Timing verification of automotive communication architectures using quantile estimation by Navet, Nicolas et al.
Timing verification of automotive communication architecture using quantile estimation
Nicolas NAVET (Uni Lu), Shehnaz LOUVART (Renault), Jose VILLANUEVA (Renault), Sergio CAMPOY-MARTINEZ (Renault) and Jörn MIGGE (RealTime-at-Work).
Early-stage timing verification of wired automotive …
… metrics: the …
2 typical automotive use-cases
2 Automotive communication architectures
ERTSS'2014, 07/02/2014
- Increased bandwidth requirements & timing constraints
- More complex & heterogeneous architectures with black-box ECUs
- Optimized CAN networks for higher bus loads: priorities, frame offsets, gateways, communication stacks, etc.
- Verification activity of higher importance today; higher load levels call for more accurate verification models -> no margin for errors
- Main performance metric: frame response time = communication latency
- Upper bounds on the perf. metrics -> safe if the model is correct and the assumptions are met
  - Often pessimistic -> over-dimensioning
  - Might be a gap between models and real systems! -> unpredictably unsafe then
Schedulability analysis: "mathematic model of the worst-case possible situation"
- max number of instances that can accumulate at critical instants
- max number of instances arriving after critical instants
VS
Simulation: "program that reproduces the behavior of a system"
- Models close to real systems
- Fine-grained information
- Worst-case response times are out of reach! Occasional deadline misses must be acceptable
Metrics for the evaluation of frame latencies: the case for quantiles
Q1: pessimism of schedulability analysis ?!
Using quantiles means accepting a controlled risk
one frame every 100 000
- No extrapolation here, won't help to say anything about what is …
Identifying both deadline and tolerable risks
1. Identify frame deadline
2. Decide the tolerable risk -> target quantile
3. Simulate "sufficiently" long
4. If target quantile value is below deadline, …
1) Quantiles vs average time between deadline misses

Quantile | One frame every … | Mean time to failure (frame period = 10 ms) | Mean time to failure (frame period = 500 ms)
Q3       | 1 000             | 10 s                                        | 8mn 20s
Q4       | 10 000            | 1mn 40s                                     | ≈ 1h 23mn
Q5       | 100 000           | ≈ 17mn                                      | ≈ 13h 53mn
Q6       | 1 000 000         | ≈ 2h 46mn                                   | ≈ 5d 19h
…        | …                 | …                                           | …

Warning: successive failures in some cases might be temporally correlated; this must be assessed!




2) Determine the minimum simulation length
- time needed for quantile convergence -> reasonable # of values: a few tens …
- Tool support can help here, e.g. numbers in gray
Reasonable values for Q5 and Q6 (with periods < 500 ms) are obtained in a few hours of simulation (with a high-speed simulation engine), e.g. 2 hours for a typical automotive setup
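The script below is an added example, not the authors' simulator or any RealTime-at-Work tool; it carries the four-step method above through in code with the slides' Q_k convention (Q_k = one tolerated deadline miss every 10^k frames), converts a quantile into the mean time between misses of the table, applies the "a few tens of values above the quantile" rule to derive a minimum number of simulated frame instances, and checks for runs of consecutive misses as a first test of the temporal correlation the warning mentions. Every function name is this example's own, and the latency samples are constructed with a seeded generator, not measured on a network.

```python
"""Quantile-based timing verification of frame latencies.
Added example: constructed data, hypothetical function names, not the page's tooling."""
import random


def target_quantile(k: int) -> float:
    """Q_k is the (1 - 10^-k) quantile of the frame response-time distribution."""
    return 1.0 - 10.0 ** (-k)


def mean_time_to_failure_s(k: int, period_s: float) -> float:
    """Average time between deadline misses if one frame in 10^k misses (table 1)."""
    return 10 ** k * period_s


def fmt_duration(seconds: float) -> str:
    """Render seconds in the d / h / mn / s mix used in the table."""
    d, rem = divmod(int(round(seconds)), 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return " ".join(f"{v}{u}" for v, u in ((d, "d"), (h, "h"), (m, "mn"), (s, "s")) if v) or "0s"


def quantile_k(latencies, k: int):
    """Empirical Q_k by rank: exactly n // 10^k samples lie above the returned value.
    Integer ranks avoid floating-point rounding of 1 - 10^-k. Returns (value, samples_above)."""
    s = sorted(latencies)
    n = len(s)
    above = n // 10 ** k
    return s[n - above - 1], above


def min_frames_for_quantile(k: int, tail_samples: int = 30) -> int:
    """Step 2): trust Q_k only once a few tens of observations lie above it,
    i.e. at least tail_samples * 10^k frame instances must have been simulated."""
    return tail_samples * 10 ** k


def min_simulated_time_s(k: int, period_s: float, tail_samples: int = 30) -> float:
    """Simulated time (not wall-clock time) needed for min_frames_for_quantile frames."""
    return min_frames_for_quantile(k, tail_samples) * period_s


def verify_frame(latencies, deadline, k: int, tail_samples: int = 30):
    """Steps 1-4: compare the target quantile with the deadline and report whether
    enough samples sit above the quantile for the estimate to be meaningful."""
    q, above = quantile_k(latencies, k)
    return {
        "quantile": q,
        "samples_above": above,
        "enough_samples": above >= tail_samples,
        "meets_deadline": q <= deadline,
    }


def miss_run_lengths(latencies, deadline):
    """Lengths of runs of consecutive deadline misses, in arrival order.
    Long runs mean misses are temporally correlated, so a mean time to failure
    computed from the quantile alone would be misleading."""
    runs, cur = [], 0
    for x in latencies:
        if x > deadline:
            cur += 1
        elif cur:
            runs.append(cur)
            cur = 0
    if cur:
        runs.append(cur)
    return runs


def constructed_latencies(n: int, seed: int = 1):
    """Constructed response times in ms: base delay plus rare queueing bursts. Not real data."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        x = 1.0 + rng.expovariate(2.0)
        if rng.random() < 0.001:       # occasional burst behind higher-priority traffic
            x += rng.uniform(2.0, 6.0)
        out.append(x)
    return out


def convergence_trace(latencies, k: int, checkpoints):
    """Q_k estimate after each checkpoint of simulated frames, to judge 'sufficiently long'."""
    return [(n, quantile_k(latencies[:n], k)[0]) for n in checkpoints if n <= len(latencies)]


if __name__ == "__main__":
    for k in (3, 4, 5, 6):
        print(f"Q{k} (level {target_quantile(k)}): one frame every {10 ** k:,}; "
              f"MTTF @10ms = {fmt_duration(mean_time_to_failure_s(k, 0.010))}, "
              f"@500ms = {fmt_duration(mean_time_to_failure_s(k, 0.5))}")
    lat = constructed_latencies(200_000)
    print(verify_frame(lat, deadline=5.0, k=4))
    print(convergence_trace(lat, 4, [20_000, 50_000, 100_000, 200_000]))
    print("miss runs:", miss_run_lengths(lat, 5.0)[:10])
    print("Q5 needs", min_frames_for_quantile(5), "frames, i.e.",
          fmt_duration(min_simulated_time_s(5, 0.5)), "of simulated time at 500 ms period")
```

Note the distinction between simulated time and wall-clock time: a 500 ms frame needs 3 million instances for a trustworthy Q5 estimate under the "thirty values above the quantile" rule, which is over 17 days of simulated bus time; whether that takes two hours or two days of computation depends on the simulation engine, which is the point of the slide's remark on high-speed engines.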
Typical use-cases of quantile-based performance evaluation
Use-case 1: OBD2 request through a gateway
- 50% load – 500 kbit/s
- 40% load – 500 kbit/s
Time between the OBD2 request frame and reception of the first answer frame
Functional level impact: less than 1 frame every 10^6
Concluding remarks
Simulation is well suited to systems that require timing guarantees but
- are not well amenable to schedulability analysis
- or can tolerate deadline misses with a controlled level of risk
3 Some methodological aspects
- Determine the quantile wrt criticality, and the simulation length wrt the quantile
- Simulator and models validation
- High-performance simulation engine needed for higher quantiles
Timing verification techniques & tools should not be trusted blindly [1]