Performanzanalyse für Multi-Core Multi-Mode Systeme mit gemeinsam genutzten Ressourcen - Verfahren und Anwendung auf AUTOSAR -

In order to implement multi-core systems for single-mode and multi-mode real-time applications, as can be found in modern automobiles, their development process requires appropriate methods and tools for timing and performance verification. In this context, this thesis proposes first novel approaches for the analysis of worst-case blocking-times and response-times for single-mode real-time applications that share resources in partitioned multi-core systems. For this purpose a compositional performance analysis methodology is adopted and extended to take into account the contention of tasks on the processor cores and on the shared resources under different combinations of processor scheduling policies and shared resource arbitration strategies. Highly relevant is the compatibility of the proposed analysis methods with the specifications of the automotive AUTOSAR standard, which defines the combination of (1) preemptive, non-preemptive and cooperative core local scheduling with (2) lock-based arbitration of core local shared resources and spinlock-based arbitration of inter-core shared resources. Further, this thesis proposes novel timing analysis solutions for multi-mode distributed real-time systems. For such systems, the settling time of a mode change, called mode change transition latency, is identified as an important system parameter that has been neglected before. This thesis contributes a novel analysis algorithm which gives a maximum bound on each mode change transition latency of multi-mode distributed applications. Knowing the settling time of each mode change, the impact of multiple mode changes and of the possible overload situations can be handled in the early development phases of real-time systems. Finally, an approach for safely handling shared resources across mode changes is presented and a corresponding timing analysis method is contributed. The new analysis solution combines modeling and analysis elements of the multi-core and multi-mode related analysis solutions and focuses on the specification of the AUTOSAR standard. This enables system designers to handle the timing behavior of more complex systems in which the problems of mode management, multi-core scheduling and shared resource arbitration coexist. The applicability and usefulness of the contributed analysis solutions are highlighted by experimental evaluations, which are enabled by the implementation of the proposed analysis methods in a performance analysis tool framework.Um Multicore-Systeme für die Umsetzung zeitkritischer Single- und Multi-Mode Anwendungen in sicherheitskritischen Umgebungen einsetzen zu können, werden in dem Entwicklungsprozess geeignete Analysemethoden und Tools zur Bestimmung des Zeitverhaltens und der Performanz benötigt. Als erster Beitrag dieser Dissertation werden neue Analyseverfahren eingeführt, um die Worst-Case-Antwortzeiten und -Blockierungszeiten für statische Echtzeitanwendungen in Single-Mode eingebetteten Multicore-Systemen mit gemeinsam genutzten Ressourcen zu bestimmen. Die entwickelten Verfahren nutzen einen existierenden kompositionellen Performanzanalyseansatz und erweitern diesen, um verschiedene Kombinationen von partitionierenden Multiprozessor-Schedulingverfahren und –Synchronisationsmechanismen behandeln zu können. Besonders praxisrelevant ist die Möglichkeit, die Kombination von (1) preemptives, nicht-preemptives sowie kooperatives Prozessor-Scheduling und (2) Spinlock-basierten Synchronisationsmechanismen zu analysieren, die heute in AUTOSAR-konformen Automotive-Softwarearchitekturen standardisiert sind. Als zweiter Beitrag wird in dieser Dissertation ein neuer Ansatz für die Analyse der zeitlichen Auswirkungen von mehreren Szenarienübergängen in vernetzten Multi-Mode eingebetteten Systemen eingeführt. Als erste konstruktive Maßnahme ermöglicht das in dieser Arbeit präsentierte Verfahren die Berechnung der Einschwingzeit jedes Szenarioübergangs und leistet dadurch eine wichtige Hilfestellung beim Systementwurf. Auf diese Weise können die Auswirkungen der Szenarienübergänge, einschließlich der zeitlich begrenzten Überlastsituationen, kontrolliert und in den Systementwurf frühzeitig einbezogen werden. Als letzter Beitrag dieser Dissertation wird ein Ansatz für die Handhabung der Zugriffskonflikte auf gemeinsam genutzten Ressourcen in Multi-Mode eingebetteten Multicore-Systemen präsentiert und eine entsprechende Analysemethode eingeführt. Die neue Analyse kombiniert Modellierungs- und Analyse-Elemente der vorher in dieser Arbeit eingeführten Analyseansätze, und ermöglicht die Untersuchung des ungünstigsten Zeitverhaltens viel komplexer eingebetteten Multicore-Systemen. Dabei werden erneut Spezifikationen der AUTOSAR-Standards berücksichtigt. Nicht zuletzt werden alle Analysemethoden in eine Toolumgebung implementiert und für verschiedene Experimente, die deren praktische Anwendbarkeit hervorheben, angewendet

