

Automated Driving Systems—comprised of advanced driver assistance systems and autonomous vehicle functions—require the highest levels of safety and security in a vehicle. Many of today’s self-driving pilot programs run on consumer-grade platforms without the safety and security required for high-volume production. Using its decades of experience making life-critical avionics systems safe and secure, Green Hills Software is helping automotive companies achieve the safety and security necessary for production-level ADAS and automated driving systems.


The challenge for Automated Driving Systems

The promise of saved lives and autonomous convenience is creating a revolution for systems responsible for driving automation. Automated Driving systems, if fully realized, will save hundreds of thousands of lives, save billions in wasted costs and create billions in new business opportunities.

To realize the promise, today’s ADAS systems must be greatly expanded in terms of complexity, intelligence, safety and security.

The industrialization of Level 1-3 systems follows traditional industry processes, but these processes are not sufficient for Level 4 and 5 systems. New paradigms are required for the transportation industry to graduate today’s pilots and test vehicles into high-volume vehicles with safety-certified systems.

Projected timeline of evolution to higher autonomous driving levels (defined below) by major automotive manufacturers.

  • Level 5: Full self-driving with no limitations.
  • Level 4: Local robotaxi. True self-driving, but under limited circumstances, e.g. geo-fenced.
  • Level 3: Traffic jam chauffeur. Similar to Level 2, but human has more time to take over.
  • Level 2: Control of both steering & speed/brakes under limited circumstances. Requires driver monitoring - human must be ready to take over.
  • Level 1: Either steering or speed/brake, but not both. Requires driver monitoring - human must be ready to take over.
  • Level 0: No automation. Standard features today: anti-lock brakes, AEB, cruise control.

The SAE Levels of Driving Automation and associated trends. The industrialization of Level 1-3 systems follows traditional industry safety and security certification processes that are not sufficient for Level 4 and 5 systems.

Level 4 and 5 systems are characterized by:

  • Multiple sensor types
  • Multicore heterogeneous processors
  • Custom SoCs and ASICs
  • Multiple operating systems, some open-source consumer quality
  • Layers of multi-vendor software contributors
  • Pilots and test vehicles not designed with production level safety or security in mind
  • Connected vehicles
  • No methods to test or validate L4/5 autonomous systems with traditional ISO 26262, ASPICE

Innovations from Green Hills include:


  • ASIL D plausibility analysis channel
  • ASIL D secure virtualization
  • Multi-OS and mixed criticality
  • Proven software architectures and design techniques for foundational safety and security
  • Support for complex multicore SoCs and ASICs

Development and Testing

  • Multi-site system debug, test and validation
  • Innovative processor-in-the-loop development/verification platforms
  • Pre-silicon test, validation and verification

A safety foundation

The Green Hills Platform for Safe and Secure Automated Driving Systems enables OEMs and their suppliers to achieve their business and technology goals in designing and manufacturing Levels 1 - 5 systems, with a focus on:

  • Safety
  • Security
  • Innovative Development Platforms

Achieving software safety for Automated Driving Systems requires the separation, isolation, containment and control of individual software elements. For decades, Green Hills has been the recognized leader in providing a complete portfolio of certified products and services to manufacturers of life-critical machines, such as aircraft avionics, industrial machinery and medical devices. Today, INTEGRITY powers safety-critical vehicle ECUs in hundreds of millions of vehicles.

INTEGRITY RTOS—The Platform is built on the INTEGRITY real-time operating system (RTOS) technology, certified at the world's highest safety and security levels. It provides proven reliability and separation with unmatched Common Criteria EAL 6+ security credentials and ISO 26262 ASIL D safety certification. INTEGRITY provides guaranteed allocation of system CPU and memory resources, even when faced with malicious or unintended events. Even AUTOSAR applications can be run in their own partitions, giving system designers more flexibility to build scalable systems.

