Abstract-In this paper we present a CO-SImulation Trace Analysis (COSITA) tool in order to analyze functional/architectural properties, in the automotive field. These properties should enhance a specific design requirement that we call functional/architectural diagnosability. The validation process is applied on a real automotive experimental embedded platform called DIAFORE based on several Electronic Control Units. In the design phase of a System Development Life Cycle, we aim to analyze the functional/architectural diagnosability by analyzing its properties (observability, reachability, etc.), using a co-simulation-based approach. In this paper, our objective is to verify that the analysis made on the real platform is consistent with the theoretical analysis made on the co-simulation results. We believe that simulating a functional model is not sufficient to analyze system properties, because each hardware instantiation has its own properties constraints and limitations. Therefore, a hardware architecture characteristics modification may change the system requirements correctness. Hence, we co-simulate the Hardware (HW) and Software (SW) models, and then we analyze the interaction between them, by analyzing the co-simulation trace. For co-simulation, we use SystemC and Matlab/Simulink tool, with objectively selected simulation scenarios reflecting the system behavior.
I. INTRODUCTION
OWADAYS, systems in the automotive industry are becoming more complex due to the growing demand on driving assistance functions. In order to improve the reliability of the design, we have to foresee the possibility of system failure. Assessing the diagnosability of a system regarding a defined set of faults ensures that any eventual occurrence of one of the faults will be correctly detected, identified and hence isolated.
In [1] , a new framework for design of automotive systems was defined as result of the IDD (Integrating Diagnosis in the Design of automotive systems) European projects, especially Model-Based Diagnosis which is suitable for integrating diagnosis in the design of electronic systems; both from the methodological and the practical point of view [2] .
In this work, we consider embedded on-line Modelbased Diagnosis [3] as a requirement at the design time. The model-based approaches for diagnosis and diagnosability analysis that were developed in the domains of automatic control and artificial intelligence can be classified into two categories:
• state-based approaches, which are suitable for continuous systems as shown in [4] , • and event-based approaches [5] , which are suitable to use with discrete-events models to represent an electronic embedded system [6] . At the system modeling phase in event-based approaches, we should provide the maximum of faults models. There is also a recent approach that deals with hybrid systems where both continuous and discrete aspects coexist in modeling [7] [8] . However, in all these categories, there is an absence of the architecture description. Hence, the limitations on the diagnosability imposed by the hardware architecture are not considered, therefore we present in this paper the first step that will lead us to analyze, the diagnosability requirement of an embedded hardware architecture, taking into account simultaneously functional (software) and architectural (hardware) aspects.
To present our contributions, this paper is structured as follows:
First, we present the functional/architectural diagnosability analysis. Then in section III, we present the co-design technique that we use for co-simulation. In section IV, we describe our tool COSITA (COSimulation Traces Analysis) that we have developed to analyze several properties. In section V, we discuss the hardware architecture properties.
Section VI shows some results. We validate the results via an automotive platform in section VII. Finally, we conclude this paper and present our future works in section VIII.
II. FUNCTIONAL/ARCHITECTURAL DIAGNOSABILITY
A. Diagnosability Definition Our tentative definition would describe Diagnosability as the property of a system allowing it to react face to a set of anticipated faults, in order to reduce the cases where no decision can be made after fault detection.
B. Scope of the Functional/Architectural
Diagnosability Metrics We have updated the definition of classic diagnosability metrics and define new ones to adapt them for functional/architectural analysis: Observability and reachability. The different diagnosability metrics that we defined are:
• The observability is defined as a Boolean property, or a time schedule of available windows for observations in a sub-system (I/O, communication bus) or a degree for the whole system, • The reachability is a Boolean property, representing the possibility for a node to reach an I/O or a variable value;
The diagnosability is often defined as a degree, i.e. a percentage combining the observable and reachable I/Os or variables over their total number. These metrics will be analyzed through Comodeling and Co-simulation techniques described in the following section.
III. HW/SW CO-MODELING AND CO-SIMULATION
The electronic HW/SW architecture that we comodel is composed of ECUs (Electronic Control Units) interconnected by a communication bus [9] . Every ECU is composed of a processor, a memory, a CAN interface and I/O interfaces.