Towards MARTE++ : an enhanced UML-based language to Model and Analyse Real-Time and Embedded Systems for the IoT age

This paper presents requirements for an enhanced version of the UML Profile for MARTE, the current standard of the OMG for the modelling and analysis of real-time embedded systems. Since its adoption by the OMG in 2009 and after the various additions along recent years, MARTE has been essayed in a number of application domains and validation approaches. This paper makes a review of these various efforts describing extensions, additional functionality, and modeling needs that may serve as inputs for the preparation of a formal request for proposals (RFP) at the OMG. Aspects that have been found useful to have in it include modern platforms like Multi-core, Many-core and GPUs, networking for broader domains like the Internet of Things, federation of all modelling artifacts involved in the development process, including tracing mechanisms embedded in the language to link design and run-time artifacts, and more elaborated kinds of quantitative analyses and extra functional properties, like energy and memory consumption, heat dissipation, and temperature distribution. Also methodological aspects like its specification as a profile and/or as a meta-model will need to be discussed. Finally, the standard needs to be reviewed against the new executable UML related specifications; particularly to be in alignment with those semantics of state machines and composite structures.This work receives funding from the Spanish Government under grant number TIN2014-56158-C4-2-P (M2C2), and from the Electronic Component Systems for European Leadership Joint Undertaking under grant agreement No 737494 (MegaM@RT2). This Joint Undertaking receives support from the European Union’s Horizon 2020 research and innovation programme and Sweden, France, Spain, Italy, Finland, Czech Republic. We thank the anonymous reviewers for their insights and proposals of improvement

Timing in Technischen Sicherheitsanforderungen für Systementwürfe mit heterogenen Kritikalitätsanforderungen