INTEGRITY RTOS separation architecture

The INTEGRITY certified separation architecture isolates functions of mixed levels of criticality making it an ideal architecture for developers of automated driving systems.

INTEGRITY Multivisor secure virtualization and separation technology allows ISO 26262-certified applications to concurrently run alongside general-purpose applications or guest operating systems (Linux, Android, others) with freedom-from-interference and with guaranteed access to system resources. Successfully deployed in millions of critical embedded systems since 2003, it’s a system virtualization service of INTEGRITY and therefore inherits the safety and security features of INTEGRITY’s architecture including:

  • Native execution performance
  • Shared peripherals
  • Determinism
  • Fast-boot
  • Multicore control

Safety-Certified Software Development Tools include the MULTI IDE, optimizing C/C++ compilers and C/C++ run-time libraries that are qualified for developing ISO 26262 ASIL D applications. In addition, the MISRA C Adherence Checker, DoubleCheck Static Analysis Tool and other integrated tools help developers produce production-quality code that executes at maximum speed with the smallest code size.

Advanced Safety Services for safety board support packages (BSPs) and middleware are available from safety experts at Green Hills.

Safety paradigms for Level 4 and Level 5 systems

New Level 4 and 5 systems use artificial intelligence (AI) based on neural networks to perceive a vehicle’s environment. This AI brings tremendous capabilities but comes with a serious disadvantage: because neural networks calculate solutions as a “black box”, they are impossible to test or validate using traditional (ISO 26262, ASPICE) methods that assume a programmatic algorithm.

A solution to this dilemma is a dual-channel approach where the INTEGRITY RTOS runs an ASIL D plausibility analysis function in parallel with the AI black box inference engine. In case of disagreement between the two channels, a decision function, again running on INTEGRITY, makes the final decision.

End-to-end security

For automated systems controlling life-critical vehicles, there is no safety without security. For Automated Driving Systems, security threats can attack from the outside through wireless connections, or from within, from poorly designed hardware and software.

The ramifications of poor security are acute and dramatic for Level 4 and 5 autonomous and connected systems. Because millions of cars can use the identical autonomous driving ECU, a single vulnerability in that ECU could be instantly “turned on” across millions of cars by a single malicious command, cloaked in a benign looking over-the-air update that delivers a poisoned payload or simply a command that exploits a pre-existing flaw in the ECU. Public demonstrations of automotive security vulnerabilities are well known in the industry.


Mass production of a single security vulnerability can mean catastrophic results in millions of vehicles that share the same automated driving ECU.

Addressing external & internal security threats

The Green Hills Platform provides products, technologies and services that address external and internal security threats. It provides end-to-end protection across all product lifecycle phases of an Automated Driving system, spanning system design, software development, device manufacturing, supply chain management, over-the-air updates, ECU authentication and secure program execution.

  • Security through EAL 6+ certified separation of critical software functions and guest operating systems with the INTEGRITY RTOS and INTEGRITY Multivisor secure virtualization
  • Embedded Cryptographic Toolkit is FIPS 140-2 Compliant Suite B and allows engineers to secure the ECU
    • Secure boot, including trust anchor provisioning and software signing
    • Secure data-at-rest with encrypted key storage, integrated and optimized for the processor
  • The Device Lifecycle Management System (DLM) is a cloud-based credential management tool for manufacturers of Automated Driving ECUs. DLM allows them to securely generate, distribute and track keys and secure credentials through their supply chain
  • OTA service securely manages connected devices anywhere in the world
    • Connect worldwide over all mobile networks
    • Standards-based Open Mobile Alliance Device Management (OMA-DM 2.0), including the latest Software Component Management Object (SCOMO)
    • Web-based command center with automated REST interface
    • DLM OTA agent includes FIPS-140 Level 2 embedded algorithms
  • Security Design and Vulnerability Assessments and other consulting services

Innovative development platforms

As Automated Driving Systems become more sophisticated, developing and integrating hardware and software for safety-certified systems faces unprecedented challenges. Key factors driving these new challenges include pre-silicon software development, uncertain AI safety, open-source software, hardware verification, and integrated system validation.

