Timing Analysis of the FlexRay Communication Protocol

FlexRay will very likely become the de-facto standard for in-vehicle communications. However, before it can be successfully used for safety-critical applications that require predictability, timing analysis techniques are necessary for providing bounds for the message communication times. In this paper, we propose techniques for determining the timing properties of messages transmitted in both the static (ST) and the dynamic (DYN) segments of a FlexRay communication cycle. The analysis techniques for messages are integrated in the context of a holistic schedulability analysis that computes the worst-case response times of all the tasks and messages in the system. We have evaluated the proposed analysis techniques using extensive experiments. 1

Configuring the communication on FlexRay - the case of the static segment

The paper provided is a reworked version of the paper included in the ERTS Proceedings.International audienceThis paper deals with the configuration of the static segment of a FlexRay network, in the case where the tasks producing the signals are not synchronized with the FlexRay communication cycle, as it can be the case, for instance, if legacy software is to be re-used. First, we provide solutions to verify the freshness constraints of the signals exchanged in the static segment, under the form of both simple non-schedulability tests and an exact analysis. Then we propose a heuristic to construct the communication schedule, which proved to be efficient in our experiments. Finally, we highlight some future work that should help us further optimize the configuration of FlexRay networks, be it in regard to hardware resource usage or dependability objectives

Robust and secure resource management for automotive cyber-physical systems

2022 Spring.Includes bibliographical references.Modern vehicles are examples of complex cyber-physical systems with tens to hundreds of interconnected Electronic Control Units (ECUs) that manage various vehicular subsystems. With the shift towards autonomous driving, emerging vehicles are being characterized by an increase in the number of hardware ECUs, greater complexity of applications (software), and more sophisticated in-vehicle networks. These advances have resulted in numerous challenges that impact the reliability, security, and real-time performance of these emerging automotive systems. Some of the challenges include coping with computation and communication uncertainties (e.g., jitter), developing robust control software, detecting cyber-attacks, ensuring data integrity, and enabling confidentiality during communication. However, solutions to overcome these challenges incur additional overhead, which can catastrophically delay the execution of real-time automotive tasks and message transfers. Hence, there is a need for a holistic approach to a system-level solution for resource management in automotive cyber-physical systems that enables robust and secure automotive system design while satisfying a diverse set of system-wide constraints. ECUs in vehicles today run a variety of automotive applications ranging from simple vehicle window control to highly complex Advanced Driver Assistance System (ADAS) applications. The aggressive attempts of automakers to make vehicles fully autonomous have increased the complexity and data rate requirements of applications and further led to the adoption of advanced artificial intelligence (AI) based techniques for improved perception and control. Additionally, modern vehicles are becoming increasingly connected with various external systems to realize more robust vehicle autonomy. These paradigm shifts have resulted in significant overheads in resource constrained ECUs and increased the complexity of the overall automotive system (including heterogeneous ECUs, network architectures, communication protocols, and applications), which has severe performance and safety implications on modern vehicles. The increased complexity of automotive systems introduces several computation and communication uncertainties in automotive subsystems that can cause delays in applications and messages, resulting in missed real-time deadlines. Missing deadlines for safety-critical automotive applications can be catastrophic, and this problem will be further aggravated in the case of future autonomous vehicles. Additionally, due to the harsh operating conditions (such as high temperatures, vibrations, and electromagnetic interference (EMI)) of automotive embedded systems, there is a significant risk to the integrity of the data that is exchanged between ECUs which can lead to faulty vehicle control. These challenges demand a more reliable design of automotive systems that is resilient to uncertainties and supports data integrity goals. Additionally, the increased connectivity of modern vehicles has made them highly vulnerable to various kinds of sophisticated security attacks. Hence, it is also vital to ensure the security of automotive systems, and it will become crucial as connected and autonomous vehicles become more ubiquitous. However, imposing security mechanisms on the resource constrained automotive systems can result in additional computation and communication overhead, potentially leading to further missed deadlines. Therefore, it is crucial to design techniques that incur very minimal overhead (lightweight) when trying to achieve the above-mentioned goals and ensure the real-time performance of the system. We address these issues by designing a holistic resource management framework called ROSETTA that enables robust and secure automotive cyber-physical system design while satisfying a diverse set of constraints related to reliability, security, real-time performance, and energy consumption. To achieve reliability goals, we have developed several techniques for reliability-aware scheduling and multi-level monitoring of signal integrity. To achieve security objectives, we have proposed a lightweight security framework that provides confidentiality and authenticity while meeting both security and real-time constraints. We have also introduced multiple deep learning based intrusion detection systems (IDS) to monitor and detect cyber-attacks in the in-vehicle network. Lastly, we have introduced novel techniques for jitter management and security management and deployed lightweight IDSs on resource constrained automotive ECUs while ensuring the real-time performance of the automotive systems