Traditionally, timing requirements as (technical) safety requirements have been avoided through clever functional designs. New vehicle automation concepts and other applications, however, make this harder or even impossible and challenge design automation for cyber-physical systems to provide a solution. This thesis takes upon this challenge by introducing cross-layer dependency analysis to relate timing dependencies in the bounded execution time (BET) model to the functional model of the artifact. In doing so, the analysis is able to reveal where timing dependencies may violate freedom from interference requirements on the functional layer and other intermediate model layers. For design automation this leaves the challenge how such dependencies are avoided or at least be bounded such that the design is feasible: The results are synthesis strategies for implementation requirements and a system-level placement strategy for run-time measures to avoid potentially catastrophic consequences of timing dependencies which are not eliminated from the design. Their applicability is shown in experiments and case studies. However, all the proposed run-time measures as well as very strict implementation requirements become ever more expensive in terms of design effort for contemporary embedded systems, due to the system's complexity. Hence, the second part of this thesis reflects on the design aspect rather than the analysis aspect of embedded systems and proposes a timing predictable design paradigm based on System-Level Logical Execution Time (SL-LET). Leveraging a timing-design model in SL-LET the proposed methods from the first part can now be applied to improve the quality of a design -- timing error handling can now be separated from the run-time methods and from the implementation requirements intended to guarantee them. The thesis therefore introduces timing diversity as a timing-predictable execution theme that handles timing errors without having to deal with them in the implemented application. An automotive 3D-perception case study demonstrates the applicability of timing diversity to ensure predictable end-to-end timing while masking certain types of timing errors.Traditionell wurden Timing-Anforderungen als (technische) Sicherheitsanforderungen durch geschickte funktionale Entwürfe vermieden. Neue Fahrzeugautomatisierungskonzepte und Anwendungen machen dies jedoch schwieriger oder gar unmöglich; Aufgrund der Problemkomplexität erfordert dies eine Entwurfsautomatisierung für cyber-physische Systeme heraus. Diese Arbeit nimmt sich dieser Herausforderung an, indem sie eine schichtenübergreifende Abhängigkeitsanalyse einführt, um zeitliche Abhängigkeiten im Modell der beschränkten Ausführungszeit (BET) mit dem funktionalen Modell des Artefakts in Beziehung zu setzen. Auf diese Weise ist die Analyse in der Lage, aufzuzeigen, wo Timing-Abhängigkeiten die Anforderungen an die Störungsfreiheit auf der funktionalen Schicht und anderen dazwischenliegenden Modellschichten verletzen können. Für die Entwurfsautomatisierung ergibt sich daraus die Herausforderung, wie solche Abhängigkeiten vermieden oder zumindest so eingegrenzt werden können, dass der Entwurf machbar ist: Das Ergebnis sind Synthesestrategien für Implementierungsanforderungen und eine Platzierungsstrategie auf Systemebene für Laufzeitmaßnahmen zur Vermeidung potentiell katastrophaler Folgen von Timing-Abhängigkeiten, die nicht aus dem Entwurf eliminiert werden. Ihre Anwendbarkeit wird in Experimenten und Fallstudien gezeigt. Allerdings werden alle vorgeschlagenen Laufzeitmaßnahmen sowie sehr strenge Implementierungsanforderungen für moderne eingebettete Systeme aufgrund der Komplexität des Systems immer teurer im Entwurfsaufwand. Daher befasst sich der zweite Teil dieser Arbeit eher mit dem Entwurfsaspekt als mit dem Analyseaspekt von eingebetteten Systemen und schlägt ein Entwurfsparadigma für vorhersagbares Timing vor, das auf der System-Level Logical Execution Time (SL-LET) basiert. Basierend auf einem Timing-Entwurfsmodell in SL-LET können die vorgeschlagenen Methoden aus dem ersten Teil nun angewandt werden, um die Qualität eines Entwurfs zu verbessern -- die Behandlung von Timing-Fehlern kann nun von den Laufzeitmethoden und von den Implementierungsanforderungen, die diese garantieren sollen, getrennt werden. In dieser Arbeit wird daher Timing Diversity als ein Thema der Timing-Vorhersage in der Ausführung eingeführt, das Timing-Fehler behandelt, ohne dass sie in der implementierten Anwendung behandelt werden müssen. Anhand einer Fallstudie aus dem Automobilbereich (3D-Umfeldwahrnehmung) wird die Anwendbarkeit von Timing-Diversität demonstriert, um ein vorhersagbares Ende-zu-Ende-Timing zu gewährleisten und gleichzeitig in der Lage zu sein, bestimmte Arten von Timing-Fehlern zu maskieren

Analysis and Evaluation of Inter-Core Communication Based on a Multi-Core Automotive Software and Hardware

The vehicles have become increasingly computerized in order to satisfy the strict safety requirements and to provide better driving experiences. Growing complexity of vehicle functionality requires higher performance and increases complexity of electronic control units (ECUs) software. As a result, the AUTOSAR standard was established by several major vendors and manufactures in 2003. This foundation introduced a standard with the main goal to define a uniform ECU software architecture, which reduces the software complexity. The standardisation of software along with the increasing requirements for resources brought the single core processors to their limit of performance. Hence, new techniques had to be introduced to increase computational power. A solution to this problem is a multi-core processor. It is expected that the main focus for the automotive industry in the next decade will be to implement the existing single-core software to a multi-core architecture. One of the key challenges is to reduce the execution time of inter-core communication in order to maintain the response time in safety critical systems such as the electronic brake system. As the need for multi-core processors became apparent in the automotive industry, AUTOSAR introduced the initial release of multi-core support in 2012 with version 4.0. The specification provides guidelines for implementing multi-core architecture. One of the key elements is the Inter OSApplication Communication (IOC), which provides the cross-core communication between applications located in different cores on a single ECU. The current multi-core software implementation is still in development and there are performance limitations that offer scope for improvement. This thesis addresses the challenge of multi-core software in automotive systems and proposes possible approaches for inter-core communication. In order to identify possible improvements, a number of software benchmarking experiments were designed for intra-core and inter-core communication and implemented on an universal ECU to validate the performance in term of execution time and memory consumption. The results demonstrate that there are significant overheads caused by the design of the communication functions