A. SystemC/ Simulink Co-Modeling
In the first place, we used SystemC as a HW/SW Co-Modeling language for the entire system [10] . Therefore, it is not possible to implement the software part of the model developed in SystemC on our platform (Fig. 7 ) since this latter supports only C code generated from Simulink Blocks. Furthermore, Simulink is well established in the automotive industry as a quick modeling tool, offering automatic code generation.
Therefore, we use SystemC as modeling language for hardware architecture and Simulink as functional modeling language. So, we need to interface both SystemC and Simulink models as it is done in [11] . We used the «engine.h» C++ library (in the SystemC code), which allows commanding Matlab, stopping it and exchanging data with it from a program written in C, C++, Fortran, etc. Then, Matlab launches Simulink environment for simulation.
B. ECUs and CAN Bus Modeling
In this part of the work, we have modeled in SystemC the CAN protocol real-time behavior to realize communications between ECUs models (Fig.  1) . We have simplified the details to ease the modeling by implementing a virtual arbiter in the bus. With the Transaction Level Modeling (TLM), the communication between components is described as function calls.
Each ECU that needs to send a message transmits a request to the bus. If at least 2 ECUs request a bus transmission at the same time (i.e. in a time shorter than a bus cycle), the bus arbiter selects the most important message by comparing arbitration fields in the two messages. The same clock is used for all processors as the level of modeling granularity is high.
It is important to note that full CAN protocol is used only in models with high level of granularity, expressing transactions between ECUs. 
C. SystemC / Simulink Co-Simulation
The co-simulation interface may be in one of two ways: Either SystemC is in charge of controlling the simulation (as SystemC environment includes also a simulator) by running the Simulink model through MATLAB, or Simulink is considered as the master of the simulation and controls SystemC models [12] [13].
For our system, we adopted the first approach simply because it is the architecture (ECUs and CAN bus) that includes the embedded function (Fig. 2) . SystemC enables us to properly model the ECUs, the CAN bus and the interconnections. The developed HW model in SystemC will be our virtual platform quite close to our real one.
IV. COSITA Tool
We have developed the COSITA tool in order to have an interface between co-simulation and properties analysis (Fig. 3) . 
A. Simulation Inputs
One of our objectives is to generate scenarios for the execution of the simulated and implemented application. Therefore the first idea is to generate random values for Inputs/Outputs. But we aim to have a more intelligent approach to generate these values. Therefore, we used the dichotomous approach to cover the I/O signal range. On the other hand, several other scenarios generation methods may be used based on condition and decision coverage techniques.
Our tests will then be based on running N simulations, and in each run we apply new selected input values that may be considered as critical for the system.
B. Trace Files Generation and Analysis
The SystemC-Simulink co-simulation generates dated log files with all information about values changes of variables, ports…etc. While designing the SystemC model, we should indicate that we need to generate the simulation trace files, by adding the simple instruction "sc_create_vcd_trace_file()" to the program. Trace generation will be done by writing in a chronogram file; each signal can be logged simultaneously in several files. These files reflect the activity of the system. Trace files analysis can monitor the total behavior of a hardware architecture. For example, we can trace the internal and external activities of an ECU through its ports identifiers, variables identifiers, etc.
These trace files are in Value Change Dump (VCD) format. This VCD format is specified in the standard IEEE 1364. The VCD file starts with header information giving the date, the simulator's version number and the timescale used. Next, the file contains definitions of the scope and type of variables being dumped, followed by the actual value changes at each simulation time increment. Only the variables that change value during a time increment are listed. The simulation time recorded in VCD file is the absolute value of the simulation time for the changes in variable values (Fig. 4) . The tool suite COSITA launches SystemC-Simulink co-simulation by generating selected scenarios for cosimulation. After that, COSITA collects co-simulation traces files, merges them and analyze functional/architectural diagnosability metrics (observability and reachability) by parsing these trace files.
In a similar way of formal methods property checking techniques, we use the analysis of simulation traces method to verify certain HW-SW properties of the system modeled in SystemC-Simulink. The analysis of simulation traces has been discussed and compared to the SystemC-Simulink code parsing possibility, before it is applied.
V. FUNCTIONAL/ARCHITECTURAL DIAGNOSABILITY PROPERTIES ANALYSIS
Setting HW-SW properties for analyzing electronic architecture is strongly linked to the definition of requirements at the beginning of the development cycle. Thus, to satisfy the requirement of diagnosability in automotive architecture, we defined, but not limited to, two properties to be analyzed; Observability and Reachability.
