Technical Paper

OEMs and Suppliers Must Cooperate on Timing Analysis when Integrating FlexRay-Based Chassis Systems

2009-04-20
2009-01-0752
The introduction of FlexRay is often motivated by high bandwidth, fail-safety, and deterministic timing. Unsurprisingly, FlexRay is currently being introduced broadly in the chassis domain with its safety-critical, distributed control functions. However, FlexRay systems also exhibit unwanted timing effects such as over- and under-sampling and ECU signal jitter. To fully exploit FlexRay's potential, these effects must be understood, controlled, and reasonably considered in the supply-chain communication. In this paper, we illustrate the key timing pitfalls that exist with FlexRay. We further demonstrate how timing analysis increases confidence and allows thorough optimization of FlexRay designs. This helps OEMs and Tier-1 suppliers to protect against timing problems early. Parts of the technology are available; however, new methodological steps are needed.
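The over-/under-sampling and jitter effects named in this abstract are easy to reproduce at a single signal hand-over. The following is an added example, not code from the paper or its authors: a producer task writes a signal into a single-slot buffer every `producer_period` ms, and a consumer (standing in for the task that fills a FlexRay transmit slot) reads that buffer every `consumer_period` ms. The report counts stale (duplicate) reads, samples overwritten before any read saw them, and the oldest value ever delivered. All periods, offsets and the jitter pattern are constructed for illustration.

```python
"""Over- and under-sampling and jitter at a periodic signal hand-over.

Added example, not code from the paper above.  A producer task writes a signal
into a single-slot buffer every `producer_period` ms; a consumer (for instance
the task that fills a FlexRay transmit slot) reads the buffer every
`consumer_period` ms.  The report counts stale reads and overwritten samples
and records the oldest value ever delivered.  All parameters are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class SamplingReport:
    reads: int
    duplicate_reads: int  # consumer saw the same sample as on its previous read (over-sampling)
    lost_samples: int     # samples overwritten before any read observed them (under-sampling)
    max_age_ms: int       # oldest value delivered, measured from its production instant


def production_instants(producer_period: int, horizon: int,
                        producer_jitter: Sequence[int]) -> List[int]:
    """k*Tp + jitter_k for every producer job released before `horizon`.

    The jitter list stands in for ECU signal jitter; entries beyond the list
    are zero.  Each entry must be smaller than the period so that samples
    are still produced in order.
    """
    instants = []
    k = 0
    while k * producer_period < horizon:
        jitter = producer_jitter[k] if k < len(producer_jitter) else 0
        if not 0 <= jitter < producer_period:
            raise ValueError("jitter must satisfy 0 <= jitter < producer_period")
        instants.append(k * producer_period + jitter)
        k += 1
    return instants


def sampling_report(producer_period: int, consumer_period: int, horizon: int,
                    consumer_offset: int = 0,
                    producer_jitter: Sequence[int] = ()) -> SamplingReport:
    produced = production_instants(producer_period, horizon, producer_jitter)
    read_ids: List[Optional[int]] = []
    ages: List[int] = []
    last_read = None
    t = consumer_offset
    while t < horizon:
        # the buffer holds the most recent sample produced at or before the read
        latest = None
        for idx, instant in enumerate(produced):
            if instant <= t:
                latest = idx
        read_ids.append(latest)
        if latest is not None:
            ages.append(t - produced[latest])
        last_read = t
        t += consumer_period
    duplicates = sum(1 for a, b in zip(read_ids, read_ids[1:]) if a is not None and a == b)
    seen = {i for i in read_ids if i is not None}
    lost = 0
    if last_read is not None:
        # a sample produced before the final read that no read ever observed was overwritten
        lost = sum(1 for idx, instant in enumerate(produced)
                   if instant <= last_read and idx not in seen)
    return SamplingReport(len(read_ids), duplicates, lost, max(ages, default=0))


if __name__ == "__main__":
    # constructed scenarios: matched periods, matched periods with one jittered sample,
    # a fast consumer (over-sampling) and a slow consumer (under-sampling)
    print("10/10 ms, offset 5:      ", sampling_report(10, 10, 100, consumer_offset=5))
    print("10/10 ms, sample 3 +7 ms:", sampling_report(10, 10, 100, consumer_offset=5,
                                                        producer_jitter=[0, 0, 0, 7]))
    print("10 ms producer, 5 ms consumer: ", sampling_report(10, 5, 100))
    print("5 ms producer, 10 ms consumer: ", sampling_report(5, 10, 100))
```

With nominally matched 10 ms periods and a 5 ms consumer offset every sample is delivered exactly once at a constant age; a single 7 ms release delay on one producer job already yields one stale read and one lost sample, which is the kind of effect that a period-only view of the two ECUs never shows. A deliberate period mismatch produces duplicates (fast consumer) or losses (slow consumer) systematically.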
Technical Paper

An Integrated Timing Analysis Methodology for Real-Time Systems

2011-04-12
2011-01-0444
Developers of safety-critical real-time systems have to ensure that their systems react within given time bounds. Ideally, the system is designed to provide sufficient computing power and network bandwidth, is cost efficient and provides the necessary safety level. To achieve this goal, three challenges have to be addressed. First, it must be possible to account for timing during early development stages in the architecture exploration phase. Second, during software development, timing behavior and the effects of software changes on timing must be observable. Third, there must be a technology for formally verifying the final timing behavior for industry-size applications. In this article we present a comprehensive methodology for dealing with timing which addresses all three issues based on state-of-the-art commercial tools.
Technical Paper

Efficient Reliability and Safety Analysis for Mixed-Criticality Embedded Systems

2011-04-12
2011-01-0445
Due to the increasing integration of safety-critical functionalities into electronic devices, safety-related system design and certification have become a major challenge. Among other things, a suitable reaction of components to internal errors must be ensured in order to prevent a function from failing and to guarantee a certain degree of reliability. In this context, a wide variety of fault tolerance mechanisms have been developed in the past, including analytical treatment of error coverage and the resulting reliability. However, most of these mechanisms induce a certain timing overhead, which in turn might negatively affect the real-time capabilities of the system. More concretely, even if each error is treated adequately so that no logical failure occurs, a timing failure due to a missed deadline cannot be ruled out entirely.
Technical Paper

Software Architecture Methods and Mechanisms for Timing Error and Failure Detection According to ISO 26262: Deadline vs. Execution Time Monitoring

2013-04-08
2013-01-0174
More electronic vehicle functions lead to an exponentially growing degree of software integration in automotive ECUs. We are seeing an increasing number of ECUs with mixed-criticality software. ISO 26262 describes different safety requirements, including freedom from interference and absence of error propagation for the software. These requirements demand particular attention for mixed-criticality ECUs. In this paper we investigate the ability to guarantee that these safety requirements will be fulfilled by using established (deadline monitoring) and new (execution time monitoring) error detection mechanisms. We also show how these methods can be used to build safe and efficient schedules for today's and future automotive embedded real-time systems with mixed-criticality software.
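The difference between the two detection mechanisms this abstract contrasts is easiest to see on a concrete schedule. The following is an added example, not code from the paper or its authors: a tick-level simulation of a preemptive fixed-priority scheduler running one QM task and one ASIL task, where the QM task has the shorter period (and thus, under rate-monotonic priorities, preempts the ASIL task) and overruns its specified execution time in one job. A deadline monitor is always active; an execution-time monitor can be switched on. Task names, periods, budgets and the overrun are constructed for illustration.

```python
"""Deadline monitoring versus execution-time monitoring on a mixed-criticality ECU.

Added example, not code from the paper above.  A tick-level simulation of a
preemptive fixed-priority scheduler runs one QM task and one ASIL task.  The
QM task has the shorter period and therefore the higher priority; in one job
it overruns its specified execution time.  The run shows what each monitoring
scheme observes, when, and on which task.  All task parameters are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class TaskSpec:
    name: str
    period: int      # ms
    budget: int      # ms, specified worst-case execution time (the monitored budget)
    deadline: int    # ms, relative to release
    priority: int    # larger value = higher priority
    # actual execution time per job index; jobs not listed run exactly `budget`
    actual: Dict[int, int] = field(default_factory=dict)


@dataclass
class Job:
    task: TaskSpec
    index: int
    release: int
    executed: int = 0
    done: bool = False
    killed: bool = False

    @property
    def abs_deadline(self) -> int:
        return self.release + self.task.deadline

    @property
    def need(self) -> int:
        return self.task.actual.get(self.index, self.task.budget)


def simulate(tasks: List[TaskSpec], horizon: int, execution_time_monitor: bool) -> List[str]:
    """Run the scheduler for `horizon` one-millisecond ticks; return monitor events in order.

    The deadline monitor is always on: at a job's absolute deadline it reports
    any job that has not completed.  The execution-time monitor, when enabled,
    terminates a job the moment it has consumed its budget without completing.
    """
    events: List[str] = []
    jobs: List[Job] = []
    for t in range(horizon):
        for task in tasks:                       # periodic releases
            if t % task.period == 0:
                jobs.append(Job(task, t // task.period, t))
        for job in jobs:                         # deadline monitor
            if job.abs_deadline == t and not job.done and not job.killed:
                events.append(f"t={t}: DEADLINE MISS {job.task.name}#{job.index} "
                              f"({job.executed}/{job.need} ms executed)")
        ready = [j for j in jobs if not j.done and not j.killed]
        while ready:
            running = max(ready, key=lambda j: j.task.priority)
            if execution_time_monitor and running.executed >= running.task.budget:
                running.killed = True            # budget exhausted, job not finished
                events.append(f"t={t}: BUDGET OVERRUN {running.task.name}#{running.index}, "
                              f"job terminated")
                ready.remove(running)
                continue                          # give the tick to the next ready job
            running.executed += 1
            if running.executed >= running.need:
                running.done = True
            break
    return events


# Constructed task set: the QM task preempts the ASIL task by rate-monotonic priority,
# and its first job runs 4 ms instead of the specified 1 ms.
QM_TASK = TaskSpec("qm_comfort", period=5, budget=1, deadline=5, priority=2, actual={0: 4})
ASIL_TASK = TaskSpec("asil_brake", period=10, budget=6, deadline=10, priority=1)


def compare(horizon: int = 20) -> Dict[str, List[str]]:
    """Events seen with deadline monitoring only versus with execution-time monitoring added."""
    return {
        "deadline_only": simulate([QM_TASK, ASIL_TASK], horizon, execution_time_monitor=False),
        "with_budget_monitor": simulate([QM_TASK, ASIL_TASK], horizon, execution_time_monitor=True),
    }


if __name__ == "__main__":
    for scheme, evs in compare().items():
        print(scheme)
        for e in evs:
            print("  " + e)
```

With deadline monitoring alone the only event is a deadline miss on the ASIL task at t=10, reported on the victim after the interference has already happened. With execution-time monitoring the overrunning QM job is terminated at t=1, the event names the offending task, and the ASIL task completes within its deadline, which is the freedom-from-interference property the abstract refers to.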
Journal Article

On Designing Software Architectures for Next-Generation Multi-Core ECUs

2015-04-14
2015-01-0177
Multi-core systems are promising a cost-effective solution for (1) advanced vehicle features requiring dramatically more software and hence an order of magnitude more processing power, (2) redundancy and mixed-IP, mixed-ASIL isolation required for ISO 26262 functional safety, and (3) integration of previously separate ECUs and evolving embedded software business models requiring separation of different software parts. In this context, designing, optimizing and verifying the mapping and scheduling of software functions onto multiple processing cores becomes key. This paper describes several multi-core task design and scheduling design options, including function-to-task mapping, task-to-core allocation (both static and dynamic), and associated scheduling policies such as rate-monotonic, criticality-aware priority assignment, period transformation, hierarchical partition scheduling, and dynamic global scheduling.
Technical Paper

A Virtual Platform for Architecture Integration and Optimization in Automotive Communication Networks

2007-04-16
2007-01-1276
Systems and network integration is a major challenge, and systematic analysis of the complex dynamic timing effects becomes key to building reliable systems. Very often, however, systematic analysis techniques are (considered) too restrictive with respect to established design practice. In this paper we present lessons learned from real-world case studies, in which OEMs have used the new SymTA/S scheduling analysis technology to evaluate different network choices with minimum effort. Thanks to its flexibility and supplier independence, SymTA/S can be applied in non-ideal situations, where other, more restricted technologies are inherently limited. Finally, we put the technology into relation with ongoing standardization activities.
Journal Article

Exploration and Optimization of Gated Automotive Networks using Scheduling Analysis

2008-04-14
2008-01-0281
Today, gated networks with several buses are becoming standard in automotive E/E systems but are evolving differently among the various vehicle manufacturers, with different topologies, combinations of bus protocols, and speeds. Making the right architecture decisions requires systematic evaluation of the many alternatives during early design stages. However, there are many trade-offs in terms of performance, cost, extensibility, etc. In this context, scheduling analysis is a powerful tool. It clarifies performance, end-to-end timing, and dynamic behavior. This enables evaluation of networking alternatives and foresight of bottlenecks, and provides guidance in the design process. In the paper, the application of scheduling analysis in automotive network exploration and optimization will be demonstrated. Specific emphasis will be placed on end-to-end timing, migration from CAN to FlexRay, black-box integration and early-stage assumptions, extensibility, and trade-offs.
Technical Paper

Scheduling Analysis and Optimization for Safety-Critical Automotive Systems

2008-04-14
2008-01-0123
When designing safety-critical automotive systems, verification of timing and performance is key, especially the verification of hard deadlines and other critical timing constraints. Test- or simulation-based approaches suffer from corner-case coverage problems and are becoming less reliable as systems grow in size and complexity. Time-triggered mechanisms (e.g. OSEKtime and FlexRay) were proposed as a way out by providing better timing prediction. However, for reasons of cost, flexibility and reactivity, future cars will most likely contain a mix of event-triggered (ET) and time-triggered (TT) components that are combined synchronously and/or asynchronously, thereby further complicating timing. Scheduling analysis has recently matured to allow reliable timing verification and systematic optimization for ET, TT, and mixed systems.
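Both this abstract and the multi-core paper above (rate-monotonic priority assignment, verification of hard deadlines for event-triggered tasks) rest on the same core computation. The following is an added example and is not code from either paper, nor the algorithm of the SymTA/S tool mentioned elsewhere on this page: it implements the classical worst-case response-time recurrence for preemptive fixed-priority scheduling with release jitter, and applies it to a constructed ECU task set before and after a hypothetical software change that grows one task's execution time.

```python
"""Fixed-priority response-time analysis (RTA) for a small ECU task set.

Added illustration, not code from any of the papers listed on this page: it
implements the classical worst-case response-time recurrence for preemptive
fixed-priority scheduling with release jitter.  Task parameters below are
constructed for illustration and do not come from the papers.
"""
from dataclasses import dataclass, replace
from math import ceil
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Task:
    name: str
    period: int        # ms; minimum inter-arrival time for event-triggered tasks
    wcet: int          # ms; worst-case execution time
    deadline: int      # ms; relative deadline (here deadline <= period)
    jitter: int = 0    # ms; release jitter, e.g. from bus reception
    priority: int = 0  # larger value = higher priority


def rate_monotonic(tasks: List[Task]) -> List[Task]:
    """Assign priorities by period: the shortest period gets the highest priority."""
    by_period_desc = sorted(tasks, key=lambda t: t.period, reverse=True)
    return [replace(t, priority=rank) for rank, t in enumerate(by_period_desc)]


def response_time(task: Task, tasks: List[Task]) -> Optional[int]:
    """Worst-case response time of `task`, or None if it can exceed its deadline.

    Iterates w = C_i + sum_{j in hp(i)} ceil((w + J_j) / T_j) * C_j to a fixed
    point; the response time is R_i = w + J_i.  Iteration stops as soon as the
    bound passes the deadline, which also guarantees termination when the task
    set is overloaded.
    """
    higher = [t for t in tasks if t.priority > task.priority]
    w = task.wcet
    while True:
        interference = sum(ceil((w + t.jitter) / t.period) * t.wcet for t in higher)
        w_next = task.wcet + interference
        if w_next + task.jitter > task.deadline:
            return None
        if w_next == w:
            return w + task.jitter
        w = w_next


def verify(tasks: List[Task]) -> Dict[str, Tuple[Optional[int], bool]]:
    """Map each task name to (worst-case response time, deadline met?)."""
    prioritised = rate_monotonic(tasks)
    result: Dict[str, Tuple[Optional[int], bool]] = {}
    for t in prioritised:
        r = response_time(t, prioritised)
        result[t.name] = (r, r is not None)
    return result


def utilisation(tasks: List[Task]) -> float:
    """Total processor utilisation sum(C_i / T_i); below 1.0 does not by itself prove schedulability."""
    return sum(t.wcet / t.period for t in tasks)


# Constructed task set for one ECU (not from the papers).
BASELINE = [
    Task("brake_ctrl", period=5, wcet=1, deadline=5),
    Task("esc_ctrl", period=10, wcet=2, deadline=10, jitter=1),
    Task("body_fn", period=20, wcet=5, deadline=20),
    Task("diagnostics", period=50, wcet=8, deadline=50),
]

# Same set after a hypothetical software change that grows the diagnostics
# task from 8 ms to 15 ms of worst-case execution time.
AFTER_CHANGE = [replace(t, wcet=15) if t.name == "diagnostics" else t for t in BASELINE]


if __name__ == "__main__":
    for label, ts in (("baseline", BASELINE), ("after change", AFTER_CHANGE)):
        print(f"{label}: utilisation {utilisation(ts):.2f}")
        for name, (r, ok) in verify(ts).items():
            print(f"  {name:12s} R={r}  {'OK' if ok else 'DEADLINE MISS'}")
```

In the baseline every task meets its deadline (diagnostics has a worst-case response of 33 ms against a 50 ms deadline). After the change the utilisation is still only 0.95, yet the recurrence for the diagnostics task grows past 50 ms, so a utilisation figure alone would have passed a configuration that the response-time analysis rejects; this is the kind of change-impact check the timing methodology papers above call for.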
Technical Paper

Using Timing Analysis for Evaluating Communication Behavior and Network Topologies in an Early Design Phase of Automotive Electric/Electronic Architectures

2009-04-20
2009-01-1379
The increasing functionality and complexity of future electric/electronic architectures require efficient methods and tools to support design decisions that are taken in early development phases [6]. For the past four years, a holistic approach to architecture development has been established at the Mercedes-Benz Cars R&D department. At its core is a seamless design flow, including the conception, the analysis and the documentation of electric/electronic architectures. One of the current challenges in the design of electric/electronic architectures concerns communication behavior and network topologies. The increasing data exchange between the ECUs places high requirements on the networks. With the introduction of FlexRay [21] and Ethernet the automotive network architecture becomes a lot more heterogeneous. Especially gateways must fulfill many new requirements to handle the strict periodic schedule of FlexRay and the partly event-triggered communication on CAN buses [23].