Catálogo de publicaciones - libros

Determining the worst-case execution times (WCETs) of tasks in safety-critical hard real-time systems is a difficult problem. A combination of automatic analysis techniques with a few user annotations yields precise WCET estimates.

Up to 70 electronic control units (ECU’s) serve for safety and comfort functions in a car. Communicating over different bus systems most ECU’s perform close loop control functions and reactive functions and have to fulfill hard real time constraints. Some ECU’s controlling on board entertainment/office systems are software intensive, incorporating millions of lines of code. The challenge for the design of those distributed and networked control units is to define all requirements and constraints, understand and analyze those manifold interactions between the control units, the car and the environment (driver, road, weather) in normal as well as stress situations (crash). To improve the design of safety critical ECU’s we propose an enhanced development process (double-V-model). The use of different modeling descriptions for closed loop control, reactive systems and software intensive systems requires a CASE-tool integration platform. We have developed “GeneralStore” as a platform to support model driven design with hetero-geneous models in a design process which is concurrent and distributed between the automotive manufacturer and several suppliers.

A safety-critical real-time computer system must provide its services with a dependability that is much better than the dependability of any one of its constituent components. This challenging goal can only be achieved by the provision of fault tolerance. The design of any fault-tolerant system proceeds in four distinct phases. In the first phase the fault hypothesis is shaped, i.e. assumptions are made about the types and numbers of faults that must be tolerated by the planned system. In the second phase an architecture is designed that tolerates the specified faults. In the third phase the architecture is implemented and the functions and fault-tolerance mechanisms are validated. Finally, in the fourth phase it has to be confirmed experimentally that the assumptions contained in the fault-hypothesis are met by reality. The first part of this contribution focuses on the establishment of a comprehensive fault hypothesis for safety-critical real-time computer systems. The size of the fault containment regions, the failure mode of the fault containment regions, the assumed frequency of the faults and the assumptions about error detection latency and error containment are discussed under the premise that in future a distributed system node is expected to be a system-on-a-chip (SOC). The second part of this contribution focuses on the implications that such a fault hypothesis will have on the future architecture of distributed safety-critical real-time computer systems in the automotive domain.

Our primary goal is to develop a compositional real-time scheduling framework where global (system-level) timing properties are established by composing together independently (specified and) analyzed local (component-level) timing properties. In this paper, we define two problems and one design issue in developing such a framework and present our approaches to the problems and the design issue. The two problems are (1) the scheduling interface derivation problem that is to (exactly) abstract the collective real-time requirements of a component as a single real-time requirement, or a scheduling interface and (2) the scheduling interface composition problem that is to (exactly) compose the scheduling interfaces of components into the system-level scheduling interface. The design issue is how to define a scheduling interface model. Our approach is to use the standard periodic model as the scheduling interface model and to address the two problems with the periodic model. We introduce exact conditions under which our proposed periodic scheduling interface model can abstract the collective real-time requirements that a set of periodic tasks demands under EDF (earliest deadline first) and RM (rate monotonic) scheduling. We present simulation results to evaluate the overheads that the periodic scheduling interfaces incur in terms of utilization increase.

The automotive domain is one of the most promising areas for component and service technologies in the near future. Vehicles are increasingly becoming integrated systems where both intra-vehicle and inter-vehicles interactions require that a set of federated components (services) be properly orchestrated. The interactions and cooperations among the members of such federations suggest the use of well-known architectural styles to properly design new systems. Among the various styles, we explore the use of the publish-subscribe paradigm for intra-vehicle cooperations and the service-oriented paradigm for vehicle-to-vehicle and vehicle-to-environment interactions. We argue that available modeling notations provide adequate support to specification, but still lack proper support to the validation phase.

In this paper we discuss component models and their validation in the context of the automotive domain. In particular, we show how publish/subscribe and service-oriented applications can be analyzed through model-checking techniques by drawing simple examples from the automotive domain.

This paper describes a new approach towards a component architecture for hard real time control applications as found, for example, in the automotive domain. Based on the paradigm of Logical Execution Time (LET) as introduced by Giotto [1], we adapt the high-level language construct which allows us to organize and parallelize real time code in the large. Our module construct serves multiple purposes: (1) it introduces a namespace for program entities and supports information hiding, (2) it represents a partitioning of the set of actuators and control logic available in a system, (3) it acts as a static specification of components and dependencies, (4) it may serve as the unit of dynamic loading of system extensions and (5) it may serve as the unit of distribution of functionality over a network of electronic control units. We describe the individual usage cases of modules, introduce the syntax required to specify our needs and discuss various implementation aspects.

We report on how implementing a Model Based Automotive SW Engineering Process in an industrial setting can ensure the correctness of automotive applications when a process based on formal models is used. We show how formal methods, in particular model checking, can be used to ensure consistency of the models and can prove that the models satisfy selected functional and safety requirements. The technique can also be used to automatically generate test vectors from the model. Hence we show how in many ways formal verification techniques can add value to the models used for different purposes in developing automotive applications.

Embedded software development for automotive applications is widely considered as a significant source of innovation and improvements in cars. However, software development processes do not address well the needs of large-scale distributed real-time systems, like the ones automobiles do (or soon will) contain. The paper introduces a vision for the model-based development of embedded software, which is based on the broad-spectrum modeling of the applications in the context of a larger system, formal (and computer-supported) analysis of models, and automatic synthesis of the application(s). The paper also describes some initial steps taken to build the infrastructure for supporting such a process in the form of modeling and model transformation tools. The paper concludes with a list of challenging research problems.

Embedded Automotive systems are becoming increasingly complex, and as such difficult to design and develop. Model-based approaches are gaining foothold in this area, and increasingly the system design and development is being conducted with model-based tools, most notably Matlab® Simulink® and Stateflow® from Mathworks Inc., among others. However, these tools are addressing only a limited aspect of the system design. Moreover, there is a lack of integration between these tools, which makes overall system design and development cumbersome and error-prone. Motivated by these shortcomings we have developed an approach, based on Model-Integrated Computing, a technology matured over a decade of research at ISIS, Vanderbilt University. The center-piece of this approach is a graphical modeling language, Embedded Control Systems Language for Distributed Processing (ECSL-DP). A suite of translators and tools have been developed that facilitate the integration of ECSL-DP with industry standard Simulink and Stateflow tools, and open the possibility for integration of other tools, by providing convenient and extensible interfaces. A code generator has been developed that synthesizes implementation code, configuration and firmware glue-code from models. The approach has been prototyped and evaluated with a medium scale example. The results demonstrate the promise of the approach, and points to interesting directions for further research.

The paper first presents the integration options of what we call the Timing Description Language (TDL) with MathWorks’ Matlab/Simulink tools. Based on the paradigm of logical execution time (LET) as introduced by Giotto [2], TDL enhances Giotto towards a component architecture for real-time control applications [9]. The challenge is to provide appropriate visual and interactive modeling capabilities so that the developer can come up with the TDL timing model in the context of Simulink which has established itself as defacto modeling standard for control applications. The paper illustrates by means of a simple case study how we envision an adequate integration of both the TDL and the Simulink modeling approaches.