Conflict-Free Networks on Chip for Real Time Systems

[ES] La constante necesidad de un mayor rendimiento para cumplir con la gran demanda de potencia de cómputo de las nuevas aplicaciones, (ej. sistemas de conducción autónoma), obliga a la industria a apostar por la tecnología basada en Sistemas en Chip con Procesadores Multinúcleo (MPSoCs) en sus sistemas embebidos de seguridad-crítica. Los sistemas MPSoCs generalmente incluyen una red en el chip (NoC) para interconectar los núcleos de procesamiento entre ellos, con la memoria y con el resto de recursos compartidos. Desafortunadamente, el uso de las NoCs dificulta alcanzar la predecibilidad en el tiempo, ya que pueden aparecer conflictos en muchos puntos y de forma distribuida a nivel de red. Para afrontar este problema, en esta tesis se propone un nuevo paradigma de diseño para NoCs de tiempo real donde los conflictos en la red son eliminados por diseño. Este nuevo paradigma parte del Grafo de Dependencia de Canales (CDG) para evitar los conflictos de red de forma determinista. Nuestra solución es capaz de inyectar mensajes de forma natural usando un periodo TDM igual al límite teórico óptimo sin la necesidad de usar un proceso offline exigente computacionalmente. La red se ha integrado en un sistema multinúcleo basado en tiles y adaptado a su jerarquía de memoria. Como segunda contribución principal, proponemos un nuevo planificador dinámico y distribuido capaz de alcanzar un rendimiento pico muy cercanos a las NoC basadas en un diseño wormhole sin comprometer sus garantías de tiempo real. El planificador se basa en nuestro diseño de red para explotar sus propiedades clave. Los resultados de nuestra NoC muestran que nuestro diseño garantiza la predecibilidad en el tiempo evitando interferencias en la red entre múltiples aplicaciones ejecutándose concurrentemente. La red siempre garantiza el rendimiento y también mejora el rendimiento respecto al de las redes wormhole en una red 4 x 4 en un factor de 3,7x cuando se inyecta trafico para generar interferencias. En una red 8 x 8 las diferencias son incluso mayores. Además, la red obtiene un ahorro de área total del 10,79% frente a una implementación básica de una red wormhole. El planificador propuesto alcanza una mejora de rendimiento de 6,9x y 14,4x frente la versión básica de la red DCFNoC para redes en forma de malla de 16 y 64 nodos, respectivamente. Cuando lo comparamos frente a un conmutador estándar wormhole se preserva un rendimiento de red del 95% al mismo tiempo que preserva la estricta predecibilidad en el tiempo. Este logro abre la puerta a nuevos diseños de NoCs de alto rendimiento con predecibilidad en el tiempo. Como contribución final, construimos una taxonomía de NoCs basadas en TDM con propiedades de tiempo real. Con esta taxonomía realizamos un análisis exhaustivo para estudiar y comparar desde tiempos de respuesta, a implementaciones con bajo coste, pasando por soluciones de compromiso para diseños de NoCs de tiempo real. Como resultado, obtenemos nuevos diseños de NoCs basadas en TDM.[CA] La constant necessitat d'un major rendiment per a complir amb la gran demanda de potència de còmput de les noves aplicacions, (ex. sistemes de conducció autònoma), obliga la indústria a apostar per la tecnologia basada en Sistemes en Xip amb Processadors Multinucli (MPSoCs) en els seus sistemes embeguts de seguretat-crítica. Els sistemes MPSoCs generalment inclouen una xarxa en el xip (NoC) per a interconnectar els nuclis de processament entre ells, amb la memòria i amb la resta de recursos compartits. Desafortunadament, l'ús de les NoCs dificulta aconseguir la predictibilitat en el temps, ja que poden aparéixer conflictes en molts punts i de forma distribuïda a nivell de xarxa. Per a afrontar aquest problema, en aquesta tesi es proposa un nou paradigma de disseny per a NoCs de temps real on els conflictes en la xarxa són eliminats per disseny. Aquest nou paradigma parteix del Graf de Dependència de Canals (CDG) per a evitar els conflictes de xarxa de manera determinista. La nostra solució és capaç d'injectar missatges de mra natural fent ús d'un període TDM igual al límit teòric òptim sense la necessitat de fer ús d'un procés offline exigent computacionalment. La xarxa s'ha integrat en un sistema multinucli basat en tiles i adaptat a la seua jerarquia de memòria. Com a segona contribució principal, proposem un