Mapping Requirements To AUTOSAR Software Components

Modern automotive electrical and electronic systems are rapidly growing in complexity. An increase in the number of systems under electronic control has led to a corresponding increase in the complexity of the deployed software. AUTOSAR has been developed as a means of managing this complexity through a standardised architecture which separates an application from its infrastructure. Reusable software components constitute the application logic of an AUTOSAR-based system. However a major problem which faces AUTOSAR and component-based software engineering in general is the difficulty in selecting components which fulfil the system requirements. This thesis presents a framework which allows requirements to be mapped directly to software components. It includes the results from a study which was carried out in conjunction with automotive and software engineering experts to test the framework

Development and certification of mixed-criticality embedded systems based on probabilistic timing analysis

An increasing variety of emerging systems relentlessly replaces or augments the functionality of mechanical subsystems with embedded electronics. For quantity, complexity, and use, the safety of such subsystems is an increasingly important matter. Accordingly, those systems are subject to safety certification to demonstrate system's safety by rigorous development processes and hardware/software constraints. The massive augment in embedded processors' complexity renders the arduous certification task significantly harder to achieve. The focus of this thesis is to address the certification challenges in multicore architectures: despite their potential to integrate several applications on a single platform, their inherent complexity imperils their timing predictability and certification. Recently, the Measurement-Based Probabilistic Timing Analysis (MBPTA) technique emerged as an alternative to deal with hardware/software complexity. The innovation that MBPTA brings about is, however, a major step from current certification procedures and standards. The particular contributions of this Thesis include: (i) the definition of certification arguments for mixed-criticality integration upon multicore processors. In particular we propose a set of safety mechanisms and procedures as required to comply with functional safety standards. For timing predictability, (ii) we present a quantitative approach to assess the likelihood of execution-time exceedance events with respect to the risk reduction requirements on safety standards. To this end, we build upon the MBPTA approach and we present the design of a safety-related source of randomization (SoR), that plays a key role in the platform-level randomization needed by MBPTA. And (iii) we evaluate current certification guidance with respect to emerging high performance design trends like caches. Overall, this Thesis pushes the certification limits in the use of multicore and MBPTA technology in Critical Real-Time Embedded Systems (CRTES) and paves the way towards their adoption in industry.Una creciente variedad de sistemas emergentes reemplazan o aumentan la funcionalidad de subsistemas mecánicos con componentes electrónicos embebidos. El aumento en la cantidad y complejidad de dichos subsistemas electrónicos así como su cometido, hacen de su seguridad una cuestión de creciente importancia. Tanto es así que la comercialización de estos sistemas críticos está sujeta a rigurosos procesos de certificación donde se garantiza la seguridad del sistema mediante estrictas restricciones en el proceso de desarrollo y diseño de su hardware y software. Esta tesis trata de abordar los nuevos retos y dificultades dadas por la introducción de procesadores multi-núcleo en dichos sistemas críticos: aunque su mayor rendimiento despierta el interés de la industria para integrar múltiples aplicaciones en una sola plataforma, suponen una mayor complejidad. Su arquitectura desafía su análisis temporal mediante los métodos tradicionales y, asimismo, su certificación es cada vez más compleja y costosa. Con el fin de lidiar con estas limitaciones, recientemente se ha desarrollado una novedosa técnica de análisis temporal probabilístico basado en medidas (MBPTA). La innovación de esta técnica, sin embargo, supone un gran cambio cultural respecto a los estándares y procedimientos tradicionales de certificación. En esta línea, las contribuciones de esta tesis están agrupadas en tres ejes principales: (i) definición de argumentos de seguridad para la certificación de aplicaciones de criticidad-mixta sobre plataformas multi-núcleo. Se definen, en particular, mecanismos de seguridad, técnicas de diagnóstico y reacción de faltas acorde con el estándar IEC 61508 sobre una arquitectura multi-núcleo de referencia. Respecto al análisis temporal, (ii) presentamos la cuantificación de la probabilidad de exceder un límite temporal y su relación con los requisitos de reducción de riesgos derivados de los estándares de seguridad funcional. Con este fin, nos basamos en la técnica MBPTA y presentamos el diseño de una fuente de números aleatorios segura; un componente clave para conseguir las propiedades aleatorias requeridas por MBPTA a nivel de plataforma. Por último, (iii) extrapolamos las guías actuales para la certificación de arquitecturas multi-núcleo a una solución comercial de 8 núcleos y las evaluamos con respecto a las tendencias emergentes de diseño de alto rendimiento (caches). Con estas contribuciones, esta tesis trata de abordar los retos que el uso de procesadores multi-núcleo y MBPTA implican en el proceso de certificación de sistemas críticos de tiempo real y facilita, de esta forma, su adopción por la industria.Postprint (published version

