5 research outputs found

Building blocks for co-design of controllers and implementation platforms in embedded systems

Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Mechanical Engineering, 2013. Cataloged from PDF version of thesis. Includes bibliographical references (p. 93-95).

One of the biggest challenges in implementing feedback control applications on distributed embedded platforms is realizing the required control performance while using minimal computational and communication resources. Determining such tradeoffs between control performance (e.g., stability, peak overshoot, etc.) and resource requirements is an active topic of research in the domain of cyber-physical systems (CPS). In this thesis, a setup is considered where multiple distributed controllers communicate using a hybrid (i.e., time- and event-triggered) communication protocol like FlexRay (which is commonly used in automotive architectures). Mapping all control messages to time-triggered slots results in deterministic timing and hence good control performance, but time-triggered slots are more expensive. The event-triggered slots, while being less expensive, result in variable message delays and hence poor control performance. In order to trade off cost against control performance, a number of recent papers proposed a switching scheme where messages are switched between time- and event-triggered slots based on the state of the plant being controlled. However, all of these studies were based on a monotonic approximation of the system dynamics. This, while simplifying the resource dimensioning problem (i.e., finding the minimum number of time-triggered slots required to realize a given control performance), leads to pessimistic results in terms of usage of time-triggered communication. In this thesis, it is shown that the usage of time-triggered communication (i.e., the requirement on the minimum number of time-triggered slots for a given control performance) is reduced when the accurate, non-monotonic behavior of the system dynamics is considered in the analysis. This technique is illustrated using a number of examples and a real-life case study. While the focus of this thesis is on communication resources, the results are general enough to be applied to a wide range of problems from the CPS domain.

by Leslie Grace Maldonado. S.M.

Message scheduling methods for the FlexRay communication system (Métodos de escalonamento de mensagens para o sistema de comunicação FlexRay)

Thesis (doctorate) - Universidade Federal de Santa Catarina, Centro Tecnológico, Programa de Pós-Graduação em Engenharia de Automação e Sistemas, Florianópolis, 2015.

Abstract (translated from Portuguese): This work falls within the area of real-time protocols, specifically addressing the FlexRay Communication System, a real-time protocol for automotive use. The object of study was the scheduling mechanisms for message streams in FlexRay, as well as the techniques used for response time analysis of systems that use this protocol. The general objective of this thesis was the development and evaluation of mechanisms for scheduling and response time analysis of systems that use the FlexRay Communication System. Four proposals are presented. The first two relate to the FlexRay Static Segment. Both demonstrate the feasibility of defining the static slot allocation for each node using traditional response time analysis techniques, taking into account the timing requirements imposed by the set of message streams of each node; these methods can handle stream sets whose periods are not multiples of the FC (FlexRay communication cycle), and also the case in which message generation in the streams is not synchronized with the FC. Two further proposals address the scheduling of aperiodic message streams in the FlexRay Dynamic Segment. Two mechanisms were presented for DN arbitration methods that take advantage of the flexibility that aperiodic streams have with respect to real-time constraints. In both mechanisms, the aperiodic message streams of a system are associated with a backoff probability, and a dedicated real-time middleware uses this backoff probability to decide whether a message generated by an aperiodic stream will or will not compete for the bus in the current communication cycle, thereby influencing the chances that lower-priority messages have of being transmitted.

Abstract (original English): This work addresses the FlexRay Communication System, a digital serial bus for automotive applications designed to meet the demands of X-by-Wire systems. It provides flexibility, bandwidth and determinism by combining static and dynamic approaches for message transmission, incorporating the advantages of synchronous and asynchronous protocols. The area of interest of this work is scheduling mechanisms for FlexRay, the overall objective of this thesis being the development and evaluation of new techniques for scheduling and timing analysis for FlexRay. In this document four proposals are presented. Two proposals are related to the FlexRay Static Segment. These two proposals demonstrate the feasibility of defining the static slot allocation for each node using traditional Response Time Analysis (RTA) techniques, and thus considering the timing requirements imposed by the set of message streams allocated to each node. The proposed techniques are able to deal with message stream sets where periods are not multiples of the FlexRay cycle duration and where message generation is not synchronized with the FlexRay cycle. Two proposals addressing the scheduling of aperiodic message streams in the FlexRay Dynamic Segment are also presented. Both mechanisms use a probabilistic approach that takes advantage of the flexibility of aperiodic message streams regarding real-time constraints. In the proposed methods, a real-time middleware in each network node manages the transmission of messages generated by aperiodic streams in the Dynamic Segment. Whenever an RT-middleware senses that aperiodic messages may be indefinitely postponed, it enters backoff mode. In backoff mode, an RT-middleware randomly decides whether an aperiodic message that is waiting to be transmitted will be sent to the bus in the current FC or postponed to another FC, affecting the chances that messages generated by lower-priority streams have of being transmitted.

