Leading the Embedded World

Green Hills Platforms for Automotive:

Automated Driving Systems
Platforms for Automoated Driving Systems


Automated driving systems, comprised of advanced driver assistance systems and autonomous vehicle functions, require the highest levels of safety and security in a vehicle. Consumer-grade run-time platforms can’t deliver the safety and security required for high-volume production.

Using its decades of experience making life-critical electronics systems safe and secure, Green Hills Software is helping automotive companies achieve the safety and security necessary for production-level ADAS and automated driving systems.

The Challenge for Automated Driving Systems

The promise of saved lives and autonomous convenience is creating a revolution for systems responsible for driving automation. Automated driving systems, if fully realized, will save hundreds of thousands of lives, save billions in wasted costs and create billions in new business opportunities.

Green Hills Software is helping automotive companies achieve the safety and security necessary for production-level ADAS and automated driving systems.

To realize this promise, today’s ADAS systems must be greatly expanded in terms of complexity, intelligence, safety and security.

The industrialization of producing Level 1-3 systems follows traditional industry processes but these processes are not sufficient for Level 4 and 5 systems. New paradigms are required for the transportation industry to graduate today’s pilots and test vehicles into high-volume vehicles with safety-certified systems.

Level 5

Level 4

Level 3

Level 2

Level 1

Level 0

Full self-driving with no limitations

Local robotaxi
True self-driving, but under limited circumstances, e.g. geo-fenced.

Traffic jam chauffeur
Similar to Level 2, but human has more time to take over.

Control of both steering & speed/brakes under limited circumstances.
Requires driver monitoring - human must be ready to take over.

Either steering or speed/brake, but not both.
Requires driver monitoring - human must be ready to take over.

No automation.
Standard features today: anti-lock brakes, AEB, cruise control.

The SAE Levels of Driving Automation and associated trends. The industrialization of Level 1-3 systems follow traditional industry safety and security certification process that are not sufficent for Level 4 and 5 systems

Level 4 and 5 systems characterized by:
  • Multiple sensor types
  • Multicore heterogeneous processors
  • Custom SoCs and ASICs
  • Multiple operating systems, some open-source consumer quality
  • Layers of multi-vendor software contributors
  • Pilots and test vehicles not designed with production level safety or security in mind
  • Connected vehicles
  • No methods to test or validate L4/5 autonomous systems with traditional ISO 26262, ASPICE
Innovations from Green Hills include:


  • ASIL D plausibility analysis channel
  • ASIL D secure virtualization
  • Multi-OS and mixed criticality
  • Proven software architectures and design techniques for foundational safety and security
  • Support for complex multicore SoCs and ASICs

Development and Testing

  • Multi-site system debug, test and validation
  • Innovative processor-in-the-loop development/verification platforms
  • Pre-silicon test, validation and verification

A safety foundation

The Green Hills Platform for Safe and Secure Automated Driving Systems enables OEMs and their suppliers to achieve their business and technology goals in designing and manufacturing Levels 1-5 systems, with a focus on:

  • Safety
  • Security
  • Innovative Development Platforms

Achieving software safety for automated driving systems requires the separation, isolation, containment and control of individual software elements. For decades, Green Hills has been the recognized leader in providing a complete portfolio of certified products and services to manufacturers of life-critical machines, such as aircraft avionics, industrial machinery and medical devices. Today, INTEGRITY powers safety-critical vehicle ECUs in hundreds of millions of vehicles.

INTEGRITY RTOS—The Platform is built on the INTEGRITY real-time operating system (RTOS) technology, certified at the world’s highest safety and security levels. It provides proven reliability and separation with unmatched Common Criteria EAL 6+ security credentials and ISO 26262 ASIL D safety certification. INTEGRITY provides guaranteed allocation of system CPU and memory resources, even when faced with malicious or unintended events. Even AUTOSAR applications can be run in their own partitions, giving system designers more flexibility to build scalable systems.

INTEGRITY RTOS separation architecture

The INTEGRITY certified separation architecture isolates functions of mixed levels of criticality making it an ideal architecture for developers of automated driving systems.