nou planificador dinàmic i distribuït capaç d'aconseguir un rendiment pic molt pròxims a les NoC basades en un disseny wormhole sense comprometre les seues garanties de temps real. El planificador es basa en el nostre disseny de xarxa per a explotar les seues propietats clau. Els resultats de la nostra NoC mostren que el nostre disseny garanteix la predictibilitat en el temps evitant interferències en la xarxa entre múltiples aplicacions executant-se concurrentment. La xarxa sempre garanteix el rendiment i també millora el rendiment respecte al de les xarxes wormhole en una xarxa 4 x 4 en un factor de 3,7x quan s'injecta trafic per a generar interferències. En una xarxa 8 x 8 les diferències són fins i tot majors. A més, la xarxa obté un estalvi d'àrea total del 10,79% front una implementació bàsica d'una xarxa wormhole. El planificador proposat aconsegueix una millora de rendiment de 6,9x i 14,4x front la versió bàsica de la xarxa DCFNoC per a xarxes en forma de malla de 16 i 64 nodes, respectivament. Quan ho comparem amb un commutador estàndard wormhole es preserva un rendiment de xarxa del 95% al mateix temps que preserva la estricta predictibilitat en el temps. Aquest assoliment obri la porta a nous dissenys de NoCs d'alt rendiment amb predictibilitat en el temps. Com a contribució final, construïm una taxonomia de NoCs basades en TDM amb propietats de temps real. Amb aquesta taxonomia realitzem una anàlisi exhaustiu per a estudiar i comparar des de temps de resposta, a implementacions amb baix cost, passant per solucions de compromís per a dissenys de NoCs de temps real. Com a resultat, obtenim nous dissenys de NoCs basades en TDM.[EN] The ever need for higher performance to cope with the high computational power demands of new applications (e.g autonomous driving systems), forces industry to support technology based on multi-processors system on chip (MPSoCs) in their safety-critical embedded systems. MPSoCs usually include a network-on-chip (NoC) to interconnect the cores between them and, with memory and the rest of shared resources. Unfortunately, the inclusion of NoCs difficults achieving time predictability as network-level conflicts may occur in many points in a distributed manner. To overcome this problem, this thesis proposes a new time-predictable NoC design paradigm where conflicts within the network are eliminated by design. This new paradigm builds on top of the Channel Dependency Graph (CDG) in order to deterministically avoid network conflicts. Our solution is able to naturally inject messages using a TDM period equal to the optimal theoretical bound without the need of using a computationally demanding offline process. The network is integrated in a tile-based manycore system and adapted to its memory hierarchy. As a second main contribution, we propose a novel distributed dynamic scheduler that is able to achieve peak performance close to a wormhole-based NoC design without compromising its real-time guarantees. The scheduler builds on top of our NoC design to exploit its key properties. The results of our NoC show that our design guarantees time predictability avoiding network interference among multiple running applications. The network always guarantees performance and also improves wormhole performance in a 4 x 4 setting by a factor of 3.7x when interference traffic is injected. For a 8 x 8 network differences are even larger. In addition, the network obtains a total area saving of 10.79% over a standard wormhole implementation. The proposed scheduler achieves an overall throughput improvement of 6.9x and 14.4x over a baseline conflict-free NoC for 16 and 64-node meshes, respectively. When compared against a standard wormhole router 95% of its network throughput is preserved while strict timing predictability is kept. This achievement opens the door to new high performance time predictable NoC designs. As a final contribution, we build a taxonomy of TDM-based NoCs with real-time properties. With this taxonomy we perform a comprehensive analysis to study and compare from response time specific, to low resource implementation cost, through trade-off solutions for real-time NoCs designs. As a result, we derive new TDM-based NoC designs.Picornell Sanjuan, T. (2021). Conflict-Free Networks on Chip for Real Time Systems [Tesis doctoral]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/177347TESI