The Platform for Safe and Secure Automated Driving Systems offers the following innovative development environments:

  • Pre-silicon verification and prototyping platforms
  • Automotive simulator, model-based application programming and processor-in-the-loop testing
  • BlueBox Autonomous Driving Processor Platform

Cadence co-verification and prototyping

Green Hills products integrated with the Cadence Verification Suite enable concurrent hardware/software development and testing before first silicon is available. This allows projects to “shift left” their timeline for integrating SoCs with automated driving applications and underlying drivers, middleware and operating systems.

The core engines of the suite include:

  • Formal Verification—JasperGold Formal Verification Platform apps that address specific design and verification of RTL
  • Virtual System Platform—Functional model for first software development before RTL or FPGAs
  • Emulation—Palladium Enterprise Emulation Platform that runs RTL code on custom ASICs
  • FPGA Prototyping—Protium FPGA-Based Prototyping Platform that runs RTL code on FPGAs

Developing and testing production-grade automated driving applications on a continuum of pre-silicon verification and prototyping platforms saves time and money while improving software and silicon quality.

BlueBox Platform for Safe Autonomous Driving

The focus of the autonomous driving ecosystem has shifted from performance at any cost to safety for mass production roll out. To that end, NXP and Green Hills have created the BlueBox Platform for Safe Autonomous Driving. It combines safety and performance on a trusted development and reference processor platform suited to the rigors of autonomous vehicle industrialization.

  • The INTEGRITY architecture is certified for ISO 26262 ASIL D
  • BlueBox compute and vision acceleration at ASIL B; subsystems and dedicated interfaces are ASIL D
  • Green Hills MULTI and C/C++ compilers are qualified for ASIL D software development
  • Safety-critical applications, such as fusion and planning, are run and protected by INTEGRITY RTOS
  • Motion planning by embotech generates the best path from tens of thousands of candidate paths per second
  • Statistics and networking apps run on Linux which is safely and securely virtualized by INTEGRITY Multivisor; when Linux crashes and restarts, critical autonomous tasks run unaffected

The BlueBox Platform for Safe Autonomous Driving combines safety and performance on a trusted development and reference platform suited to the rigors of autonomous vehicle industrialization.

Autonomous vehicle processor-in-the-loop platform

Developed by ANSYS and Green Hills Software, the platform is a virtual world driving simulator and model-based software development environment to rapidly prototype and run ASIL D applications on automotive-grade processors:

  • ANSYS SCADE Suite model-based application development generates ISO 26262 ASIL D code and enables rapid testing of path planning algorithms
  • Green Hills MULTI IDE is the ASIL D-certified C/C++ development environment
  • Green Hills ASIL D-certified INTEGRITY RTOS runs autonomous applications on automotive-grade SoCs
  • ANSYS virtual world driving simulator incorporates dozens of inputs from:
    • Camera and Lidar sensors
    • Traffic and environment
    • Feedback from code executing on automotive-grade SoC
  • ANSYS SCADE Display generates OpenGL graphics for instrument cluster

The Autonomous Vehicle Processor in Loop Platform, developed by ANSYS and Green Hills Software, is a virtual world driving simulator and model-based software development environment to rapidly prototype and run ASIL D applications on automotive-grade processors.

Robot Operating System (ROS)

The Green Hills Platform for Automated Driving provides ROS developers an efficient and clear path to transition ROS objects to embedded processors, rapidly reducing the time needed to deploy safety-certified production-grade software.