INTEGRITY Multivisor secure virtualization and separation technology allows ISO 26262-certified applications to concurrently run alongside general-purpose applications or guest operating systems (Linux, Android, others) with freedom-from-interference and with guaranteed access to system resources. Successfully deployed in millions of critical embedded systems since 2003, it’s a system virtualization service of INTEGRITY and therefore inherits the safety and security features of INTEGRITY architecture including:

  • Native execution performance
  • Shared peripherals
  • Determinism
  • Fast-boot
  • Multicore control

Safety-Certified Software Development Tools include MULTI IDE, Optimizing C/C++ compilers and C/C++ run-time libraries that are qualified for developing ISO 26262 ASIL D applications. In addition, the MISRA C Adherence Checker, DoubleCheck™ static analysis tool, and other integrated tools help developers produce production-quality code that executes at maximum speed with the smallest code size..

Advanced Safety Services for safety board support packages (BSPs) and middleware are available from safety experts at Green Hills.

Safety paradigms for Level 4 and Level 5 systems

New Level 4 and 5 systems use artificial intelligence (AI) based on neural networks to perceive a vehicle’s environment. This AI capability brings tremendous capabilities but comes with a serious disadvantage: Because neural networks calculate solutions as a “black box,” they are impossible to test or validate using traditional (ISO 26262, ASPICE) methods that assume a programmatic algorithm.

A solution to this dilemma is a dual-channel approach where the INTEGRITY RTOS runs an ASIL D plausibility analysis function in parallel with the AI black box inference engine. In case of disagreement between the two channels, a decision function, again running on INTEGRITY, makes the final decision.

End-to-end security

For automated systems controlling life-critical vehicles, there is no safety without security. For automated driving systems, security threats can attack from the outside through wireless connections, or from within from poorly designed hardware and software.

The ramifications of poor security are acute and dramatic for Level 4 and 5 autonomous and connected systems. Because millions of cars can use the identical autonomous driving ECU, a single vulnerability in that ECU could be instantly “turned on” across millions of cars by a single malicious command, cloaked in a benign looking over-the-air update that delivers a poisoned payload or simply a command that exploits a pre-existing flaw in the ECU. Public demonstrations of automotive security vulnerabilities are well known in the industry.

catastrophic results of ECU security vulnerability

Mass production of a single security vulnerability can mean catastrophic results in millions of vehicles that share the same automated driving ECU.

Addressing external & internal security threats

The Green Hills Platform provides products, technologies and services that address external and internal security threats. It provides end-to-end protection across all product lifecycle phases of an automated driving system, spanning system design, software development, device manufacturing, supply chain management, over-the-air updates, ECU authentication and secure program execution.

  • Security through EAL 6+ certified separation of critical software functions and guest operating systems with the INTEGRITY RTOS and INTEGRITY Multivisor secure virtualization
  • ISO/SAE 21434 Automotive Security
  • Embedded Cryptographic Toolkit is FIPS 140-2 Compliant Suite B and allows engineers to secure the ECU
    • Secure boot, including trust anchor provisioning and software signing
    • Secure data-at-rest with encrypted key storage, integrated and optimized for the processor
  • The Device Lifecycle Management System (DLM) is a cloud-based credential management tool for manufacturers of automated driving ECUs. DLM allows them to securely generate, distribute and track keys and secure credentials through their supply chain
  • OTA service securely manages connected devices anywhere in the world
    • Connect worldwide over all mobile networks
    • Standards-based Open Mobile Alliance Device Management (OMA-DM 2.0), including the latest Software Component Management Object (SCOMO)
    • Web-based command center with automated REST interface
    • DLM OTA agent includes FIPS-140 Level 2 embedded algorithms
  • Security Design and Vulnerability Assessments and other consulting services

Simple and scalable high-performance AUTOSAR support

As new features and demands for safety, security, and efficiency challenge traditional vehicle electronic architectures, the AUTOSAR software framework plays a key role in managing the growing complexity of ECUs and their software. As a Premium Partner of AUTOSAR since 2005, Green Hills provides both development tools and run-time environments for the safe and secure use of AUTOSAR Classic and AUTOSAR Adaptive.