Modeling and Analysis of Automotive Cyber-physical Systems: Formal Approaches to Latency Analysis in Practice

Based on advances in scheduling analysis in the 1970s, a whole area of research has evolved: formal end-to-end latency analysis in real-time systems. Although multiple approaches from the scientific community have successfully been applied in industrial practice, a gap is emerging between the means provided by formally backed approaches and the need of the automotive industry where cyber-physical systems have taken over from classic embedded systems. They are accompanied by a shift to heterogeneous platforms build upon multicore architectures. Scien- tific techniques are often still based on too simple system models and estimations on important end-to-end latencies have only been tightened recently. To this end, we present an expressive system model and formally describe the problem of end-to-end latency analysis in modern automotive cyber-physical systems. Based on this we examine approaches to formally estimate tight end-to-end latencies in Chapter 4 and Chapter 5. The de- veloped approaches include a wide range of relevant systems. We show that our approach for the estimation of latencies of task chains dominates existing approaches in terms of tightness of the results. In the last chapter we make a brief digression to measurement analysis since measuring and simulation is an important part of verification in current industrial practice

Métodos de escalonamento de mensagens para o sistema de comunicação FlexRay

Tese (doutorado) - Universidade Federal de Santa Catarina, Centro Tecnológico, Programa de Pós-Graduação em Engenharia de Automação e Sistemas, Florianópolis, 2015.Este trabalho se insere na área de protocolos de tempo real, abordando especificamente o Sistema de Comunicação FlexRay, um protocolo de tempo real para usos automotivos. O objeto de estudo deste trabalho foram os mecanismos de escalonamento de fluxos de mensagens para o FlexRay, bem como as técnicas utilizadas na análise de tempo de resposta em sistemas que utilizam tal protocolo. O objetivo geral desta tese foi a elaboração e a avaliação de mecanismos para o escalonamento e análise de tempo de resposta de sistemas que utilizem o Sistema de Comunicação FlexRay. São apresentadas quatro propostas. As duas primeiras propostas estão relacionadas ao segmento Estático do FlexRay. Ambas demonstram a viabilidade de se definir a alocação de slots estáticos para cada nodo utilizando técnicas tradicionais para a análise de tempo de resposta considerando-se os requisitos temporais impostos pelo conjunto de fluxos de mensagens de cada nodo, e são métodos capazes de considerar conjuntos de fluxos com períodos que não são múltiplos de FC, sendo também capazes de considerar o caso em que a geração de mensagens nos fluxos não está sincronizada com o FC. São também apresentadas duas propostas que abordam a questão do escalonamento de fluxos de mensagens aperiódicos no Segmento Dinâmico do FlexRay. Foram apresentados dois mecanismos para métodos de arbitragem do DN que tiram vantagem da flexibilidade que fluxos aperiódicos possuem em relação a restrições de tempo real. Em ambos os mecanismos, os fluxos de mensagens aperiódicos de um sistema são associados com uma probabilidade de backoff, e um middleware de tempo real específico utiliza tal probabilidade de backoff para definir se uma mensagem gerada por um fluxo aperiódico irá competir ou não pelo barramento no ciclo de comunicação atual, influenciando nas chances que mensagens com prioridades mais baixas tem de serem transmitidas.Abstract : This work addresses the FlexRay Communication System, a digital serial bus for automotive applications designed to meet the demands of X-by-Wire systems. It provides flexibility, bandwidth and determinism by combining static and dynamic approaches for message transmission, incorporating the advantages of synchronous and asynchronous protocols. The area of interest of this work is scheduling mechanisms for FlexRay, being the overall objective of this thesis the development and evaluation of new techniques for scheduling and timing analysis for FlexRay. In this document four proposals are presented. Two proposals are related to FlexRay Static Segment. These two proposals demonstrate the feasibility of defining the static slot allocation for each node using traditional Response Time Analysis (RTA) techniques, and thus considering the timing requirements imposed by the set of message streams allocated to each node. The proposed techniques are able to deal with message stream sets where periods are not multiples of the FlexRay cycle duration, nor the messages generation is synchronized with the FlexRay cycle. They are also presented two proposals addressing the scheduling of aperiodic message streams in FlexRay Dynamic Segment. Both mechanisms use a probabilistic approach that takes advantage of the flexibility of aperiodic message streams regarding real-time constraints. In the proposed methods, a real-time middleware in each network node manages the transmission of messages generated by aperiodic streams in Dynamic Segment. Whenever a RT-middleware senses that aperiodic messages may be indefinitely postponed, it enters backoff mode. In backoff mode, a RT-middleware randomly defines whether an aperiodic message that is waiting to be transmitted will be sent to the bus in the current FC or if that message will be postponed to another FC, affecting the transmission chances of messages generated by streams with lower priorities have of being transmitted