A. Observability Checking
By observability, we mean the possibility for different functions of a system (identified by their I/Os and memory variables) to be observed by an independent diagnosis process, without interfering with the nominal operation of the system. Therefore, we check the observability potential (property) for an electronic system to allow adding a process of real time observation of the system's behavior.
We consider the observability property as a Boolean indicator for the functional/architectural diagnosis ability. It is true when the time available is sufficient for on observing process to carry out the periodic surveillance process. Hence, to determine the available time intervals for the observation process, we seek the free cycles not exploited by the nominal operation of the system.
After that, we compare the duration of the available cycles with the time necessary to execute the observation process using the same hardware resources. Keeping the same principle of analysis, this property could be also represented as an observation schedule. However, if the architecture becomes complicated, observability is represented as a degree or a Boolean as we cannot combine different observation schedules. This subject has been discussed in an earlier paper [14] .
B. Reachability Checking
We define reachability property as a Boolean indicator for the diagnosability of the hardware architecture. It is true when an ECUi can get access to Inputs/Outputs values of an ECUj, when both ECUi and ECUj are connected through the communication bus.
To determine the reachability of an ECUi to an Input/Output proper to ECUj, we seek messages sent from ECUi, having as a target the Input/Output in ECUj, by analyzing communication traces. For example in the (Fig. 5) , we have S3=f(E1).To get the E1 value to compute f(E1), E1 of ECUj should be reachable from ECUi. 
VI. PROPERTIES ANALYSIS RESULTS
We have tested our approach on the Smart Distance Keeping (SDK) function, given by a truck manufacturer. "SDK" is equivalent to the Adaptive Cruise Control (ACC) function, except that the distance/speed regulation is based only on a fixed
distance of 50 m (compliant to Europ for heavy trucks) [15] . Thus, using em the SDK sub-system maintains a safe i.e. the inter-vehicle distance is varying the velocity and is maintained at a distance of 50 m (Fig. 6) . TABLE 1 shows that 40% of the execute observation process on the CA on the global system (ECUs and CAN b
The Boolean value "1" for the "Relative distance" (Input) and Vehicle confirm the observability of the event. 
VII. ANALYSIS VALIDAT

A. DIAFORE: The emulation Platform
Simulation helps engineers validate viewpoint of hardware architecture de we are not able to test the physical real of embedded functions through simula the simulation, emulation allows the va make tests very close to the final operat electronic system, but on a unique conf by the manufacturer of the testing platfo DIAFORE is an automotive embe composed of several Electronic Cont Continental Corporation and based microcontrollers. These units can com each other, with a development PC devices through the CAN bus (Fig. 7) .
To implement an application on the pl step is to create a Simulink model of using blocks with a given sample ti application is validated during the sim 
B. Comparing Simulation-Emulation
In order to validate the results properties analysis, we check prop simulated models but also for dev running on a real automotive har Then we compare both simulati results.
All simulated models are no compared to real devices due t sampling rates or to other physical c In order to compute and com results, we generate trace files fro and emulation. Traces are obtained formats depending of the source. trace is obtained directly under a while emulation results trace is obta format.
• We have chosen CANalyzer to file due to its time accuracy, wh the program implemented in CA internal counter with a resolu Compared to the simulation tests, as a restriction since with the sim we can obtain a resolution of abo or microseconds, which is imp real platform tools.
Trace file generation from
• Trace file generation from sim The generation of these files i simulator in the VCD format as d
In order to unify analysis metho compare simulation and emulation transform the emulation traces files fro to a VCD format that contains only the there are values changes (Fig. 8) . 
C. Diagnosability metrics analyses com
The comparison analysis results simulation and emulation is direc SystemC-Simulink co-simulation re emulation on the automotive platform retrieve the generated VCD text files simulation and from emulation, anal identify the differences. In the follow different situations of the analysis comp
•
The first situation shows ex analysis results in both s (Fig.  not frequent; it reflects a precisely similar to the rea hard to obtain. Fig. 9 . Observability analyses compari
The second situation discrepancy between t observable slots of time between simulation and em may be the most probable • The last situation presents where a large differenc instance, concerning analysis, we may have two a. Both results different obs (Fig. 11) .
b. Only one of observable (F These two scenarios may be c reasons related to the hardware, b same software model in simulati such as:
• 