Advanced AUTOSAR-aware multicore software development

Green Hills has developed and optimized the next generation of tools and techniques for customers who are developing, debugging, optimizing, integrating, testing and delivering complex AUTOSAR-based solutions. The advanced MULTI IDE offers:

  • ISO 26262 safety-certified development tools and C/C++ run-time libraries
  • advanced debugging of multiple software components running on multiple AUTOSAR Classic and/or Adaptive environments from various vendors, even across heterogenous cores on complex multicore SoCs
  • advanced time-synchronized system viewing that is OS and trace log agnostic with minimal intrusion
  • run forward and backward in time to find the most difficult bugs

Safe and secure execution

The INTEGRITY RTOS and its Multivisor secure virtualization provide the certified separation and guaranteed hardware resources to applications and their AUTOSAR components, including safety and security tasks, drivers, middleware, guest operating systems and AUTOSAR operating systems. The resulting freedom-from-interference is a vital feature to safely and securely run these complex mixed-ASIL software components with determinism, across multicore heterogenous SoCs.

For AUTOSAR Classic, the INTEGRITY RTOS executes one or more AUTOSAR Classic environments in virtual address spaces/containers across one or more cores on a high-performance multicore application processor. No virtualization is required. This means customers have the flexibility to incorporate and run their own AUTOSAR Classic asset, an OEM’s AUTOSAR Classic asset or a third-party asset without compromising the platform’s performance, safety architecture or security.

INTEGRITY architecture for AUTOSAR Classic

AUTOSAR Classic run-time environments execute natively on INTEGRITY without requiring virtualization support.
Click for a larger view.

For AUTOSAR Adaptive, Green Hills again leverages the INTEGRITY RTOS’ certified separation architecture and policies to natively run AUTOSAR Adaptive, as compared to other vendors that must rely on less secure virtualization for system separation. As a result, customers eliminate the significant complexities, performance overhead, security impacts, and development and debug challenges that come with using a hypervisor platform approach to AUTOSAR Adaptive in vehicle electronics designs.

INTEGRITY architecture for AUTOSAR Adaptive

With its separation architecture, the INTEGRITY RTOS also natively executes AUTOSAR Adaptive. Click for a larger view.

Innovative development platforms

As automated driving systems become more sophisticated, developing and integrating hardware and software for safety-certified systems faces unprecedented challenges. Key factors driving these new challenges include pre-silicon software development, uncertain AI safety, open-source software, hardware verification, and integrated system validation.

The Platform for Safe and Secure Automated Driving Systems offers the following innovative development environments:

  • pre-silicon verification and prototyping platforms
  • automotive simulator, model-based application programming & processor-in-the-loop testing
  • BlueBox Autonomous Driving Processor Platform
  • safety-certified ROS and ROS2 support

Cadence co-verification and prototyping

Green Hills products integrated with the Cadence Verification Suite enable concurrent hardware/software development and testing before first silicon is available. This allows projects to “shift left” their timeline for integrating SoCs with automated driving applications and underlying drivers, middleware and operating systems.

The core engines of the suite include:

  • Formal Verification—JasperGold Formal Verification Platform apps that address specific design and verification of RTL
  • Virtual System Platform—Functional model for first software development before RTL or FPGAs
  • Emulation—Palladium Enterprise Emulation Platform that runs RTL code on custom ASICs
  • FPGA Prototyping—Protium FPGA-Based Prototyping Platform that runs RTL code on FPGAs
Cadence pre-silicon verification and prototyping platforms

Developing and testing production-grade automated driving applications on a continuum of pre-silicon verification and prototyping platforms saves time and money while improving software and silicon quality.

BlueBox Platform for Safe Autonomous Driving

The focus of the autonomous driving ecosystem has shifted from performance at any cost to safety for mass production roll out. To that end, NXP and Green Hills have created the BlueBox Platform for Safe Autonomous Driving. It combines safety and performance on a trusted development and reference processor platform suited to the rigors of autonomous vehicle industrialization.

