The MASTECS technology will be demonstrated by developing and executing two real-world case studies from the avionics and automotive sectors.

Collins Aerospace, a unit of Raytheon Technologies Corp. (NYSE: RTX), is a leader in technologically advanced and intelligent solutions for the global aerospace and defense industry. Created in 2018 by bringing together UTC Aerospace Systems and Rockwell Collins, Collins Aerospace has the capabilities, comprehensive portfolio, and expertise to solve customers' toughest challenges and to meet the demands of a rapidly evolving global market. From the Research Centre of Raytheon Technologies in Ireland (former United Technologies), we are demonstrating the use of the MASTECS technology for the Civil Certified Vehicle Management computer. This is an adaptable baseline DAL-A (flight-critical) vehicle management computer able to host 3rd party applications, see Figure 1, combining existing legacy parts of Collins Aerospace Flight Control systems. 

 

Figure 1: CCVMC scheme
Figure 1: CCVMC scheme

 

The system is compatible with the RTCA DO-297 standard for integrated modular avionics; it includes customer configurable I/O, scalable redundancy, cybersecurity protections, etc. The system contains triplex dissimilar high-performance processors as seen in Figure 2. The MASTECS project will be focused on the analysis of the software architecture running in one of these processors, the NXP T2080 quad core processor. 
The system includes all necessary functions for flight-critical fly-by-wire system: 


• All I/O has an Enable/Disable capability at the circuit level 
• Watchdog Timers (WDT), Clock Monitors, Activity Monitors 
• Cross Channel Data Links 
• Cross Channel Status 
• Internal Lane-to-Lane Synchronization 
• External Channel-to-Channel Synchronization 
• Multiple Sources of 28 VDC power 
• Power hold-up circuitry 
• Extensive Built-In Test (BIT) 

The draft architecture of the system can be seen in Figure 2. Each Channel contains different subsystems or lanes. The idea is to offer two levels of redundancy, having different channels per aircraft and triplicated processing units per lane. 

 

Figure 2: System Architecture
Figure 2: System Architecture

 

As it can be seen in Figure 2, the VMC architecture includes 6 functional components within the same integration unit that are connected via a PCIe switch: 
• Three dissimilar quad core SBC processing units; a NXP T2080 processor, an Intel x86 processor, and an ARM A72 based processor. Table 1 shows detailed information of the processing units included. 
• One FCC I/O Card: used for Ethernet data link and synchronization purposes. 
• Two I/O Processor Cards: used for analog & discrete I/O communication with external devices. 

 

Table 1 Detail of the selected quad-core microprocessors
Table 1 

 

The integration and timing analysis of such a system, with the added difficulty of hosting 3rd party applications, is extremely challenging. Guaranteeing deterministic Worst-Case Execution Time (WCET) values is very difficult and requires extensive hardware and software knowledge together with extremely thorough testing processes. The purpose of the MASTECS project is to achieve not only that but this analysis in a much shorter time when compared to the state of the art. 

Approved for Public Release

MASTECS Technology use for the analysis of a Vehicle Domain Control Module (VDCM)

Marelli Europe s.p.a. – Powertrain division is in charge of the product area dealing with the whole vehicle’s propulsion system for ICE (Internal Combustion Engines) systems, inside Marelli group, one of the world’s leading global independent suppliers to the automotive sector, born from the fusion of Calsonic Kansei and Magneti Marelli

Marelli will deploy MASTECS technologies and tools for the analysis of a Vehicle Domain Control Module (VDCM). The VCDM is an integrated platform for Powertrain and Vehicle dynamic control. A high-level view of the diverse set of functionalities that can be managed by the VDCM is provided in the figure below. The VDCM system is compliant with the ISO26262 standard for Road Vehicle Functional Safety requirements, with the highest Automotive Safety Integrity Level (ASIL D).

 

VDCM schematic view.
VDCM schematic view

 

The system is configures by "Functions," where each function manages diverse aspects of the vehicle, ranging from canonical traction control functions to more cuttings ADAS Adaptive cruise control. The table below provides a hierarchical breakdown of main VDCM supported functions.

 

Hierarchical breakdown of provided functionalities.
Hierarchical breakdown of provided functionalities.

 

A schematic view of the system is depicted in the figure below, it shows how the VDCM ECU is connected to other vehicle's components as sensors, actuators, smart actuators, or other ECU.

Overview of system connection

Overview of system connection

 

On the hardware side, the VDCM platform is based on 32-bit TriCore™ AURIX™– TC397 Microcontroller by Infineon with the following characteristics:

  • 6 TriCore™ running at 300 MHz (with 4 additional checker cores delivering 4000 DMIPS).
  • Supporting floating point and fix point with all cores.
  • 16 MB flash/ ECC protection.
  • Up to 6.9 MB SRAM/ ECC protection.
  • 1 Gbit Ethernet.
  • 12x CAN FD, 2x FlexRay, 12x ASCLIN, 6x QSPI, 2x I²C, 25x SENT, 4x PSI5, 1x PSI5S, 2x HSSL, 4x MSC, 1x eMMC/SDIOT, 1x I²S emulation.    
  • Redundant and diverse timer modules (GTM, CCU6, GPT12).
  • EVITA Full HSM (ECC256 and SHA2).
  • LFBGA-292 package.
  • LFBGA-516 package.
  • Developed and documented following ISO 26262/IEC61508 to support safety requirements up to ASIL-D/SIL3.
  • AUTOSAR 4.2 support.
  • Single voltage supply 5 V or 3.3 V.
  • 165°C junction temperature.

From the software perspective, the VDCM architecture is based on Autosar 4.3 Conformance Class ICC3. VDCM is implemented as an Embedded Real Time Multitasking full preemptive Software, the management of scheduling and context is done by an OSEK Autosar compliant Operating System. 

In the scope of MASTECS the VCDM will be initially release as a Single Core Application and developed into a multicore application. MASTECS technology will help Marelli in finding an efficient way to partition the Software on the different cores, as well as in supporting a multicore timing analysis framework addressing the verification and certification requirements of the VDCM, once deployed as a Multicore Application. Deploying VDCM as multicore application will also require the adaptation of the implemented Autosar Basic Software Architecture, as depicted in the figure below.

 

Autosar SW Architecture for Multicore Application

 

This document belongs to Marelli Europe SpA - Powertrain.

It may not be transmitted or communicated to any third party without prior authorization.