7 research outputs found
From Dataflow Specification to Multiprocessor Partitioned Time-triggered Real-time Implementation
Our objective is to facilitate the development of complex time-triggered systems by automating the allocation and scheduling steps. We show that full automation is possible while taking into account the elements of complexity needed by a complex embedded control system. More precisely, we consider deterministic functional specifications provided (as is often the case in an industrial setting) by means of synchronous data-flow models with multiple modes and multiple relative periods. We first extend this functional model with an original real-time characterization that takes advantage of our time-triggered framework to provide a simpler representation of complex end-to-end flow requirements. We also extend our specifications with additional non-functional properties specifying partitioning, allocation, and preemptability constraints. Then, we provide novel algorithms for the off-line scheduling of these extended specifications onto partitioned time-triggered architectures à la ARINC 653. The main originality of our work is that it takes into account at the same time multiple complexity elements: various types of non-functional properties (real-time, partitioning, allocation, preemptability) and functional specifications with conditional execution and multiple modes. Allocation of time slots/windows to partitions can be fully or partially provided, or synthesized by our tool. Our algorithms allow the automatic allocation and scheduling onto multi-processor (distributed) systems with a global time base, taking into account communication costs. We demonstrate our technique on a model of a space flight software system with strong real-time determinism requirements.
From dataflow specification to multiprocessor partitioned time-triggered real-time implementation
We consider deterministic functional specifications provided by means of synchronous data-flow models with multiple modes and multiple relative periods. These specifications are extended to include a real-time characterization defining task periods, release dates, and deadlines. Task deadlines can be longer than the period to allow a faithful representation of complex end-to-end flow requirements. We also extend our specifications with partitioning and allocation constraints. Then, we provide algorithms for the off-line scheduling of these specifications onto partitioned time-triggered architectures à la ARINC 653. Allocation of time slots/windows to partitions can be fully or partially provided, or synthesized by our tool. Our algorithms allow the automatic allocation and scheduling onto multi-processor (distributed) systems with a global time base, taking into account communication costs. We demonstrate our technique on a model of a space flight software system with strong real-time determinism requirements.
Robust and secure resource management for automotive cyber-physical systems
2022 Spring. Includes bibliographical references.
Modern vehicles are examples of complex cyber-physical systems with tens to hundreds of interconnected Electronic Control Units (ECUs) that manage various vehicular subsystems. With the shift towards autonomous driving, emerging vehicles are being characterized by an increase in the number of hardware ECUs, greater complexity of applications (software), and more sophisticated in-vehicle networks. These advances have resulted in numerous challenges that impact the reliability, security, and real-time performance of these emerging automotive systems. Some of the challenges include coping with computation and communication uncertainties (e.g., jitter), developing robust control software, detecting cyber-attacks, ensuring data integrity, and enabling confidentiality during communication. However, solutions to overcome these challenges incur additional overhead, which can catastrophically delay the execution of real-time automotive tasks and message transfers. Hence, there is a need for a holistic approach to a system-level solution for resource management in automotive cyber-physical systems that enables robust and secure automotive system design while satisfying a diverse set of system-wide constraints. ECUs in vehicles today run a variety of automotive applications ranging from simple vehicle window control to highly complex Advanced Driver Assistance System (ADAS) applications. The aggressive attempts of automakers to make vehicles fully autonomous have increased the complexity and data rate requirements of applications and further led to the adoption of advanced artificial intelligence (AI) based techniques for improved perception and control. Additionally, modern vehicles are becoming increasingly connected with various external systems to realize more robust vehicle autonomy.
These paradigm shifts have resulted in significant overheads in resource constrained ECUs and increased the complexity of the overall automotive system (including heterogeneous ECUs, network architectures, communication protocols, and applications), which has severe performance and safety implications on modern vehicles. The increased complexity of automotive systems introduces several computation and communication uncertainties in automotive subsystems that can cause delays in applications and messages, resulting in missed real-time deadlines. Missing deadlines for safety-critical automotive applications can be catastrophic, and this problem will be further aggravated in the case of future autonomous vehicles. Additionally, due to the harsh operating conditions (such as high temperatures, vibrations, and electromagnetic interference (EMI)) of automotive embedded systems, there is a significant risk to the integrity of the data that is exchanged between ECUs which can lead to faulty vehicle control. These challenges demand a more reliable design of automotive systems that is resilient to uncertainties and supports data integrity goals. Additionally, the increased connectivity of modern vehicles has made them highly vulnerable to various kinds of sophisticated security attacks. Hence, it is also vital to ensure the security of automotive systems, and it will become crucial as connected and autonomous vehicles become more ubiquitous. However, imposing security mechanisms on the resource constrained automotive systems can result in additional computation and communication overhead, potentially leading to further missed deadlines. Therefore, it is crucial to design techniques that incur very minimal overhead (lightweight) when trying to achieve the above-mentioned goals and ensure the real-time performance of the system. 
