
    Towards the Formal Verification of a Distributed Real-Time Automotive System

    We present the status of a project which aims at building, and formally and pervasively verifying, a distributed automotive system. The target system is a gate-level model which consists of several interconnected electronic control units with independent clocks. This model is verified against the specification as seen by a system programmer. The automotive system is implemented on several FPGA boards. The pervasive verification is carried out using a combination of interactive theorem proving (Isabelle/HOL) and model checking (LTL).

    Design and implementation of an UVM functional verification environment for IEEE 802.1AE-compliant MAC Security IPs in automotive applications

    The constant growth of automotive network complexity has led top-line models to include more than 100 Electronic Control Units (ECUs). As a result, in-car networks are rapidly reaching their limits in terms of data load, flexibility and bandwidth. The Ethernet backbone is consequently considered the best solution by the automotive world because it provides a common network topology, easy integration with other subdomains, excellent performance and high flexibility. On the other hand, the increasing interconnection of vehicles with the outside world expands the attack surface, providing multiple attack points, either internal or external, that could be exploited to interact maliciously with the car. The IEEE 802.1AE MAC Security Standard (MACsec) solves security weaknesses of Ethernet communication, offering data integrity, authenticity and confidentiality. Therefore an Intellectual Property (IP) for automotive applications compliant with the aforementioned standard appears to be a suitable solution. Security countermeasures, besides protecting the car against attacks, should not impact normal vehicle operation through unexpected behaviour. Indeed, since the vast majority of automotive applications are classified as safety-critical, even a single bug could endanger not only cars but also passengers' lives. Hence, a thorough functional verification is essential in order to provide a device that is both safe and secure. In this work a deep analysis of functional verification for a MACsec-compliant IP has been carried out; multiple verification approaches and techniques have been investigated in order to identify the most suitable for the specific case. This study, considering requirements of re-usability, flexibility and high performance, led to the implementation of a UVM-based verification platform together with the MACsec IP behavioural model required in such a verification environment. The testbench has been deployed to intensively test the IP: more than 10 million tests have been executed. Verification results show that several bugs, concerning either functionality or security, have been discovered while achieving 100% verification coverage. Moreover, performance-wise, the testbench has proven to be up to ten times faster than the one already in place during the design phase. The flexibility, re-usability and high performance of the implemented platform have made the verification process much faster and easier. Moreover, for the same reasons, the testbench has been adopted by other teams in similar verification projects.

    High-Integrity Performance Monitoring Units in Automotive Chips for Reliable Timing V&V

    As software continues to control more system-critical functions in cars, its timing is becoming an integral element in functional safety. Timing validation and verification (V&V) assesses software's end-to-end timing measurements against given budgets. The advent of multicore processors with massive resource sharing reduces the significance of end-to-end execution times for timing V&V and requires reasoning on (worst-case) access delays on contention-prone hardware resources. While Performance Monitoring Units (PMUs) support this finer-grained reasoning, their design has never been a prime consideration in high-performance processors (from which automotive-chip PMU implementations descend), since the PMU does not directly affect performance or reliability. To meet the PMU's instrumental importance for timing V&V, we advocate for PMUs in automotive chips that explicitly track activities related to worst-case (rather than average) software behavior, are recognized as an ISO 26262 mandatory high-integrity hardware service, and are accompanied by detailed documentation that enables their effective use to derive reliable timing estimates.
    This work has also been partially supported by the Spanish Ministry of Economy and Competitiveness (MINECO) under grant TIN2015-65316-P and the HiPEAC Network of Excellence. Jaume Abella has been partially supported by the MINECO under Ramon y Cajal postdoctoral fellowship number RYC-2013-14717. Enrico Mezzet has been partially supported by the Spanish Ministry of Economy and Competitiveness under Juan de la Cierva-Incorporación postdoctoral fellowship number IJCI-2016-27396.
    Peer reviewed. Postprint (author's final draft).

    Implementing Toyota Production System (TPS) concept in a small automotive parts manufacturer

    This study investigates the consequences of implementing the Toyota Production System (TPS) in the production line of a local automotive parts manufacturer. The production line consisted of three different processes and two inter-process buffers. A verified base model was created using the WITNESS(TM) computer simulation software. Reducing WIP is the primary objective of the study, focusing on varying the sizes of the inter-process buffers. Results generated from the simulation indicate that reducing the inter-process buffers simultaneously produces a significant effect in reducing WIP compared to reducing each buffer independently.

    Assurance Benefits of ISO 26262 compliant Microcontrollers for safety-critical Avionics

    The usage of complex Microcontroller Units (MCUs) in avionic systems constitutes a challenge in assuring their safety. They are not developed according to the development requirements accepted by the aerospace industry. These Commercial off-the-shelf (COTS) hardware components usually target other domains, like the telecommunication branch. In recent years, MCUs developed in compliance with ISO 26262 have been released on the market for safety-related automotive applications. The avionic assurance process could profit from these safety MCUs. In this paper we present evaluation results, based on current assurance practice, that demonstrate how the expected assurance activities benefit from ISO 26262 compliant MCUs.
    Comment: Submitted to SafeComp 2018: http://www.es.mdh.se/safecomp2018