19 research outputs found

    Controlling Concurrent Change - A Multiview Approach Toward Updatable Vehicle Automation Systems

    The development of SAE Level 3+ vehicles [SAE, 2014] poses new challenges not only for the functional development, but also for design and development processes. Such systems consist of a growing number of interconnected functional, hardware and software components, making safety design increasingly difficult. In order to cope with emergent behavior at the vehicle level, thorough systems engineering becomes a key requirement, which enables traceability between different design viewpoints. Ensuring traceability is a key factor towards an efficient validation and verification of such systems. Formal models can in turn assist in keeping track of how the different viewpoints relate to each other and how the interplay of components affects the overall system behavior. Based on experience from the project Controlling Concurrent Change, this paper presents an approach towards model-based integration and verification of a cause-effect chain for a component-based vehicle automation system. It reasons on a cross-layer model of the resulting system, which covers the necessary aspects of a design in individual architectural views, e.g. safety and timing. In the synthesis stage of integration, our approach is capable of inserting enforcement mechanisms into the design to ensure adherence to the model. We present a use case description for an environment perception system, starting with a functional architecture, which is the basis for componentization of the cause-effect chain. By tying the vehicle architecture to the cross-layer integration model, we are able to map the reasoning done during verification to vehicle behavior.

    Response-Time Analysis for Task Chains in Communicating Threads

    When modelling software components for timing analysis, we typically encounter functional chains of tasks that lead to precedence relations. As these task chains represent a functionally dependent sequence of operations, in real-time systems there is usually a requirement on their end-to-end latency. When mapped to software components, functional chains often result in communicating threads. Since threads are scheduled rather than tasks, specific task-chain properties arise that can be exploited for response-time analysis. As a core contribution, this paper presents an extension of the busy-window analysis suitable for such task chains in static-priority preemptive systems. We evaluated the extended busy-window analysis in a compositional performance analysis using synthetic test cases and a realistic automotive use case, showing far tighter response-time bounds than current approaches.

    Response-Time Analysis for Task Chains with Complex Precedence and Blocking Relations

    For the development of complex software systems, we often resort to component-based approaches that separate the different concerns and enhance verifiability and reusability, and for which microkernel-based implementations are a good fit to enforce these concepts. Composing such a system of several interacting software components will, however, lead to complex precedence and blocking relations, which must be taken into account when performing latency analysis. When modelling these systems by classical task graphs, some of these effects are obfuscated and tend to render such an analysis either overly pessimistic or even optimistic. We therefore firstly present a novel task (meta-)model that is more expressive and accurate w.r.t. these (functional) precedence and mutual blocking relations. Secondly, we apply the busy-window approach and formulate a modular response-time analysis on task-chain level that is suitable for, but not restricted to, static-priority scheduled systems. We show that the conjunction of both concepts allows the calculation of reasonably tight latency bounds for scenarios not adequately covered by related work.
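
The busy-window analysis that the two task-chain papers above extend is the classical response-time analysis for static-priority preemptive scheduling. The following Python is an added illustration of that baseline, not the authors' chain-aware analyses: it computes per-task worst-case response times by busy-window fixpoint iteration (including the case where a busy window spans several jobs of one task) and the naive end-to-end chain bound obtained by summing them, which is the pessimism the papers attack. The task sets, task names and the "larger number = higher priority" convention are constructed for the example.

```python
"""Classical busy-window response-time analysis for static-priority
preemptive scheduling on one processor, plus the naive end-to-end bound for a
task chain (sum of the chain members' response times).  Added illustration of
the baseline; NOT the chain-aware analyses from the papers above.  All task
sets below are constructed for this example."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Task:
    name: str
    wcet: int      # worst-case execution time C, in integer time units
    period: int    # period / minimum inter-arrival time T
    priority: int  # convention assumed here: larger value = higher priority


def ceil_div(a, b):
    return -(-a // b)


def busy_window(task, taskset, max_jobs=10_000):
    """Worst-case response time of `task`, or None if no bound exists.

    A level-i busy window opens at a critical instant (task i released
    together with every higher-priority task) and lasts while the CPU is busy
    with priority >= that of task i.  The q-th job of task i in the window
    completes at the least fixpoint of
        w_q = q*C_i + sum_{j in hp(i)} ceil(w_q / T_j) * C_j
    and has response time w_q - (q-1)*T_i.  Successive jobs are examined until
    the window closes before the next release, i.e. w_q <= q*T_i.
    """
    hp = [t for t in taskset if t.priority > task.priority]
    # If this priority level already overloads the CPU the window never closes.
    if sum(Fraction(t.wcet, t.period) for t in hp + [task]) > 1:
        return None
    worst = 0
    for q in range(1, max_jobs + 1):
        w = q * task.wcet                      # start below the fixpoint ...
        while True:                            # ... and iterate upwards to it
            w_next = q * task.wcet + sum(ceil_div(w, j.period) * j.wcet for j in hp)
            if w_next == w:
                break
            w = w_next
        worst = max(worst, w - (q - 1) * task.period)
        if w <= q * task.period:               # window closed: later jobs cannot be worse
            return worst
    return None


def response_times(taskset):
    return {t.name: busy_window(t, taskset) for t in taskset}


def chain_latency_bound(chain, taskset):
    """Naive end-to-end bound for a chain given as task names: every member
    suffers its full worst-case response time, back to back.  Safe but
    pessimistic; exploiting the chain's precedence relations is what the
    papers above do to tighten it."""
    rt = response_times(taskset)
    if any(rt[name] is None for name in chain):
        return None
    return sum(rt[name] for name in chain)


# Constructed task sets.
SAMPLE = [Task("A", 1, 4, 3), Task("B", 2, 6, 2), Task("C", 3, 12, 1)]
# Y's first job is still running when its second one is released, so the
# busy window spans two jobs (q = 2) and both must be checked.
BACK_TO_BACK = [Task("X", 2, 5, 2), Task("Y", 4, 7, 1)]
# Utilisation 1.5: the low-priority task has no response-time bound.
OVERLOADED = [Task("P", 3, 4, 2), Task("Q", 3, 4, 1)]

if __name__ == "__main__":
    print(response_times(SAMPLE), chain_latency_bound(["A", "B", "C"], SAMPLE))
    print(response_times(BACK_TO_BACK), response_times(OVERLOADED))
```

For SAMPLE the analysis yields response times 1, 3 and 10, so the naive bound for the chain A, B, C is 14; the chain-level analyses in the papers above exist precisely because this sum is rarely attainable.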

    Self-Aware Scheduling for Mixed-Criticality Component-Based Systems

    A basic mixed-criticality requirement in real-time systems is temporal isolation, which ensures that applications receive a guaranteed (CPU) service and impose only a bounded interference on other applications. Providing operating system support for temporal isolation is often either inefficient, in terms of utilisation and achieved latencies, or complex and hard to implement or model correctly. Correct models are, however, a prerequisite when response times are bounded by formal analyses. We provide a novel approach to this challenge by applying self-aware computing methodologies that involve run-time monitoring to detect (and correct) model deviations of a budget-based scheduler.

    An extensible autonomous reconfiguration framework for complex component-based embedded systems

    We present a framework based on constraint satisfaction that adds self-integration capabilities to component-based embedded systems by identifying correct compositions of the desired components and their dependencies. This not only allows autonomous integration of additional functionality but can also be extended to ensure that the new configuration does not violate any extra-functional requirements, such as safety or security, imposed by the application domain.
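
As an added illustration of the constraint-satisfaction idea, with a constructed catalogue and constructed constraints rather than the authors' framework: a backtracking search picks one implementation per needed service, pulls in the dependencies of every pick, and abandons any partial composition that exceeds a CPU budget or places a network-facing component in the same protection domain as a safety-critical one. The component names, domains and budgets are invented for the example.

```python
"""Constraint-based selection of a component composition.  Added example with
a constructed catalogue and constraints; not the authors' framework.  A
backtracking search chooses one implementation per needed service, adds the
dependencies of every pick, and abandons any partial composition that breaks
a constraint: here a CPU budget and the rule that no network-facing component
may share a protection domain with a safety-critical one."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Impl:
    name: str
    provides: str
    requires: frozenset = frozenset()
    cpu: int = 0                 # percent of one core
    domain: str = "safety"       # protection domain the component runs in
    network_facing: bool = False
    safety_critical: bool = False


def violation(chosen, cpu_budget):
    """Return a reason string if the partial composition breaks a constraint,
    else None.  Both constraints are monotone: adding components never repairs
    them, so a failing partial composition can be pruned immediately."""
    if sum(i.cpu for i in chosen) > cpu_budget:
        return "cpu budget exceeded"
    domains = {}
    for impl in chosen:
        domains.setdefault(impl.domain, []).append(impl)
    for dom, members in domains.items():
        if any(m.network_facing for m in members) and any(m.safety_critical for m in members):
            return "network-facing and safety-critical components share domain " + dom
    return None


def compose(goals, catalogue, cpu_budget):
    """Return a list of Impl that transitively provides every goal service and
    satisfies all constraints, or None if no such composition exists."""

    def search(pending, chosen):
        if not pending:
            return chosen
        service = next(iter(pending))
        if any(c.provides == service for c in chosen):      # already satisfied
            return search(pending - {service}, chosen)
        for cand in catalogue:
            if cand.provides != service:
                continue
            extended = chosen + [cand]
            if violation(extended, cpu_budget):
                continue                                     # prune this branch
            found = search((pending - {service}) | cand.requires, extended)
            if found is not None:
                return found
        return None                                          # backtrack

    return search(frozenset(goals), [])


# Constructed catalogue: two alternatives for sensor fusion and two for the
# update service, one of which would put a network-facing component next to
# the brake controller.
CATALOGUE = [
    Impl("brake_ctl", "brake", frozenset({"sensor_fusion"}), 20, "safety", safety_critical=True),
    Impl("fusion_full", "sensor_fusion", frozenset({"camera"}), 30, "safety"),
    Impl("fusion_lite", "sensor_fusion", frozenset({"camera"}), 15, "safety"),
    Impl("camera_drv", "camera", cpu=10, domain="safety"),
    Impl("ota_in_safety", "update", frozenset({"net"}), 10, "safety", network_facing=True),
    Impl("ota_isolated", "update", frozenset({"net"}), 15, "dmz", network_facing=True),
    Impl("net_stack", "net", cpu=10, domain="dmz", network_facing=True),
]


def chosen_names(goals, catalogue, cpu_budget):
    result = compose(goals, catalogue, cpu_budget)
    return None if result is None else sorted(i.name for i in result)


if __name__ == "__main__":
    print(chosen_names({"brake", "update"}, CATALOGUE, 80))   # ota_isolated + fusion_lite
    print(chosen_names({"brake", "update"}, CATALOGUE, 60))   # None: nothing fits
```

The search returns the first satisfying composition in catalogue order, not an optimal one; with the budget at 80 it is forced onto `fusion_lite` and `ota_isolated`, and with the cheaper update component removed from the catalogue the domain rule alone makes the goal set unsatisfiable.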

    A communication framework for distributed access control in microkernel-based systems

    Microkernel-based architectures have gained increasing interest and relevance for embedded systems. They can not only provide real-time guarantees but also offer strong security properties, which become increasingly significant in application domains such as automotive systems. Nevertheless, the functionality of these complex systems often needs to be distributed across a network of control units for various reasons (e.g. physical location, scalability, separation). Although microkernels have been commercially established, distributed systems like these have not been a major focus. This stems largely from the fact that, in the microkernel world, policy, device drivers and protocol stacks are user-space concerns and are rather left to be solved by the particular application domain. Following the principle of least privilege, we therefore developed a distributed access-control framework for all network-based communication in microkernel-based systems that can be generically deployed. Our design not only enforces security properties such as integrity but is also scalable, without adding significant run-time or code-size overhead.
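
The abstract gives no protocol details, so the following is an added example of the shape such a framework takes; it is an assumed design, not the authors'. Every network message entering a node passes through a communication proxy that first verifies a per-link HMAC (integrity and origin of the message), then a monotonic per-sender sequence number (replay), then a deny-by-default table of which remote component may invoke which local operation (least privilege). Node names, component names, keys and messages are constructed; the choice of HMAC-SHA256 and of per-node-pair keys is an assumption of the example.

```python
"""Deny-by-default filter for network messages between components on
different microkernel-based nodes.  Added example of an ASSUMED design
(per-link HMAC, per-sender sequence numbers, explicit policy table); it is
not the framework from the paper above.  Nodes, components, keys and
messages are all constructed."""
import hashlib
import hmac
import json

# Symmetric key per node pair, held only by the two nodes' communication
# proxies (constructed; would be provisioned at integration time).
LINK_KEYS = {
    frozenset({"ecu_gateway", "ecu_brake"}): b"constructed-key-gateway-brake",
    frozenset({"ecu_infotainment", "ecu_brake"}): b"constructed-key-ivi-brake",
}

# Least-privilege policy of the receiving node: which remote (node, component)
# may invoke which local (component, operation).  Absent means denied.
POLICY = {
    ("ecu_gateway", "diag_mgr"): {("brake_ctl", "read_status")},
    ("ecu_infotainment", "hmi"): {("brake_ctl", "read_status")},
}

AUTHENTICATED_FIELDS = ("src_node", "src_comp", "dst_comp", "op", "seq", "payload")


def canonical(msg):
    """Deterministic encoding of every field covered by the MAC."""
    fields = {k: msg.get(k) for k in AUTHENTICATED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def mac_for(msg, key):
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()


def sign(msg, dst_node):
    """Sender-side proxy: attach the MAC for the link to dst_node."""
    key = LINK_KEYS[frozenset({msg["src_node"], dst_node})]
    return dict(msg, mac=mac_for(msg, key))


class InboundFilter:
    """Receiver-side proxy: every message is checked here before any local
    component sees it.  Order matters: authenticate first, so that forged
    traffic can neither advance the replay state nor reach the policy."""

    def __init__(self, node):
        self.node = node
        self.last_seq = {}  # (src_node, src_comp) -> highest accepted seq

    def check(self, msg):
        """Return (accepted, reason)."""
        key = LINK_KEYS.get(frozenset({msg.get("src_node"), self.node}))
        if key is None:
            return False, "no link key for source node"
        if not hmac.compare_digest(mac_for(msg, key), msg.get("mac", "")):
            return False, "bad mac"
        sender = (msg["src_node"], msg["src_comp"])
        if msg["seq"] <= self.last_seq.get(sender, -1):
            return False, "replayed or reordered seq"
        if (msg["dst_comp"], msg["op"]) not in POLICY.get(sender, set()):
            return False, "denied by policy"
        self.last_seq[sender] = msg["seq"]
        return True, "ok"


def demo():
    """Constructed traffic arriving at ecu_brake; returns the filter verdicts."""
    flt = InboundFilter("ecu_brake")
    base = {"src_node": "ecu_gateway", "src_comp": "diag_mgr",
            "dst_comp": "brake_ctl", "op": "read_status", "seq": 1, "payload": ""}
    good = sign(base, "ecu_brake")
    return [
        flt.check(good),                                   # permitted
        flt.check(good),                                   # same seq again: replay
        flt.check(dict(good, op="set_pressure")),          # altered after signing
        flt.check(sign(dict(base, op="set_pressure", seq=2), "ecu_brake")),  # authentic, not allowed
        flt.check(sign({"src_node": "ecu_infotainment", "src_comp": "media",
                        "dst_comp": "brake_ctl", "op": "read_status",
                        "seq": 1, "payload": ""}, "ecu_brake")),           # component not in policy
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

Note that a message which authenticates correctly but asks for an operation outside the sender's allowed set is still dropped: integrity of the channel and authorisation of the request are separate checks, and the policy table is what carries the least-privilege property.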

    Demonstrating Controlled Change for Autonomous Space Vehicles

    Recent research discusses concepts of in-field changes to overcome the drawbacks of conventional lab-based system design processes. In this paper, we evaluate the concept of controlled change by applying it to a demonstration of a potential future space exploration scenario with mobile robots. The robots are capable of executing several image computations for exploration, object detection and pose estimation, which can be allocated to both FPGA and processor resources of a System-on-Chip. The demonstrator addresses three scenarios, which cover application, environment, and platform change. The system adapts itself to any of the named changes. This capability can increase the autonomy of future space missions. For example, the demonstrator adapts applications during operation to fulfill the mission goals, adapts reliability under changing environment conditions, and adapts to sensor failure.

    Hardware and Software Task Scheduling for ARM-FPGA Platforms

    ARM-FPGA coupled platforms allow accelerating the computation of specific algorithms by executing them in the FPGA fabric. Several computation steps of our case study, a stereo vision application, have been accelerated by hardware implementations. Dynamic Partial Reconfiguration places these hardware tasks in the programmable logic at appropriate times. For an efficient schedule, it needs to be decided when and where to execute a task. Although hardware/software scheduling strategies and algorithms already exist, none exploits all possible optimization techniques: re-use, prefetching, parallelization, and pipelining of hardware tasks. The scheduling algorithm proposed in this paper takes all of these into account and optimizes for the objectives latency/throughput and power/energy.

    Data-Age Analysis and Optimisation for Cause-Effect Chains in Automotive Control Systems

    Automotive control systems typically have latency requirements for certain cause-effect chains. When implementing and integrating these systems, these latency requirements must be guaranteed, e.g. by applying a worst-case analysis that takes all indeterminism and limited predictability of the timing behaviour into account. In this paper, we address the latency analysis for multi-rate distributed cause-effect chains considering static-priority preemptive scheduling of offset-synchronised periodic tasks. We particularly focus on data age as one representative of the two most common latency semantics. Our main contribution is a Mixed Integer Linear Program (MILP)-based optimisation to select design parameters (priorities, task-to-processor mapping, offsets) that minimise the data age. In our experimental evaluation, we apply our method to two real-world automotive use cases.

    Towards model-based integration of component-based automotive software systems

    The increasing complexity of automotive software systems and the desire for more frequent software and even feature updates require new approaches to the design, integration and testing of these systems. Ideally, those approaches enable in-field updatability of automotive software systems that provides the same degree of safety guarantees as traditional lab-based deployment. In this paper, we present a layered modelling approach that formalises the integration procedure of automotive software systems using graph-based models and formal analyses.