Search Results

Journal Article

Schedule Design to Guarantee Freedom of Interference in Mixed Criticality Systems

2012-04-16
2012-01-0036
The integration of mixed-criticality software according to safety standards like ISO 26262 generates new, parasitic mutual effects within the involved software architectures. In this situation, established schedule design patterns like RMS fail to deliver both efficiency and safety, in particular freedom of interference. In today's practice of building a schedule, the measures taken to fulfill these safety requirements can conflict with efficiency requirements. The target of this paper is to present a sound approach to solving such requirement conflicts and building schedules that are both safe and efficient. We present a general early-stage procedure to build safe, certifiable, and efficient schedules. The procedure is based on the established design patterns and adds guidelines on how to exploit additional options in both schedule design and software partitioning. The procedure was validated against typical real-world systems, and one example is presented.
Technical Paper

Methods and Tools for End-to-End Latency Analysis and Optimization of a Dual-Processor Control Module

2012-04-16
2012-01-0029
Automotive HW/SW architectures are becoming increasingly complex to support the deployment of new safety, comfort, and energy-efficiency features. Such architectures include many software tasks (100+), messages (1000+), computational and communication resources (70+ CPUs, 10+ buses), and (smart) sensors and actuators (20+). To cope with the increasing system complexity at the lowest development and product costs, highest safety, and fastest time to market, model-based rapid-prototyping development processes are essential. These processes, coupled with optimization steps aimed at reducing the number of software and hardware resources while satisfying the safety requirements, reduce system complexity and ease downstream testing/validation efforts. This paper describes a novel model-based design exploration and optimization process for the deployment of a set of software tasks on a dual-processor control module implementing a fail-safe strategy.
Technical Paper

On Managing Performance and Timing in Early-Stage E/E Design - Reducing the Gap Between Requirements and Implementation

2013-04-08
2013-01-1223
For a long time, tools and methods for automotive E/E design were mostly in the domain of academic research only. Recently, OEMs have started adopting selected contributions, because (very soon) it will become quite costly NOT to apply them. The first step is establishing centralized data storage for all design data. At present, the task at hand is selecting appropriate abstraction levels and design methods that are fed by and feed that data. In this paper, we summarize recent progress in this selection process with a focus on performance, which is a key aspect for architecture generation. Our contribution provides incremental progress from both ends of the mentioned gap (requirements vs. architecture vs. implementation) towards one another. The presentation is built around the IMES project [21] considering centralized data storage. However, the overall approach is based on established standards and common design patterns as much as possible.
Technical Paper

Software Architecture Methods and Mechanisms for Timing Error and Failure Detection According to ISO 26262: Deadline vs. Execution Time Monitoring

2013-04-08
2013-01-0174
More electronic vehicle functions lead to an exponentially growing degree of software integration in automotive ECUs. We are seeing an increasing number of ECUs with mixed-criticality software. ISO 26262 describes different safety requirements for the software, including freedom from interference and absence of error propagation. These requirements demand particular attention for mixed-criticality ECUs. In this paper we investigate the ability to guarantee that these safety requirements will be fulfilled by using an established error detection mechanism (deadline monitoring) and a new one (execution time monitoring). We also show how these methods can be used to build up safe and efficient schedules for today's and future automotive embedded real-time systems with mixed-criticality software.
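The difference between the two mechanisms this abstract contrasts, as an added worked example that is not code from the paper: a small fixed-priority preemptive scheduler simulated in Python over a constructed two-task set, a QM task "L" and an ASIL task "H" with hypothetical periods, budgets and priorities. Under rate-monotonic assignment the QM task gets the higher priority because its period is shorter, so when it overruns its execution-time budget it interferes with the ASIL task. Deadline monitoring only reports the ASIL task's missed deadline after the damage is done; execution-time monitoring stops the QM task the moment its budget is exhausted, and the ASIL task meets its deadline. The simulation shows the mixed-criticality interference problem these abstracts describe, with abstract time ticks rather than real units.

```python
"""Deadline monitoring vs. execution-time monitoring on a mixed-criticality ECU.

Constructed example (not from the paper): a fixed-priority preemptive scheduler
simulated in abstract time ticks. Under rate-monotonic priority assignment the
QM task gets the higher priority because its period is shorter, so when it
overruns its execution-time budget it interferes with the ASIL task.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    criticality: str   # hypothetical labels, e.g. "ASIL-D" or "QM"
    period: int        # ticks; deadline == period here
    budget: int        # execution-time budget derived from the WCET analysis
    actual: int        # execution time the task really consumes in this run
    priority: int      # smaller number = higher priority (rate-monotonic)


@dataclass
class Job:
    task: Task
    release: int
    executed: int = 0

    @property
    def deadline(self) -> int:
        return self.release + self.task.period

    def done(self) -> bool:
        return self.executed >= self.task.actual


def simulate(tasks, horizon, execution_time_monitoring):
    """Run the scheduler for `horizon` ticks and return the list of
    (event, task name, tick) tuples the monitors produced."""
    events, ready = [], []
    for t in range(horizon):
        # Release a new job of every task whose period elapsed.
        ready += [Job(task, t) for task in tasks if t % task.period == 0]
        # Deadline monitoring: a job still pending at its deadline is an error.
        # This fires only after the higher-criticality task was already hurt.
        for job in [j for j in ready if t >= j.deadline]:
            events.append(("deadline_miss", job.task.name, t))
            ready.remove(job)  # abandon the late job
        if not ready:
            continue
        # Fixed-priority preemptive dispatch: highest priority first, then oldest.
        ready.sort(key=lambda j: (j.task.priority, j.release))
        job = ready[0]
        job.executed += 1
        if job.done():
            events.append(("completed", job.task.name, t + 1))
            ready.remove(job)
        elif execution_time_monitoring and job.executed >= job.task.budget:
            # Execution-time monitoring: the budget is used up and the job has
            # not finished, so stop it now, before it steals more time from
            # the higher-criticality task.
            events.append(("budget_overrun", job.task.name, t + 1))
            ready.remove(job)
    return events


# Constructed task set: the QM task is stuck and needs 4 ticks instead of 1.
EXAMPLE_TASKS = (
    Task("L", "QM", period=5, budget=1, actual=4, priority=1),
    Task("H", "ASIL-D", period=10, budget=3, actual=3, priority=2),
)


if __name__ == "__main__":
    for etm in (False, True):
        print("execution-time monitoring:", etm)
        for event in simulate(EXAMPLE_TASKS, horizon=20, execution_time_monitoring=etm):
            print("  ", event)
```

With deadline monitoring alone, "H" never completes inside the horizon and its miss is reported at tick 10, when the first job's deadline has already passed; with execution-time monitoring, every "L" job is stopped after one tick and both "H" jobs complete on time. The budget check uses "budget exhausted and not finished" rather than "budget exceeded", so a well-behaved task that needs exactly its budget is never flagged.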
Journal Article

Exploring Use of Ethernet for In-Vehicle Control Applications: AFDX, TTEthernet, EtherCAT, and AVB

2012-04-16
2012-01-0196
Vehicle communication networks are challenged by increasing demands for bandwidth, safety, and security. New data is coming into the vehicle from personal devices (e.g. mobile phones), infotainment systems, camera-based driver assistance, and wireless communication with other vehicles and infrastructure. Ethernet (IEEE 802.3) provides high levels of bandwidth and security, making it a potential solution to the challenges of vehicle communication networks. However, in order to be used in control applications, Ethernet must provide known timing performance (e.g. bounded latency and jitter), and in some cases redundancy. This paper explores the use of Ethernet for in-vehicle control applications.
Journal Article

On Designing Software Architectures for Next-Generation Multi-Core ECUs

2015-04-14
2015-01-0177
Multi-core systems are promising a cost-effective solution for (1) advanced vehicle features requiring dramatically more software and hence an order of magnitude more processing power, (2) redundancy and mixed-IP, mixed-ASIL isolation required for ISO 26262 functional safety, and (3) integration of previously separate ECUs and evolving embedded software business models requiring separation of different software parts. In this context, designing, optimizing and verifying the mapping and scheduling of software functions onto multiple processing cores becomes key. This paper describes several multi-core task design and scheduling design options, including function-to-task mapping, task-to-core allocation (both static and dynamic), and associated scheduling policies such as rate-monotonic, criticality-aware priority assignment, period transformation, hierarchical partition scheduling, and dynamic global scheduling.
Technical Paper

A Virtual Platform for Architecture Integration and Optimization in Automotive Communication Networks

2007-04-16
2007-01-1276
Systems and network integration is a major challenge, and systematic analysis of the complex dynamic timing effects becomes key to building reliable systems. Very often, however, systematic analysis techniques are (considered) too restrictive with respect to established design practice. In this paper we present lessons learned from real-world case studies, in which OEMs have used the new SymTA/S scheduling analysis technology to evaluate different network choices with minimum effort. Thanks to its flexibility and supplier independence, SymTA/S can be applied in non-ideal situations, where other, more restricted technologies are inherently limited. Finally, we put the technology into relation with ongoing standardization activities.
Journal Article

Exploration and Optimization of Gated Automotive Networks using Scheduling Analysis

2008-04-14
2008-01-0281
Today, gated networks with several buses are becoming standard in automotive E/E systems but are evolving differently among the various vehicle manufacturers, with different topologies, combinations of bus protocols, and speeds. Making the right architecture decisions requires systematic evaluation of the many alternatives during early design stages. However, there are many trade-offs in terms of performance, cost, extensibility, etc. In this context, scheduling analysis is a powerful tool. It clarifies performance, end-to-end timing, and dynamic behavior. This enables evaluation of networking alternatives and foresight of bottlenecks, and provides guidance in the design process. In the paper, the application of scheduling analysis to automotive network exploration and optimization is demonstrated. Specific emphasis is placed on end-to-end timing, migration from CAN to FlexRay, black-box integration and early-stage assumptions, extensibility, and trade-offs.
Technical Paper

Scheduling Analysis and Optimization for Safety-Critical Automotive Systems

2008-04-14
2008-01-0123
When designing safety-critical automotive systems, verification of timing and performance is key, especially the verification of hard deadlines and other critical timing constraints. Test- or simulation-based approaches suffer from corner-case coverage problems and are becoming less reliable as systems grow in size and complexity. Time-triggered mechanisms (e.g. OSEKtime and FlexRay) were proposed as a way out by providing better timing predictability. However, for reasons of cost, flexibility, and reactivity, future cars will most likely contain a mix of event-triggered (ET) and time-triggered (TT) components that are combined synchronously and/or asynchronously, thereby further complicating timing. Scheduling analysis has recently matured to allow reliable timing verification and systematic optimization for ET, TT, and mixed systems.
Technical Paper

On Timing Requirements and a Critical Gap between Function Development and ECU Integration

2015-04-14
2015-01-0180
With the increasing complexity of electronic vehicle systems, one particular “gap” between function development and ECU integration becomes more and more apparent, and critical; albeit not new. The core of the problem is: as more functions are integrated and share the same E/E resources, they increasingly mutually influence and disturb each other in terms of memory, peripherals, and also timing and performance. This has two consequences: The amount of timing-related errors increases (because of the disturbance) and it becomes more difficult to find root causes of timing errors (because of the mutual influences). This calls for more systematic methods to deal with timing requirements in general and their transformation from function timing requirements to software architecture timing requirements in particular.
Technical Paper

Vehicle Controller Area Network Response Time Analysis and Measurement Issues - to Reduce the Gap between Estimation and Measurement

2017-03-28
2017-01-0018
While the growing number of functions that require higher communication bandwidth is being addressed with CAN FD and automotive Ethernet, the current CAN systems still have to cope with increased busload and more stringent response-time requirements. The CAN busload limit widely used as a guideline in the early design stage of vehicle network development is primarily intended to leave room for further frame extensions. When exceeding the current busload design limit cannot be avoided, the maximum frame response times and message delays must be analyzed in more detail, which requires good estimation and measurement techniques. Two methods exist for estimating response times at the design phase: a mathematical worst-case analysis that provides upper bounds, and a probability-based distributed response-time simulation.
Technical Paper

Using Timing Analysis for Evaluating Communication Behavior and Network Topologies in an Early Design Phase of Automotive Electric/Electronic Architectures

2009-04-20
2009-01-1379
The increasing functionality and complexity of future electric/electronic architectures requires efficient methods and tools to support design decisions, which are taken in early development phases [6]. For the past four years, a holistic approach for architecture development has been established at the Mercedes-Benz Cars R&D department. At its core is a seamless design flow, including the conception, the analysis, and the documentation of electric/electronic architectures. One of the current challenges in the design of electric/electronic architectures concerns communication behavior and network topologies. The increasing data exchange between the ECUs creates high requirements for the networks. With the introduction of FlexRay [21] and Ethernet, the automotive network architecture becomes a lot more heterogeneous. Gateways in particular must fulfill many new requirements to handle the strict periodic schedule of FlexRay and the partly event-triggered communication on CAN buses [23].