6 research outputs found

    The use of simulation in the design of critical embedded systems

    Virtual platforms that make it possible to predict performance by numerical simulation are gradually becoming a reality in the design of the most complex and most constrained control systems (automotive, aeronautics, power-grid network control, etc.). From the early phases of the design cycle, these tools guide designers in their design choices. The first objective of this talk is to give a brief overview of the models and simulation techniques used for critical embedded systems: simulation of functional behaviour (control laws), "timing-accurate" simulation of execution platforms, and their complementarity and current limitations. Unlike mathematical techniques, simulation a priori provides no guarantee on verification coverage, and worst-case situations ("corner cases") are not necessarily identified. Nevertheless, simulation is becoming increasingly indispensable because analytical models are generally unable to capture the full complexity of real systems. The second objective of this talk is to identify methodological best practices for the use of simulation in critical systems (e.g. the choice of simulation durations and number of experiments as a function of structural characteristics of the simulated processes, performance metrics for rare events, etc.).

    A QoS Aware Approach to Service-Oriented Communication in Future Automotive Networks

    Service-Oriented Architecture (SOA) is about to enter automotive networks based on the SOME/IP middleware and an Ethernet high-bandwidth communication layer. It promises to meet the growing demands on connectivity and flexibility for software components in modern cars. Largely heterogeneous service requirements and time-sensitive network functions make Quality-of-Service (QoS) agreements a vital building block within future automobiles. Existing middleware solutions, however, do not allow for a dynamic selection of QoS. This paper presents a service-oriented middleware for QoS aware communication in future cars. We contribute a protocol for dynamic QoS negotiation along with a multi-protocol stack, which supports the different communication classes as derived from a thorough requirements analysis. We validate the feasibility of our approach in a case study and evaluate its performance in a simulation model of a realistic in-car network. Our findings indicate that QoS aware communication can indeed meet the requirements, while the impact of the service negotiations and the setup times of the network remain acceptable provided the cross-traffic during negotiations stays below 70% of the available bandwidth.

    Using CPAL to model and validate the timing behaviour of embedded systems

    This work presents a solution to the Formal Methods for Timing Verification (FMTV) Challenge 2015 using CPAL. CPAL stands for the Cyber-Physical Action Language and is a novel language to model, simulate and verify cyber-physical systems such as those described in the challenge. We believe that the complexity of the challenge mainly stems from the complex interactions of the tasks and processes composing the aerial video tracking system of the challenge. Using CPAL we have derived a complete and unambiguous description of the system that supports timing verification. The different sub-challenges were solved by timing-accurate simulation and/or schedulability analysis. Even though simulation does not provide firm guarantees on the worst-case behaviour, it helps the system designer solve scheduling problems and validate the solutions where verification tools cannot be applied directly due to the complexity of the model, as in the 2015 FMTV challenge.

    Performance impact of the interactions between time-triggered and rate-constrained transmissions in TTEthernet

    Switched Ethernet is becoming a de-facto standard in industrial and embedded networks. Many of today's applications benefit from Ethernet's high bandwidth, large frame size, multicast and routing capabilities through IP, and the availability of the standard TCP/IP protocols. There are however many variants of Switched Ethernet networks, just considering the MAC level mechanisms on the stations and communication switches. An important technology in that landscape is TTEthernet, standardized as SAE6802, which allows the transmission of both purely time-triggered (TT) traffic and sporadic (or rate-constrained, RC) traffic. To the best of our knowledge, the interactions between both classes of traffic have not been studied so far in realistic configurations. This work aims to shed some light on the kind of performance, in terms of latencies, jitters and useful bandwidth, that can be expected from a mixed TT and RC configuration. The following questions will be answered in a quantified manner by sensitivity analysis: How do both classes of traffic interfere with each other? What are the typical worst-case latencies and useful bandwidth that can be expected for an RC stream for various TT traffic loads? What is the overall impact of the TTEthernet integration policy on the RC traffic? This study builds on a worst-case traversal time analysis developed by the authors for SAE6802, and explores these questions by experiments performed on configurations of various sizes.

    Timing verification of real-time automotive Ethernet networks: what can we expect from simulation?

    Switched Ethernet is a technology that is profoundly reshaping automotive communication architectures, as it did in other application domains such as avionics with the use of AFDX backbones. Early stage timing verification of critical embedded networks typically relies on simulation and worst-case schedulability analysis. When the modeling power of schedulability analysis is not sufficient, there are typically two options: either make pessimistic assumptions or ignore what cannot be modeled. Both options are unsatisfactory because they are either inefficient in terms of resource usage or potentially unsafe. To overcome those issues, we believe it is a good practice to use simulation models, which can be more realistic, along with schedulability analysis. The two basic questions that we aim to study here are: what can we expect from simulation, and how should it be used properly? This empirical study explores these questions on realistic case studies and provides methodological guidelines for the use of simulation in the design of switched Ethernet networks. A broader objective of the study is to compare the outcomes of schedulability analyses and simulation, and to conclude about the scope of usability of simulation in the design of critical Ethernet networks.

    Formal Analysis of the Startup Delay of SOME/IP Service Discovery

    An automotive network needs to start up within the millisecond range. This includes the physical startup, the software boot time, and the configuration of the network. The introduction of Ethernet into the automotive industry expanded the design space drastically and is increasing the complexity of configuring every element in the network. To add more flexibility to automotive Ethernet networks, the concept of Service Discovery was migrated from consumer electronics to AUTOSAR within the SOME/IP middleware. A network is not fully functional until every client has found its service. Consequently, this time interval adds to the startup time of a network. This work presents a formal analysis model to calculate the waiting time of every client to receive the first offer from its service. The model is able to determine the worst case of a given parameter set. Based on this, a method for calculating the total startup time of a system is derived. The model is implemented in a free-to-use Octave program and validated by comparing the analytical results to a timing-accurate simulation and an experimental setup. In every case the worst-case assumption holds true: the gap between the maximum of the simulation and the presented method is less than 1.3%.