In this paper, a new methodology is presented for topology optimization of networked embedded systems as they occur in automotive and avionic systems as well as wireless sensor networks. By introducing a model which is (1.) suitable for heterogeneous networks with different communication bandwidths, (2.) modeling of routing restrictions, and (3.) flexible binding of tasks onto processors, current design issues of networked embedded systems can be investigated. On the basis of this model, the presented methodology firstly allocates the required resources which can be communication links as well as computational nodes and secondly binds the functionality onto the nodes and the data dependencies onto the links such that no routing restrictions will be violated or capacities on communication links will be exceeded. Due to the often error-prone communication in networks, we allow for routing each data dependency over multiple routes in the networks. With this strategy, our methodology is able to increase the reliability of the entire system. This reliability analysis is based on Binary Decision Diagrams (BDDs) and is integrated in our multi-objective design space exploration. By applying Evolutionary Algorithms, we are able to consider multiple objectives simultaneously during the optimization process and allow for a subsequent unbiased decision making. An experimental evaluation as well as a demonstration of a case study from the field of automotive electronics will show the applicability of the presented approach.
Introduction
Embedded networks that can be found, e.g. in automotive systems, nowadays consist of up to 100 Electronic Control Units (ECUs) which are connected via different types of shared buses. Several communication standards combined with lots of design alternatives concerning the computational nodes, increase the design complexity of the entire networked embedded system. Moreover, the networked embedded system executes functionality which is typically distributed and consists of communicating processes statically bound onto computational nodes in the network. A system level designer, hence, has to take the decision about which computational and communication resources are required and where to execute tasks in the network such that no overload occurs on nodes and the capacity of communication links is not exceeded. Additionally, all these decisions have to be taken by respecting different constraints and objectives, like minimization of monetary costs, power consumption or maximizing fault-tolerance.
In this paper, we consider such networks that consist of computational nodes which are able to execute a certain amount of software load, and links with a certain capacity for the communication demand between the functions. Our methodology requires a so-called architecture graph [1] containing all available resources. From this architecture template the resources for the final system are selected and the functionality represented by a problem graph, introduced later on, is bound onto the selected network nodes. Moreover, the messages between the functions are bound to the communication links. By respecting multiple objectives, our methodology determines a set of so-called Pareto-optimal solutions that allows for an unbiased decision making.
The paper is structured as follows: The next section presents related work in the field of system synthesis and automatic design of reliable systems. Section 3 introduces the network system model, gives an example, and gives reasons for the chosen model. Section 4 explains our methodology for topology optimization of networked embedded systems. An evaluation of the proposed strategy will be given in Section 6 before concluding in Section 7.
Related Work
Several approaches exist targeting a similar problem which is commonly referred to as design space exploration of embedded systems. Unfortunately, as these approaches are dedicated for SoC designs, no straightforward extensions exist for exploring the implementation alternatives of networked embedded systems as they occur in automotive, avionic, or wireless sensor networks.
For signal processing architectures, SPADE (System-level Performance Analysis and Design space Exploration) [2] is a tool for performance analysis. This tool is incorporated by Artemis (Architectures and Methods for Embedded Media Systems) which explores the design space [3]. Another framework, called MILAN (Model-based Integrated simuLAtioN), is a design space exploration tool that works at different levels of abstraction [4]. Hierarchical data flow graphs including alternatives for application specification as well as an architecture template will be defined and explored at different levels of detail before simulative evaluation. Thiele et al. [5] propose a design space exploration methodology based on Evolutionary Algorithms (EA) for packet processing applications, called EXPO. Kianzad and Bhattacharyya propose a framework called CHARMED (Co-synthesis of HARdware-software Multimode EmbeddeD systems) [6] for the automatic design space exploration for periodic multi-mode embedded systems. Balarin et al. [7] propose Metropolis, a design space exploration framework which integrates tools for simulation, verification, and synthesis. All these tools have in common that they either do not consider communication at all or assume restricted binding conditions by requiring explicit communication modeling which is prohibitive in networked embedded systems.
Concerning the reliability aspect of this contribution, several approaches have been presented for analyzing systems with respect to reliability and fault tolerance. An overview of these techniques can be found in [8]. In the last years, these techniques were integrated in the synthesis phase of a system, in order to automatically synthesize reliable or fault-tolerant systems. An early approach in the field of fault-tolerant ASIC design has been introduced by Karri et al. [9] who minimize the hardware overhead caused by replication. As input data for their synthesis, the authors' approach requires a data flow graph (DFG), a redundancy ratio and the latency. With this information different transformations are performed on the DFG which reduce the cost for redundancy. The results are impressive, since the savings for hardware costs are up to 35.71% for a redundancy degree from 2 to 7 in their example.
Another approach [10, 11] tries to maximize reliability by selectively introducing redundancy for detecting soft errors. This approach is able to consider resources with the same functionality but different area, delay or reliability values. It first selects the most reliable resources needed to bind a certain DFG onto the resources and performs a scheduling. If this design does not meet area or latency constraints, one resource is exchanged with a smaller or faster but less reliable resource. With this exchange strategy, the presented synthesis strategy tries to fulfill the constraints area and latency while maximizing the reliability. Note that only one objective (reliability) can be optimized while area and latency are constraints.
A co-design framework which assesses reliability properties at the system level has been presented by Bolchini et al. [12] who propose a two step approach. In the first step the authors perform a partitioning respecting constraints like area, power, costs, etc. and in a second step the reliability of critical parts is increased. Unfortunately, this second step might worsen the solution obtained in the first step. Anyway, this approach is interesting since different methods are chosen in the second step for increasing reliability.
Coit and Smith [13] propose a relevant approach which synthesizes reliable systems with the help of Genetic Algorithms (GA). The GA selects appropriate resources and determines the degree of redundancy such that the cost is minimal for a given reliability. For estimating the reliability which is an objective function for the GA, the authors apply a neural network.
Here, we will present a strategy for solving a multi-commodity or multi-concurrent flow [14] problem together with the binding of functionality onto computational nodes in the network. In contrast to the two-step approach in [12], we consider reliability while optimizing our system.
Network System Model
The input to the topology optimization framework is a so-called specification graph. In this framework, we strictly separate behavior and structure:
consists of a problem graph $G_p$, an architecture graph $G_a$, mapping edges $E_m$, and a set of message types $M$.
Problem and architecture graph can be defined formally:
The problem graph $G_p$ represents the set of applications to be realized by the implementation. Vertices represent processes and edges represent data dependencies between the processes.
Footnote 1: Later, we replicate these edges in order to increase the reliability by binding multiple instances of a problem graph edge onto a given architecture.
The architecture graph $G_a(V_a, E_a)$ models the template for the architecture of the system. As mentioned before, the architecture graph consists of all available resources. During the topology optimization phase, a subset of these resources will be selected (see Section 4) for implementation. Vertices $v_a \in V_a$ represent resources and the connections of resources are modeled by edges $e_a \in E_a$. Finally, the mapping edges $e_m \in E_m$ relate vertices of the problem graph $G_p$ with vertices of the architecture graph $G_a$. A mapping edge $e_m \in E_m$ indicates the possible implementation of a process on the corresponding resource. Annotated to each mapping edge can be parameters which will be evaluated if the mapping edge is activated. An example of a specification graph is shown in Fig. 1. Gray nodes connected via directed edges represent functions with their data dependencies and white nodes represent resources connected via directed edges. The dashed edges in Fig. 1 represent mapping edges which are annotated with a parameter $l$ representing the computational load. This computational load occurs at an architecture graph node $v_j \in V_a$ if a problem graph node $v_i \in V_p$ is bound onto $v_j$. However, in our model, we distinguish a finite number of message types. Each message type $m \in M$ corresponds to a communication protocol in the networked embedded system.
Definition 4 (Message Type) $M$ denotes a finite set of message types $m_i \in M$.
In networks with links supporting different protocols and bandwidths, it is crucial to distinguish different demands. Assume a certain amount of data has to be transferred between two nodes in a network. Between these nodes there are two types of networks, one which is dedicated to data transfer and supports multi-cell packages and one which is dedicated to, e.g., sensor values and therefore has a good payload/protocol ratio for one-word messages. In such a case, the data which has to be transferred over two different networks would cause different traffic in each network. Hence, we associate with each edge $e \in E_p$ so-called demand values which represent the required bandwidth when using a given message type or kind of network, respectively. An example of a network consisting of heterogeneous, multiple protocols can be found in automotive systems, where CAN buses of different speed grades are connected to, e.g., a LIN or MOST bus. If messages have to be transferred between nodes connected to these different bus systems, a gateway has to be passed for adapting the messages to the corresponding network type.
Definition 5 (Demand) With each pair $(e_i, m_j) \in E_p \times M$, we associate a real value $d_{i,j} \in \mathbb{R}_0^+$ (possibly $\infty$, if the message type cannot occur) indicating the demand for communication bandwidth by the two adjacent processes.
As an example, Fig. 1 shows a problem graph consisting of three nodes with three demands. While the demand between $P_1$ and $P_2$ as well as the demand between $P_1$ and $P_3$ can be routed over both network types ($|M| = 2$), the demand between $P_2$ and $P_3$ can be routed only over a network that can transfer message type $m_2$. This will be expressed by setting $d_{2,1}$ for edge $e_2 = (P_2, P_3)$ between $P_2$ and $P_3$ to $\infty$. On the other hand, the supported bandwidth is modeled by so-called capacities to each message type $m \in M$ associated with edges $e \in E_a$ and vertices $v \in V_a$ in the architecture graph.
Definition 6 (Capacity) With each pair $(e_i, m_j) \in E_a \times M$ and $(v_i, m_j) \in V_a \times M$, we associate a real value $c_{i,j} \in \mathbb{R}_0^+$ (possibly 0, if the message type cannot be routed over $e_i$ or $v_i$) indicating the capacity on a link $e_i$ or vertex $v_i$ for message type $m_j$. For each edge $e_i \in E_a$ or vertex $v_i \in V_a$, exactly one capacity $c_i$ is greater than 0.
Fig. 1 shows an architecture graph consisting of four computational nodes (Ctrl.1, ..., Ctrl.4), one gateway (GW) and two buses. While BUS1 can transfer the message type $m_1$, BUS2 can handle message type $m_2$. The gateway can convert a message of type $m_1$ to a message of type $m_2$ and vice versa. Note that only capacities $c > 0$ and demands $d < \infty$ are shown in this figure. In our model, we assign exactly one capacity with $c > 0$ to each edge $e \in E_a$ and each vertex $v \in V_a$ in the architecture graph and at least one demand with $d < \infty$ to the edges $e \in E_p$ in the problem graph. Depending on the type of capacity, a demand of the corresponding type can be routed over such an architecture graph edge. With this extension, it is possible to limit the routing possibilities, and moreover, to assign different demands to one problem graph edge.
Since embedded networks have to fulfill certain demands concerning reliability, we will evaluate the reliability of the entire system. For this purpose, we annotate each resource in the architecture graph with a reliability value R. Our approach is able to handle reliability attributes as probabilities as well as exponential or Weibull distribution functions. How the reliability of a system is efficiently evaluated and optimized during the design space exploration is presented in Sec. 5.
Topology Optimization
From the previously described specification graph, the topology optimization framework (a) selects a subset of resources, (b) binds processes to these resources, and (c) assigns each demand to a dedicated path $p = (e_1, e_2, \ldots, e_n)$ where $e_1, \ldots, e_n \in E_a$ and $e_1 = (v_0, v_1), e_2 = (v_1, v_2), \ldots, e_n = (v_{n-1}, v_n)$ with $v_i \in V_a$. In summary, the topology optimization framework generates solutions to the given specification by using Multi-Objective Evolutionary Algorithms. Basically, this is done by encoding solutions in so-called chromosomes (see Fig. 2). Each solution can be decoded to an implementation (the so-called phenotype). Our topology optimization framework makes use of the formal definition of an implementation as given in [1]. In our case, an implementation consists of three parts: (i) the allocation that indicates which elements of the problem and architecture graph are used in the implementation, (ii) the process binding, i.e., the set of mapping edges which defines the binding of vertices in the problem graph to components of the architecture graph, and (iii) the demand binding assigning an instance of a problem graph edge with its demands to a path in the architecture graph while satisfying capacity constraints.
Before defining the term implementation formally, we will explain the concept of activation as described in [1].
1} that assigns to each edge and to each vertex the value 1 (activated) or 0 (not activated).
The task of topology optimization is to determine an implementation, i.e., an assignment of activity values to vertices and edges of the specification graph. An allocation $\alpha$ of a given specification graph $G_s$ is the subset of all activated vertices and edges of the problem graph $G_p$ and the architecture graph $G_a$, i.e., $\alpha = \alpha_v \cup \alpha_e$, where $\alpha_v = \{v \in V_p \cup V_a \mid a(v) = 1\}$ and $\alpha_e = \{e \in E_p \cup E_a \mid a(e) = 1\}$.
Definition 8 (Process Binding)
A process binding $\beta_p$ of a given specification graph $G_s$ is the subset of activated mapping edges $E_m$, i.e., $\beta_p = \{e \in E_m \mid a(e) = 1\}$.
In order to restrict the search space, it is useful to determine the set of feasible allocations and feasible process bindings. A feasible process binding guarantees that communications demanded by the problem graph can be established in the allocated architecture. This is an important property in explicit modeling of communications. Hardly any other model known from literature exposes this property. Moreover, our methodology introduces redundancy for the communication. Often the communication routed over the network is error-prone and depends on the correct functioning of not just one resource but of many different resources. Therefore, we allow for binding multiple instances $e_{p,i}^k$ of a problem graph edge $e_{p,i} \in E_p$ onto a path in the network, where $k$ denotes the particular instance.
Definition 9 (Feasible Process Binding) Given a specification graph $G_s$ and an allocation $\alpha$, a feasible process binding is a process binding $\beta_p$ that satisfies the following requirements:
(1) Each activated mapping edge $e_m \in \beta_p$ starts and ends at an activated vertex, i.e.,
This definition differs from the concepts of a feasible binding presented in [1] in a way that communicating processes require at least one path in the architecture graph. The routing over multi-hop communication channels with limited capacity of the connections will be named demand binding in the following. 
otherwise Then, the following three kinds of constraints exist:
, with $C$ being the incidence matrix of the architecture graph, $K_{p,i}$ being the number of instances of a problem graph edge $e_{p,i}$, and
T . This constraint literally means that all incoming and outgoing flows of an architecture graph node have to be equal. If a demand producing or consuming process is mapped onto an architecture graph node, the sum of incoming flows differs from the sum of outgoing flows.
• The second constraint restricts the sum of demands $d_{i,j}$ bound onto an architecture graph edge $e_{a,j}$ to be less than or equal to the edge's capacity $c_j$, where $d_{i,j}$ is the demand of the problem graph edge instance $e_{p,i}^k$. $\forall j = 1, \ldots, |E_a|$:
being the number of instances of a problem graph edge $e_{p,i} \in E_p$.
• The third constraint restricts the sum of demands $d_{i,j}$ bound onto an architecture graph node $v_{a,j}$ to be less than or equal to the node's capacity $c_j$, where $d_{i,j}$ is the demand of the problem graph edge $e_{p,i}^k$. $\forall j = 1, \ldots, |V_a|$:
Definition 11 (Feasible Allocation) A feasible allocation is an allocation $\alpha$ allowing at least one feasible process binding $\beta_p$ with a corresponding feasible demand binding $\beta_d$.
Chromosome Decoding
As mentioned above, the decoding can be subdivided into three parts, the allocation, the process binding and the demand binding. While the allocation of resources and the binding of processes are part of the decoding process introduced in [1], the demand binding, which requires solving a multi-commodity flow problem, is new and explained in the following. In Fig. 3 the flow of the decoding step is presented. First, the allocation of resources is determined by the Allocation List (cf. Fig. 2). The allocation is repaired using the Repair Allocation List such that all processes can be bound onto resources. This is done by inserting resources into the allocation regarding their occurrence in the Repair Allocation List. After all processes are bound onto the architecture graph nodes using the processes' occurrence order in the Process Binding Priority List, a path feasibility check is performed which checks whether two adjacent problem graph nodes can communicate over a path between the allocated resources. This check is implemented as a depth-first search suitable for cyclic graphs. During this check, the demands and capacities on the edges in the problem graph or the architecture graph are not respected.
In the next phase, we have to perform the task of demand binding. For this purpose, we introduced a list for Problem Graph Edge Instances which contains the actual degree of redundant instances of a problem graph edge by $K_{p,i}$. After replicating our problem graph edges, there are in general two possible solutions for this problem: (1) using an ILP solver for exact solutions or (2) using a heuristic by encoding the demand binding in the chromosome. In this paper, we will compare both approaches. By using an ILP solver, we use the allocation and process binding to formulate the ILP as presented in Def. 10. The objective of this ILP formulation is to minimize the total flow in the network: min(
Note that the instances of the problem graph edge $e_p \in E_p$ routed over the architecture graph nodes $v_a \in V_a$ are not considered. Otherwise, the node-internal communication, which does not demand network capacities, would be considered as well.
However, using a chromosome encoding, a Problem Graph Edge Priority List is decoded. Each element in this list refers to a certain instance of a problem graph edge that has to be mapped onto the resources of the architecture graph. Beginning with the first element, the demand of the problem graph edge instance is bound onto the shortest path with sufficient capacities. All capacities along this path are reduced by the demand. Here, only the demand type is considered which corresponds to the capacity type of the architecture graph edge. The objective to be minimized corresponds to the ILP formulation. If no path with sufficient capacities can be found in the architecture graph, an error counter is increased by one. This error counter is another objective to be minimized and helps the Evolutionary Algorithm to guide the search towards feasible solutions. If this error counter equals zero, a valid implementation has been found. Note that our methodology may route multiple instances of a problem graph edge over one resource in the architecture graph. Due to the routing, it is not possible to ensure that totally different paths will be found. But since our methodology is able to vary the number of problem graph edge instances, it can reduce the number of one kind of problem graph instances if there is no benefit for the reliability of the system.
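The priority-list heuristic described above, as an added example that is not code from the paper: each problem graph edge instance is routed in list order over the fewest-hop path whose links have enough residual capacity for the demand of the link's own message type, and unroutable instances increment the error counter. The graph, capacities, demands, the hop-count metric and all names are constructed assumptions; node capacities are left out.

```python
from collections import deque
from math import inf

# Constructed architecture graph: directed link -> (message type, capacity).
ARCH = {
    ("C1", "C2"): ("m1", 100),
    ("C1", "GW"): ("m1", 80),
    ("C2", "GW"): ("m1", 100),
    ("GW", "C2"): ("m1", 100),
    ("GW", "C3"): ("m2", 100),
    ("GW", "C4"): ("m2", 100),
    ("C3", "C4"): ("m2", 100),
}

# Constructed problem graph edges: name -> (source, sink, demand per message type).
# inf marks a message type the demand cannot use (the routing restriction).
DEMANDS = {
    "e1": ("P1", "P2", {"m1": 60, "m2": 30}),
    "e2": ("P1", "P3", {"m1": 40, "m2": 20}),
    "e3": ("P2", "P3", {"m1": inf, "m2": 10}),
}

BINDING = {"P1": "C1", "P2": "C2", "P3": "C4"}  # constructed process binding


def shortest_feasible_path(residual, types, demand, src, dst):
    """Fewest-hop path (BFS) over links that can still carry this demand."""
    if src == dst:
        return []  # node-internal communication needs no network capacity
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for (u, v), cap in residual.items():
            if u != node or v in parent:
                continue
            # Only the demand matching the link's capacity type is considered.
            if demand.get(types[(u, v)], inf) > cap:
                continue
            parent[v] = (u, v)
            if v == dst:
                path, link = [], parent[v]
                while link is not None:
                    path.append(link)
                    link = parent[link[0]]
                return path[::-1]
            queue.append(v)
    return None


def bind_demands(arch, demands, binding, priority_list):
    """Decode a Problem Graph Edge Priority List into routes.

    Returns (routes, error_counter, total_flow); error_counter == 0 means
    every instance was bound, total_flow is the flow objective.
    """
    types = {link: t for link, (t, _) in arch.items()}
    residual = {link: c for link, (_, c) in arch.items()}
    routes, errors, total_flow = {}, 0, 0
    for edge, k in priority_list:
        src, dst, demand = demands[edge]
        path = shortest_feasible_path(
            residual, types, demand, binding[src], binding[dst])
        routes[(edge, k)] = path
        if path is None:
            errors += 1  # extra objective guiding the EA towards feasibility
            continue
        for link in path:
            residual[link] -= demand[types[link]]
            total_flow += demand[types[link]]
    return routes, errors, total_flow


if __name__ == "__main__":
    # Same instances, two priority orders: only the first one is feasible.
    for order in ([("e1", 1), ("e1", 2), ("e2", 1)],
                  [("e2", 1), ("e1", 1), ("e1", 2)]):
        routes, errors, flow = bind_demands(ARCH, DEMANDS, BINDING, order)
        print(order, "errors:", errors, "flow:", flow)
        for inst, path in routes.items():
            print("   ", inst, path)
```
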
System Evaluation
After decoding an implementation and checking its feasibility, the evaluation of the entire system takes place. A typical evaluator sums the monetary costs associated with the allocated resources, resulting in an overall cost objective value. Additionally, the computational load on the network nodes can be considered as an objective orthogonal to the flow in the network. However, competing objectives allow for implementing different solutions, all of which are called Pareto-optimal.
Since embedded networked systems have to fulfill certain demands with respect to reliability, we extended our methodology with a reliability evaluator. Until now, reliability was considered to be too extensive for an optimization with all other and often competing objectives simultaneously [12]. Therefore, we will introduce our methodology to integrate reliability as an objective in multi-objective design space exploration. Starting with an introduction of the extended system model, we will briefly describe how our methodology selects resources and binds processes. Afterwards, our efficient technique to determine the reliability of complex system structures using BDDs will complete our methodology description. Fig. 4 shows a simplified system of the model described in Sec. 3 or Fig. 1. For the sake of simplicity, we do not distinguish between communication and computational resources in this graph which will act as a running example in this section. To model the reliability of the used resources, the reliability of each resource is annotated as an attribute in the architecture graph. Our approach is able to handle reliability attributes as probabilities as well as exponential or Weibull distribution functions.
Multiple Demand Binding for Redundancy
The concept of redundancy, which is the existence of more than one means for performing a required function in an item [8], is well known for the ability to increase the reliability of a system. In common system synthesis models, each process in the problem graph is bound to exactly one resource from the architecture graph. This lack of redundancy simplifies the reliability analysis of the system to a series structure of all components of the system. Consider the example in Fig. 4 with $P_1$ being bound to $R_1$, $P_2$ being bound to $R_2$ and $P_3$ being bound to $R_4$. The reliability of this example calculates to $R(R_1) \cdot R(R_2) \cdot R(R_4) = 0.612$.
Since our analysis technique is efficient enough to handle complex system structures, we introduced the ability to bind one kind of problem graph edges to a set of paths or resources, respectively, thus, creating several instances of one problem graph edge in the implementation of the system.
Remember the definition for a feasible binding in Sec. 3: For each problem graph edge a set $I_i$ of problem graph edges $I_i \subseteq E_p$ is bound onto the architecture graph according to the demand binding $\beta_d$.
This requirement makes it possible to bind demands onto several resources and thus to introduce redundancy. However, at least one permutation of problem graph edge instances has to work correctly for the implementation to be valid. As an example, Fig. 5 shows one possible feasible binding for a given problem graph. The process $P_1$ is bound onto resource $R_1$, process $P_2$ is bound onto resource $R_4$ and process $P_3$ is bound onto $R_4$, too. Moreover, the demand between process $P_1$ and $P_2$ is bound onto two different paths over resource $R_2$ and $R_3$. Considering all resources being allocated, the requirement that each activated mapping edge ends at an allocated resource is also fulfilled. The requirement that at least one permutation of problem graph edge instances has to work correctly can, for example, be fulfilled even with a defect of $R_3$. Then, the demand between $P_1$ and $P_2$ can still be routed over $R_2$. With this strategy, we introduce redundant instances for the communication and thus increase the reliability of a system.
For a better visualization and for the proposed reliability analysis in section 5.2, we introduce a new type of graph, the so-called instance graph
For each process $v \in V_p$ exactly one vertex $v \in V_i$ exists. For each instance $e_{p,j}^k$ of a problem graph edge $e_{p,j}$ an edge $e \in E_i$ in the instance graph exists. Such an edge represents a set of resources forming a path in the architecture graph. This set of resources can be derived from the demand binding $\beta_d$.
This graph provides the interesting information about which permutation of problem graph edge instances leads to a correctly working system. Such a permutation can be seen as a path through the graph that includes all instance graph nodes $v \in V_i$, but at least one of the parallel edges between two adjacent instance graph nodes. Fig. 6 shows the instance graph for the binding in Fig. 5. Next, we will show how the instance graph can be used to quantify the reliability for our system model.
Reliability Analysis
To quantify the reliability of the system, the used analysis technique has to be able to handle complex system structures. Due to resource sharing, it is not possible to simply consider combinations of series/parallel structures. To analyze the reliability in an appropriate amount of time, we introduce a technique that generates the structure function [8] $\varphi$ directly from the specification graph, the allocation $\alpha$, the process binding $\beta_p$, as well as the demand binding $\beta_d$ and encodes it in a binary decision diagram (BDD) [16].
The function $\varphi$ is defined by Eq. (2) and (3) where the variables $p_j$ and $v_{a,n}$ will be substituted with binary variables $b_i$ afterwards:
This first condition ensures that each operation $p_i = v_i \in V_p$ is working and can communicate correctly. Hence, the entire system is correct. The second part of Eq. (2) has to be refined by Eq. (3) which ensures that at least one instance $e_{p,j}^k \in E_i$ of a problem graph edge $e_{p,j} \in E_p$ works correctly:
Our technique now uses the term from Eq. (2) and generates a BDD representing this term. Since the variables $b_i$ represent the resources $v_{a,i} \in V_a$, the operations $p_j$ have to be substituted by the resources $v_{a,i}$ with $(p_j, v_{a,i}) \in \beta_p$. A working resource $v_{a,i}$ is represented by $b_i = 1$ and a malfunction of a resource $v_{a,i}$ by $b_i = 0$.
After the BDD representing the structure function $\varphi_{G_s,\alpha,\beta_p,\beta_d}$ of the system $G_s$ is generated, the BDD is used to quantify the reliability of the system by calculating the probability of the BDD's root node. For this purpose, we used a Shannon-decomposition based algorithm introduced in [17]. If the reliability of the resources and mapping edges is modeled by the failure probability, which is typically the case in reliability engineering, the reliability of the root node can be used as the objective value and equals $R(t)$. Since the example in Fig. 5 uses probabilities as reliability attributes, our approach can easily calculate the reliability of this implementation, which is 0.7092. If the reliability of the components is given by a distribution function, e.g., exponential distribution or Weibull distribution, another value has to be chosen as the objective. We chose the mean time to failure, $\mathrm{MTTF} = \int_0^\infty R(t)\,dt$, which demands a numerical integration during system synthesis. Here, the probability of the root node of the BDD is calculated for every $t$ needed by the integration process.
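An added example (not the paper's implementation, and not the algorithm of [17]) that evaluates the structure function by Shannon expansion with memoised cofactors, the same recursion a BDD probability computation performs. The reliabilities 0.9, 0.85, 0.9, 0.8 and the chain P1→P2→P3 are constructed assumptions, chosen so that the two bindings described on this page give 0.612 and 0.7092; R5, the shared-resource binding and the naive estimate are added to show why resource sharing rules out the series/parallel shortcut.

```python
from functools import lru_cache

# Constructed reliabilities (assumption: the figure's annotations are not in the text).
REL = {"R1": 0.9, "R2": 0.85, "R3": 0.9, "R4": 0.8, "R5": 0.9}

# (process binding, demand binding); each problem graph edge lists its instances,
# each instance is the set of intermediate resources on its path.
SERIES = ({"P1": "R1", "P2": "R2", "P3": "R4"}, {"e1": [[]], "e2": [[]]})
FIG5 = ({"P1": "R1", "P2": "R4", "P3": "R4"},
        {"e1": [["R2"], ["R3"]], "e2": [[]]})
SHARED = ({"P1": "R1", "P2": "R4", "P3": "R4"},
          {"e1": [["R2", "R5"], ["R3", "R5"]], "e2": [[]]})  # both paths use R5


def cofactor(required, edges, res, works):
    """Restrict the structure function to b_res = works; None means constant 0."""
    if works:
        remaining = set()
        for paths in edges:
            reduced = frozenset(p - {res} for p in paths)
            if frozenset() not in reduced:  # no instance fully confirmed yet
                remaining.add(reduced)
        return required - {res}, frozenset(remaining)
    if res in required:                     # a process lost its resource
        return None
    remaining = set()
    for paths in edges:
        alive = frozenset(p for p in paths if res not in p)
        if not alive:                       # every instance of this edge is broken
            return None
        remaining.add(alive)
    return required, frozenset(remaining)


def system_reliability(rel, process_binding, demand_binding):
    """P(structure function = 1) via Shannon expansion over the resources."""
    required = frozenset(process_binding.values())
    edges = frozenset(
        frozenset(frozenset(path) for path in instances)
        for instances in demand_binding.values())
    # An instance without intermediate resources works whenever its end points do.
    edges = frozenset(e for e in edges if frozenset() not in e)
    order = sorted(rel)                     # fixed variable order, as in a BDD

    @lru_cache(maxsize=None)                # identical cofactors are shared
    def prob(required, edges, i):
        if not required and not edges:
            return 1.0
        res = order[i]
        total = 0.0
        for works, weight in ((True, rel[res]), (False, 1.0 - rel[res])):
            sub = cofactor(required, edges, res, works)
            if sub is not None:
                total += weight * prob(sub[0], sub[1], i + 1)
        return total

    return prob(required, edges, 0)


def naive_series_parallel(rel, process_binding, demand_binding):
    """Shortcut that wrongly treats all instances of an edge as independent."""
    result = 1.0
    for res in set(process_binding.values()):
        result *= rel[res]
    for instances in demand_binding.values():
        all_fail = 1.0
        for path in instances:
            works = 1.0
            for res in path:
                works *= rel[res]
            all_fail *= 1.0 - works
        result *= 1.0 - all_fail
    return result


if __name__ == "__main__":
    for name, (pb, db) in (("series", SERIES), ("fig5", FIG5), ("shared", SHARED)):
        print(name, round(system_reliability(REL, pb, db), 6),
              "naive:", round(naive_series_parallel(REL, pb, db), 6))
```
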
Experimental Evaluation
In the following experiments, we first compare the following two implementations without considering any reliability aspects. The first implementation uses the Evolutionary Algorithm SPEA2 [18] for binding of demands onto the resources in the architecture graph and the second one solves the ILP formulation from Def. 10 using LpSolve [19]. For the evaluation of these algorithms, we used applications with 10 and 20 individual demands and all mapping possibilities on a 3x3 mesh. We defined the capacities of the architecture graph edges each to 100% and produced for each number of demands three different scenarios by varying the demand sizes between 1% and 100%. For each of these scenarios, we executed three iteration runs with the EA-based and the ILP-based methodology and obtained three solution sets $S^i_{s,\mathrm{ILP}}$ and $S^i_{s,\mathrm{EA}}$ with $i = 1, \ldots, 3$ containing the set of Pareto-optimal solutions after the iteration. Extracting all Pareto-optimal solutions out of the solution sets $S^i_{s,\mathrm{ILP}}$ and $S^i_{s,\mathrm{EA}}$ provides us a set of solutions which we assumed to contain the Pareto-optimal solutions. Therefore, these solutions were taken as a reference set $S_r$. In order to evaluate the iteration runs of our proposed heuristic and the combined approach incorporating an ILP, the shortest normalized distance $d(s_s)$ between the Pareto-front of the reference set $S_r$ and the solutions $s_s \in S$ The indices $o1$ and $o2$ denote the two objectives of a considered point, whereas the indices max and min denote the maximal value or the minimal value of the points belonging to the reference set $S_r$. The average distances and standard deviations in each iteration for the cases with 10 demands and 20 demands are presented in Fig. 7a) and Fig. 7b). Fig. 8a) and Fig. 8b) show the distance over the exploration time. The topology optimization has been executed on an Intel Pentium IV (2.7GHz/512MB RAM) running Linux.
We can clearly see that our proposed heuristic converges faster and at the same time runs faster than the hybrid approach of an Evolutionary Algorithm with an exact ILP formulation (EA/ILP).
Next, we evaluate our approach considering reliability as well. A case study from the field of automotive applications aimed at optimizing the network topology and the binding of an adaptive light controller (ALC). In this case study, more than 100 different processes are producing, processing and consuming data. These processes need to be bound onto a network consisting of 36 sensors, 30 controllers/gateways, and 35 actuators. While the controllers could be connected with different types of buses, we connected each sensor and actuator via point-to-point (P2P) communication links to each controller in the specification graph. One objective of the topology optimization was to find solutions that minimize the total wire length of the P2P connections and the bus systems, while the topology optimization on the other hand aimed at minimizing the monetary cost of the entire system, which has a direct effect on the allocation of resources. Additionally, certain demands have been annotated to the edges between the functional units which have to be bound to the edges and nodes between the sensors, controllers/gateways and actuators. By combining all demand routing alternatives, binding possibilities and resource allocation options, the search space incorporated about $2^{300}$ possibilities.
Using our heuristic, we were able to find a set of approximated Pareto-optimal solutions to this topology optimization problem, whereas the hybrid ILP/EA-based approach failed completely because of the huge ILP models. Thus, we are not able to present quantitative results for this case study. Anyway, we will show how the reliability has been increased by considering the reliability as an objective in the design space exploration. Fig. 9 shows the average minimal and maximal MTTF values over 10 explorations for the ALC. Note that we can offer design solutions that are up to ≈ 20% more reliable than the ones found by common design space exploration tools neglecting reliability. Hence, all these solutions are optimal in a multi-objective view which is presented in Fig. 10. This huge example shows that our reliability analysis technique is appropriate even for the most complex examples that our exploration technique is able to handle and is therefore fully applicable in our system-level design framework.
The experiments were carried out on an Intel Pentium 4 3.20GHz machine with 1GB RAM. As an example, the average exploration time (10 exploration runs) for the ALC over 500 generations and a population size of 100 individuals was 2h37m. In our experimental results for the ALC, the exploration time was ≈ 10 times higher than a coarse reliability approximation by a multiplication of the reliability values. This overhead is mainly due to the complexity of constructing the BDDs, which highly depends on the system structure and is $O(2^{|\alpha|+|\beta|})$ in the worst case.
Conclusion and Future Work
In this paper, we presented a topology optimization framework for reliable networked embedded systems. The input specification is given by a specification graph permitting modeling of demands for heterogeneous networks. The novelties may be summarized as follows: a) Our specification graph enables the modeling of routing restrictions, for example if a certain type of demand cannot be routed over some parts in a network. In addition to the model, b) we proposed a new chromosome encoding and a novel heuristic for demand binding. c) The performance of the proposed strategy has been compared with an ILP-based approach and it has been shown that it performs very well. d) We increase the reliability by allocating more reliable resources and introducing redundancy for the inter-process communication. Moreover, the applicability to recent design issues in the field of automotive networks has been presented. All in all, the presented framework provides a first methodology for multi-objective exploration of heterogeneous networked embedded systems.