We address these issues by designing a holistic resource management framework called ROSETTA that enables robust and secure automotive cyber-physical system design while satisfying a diverse set of constraints related to reliability, security, real-time performance, and energy consumption. To achieve reliability goals, we have developed several techniques for reliability-aware scheduling and multi-level monitoring of signal integrity. To achieve security objectives, we have proposed a lightweight security framework that provides confidentiality and authenticity while meeting both security and real-time constraints. We have also introduced multiple deep learning based intrusion detection systems (IDS) to monitor and detect cyber-attacks in the in-vehicle network. Lastly, we have introduced novel techniques for jitter management and security management and deployed lightweight IDSs on resource constrained automotive ECUs while ensuring the real-time performance of the automotive systems.
Scratchpad Memory Management For Multicore Real-Time Embedded Systems
Multicore systems will continue to spread in the domain of real-time embedded systems due to the increasing need for high-performance applications. This research discusses some of the challenges associated with employing multicore systems for safety-critical real-time applications. Mainly, this work is concerned with providing: 1) efficient inter-core timing isolation for independent tasks, and 2) predictable task communication for communicating tasks.
Principally, we introduce a new task execution model, based on the 3-phase execution model, that exploits the Direct Memory Access (DMA) controllers available in modern embedded platforms along with ScratchPad Memories (SPMs) to enforce strong timing isolation between tasks. The DMA and the SPMs are explicitly managed to pre-load tasks from main memory into the local (private) scratchpad memories. Tasks are then executed from the local SPMs without accessing main memory. This model allows CPU execution to be overlapped with DMA loading/unloading operations from and to main memory. We show that by co-scheduling task execution on CPUs and using DMA to access memory and I/O, we can efficiently hide access latency to physical resources. In turn, this leads to significant improvements in system schedulability, compared to both the case of unregulated contention for access to physical resources and to previous cache and SPM management techniques for real-time systems.
The presented SPM-centric scheduling algorithms and analyses cover single-core, partitioned, and global real-time systems. The proposed scheme is also extended to support large tasks that do not fit entirely into the local SPM. Moreover, the schedulability analysis considers the case of recovering from transient soft errors (bit flips caused by a single event upset) in several levels of memories, that cannot be automatically corrected in hardware by the ECC unit. The proposed SPM-centric scheduling is integrated at the OS level; thus it is transparent to applications. The proposed scheme is implemented and evaluated on an FPGA platform and a Commercial-Off-The-Shelf (COTS) platform.
Regarding real-time task communication, two types of communication are considered: 1) asynchronous inter-task communication, between either sequential tasks (single-threaded) or parallel tasks (multi-threaded), and 2) intra-task communication, where parallel threads of the same application exchange data. A new task scheduling model for parallel tasks (Bundled Scheduling) is proposed to facilitate intra-task communication and reduce synchronization overheads. We show that the proposed bundled scheduling model can be applied to several parallel programming models, such as fork-join and DAG-based applications, leading to improved system schedulability. Finally, intra-task communication is governed by a predictable inter-core communication platform. Specifically, we propose HopliteRT, a lean and predictable Network-on-Chip that connects the private SPMs.
Real-time communications over switched Ethernet supporting dynamic QoS management
Doctorate in Informatics Engineering.
During the last decade we have witnessed a growing use of embedded systems to support process control, robotic systems, transportation systems and vehicles, and even home automation systems and household appliances. Many of these applications are critical in terms of the safety of people and property and require a high level of determinism with respect to the execution instants of their tasks. Moreover, the deployment of these systems may be subject to structural constraints, requiring or benefiting from a distributed configuration with several spatially separated computing subsystems. These subsystems, although spatially separated, are cooperative and depend on a communication infrastructure to achieve the application's goals; consequently, the transactions carried out on this infrastructure are also subject to the temporal constraints defined by the application.