Robust and secure resource management for automotive cyber-physical systems

2022 Spring. Includes bibliographical references.

Modern vehicles are examples of complex cyber-physical systems with tens to hundreds of interconnected Electronic Control Units (ECUs) that manage various vehicular subsystems. With the shift towards autonomous driving, emerging vehicles are characterized by an increase in the number of hardware ECUs, greater complexity of applications (software), and more sophisticated in-vehicle networks. These advances have resulted in numerous challenges that impact the reliability, security, and real-time performance of these emerging automotive systems. Some of the challenges include coping with computation and communication uncertainties (e.g., jitter), developing robust control software, detecting cyber-attacks, ensuring data integrity, and enabling confidentiality during communication. However, solutions to overcome these challenges incur additional overhead, which can catastrophically delay the execution of real-time automotive tasks and message transfers. Hence, there is a need for a holistic, system-level approach to resource management in automotive cyber-physical systems that enables robust and secure automotive system design while satisfying a diverse set of system-wide constraints.

ECUs in vehicles today run a variety of automotive applications ranging from simple vehicle window control to highly complex Advanced Driver Assistance System (ADAS) applications. The aggressive attempts of automakers to make vehicles fully autonomous have increased the complexity and data rate requirements of applications and further led to the adoption of advanced artificial intelligence (AI) based techniques for improved perception and control. Additionally, modern vehicles are becoming increasingly connected with various external systems to realize more robust vehicle autonomy. These paradigm shifts have resulted in significant overheads on resource-constrained ECUs and increased the complexity of the overall automotive system (including heterogeneous ECUs, network architectures, communication protocols, and applications), which has severe performance and safety implications for modern vehicles. The increased complexity of automotive systems introduces several computation and communication uncertainties in automotive subsystems that can cause delays in applications and messages, resulting in missed real-time deadlines. Missing deadlines for safety-critical automotive applications can be catastrophic, and this problem will be further aggravated in future autonomous vehicles. Additionally, due to the harsh operating conditions (such as high temperatures, vibrations, and electromagnetic interference (EMI)) of automotive embedded systems, there is a significant risk to the integrity of the data exchanged between ECUs, which can lead to faulty vehicle control. These challenges demand a more reliable design of automotive systems that is resilient to uncertainties and supports data integrity goals. Additionally, the increased connectivity of modern vehicles has made them highly vulnerable to various kinds of sophisticated security attacks. Hence, it is also vital to ensure the security of automotive systems, and this will become crucial as connected and autonomous vehicles become more ubiquitous. However, imposing security mechanisms on resource-constrained automotive systems can result in additional computation and communication overhead, potentially leading to further missed deadlines. Therefore, it is crucial to design techniques that incur very minimal (lightweight) overhead when pursuing the above-mentioned goals, so that the real-time performance of the system is preserved.

We address these issues by designing a holistic resource management framework called ROSETTA that enables robust and secure automotive cyber-physical system design while satisfying a diverse set of constraints related to reliability, security, real-time performance, and energy consumption. To achieve reliability goals, we have developed several techniques for reliability-aware scheduling and multi-level monitoring of signal integrity. To achieve security objectives, we have proposed a lightweight security framework that provides confidentiality and authenticity while meeting both security and real-time constraints. We have also introduced multiple deep learning based intrusion detection systems (IDS) to monitor and detect cyber-attacks in the in-vehicle network. Lastly, we have introduced novel techniques for jitter management and security management and deployed lightweight IDSs on resource-constrained automotive ECUs while ensuring the real-time performance of the automotive systems.

Iterative integration of avionics systems communicating in synchronous and asynchronous modes (Intégration itérative des systèmes avioniques communicants en mode synchrone et asynchrone)

Abstract (translated from French): Modern avionics systems are complex and evolving distributed systems. They are designed iteratively, integrating one or more functionalities at each iteration. Adding new functionalities imposes additional reconfiguration costs so that the whole system remains compliant with real-time requirements. These systems also rely on the adoption of a deterministic communication protocol such as AFDX. The latter is used in modern aircraft such as the Airbus A380 and the Boeing B787. It relies on asynchronous communication with bandwidth limitation. This mechanism ensures bounded communication delays. The search for more determinism has pushed the scientific community to look for alternatives to AFDX. The Time-triggered Ethernet standard is a good alternative. In addition to bandwidth-limited asynchronous communication, it also defines synchronous communication. Depending on the type of communication, the approaches for verifying real-time requirements differ. To analyze asynchronous flows, analytical approaches are mainly used. They provide a good compromise between performance and pessimism. For synchronous flows, constraint formalisms are instead used to synthesize a feasible schedule. The combination of the two kinds of flows is a challenge in terms of verification. Moreover, the existing verification approaches model neither the evolving aspect nor the notion of cost.

Abstract (original English): Modern avionics systems are complex and evolving distributed ones. They are designed iteratively by integrating one or more functionalities at each iteration. Adding new functionality may impose additional reconfiguration costs so that the whole system complies with the real-time requirements. These systems also rely on the adoption of a deterministic communication protocol such as AFDX. The latter is used in modern aircraft such as the Airbus A380 and the Boeing B787. It relies on asynchronous communication with bandwidth limitations. This mechanism ensures finite communication delays. The search for more determinism has encouraged the scientific community to look for other alternatives to AFDX. The Time-triggered Ethernet standard is a good alternative. In addition to asynchronous communication with limited bandwidth, it also defines synchronous communication. Depending on the type of communication, verification approaches for real-time requirements differ. To analyze asynchronous flows, we mainly use analytical approaches. They ensure a good compromise between performance and pessimism. For synchronous flows, we rely instead on constraint formalism to synthesize a feasible schedule. The combination of the two flows is a challenge in terms of verification. In addition, the defined verification approaches model neither the evolving aspect nor the cost concept.