  • The INTEGRITY architicture is certified for ISO 26262 ASIL D
  • BlueBox compute and vision acceleration at ASIL B; subsystems and dedicated interfaces are ASIL D
  • Green Hills MULTI and C/C++ compilers are qualified for ASIL D software development
  • Safety-critical applications, such as fusion and planning, are run and protected by INTEGRITY RTOS
  • Motion planning by Embotech generates the best path from tens of thousands of candidate paths per second
  • Statistics and networking apps run on Linux which is safely and securely virtualized by INTEGRITY Multivisor. When Linux crashes and restarts, critical autonomous tasks run unaffected
Platform for Safe Autonomous Driving-Bluebox

The BlueBox Platform for Safe Autonomous Driving combines safety and performance on a trusted development and reference platform suited to the rigors of autonomous vehicle industrialization.

Autonomous vehicle processor-in-the-loop platform

Developed by ANSYS and Green Hills Software, the platform is a virtual world driving simulator and model-based software development environment to rapidly prototype and run ASIL D applications on automotive-grade processors.

  • ANSYS SCADE Suite model-based application development generates ISO 26262 ASIL D code and enables rapid testing of path planning algorithms
  • Green Hills MULTI IDE is the ASIL D-certified C/C++ development environment
  • Green Hills ASIL D-certified INTEGRITY RTOS runs autonomous applications on automotive-grade SoCs
  • ANSYS virtual world driving simulator incorporates dozens of inputs from:
    • Camera and Lidar sensors
    • Traffic and environment
    • Feedback from code executing on automotive-grade SoC
  • ANSYS SCADE Display generates OpenGL graphics for instrument cluster
ANSYS autonomous vehicle processor-in-the-loop platform

The Autonomous Vehicle Processor in Loop Platform, developed by ANSYS and Green Hills Software, is a virtual world driving simulator and model-based software development environment to rapidly prototype and run ASIL D applications on automotive-grade processors.

Robot Operating System (ROS)

The Green Hills Platform for Automated Driving provides ROS developers an efficient and clear path to transition ROS objects to embedded processors, rapidly reducing the time needed to deploy safety-certified production-grade software.

  • ROS objects run as native tasks on the safety-certified INTEGRITY RTOS, taking advantage of its freedom-from-interference and guaranteed resource allocation features
  • Improved visibility through a single, unified MULTI debugging session that can debug all ROS components in an autonomous system:
    • ROS components on workstation and on target hardware
    • Linux kernel and applications environments on workstation and on target hardware
    • RTOS tasks and drivers
  • The MULTI IDE and C/C++ toolchain are qualified for ISO 26262 ASIL D and IEC 61508 SIL 4, with certified run-time libraries
  • INTEGRITY Multivisor virtualization gives developers the option of running unmodified ROS applications in a virtualized Linux environment. From there, they can either be ported to the safety-certified INTEGRITY RTOS or simply deployed as non-critical components
  • The ROS solution is independent of processor and ROS framework vendor
The INTEGRITY separation architecture isolates functions of mixed levels of criticality, an ideal architecture for developers of automated driving systems.

Shown here is the ROS-based architecture for:
a) pilot programs and PoCs
b) migration to production and
c) purpose-built for production.
ROS architecture for INTEGRITY RTOS

Safety-Certified ROS 2 Framework for Production Programs

This framework provides a production-grade 3D LiDAR Object Detection solution that combines the safety and security of the INTEGRITY RTOS with the ROS 2-compatible, safety-certified Apex.OS development framework from Apex.AI. The INTEGRITY RTOS runs the Apex.Autonomy 3D LiDAR object detection stack and middleware in a protected partition.

  • Apex.AI OS is a fork of ROS 2, made real-time, reliable, deterministic, and certified for safety-critical applications
  • Green Hills ASIL D-certified INTEGRITY RTOS has adopted the ISO 21434 automotive cybersecurity standard
  • LiDAR data from a Velodyne VLP Hi-Res LiDAR sensor is processed by the Renesas R-Car H3 automotive processor
  • The detected objects are visualized by RViz
ROS 2 Framework for Production Programs featuring Apex.AI OS

The ROS 2 framework from Apex.AI and Green Hills Software offers a solution for developing and deploying safe and secure automated driving applications such as LiDAR-based applications.