  • ROS objects run as native tasks on the safety-certified INTEGRITY RTOS, taking advantage of its freedom-from-interference and guaranteed resource allocation features
  • Improved visibility through a single, unified MULTI debugging session that can debug all ROS components in an autonomous system:
    • ROS components on workstation and on target hardware
    • Linux kernel and applications environments on workstation and on target hardware
    • RTOS tasks and drivers
  • The MULTI IDE and C/C++ toolchain are qualified for ISO 26262 ASIL D and IEC 61508 SIL 4, with certified run-time libraries
  • INTEGRITY Multivisor virtualization gives developers the option of running unmodified ROS applications in a virtualized Linux environment. From there, they can either be ported to the safety-certified INTEGRITY RTOS or simply deployed as non-critical components
  • The ROS solution is independent of processor and ROS framework vendor

The INTEGRITY separation architecture isolates functions of mixed levels of criticality, an ideal architecture for developers of automated driving systems.

Shown here is the ROS-based architecture for:
a) pilot programs and PoCs
b) migration to production and
c) purpose-built for production.

Platform components

Scalable Family of Real-Time Operating Systems and Secure Virtualization

  • Safe — The safety certified INTEGRITY RTOS technology is certified to the highest safety levels for ISO 26262 (ASIL D) and IEC 61508 (SIL 4).
  • Secure — INTEGRITY RTOS technology is certified to the highest security level ever achieved for any software product—Common Criteria SKPP, EAL 6+ High Robustness—and is incorporating the latest automotive cybersecurity standards as defined by ISO/SAE DIS 21434 CAL 4 and UNECE WP.29 CSMS.
  • Flexible — INTEGRITY Multivisor securely and safely runs guest operating systems alongside critical applications
  • Deeply embedded — µ-velOSity microkernel offers a tiny footprint and simple programming model for microcontroller architectures.
    The µ-visor virtualization solution for microcontrollers features robust hardware-enforced software separation, multi-OS support, and real-time efficiency to safely and securely consolidate critical workloads on resource-constrained processors
  • Open — Automotive application programming interfaces to OSEK, AUTOSAR and POSIX

Middleware components

Software Development tools

  • MULTI IDE and Green Hills toolchain are qualified to the highest functional safety levels, including ISO 26262 (ASIL D) and IEC 61508 (SIL 4) and EN 50128 (SIL 4)
  • Green Hills Optimizing Compilers for C, C++, and Embedded C++ generate the fastest and smallest production-quality code on a broad range of automotive processor architectures
  • MULTI IDE includes multicore debugger, profiler, simulator, run-time error checking, project builder, editor and much more
  • TimeMachine revolutionary debugging suite. Run and step an application back in time to find even the most difficult bugs in minutes.
  • MISRA C Adherence Wizard for building in code quality at the time of compilation
  • DoubleCheck integrated static source code analyzer
  • Integration with MathWorks' Embedded Coder and Simulink for modeling, simulation and PIL testing

Hardware Development tools

  • Green Hills Probe V4 for multicore hardware bring-up, low-level debugging and trace-powered analysis tools


  • Embedded Cryptographic Toolkit provides FIPS 140-2 compliant services for securing embedded devices through secure boot, secure data storage, secure networks (SSL, TLS, IPSec, SSH) and digitally signed secure OTA firmware updates

Device Lifecycle Management (DLM)


Solution ecosystem

Green Hills understands the value of providing integrated, total solutions directly to its powertrain customers. In addition to offering the industry's most comprehensive solutions, we have partnered with best-in-class technology providers to integrate their complementary products with the Green Hills Platform for Automated Driving, including:

  • Accelerated 2D and 3D graphics and UI kits
  • Automotive connectivity
  • AUTOSAR Classic and Adaptive support for the leading AUTOSAR stack providers
  • Operating systems including Linux, Android, and ROS
  • Applications development and services
  • Co-simulation and co-verification
  • Database and storage including embedded databases and flash devices
  • Code quality, test, and management including automated testing and code coverage analysis tools
  • Application modeling and simulation for building and evaluating applications early in the software lifecycle
  • Network protocols and security for communications within the vehicle network and to the external world
  • Automotive processors from leading semiconductor manufacturers