The applications that run on these distributed systems, called networked embedded systems (NES), can be highly complex and heterogeneous, involving different types of interactions with different requirements and properties. One example of this heterogeneity is the activation model of the communication between subsystems, which may be triggered periodically according to a global time base (time-triggered), as in the flows of distributed control systems, or triggered as a consequence of asynchronous application events (event-triggered). Regardless of the traffic characteristics or its activation model, it is of paramount importance that the communication platform provides guarantees that the application requirements are met while at the same time allowing a simple integration of the various traffic types.
Another property that is emerging and gaining importance within NES is flexibility. This property is driven by the need to reduce the installation, maintenance and operation costs of systems. In this sense, the system is given the ability to adapt the service provided to the application to its instantaneous requirements, following the evolution of the system and providing a better and more rational use of the available resources.
However, greater operational flexibility is also synonymous with greater complexity, arising from the need to allocate resources dynamically, which in turn consumes additional system resources. The possibility of dynamically modifying the system's characteristics also entails greater complexity in the design and specification phase. The increase in the number of supported degrees of freedom enlarges the system's state space, making a pre-analysis harder. To contain this increase in complexity, models are needed that represent the system dynamics and provide an optimized and fair management of resources based on quality of service (QoS) parameters.
It is our thesis that the properties of flexibility, timeliness and dynamic QoS management can be integrated into a switched Ethernet (SE) network, taking advantage of its low cost, high bandwidth and easy deployment. This dissertation proposes a protocol, Flexible Time-Triggered communication over Switched Ethernet (FTT-SE), which supports the desired properties and overcomes the limitations of SE networks for real-time applications, such as the use of FIFO queues, the existence of few priority levels and the limited capability for individualized flow management. The protocol is based on the FTT paradigm, which generically defines the architecture of a protocol stack over the medium access of a shared network, thereby imposing temporal determinism together with the capability for dynamic reconfiguration and adaptation of the network. Several models for distributing the network bandwidth according to the QoS level specified by each user service of the network are also presented.
This dissertation presents the motivation for creating the FTT-SE protocol, gives a description of it, and analyses some of its most relevant properties. QoS distribution models are also presented and compared. Finally, two application cases are presented that support the validity of the thesis stated above.
During the last decade we have witnessed a massive deployment of embedded systems on a wide range of applications, from industrial automation to process control, avionics, cars or even robotics. Many of these applications have an inherently high level of criticality, having to perform tasks within tight temporal constraints. Additionally, the configuration of such systems is often distributed, with several computing nodes that rely on a communication infrastructure to cooperate and achieve the application's global goals. Therefore, the communications are also subject to the same temporal constraints set by the application requirements.
Many applications relying on such networked embedded systems (NES) are complex and heterogeneous, comprising different activities with different requirements and properties. For example, the communication between subsystems may follow a strict temporal synchronization with respect to a global time-base (time-triggered), like in a distributed feedback control loop, or it may be issued asynchronously upon the occurrence of events (event-triggered). Regardless of the traffic characteristics and its activation model, it is of paramount importance to have a communication framework that provides seamless integration of heterogeneous traffic sources while guaranteeing the application requirements.
Another property that has been emerging as important for NES design and operation is flexibility. The need to reduce installation and operational costs, while facilitating maintenance, is promoting a more rational use of the available resources at run-time, exploring the ability to tune service parameters as the system evolves.
However, such operational flexibility comes with the cost of increasing the complexity of the system to handle the dynamic resource management, which in turn demands the allocation of additional system resources. Moreover, the capacity to dynamically modify the system properties also causes a higher complexity when designing and specifying the system, since the operational state-space increases with the degrees of flexibility of the system.
Therefore, in order to bound this complexity, appropriate operational models are needed to handle the system dynamics and carry out an efficient and fair resource management strategy based on quality of service (QoS) metrics.