Platform components

Scalable Family of Real-Time Operating Systems and Secure Virtualization

  • Safe — The safety certified INTEGRITY RTOS technology is certified to the highest safety levels for ISO 26262 (ASIL D) and IEC 61508 (SIL 3).
  • Secure —INTEGRITY RTOS technology is certified to the highest security level ever achieved for any software product—Common Criteria SKPP, EAL 6+ High Robustness—and is incorporating the latest automotive cybersecurity standards as defined by ISO/SAE 21434 CAL 4 and UNECE WP.29 CSMS
  • FlexibleINTEGRITY Multivisor securely and safely runs guest operating sWems alongside critical applications
  • Deeply embeddedµ-velOSity microkernel offers a tiny footprint and simple programming model for microcontroller architectures.
    The µ-visor virtualization solution for microcontrollers features robust hardware-enforced software separation, multi-OS support, and real-time efficientcy to safely and securely consolidate critical workloads on resource-constrained processors
  • Open — Automotive application programming interfaces to OSEK, AUTOSAR and POSIX

Middleware components

  • Automotive connectivity including CAN, Ethernet AVB/TSN, DoIP, SOME/IP, DDS, RTP/RTCP, gPTP Slave/Bridging, Wireless, USB, Bluetooth, and IPv4/v6 TCP/IP stack
  • Graphics and UI Kits for 2D, 3D, OpenGL, Qt Commercial, Rightware Kanzi, Altia Design, DiSTI GL Studio, Crank Storyboard, CGI Studio, HTML5
  • Internet application offerings including web servers, HTML5, email and HTTP clients
  • File systems featuring partition journaling, wear leveling flash storage and more
  • Embedded firewall
  • Secure communications protocols—SSL, SSH, IPSec, IKEv2, HTTPS, FIPS 140-2, Suite B crypto
  • Secure OTA

Software Development tools

  • The Green Hills toolchain is qualified to the highest functional safety levels, including ISO 26262 (ASIL D)
  • Green Hills Optimizing Compilers for C, C++, and Embedded C++ generate the fastest and smallest production-quality code on a broad range of automotive processor architectures
  • MULTI IDE includes multicore debugger, profiler, simulator, run-time error checking, project builder, editor and much more
  • TimeMachine revolutionary debugging suite. Run and step an application back in time to find even the most difficult bugs in minutes
  • MISRA C Adherence Wizard for building in code quality at the time of compilation
  • Integration with ANSYS SCADE, Cadence Virtual Simulation Platform and MathWorks’ Embedded Coder and Simulink for model-based code development, simulation and PIL testing

Hardware Development tools

  • Green Hills Probe V4 for multicore hardware bring-up, low-level debugging and trace-powered analysis tools


  • Embedded Cryptographic Toolkit provides FIPS 140-2 compliant services for securing embedded devices through secure boot, secure data storage, secure networks (SSL, TSL, IPSec, SSH) and digitally signed secure OTA firmware updates

Device Lifecycle Management (DLM)


Solution ecosystem

Green Hills understands the value of providing integrated, total solutions directly to its automotive customers. Green Hills has teamed with best-in-class technology providers to integrate their complementary products with the Green Hills Platform for Safe and Secure Automated Driving Systems, including:

  • Accelerated 2D and 3D graphics and UI kits
  • Automotive connectivity
  • AUTOSAR Classic and Adaptive support for the leading AUTOSAR stack providers
  • Operating systems including Linux, Android, and ROS
  • Applications development and services
  • Co-simulation and co-verification
  • Database and storage including embedded databases and flash devices
  • Code quality, test, and management including automated testing and code coverage analysis tools
  • Application modeling and simulation for building and evaluating applications early in the software lifecycle
  • Network protocols and security for communications within the vehicle network and to the external world
  • Automotive processors from leading semiconductor manufacturers

For a complete list of ecosystem partners for Green Hills Platforms for Automotive click here.

Green Hills Software Automoated Driving Systems Partners