Contention-Free Execution of Automotive Applications on a Clustered Many-Core Platform

28th Euromicro Conference on Real-Time Systems (ECRTS 2016). 5 to 8, Jul, 2016. Toulouse, France.Next generations of compute-intensive real-time applications in automotive systems will require more powerful computing platforms. One promising power-efficient solution for such applications is to use clustered many-core architectures. However, ensuring that real-time requirements are satisfied in the presence of contention in shared resources, such as memories, remains an open issue. This work presents a novel contention-free execution framework to execute automotive applications on such platforms. Privatization of memory banks together with defined access phases to shared memory resources is the backbone of the framework. An Integer Linear Programming (ILP) formulation is presented to find the optimal time-triggered schedule for the on-core execution as well as for the access to shared memory. Additionally a heuristic solution is presented that generates the schedule in a fraction of the time required by the ILP. Extensive evaluations show that the proposed heuristic performs only 0.5% away from the optimal solution while it outperforms a baseline heuristic by 67%. The applicability of the approach to industrially sized problems is demonstrated in a case study of a software for Engine Management Systems.info:eu-repo/semantics/publishedVersio

Application Software Components in Autosar

This dissertation presents a set of concepts of AUTomotive Open System ARchitecture, AUTOSAR, starting with how AUTOSAR is structured in differents layers, where each layer has a specific task. The Runtime Environment, RTE, is the most important layer when the topic is communication between AUTOSAR layers. The Virtual Functional Bus, VFB, is key concepts to facilitate the designing an Automotive System, making it possible to relocate some Software Components that belongs to the AUTOSAR Application Layer. This dissertation will also approach, in a development way, key concepts needed to create Software Components, such as, Data Types, the differents Software Components types, Interfaces Types used in the communication of the different Software Components and where the Software Component will call the implemented code, Runnables. In this dissertation will be presented the key idea of reusability of the Software Components, and the strong architecture of AUTOSAR

Is Europe in the Driver's Seat? The Competitiveness of the European Automotive Embedded Systems Industry

This report is one of a series resulting from a project entitled ¿Competitiveness by Leveraging Emerging Technologies Economically¿ (COMPLETE), carried out by JRC-IPTS. Each of the COMPLETE studies illustrates in its own right that European companies are active on many fronts of emerging and disruptive ICT technologies and are supplying the market with relevant products and services. Nevertheless, the studies also show that the creation and growth of high tech companies is still very complex and difficult in Europe, and too many economic opportunities seem to escape European initiatives and ownership. COMPLETE helps to illustrate some of the difficulties experienced in different segments of the ICT industry and by growing potential global players. This report reflects the findings of a study conducted by Egil Juliussen and Richard Robinson, two senior experts from iSuppli Corporation on the Competitiveness of the European Automotive Embedded Software industry. The report starts by introducing the market, its trends, the technologies, their characteristics and their potential economic impact, before moving to an analysis of the competitiveness of the corresponding European industry. It concludes by suggesting policy options. The research, initially based on internal expertise and literature reviews, was complemented with further desk research, expert interviews, expert workshops and company visits. The results were ultimately reviewed by experts and also in a dedicated workshop. The report concludes that currently ICT innovation in the automotive industry is a key competence in Europe, with very little ICT innovation from outside the EU finding its way into EU automotive companies. A major benefit of a strong automotive ICT industry is the resulting large and valuable employment base. But future maintenance of automotive ICT jobs within the EU will only be possible if the EU continues to have high levels of product innovation.JRC.DDG.J.4-Information Societ