Packet scheduling algorithms for a software-defined manufacturing environment

With the vision of Industry 4.0, Internet of things (IoT) and Internet of Services (IoS) are making their way to the modern manufacturing systems and industrial automation. As a consequence, modern day manufacturing systems need wider product variation and customization to meet the customer's demands and survive in the competitive markets. Traditional, dedicated systems like assembly lines cannot adapt the rapidly changing requirement of today's manufacturing industries. A flexible and highly scalable infrastructure is needed to support such systems. However, most of the applications in manufacturing systems require strict QoS guarantees. For instance, time-sensitive networks like in industrial automation and smart factories need hard real-time guarantees. Deterministic networks with bounded delay and jitter are essential requirement for such systems. To support such systems, non-deterministic queueing delay has to be eliminated from the network. To this end, we present Time-Sensitive Software-Defined Networks (TSSDN) with a logically centralized controller which computes transmission schedules based on the global view of the network. SDN control logic computes optimized transmission schedules for the end hosts to avoid in network queueing delay. To compute transmission schedules, we present Integer Linear Programming and Routing and Scheduling Algorithms with heuristics that schedule and route unicast and multicast flows. Our evaluations show that it is possible to compute near optimal transmission schedules for TSSDN and bound network delays and jitter

Design of a New High Bandwidth Network for Agricultural Machines

Ethernet is by now the most adopted bus for fast digital communications in many environments, from household entertainment to PLC robotics in industrial assembly lines. Even in automotive industry, the interest in this technology is increasingly growing, pushed forward by research and by the need of high throughput that high dynamics distributed control demands. Although 100base-TX physical layer (PHY) does not seem to meet EMC requirements for vehicular and heavy-duty environments, OPEN Alliance BroadR Reach (soon becoming IEEE standard as IEEE 802.3bw) technology is the most promising and already adopted Ethernet-compatible PHY, reaching 100Mbps over an unshielded twisted pair. An agricultural machine is usually a system including tractor and one or more implements attached to it, to the back or to the front. Nowadays, a specific CAN-based distributed control network support treatments and applications, namely ISOBUS, defined by ISO 11783. This work deals with architectural and technological aspects of advanced Ethernet networks in order to provide a high-throughput deterministic network for in-vehicle distributed control for agricultural machinery. Two main paths of investigation will be presented: one concerning the prioritization of standard Ethernet taking advantage of standard ways of prioritization in well-established technologies; the other changing the channel access method of Ethernet using an industrial fieldbus, chosen after careful investigation. The prioritization of standard Ethernet is performed at two, non-mutual exclusive layers of the ISO OSI stack: one at L3, using the diffserv (former TOS) Ip field; one at L2, using the priorities defined in IEEE 802.1p, used in IEEE 802.1q (VLAN). These choices have several implications in the specific field of application of the agricultural machines. The change of the access method, instead, focused on the adoption of a specific fieldbus, in order to grant deterministic access to the medium and reliability of communications for safety-relevant applications. After a survey, that will be reported, the Powerlink fieldbus was chosen and some modifications will be discussed in order to suit the scope of the research