This thesis states that the properties of flexibility and timeliness as needed for dynamic QoS management can be provided to switched Ethernet based systems. Switched Ethernet, although initially designed for general purpose Internet access and file transfers, is becoming widely used in NES-based applications. However, COTS switched Ethernet is insufficient regarding the needs for real-time predictability and for supporting the aforementioned properties, due to the use of FIFO queues, too few priority levels and limited stream-level management capabilities. In this dissertation we propose a protocol to overcome those limitations, namely the Flexible Time-Triggered communication over Switched Ethernet (FTT-SE). The protocol is based on the FTT paradigm that generically defines a protocol architecture suitable to enforce real-time determinism on a communication network while supporting the desired flexibility properties.
This dissertation addresses the motivation for FTT-SE, describing the protocol as well as its schedulability analysis. It additionally covers the resource distribution topic, where several distribution models are proposed to manage the resource capacity among the competing services while considering the QoS level requirements of each service. A couple of application cases are shown that support the aforementioned thesis.
Timing in Technical Safety Requirements for System Designs with Heterogeneous Criticality Requirements (Timing in Technischen Sicherheitsanforderungen für Systementwürfe mit heterogenen Kritikalitätsanforderungen)
Traditionally, timing requirements as (technical) safety requirements have been avoided through clever functional designs. New vehicle automation concepts and other applications, however, make this harder or even impossible and challenge design automation for cyber-physical systems to provide a solution. This thesis takes up this challenge by introducing cross-layer dependency analysis to relate timing dependencies in the bounded execution time (BET) model to the functional model of the artifact. In doing so, the analysis is able to reveal where timing dependencies may violate freedom from interference requirements on the functional layer and other intermediate model layers. For design automation this leaves the challenge of how such dependencies can be avoided or at least bounded such that the design is feasible: the results are synthesis strategies for implementation requirements and a system-level placement strategy for run-time measures to avoid potentially catastrophic consequences of timing dependencies which are not eliminated from the design. Their applicability is shown in experiments and case studies. However, all the proposed run-time measures as well as very strict implementation requirements become ever more expensive in terms of design effort for contemporary embedded systems, due to the system's complexity. Hence, the second part of this thesis reflects on the design aspect rather than the analysis aspect of embedded systems and proposes a timing predictable design paradigm based on System-Level Logical Execution Time (SL-LET). Leveraging a timing-design model in SL-LET, the proposed methods from the first part can now be applied to improve the quality of a design -- timing error handling can now be separated from the run-time methods and from the implementation requirements intended to guarantee them.
The thesis therefore introduces timing diversity as a timing-predictable execution theme that handles timing errors without having to deal with them in the implemented application. An automotive 3D-perception case study demonstrates the applicability of timing diversity to ensure predictable end-to-end timing while masking certain types of timing errors.
Traditionally, timing requirements as (technical) safety requirements have been avoided through clever functional designs. New vehicle automation concepts and applications, however, make this harder or even impossible; because of the problem's complexity, this calls for design automation for cyber-physical systems. This thesis takes up this challenge by introducing a cross-layer dependency analysis to relate timing dependencies in the bounded execution time (BET) model to the functional model of the artifact. In doing so, the analysis is able to reveal where timing dependencies may violate freedom-from-interference requirements on the functional layer and other intermediate model layers. For design automation, this raises the challenge of how such dependencies can be avoided or at least bounded so that the design is feasible: the result is synthesis strategies for implementation requirements and a system-level placement strategy for run-time measures to avoid potentially catastrophic consequences of timing dependencies that are not eliminated from the design. Their applicability is shown in experiments and case studies. However, all the proposed run-time measures as well as very strict implementation requirements become ever more expensive in design effort for modern embedded systems, due to the system's complexity.
Therefore, the second part of this thesis addresses the design aspect rather than the analysis aspect of embedded systems and proposes a design paradigm for predictable timing based on System-Level Logical Execution Time (SL-LET). Based on a timing-design model in SL-LET, the methods proposed in the first part can now be applied to improve the quality of a design: the handling of timing errors can now be separated from the run-time methods and from the implementation requirements that are intended to guarantee them. This thesis therefore introduces Timing Diversity as a timing-predictable execution theme that handles timing errors without having to handle them in the implemented application. Using a case study from the automotive domain (3D environment perception), the applicability of timing diversity is demonstrated to ensure predictable end-to-end timing while being able to mask certain types of timing errors.