pilot, L3 primary channel

BMW's Scalable Autonomous Vehicle Architecture uses for Level 3 & 4:

- Infineon's Aurix 3C and Renesas' 9C R-CAR SoCs
- Intel Denverton 8C and Intel Xeon 24C (level 4 only)

See "Unveiled: BMW's Scalable AV Architecture" by Junko Yoshida, EE | Times, 2020/04.



#### 2 Scalability and re-usability of SW and HW through modularity

Modular privacy and trust:
capabilities, roles, and rights
must be centrally manageable,
across individual vehicle boundaries

Modular safety case(s) needed: fault containment regions must be guaranteed by construction



See "System and Software Architecture for Automated Driving Systems" by Simon Fürst (BMW Group), 2020/04.





Bigh efforts & costs for integration & testing!

Shift from "whole system tests" to continuous deployment & testing - Strong focus on automation needed

Early-stage validation & verification on virtual platforms is key

Test coverage must be measured in variability and validated execution paths, not in km driven

Large variety in methods and tools used in design a way to intelligently combine their benefits is needed, not replacing them by something more complex





#### Design for SW and HW extensibility

✓ Architectural choices are made early in the design → software functions will be added during vehicle's development & once in customers' hands (eg, OS7 OTA)





How to design "future-proof" E/E architectures? *i.e.*, make optimized design choices in terms of architecture, technologies (link speeds) & TSN protocol selection (e.g., Qbv? Qbu? CB? ...)?

#### Possible solutions offered by algorithmic tools

Transition to service orientation



Modular privacy and trust





High efforts for integration & testing

Big data and AI algorithms for correlating many of the various existing design specifications

- Transitive trust algorithms for a centralized security model
- Mathematical models of fault probabilities within fault containment regions and their resulting "module error rates"



Simulation of "full-stack" system behavior with varying degrees of precision, potentially plugging in real components for "software-in-the-loop" or "hardware-in-the-loop" testcases, in order to build trust in the overall OA.

Highest challenge



#### Focus on challenge

Use-cases for algorithmic tools: COTS & R&D



Total capacity

Quantify network extensibility wrt TSN

Topology Stress Test 
technological options

IEEE SA Ethernet TechDays 2019

Identify bottlenecks in E/E architecture and remove them

Topology Optimizer ® - AEC2020

**Bottlenecks** 

Assess and optimize communication reliability

AEC2020 + IEEE SA Ethernet TechDays 2020 (NXP, UL, Cognifyer)

Reliability

Cost-optimize by reducing link speeds & # of ECUs

Topology Optimizer ® - AEC2020

**Cost-optimize** 

Selecting cost-efficient TSN scheduling solutions

Synthesis

E/E architecture synthesis

**Our focus next** 



#### Enabling technologies for E/E Architecture Design Automation



"Centaur Era": teaming design engineers with machine by "marrying human experience and creativity with computer's brute force ability"



## 2. Illustration on a prototype TSN-based zonal SOA architecture – evolution scenario considered: addition of new services by software update



See "Service-oriented architectures as a mindset: Shaping the next EE architecture in a digital age" by Julian BROY (BMW Group), Automotive Networks, Hanser, 11/2019.





#### Model of the core TSN Network



17 ECUs incl. HMI, powertrain, charging, lightning systems, camera, AI backend calculator, access, etc

| # Nodes                           | 17                                                                                               |
|-----------------------------------|--------------------------------------------------------------------------------------------------|
| # Switches                        | 4                                                                                                |
| Link speed                        | 1Gbit/s: inter-switch links 100Mbit/s: all other links                                           |
| # TFTP streams                    | 6 → 320Kbit/s overall                                                                            |
| Standard<br>automotive<br>traffic | Command & Control (≈30% of the streams), Audio (5%), Video incl. ADAS (5%), Misc. Services (60%) |

[RTaW-Pegase screenshot]





#### Breaking down the design problem into smaller problems answered using algorithmic tools



©2020 - BMW - RTaW - UL - Cognifver





# [RTaW-Pegase screenshot]

## Probability that the network is overloaded when new services are deployed



Total Network Capacity

#### Network extensibility for ≠ TSN QoS options



- User priorities ☐ CBS ☐ CBS/HP
  - PreShaping
- Preemption TAS
- Preemption+PreShaping
- ✓ Preemption+CBS TAS+PreShaping
  - ✓ TAS+Preemption

✓ TAS+CBS

#### Stream priorities optimized

- ✓ Concise priorities
- ✓ Concise priorities+Preemption









#### Adding cost into the equation

✓ Cost can be any quantity, expressed in relative or absolute values, possibly calculated with a user-defined cost function f(price, time, risk, weight, ...)

#### Example of a simple cost model



A cost model is applied to a candidate architecture

[RTaW-Pegase screenshot]





Cost / Extensibilty Analysis

#### Cost / extensibility trade-offs

Cost model applied



## Considering CPU requirements in addition to communication requirements

- ✓ <u>Assumptions:</u> each service requires a CPU time proportional the # of flows it processes all processors have equivalent CPU power in this experiment
- ✓ Focus on the best performing TSN solutions: Express at top priority and 2 CBS classes below





#### Architecture synthesis: extending a core topology

#### The core topology



#### **Topological constraints**

- connection lengths,
- physical location (e.g. vs power & sensors)
- ECU dimension restricting switch sizes, number of pins, power consumption, ...



#### The evolution scenario

- adding SW or HW+SW
- assumptions on the services added (CPU and comm. requirements)
- HW components that can be added

..

#### Security and reliability

- stream segregation
- proxy ECUs
- load limits for packet inspection
- multiple paths for reliability
- ...





#### Extending a topology: HW components that can be added

#### ECUs / Processors / SoCs

- Computing power
- Reliability & security





- Additional bandwidth
- Reduce cable lengths e.g. with daisy chains

Catalogue of cost-effective "extension patterns" comprised of several HW components



Network interface + link ("dual homing")

- Load balancing
- Reliability & Security

Link between switches

ECUs with internal switch

- Space & cost optimization
- Re-use in next generation

Additional bandwidth e.g. on backbone





## Illustration: computer-generated architectures based on a core topology



- ✓ <u>Heuristic applied here:</u> additional ECUs close to the "hot-spots", i.e. ECUs subject to max. variability pressure in terms of # future services added
- ✓ Parameter specifies trade-off between topology balance / hot-spots coverage



Candidate Sol. A
(3 or 4 ECUs per zone)



Candidate Sol. B (2 ECUs per zone)



Candidate Sol. C (1 ECU per zone)

Daisy-chains & bus topology using 10BASE-T1S, and different types of CPUs open up many more design options that can be systematically explored



#### Conclusion and a look forward





#### Ignore, challenge, or embrace it?

The state of technology enables computer-aided E/E architecture design, incl. evidence-supported TSN architectural & technological choices

Complexity, time & cost effectiveness, extensibility requirements are key drivers



Is it just a convenient tool or will it ultimately reshapes the innovation process & the organization of R&D?

How such a novel approach fits into the existing design flow at BMW? Which timeline, limitations and risks, what to expect and not expect?





